8/8/2019 Specification and Test Case Generation
http://slidepdf.com/reader/full/specification-and-test-case-generation 1/20
Specification and Test Case Generation
for the Safety Kernel of the Naples Subway

Antonio Casazza (+), Dario Comini (*), Angelo Morzenti (o),
Matteo Pradella (o), Pierluigi San Pietro (o), Fabio Schreiber (o)

(o) Dipartimento di Elettronica, Politecnico di Milano
(*) Metropolitana Milanese
(+) Ansaldo Segnalamento Ferroviario
Abstract

We report on an experience in the application of formal methods to the specification, validation and verification of a railway signaling system: the safety kernel of the Naples Subway. The activity was performed ex post, several years after final system delivery, based on the design documentation [MM93, Ans94]. We first illustrate the requirement specification using the object-oriented temporal logic TRIO. Then we report on the use of the specification, by means of suitable support tools, to validate the requirements and to generate some scenarios to be employed as test cases in the verification phase.
1. Introduction

The design and construction of the signaling system in the Naples subway presented an interesting integration among a few conventional components, such as the ground apparatus that realizes command and control functions for signals and switches, and some more innovative ones, such as the ground apparatus that determines the free/blocked track status and imposes the minimum distance among trains. These features differentiate it from other plants constructed until then in Italy, as they were realized using microprocessor-based technology. In particular, the safety critical functions of Automatic Train Block were accomplished through an ATIS (Audiofrequency Transmission and Interlocking System), a system whose main functions are: train detection on the tracks, check of track integrity, and computation and transmission to the trains of the information regarding the state of the signaling devices, to allow the on-board instrumentation to regulate the train running.

The ATIS was structured into a central component called Topological Interface, which was connected, through a fiber optic network, to a set of Peripheral Posts displaced along the tracks. These act as an interface to the track circuits, which constitute the medium for information transmission to the trains. The component of the Topological Interface that selects the codes to be sent to the trains for each automatic block section or for each track circuit, and that communicates with the Peripheral Posts, is called the Safety Kernel.

The present paper reports on the modeling of the Safety Kernel through a specification written in the formal specification language TRIO [M&S94], and on the production of functional test cases based on the TRIO model, for the purpose of validation of the specification itself and for implementation verification. The activity was in fact performed after the Naples Subway had been constructed, validated, and in operation for several years. This was an experiment in the framework of a cooperation between Metropolitana Milanese and Politecnico di Milano in the
application of formal methods to the specification, validation and verification of signaling systems for trains and subways.

The specification is not strictly tied to the Naples plant, since it is parametric with respect to the plant topology. Thus, it can be easily reused to model different plants by means of a simple redefinition of the specification module describing the plant topology.

The specification is based on some simplifying assumptions, which however do not limit its completeness and generality. In particular, we ruled out some of the information that the Topological Interface sends to the track circuits (the transmission frequency of the next track, the braking profile and the remaining section length), which can however easily be added. The considered aspects concern the running direction and the section entrance and exit speed, which are assumed to be the same for all the track circuits of a given section. In other words, from the viewpoint of the Topological Interface we do not distinguish the various circuits inside the same section. These simplifying assumptions can be easily removed whenever necessary.

The document is structured as follows: Section 2 presents a brief overview of the TRIO formalism; Section 3 includes the TRIO specification of the Safety Kernel; Section 4 describes the test case generation activities carried out on the specification.
2. The specification language TRIO

TRIO is based on classical predicate calculus, extended with temporal operators to refer to time instants different from the current one, which is left implicit in the formula. To allow a specifier to describe time-related entities, TRIO variables, functions, and predicates are divided into Time Dependent (TD) and Time Independent (TI) ones. Time dependent variables represent physical quantities or configurations that are subject to change with time; time independent variables represent quantities or configurations that are unrelated with time. Time dependent functions and predicates denote relations, properties or events that may or may not hold at a given time instant, while time independent functions and predicates represent facts and properties that are assumed not to change with time. TRIO is a typed language, in that every variable is associated to the domain of the values that it can assume, every function is associated with a domain/range pair, and a domain is associated to each of the arguments of every predicate. Among the domains there exists a distinguished one, called the Time Domain, that is numeric in nature: it can be, for instance, the set of integers, real, or rational numbers. We assume as predefined, for all numerical domains (and hence for the Time Domain), all the functions representing the common arithmetic operations, such as +, -, *, /, DIV, MOD, etc., and time independent predicates representing common relational operators, such as =, ≠, <, ≤.

Besides variables, functions, and predicates, TRIO includes the propositional operators '~' (NOT), '->' (IMPLIES), '&' (AND), '|' (OR), '≡', 'XOR', and the quantifiers 'EXISTS' and 'FORALL'. TRIO formulas can also be composed by using primitive and derived temporal operators, as explained next.

Primitive Operators

There are two temporal primitive operators, Futr and Past, that allow one to refer, respectively, to events occurring in the future or in the past with respect to the current time, which is left implicit in the formula. For any given formula F, the composed formulas Futr(F, t) and Past(F, t) hold at the current time if and only if the property denoted by F holds at the instant t time units after (respectively, before) the current time.
A First Example

Let us consider a simple railway track, where a train enters at one end and exits at the opposite end after a given maximum time, say 10 seconds. The event of train arrival at the entrance end is represented by the boolean TD variable in; the train exit event is denoted as out. The requirement that every train exits exactly 10 seconds after its entrance is expressed by the following formula:

    in -> Futr(out, 10)

The formula expresses, through a logical implication, the constraint that if a train arrives at the current time, a train will exit exactly 10 time units after.

Derived Operators

To specify more complex relations TRIO provides a set of derived temporal operators. In a more realistic example, the entrance of a train into a railway track is followed by its exit within a given time, not exactly after that time. To express this constraint it is useful to employ the derived operator WithinF ("within in the future"), defined as follows:

    WithinF(A, t) =def exists d (0 < d < t & Futr(A, d))

The meaning of WithinF(A, t) is that A will be true at some instant at a distance less than t in the future. Then the requirement expressed informally before on the railway track can be formalized as follows:

    in -> WithinF(out, 10)

An even more realistic example is that the train cannot exit before a given time, such as 5 seconds (i.e., the train must run through a certain track with a given speed limit). A derived operator useful for describing this situation is Lasts, defined as follows:

    Lasts(A, t) =def forall d (0 < d < t -> Futr(A, d))

The meaning of Lasts(A, t) is that property A holds for all the next t time instants (present time and instant at distance t excluded). The previous constraint on the minimum time to exit the railway track is therefore expressed as follows:

    in -> Lasts(~out, 5) & WithinF(out, 10)

The meaning of the formula is that if in occurs at the current time then out will be false for at least 5 time units (that is, the train will not exit in the first five seconds) but it will become true before 10 seconds elapse.

TRIO includes many other derived temporal operators, which allow a specifier to express even the most complex timing requirements. For a thorough discussion of the derived temporal operators we refer the interested reader to [CC&98], as no other temporal operator is necessary to describe the time requirements in the topological interface.
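As an added illustration (not part of the original paper), the following Python code evaluates the operators just introduced over a finite, discrete-time history and checks the last formula above against three constructed histories. The evaluator itself, the histories, and the helpers event() and holds_everywhere() are assumptions of this example; time is discrete in seconds, and instants outside the recorded window are read as "no event".

```python
from typing import Callable, Dict, Set

# A TRIO formula is modelled as a function of the (implicit) current instant; time is
# discrete and measured in seconds, as in the railway-track example above.
Formula = Callable[[int], bool]


def futr(f: Formula, t: int) -> Formula:
    """Futr(F, t): F holds t time units after the current instant."""
    return lambda now: f(now + t)


def past(f: Formula, t: int) -> Formula:
    """Past(F, t): F holds t time units before the current instant."""
    return lambda now: f(now - t)


def within_f(f: Formula, t: int) -> Formula:
    """WithinF(A, t) =def exists d (0 < d < t & Futr(A, d))."""
    return lambda now: any(f(now + d) for d in range(1, t))


def lasts(f: Formula, t: int) -> Formula:
    """Lasts(A, t) =def forall d (0 < d < t -> Futr(A, d))."""
    return lambda now: all(f(now + d) for d in range(1, t))


def neg(a: Formula) -> Formula:
    return lambda now: not a(now)


def conj(a: Formula, b: Formula) -> Formula:
    return lambda now: a(now) and b(now)


def implies(a: Formula, b: Formula) -> Formula:
    return lambda now: (not a(now)) or b(now)


def event(history: Dict[int, Set[str]], name: str) -> Formula:
    """Boolean TD variable: true exactly at the instants where `name` occurs in the
    history. Instants outside the recorded window are read as false (assumption)."""
    return lambda now: name in history.get(now, set())


def holds_everywhere(f: Formula, horizon: int) -> bool:
    """An axiom must hold at every instant: check f over the window [0, horizon]."""
    return all(f(now) for now in range(horizon + 1))


def track_axiom(history: Dict[int, Set[str]]) -> Formula:
    """in -> Lasts(~out, 5) & WithinF(out, 10): no exit in the first five seconds,
    but an exit before ten seconds have elapsed."""
    enter, leave = event(history, "in"), event(history, "out")
    return implies(enter, conj(lasts(neg(leave), 5), within_f(leave, 10)))


# Constructed histories (instant -> events): a train entering at t=0 that leaves at
# t=7 (conforming), one that leaves at t=3 (too early for Lasts(~out, 5)) and one
# that leaves at t=12 (too late for WithinF(out, 10)).
OK_HISTORY = {0: {"in"}, 7: {"out"}}
TOO_FAST = {0: {"in"}, 3: {"out"}}
TOO_SLOW = {0: {"in"}, 12: {"out"}}

if __name__ == "__main__":
    for label, h in (("ok", OK_HISTORY), ("too fast", TOO_FAST), ("too slow", TOO_SLOW)):
        print(label, holds_everywhere(track_axiom(h), 20))
```

The strict bounds in the definitions matter: within_f(out, 7) evaluated at the entrance instant of OK_HISTORY is false, because the exit at distance exactly 7 is excluded by 0 < d < t, which is the same reason the paper's Lasts excludes the instant at distance t.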
Axioms

Every axiom is a TRIO formula that expresses an invariant property of the specified system. As opposed to methods based on states and transitions, which describe what the system must do by indicating how it must be done, the TRIO language allows one to describe the system by specifying the properties that it must satisfy. Each property is described by a formula, called axiom. Therefore, in general, a TRIO specification is a collection of axioms.

Modularity

TRIO specifications are usually organized in modules. The possibility of structuring a specification into modules supports an incremental top-down approach to the specification activity through successive refinements, but also permits the construction of reusable specifications of independent (sub)systems, which can be composed in different ways depending on the application context. With TRIO it is also possible to describe a system at different abstraction levels and to focus with greater attention and detail on some more critical and relevant aspects, without specifying formally, or providing only a partial specification of, other parts that are considered less critical or more standard.

TRIO modules are called classes. A class can be simple or structured. A simple class is a set of axioms prefixed with the declaration of the class items, i.e., of the variables, predicates, and functions, both time dependent and time independent, that occur in the axioms. As an example of a simple class, let us consider class "topografia", a fragment of the specification of the topology in a subway plant:

    class topografia
      // Sba denotes the set of automatic block sections in the plant.
      Outputs:
        TI Items    // declaration of time independent functions and predicates
          functions  velMax: Sba -> Integer   // the maximum speed, in km/h, allowed in a sba
          predicates succ(Sba, Sba);          // succ(a,b) holds iff a is a topological successor of b
                     pred(Sba, Sba);          // pred(a,b) holds iff a is a topological predecessor of b
      Axioms
        Vars s, s1, s2: Sba
        1: succ(s1, s2) <-> pred(s2, s1)
        2: forall s1 exists s2 (succ(s1, s2) | pred(s1, s2))
           // every sba has at least one successor or one predecessor (there is no isolated sba)
        3: forall s (velMax(s) IN {0, 15, 30, 45, 65, 77})   // possible speed values
    end topografia

Structured classes

Classes that have components, called modules, belonging to other classes are called structured classes. Structured classes support the description of modular TRIO specifications, suitable to describe systems whose parts must be clearly identified.

For instance, the specification of the Topological Interface can be structured into three parts: a route manager (module gestioneItinerari), a topology manager (module topografia) for a particular plant, and a module that computes the information to be sent to the track sections (module calcoloCurva). Such a specification can be represented by a figure as follows.
[Figure 2.1: module diagram. Labels recoverable from the figure: the structured class InterfacciaTopografica (nucleo sicurezza) with inputs stato and itinerarioComandato and output curva; the inner modules gestioneItinerari, topografia and calcoloCurva; the connecting items succ, pred, velMax, segnale, deviatoio, anormale, direzioneMarcia, liberazione and formato.]

Figure 2.1. The structure of the InterfacciaTopografica.
The module InterfacciaTopografica receives information on the status of the plant (item stato) and on the driven route (item itinerarioComandato) and provides the speed curve (item curva) for the track circuits of the route. The three inner modules shown in the figure above, gestioneItinerari, topografia, and calcoloCurva, correspond to the three parts previously outlined. The connections among the modules represent the exchange of information in the directions shown by the arrows. For instance, the maximal speed in a section (item velMax) is provided by module topografia both to module gestioneItinerari and to module calcoloCurva.

3. The Specification

3.1 The specification entities

We now introduce the various entities that will be formalized in the specification.

A track circuit (circuito di binario, or cdb) is an electrical circuit whose purpose is to transmit suitable messages, called codes, to the on-board devices. A track circuit is the abstract representation of the physical entity constituted by a piece of track. Each cdb is in relation with a peripheral post (Posto Periferico) and is a component of an automatic block section (sezione di blocco automatico, sba).

An automatic block section is the piece of track referenced by the messages that the ground devices send to the on-board devices. Each sba includes one or more track circuits, with two signals (entrance signals in the two possible running directions) and zero, one, or more switches. An sba is the piece of track of minimal length for which it is certain that, upon occurrence of a train block, the train will reach a stop without overcoming its end. Each sba receives from the topological interface a code: that is, the information on the entrance speed (VISBA) and on the exit speed (VUSBA) of the sba itself, and on the currently set running direction (DIMAR). The running direction (direzione di marcia) of an sba can be forward (normale) or backward (inversa). The running direction of a route is, by definition, unique for the entire route, and is determined by the first sba composing the route. Each sba is associated to two final points (punto finale) corresponding to its two extremities.

A switch (deviatoio) can be in three positions: forward blocked (bloccato normale), backward blocked (bloccato rovescio), and not blocked (non bloccato).

A route (itinerario) is composed of an ordered sequence of consecutive sba, by a driven signal (segnale comandato) and by the state of the final point of the last sba in the sequence. The route is provided by the ACEI (see below for its definition) upon request by the train operators
and it always includes, when it is constructed, at least two automatic block sections. The first section is the one where the train that is requesting the route is currently positioned; the second one is the immediately successive sba. The final point of a route can be either free (libero), if the sba does not belong to any route, or blocked (bloccato) otherwise. In general the final point of a route should be blocked, to indicate that the last sba of the route is not used for any other route, a situation to be avoided because it can cause train collision.

A signal (segnale) is a semaphore that can be in one of four positions: stop (via impedita imperativa) when no train can be authorized to go beyond the signal, dark (spento), warning (rosso permissivo) when the trains must stop but may be authorized to proceed in some particular cases, and drive (via libera). The main link between a route and a signal is the driven signal (segnale comandato). A driven signal is the signal at the entrance of the second sba of a route: this signal is important because the second sba is the first following the sba where the train is running. The peripheral post handles the signal based on the operational state of the related track circuit.

A stop (fermata) is a subway station.

The ACEI (Apparato Centrale Elettrico a pulsanti di Itinerario) is the subsystem that receives from the on-board devices the request of a route, and that is in charge of reserving (by blocking them) the necessary sections, switches, and signals.

The peripheral post (Posto Periferico, or PP) is the set of electronic appliances that define, through the track circuits, the free or blocked state for the piece of track under control. It can exchange data with the ACEI and the topological interface.

The Topological Interface (Interfaccia Topografica, or IT) is the central subsystem that manages and selects the codes. It receives information from the peripheral posts on the state of the track and on the requested routes; it generates all the codes to be sent to each track circuit. Such codes are necessary to send a train on a given route.

The main purpose of the specification is to describe the requirements of the safety kernel of the topological interface. Under the simplifying hypotheses reported in the introduction, the individual track circuits of a given sba are not distinguished in the present specification, and are therefore ignored.

3.2 The TRIO Specification

The specification is parametric with respect to the system, which is actually defined by the sets: Deviatoio, Segnale, Sba, PuntoFinale, Itinerario, and Codice.

Some useful functions defined on Itinerario (route):

    lung: Itinerario -> Integer
        length of a route: returns the number of Sba in the route
    rest: Itinerario -> Itinerario
        rest of a route: rest(i) returns the route i without its first Sba
    sba: (Integer, Itinerario) -> Sba
        element of a route: sba(k, i) returns the k-th Sba of the route i
    prima: Itinerario -> Sba
        first of a route: prima(i) ≡ sba(1, i)
    ultima: Itinerario -> Sba
        last of a route: ultima(i) ≡ sba(lung(i), i)
    penultima: Itinerario -> Sba
        last-but-one of a route: penultima(i) ≡ sba(lung(i) - 1, i)
The Structure of the Topological Interface

We now describe the structure of the class interfacciaTopografica (the Topological Interface). The input items of the class are the function stato (the current state of switches, block sections, sba signals and cdb) and the predicate itinerarioComandato (i.e. the driven route), which corresponds to a route request/block. The output is the speed curve associated to every sba. The overall structure of the system is represented by the modules' diagram, which consists of three modules: gestioneItinerari, topografia and calcoloCurva.

    class interfacciaTopografica
      Inputs:
        TD Items
          functions
            // The function stato is overloaded over the sets of devices of the rail network:
            stato: Deviatoio -> {bloccatoNormale, bloccatoRovescio, nonBloccato}
            stato: Segnale -> {viaImpeditaImperativa, spento, rossoPermissivo, viaLibera}
            stato: Sba -> {libero, bloccato, occupato}
            stato: Cdb -> {libero, occupatoDaTreno, occupatoDaDisturbo}
            stato: PuntoFinale -> {libero, bloccato}
          predicates
            itinerarioComandato(Itinerario)
            // The set of the new routes (requested routes). Every requested route includes at least two Sba.
      Outputs:
        TD Items
          functions
            curva: Sba -> Codice
      Modules
        // The module decomposition is reported in Figure 2.1
    end interfacciaTopografica

The topological data management module: topografia

The topografia module provides the main topological data to the other modules, gestioneItinerari and calcoloCurva. It contains all the static and embedded information about the topological structure of the system: its physical displacement and the network characteristics.

The network structure is represented by succ, pred and velMax. The succ predicate identifies the topological successor(s) of a given section, with respect to the forward running direction. The pred predicate identifies the topological predecessor(s) of a given section. The maximum speed allowed for a section is represented by the velMax function.

Moreover, gestioneItinerari uses the predicate segnale, representing the semaphore signal at the entrance of a section (as usual with respect to the forward running direction), and the predicate deviatoio, representing a section's switches. The specification of the class is reported in Section 2, while the definition of the topology of the Naples plant is reported in Section 4.

The module gestioneItinerari

The module for route management (gestioneItinerari) provides the module calcoloCurva with important information about the various routes. Such items of information are called formato, liberazione, and direzioneMarcia.

The time-dependent item formato is the set of formed routes at every instant.

The time-dependent item liberazione is the set of routes whose number of sba has been reduced, because the train in the route has completed its first sba: such sba is then freed and made available to form other routes; in the particular case that a route i was composed of just one sba,
liberazione(i) means that route i has been completed, that is, the train arrived at the end of the route.

The time-dependent item direzioneMarcia supplies the direction of every formed route, which can be either normale (forward) or inversa (backward).

An internal time-dependent set of gestioneItinerari, called anormale, is used to denote the routes whose behavior becomes abnormal, for instance because a switch is not correctly blocked.

    class gestioneItinerari
      Inputs:
        TD Items
          functions
            // The function stato is overloaded (it is described also in module interfacciaTopografica):
            stato: Deviatoio -> {bloccatoNormale, bloccatoRovescio, nonBloccato}
            stato: Segnale -> {viaImpeditaImperativa, spento, rossoPermissivo, viaLibera}
            stato: Sba -> {libero, bloccato, occupato}
            stato: Cdb -> {libero, occupatoDaTreno, occupatoDaDisturbo}
            stato: PuntoFinale -> {libero, bloccato}
            segnale: (Sba, {normale, inversa}) -> Segnale
            // segnale(s, d) is the signal of the sba s for the running direction d
            // (normale is forward, inversa is backward)
          predicates
            itinerarioComandato(Itinerario)
      Outputs:
        TD Items
          predicates
            liberazione(Itinerario)                          // set of freed routes at every instant
            formato(Itinerario)                              // set of formed routes at every instant
            direzioneMarcia(Itinerario, {normale, inversa})  // running direction of routes
      Internals:
        TD Items
          predicates
            anormale(Itinerario)                             // set of abnormal routes at every instant
      Axioms
        vars i, i1: Itinerario; s: Sba; d: Deviatoio; dir: {normale, inversa}

        liberazioneItinerario:
        // a route is freed (liberazione) when the train has completed its first sba
        liberazione(i) <-> past(stato(prima(i)) = occupato, 1) & stato(prima(i)) = libero

        formazioneItinerario:
        // a route is formed (formato) when it is not abnormal and one of the following conditions holds:
        //   - it is a requested route (itinerarioComandato);
        //   - or at the previous instant it was formed and not yet freed (liberazione has a delayed effect);
        //   - or it derives from a freed route which is not yet empty.
        formato(i) <-> ~anormale(i) &
            ( itinerarioComandato(i)
            | past(formato(i), 1) & ~liberazione(i)
            | exists i1 (past(formato(i1) & liberazione(i1), 1) & i = rest(i1) & lung(i) > 0) )

        direzioneDiMarciaComandati:
        // the running direction of a requested route can be derived from the topology of the system,
        // since its length is at least 2:
        itinerarioComandato(i) ->
            ( (direzioneMarcia(i, normale) <-> pred(penultima(i), ultima(i)))
            & (direzioneMarcia(i, inversa) <-> succ(penultima(i), ultima(i))) )
        direzioneDiMarciaEsistenti:
        // the direction of a formed route does not change in time; moreover, if a formed route is freed,
        // the new corresponding formed route keeps the same direction of the old one:
        formato(i) & ~itinerarioComandato(i) ->
            forall i1 ( past(formato(i1), 1) & (i = i1 | past(liberazione(i1), 1) & i = rest(i1)) ->
                        (direzioneMarcia(i, dir) <-> direzioneMarcia(i1, dir)) )

        segnaleComandato:
        // the definition of the driven signal of a route: the signal, in the appropriate running direction,
        // of the second sba of the route:
        formato(i) -> exists dir (direzioneMarcia(i, dir) & segnaleComandato(i) = segnale(sba(2, i), dir))

        anormalita':
        // a route is abnormal (anormale) when:
        //   its final point is not blocked (bloccato)
        //   or one of its switches (deviatoio) is not blocked
        //   or its driven signal (segnaleComandato) is in the barred position (viaImpeditaImperativa)
        //   or it is off (spento).
        anormale(i) <->
            ( stato(puntoFinale(i)) <> bloccato
            | exists s exists d (s IN i & deviatoio(d, s) & stato(d) = nonBloccato)
            | stato(segnaleComandato(i)) = viaImpeditaImperativa
            | stato(segnaleComandato(i)) = spento )
    end gestioneItinerari
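As an added example (not from the paper), the following Python code is a discrete-time rendering of the gestioneItinerari axioms over a constructed four-section plant. The plant data, the device names, the representation of a route as a tuple of sba, and the step() interface are assumptions of the example. It follows the comment on formazioneItinerario, reading "liberazione has a delayed effect" as: a route stays formed at the instant its first sba is freed, and rest(i) replaces it at the next instant; for a route reduced to a single sba, where the specification's segnaleComandato is defined through sba(2, i), no driven-signal test is applied (an assumption, flagged in the code).

```python
from collections import namedtuple

# Constructed plant for the example: four consecutive sections in the forward direction.
NEXT = {"sba_1": ["sba_2"], "sba_2": ["sba_3"], "sba_3": ["sba_4"], "sba_4": []}


def succ(a, b):
    """succ(a,b) holds iff a is a topological successor of b (forward direction)."""
    return a in NEXT[b]


def pred(a, b):
    """pred(a,b) holds iff a is a topological predecessor of b."""
    return b in NEXT[a]


# formato: routes formed at an instant; direzione: their running direction;
# liberazione: routes whose first sba was freed at that instant.
State = namedtuple("State", "formato direzione liberazione")


def direzione_marcia(route):
    """direzioneDiMarciaComandati: a requested route has at least two sba, so its
    direction follows from the topology of its last two sections."""
    pen, last = route[-2], route[-1]
    if pred(pen, last):
        return "normale"
    if succ(pen, last):
        return "inversa"
    raise ValueError("last two sba of %r are not adjacent" % (route,))


def anormale(route, direction, plant):
    """anormalita': final point not blocked, a switch of the route not blocked, or the
    driven signal (signal of the second sba in the running direction) barred or off."""
    st = plant["stato"]
    if st[plant["punto_finale"][route[-1]]] != "bloccato":
        return True
    if any(st[d] == "nonBloccato" for s in route for d in plant["deviatoio"].get(s, ())):
        return True
    if len(route) < 2:
        # Assumption: segnaleComandato is defined through sba(2,i), so the spec gives
        # no driven signal for a route reduced to one sba; no signal test is applied.
        return False
    return st[plant["segnale"][(route[1], direction)]] in ("viaImpeditaImperativa", "spento")


def step(prev, commanded, stato_prev, plant):
    """One instant of gestioneItinerari. prev is the State of the previous instant,
    commanded the set of requested routes now, stato_prev the sba states an instant
    ago and plant["stato"] the current device states."""
    st = plant["stato"]
    # routes derived from a route freed at the previous instant: i = rest(i1)
    derived = {r1[1:]: r1 for r1 in prev.formato & prev.liberazione if len(r1) > 1}
    candidates = set(prev.formato) | set(commanded) | set(derived)
    # liberazioneItinerario: first sba occupied an instant ago and free now
    liberazione = {r for r in candidates
                   if stato_prev[r[0]] == "occupato" and st[r[0]] == "libero"}
    formato, direzione = set(), {}
    for r in candidates:
        if r in commanded:
            d = direzione_marcia(r)
        elif r in derived:
            d = prev.direzione[derived[r]]   # direzioneDiMarciaEsistenti: inherited
        else:
            d = prev.direzione[r]
        # formazioneItinerario, with "liberazione has a delayed effect" read as:
        # formed an instant ago and not freed an instant ago
        formed = (r in commanded
                  or (r in prev.formato and r not in prev.liberazione)
                  or r in derived)
        if formed and not anormale(r, d, plant):
            formato.add(r)
            direzione[r] = d
    return State(frozenset(formato), direzione, frozenset(liberazione))


def scenario(signal_state="viaLibera"):
    """A train in sba_1 requests (sba_1, sba_2, sba_3), then moves into sba_2.
    Returns the States of the three instants."""
    route = ("sba_1", "sba_2", "sba_3")
    plant = {
        "stato": {"sba_1": "occupato", "sba_2": "libero", "sba_3": "libero", "sba_4": "libero",
                  "PF3": "bloccato", "D2": "bloccatoNormale",
                  "S2n": signal_state, "S3n": "viaLibera"},
        "punto_finale": {"sba_3": "PF3"},      # final point at the end of the route's last sba
        "deviatoio": {"sba_2": ["D2"]},         # one switch, on sba_2
        "segnale": {("sba_2", "normale"): "S2n", ("sba_3", "normale"): "S3n"},
    }
    at_rest = {s: "libero" for s in NEXT}
    s0 = step(State(frozenset(), {}, frozenset()), {route}, at_rest, plant)
    stato_t0 = dict(plant["stato"])
    plant["stato"].update({"sba_1": "libero", "sba_2": "occupato"})  # the train moves on
    s1 = step(s0, set(), {k: stato_t0[k] for k in NEXT}, plant)
    s2 = step(s1, set(), {k: plant["stato"][k] for k in NEXT}, plant)
    return s0, s1, s2
```

Running scenario() shows the three-instant life of the route: formed with direction normale at the request, freed (liberazione) but still formed when sba_1 becomes free, and replaced by (sba_2, sba_3) at the following instant; with the driven signal S2n set to spento the route is abnormal and never forms.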
The speed curve module: calcoloCurva

The speed curve module (calcoloCurva) calculates and provides the speed signal for every sba involved in a route. The speed signal is coded using the record items VISBA, VUSBA and DIMAR, which are Italian acronyms for entrance speed, exit speed and running direction, respectively.

The DIMAR item is fixed in every formed route, and corresponds to its first sba's default running direction: this information is provided by gestioneItinerari, using the direzioneMarcia predicate.

Now consider the case DIMAR = normale (forward running direction). The backward-direction case is immediately obtained by swapping VISBA and VUSBA. The speed curve is computed as follows.

Let i be the current formed route, and let s be its current sba.

  - VISBA is the max speed allowed in s, verifying the equation:
        curva(s).VISBA = velMax(s).
  - VUSBA depends on the maximum speed limit of the next sba with respect to the route. If t is the next section, the constraint is:
        curva(s).VUSBA = velMax(t).

We now consider the case of the last sba of a formed route. Since it is assumed that the train must stop after finishing its route, the exit speed in the last sba is set to 0.

Another constraint is given by the presence of another train in the next sba: it is necessary to keep at least one free sba between two trains, as a safety measure. In this case the speed curve must be 0 from the exit of the last-but-one sba to the end of the current route.

Topografia sends to calcoloCurva all the topology information about the sba's (this is done using the succ and pred predicates) and their speed limits (function velMax).

The module for route management supplies the following information about routes: liberazione, direzioneMarcia and formato.
The output of calcoloCurva is the speed curve, computed for every section.

The state of the network (stato), provided by the Peripheral Posts, is used to determine if there is a train in the following sections.

    class calcoloCurva
      Inputs:
        TI Items
          functions
            velMax: Sba -> Integer;      // sba's speed limit
          predicates
            succ(Sba, Sba);
            pred(Sba, Sba);
        TD Items
          functions
            stato: Sba -> {libero, bloccato, occupato};   // provided by the Peripheral Posts
          predicates
            formato(Itinerario);
            liberazione(Itinerario);
            direzioneMarcia(Itinerario, {normale, inversa});
      Outputs:
        TD Items
          functions
            curva: Sba -> Codice;        // the speed curve
            Codice: record
              VISBA: Integer;            // sba's entrance speed
              VUSBA: Integer;            // sba's exit speed
              DIMAR: {normale, inversa}; // sba's current running direction
            end;
      Internals:
        TD Items
          predicates
            trenoProssimo(Itinerario);   // trenoProssimo(i) holds iff there is a train in at least one of
                                         // the sections adjoining the end of route i
      Axioms
        vars i: Itinerario; s: Sba; k: Integer; d: {normale, inversa};

        // Speed curve for the sections not in formed routes.
        // Every sba not belonging to formed routes is in a default rest state: VISBA = VUSBA = 0.
        axNonFormati:
        forall s (~exists i (formato(i) & s IN i) -> (curva(s).VISBA = 0 & curva(s).VUSBA = 0));

        // Running direction for formed routes.
        // It is supplied by the gestioneItinerari module, to send the current DIMAR to every sba.
        axDirezMarcia:
        forall i forall d (formato(i) & direzioneMarcia(i, d) ->
            forall k (1 <= k <= lung(i) -> curva(sba(k, i)).DIMAR = d));
        // Axioms for trenoProssimo.
        // These axioms manage the last sections of a formed route: if there is a train in at least one of
        // the next adjoining sections, then the route speed curve is set to 0 in the current section.
        // This assures that between two running trains there is at least one completely free section.
        // When a route has a length less than or equal to 2, calcoloCurva must consider even the axioms
        // concerning liberazione.

        // trenoProssimo(i) holds iff there is a train in at least one of the route's following adjoining sections.
        axTrenoProssimo:
        forall i (formato(i) ->
            (trenoProssimo(i) <->
                ( direzioneMarcia(i, normale) & exists s (succ(s, ultima(i)) & stato(s) = occupato)
                | direzioneMarcia(i, inversa) & exists s (pred(s, ultima(i)) & stato(s) = occupato) )));

        // There is no close train in the forward running direction: the speed curve is set to 0 only for
        // the last section's VUSBA.
        axNonTrenoProssimoDirNorm:
        forall i (formato(i) ->
            ( ~trenoProssimo(i) & (lung(i) > 2 | lung(i) = 2 & ~liberazione(i)) & direzioneMarcia(i, normale) ->
                ( curva(penultima(i)).VISBA = velMax(penultima(i))
                & curva(penultima(i)).VUSBA = velMax(ultima(i))
                & curva(ultima(i)).VISBA = velMax(ultima(i))
                & curva(ultima(i)).VUSBA = 0 )));

        // There is no close train in the backward running direction: the speed curve is set to 0 only for
        // the last section's VISBA (it exchanges its role with VUSBA because of the direction).
        axNonTrenoProssimoDirInv:
        forall i (formato(i) ->
            ( ~trenoProssimo(i) & (lung(i) > 2 | lung(i) = 2 & ~liberazione(i)) & direzioneMarcia(i, inversa) ->
                ( curva(penultima(i)).VUSBA = velMax(penultima(i))
                & curva(penultima(i)).VISBA = velMax(ultima(i))
                & curva(ultima(i)).VUSBA = velMax(ultima(i))
                & curva(ultima(i)).VISBA = 0 )));

        // There is a close train in the forward running direction: the speed curve is set to 0 from the
        // last-but-one section's VUSBA to the end of the route.
        axTrenoProssimoDirNorm:
        forall i (formato(i) ->
            ( trenoProssimo(i) & (lung(i) > 2 | lung(i) = 2 & ~liberazione(i)) & direzioneMarcia(i, normale) ->
                ( curva(penultima(i)).VISBA = velMax(penultima(i))
                & curva(penultima(i)).VUSBA = 0
                & curva(ultima(i)).VISBA = 0
                & curva(ultima(i)).VUSBA = 0 )));
        // There is a close train in the backward running direction: the speed curve is set to 0 from the
        // last-but-one section's VISBA (like before it exchanges its role with VUSBA because of the
        // direction) to the end of the route.
        axTrenoProssimoDirInv:
        forall i (formato(i) ->
            ( trenoProssimo(i) & (lung(i) > 2 | lung(i) = 2 & ~liberazione(i)) & direzioneMarcia(i, inversa) ->
                ( curva(penultima(i)).VUSBA = velMax(penultima(i))
                & curva(penultima(i)).VISBA = 0
                & curva(ultima(i)).VUSBA = 0
                & curva(ultima(i)).VISBA = 0 )));

        // Routes with unitary length: with a close train, the speed curve is set identically to 0;
        // without, only the exit speed is set to 0.
        axLung1:
        forall i (formato(i) ->
            ( ~liberazione(i) & lung(i) = 1 ->
                ( (trenoProssimo(i) -> (curva(prima(i)).VISBA = 0 & curva(prima(i)).VUSBA = 0))
                & (~trenoProssimo(i) & direzioneMarcia(i, normale) ->
                      (curva(prima(i)).VISBA = velMax(prima(i)) & curva(prima(i)).VUSBA = 0))
                & (~trenoProssimo(i) & direzioneMarcia(i, inversa) ->
                      (curva(prima(i)).VUSBA = velMax(prima(i)) & curva(prima(i)).VISBA = 0)) )));

        // Axioms for new and unchanged routes.
        // VISBA and VUSBA are computed in this way: with a forward running direction, VISBA is set to the
        // speed limit (velMax) of the same section, while VUSBA is set to the limit of the next sba. As usual
        // VISBA exchanges its role with VUSBA with a backward running direction.
        // Note: the last two sections are managed by the trenoProssimo axioms.

        // forward running direction
        axStazionario-NuovoDirNorm:
        forall i (formato(i) ->
            ( ~liberazione(i) & direzioneMarcia(i, normale) ->
                forall k (1 <= k < lung(i) - 1 ->
                    ( curva(sba(k, i)).VISBA = velMax(sba(k, i))
                    & curva(sba(k, i)).VUSBA = velMax(sba(k + 1, i)) ))));

        // backward running direction
        axStazionario-NuovoDirInv:
        forall i (formato(i) ->
            ( ~liberazione(i) & direzioneMarcia(i, inversa) ->
                forall k (1 <= k < lung(i) - 1 ->
                    ( curva(sba(k, i)).VUSBA = velMax(sba(k, i))
                    & curva(sba(k, i)).VISBA = velMax(sba(k + 1, i)) ))));
        // Axioms for reduced routes.
        // These axioms manage the case of reduced routes: the once-first sba is disposed of and marked as
        // free for other routes. Its VISBA and VUSBA curve items are set to 0. Like before, the 2-length
        // case is partially managed by the trenoProssimo axioms.

        // General case (route length different from 2, i.e. 1 or greater than 2): the speed curve for the
        // first sba is set to 0, while the following, with the exception of the last two sections,
        // maintain their configuration.
        axLiberatoGenerale:
        forall i (formato(i) ->
            ( liberazione(i) & lung(i) <> 2 ->
                ( curva(prima(i)).VISBA = 0 & curva(prima(i)).VUSBA = 0
                & forall k (1 < k < lung(i) - 1 ->
                      ( past(curva(sba(k, i)).VISBA, 1) = curva(sba(k, i)).VISBA
                      & past(curva(sba(k, i)).VUSBA, 1) = curva(sba(k, i)).VUSBA )) )));

        // Route length equal to 2: the speed curve is set to 0 in the first sba. The speed curve of the last
        // sba depends on trenoProssimo.
        axLiberatoLung2:
        forall i (formato(i) ->
            ( liberazione(i) & lung(i) = 2 ->
                ( (curva(prima(i)).VISBA = 0 & curva(prima(i)).VUSBA = 0)
                & (trenoProssimo(i) -> (curva(ultima(i)).VISBA = 0 & curva(ultima(i)).VUSBA = 0))
                & (~trenoProssimo(i) & direzioneMarcia(i, normale) ->
                      (curva(ultima(i)).VISBA = velMax(ultima(i)) & curva(ultima(i)).VUSBA = 0))
                & (~trenoProssimo(i) & direzioneMarcia(i, inversa) ->
                      (curva(ultima(i)).VUSBA = velMax(ultima(i)) & curva(ultima(i)).VISBA = 0)) )));
    end calcoloCurva
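As an added example (not from the paper), the following Python code computes the Codice of every sba of a formed route by the case analysis of the calcoloCurva axioms above, and the rest state of axNonFormati for the other sections. The six-section line mirrors the sba_1 .. sba_6 layout used by the scenarios of Section 4, so that the second scenario there (a train on it_7 = sba_1 .. sba_4 with another train ahead of it) can be checked directly; the speed limits, the function interface and the representation of a route as a tuple of sba are assumptions of the example, not data of the Naples plant.

```python
# velMax in km/h, drawn from the admissible values of class topografia (constructed data).
VEL_MAX = {"sba_1": 65, "sba_2": 65, "sba_3": 45, "sba_4": 30, "sba_5": 45, "sba_6": 30}
NEXT = {"sba_1": ["sba_2"], "sba_2": ["sba_3"], "sba_3": ["sba_4"],
        "sba_4": ["sba_5"], "sba_5": ["sba_6"], "sba_6": []}


def succ(a, b):
    """succ(a,b): a is a topological successor of b (forward direction)."""
    return a in NEXT[b]


def pred(a, b):
    """pred(a,b): a is a topological predecessor of b."""
    return b in NEXT[a]


def treno_prossimo(route, direction, stato):
    """axTrenoProssimo: a train occupies a section adjoining the route's last sba
    in the running direction."""
    last = route[-1]
    adjacent = succ if direction == "normale" else pred
    return any(adjacent(s, last) and stato.get(s) == "occupato" for s in NEXT)


def speed_curve(route, direction, liberazione, stato, prev_curve=None):
    """Codice (VISBA, VUSBA, DIMAR) for every sba of a formed route.
    liberazione: the first sba has just been freed; prev_curve: the curve of the
    previous instant, which axLiberatoGenerale needs for the unchanged inner sections."""
    n, fwd = len(route), direction == "normale"
    tp = treno_prossimo(route, direction, stato)
    curve = {}

    def put(s, entrance, exit_):
        # In the backward direction VISBA and VUSBA exchange their roles (axiom *DirInv).
        vi, vu = (entrance, exit_) if fwd else (exit_, entrance)
        curve[s] = {"VISBA": vi, "VUSBA": vu, "DIMAR": direction}   # axDirezMarcia

    if n == 1:
        if liberazione or tp:           # axLiberatoGenerale (route completed) / axLung1
            put(route[0], 0, 0)
        else:                           # axLung1: free road ahead, stop at the end
            put(route[0], VEL_MAX[route[0]], 0)
        return curve
    # sections 1 .. n-2 (1-based): axStazionario-Nuovo* or axLiberatoGenerale
    for k in range(n - 2):
        s = route[k]
        if not liberazione:
            put(s, VEL_MAX[s], VEL_MAX[route[k + 1]])
        elif k == 0:
            put(s, 0, 0)                # the freed sba goes to the rest state
        else:
            curve[s] = dict(prev_curve[s])   # inner sections keep their configuration
    pen, last = route[-2], route[-1]
    if n > 2 or not liberazione:
        # trenoProssimo axioms: with a close train the curve is 0 from the exit of the
        # last-but-one sba to the end of the route; otherwise only the last exit is 0
        if tp:
            put(pen, VEL_MAX[pen], 0)
            put(last, 0, 0)
        else:
            put(pen, VEL_MAX[pen], VEL_MAX[last])
            put(last, VEL_MAX[last], 0)
    else:                               # axLiberatoLung2
        put(pen, 0, 0)
        if tp:
            put(last, 0, 0)
        else:
            put(last, VEL_MAX[last], 0)
    return curve


def plant_curve(formed, stato, prev=None):
    """curva for the whole plant: sections outside formed routes rest at 0 (axNonFormati).
    formed: iterable of (route, direction, liberazione) as supplied by gestioneItinerari."""
    curva = {s: {"VISBA": 0, "VUSBA": 0, "DIMAR": None} for s in NEXT}
    for route, direction, liberazione in formed:
        curva.update(speed_curve(route, direction, liberazione, stato, prev))
    return curva


if __name__ == "__main__":
    free = {s: "libero" for s in NEXT}
    it_7 = ("sba_1", "sba_2", "sba_3", "sba_4")
    print(plant_curve([(it_7, "normale", False)], free))
    print(plant_curve([(it_7, "normale", False)], dict(free, sba_5="occupato")))
```

With the line free, it_7 carries its speed limits down to sba_4, whose exit speed is 0; as soon as the train ahead occupies sba_5, trenoProssimo(it_7) holds and the curve drops to 0 from the exit of sba_3, which is the "one free sba between two trains" rule of the text expressed as data.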
4. Test case generation for the specification of the Safety Kernel

The test case generation activity was concentrated on a small set of scenarios, which are situations deemed worth a verification activity. Although considering other scenarios could be useful, the selected ones were quite significant and the most important to verify for the system.

The test case generation activity in TRIO is based on the generation, supported by suitable tools, of histories for the specified system. Such histories (henceforth called test cases) describe possible execution sequences of the system, including both input data to be provided to the system and the expected corresponding output data. The supporting tools allow generation of test cases in an optimized way, avoiding as much as possible the production of redundant information, characterizing input vs. output events, and effectively handling nondeterministic behaviors.

In a first phase of the testing activity, test cases can be used to check the specification itself, verifying whether what we specified is consistent with the knowledge of experts about the system. For instance, it is possible to propose a history of the system breaking some safety requirements and automatically verify whether such behavior is allowed by the specification. This kind of analysis increases confidence in the correctness of the specification, much in the same way as
testing a program may increase the confidence in its reliability: in fact, although testing cannot prove the absence of errors, it is especially valuable as a means to validate functional requirements.
In a second phase, when the specification is considered correct, the test cases can be collected and used to test the implementation of the system. Testing is simplified because the correct output data are also available.
In this project, the testing activity has allowed us to find a small, but subtle, error in the specification, due to an erroneous interpretation of the informal requirements of the system. The error was indeed fixed very easily. However, this experience is far from uncommon: without such a validation activity, there are errors in the specification that can easily go undetected and be included in the implementation of the system.
The scenarios
The study has considered six sba's (called sba_1, .., sba_6) and ten routes (it_1, .., it_10). Every route corresponds to the travel from one sba to another one, as described in Table 4.1. Many other routes are possible, but the study was restricted to the routes of the proposed scenarios.
route    starting sba    arrival sba
it_1     sba_1           sba_6
it_2     sba_2           sba_6
it_3     sba_3           sba_6
it_4     sba_4           sba_6
it_5     sba_5           sba_6
it_6     sba_6           sba_6
it_7     sba_1           sba_4
it_8     sba_2           sba_4
it_9     sba_3           sba_4
it_10    sba_4           sba_4
Table 4.1: The routes considered during the testing activity
The test case generation activity has covered the following situations:
1. a train goes from the beginning to the end in the forward direction (hence, from sba_1 to sba_6);
2. two trains, one following the other, proceed in the forward direction: the first train proceeds from sba_2 to sba_6, while the second enters only later, going from sba_1 to sba_4;
3. two trains proceed as in the previous case, but are too close to each other, violating safety requirements;
4. two trains, one following the other, proceed in the backward direction (this scenario is symmetrical to case 1).
The results show that the specification correctly allows the generation of test cases corresponding to scenarios 1, 2 and 4, while scenario 3 is, again correctly, rejected by the tools because it violates the formal specification.
For reasons of efficiency of execution, the topology of the Naples subway has been included in the form of constraints for every history rather than as axioms. Such constraints describe the values, for such particular subway, of the following time independent items:
- the relation pred between pairs of contiguous sba's;
- the function rest, which maps every route to the corresponding route deprived of the first sba;
- the function sba, which gives the i-th sba of a given route;
- the function velMax, denoting the maximum speed for each sba;
- the function lung, which gives the number (length) of sba of every route;
- the function puntoFinale, which gives back the indication of the final point of every route.
pred(sba_1,sba_2):[1..60]    pred(sba_2,sba_3):[1..60]    pred(sba_3,sba_4):[1..60]
pred(sba_4,sba_5):[1..60]    pred(sba_5,sba_6):[1..60]

rest(it_1)=it_2:[1..60]      rest(it_2)=it_3:[1..60]      rest(it_3)=it_4:[1..60]
rest(it_4)=it_5:[1..60]      rest(it_5)=it_6:[1..60]      rest(it_6)=undef:[1..60]
rest(it_7)=it_8:[1..60]      rest(it_8)=it_9:[1..60]      rest(it_9)=it_10:[1..60]
rest(it_10)=undef:[1..60]

sba(1,it_1)=sba_1:[1..60]    sba(2,it_1)=sba_2:[1..60]    sba(3,it_1)=sba_3:[1..60]
sba(4,it_1)=sba_4:[1..60]    sba(5,it_1)=sba_5:[1..60]    sba(6,it_1)=sba_6:[1..60]
sba(1,it_2)=sba_2:[1..60]    sba(2,it_2)=sba_3:[1..60]    sba(3,it_2)=sba_4:[1..60]
sba(4,it_2)=sba_5:[1..60]    sba(5,it_2)=sba_6:[1..60]    sba(6,it_2)=undef:[1..60]
sba(1,it_3)=sba_3:[1..60]    sba(2,it_3)=sba_4:[1..60]    sba(3,it_3)=sba_5:[1..60]
sba(4,it_3)=sba_6:[1..60]    sba(5,it_3)=undef:[1..60]    sba(6,it_3)=undef:[1..60]
sba(1,it_4)=sba_4:[1..60]    sba(2,it_4)=sba_5:[1..60]    sba(3,it_4)=sba_6:[1..60]
sba(4,it_4)=undef:[1..60]    sba(5,it_4)=undef:[1..60]    sba(6,it_4)=undef:[1..60]
sba(1,it_5)=sba_5:[1..60]    sba(2,it_5)=sba_6:[1..60]    sba(3,it_5)=undef:[1..60]
sba(4,it_5)=undef:[1..60]    sba(5,it_5)=undef:[1..60]    sba(6,it_5)=undef:[1..60]
sba(1,it_6)=sba_6:[1..60]    sba(2,it_6)=undef:[1..60]    sba(3,it_6)=undef:[1..60]
sba(4,it_6)=undef:[1..60]    sba(5,it_6)=undef:[1..60]    sba(6,it_6)=undef:[1..60]
sba(1,it_7)=sba_1:[1..60]    sba(2,it_7)=sba_2:[1..60]    sba(3,it_7)=sba_3:[1..60]
sba(4,it_7)=sba_4:[1..60]    sba(5,it_7)=undef:[1..60]    sba(6,it_7)=undef:[1..60]
sba(1,it_8)=sba_2:[1..60]    sba(2,it_8)=sba_3:[1..60]    sba(3,it_8)=sba_4:[1..60]
sba(4,it_8)=undef:[1..60]    sba(5,it_8)=undef:[1..60]    sba(6,it_8)=undef:[1..60]
sba(1,it_9)=sba_3:[1..60]    sba(2,it_9)=sba_4:[1..60]    sba(3,it_9)=undef:[1..60]
sba(4,it_9)=undef:[1..60]    sba(5,it_9)=undef:[1..60]    sba(6,it_9)=undef:[1..60]
sba(1,it_10)=sba_4:[1..60]   sba(2,it_10)=undef:[1..60]   sba(3,it_10)=undef:[1..60]
sba(4,it_10)=undef:[1..60]   sba(5,it_10)=undef:[1..60]   sba(6,it_10)=undef:[1..60]

velMax(sba_1)=v30:[1..60]    velMax(sba_2)=v65:[1..60]    velMax(sba_3)=v77:[1..60]
velMax(sba_4)=v77:[1..60]    velMax(sba_5)=v65:[1..60]    velMax(sba_6)=v30:[1..60]

lung(it_1)=6:[1..60]         lung(it_2)=5:[1..60]         lung(it_3)=4:[1..60]
lung(it_4)=3:[1..60]         lung(it_5)=2:[1..60]         lung(it_6)=1:[1..60]
lung(it_7)=4:[1..60]         lung(it_8)=3:[1..60]         lung(it_9)=2:[1..60]
lung(it_10)=1:[1..60]

puntoFinale(it_1)=pf6:[1..60]     puntoFinale(it_2)=pf6:[1..60]     puntoFinale(it_3)=pf6:[1..60]
puntoFinale(it_4)=pf6:[1..60]     puntoFinale(it_5)=pf6:[1..60]     puntoFinale(it_6)=pf6:[1..60]
puntoFinale(it_7)=pf4_5:[1..60]   puntoFinale(it_8)=pf4_5:[1..60]   puntoFinale(it_9)=pf4_5:[1..60]
puntoFinale(it_10)=pf4_5:[1..60]
Table 4.2: The topology of the Naples subway
Experimental results
Scenario 1: one train
This is the most basic scenario: there is only one train running in the subway. This train must cover, with a forward running direction, every section of the subway. There are no delays, faults or other abnormal behaviors.
The requested route is it_1 at instant 5. This causes the train, initially in the sba_1 section, to begin its march, headed towards sba_6.
As we can see in the following figure, sba_1's VISBA and VUSBA are set to their maximum values during the time interval 5-10, i.e. when the train is on sba_1.
At instant 11 the train passes sba_1: route it_1 is freed and the current route becomes it_2 (i.e. from sba_2 to sba_6).
Similarly, every ten instants the train passes an sba, which is released: the train reaches sba_3 at 21, sba_4 at 31, etc.
At instant 51 the train stops: the destination (sba_6) is reached.
[Figure 4.1: six plots of v against t (t = 1..57), one per section, showing the VISBA and VUSBA items of sba_1, sba_2, sba_3, sba_4, sba_5 and sba_6; the v axis runs 0-80 for sba_1 to sba_5 and 0-30 for sba_6]
Figure 4.1. The time progress of the speed curve - the VISBA and VUSBA items
Scenario 2: two trains
The second scenario is more complex: there are two trains (train 1 and 2) placed in sba_2 and sba_1, respectively. The first train must cover sba_2 to sba_6 with a forward running direction. The second train starts from sba_1 and must reach sba_4, clearly with the same running direction. The two routes are it_2 and it_7, respectively.
The requested route is it_7 at instant 5: train 1 starts up. As depicted in the next figure, train 1 remains on sba_2 until instant 13. Then it covers sba_3, then sba_4 at instant 23, and sba_5 at 31. From 31 to 50 it is blocked in sba_5.
At instant 33 the route it_7 becomes active - train 2 is set in motion to reach sba_4. It takes 5 instants to get through sba_1. It then reaches sba_2 at instant 38, then sba_3 at 41. Here the second train stops, because train 1 blocks sba_5. Actually, the specification states that there must be at least one completely free sba between two trains - namely, sba_4.
sba_4 is available only from instant 51, because train 1 passes to sba_6. So train 2 can go through sba_3 to reach its destination: sba_4. This is the end of the scenario: the two trains have completed their duties.
[Figure 4.2: six plots of v against t (t = 1..57), one per section, showing the VISBA and VUSBA items of sba_1, sba_2, sba_3, sba_4, sba_5 and sba_6; the v axis runs 0-80 for sba_1 to sba_5 and 0-30 for sba_6]
Figure 4.2. The time progress of the speed curve - the VISBA and VUSBA items for scenario 2.
Scenario 3: two trains in a potentially dangerous situation
As an interesting critical situation, we forced a speed curve in which the two trains - described in scenario 2 - can collide. In particular, we consider the case of a non-zero speed curve in sba_3 and sba_4 when the two trains are in sba_5 and sba_3, respectively (see figure 4.3).
[Figure 4.3: two plots of v against t (t = 1..57, v axis 0-80) showing the VISBA and VUSBA items of sba_3 and sba_4]
Figure 4.3. The modified dangerous speed curve of scenario 3.
This is a very dangerous situation, because train 2 could reach train 1 and then crash. However, as we can see in figure 4.4, the TRIO semantics tools immediately reject this pattern: it is not compatible with the specification of the speed curve-computing module. In fact, the execution trace shows that the TRIO tools reject the history at instant 41: the axiom axNonTrenoProssimoDirNormale does not hold.
Formula axNonFormati is True at 40
Formula axDirezMarcia is True at 40
Formula axTrenoProssimo is True at 40
Formula axNonTrenoProssimoDirNorm is True at 40
Formula axNonTrenoProssimoDirInv is True at 40
Formula axTrenoProssimoDirNorm is True at 40
Formula axTrenoProssimoDirInv is True at 40
Formula axLung1 is True at 40
Formula axStazionarioNuovoDirNorm is True at 40
Formula axStazionarioNuovoDirInv is True at 40
Formula axLiberatoGenerale is True at 40
Formula axLiberatoLung2 is True at 40
Formula axNonFormati is True at 41
Formula axDirezMarcia is True at 41
Formula axTrenoProssimo is True at 41
Formula axNonTrenoProssimoDirNorm is False at 41
Figure 4.4: Execution trace of the TRIO testing tools for the dangerous scenario 3.
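The rejection mechanism behind the trace above, as an added Python example that is not the authors' TRIO tool: every axiom is evaluated at every instant of a history and the first instant at which one fails is reported. Since the page does not give the text of axNonTrenoProssimoDirNormale, the block uses my own stand-in rule, axFreeGap, derived from the requirement stated in scenario 2 that one completely free sba must separate two trains; the history fragment, the train positions and the VISBA values are constructed from the scenario 3 description and Table 4.2.

```python
# Added example, not the authors' TRIO tools. axFreeGap is my own stand-in for the
# page's rule "one completely free sba between two trains" (the real axiom is not shown).

# Forward-direction successor of each sba, from the pred pairs of Table 4.2.
NEXT = {"sba_1": "sba_2", "sba_2": "sba_3", "sba_3": "sba_4",
        "sba_4": "sba_5", "sba_5": "sba_6"}

def ahead(sba, k):
    """The sba k sections ahead in the forward direction, or None beyond sba_6."""
    for _ in range(k):
        sba = NEXT.get(sba)
        if sba is None:
            return None
    return sba

def ax_free_gap(state):
    """Assumed rule: a sba whose next or next-but-one section is occupied must
    carry VISBA = 0, so no train can close the gap below one free sba."""
    occupied = set(state["pos"].values())
    return all(visba == 0 or not any(ahead(sba, k) in occupied for k in (1, 2))
               for sba, visba in state["VISBA"].items())

AXIOMS = {"axFreeGap": ax_free_gap}

def check_history(history):
    """Evaluate each axiom at each instant, in the shape of the Figure 4.4 trace.
    Returns (trace lines, first (axiom, instant) that fails or None)."""
    trace, failure = [], None
    for t in sorted(history):
        for name, axiom in AXIOMS.items():
            ok = axiom(history[t])
            trace.append(f"Formula {name} is {'True' if ok else 'False'} at {t}")
            if not ok and failure is None:
                failure = (name, t)
    return trace, failure

# Constructed fragment of scenario 3 (instants 40 and 41): train 1 held in sba_5,
# train 2 in sba_3; at 41 the forced non-zero curve of Figure 4.3 appears in
# sba_3 and sba_4 (77 is the velMax of both sections in Table 4.2).
SCENARIO_3 = {
    40: {"pos": {"train1": "sba_5", "train2": "sba_3"},
         "VISBA": {"sba_3": 0, "sba_4": 0, "sba_5": 0}},
    41: {"pos": {"train1": "sba_5", "train2": "sba_3"},
         "VISBA": {"sba_3": 77, "sba_4": 77, "sba_5": 0}},
}

if __name__ == "__main__":
    lines, first_failure = check_history(SCENARIO_3)
    print("\n".join(lines), "\nrejected at", first_failure)  # ('axFreeGap', 41)
```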
Scenario 4: two trains moving backward
This last scenario is practically identical to the second one: the only difference is the running direction, which is backward for the two trains.
Actually, the topological configuration is the following:
/*** inverted Topological Configuration ***/
pred(sba_2,sba_1):[1..60]    pred(sba_3,sba_2):[1..60]
pred(sba_4,sba_3):[1..60]
pred(sba_5,sba_4):[1..60]
pred(sba_6,sba_5):[1..60]
We used the scenario to test the axioms for the backward running direction. The results turned out to be, as expected, wholly symmetrical to those of the forward running direction scenario and are omitted here.
5. Conclusions
The main goal of this study was to investigate and assess the potential applicability of the TRIO technique in the field of railway signaling systems. The experiment was certainly successful. We derived from the informal documentation of the Safety Kernel of the Naples Subway a formal specification of the requirements, written in the TRIO language. Then a validation phase, based on testing techniques, was performed on the specification, leading to the discovery of a subtle error in the specification. The validation activity also produced a small set of scenarios that could be used as functional test cases. As a modeling language, TRIO certainly proved to be adequate to describe the data and timing requirements of the Safety Kernel. We believe that the adoption of the same formal method would be very beneficial in the development of other very critical components of the signaling system of the subway, such as the ACEI and the Peripheral Post. In general, we estimate that the adoption of the TRIO language and tool environment would provide better specifications and improve the quality of the test plans, in terms of: an explicit correspondence between test cases and the properties they are meant to verify, a precise evaluation of the obtained coverage, and a greater confidence in test case correctness (test cases would be obtained systematically by means of semiautomatic tools from the specification).