From Formal Test Objectives to TTCN-3 for Verifying ETCS Complex Software Control Systems

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1250)


The design of a practical yet accurate software methodology that guarantees system correctness and safety remains a major challenge. Where test coverage is unsatisfactory, formal analysis offers much higher potential to discover errors or safety vulnerabilities during the design phase of a system. However, formal verification methods often require a strong technical background, which limits their adoption. In this paper, we present a framework based on testing and verification to ensure the correctness and safety of complex distributed software systems. Applying our methodology yields a more reliable system in terms of functionality, safety and robustness, together with a reduction in the time required for verification. To show the applicability of our solution, we applied it to a real industrial case study, the European Train Control System (ETCS) [14]. We specify the system in the SDL language [24] and use a test generation tool to derive abstract test cases in TTCN-3. Based on these standardized tests, we verify, using model checking, some critical properties of the system, in particular those concerning safety requirements. We analyse a real train accident and demonstrate how it could have been avoided had the ETCS system been in use.


Keywords: Formal verification, Safety, Model checking, Software control systems


References

1. Ameur-Boulifa, R., Cavalli, A.R., Maag, S.: Verifying complex software control systems from test objectives: application to the ETCS system. In: Proceedings of the 14th International Conference on Software Technologies, ICSOFT 2019, Prague, Czech Republic, 26–28 July 2019, pp. 397–406 (2019)
2. Ameur-Boulifa, R., Henrio, L., Kulankhina, O., Madelaine, E., Savu, A.: Behavioural semantics for asynchronous components. J. Log. Algebraic Methods Program. 89, 1–40 (2017)
3. Andres, C., Cavalli, A., Yevtushenko, N.: On modeling and testing the European Train Control System. Technical report 09013 LOR, Telecom SudParis, March 2013
4. Abbaspour Asadollah, S., Inam, R., Hansson, H.: A survey on testing for cyber physical system. In: El-Fakih, K., Barlas, G., Yevtushenko, N. (eds.) ICTSS 2015. LNCS, vol. 9447, pp. 194–207. Springer, Cham (2015)
5. Belghiat, A., Chaoui, A.: A Pi-calculus-based approach for the verification of UML2 sequence diagrams. In: 2015 10th International Joint Conference on Software Technologies (ICSOFT), vol. 2, pp. 1–8. IEEE (2015)
6. Bérard, B., et al.: Systems and Software Verification: Model-Checking Techniques and Tools. Springer, Heidelberg (2013)
7. Berthomieu, B., et al.: The syntax and semantics of FIACRE. Deliverable F.3.2.11 of project TOPCASED (2012)
8. Bougacha, R., Wakrime, A.A., Kallel, S., Ayed, R.B., Collart-Dutilleul, S.: A model-based approach for the modeling and the verification of railway signaling system. In: Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering, pp. 367–376. SCITEPRESS - Science and Technology Publications, Lda (2019)
9. Bozga, M., Graf, S., Mounier, L.: IF-2.0: a validation environment for component-based real-time systems. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 343–348. Springer, Heidelberg (2002)
10. Bozga, M., Graf, S., Ober, I., Ober, I., Sifakis, J.: The IF toolset. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 237–267. Springer, Heidelberg (2004)
11. Bundell, G.A.: Aspects of the safety analysis of an on-board automatic train operation supervisor. In: 2009 IEEE International Conference on Systems, Man and Cybernetics, pp. 3223–3230. IEEE (2009)
12. Cavalli, A.R., Grepet, C., Maag, S., Tortajada, V.: A validation model for the DSR protocol. In: 24th International Conference on Distributed Computing Systems Workshops (ICDCS 2004 Workshops), 23–24 March 2004, Hachioji, Tokyo, Japan, pp. 768–773 (2004)
13. Che, X., Lalanne, F., Maag, S.: A logic-based passive testing approach for the validation of communicating protocols. In: ENASE 2012 - Proceedings of the 7th International Conference on Evaluation of Novel Approaches to Software Engineering, Wroclaw, Poland, 29–30 June 2012, pp. 53–64 (2012)
14. ERTMS Commission Group, European Commission: Delivering an effective and interoperable European Rail Traffic Management System (ERTMS) – the way ahead. Technical report, SWD(2017), p. 375, November 2017
15. ETSI ES 201 873-1: Methods for Testing and Specification (MTS); The Testing and Test Control Notation version 3; Part 1: TTCN-3 Core Language, v4.11.1. Technical report, April 2019
