Towards formal methods diversity in railways: an experience report with seven frameworks

In the ever-expanding universe of formal methods, several tools exist that can be exploited to validate early system designs and that are applicable to problems of the railway domain. In this paper, we present an experience report on formal modelling and verification using seven different formal environments, namely UMC, Promela/SPIN, NuSMV, mCRL2, CPN Tools, FDR4 and CADP. In particular, we model and verify an algorithm that addresses a typical railway problem, namely deadlock avoidance in train scheduling. The algorithm is designed according to a prototypical architecture, the so-called blackboard pattern, in which a set of global data is atomically updated by a set of concurrent guarded agents. Our experience, limited to this specific problem, shows that the design of the algorithm can be translated into the different formalisms with acceptable effort, while deep proficiency with the tools is required to optimise performance. The current paper establishes the preliminary foundations for the concept of formal methods diversity in the development of railway systems. The concept is based on the idea that if different non-certified formal environments are used to verify the same design, the confidence in the verification results increases. Furthermore, by checking that the number of states generated during the verification process is the same for each framework, the designer obtains an initial indication of the equivalence of the diverse models. The industrial application of this promising concept requires further research, and appropriate guidelines shall be established to identify the proper formal environments to use for a specific railway problem, and to define an industrial process in which formal methods diversity can be exploited to its full benefit.
The paper presents the different models developed, compares the tools employed in terms of language features and performance, and discusses the industrial implications of the concept of formal methods diversity in the railway domain.
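To make the blackboard pattern and the state-count check concrete, the following is an added example that is not the paper's algorithm nor the input of any of the seven tools: a constructed toy station model (segments W, E and passing-loop tracks L1, L2 are assumed) in which trains are guarded agents updating a shared position tuple, explored by an explicit-state search that reports the reachable state count and any deadlock states.

```python
from collections import deque

# Constructed toy model (added example, not the paper's algorithm): a station
# with approach segments W and E and a passing loop with parallel tracks L1
# and L2. Each train follows a fixed route over distinct segments. The
# blackboard is the tuple of train positions; each train is a guarded agent
# whose guard is "next segment free" and whose action atomically rewrites
# its own position on the blackboard.

def enabled_moves(state, routes):
    """All (train, successor_state) pairs whose guard holds in `state`."""
    occupied = set(state)
    moves = []
    for train, pos in enumerate(state):
        route = routes[train]
        idx = route.index(pos)
        if idx + 1 < len(route) and route[idx + 1] not in occupied:
            successor = list(state)
            successor[train] = route[idx + 1]
            moves.append((train, tuple(successor)))
    return moves

def explore(routes):
    """Explicit-state BFS over the blackboard; returns (state_count, deadlocks).

    A deadlock is a reachable state with no enabled agent in which not every
    train has reached the end of its route. The state count is the figure a
    designer would compare across independently built models of the same design.
    """
    init = tuple(route[0] for route in routes)
    goal = tuple(route[-1] for route in routes)
    seen = {init}
    frontier = deque([init])
    deadlocks = []
    while frontier:
        state = frontier.popleft()
        moves = enabled_moves(state, routes)
        if not moves and state != goal:
            deadlocks.append(state)
        for _, successor in moves:
            if successor not in seen:
                seen.add(successor)
                frontier.append(successor)
    return len(seen), deadlocks

# Opposing trains routed over different loop tracks: no deadlock is reachable.
SAFE_ROUTES = (("W", "L1", "E"), ("E", "L2", "W"))
# Both trains routed over L1: each ends up blocking the other's next segment.
CONFLICTING_ROUTES = (("W", "L1", "E"), ("E", "L1", "W"))

if __name__ == "__main__":
    for routes in (SAFE_ROUTES, CONFLICTING_ROUTES):
        print(routes, explore(routes))
```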
