Model Checking and Model-Based Testing in the Railway Domain

  • Anne E. Haxthausen
  • Jan Peleska


This chapter describes some approaches and emerging trends for verification and model-based testing of railway control systems. We describe state-of-the-art methods and associated tools for verifying interlocking systems and their configuration data, using bounded model checking and k-induction. Using real-world models of novel Danish interlocking systems, it is exemplified how this method scales up and is suitable for industrial application. For verification of the integrated HW/SW system performing the interlocking control tasks, a model-based hardware-in-the-loop testing approach is presented. The trade-off between complete test strategies capable of uncovering every error in implementations of a given fault domain on the one hand, and the unmanageable load of test cases typically created by these strategies on the other hand, is discussed. Pragmatic approaches resulting in manageable test suites with good test strength are explained. Interlocking systems represent just one class of many others, where concrete system instances are created from generic representations, using configuration data for determining the behaviour of the instances. We explain how the systematic transition from generic to concrete instances in the development path is complemented by associated transitions in the verification and testing paths.


Keywords (added by machine, not by the authors): Model Check; System Under Test; Kripke Structure; Occupancy Status; Railway Network





Copyright information

© Springer Fachmedien Wiesbaden 2015

Authors and Affiliations

  1. DTU Compute, Technical University of Denmark, Lyngby, Denmark
  2. Department of Mathematics and Computer Science, University of Bremen, Bremen, Germany
