Specification and Test Case Generation

8/8/2019 Specification and Test Case Generation

http://slidepdf.com/reader/full/specification-and-test-case-generation 1/20

1

SpecificationandTestCaseGeneration

fortheSafetyKerneloftheNaplesSubway

AntonioCasazza(+),DarioComini(*),AngeloMorzenti(o),

MatteoPradella(o),PierluigiSanPietro(o),FabioSchreiber(o),

(o)DipartimentodiElettronica,PolitecnicodiMilano

(*)MetropolitanaMilanese

(+)AnsaldoSegnalamentoFerroviario

Abstract

Wereportonanexperienceintheapplicationofformalmethodstothespecification,validation

and verification of a railway signalingsystem: thesafety kernel of theNaplesSubway. Theactivitywasperformedexpost ,severalyearsafterfinalsystemdelivery,basedonthedesign

documentation [MM93, Ans94].We first illustrate the requirement specification using the

object-orientedtemporallogicTRIO.Thenwerelateontheuseofthespecification,bymeans

of suitable support tools, to validate therequirements and to generatesomescenarios to be

employedastestcasesintheverificationphase.

1.Introduction

The design and construction of the signaling system in the Naples subway presented an

interesting integrationamonga fewconventional components,suchasthegroundapparatus

that realizes command and control functions for signals and switches, and some moreinnovativeones,suchasthegroundapparatusthatdeterminethefree/blockedtrackstatusand

imposestheminimumdistanceamongtrains.Thesefeaturesdifferentiateitfromotherplants

constructeduntiltheninItaly,astheywererealizedusingmicroprocessor-basedtechnology.In

particular,thesafetycriticalfunctionsofAutomaticTrainBlockwereaccomplishedthroughan

ATIS(AudiofrequencyTransmissionadInterlockingSystem),asystemwhosemainfunctions

are:traindetectiononthetracks,checkoftrackintegrity,andcomputationandtransmissionto

thetrainsoftheinformationregardingthestateofthesignalingdevices,toallowtheonboard

instrumentationtoregulatethetrainrunning.

TheATISwas structured into a centralcomponentcalledTopological Interface,whichwas

connected,throughafiberopticnetwork,toasetofPeripheralPostsdisplacedonthetracks.Theseact asan interface to the trackcircuits,whichconstitute themediumforinformation

transmissiontothetrains.ThecomponentoftheTopologicalInterfacethatselectsthecodesto

be sent to the trains for each automatic block section or for each track circuit, and that

communicateswiththePeripheralPostsiscalledtheSafetyKernel.

ThepresentpaperreportsonthemodelingoftheSafetyKernelthroughaspecificationwritten

intheformalspecificationlanguageTRIO[M&S94],andontheproductionoffunctionaltest

casesbasedontheTRIOmodel,forthepurposeofvalidationofthespecificationitselfandfor

implementationverification.Theactivitywasin factperformedafter theNaplesSubwayhad

beenconstructed,validated,andinoperationsinceseveralyears.Thiswasanexperimentinthe

frameworkofacooperationbetweenMetropolitanaMilaneseandPolitecnicodiMilanointhe



2

application of formal methods to the specification, validation and verification of signaling

systemsfortrainsandsubways.

ThespecificationisnotsostrictlyrelatedtotheNaplesplant,sinceitisparametricwithrespect

to theplant topology. Thus, itcan be easilyreusedtomodeldifferent plantsbymeans ofa

simpleredefinitionofthespecificationmoduledescribingtheplanttopology.

The specification is basedonsome simplifying assumptions,which howeverdo not limit its

completeness and generality. In particular, we ruled out some of the information that the

TopologicalInterfacesendstothetrackcircuits(thetransmissionfrequencyofthenexttrack,

thebrakingprofileandtheremainingsectionlength),whichcanhowevereasilybeadded.The

consideredaspectsconcern therunningdirection,thesectionentranceandexit speed,which

areassumedtobethesameforallthetrackcircuitsofagivensection.Inotherwords,from

theviewpointoftheTopologicalInterfacewedonotdistinguishthevariouscircuitsinsidethe

samesection.Thesesimplifyingassumptionscanbeeasilyremovedwhenevernecessary.

The document is structured as follows: Section 2 presents a brief overview of the TRIO

formalism;Section3includestheTRIOspecificationoftheSafetyKernel;Section4describes

thetestcasegenerationactivitiescarriedoutonthespecification.

2.ThespecificationlanguageTRIO

TRIO is basedonclassical predicatecalculus,extendedwith temporal operators to refer to

time instantsdifferent from thecurrent one,which is leftimplicitin theformula.Toallowa

specifiertodescribetimerelatedentities,TRIOvariables,functions,andpredicatesaredivided

intoTimeDependent (TD) andTime Independent ones.Timedependentvariables represent

physical quantitiesor configurations that are subject to changewith time; time independent

variablesrepresent quantitiesor configurations thatareunrelatedwithtime.Timedependent

functionsandpredicatesdenoterelations,propertiesor eventsthatmayormaynotholdat a

given time instant, while time independent functions and predicates represent facts andpropertiesthatareassumednot tochangewithtime.TRIOisa typedlanguage,inthatevery

variable is associated to the domain of the values that it can assume, every function is

associatedwith adomain/range pair, and adomainis associate to each oftheargumentsof

everypredicate.Amongthedomainsthereexistsadistinguishedone,calledtheTimeDomain,

thatisnumericinnature:it canbe,forinstance,thesetofintegers,real,orrationalnumbers.

Weassumeaspredefined,forallnumericaldomains(andhencefortheTimeDomain)allthe

functionsrepresentingthecommonarithmeticoperations,suchas+,-,*,/,DIV,MOD,etc.,

andtimeindependentpredicatesrepresentingcommonrelationaloperators,suchas=, ≠,<,≤.

Besides variables, functions, and predicates TRIO includes the propositional operators, ‘~’

(NOT),‘−>’(IMPLIES),‘&’(AND),‘|’(OR),‘≡’,‘XOR’,andthequantifiers‘EXISTS’and‘FORALL’. TRIO formulas can also becomposed by usingprimitive and derived temporal

operators,asexplainednext.

PrimitiveOperators

There are two temporal primitive operators, Futr and Past , that allow one to refer,

respectively,toeventsoccurringinthefutureorinthepastwithrespecttothecurrenttime,

whichisleftimplicitintheformula.ForanygivenformulaF ,thecomposedformulasFutr(F ,t )

andPast(F ,t )holdat the current timeif andonly if theproperty denotedbyF holdsatthe

instantt timeunitsafter(respectively,before)thecurrenttime.



