Incremental Development of a Safety Critical System Combining Formal Methods and DSMLs - Application to a Railway System

24th International Conference on Formal Methods for Industrial Critical Systems (FMICS), 2019

In order to assist domain experts, several tools exist for defining graphical or textual domain specific modeling languages (DSMLs). The resulting models are useful, but not sufficient, for an overall understanding of the system, especially when formal methods are being applied. Indeed, failures of formal methods often result from misunderstandings of the requirements, even if the system is entirely proved. This is confirmed by several industrial experiments which showed that the poor readability of formal notations hinders communication with domain experts, so that the validation activity is often tedious, time consuming and complex. In order to circumvent this shortcoming, we propose to make domain specific models both provable and executable by animating their expected behaviour directly in a dedicated DSML tool. Our approach starts from an intuitive description of the system's operational semantics using high-level Petri nets, which abstract away structural constraints and focus on safety-critical behaviours. We then take advantage of the B method in order to refine and prove these operational semantics on the one hand, and to merge them with the static semantics of a given DSML on the other hand. This work is applied to the design of ERTMS/ETCS 3, an emergent solution for railway system management.

Towards a Tool-Based Domain Specific Approach for Railway Systems Modeling and Validation

Third International Conference on Reliability, Safety, and Security of Railway Systems (RSSRail), 2019

In the railway field, graphical representations of domain concepts are omnipresent thanks to their ability to share standardized information with common knowledge about several railway mechanisms: track circuits, signalling rules, etc. This paper proposes a domain specific approach for railway systems modeling and validation by combining the Model-Driven Engineering (MDE) paradigm and a formal method. First, an example of a graphical DSL is defined using MDE tools, and then the formal B method is used to define its underlying operational semantics and to guarantee the correctness of the model's behaviour with respect to its safety properties. Our approach is assisted by the Meeduse tool, which animates and visualizes execution scenarios of domain models. Starting from a given model designed in the DSL tool, Meeduse asks ProB to animate B operations and obtains the reached state by means of B variable valuations. It then translates these valuations back into the initial DSL, resulting in automatic modifications of the domain model. Our approach allows a more pragmatic, domain-centric animation than current visual animation techniques, since the resulting DSL tool allows domain experts, who are not necessarily trained in formal methods, to design and validate the various domain models by themselves.

From Place/Transition Petri nets to B abstract machines for safety critical systems

IFAC-PapersOnLine, 2015

Fulfilling the safety requirements is one of the most serious and problematic issues in critical systems design and safety critical software development. In this context, thanks to their analysis power, formal methods have been widely used in the various stages of the design and implementation of safety critical systems. However, some methods such as the B method, although well adapted to safety issues, are still poorly used in large-scale industrial environments. The purpose of this paper is to present a methodology for transforming Place/Transition Petri nets into B abstract machines, enabling an interesting combination of the graphical modeling power of Petri nets and the verification tools of the B method. In fact, translating a Petri net into a B abstract machine can have many advantages, such as the generation of code, the integration of safety invariants or the aggregation with other formal models. Therefore, B verification will enlarge the scope of its applicability by gaining a new modeling alternative through model transformation. An illustrative example of the transformation is presented for a railway case study.

Taking advantage of some complementary modelling methods to meet critical system requirement specifications

Computers in Railways XI, 2008

This paper aims at showing how it is possible to combine the advantages of high-level Petri nets and the B method in order to design safety applications. In the railway critical software domain, safety requirements are obviously stringent. Indeed, the transition from an informal specification to a formal one is a crucial point in critical software development. High-level Petri nets combine three important features: a graphical representation, a dynamic behaviour and an abstraction of the treatments. The B method allows one to pass from an abstract specification to a concrete implementation. We propose an approach that integrates the structuring and modelling of the system behaviour by means of coloured Petri nets built from semi-formal specifications, and the generation of a B abstract specification from this Petri net.

European railway traffic management system validation using UML/Petri nets modelling strategy

European Transport Research Review, 2010

Purpose: The European Union set up a European management system for rail traffic, the ERTMS system, to ensure safe train circulation on the different European networks. As the full deployment of this system is long and expensive, evolutions are necessary and raise other technological challenges. The goal is to determine how to use ERTMS specifications to produce test scenarios. This paper presents methods, models and tools dedicated to the generation of test scenarios for the validation of ERTMS components based on functional requirements.

