Intervenant - date Requirement Refinement to Test Case Generation for Embedded Railway Control Systems by : Ying YANG 09/06/2011 Ph.D Student French institute of science and technology for transport, development and networks (IFSTTAR) Lille, France

Intervenant - date Content Introduction and background Formal specification –Requirement refinement method –A case study Formal verification –Method of conformance testing - a framework

Intervenant - date Content Introduction and background Formal specification –Requirement refinement method –A case study Formal verification –Method of conformance testing - a framework

Intervenant - date FERROCOTS project Cabling technology using relay panels Cabling technology using relay panels Railway command- control systems Cabling technology Use of electronic cards with simple logic gates, transistors, diodes and analog circuits to perform logic functions. Disadvantages Difficult to update the functions Weight Cost Disadvantages Difficult to update the functions Weight Cost 1

Intervenant - date FERROCOTS project COTS-based technology COTS-based technology Railway command- control systems FPGA COTS-based technology Use of Commercial-Off-The-Shelf (COTS) components a COTS is a programmable piece of hardware called High Speed Field-Programmable Gate Array (FPGA). Space-, Weight-, Cost-saving, Flexible Easily maintained Reuse of components Cabling technology using relay panels Cabling technology using relay panels 2

Intervenant - date Content Introduction and background Formal specification –Requirement refinement method –A case study Formal verification –Method of conformance testing - a framework

Intervenant - date Transformation from informal to formal requirement 3 What we want: Formal specification –Describe what the system should do –By building a rigorous mathematical model How to get formal models: Transformation from informal to formal requirement Formal models Requirement list Rn: R2: R1: fonction requirement Transformation Traceability

Intervenant - date Requirement refinement method Objective and introduction Properties Requirement document Raw requirements Formalization Refined requirements Refinement Analyze Verification Requirement refinement method: A progressive transformation Assure the requirement traceability Formal verification : model-checking test/simulation 4

Intervenant - date Process1: requirement refinement process Three refinement patterns Refinement patterns: –«Clarify» –«Split» AND/OR/XOR –«Modify» «Add» «Remove» «Change» 5 Activity diagram of requirement refinement process

Intervenant - date Process 1: requirement refinement process Intro SysML SysML –Modeling for system engineering –Inspirited by UML 2 Requirement diagram 6

Intervenant - date Process1: requirement refinement process New stereotypes defined SysML profile diagram with new stereotypes and their attributes defined 7 Stereotypes Refinement patterns «ClarifyReq»«Clarify» «SplitReq» AND/OR/XOR «Split» AND/OR/XOR «ModifyReq» add/remove/ change «Modify» add/remove»/ change

Intervenant - date Process 2: requirement formalization process Formal framework-CTL* Formal framework: a temporal logic CTL* –Classical logic + operators with time –A superset of CTL (Computation Tree Logic) et LTL (Linear Time Logic) Why? –For formal verification Model checking / test –Intuitive logic Logic operators directly mapped to natural language words, like Globally, Finally 8

Intervenant - date Path operators X (next), F (future), U (until), G (globally)… |= G p State operators A (always) Aφ: the formula φ must hold on every path. R: the train doors can be opened only when the train speed 2km/h AG(dooropen trainspeed 2km/h). 9 Process 2: requirement formalization process Formal framework-CTL*

Intervenant - date Case study Train Door Control system COTS (FPGA) central console series of subsystems Sensors Alarms Fire detection Door (un)locking … Local command General command 10 Inputs when a passenger push the button to open one of the doors in the right side of train, the COTS receives a local command, then it verify whether authorization of right-hand doors is true…

Intervenant - date The requirement of generating the authorization of door opening is described as follows: –1) some buttons can allow the driver to generate the authorization for door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin. –2) When the train speed is 2km/h, if the doors are closed and locked, the doors can be authorized to be opened. 11 Case study Train Door Control system

Intervenant - date 12 1)some buttons can allow the driver to generate the authorization for door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin. 2) When the train speed is 2km/h, if the doors are closed and locked, the doors can be authorized to be opened. 1)some buttons can allow the driver to generate the authorization for door opening. a) A push button for cancelling the signal of closing the right-hand doors, which is located on the console. b) A push button for cancelling the signal of closing the left-hand doors, which is located on the console. c) A push button for cancelling the signal of closing the right-hand doors, which is located near the right side of the window in the driving cabin. d) A push button for cancelling the signal of closing the left-hand doors, which is located near the left side of the window in the driving cabin. 2) When the train speed is 2km/h, if the doors are closed and locked, the doors can be authorized to be opened.

Intervenant - date R1.1.3 is formalized by P1.1.3 its variables: PB(C-CD-R)_1: push button 1 for cancelling the signal of closing the right-hand doors PB(C-CD-R)_2 : push button 2 for cancelling the signal of closing the right-hand doors AU-OD-R : authorization for opening right-hand doors P1.1.3 : 13 Case study Train Door Control system

Intervenant - date P1.1.4 similar to P Case study Train Door Control system

Intervenant - date R1.3.1 is formalized by P1.3.1 its variables : TS: the train speed is 2km/h door_R: the set of all the right-hand doors close_R and lock_R: the state of right- hand doors AU-OD-R : authorization for opening right-hand doors P1.3.1 : P1.3.2 : 15 Case study Train Door Control system

Intervenant - date 16 Case study Train Door Control system

Intervenant - date Content Introduction and background Formal specification –Requirement refinement method –A case study Formal verification –Method of conformance testing - a framework

Intervenant - date Conformance testing - a framework Verification Phase 17 Properties Formalization Refined requirements Testing process Specification Phase Model- checking Testing

Intervenant - date JING YANG IFSTTAR, ESTAS, F Villeneuve dAscq, France