3

AFirstExample

Letusconsiderasimplerailwaytrack,whereatrainentersatoneendandexitsattheopposite

endafteragivenmaximumtime,say10seconds.Theeventoftrainarrivalattheentranceend

is represented by the booleanTD variable in; the train exit event is denoted as out. The

requirement that every train exit exactly 10 seconds after its entrance is expressed by the

followingformula:

in->Futr(out,10)

Theformulaexpresses,throughalogicalimplication,theconstraintthatifatrainarrivesatthe

currenttime,atrainwillexitexactly10timeunitsafter.

DerivedOperators

To specifymore complexrelationsTRIOprovides a setofderived temporaloperators.Ina

morerealisticexample,theentranceofatrainintoarailwaytrackisfollowedbyitsexitwithin

agiventime,notexactlyafterthattime.ToexpressthisconstraintitisusefultoemploythederivedoperatorWithinF("withininthe

future"),definedasfollows:

WithinF(A,t)=def existsd(0<d<t&Futr(A,d))

ThemeaningofWithinF( A,t )isthat Awillbetrueatadistancet orlessinthefuture.Thenthe

requirementexpressedinformallybeforeontherailwaytrackcanbeformalizedasfollows:

in->WithinF(out,10)

An evenmorerealistic example is that the traincannot exit beforeagiventime,such as 5

seconds (i.e., thetrainmust runthrougha certaintrackwithagivenspeed limit).Aderived

operatorusefulfordescribingthissituationis Lasts,definedasfollows:

Lasts(A,t)=def foralld(0<d<t->Futr(A,d)).

ThemeaningofLasts(A,t)isthatproperty Aholdsforallnextt timeinstants(presenttimeand

instantatdistancet excluded).Thepreviousconstraintontheminimumtimetoexittherailway

trackisthereforeexpressedasfollows:

in->Lasts(~out,5)&Within(out,10)

Themeaningoftheformulaisthatif inoccursatthecurrenttimethenout willbefalseforat

least5fivetimeunits(thatis,thetrainwillnotexitinthefirstfiveseconds)butitwillbecome

truebefore10secondelapse.

TRIOincludesmanyotherderivedtemporaloperators,whichallowaspecifiertoexpresseven

the most complex timing requirements. For a thorough discussion on the derived temporal

operators, we remind the interested reader to [CC&98], as no other temporal operator is

necessarytodescribethetimerequirementsinthetopologicalinterface.



4

Axioms

EveryaxiomisaTRIOformulathatexpressesaninvariantpropertyofthespecifiedsystem.As

opposedtomethodsbasedonstatesandtransitions,whichdescribewhatthesystemmustdo

byindicatinghowitmustbedone,theTRIOlanguageallowsonetodescribethesystemby

specifying thepropertiesthat itmustsatisfy.Eachproperty isdescribedbyaformula,called

axiom.Therefore,ingeneral,aTRIOspecificationisacollectionofaxioms.

Modularity

TRIO specifications are usually organized in modules. The possibility of structuring a

specification into modules provides a support to an incremental top-down approach, to the

specification activity through successive refinements but also permits to construct reusable

specifications of independent (sub)systems which can be composed in a different manner

dependingon theapplication context.WithTRIOit is alsopossible to describea system at

differentabstractionlevelsandtofocuswithgreaterattentionanddetailonsomemorecritical

andrelevant aspects,without specifying formally, or providingonlyapartial specificationof

otherpartsthatareconsideredaslesscriticalormorestandard.

TRIOmodulesarecalled classes.Aclasscanbesimpleorstructured.Asimpleclassisasetof

axiomsprefixedwith thedeclaration of theclass items, i.e.,of thevariables,predicates, and

functions,bothtimedependentandtimeindependent,thatoccurintheaxioms.Asanexample

of a simple class, let us consider class “topografia”, a fragment of the specification of the

topologyinasubwayplant:

classtopografia

//Sbadenotesthesetofautomaticblocksectionsintheplant.

Outputs:

TIItems //declarationoftimedependentfunctionsandpredicates

functionsvelMax:Sba->Integer//themaximumspeed,inkm/h,allowedinasba

predicatessucc(Sba,Sba); //succ(a,b)holdsiffaisatopologicalsuccessorofb

pred(Sba,Sba); //pred(a,b)holdsiffaisatopologicalpredecessorofb

Axioms

Varss,s1,s2:Sba

1:succ(s1,s2)<->pred(s2,s1)

2:foralls1exists2succ(s1,s2)|pred(s1,s2)

//everysbahasatleastonesuccessororonepredecessor(thereisnoisolatedsba)

3:foralls(velMax(s)IN{0,15,30,45,65,77})// possiblespeedvalues

endtopografia

Structuredclasses

Classesthathavecomponents,calledmodules,belongingtootherclassesarecalledstructured

classes.StructuredclassessupportthedescriptionofmodularTRIOspecifications,suitableto

describesystemswhose partsmustbeclearlyidentified.

Forinstance,thespecificationoftheTopologicalInterfacecanbestructuredintothreeparts:a

route manager (module gestioneItinerari) a topology manager (module topografia) for a

particularplantand amodule thatcomputes theinformation tobesentto thetracksections

(modulecalcoloCurva).Suchaspecificationcanberepresentedbyafigureasfollows.



5

succ

pred

velMax

gestioneItinerari

topografia

calcoloCurva

anormale

direzioneMarcia

liberazione

formato

segnale

deviatoio

InterfacciaTopografica:nucleosicurezza

itinerarioComandatocurva

stato

Figure2.1.ThestructureoftheInterfacciaTopografica.

ThemoduleInterfacciaTopograficareceivesinformationonthestatusoftheplant(itemstato)

andonthedrivenroute(itemitinerarioComandato)andprovidesthespeedcurve(itemcurva)for the track circuits of the route. The three inner modules shown in the figure above,

gestioneItinerari, topografia, and calcoloCurva, correspond to the three parts previously

outlined. Theconnections among themodules represent the exchange of information in the

directionsshownbythearrows.Forinstance,themaximalspeedinasection(itemvelMax)is

providedbymoduletopografiabothtomodulegestoreItinerariandtomodulecalcoloCurva.