16. Ferrante, O., Scholte, E., Rollini, S., North, R., Manica, L., Senni, V.: A methodology for formal requirements validation and automatic test generation and application to aerospace systems. Technical report, SAE Technical Paper (2018)
17. Fraser, G., Wotawa, F., Ammann, P.E.: Testing with model checkers: a survey. Softw. Test. Verification Reliab. 19(3), 215–261 (2009)
18. Garavel, H., Lang, F., Mateescu, R., Serwe, W.: CADP 2010: a toolbox for the construction and analysis of distributed processes. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 372–387. Springer, Heidelberg (2011)
19. Garousi, V., Felderer, M., Karapıçak, Ç.M., Yılmaz, U.: Testing embedded software: a survey of the literature. Inf. Softw. Technol. 104, 14–45 (2018)
20. Ghazel, M.: Formalizing a subset of ERTMS/ETCS specifications for verification purposes. Transp. Res. Part C Emerg. Technol. 42, 60–75 (2014)
21. Godefroid, P.: Between testing and verification: dynamic software model checking (2016)
22. Hennessy, M., Lin, H.: Symbolic bisimulations. Theor. Comput. Sci. 138(2), 353–389 (1995)
23. Henrio, L., Madelaine, E., Min, Z.: pNets: an expressive model for parameterised networks of processes. In: 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, pp. 492–496. IEEE (2015)
24. ITU-T: Recommendation Z.100: CCITT Specification and Description Language (SDL, 1999, updated 2019). Technical report, ITU-T, October 2019
25. Jesus Valdivia, L., Solas, G., Añorga, J., Arrizabalaga, S., Adin, I., Mendizabal, J.: ETCS on-board unit safety testing: saboteurs, testing strategy and results. Promet-Traffic Transp. 29(2), 213–223 (2017)
26. Kahani, N., Bagherzadeh, M., Cordy, J.R., Dingel, J., Varró, D.: Survey and classification of model transformation tools. Softw. Syst. Model. 18(4), 2361–2397 (2018)
27. Kapinski, J., Deshmukh, J.V., Jin, X., Ito, H., Butts, K.: Simulation-based approaches for verification of embedded control systems: an overview of traditional and advanced modeling, testing, and verification techniques. IEEE Control Syst. Mag. 36(6), 45–64 (2016)
28. Karna, A.K., Chen, Y., Yu, H., Zhong, H., Zhao, J.: The role of model checking in software engineering. Front. Comput. Sci. 12(4), 642–668 (2018)
29. Lee, D., Yannakakis, M.: Principles and methods of testing finite state machines - a survey. IEEE Trans. Comput. 84, 1090–1123 (1996)
30. Lee, D., Yannakakis, M.: Principles and methods of testing finite state machines - a survey. Proc. IEEE 84, 1090–1123 (1996)
31. Liu, Y., Tang, T., Liu, J., Zhao, L., Xu, T.: Formal modeling and verification of RBC handover of ETCS using differential dynamic logic. In: 2011 Tenth International Symposium on Autonomous Decentralized Systems, pp. 67–72. IEEE (2011)
32. Mateescu, R., Thivolle, D.: A model checking language for concurrent value-passing systems. In: Cuellar, J., Maibaum, T., Sere, K. (eds.) FM 2008. LNCS, vol. 5014, pp. 148–164. Springer, Heidelberg (2008)
33. Merouane, K., Grepet, C., Maag, S.: A methodology for interoperability testing of a MANET routing protocol. In: International Conference on Wireless and Mobile Communications, p. 5, March 2007
34. Mouttappa, P., Maag, S., Cavalli, A.: Using passive testing based on symbolic execution and slicing techniques: application to the validation of communication protocols. Comput. Netw. 57(15), 2992–3008 (2013)
35. Mubeen, S., Nolte, T., Sjödin, M., Lundbäck, J., Lundbäck, K.-L.: Supporting timing analysis of vehicular embedded systems through the refinement of timing constraints. Softw. Syst. Model. 18(1), 39–69 (2017)
36. Petiot, G., Kosmatov, N., Giorgetti, A., Julliand, J.: How test generation helps software specification and deductive verification in Frama-C. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 204–211. Springer, Cham (2014)
37. Platzer, A., Quesel, J.-D.: European Train Control System: a case study in formal verification. In: Breitman, K., Cavalcanti, A. (eds.) ICFEM 2009. LNCS, vol. 5885, pp. 246–265. Springer, Heidelberg (2009)
38. Salem, M.O.B., Mosbahi, O., Khalgui, M., Frey, G.: R-UML: a UML profile for verification of flexible control systems. In: Lorenz, P., Cardoso, J., Maciaszek, L.A., van Sinderen, M. (eds.) ICSOFT 2015. CCIS, vol. 586, pp. 118–136. Springer, Cham (2016)
39. Willcock, C., Deiß, T., Tobies, S., Keil, S., Engler, F., Schulz, S.: An Introduction to TTCN-3, 2nd edn. Wiley Publishing, Hoboken (2011)
40. Yan, F., Gao, C., Tang, T., Zhou, Y.: A safety management and signaling system integration method for communication-based train control system. Urban Rail Transit 3(2), 90–99 (2017)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

1. LTCI, Télécom ParisTech, Institut Polytechnique de Paris, Palaiseau, France
2. Samovar, CNRS, Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France
