Intervenant - date

Requirement Refinement to Test Case Generation for Embedded Railway Control Systems

by : Ying YANGby : Ying YANG0909/0/066//20112011

Ph.D StudentFrench institute of science and technology for transport, development and networks (IFSTTAR)Lille, France

Intervenant - date

Content

• Introduction and background

• Formal specification– Requirement refinement method– A case study

• Formal verification– Method of conformance testing - a framework

Intervenant - date

Content

• Introduction and background

• Formal specification– Requirement refinement method– A case study

• Formal verification– Method of conformance testing - a framework

Intervenant - date

FERROCOTS project

Cabling technology using relay panels

Railway command-control systems

Cabling technology Use of electronic cards with simple logic gates, transistors, diodes and analog circuits to perform logic functions.

Disadvantages Difficult to update the functions Weight Cost

Disadvantages Difficult to update the functions Weight Cost

1

Intervenant - date

FERROCOTS project

COTS-based technology

Railway command-control systems

FPGA COTS-based technologyUse of Commercial-Off-The-Shelf (COTS) components a COTS is a programmable piece of hardware called High Speed Field-Programmable Gate Array (FPGA).

Space-, Weight-, Cost-saving, Flexible Easily maintained Reuse of components

Cabling technology using relay panels

2

Intervenant - date

Content

• Introduction and background

• Formal specification– Requirement refinement method– A case study

• Formal verification– Method of conformance testing - a framework

Intervenant - date

Transformation from informal to formal requirement

3

What we want:

Formal specification – Describe what the system should do– By building a rigorous mathematical model

How to get formal models:

Transformation from informal to formal requirement

Formal modelsRequirement list

Rn: R2:

R1: fonction requirement

Transformation

Traceability

Intervenant - date

Requirement refinement method Objective and introduction

Properties

Requirement document

Raw requirements

Formalization

Refined requirements

Refinement

Analyze

Verification

Requirement refinement method:• A progressive transformation• Assure the requirement traceability

Formal verification :• model-checking • test/simulation

4

Intervenant - date

Process1: requirement refinement process Three refinement patterns

• Refinement patterns:– «Clarify»– «Split»

AND/OR/XOR

– «Modify»«Add»

«Remove»

«Change»

Choose refinement pattern

[requirement directly formalizable]

[requirement need to be refined]

[inconsistent information or obvious errors detected]

[sub-requirements detected]

[ambiguity or fuzzy information detected]

Choose split type Choose modification type

Split AND Split OR Split XOR Add Remove Change

[and]

[or]

[xor] [wrong information]

[Redundant information]

[missing information]

Formalize requirement Send to verification and validation

Clarify requirement

5Activity diagram of requirement refinement process

Intervenant - date

Process 1: requirement refinement process Intro SysML

• SysML

– Modeling for system engineering– Inspirited by UML 2

• Requirement diagram

6

Intervenant - date

Process1: requirement refinement process New stereotypes defined

SysML profile diagram with new stereotypes and their attributes defined

7

Stereotypes

Refinement patterns

«ClarifyReq» «Clarify»

«SplitReq»AND/OR/XOR

«Split» AND/OR/XOR

«ModifyReq» add/remove/change

«Modify»add/remove»/change

Intervenant - date

Process 2: requirement formalization process Formal framework-CTL*

• Formal framework: a temporal logic CTL*– Classical logic + operators with time– A superset of CTL (Computation Tree Logic) et LTL (Linear Time

Logic)

• Why?– For formal verification

• Model checking / test

– “Intuitive” logic Logic operators directly mapped to natural language words, like

“Globally”, “Finally”

8

Intervenant - date

• Path operators

X (next), F (future), U (until), G (globally)…

|= Gp

• State operators

A (always)

Aφ: the formula φ must hold on every path.

R: the train doors can be opened only when the train speed ≤ 2km/h

AG(dooropen → trainspeed ≤ 2km/h).

9

Process 2: requirement formalization process Formal framework-CTL*

Intervenant - date

Case study Train Door Control system

COTS(FPGA)

central console

series of subsystemsSensorsAlarmsFire detectionDoor (un)locking… Local

command

General command

General command

10

Inputs

when a passenger push the button to open one of the doors in the right side of train, the COTS receives a local command, then it verify whether authorization of right-hand doors is true…

Intervenant - date

• The requirement of generating the authorization of door opening is described as follows: – 1) some buttons can allow the driver to generate the authorization for

door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin.

– 2) When the train speed is ≤ 2km/h, if the doors are closed and locked, the doors can be authorized to be opened.

11

Case study Train Door Control system

Intervenant - date 12

1) some buttons can allow the driver to generate the authorization for door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin.

2) When the train speed is ≤ 2km/h, if the doors are closed and locked, the doors can be authorized to be opened.

1) some buttons can allow the driver to generate the authorization for door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin.

2) When the train speed is ≤ 2km/h, if the doors are closed and locked, the doors can be authorized to be opened.

Intervenant - date

R1.1.3 is formalized by P1.1.3 its variables:• PB(C-CD-R)_1: push button 1 for

cancelling the signal of closing the right-hand doors

• PB(C-CD-R)_2 : push button 2 for cancelling the signal of closing the right-hand doors

• AU-OD-R : authorization for opening right-hand doors

P1.1.3 :

))2_)RCDC(PB1_)RCDC(PB(

R)-OD-AU((

AG

13

Case study Train Door Control system

Intervenant - date

P1.1.4 similar to P1.1.3

14

Case study Train Door Control system

))2_)LCDC(PB1_)LCDC(PB(

L)-OD-AU((

AG

Intervenant - date

R1.3.1 is formalized by P1.3.1its variables :• TS: the train speed is ≤ 2km/h• door_R: the set of all the right-hand

doors• close_R and lock_R: the state of right-

hand doors• AU-OD-R : authorization for opening

right-hand doors

P1.3.1 :

P1.3.2 :

)))(_)(_(

)_door((

TB R)-OD-AU((

xRlockxRclose

Rx

AG

15

Case study Train Door Control system

)))(L_)(L_(

)L_door((

TB L)-OD-AU((

xlockxclose

x

AG

Intervenant - date

))2_)(1_)((

)))(_)(_)(door_R((

TB R)-OD-AU((

RODCPBRODCPB

xRlockxRclosex

AG

16

Case study Train Door Control system

))2_)L(1_)L((

)))(L_)(L_)(door_L((

TB L)-OD-AU((

ODCPBODCPB

xlockxclosex

AG

Intervenant - date

Content

• Introduction and background

• Formal specification– Requirement refinement method– A case study

• Formal verification– Method of conformance testing - a framework

Intervenant - date

test generation

EFSM specification

s

test executionvia simultion

test suite Ts

IUT (VDHL) i

test suite tranformation

VDHL test benchTb

conforms to

test verdict log

Conformance testing - a framework

Verification Phase

17

Properties

Formalization

Refined requirements

Testing process

Specification Phase

Model-checking

Testing

Intervenant - date

JING YANG

IFSTTAR, ESTAS, F-59650 Villeneuve d’Ascq, France

Email: jing.yang@ifsttar.fr