3.TheSpecification

3.1Thespecificationentities

Wenowintroducethevariousentitiesthatwillbeformalizedinthespecification.Atrackcircuit(circuitodibinario,orcdb)isanelectricalcircuitwhosepurposeistotransmit

suitable messages, called codes, to the on board devices. A track circuit is the abstract

representationofthephysicalentityconstitutedbyapieceoftrack.Eachcdbisinrelationwith

a peripheralpost(PostoPeriferico)andisacomponentofanautomaticblocksection (sezione

dibloccoautomatico,sba).

An automatic blocksection is thepieceoftrack referencedby themessages thattheground

devicessendto theonboarddevices.Eachsbaincludesoneormoretrackcircuits,withtwo

signals (entrance signals in the two possible running directions) and zero, one, or more

switches.An sba is the piece of track of minimal length for which it is certain that, upon

occurrenceofatrainblock,thetrainwillreachastopwithoutovercomingitsend.Eachsbareceivesformthetopologicalinterfacea code:thatis,theinformationontheentrancespeed

(VISBA)andontheexit speed (VUSBA)ofthesba itself, and onthecurrentlyset running

direction (DIMAR). The runningdirection (direzionedimarcia)ofansbacanbe forward

(normale)orbackward(inversa).Therunningdirectionofarouteis,bydefinition,uniquefor

theentireroute,andisdeterminedbythefirstsbacomposingtheroute.Eachsbaisassociated

totwo finalpoints( puntofinale)correspondingtoitstwoextremities.

Aswitch(deviatoio)canbeinthreepositions forwardblocked (bloccatonormale),backward

blocked (bloccatorovescio),andnotblocked(nonbloccato).

Aroute(itinerario)iscomposedofanorderedsequenceofconsecutivesba,byadrivensignal

(segnale comandato) andby the stateofthefinalpoint ofthe lastsbain the sequence.TherouteisprovidedbytheACEI(seebelowforitsdefinition)uponrequestbythetrainoperators



6

anditalwaysincludes,whenitisconstructed,atleasttwo automaticblocksections.Thefirst

sectionistheonewherethetrainthatisrequestingtherouteiscurrentlypositioned;thesecond

oneistheimmediatelysuccessivesba.Thefinalpointofaroutecanbeeither free(libero),if

the sbadoesnot belong to any route, orblocked (bloccato) otherwise. Ingeneral the final

pointofarouteshouldbeblocked,toindicatethatthelastsbaoftherouteisnotusedforany

otherroute,asituationtobeavoidedbecauseitcancausetraincollision.A signal (segnale) is a semaphore that canbe in one of threepositions:stop (via impedita

imperativa)whennotraincanbeauthorizedtogobeyondthesignal,dark (spento),warning

(rosso permissivo) when the trains must stop but may be authorized to proceed in some

particularcases,anddrive(vialibera).Themainlinkbetweenarouteandasignalisthedriven

signal(segnalecomandato).Adrivensignalisthesignalattheentranceofthesecondsbaofa

route:thissignalisimportant becausethesecondsbaisthefirst followingthesbawherethe

train is running.The peripheral posthandlesthesignalbasedon theoperational stateofthe

relatedtrackcircuit.

Astop( fermata)isasubwaystation.

TheACEI( ApparatoCentraleElettricoapulsantidiItinerario)isthesubsystemthatreceivesfromtheonboarddevicestherequestofaroute,andthatisinchargeofreserving(byblocking

them)thenecessarysections,switches,andsignals.

The peripheralpost(PostoPeriferico,orPP) is thesetofelectronicappliancesthatdefine,

throughthetrackcircuits,thefreeorblockedstateforthepieceoftrackundercontrol.Itcan

exchangedatawiththeACEIandthetopologicalinterface.

The Topological Interface ( Interfaccia Topografica, or IT) is the central subsystem that

managesandselectsthecodes.Itreceivesinformationfromtheperipheralpostsonthestateof

thetrackandontherequestedroutes;itgeneratesallthecodestobesenttoeachtrackcircuit.

Suchcodesarenecessarytosendatrainonagivenroute.

Themainpurposeofthespecificationistodescribetherequirementsofthesafetykernelofthe

topological interface. Under the simplifying hypotheses reported in the introduction, the

individualtrackcircuitsofagivensbaarenotdistinguishedinthepresentspecification,andare

thereforeignored.

3.2TheTRIOSpecification

Thespecificationisparametricwithrespecttothesystem,whichisactuallydefinedbythesets:

Deviatoio,Segnale,Sba,PuntoFinale,Itinerario,andCodice.

Someusefulfunctionsdefinedon Itinerario(route):

Functionlengthofaroute

lung:Itinerario->Integer

returnsthenumberofSbaintheroute;

Functionrest ofaroute

rest:Itinerario->Itinerario

rest(i) returns the route iwithout its first

Sba

Functionelement ofaroute

sba:(Integer,Itinerario)->Sba

sba(k,i)returnsthek-thSbaoftheroutei

Function first ofaroute

prima:Itinerario->Sba

prima(i)≡sba(1,i)

Functionlast ofaroute

ultima:Itinerario->Sba

ultima(i)≡sba(lung(i),i)

Functionlast-but-oneofaroute

penultima:Itinerario->Sba

penultima(i)≡sba(lung(i)-1,i)



7

TheStructureoftheTopologicalInterface

We now describe the structureof the class interfacciaTopografica (theTopological Interface).

Theinputitemsoftheclassarethefunctionstato(thecurrentstateofswitches,blocksections,

sba signals and cdb) and the itinerarioComandato signal (i.e. the driven signal), which

correspondstoarouterequest/block.

The output is the speed curve associated to every sba.The overall structure of the system isrepresented by the modules' diagram, which consists of three modules: gestioneItinerari,

topografiaandcalcoloCurva.

classinterfacciaTopografica

Inputs:

TDItems

functions

Thefunctionstatoisoverloadedoverthesetsofdevicesoftherailnetwork:stato:deviatoio->{bloccatoNormale,bloccoRovescio,nonBloccato}

stato:segnale->{viaImpeditaImperativa,spento,rossoPermissivo,viaLibera}

stato:Sba->{libero,bloccato,occupato}

stato:Cdb->{libero,occupatoDaTreno,occupatoDaDisturbo}stato:PuntoFinale->{libero,bloccato}

predicates

itinerarioComandato(Itinerario)Thesetofthenewroutes(requestedroutes). EveryrequestedrouteincludesatleasttwoSba’s.

