Survey on Formal Methods and Tools in Railways: The ASTRail Approach
Related papers
The Role of Formal Methods in Software Development for Railway Applications
Concepts, Methodologies, Tools, and Applications
Formal methods for thirty years have promised to be the solution for the safety certification headaches of railway software designers. This chapter looks at the current industrial application of formal methods in the railway domain. After a recall of the dawning of formal methods in this domain, recent trends are presented that focus in particular on formal verification by means of model checking engines, with its potential and limitations. The paper ends with a perspective into the next future, in which formal methods will be expected to pervade in more respects the production of railway software and systems.
IEEE Transactions on Software Engineering, 2021
Formal methods and supporting tools have a long record of successes in the development of safety-critical systems. However, no single tool has emerged as the dominant solution for system design. Each tool differs from the others in terms of the modeling language used, its verification capabilities and other complementary features, and each development context has peculiar needs that require different tools. This is particularly problematic for the railway industry, in which formal methods are highly recommended by the norms, but no actual guidance is provided for the selection of tools. To guide companies in the selection of the most appropriate formal tools to adopt in their contexts, a clear assessment of the features of the currently available tools is required. To address this goal, this paper considers a set of 13 formal tools that have been used for railway system design, and it presents a systematic evaluation of such tools and a preliminary usability analysis of a subset of 7 tools, involving railway practitioners. The results are discussed considering the most desired aspects by industry and earlier related studies. While the focus is on the railway domain, the overall methodology can be applied to similar contexts. Our study thus contributes with a systematic evaluation of formal tools and it shows that despite the poor graphical interfaces, usability and maturity of the tools are not major problems, as claimed by contributions from the literature. Instead, support for process integration is the most relevant obstacle for adoption of most of the tools.
1 INTRODUCTION
The development of railway safety-critical systems, such as platforms for on-board automatic train control [1], [2] or computer-based interlocking infrastructures to route the trains [3], [4], has to follow strict process guidelines to deliver products that are highly dependable and trustworthy [5], [6].
Formal methods are mathematics-based techniques for the specification, development and (manual or automated) verification of software and hardware systems [7], [8], and are particularly indicated when rigor is a main concern. They have a long history of over 30 years of success stories in railway applications [5], [9], [10], with several support tools available in the market [11], [12], [13], [14]. Furthermore, the CENELEC EN 50128 norm [15], which is the standard for the development of railway software in Europe, highly recommends the usage of formal methods for the design and verification of those products that need to meet the highest safety integrity levels. Despite these premises, the adoption of formal methods and their supporting tools by companies is rather limited [16], [17], and railway practitioners ask for more guidance to select the most adequate formal tool, or set of tools, for their development contexts [18], [19], [20]. This is common also to other application domains. As observed by Steffen [20]: "Prospective users have a hard time to orient themselves in the current tool landscape, and even experts typically only have very partial knowledge. Thus, the need for a more systematic approach to establish the profiles of tools and methods is obvious". Previous work on applications of formal methods to railway problems has mostly focused on reporting experiences [1
2020
The term Formal Methods (FMs) refers to a set of techniques and software toolkits that, based on mathematical rigor, can enhance safety, security, and the efficient operation of a wide range of systems. Considering that several innovative FM applications have been performed over the last few decades, the utility of toolkits that are based on FMs has already been showcased in several industrial settings, such as the avionics and automotive industries, medical devices, computer software, and hardware systems, and finally, the railways and the railway-signalling sector. The current article focuses on the last of the aforementioned sectors, that of railway signalling, and aims to analyse research directions that regard the adoption of FMs in signalling. Despite the benefits and the availability of reports on the topic, the implementation of the adoption of FMs can be considered yet to be successful in most organizations that develop related systems. The authors have observed that this ...
