From Formal Test Objectives to TTCN-3 for Verifying ETCS Complex Software Control Systems

The design of a practical yet accurate software methodology that guarantees system correctness and safety remains a major challenge. Where test coverage is unsatisfactory, formal analysis offers much greater potential to uncover errors or safety vulnerabilities during the design phase of a system. However, formal verification methods often require a strong technical background, which limits their adoption. In this paper, we present a framework that combines testing and verification to ensure the correctness and safety of complex distributed software systems. Applying our methodology yields a more reliable system in terms of functionality, safety and robustness, together with a reduction in the time needed for verification. To show the applicability of our solution, we apply it to a real industrial case study, the European Train Control System (ETCS) [14]. We specify the system in the SDL language [24] and use a test generation tool to produce abstract test cases in TTCN-3. Based on these standardized tests, we verify by model checking several critical properties of the system, in particular those concerning safety requirements. We analyse a real train accident and demonstrate how it could have been avoided had the ETCS system been in use.

[1] Olfa Mosbahi et al. R-UML: An UML Profile for Verification of Flexible Control Systems. ICSOFT, 2015.

[2] André Platzer et al. European Train Control System: A Case Study in Formal Verification. ICFEM, 2009.

[3] Radu Mateescu et al. CADP 2010: A Toolbox for the Construction and Analysis of Distributed Processes. TACAS, 2011.

[4] Mikael Sjödin et al. Supporting timing analysis of vehicular embedded systems through the refinement of timing constraints. Software & Systems Modeling, 2017.

[5] Philippe Schnoebelen et al. Systems and Software Verification. Springer Berlin Heidelberg, 2001.

[6] Ana R. Cavalli et al. Using passive testing based on symbolic execution and slicing techniques: Application to the validation of communication protocols. Computer Networks, 2013.

[7] K. Merouane et al. A Methodology for Interoperability Testing of a MANET Routing Protocol. 2007 Third International Conference on Wireless and Mobile Communications (ICWMC'07), 2007.

[8] Dániel Varró et al. Survey and classification of model transformation tools. Software & Systems Modeling, 2018.

[9] David Lee et al. Principles and methods of testing finite state machines - a survey. Proceedings of the IEEE, 1996.

[10] Ken Butts et al. Simulation-Based Approaches for Verification of Embedded Control Systems: An Overview of Traditional and Advanced Modeling, Testing, and Verification Techniques. IEEE Control Systems, 2016.

[11] Patrice Godefroid. Between Testing and Verification: Dynamic Software Model Checking. Dependable Software Systems Engineering, 2016.

[12] Gary Alan Bundell. Aspects of the safety analysis of an on-board automatic train operation supervisor. 2009 IEEE International Conference on Systems, Man and Cybernetics, 2009.

[13] Tao Tang et al. A Safety Management and Signaling System Integration Method for Communication-Based Train Control System. 2017.

[14] Joseph Sifakis et al. The IF Toolset. SFM, 2004.

[15] Hans A. Hansson et al. A Survey on Testing for Cyber Physical System. ICTSS, 2015.

[16] Slim Kallel et al. A Model-based Approach for the Modeling and the Verification of Railway Signaling System. ENASE, 2019.

[17] Philippe Schnoebelen et al. Systems and Software Verification: Model-Checking Techniques and Tools. 2001.

[18] Radu Mateescu et al. CADP 2006: A Toolbox for the Construction and Analysis of Distributed Processes. CAV, 2007.

[19] Ludovic Henrio et al. pNets: An Expressive Model for Parameterised Networks of Processes. 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, 2015.

[20] Radu Mateescu et al. A Model Checking Language for Concurrent Value-Passing Systems. FM, 2008.

[21] Colin Willcock et al. An Introduction to TTCN-3. 2005.

[22] Vahid Garousi et al. Testing embedded software: A survey of the literature. Information and Software Technology, 2018.

[23] Gordon Fraser et al. Testing with model checkers: a survey. 2009.

[24] Luca Manica et al. A Methodology for Formal Requirements Validation and Automatic Test Generation and Application to Aerospace Systems. SAE Technical Paper Series, 2018.

[25] Jianjun Zhao et al. The role of model checking in software engineering. Frontiers of Computer Science, 2018.

[26] Ana R. Cavalli et al. Verifying Complex Software Control Systems from Test Objectives: Application to the ETCS System. ICSOFT, 2019.

[27] Marius Bozga et al. IF-2.0: A Validation Environment for Component-Based Real-Time Systems. CAV, 2002.

[28] Tao Tang et al. Formal Modeling and Verification of RBC Handover of ETCS Using Differential Dynamic Logic. 2011 Tenth International Symposium on Autonomous Decentralized Systems, 2011.

[29] Ana R. Cavalli et al. A validation model for the DSR protocol. 24th International Conference on Distributed Computing Systems Workshops, Proceedings, 2004.

[30] Allaoua Chaoui et al. A Pi-calculus-based approach for the verification of UML2 sequence diagrams. 2015 10th International Joint Conference on Software Technologies (ICSOFT), 2015.

[31] Leonardo J. Valdivia et al. ETCS On-board Unit Safety Testing: Saboteurs, Testing Strategy and Results. 2017.

[32] Mohamed Ghazel et al. Formalizing a subset of ERTMS/ETCS specifications for verification purposes. 2014.

[33] Stéphane Maag et al. A Logic-based Passive Testing Approach for the Validation of Communicating Protocols. ENASE, 2012.

[34] Nikolai Kosmatov et al. How Test Generation Helps Software Specification and Deductive Verification in Frama-C. TAP@STAF, 2014.

[35] Matthew Hennessy et al. Symbolic Bisimulations. Theoretical Computer Science, 1995.

[36] Ludovic Henrio et al. Behavioural semantics for asynchronous components. Journal of Logical and Algebraic Methods in Programming, 2017.