Outputs:

TDItems

functions

curva:Sba->Codice

Modules

//ThemoduledecompositionisreportedinFigure2.1

endinterfacciaTopografica

Thetopologicaldatamanagementmodule: topografia

Thetopografiamoduleprovidesthemaintopologicaldatatotheothermodules,gestioneItinerari

and calcoloCurva. It contains all the static and embedded information about the topological

structureofthesystem:itsphysicaldisplacementandthenetworkcharacteristics.

The networkstructure is representedbysucc, pred evelMax.Thesuccpredicateidentifiesthe

topological successor(s) of a given section, with respect to theforward running direction.The

pred predicateidentifiesthetopologicalpredecessor(s)ofagivensection(likewise,succidentifies

successors).Themaximumspeedallowedforasectionisrepresentedbythe velMaxfunction.

Moreover,gestioneItinerariusesthepredicatesegnale,representingthesemaphoresignalatthe

entranceofasection(asusualwithrespecttotheforwardrunningdirection),andthepredicate

deviatoio, representingasection'sswitches.Thecompletespecificationis reported inSection2,

whilethedefinitionofthetopologyoftheNaplesplantisreportedinSection4.

Themodule gestioneItinerari

The module for route managing (gestioneItinerari) provides the module calcoloCurva with

important information about the various routes. Such items of information are called formato,

liberazione,anddirezioneMarcia.

Thetime-dependentitem formatoisthesetofformedroutesateveryinstant.

Thetime-dependentitemliberazione isthesetofrouteswhosenumberofsbahasbeenreduced,

becausethetrainintheroutehascompleteditsfirstsba:suchsbaisthenfreedandmadeavailableto form other routes; in the particular case that a route i was composed of just one sba,



8

liberazione(i)means that route i hasbeen completed, that is the trainarrived at the endof the

route.

Thetime-dependentitemdirezioneMarciasuppliesthedirectionofeveryformedroute,whichcan

beeithernormale(forward)orinversa(backward).

Aninternaltime-dependentsetofgestioneItinerari,calledanormale,isusedtodenotetheroutes

whosebehaviorbecomesabnormal,forinstancebecauseaswitchisnotcorrectlyblocked.

classgestioneItinerari

Input:

TDItems

functions

Thefunctionstatoisoverloaded(itisdescrivedalsoinmoduleInterfacccia

Topografica):

stato:deviatoio->{bloccatoNormale,bloccoRovescio,nonBloccato}

stato:segnale->{viaImpeditaImperativa,spento,rossoPermissivo,viaLibera}stato:Sba->{libero,bloccato,occupato}

stato:Cdb->{libero,occupatoDaTreno,occupatoDaDisturbo}

stato:PuntoFinale->{libero,bloccato}

predicatesitinerarioComandato(itinerario)

segnale:(Sba,{normale,inversa})->Segnali

segnale(s,d)isthesignalofthesbadfortherunningdirectiond(normaleisforward,

inversaisbackward)

Output:

TDitems

predicates

liberazione(Itinerario) setoffreedroutesateveryinstant

formato(Itinerario) setofformedroutesateveryinstant

direzioneMarcia(Itinerario,{normale,inversa}) runningdirectionofroutes

Internal:

TDitems

predicatesanormale(Itinerario) setofabnormalroutesateveryinstant

Axiomsvarsi,i1:Itinerario,s:Sba,d:deviatoi,dir:{normale,inversa}

liberazioneItinerario:

arouteisfreed(liberazione)whenthetrainhascompleteditsfirstsba

liberazione(i)<->past(stato(prima(i))=occupato,1)&stato(prima(i))=libero formazioneItinerario:

arouteisformed(formato)whenitisnotabnormalandoneofthefollowingconditionsholds:

• itisarequestedroute(itinerariocomandato);

• oratthepreviousinstantitwasformedandnotyetfreed(liberazionehasadelayedeffect);

• oritderivesfromafreedroutewhichisnotyetempty.

formato(i)<->~anormale(i)&

(itinerarioComandato(i)|past(formato(i),1)&~liberazione(i)|

existsi1(past(formato(i1)&liberazione(i1),1)&i=rest(i1)&lung(i)>0)

)

direzioneDiMarciaComandati:

Therunningdirectionofarequestedroutecanbederivedfromthetopologyofthesystem,sinceits

lengthisatleast2:

itinerarioComandato(i)->(direzioneMarcia(i,normale)<->pred(penultima(i),ultima(i))&direzioneMarcia(i,inversa)<->succ(penultima(i),ultima(i)))



9

direzioneDiMarciaEsistenti:thedirectionofaformedroutedoesnotchangeintime;moreover,ifaformedrouteisfreed,thenew

correspondingformedroutekeepsthesamedirectionoftheoldone:

formato(i)&~itinerarioComandato(i)->(foralli1(past(formato(i1),1)&(i=i1|past(liberazione(i1),1)&i=rest(i1)->

direzioneMarcia(i,dir)<->direzioneMarcia(i1,dir))

segnaleComandato:thedefinitionofthedrivensignalofaroute:thesignal,intheappropriaterunningdirection,ofthe

irstsbaoftheroute:

formato(i)->existsdir(direzioneMarcia(i,dir)&

segnaleComandato(i)=segnale(sba(2,i),dir))

anormalita':

arouteisabnormal(anormale)when:

itsfinalpointisnotblocked(bloccato)

oroneofitsswitches(deviatoio)isnotblocked

oritsdrivensignal(segnaleComandato)isinthebarredposition(viaImpeditaImperativa)oritisoff

(spento).anormale(i)<->

(stato(puntoFinale(i))<>bloccato| existssexistsd(sINi&deviatoio(d,s)&stato(d)=nonBloccato)|

stato(segnaleComandato(i))=viaImpeditaImperativa|

stato(segnaleComandato(i))=spento

)

endgestioneItinerari

Thespeedcurvemodule: calcoloCurva

The speedcurvemodule (calcoloCurva) calculatesand provides the speedsignalforevery sba

involvedinaroute.ThespeedsignaliscodedusingtherecorditemsVISBA,VUSBAeDIMAR,

whichareItalianacronymsforentrancespeed,exitspeedandrunningdirection,respectively.

TheDIMARitemisfixedineveryformedroute,andcorrespondstoitsfirstsba'sdefaultrunning

direction:thisinformationisprovidedbygestioneItinerari,usingthedirezioneMarciapredicate.