A Formal IDE for Railways: Research Challenges
Springer eBooks, 2023
The development of modern railways applications must be supported by trusted tools, able to cover the whole development process. In this paper we report on the research challenges underlying a comprehensive toolset for the design of computer-based interlocking systems. Following a VV development process, the framework adopts a clear separation between the abstract interlocking logic and the instantiations characterizing the single stations. The challenges include the definition of adequate specification languages, the generation of executable code and simulation infrastructure, traceability, test case generation, and formal verification.
Keywords: Railways interlocking systems • Model-based design • Formal verification • Automated test case generation • Reverse engineering
This invited contribution is based on the keynote presentation given by Alessandro Cimatti at the 2022 F-IDE workshop, affiliated with SEFM'22, Berlin (DE).
On the Industrial Uptake of Formal Methods in the Railway Domain
Integrated Formal Methods, 2018
The railway sector has seen a large number of successful applications of formal methods and tools. However, up-to-date, structured information about the industrial usage and needs related to formal tools in railways is limited. As a first step to address this, we present the results of a questionnaire submitted to 44 stakeholders with experience in the application of formal tools in railways. The questionnaire was oriented to gather information about industrial projects, and about the functional and quality features that a formal tool should have to be successfully applied in railways. The results show that the most used tools are, as expected, those of the B family, followed by an extensive list of about 40 tools, each one used by few respondents only, indicating a rich, yet scattered, landscape. The most desired features concern formal verification, maturity, learnability, quality of documentation, and ease of integration in a CENELEC process. This paper extends the body of knowledge on formal methods applications in the railway industry, and contributes with a ranked list of tool features considered relevant by railway stakeholders.
24th International Conference on Formal Methods for Industrial Critical Systems (FMICS), 2019
In order to assist domain experts, several tools exist for the definition of graphical or textual domain specific modeling languages (DSMLs). The resulting models are useful, but not sufficient, for an overall understanding of the system, especially when formal methods are being applied. Indeed, formal methods failures often result from misunderstandings of the requirements, even if the system is entirely proved. This is confirmed by several industrial experiments which showed that the poor readability of the formal notations is not convenient for communication with domain experts and hence the validation activity is often tedious, time consuming and complex. In order to circumvent this shortcoming, we propose to make domain specific models provable and also executable thanks to the animation of their expected behaviour directly in a dedicated DSML tool. Our approach starts from an intuitive description of the system's operational semantics thanks to high-level Petri-nets which abstract away structural constraints and focus on safety-critical behaviours. Then we take benefit of the B method in order to refine and prove these operational semantics on the one hand, and to merge them with the static semantics of a given DSML, on the other hand. This work is applied to the design of ERTMS/ETCS 3 which is an emergent solution for railway system management.
Urban Rail Transit
This paper presents a formal model-based methodology to support railway engineers in the design of safe electronic urban railway control systems. The purpose of our research is to overcome the deficiencies of existing traditional design methodologies, namely the incompleteness and the potential presence of contradictions in the system specification resulting from non-formal development techniques. We illustrate the application of the methodology via a case study of a tram-road level crossing protection system. It was chosen partly because it has a simple architecture and a small number of elements, thus it fits the scope limitations of this article. At the same time, it is suitable for presenting all essential features of our methodology. The proposed solution provides a specification/verification environment that facilitates the construction of correct, complete, consistent, and verifiable functional specifications during the development, while hiding all the formal method-related ...
A formal design of the hybrid European rail traffic management system
Proceedings of the 13th European Conference on Software Architecture - Volume 2, 2019
Railway Transportation Management Systems are an emerging field in the context of advanced distributed software systems. Methods and techniques supporting rigorous formal design of system architecture where software components interact with each other and control physical components are highly demanded to assure reliability of the system operation. We present a formal model of the Hybrid ERTMS/ETCS Level 3, the new standard of the European Rail Traffic Management System, aiming to replace the different national train control and command systems by a unique European railway management system. We use the Abstract State Machine (ASM) formal method to provide a complete specification of the standard. The model has been developed through a sequence of model refinement steps following the incremental way in which requirements describe train operation. We have exploited the ASMETA tool-set supporting the ASMs to simulate the abstract models and validate them with respect to the operational...