Methods: The development of the ERTMS system requires adequate methods for modelling and checking its behaviour. Evaluation and certification of the system can be done by generating test scenarios using formal methods. The Unified Modelling Language (UML) is a widely accepted modelling standard in industry. However, it is a semi-formal language and it does not allow verification of system behaviour. In this case, formal models like Petri nets can be used.

Results: These methods are used in order to formalize the ERTMS specification. Test scenarios are generated on the basis of Petri net models. One scenario is considered as a firing sequence in the reachability graph of the Petri net. Then, test scenarios are applied to an ERTMS platform simulator in order to check the components and to give test verdicts.

Conclusions: Finally, the approach developed in this paper has been applied to ERTMS components in order to demonstrate the reduction of validation and certification costs and to minimize the upgrade and retrofit constraints.

A CPN/B method transformation framework for railway safety rules formal validation

European Transport Research Review, 2017

This paper presents a "CPN/B method" based process for railway systems safety analysis. Achieving interoperability through the European Rail Traffic Management System (ERTMS/ETCS) faces difficulties in railway safety assessment due to the interaction of national and European operating specifications. These specifications have been modeled using several formalisms, which makes it extremely hard to preserve all requirements when switching between different formalisms. However, this problem, crucial for efficient progress in railway safety research, has received very little attention in the literature. In this respect, the purpose of this contribution is to provide a methodology to demonstrate safety in railway systems by converting CPN models, widely used in modeling, into B abstract machines. It aims at enabling a stronger combination of formal design techniques and analysis tools able to cope with the real complexity of systems and to automatically prove that safety properties are unambiguous, consistent and not contradictory, in an industrial railway context.

A study of railway ERTMS safety with Colored Petri Nets

European railway systems are in a constant technological progression combined with international interoperability and standardization. This need gave birth to the European Rail Traffic Management System (ERTMS), whose goal is to provide the basic framework for interoperable rail signaling and train control. The analysis, verification and validation of such specifications are naturally crucial. These studies are done on models that are more or less formal. The presented work has chosen Colored Petri Nets (CPN) for the system modeling and analysis. CPN allow not only the modeling of the overall system structure but also its possible evolution in time. It is in this context that they are applied in this paper to express both (1) the ERTMS operational procedures and (2) the on-board and trackside component communication. The main goal of this work is to test the feasibility of constructing the complete specification model using a unique modeling approach and to prepar...

Petri net and rewriting logic based formal analysis of multi-agent based safety-critical systems

2020

The formal design and development of multi-agent systems has attracted considerable attention over the past decades because of their extensive use in safety-critical applications. This paper presents an efficient, hybrid and scalable formal development approach for safety-critical systems based on the multi-agent paradigm. In fact, we aim in this paper to benefit from the advantages of existing tools and techniques for each development stage and then to integrate them in one unified approach. In particular, we advocate using Petri nets and rewriting logic to facilitate the formalization of multi-agent based systems, and we integrate both model checking and property-based testing techniques in the verification and testing stages. To illustrate the utilization and effectiveness of the proposed approach, we use it to analyze a simple automated distributing machine.

A model-based system engineering approach to manage railway safety-related decisions

International Journal of Transport Development and Integration, 2019

The safety assessment of Safety Critical Systems (SCSs) is a challenging task since it involves different actors and a combination of several knowledge domains. This increases the complexity of integrating safety requirements into the design model. Consequently, there is a need for a shared model with an unambiguous terminology, aiming to avoid misunderstandings between the safety and design teams. In this paper, we propose a model-based system engineering approach in order to support goal-oriented safety reasoning and to provide a common model between safety and requirement engineering, driven by goals. Furthermore, the present study considers the safety rules development process based on the Organization-based Access Control (Or-BAC) model, which is normally used to improve the security of information systems. Then, a common vocabulary for interpreting the relevant notions of each domain is defined. Moreover, safety requirements are expressed with a high level of abstraction according to the required railway knowledge, and the requirement traceability process is handled through top-down reasoning using Unified Modeling Language (UML) diagrams. The proposed approach aims to provide a methodology able to identify safety conditions in order to anticipate risks and to make better safety-related decisions. Finally, the proposed methodology is evaluated through the analysis of a real accident scenario in order to validate its ability to represent real critical situations.