NowconsiderthecaseDIMAR=normale(forwardrunningdirection).Thebackward-direction

caseisimmediatelyobtainedbyswappingVISBAandVUSBA.Thespeedcurveiscomputedas

follows.

Letibethecurrentformedroute,andletsbeitscurrentsba.

• VISBAisthemaxspeedallowedins,verifyingtheequation:

curva(s).VISBA=velMax(s) .

• VUSBAdependsonthenext,withrespecttotheroute,sba'smaximumspeedlimit.If tisthe

nextsection,theconstraintis:

curva(s).VUSBA=velMax(t) .

Wenowconsiderthecaseofthelastsbaofaformedroute.Sinceitisassumedthatthetrainmust

stop,afterfinishingitsroute,thespeedinthelastsbaissetto0.

Anotherconstraintisgivenbythepresenceofanothertraininthenextsba:itisnecessarytokeep

atleastonefreesbabetweentwotrains,asasecuritymeasure.Inthiscasethespeedcurvemust

be0,fromthelast-but-onesba,totheendofthecurrentroute.

TopografiasendstocalcoloCurvaallthetopologyinformationaboutthesba's(thisisdoneusing

thesuccand predpredicates)andtheirspeedlimits(functionvelMax).

The module for route managing supplies the following information about routes: liberazione,direzioneMarciaand formato.



10

TheoutputofcalcoloCurvaisthespeedcurve,computedforeverysection.

Thestateofthenetwork(stato)-providedbythePeripheralPosts-isusedtodetermineifthereis

atraininthefollowingsections.

classcalcoloCurva

Inputs:

TIItems

functionsvelMax:Sba->Integer; sba'sspeedlimit

predicates

succ(Sba,Sba);

pred(Sba,Sba);

TDItems

predicates

formato(Itinerario);

liberazione(Itinerario);

direzioneMarcia(Itinerario,{normale,inversa});

Outputs:

TDItems

functionscurva:Sba->Codice; thespeedcurve

Codice:record

VISBA:Integer;sba'sentrancespeed VUSBA:Integer; sba'sexitspeed

DIMAR:{normale,inversa};sba'scurrentrunningdirectionend;

Internals:

TDItems

predicatestrenoProssimo(i)holdsiffthereisatraininatleastoneoftheiroute

nextadjoiningsectionstrenoProssimo(Itinerario);

Axioms

varsi:Itinerario;s:Sba;k:Integer;

d:{normale,inversa};

Speedcurveforthesectionsnotinformedroutes Everysbanotbelongingtoformedroutesisinadefaultreststate:

VISBA=VUSBA=0.

axNonFormati:foralls

(~existsi(formato(i)&sINi)->(curva(s).VISBA=0&curva(s).VUSBA=0));

Runningdirectionforformedroutes ItissuppliedbythegestioneItinerarimodule,tosendthecurrentDIMARtoverysba.

axDirezMarcia:

foralliforalld(formato(i)&direzioneMarcia(i,d)->forallk (1<=k<=lung(i)->curva(sba(k,i)).DIMAR=d

)));



11

AxiomsfortrenoProssimoTheseaxiomsmanagethelastsectionsofaformedroute:ifthereisatraininatleastoneofthenext

adjoiningsections,thentheroutespeedcurveissetto0inthecurrentsection.Thisassuresthefact

thatbetweedtworunningtrainsthereisatleastonecompletelyfreesection.

Whenaroutehasalengthlessthanorequalto2,calcoloCurvamustconsidereventheaxiomsconcerning"liberazione".

trenoProssimo(i)holdsiffthereisatraininatleastoneoftheiroute'sfollowingadjoiningsections.

axTrenoProssimo:foralli(formato(i)->

(trenoProssimo(i)<->

(direzioneMarcia(i,normale)&existss(succ(s,ultima(i))&

stato(s)=occupato

)|direzioneMarcia(i,inversa)&existss(pred(s,ultima(i))&

stato(s)=occupato))));

Thereisnotaclosetrainintheforwardrunningdirection:thespeedcurveissetto0onlyforthelast

section'sVUSBA.

axNonTrenoProssimoDirNorm:foralli(formato(i)->

(~trenoProssimo(i)&

(lung(i)>2|lung(i)=2&~liberazione(i))&

direzioneMarcia(i,normale)->

(curva(penultima(i)).VISBA=velMax(penultima(i))&curva(penultima(i)).VUSBA=velMax(ultima(i))&

curva(ultima(i)).VISBA=velMax(ultima(i))&

curva(ultima(i)).VUSBA=0)

));

Thereisnotaclosetraininthebackwardrunningdirection:thespeedcurveissetto0onlyforthelast

section'sVISBA(itexchangesitsrolewithVUSBAbecauseofthedirection).

axNonTrenoProssimoDirInv:

foralli(formato(i)->

(~trenoProssimo(i)&

(lung(i)>2|lung(i)=2&~liberazione(i))&

direzioneMarcia(i,inversa)->

(curva(penultima(i)).VUSBA=velMax(penultima(i))&curva(penultima(i)).VISBA=velMax(ultima(i))&

curva(ultima(i)).VUSBA=velMax(ultima(i))&

curva(ultima(i)).VISBA=0)

));

Thereisaclosetrainintheforwardrunningdirection:thespeedcurveissetto0fromthelast-but-one

section'sVUSBAtotheendoftheroute.axTrenoProssimoDirNorm:foralli(formato(i)->(trenoProssimo(i)&(lung(i)>2|lung(i)=2&~liberazione(i))&direzioneMarcia(i,normale)->(curva(penultima(i)).VISBA=velMax(penultima(i))&

curva(penultima(i)).VUSBA=0&curva(ultima(i)).VISBA=0&curva(ultima(i)).VUSBA=0)

));



12

Thereisaclosetraininthebackwardrunningdirection:thespeedcurveissetto0fromthelast-but-

onesection'sVISBA(likebeforeitexchangesitsrolewithVUSBAbecauseofthedirection)totheend

oftheroute.

axTrenoProssimoDirInv:foralli(formato(i)->

(trenoProssimo(i)&(lung(i)>2|lung(i)=2&~liberazione(i))&direzioneMarcia(i,inversa)->

(curva(penultima(i)).VUSBA=velMax(penultima(i))&curva(penultima(i)).VISBA=0&curva(ultima(i)).VUSBA=0&

curva(ultima(i)).VISBA=0)));

Routeswithunitarylength:withaclosetrain,thespeedcurveissetidenticallyto0;without,onlythe

exitspeedissetto0.axLung1:

foralli(formato(i)->(~liberazione(i)&lung(i)=1->

(trenoProssimo(i)->(curva(prima(i)).VISBA=0&curva(prima(i)).VUSBA=0))&

(~trenoProssimo(i)&direzioneMarcia(i,normale)->(curva(prima(i)).VISBA=velMax(prima(i))&curva(prima(i)).VUSBA=0))&(~trenoProssimo(i)&

direzioneMarcia(i,inversa)->(curva(prima(i)).VUSBA=velMax(prima(i))&curva(prima(i)).VISBA=0)

)));

Axiomsfornewandunchangedroutes

VISBAandVUSBAarecomputedinthisway:withaforwardrunningdirection,VISBAissettothe

speedlimit(velMax)ofthesamesection,whileVUSBAissettothelimitofthenextsba.Asusual

VISBAexchangesitsrolewithVUSBAwithabackwardrunningdirection.

Note:thelasttwosectionsaremanagedbythetrenoProssimoaxioms.

-forwardrunningdirectionaxStazionario-NuovoDirNorm:

foralli(formato(i)->(~liberazione(i)&direzioneMarcia(i,normale)->

forallk (1<=k<lung(i)-1->

(curva(sba(k,i)).VISBA=velMax(sba(k,i))&curva(sba(k,i)).VUSBA=velMax(sba(k+1,i))))));

-backwardrunningdirectionaxStazionario-NuovoDirInv:

foralli(formato(i)->(~liberazione(i)&direzioneMarcia(i,inversa)->forallk (1<=k<lung(i)-1->

(curva(sba(k,i)).VUSBA=velMax(sba(k,i))&

curva(sba(k,i)).VISBA=velMax(sba(k+1,i))))));



13

Axiomsforreducedroutes

Theseaxiomsmanagethecaseofreducedroutes:theonce-firstsbaisdisposedandmarkedasfreefor

otherroutes.ItsVISBAandVUSBAcurveitemsaresetto0.Likebefore,the2-lengthcaseispartiallymanagedbythetrenoProssimoaxioms.

Generalcase(routelengthgreaterthan2):thespeedcurveforthefirstsbaissetto0,whilethe

ollowing-withtheexcepitonofthelasttwosections-maintaintheirconfiguration.axLiberatoGenerale:foralli(formato(i)->(liberazione(i)&(lung(i)<>2)->

(curva(prima(i)).VISBA=0&curva(prima(i)).VUSBA=0&forallk

(1<k<lung(i)-1->past(curva(sba(k,i)).VISBA,1)=curva(sba(k,i)).VISBA&past(curva(sba(k,i)).VUSBA,1)=curva(sba(k,i)).VUSBA

)))); Routelengthequalto2:thespeedcurveissetto0inthefirstsba.Thespeedcurveofthelastsba

dependsontrenoProssimo.

axLiberatoLung2:foralli(formato(i)->(liberazione(i)&lung(i)=2->(curva(prima(i)).VISBA=0&curva(prima(i)).VUSBA=0)&(trenoProssimo(i)->(curva(ultima(i)).VISBA=0&

curva(ultima(i)).VUSBA=0))&(~trenoProssimo(i)&

direzioneMarcia(i,normale)->(curva(ultima(i)).VISBA=velMax(ultima(i))&curva(ultima(i)).VUSBA=0)

)&(~trenoProssimo(i)&direzioneMarcia(i,inversa)->

(curva(ultima(i)).VUSBA=velMax(ultima(i))&curva(ultima(i)).VISBA=0))

));endcalcoloCurva

4.TestcasegenerationforthespecificationoftheSafetyKernel

Thetestcasegenerationactivitywasconcentratedonasmallsetofscenarios,whicharesituations

deemedworth averificationactivity.Although consideringotherscenarios could beuseful,theselectedoneswerequitesignificantandthemostimportanttoverifyforthesystem.

ThetestcasegenerationactivityinTRIOisbasedonthegeneration,supportedbysuitabletools,

ofhistoriesforthespecifiedsystem.Suchhistories(henceforthcalledtestcases)describepossible

executionsequencesofthesystem,includingbothinputdatatobeprovidedtothesystemandthe

expected corresponding output data. The supporting tools allow generation of test cases inan

optimized way avoiding as much as possible the production of redundant information,

characterizinginputvs.outputevents,andeffectivehandlingofnondeterministicbehaviors.

In a first phase of the testing activity, test cases canbe used to check the specification itself,

verifyingwhetherwhatwespecifiedisconsistentwiththeknowledgeofexpertsaboutthesystem.

Forinstance,itispossibletoproposeahistoryofthesystembreakingsomesafetyrequirements

and automatically verifyingwhethersuchbehavior is allowed by the specification.Thiskindof

analysis increases confidence in the correctness of the specification,much in the sameway as



14

testingaprogrammay increase theconfidence in itsreliability: in fact, although testingcannot

provetheabsenceoferrors,itisespeciallyvaluableasameanstovalidatefunctionalrequirements.

Inasecondphase,whenthespecificationisconsideredcorrect,thetestcasescanbecollectedand

usedtotesttheimplementationofthesystem.Testingissimplifiedbecausethecorrectoutputdata

arealsoavailable.

In this project, the testing activity has allowed us to find a small, but subtle, error in the

specification,duetoanerroneousinterpretationoftheinformalrequirementsofthesystem.The

errorwasindeedfixedveryeasily.However,thisexperienceisfarfromuncommon:withoutsuch

a validation activity, there are errors in the specification that can easily go undetected and be

includedintheimplementationofthesystem.

Thescenarios

Thestudyhasconsideredsixsba's(calledsba_1, ..,sba_6)andtenroutes(it_1,.., it_10).Every

routecorrespondstothetravelfromonesbatoanotherone,asdescribedinTable4.1.Manyother

routesarepossible,butthestudywasrestrictedtotheroutesoftheproposedscenarios.

route Startingsba arrivalsba

it_1 Sba_1 sba_6

it_2 Sba_2 sba_6

it_3 Sba_3 sba_6

it_4 Sba_4 sba_6

it_5 Sba_5 sba_6

it_6 Sba_6 sba_6

it_7 Sba_1 sba_4

it_8 sba_2 sba_4

it_9 sba_3 sba_4

it_10 sba_4 sba_4

Table4.1:Theroutesconsideredduringthetestingactivity

Thetestcasegenerationactivityhascoveredthefollowingsituations:

1. atraingoesfrombeginningtotheendinforwarddirection(hence,fromsba_1tosba_6);

2. two trains,onefollowingtheother,proceedintheforwarddirection:thefirsttrainproceeds

fromsba_2tosba_6,whilethesecondentersonlylater,goingfromsba_1tosba_4;

3. twotrainsproceedasinthepreviouscase,butaretoocloseonetoeachother,violatingsafetyrequirements;

4. two trains, one following the other, proceed in the backward direction (this scenario is

symmetricaltocase1).

Theresultsshowthatthespecificationcorrectlyallowsthegenerationoftestcasescorresponding

toscenarios1,2and4,whilescenario3is,againcorrectly,rejectedbythetoolsbecauseitviolates

theformalspecification.

Forreasonsofefficiencyofexecution,thetopologyoftheNaplessubwayhasbeenincludedinthe

formofconstraintsforeveryhistoryratherthanasaxioms.Suchconstraintsdescribethevalues,

forsuchparticularsubway,ofthefollowingtimeindependentitems:

therelation pred betweenpairsofcontiguoussba's;



15

thefunctionrest ,whichmapseveryroutetothecorrespondingroutedeprivedofthefirstsba;

thefunctionsba,whichgivesthei-thsbaofagivenroute;

thefunctionvelMax,denotingthemaximumspeedforeachsba;

thefunctionlung,whichgivesthenumber(length)ofsbaofeveryroute;

the puntoFinalefunction,whichgivesbacktheindicationofthefinalpointofeveryroute.

pred(sba_1,sba_2): [1. .60] pred(sba_2,sba_3): [1..60] pred(sba_3,sba_4) :[1..60]

pred(sba_4,sba_5):[1..60] pred(sba_5,sba_6):[1..60]

rest(it_1)=it_2:[1..60] rest(it_2)=it_3:[1..60] rest(it_3)=it_4:[1..60]

rest(it_4)=it_5:[1..60] rest(it_5)=it_6:[1..60] rest(it_6)=undef:[1..60]

rest(it_7)=it_8:[1..60] rest(it_8)=it_9:[1..60] rest(it_9)=it_10:[1..60]

rest(it_10)=undef:[1..60] sba(1,it_1)=sba_1:[1..60]

sba(1,i t_2)=sba_2: [1. .60] sba(1,i t_3)=sba_3: [1..60] sba(1, it_4)=sba_4:[1..60]

sba(1,it_5)=sba_5:[1..60] sba(1,it_6)=sba_6:[1..60]


sba(1,i t_10)=sba_4:[1..60] sba(2,i t_1)=sba_2: [1..60] sba(2, it_2)=sba_3:[1..60]sba(2,i t_3)=sba_4: [1. .60] sba(2,i t_4)=sba_5: [1..60] sba(2, it_5)=sba_6:[1..60]






sba(6,i t_1)=sba_6: [1. .60] sba(5,i t_7)=undef:[1..60] sba(6, it_7)=undef:[1..60]

sba(4,i t_8)=undef :[1..60] sba(5,i t_8)=undef:[1..60] sba(6, it_8)=undef:[1..60]


sba(6,i t_9)=undef :[1..60] sba(2,i t_10)=undef: [1. .60] sba(3, it_10)=undef: [1..60]

sba(4,i t_10)=undef: [1. .60] sba(5,i t_10)=undef: [1. .60] sba(6, it_10)=undef: [1..60]






velMax(sba_1)=v30:[1..60] velMax(sba_2)=v65:[1..60] velMax(sba_3)=v77:[1..60]

velMax(sba_4)=v77:[1..60] velMax(sba_5)=v65:[1..60] velMax(sba_6)=v30:[1..60]

lung(it_1)=6:[1..60] lung(it_2)=5:[1..60] lung(it_3)=4:[1..60]



lung(it_10)=1:[1..60] puntoFinale(it_1)=pf6 : [1..60] puntoFinale(it_2)=pf6 : [1..60]

puntoFinale(it_3)=pf6:[1..60] puntoFinale(it_4)=pf6:[1..60] puntoFinale(it_5)=pf6:[1..60]

puntoFinale(it_6)=pf6:[1..60] puntoFinale(it_7)=pf4_5:[1..60] puntoFinale(it_8)=pf4_5:[1..60]

puntoFinale(it_9)=pf4_5:[1..60] puntoFinale(it_10)=pf4_5:[1..60]

Table4.2:ThetopologyoftheNaplessubway



16

Experimentalresults

Scenario1:onetrain

Thisisthemostbasicscenario:thereisonlyatrainrunninginthesubway.Thistrainmustcover,

withaforwardrunningdirection,everysectionofthesubway.Therearenodelays,faultsorother

abnormalbehaviors.

Therequestedrouteisit_1atinstant5.Thiscausesthetrain,initiallyinthesba_1section,tobegin

itsmarch,headedtowardssba_6.

As wecan see in the following figure, sba_1'sVISBA andVUSBA are set to theirmaximum

values,duringthetimeinterval5.10-i.e.whenthetrainisonsba_1.

Atinstant11thetrainpassessba_1:it_1routeisfreedandthecurrentroutebecomesit_2(i.e.

fromsba_2tosba_6).

Similarly,everyteninstantsthetrainpassesansba,whichisreleased:thetrainreachessba_3at

21;sba_4at31etc.

Atinstant51thetrainsstops:thedestination(sba_6)isreached.

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_1

VUSBAsba_1

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_2

VUSBAsba_2

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_3

VUSBAsba_3

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_4

VUSBAsba_4



17

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_5

VUSBAsba_5

t

v

0

10

20

30

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_6

VUSBAsba_6

Figure4.1.Thetimeprogressofthespeedcurve-theVISBAandVUSBAitems

Scenario2:twotrains

The secondscenario ismore complex:there aretwo trains (train 1and 2)placed in sba_2and

sba_1,respectively.The first trainmustcoversba_2to sba_6witha forwardrunningdirection.

Thesecondtrainstartsfromsba_1andmustreachsba_4,clearlywiththesamerunningdirection.

Thetworoutesareit_2andit_7,respectively.

Therequestedrouteisit_7atinstant5:train1startsup.Asdepictedinthenextfigure,train1

remainsonsba_2untilinstant13.Thenitcoverssba_3,thensba_4atinstant23,andsba_5at31.

From31to50itisblockedinsba_5.

Atinstant33therouteit_7becomesactive-thetrain2issetinmotiontoreachsba_4.Ittakes5

instants to get through sba_1. It then reaches sba_2 at instant 38, then sba_3 at 41.Here the

secondtrainstops,becausetrain1blockssba_5.Actually,thespecificationstatesthattheremust

beatleastonecompletelyfreesbabetweentwotrains-namely,sba_4.

Sba_4isavailableonlysinceinstant51,becausetrain1passestosba_6.Sotrain2cangothrough

sba_3toreachitsdestination:sba_4.Thisistheendofthescenario:thetwotrainsattendedtheir

duties.



18

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_1

VUSBAsba_1

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_2

VUSBAsba_2

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_3

VUSBAsba_3

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_4

VUSBAsba_4

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_5

VUSBAsba_5

t

v

0

10

20

30

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_6

VUSBAsba_6

Figure4.2.Thetimeprogressofthespeedcurve-theVISBAandVUSBAitemsforscenario2.



19

Scenario3:twotrainsinapotentiallydangeroussituation

Asaninterestingcriticalsituation,weforcedaspeedcurveinwhichthetwotrains-describedin

scenario2-cancollide.Particularly,weconsiderthecaseofanon-zerospeedcurveinsba_3and

sba_4whenthetwotrainsareinsba_5andsba_3,respectively(seefigure4.3).

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_3

VUSBAsba_3

t

v

0

20

40

60

80

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57

VISBAsba_4

VUSBAsba_4

Figure4.3.Themodifieddangerousspeedcurveofscenario3.

Thisisaverydangeroussituation,becausetrain2couldreachtrain1andthencrash.However,as

we can see in figure 4.4, the TRIO semantics tools immediately reject this pattern: it is not

compatiblewiththespecificationofthespeedcurve-computingmodule.In fact the executiontraceshow that theTRIO toolsreject thehistoryatinstant41: theaxiom

axNonTrenoProssimoDirNormaledoesnothold.

F o r m u l a a x N o n F o r m a t i i s T r u e a t 4 0

F o r m u l a a x D i r e z M a r c i a i s T r u e a t 4 0

F o r m u l a a x T r e n o P r o s s i m o i s T r u e a t 4 0

F o r m u l a a x N o n T r e n o P r o s s i m o D i r N o r m i s T r u e a t 4 0

F o r m u l a a x N o n T r e n o P r o s s i m o D i r In v i s T r u e a t 4 0

F o r m u l a a x T r e n o P r o s s i m o D i r N o r m i s T r u e a t 4 0

F o r m u l a a x T r e n o P r o s s i m o D i r In v i s T r u e a t 4 0

F o r m u l a a x L u n g 1 i s T r u e a t 4 0

F o r m u l a a x S t a z i o n a r i o N u o v o D i r N o r m i s T r u e a t 4 0

F o r m u l a a x S ta z i o n a r i o N u o v o D i r I n v i s T r u e a t 4 0

F o r m u l a a x L i b e r a to G e n e r a l e i s T r u e a t 4 0

F o r m u l a a x L i b e r a t o L u n g 2 i s T r u e a t 4 0

F o r m u l a a x N o n F o r m a t i i s T r u e a t 4 1

F o r m u l a a x D i r e z M a r c i a i s T r u e a t 4 1

F o r m u l a a x T r e n o P r o s s i m o i s T r u e a t 4 1

F o r m u l a a x N o n T r e n o P r o s s i m o D i r N o r m i s F a l s e a t 4 1

Figure4.4:ExecutiontraceoftheTRIOtestingtoolsforthedangerousscenario3.



Scenario4:twotrainsmovingbackward

This last scenario is practically identical to the second one: the only difference is the running

direction,whichisbackwardforthetwotrains.

Actually,thetopologicalconfigurationisthefollowing:

/***invertedTopologicalConfiguration***/

pred(sba_2,sba_1):[1..60]pred(sba_3,sba_2):[1..60]

pred(sba_4,sba_3):[1..60]



Weusedthescenariototesttheaxiomsforthebackwardrunningdirection.Theresultsturnedout

tobe,asexpected,whollysymmetricaltothoseoftheforwardrunningdirectionscenarioandare

omittedhere.

5Conclusions

ThemaingoalofthisstudywastoinvestigateandassessthepotentialapplicabilityoftheTRIO

technique in thefieldofrailwaysignalingsystems.Theexperimentwascertainlysuccessful.We

derived from the informal documentation of theSafety Kernel of theNaplesSubway a formal

specificationoftherequirements,writtenintheTRIOlanguage.Thenavalidationphase,basedon

testingtechniqueswasperformedonthespecification,leadingtothediscoveryofasubtleerrorin

thespecification.Thevalidationactivityalsoproducedasmallsetofscenariosthatcouldbeused

asfunctionaltestcases.AsamodelinglanguageTRIOcertainlyprovedtobeadequatetodescribe

thedataandtimingrequirementsoftheSafetyKernel.Webelievethattheadoptionof thesame

formalmethodwouldbeverybeneficialinthedevelopmentofotherverycriticalcomponentsof

the signaling system of the subway such as the ACEI and the Peripheral Post. Ingeneral, we

estimate that the adoption of the TRIO language and tool environment would provide betterspecifications and improve the quality of the test plans, in terms of: a explicit correspondence

between testcasesand propertiesthey aremeantto verify, apreciseevaluationoftheobtained

coverage, and a greater confidence of test case correctness (test cases would be obtained

systematicallybymeansofsemiautomatictoolsfromthespecification).

References

[Ans94] ”METRONAPOLI–InterfacciaTopografica–DescrizioneFunzionale”,AnsaldoTrasporti,

Gennaio1994.

[CC&99] E.Ciapessoni, A.Coen-Porisini, E.Crivelli, D.Mandrioli, P.Mirandola, A.Morzenti, “From

formal models to formally-based methods: an industrial experience”, ACM TOSEM -TransactionsOnSoftwareEngineeringandMethodologies,vol.8,No1,January1999,pages

80-115.

[M&S94] A.Morzenti,P.SanPietro,“Object-OrientedLogicSpecificationsofTimeCriticalSystems”,

ACMTOSEM-TransactionsonSoftwareEngineeringandMethodologies,vol.3,n.1,January

1994,pp.56-98.

[MM93] “Impianti di segnalamento e automazione. Relazione di integrazione al progeto esecutivo”,

MetropolitanaMilanese,Progettazioneedirezionelavori,Novembre1993.

Specification and Test Case Generation

Documents

Transcript of Specification and Test Case Generation