Validation of the Hybrid ERTMS/ETCS Level 3 using Spin

  • ABZ 2018
  • International Journal on Software Tools for Technology Transfer

Abstract

The Hybrid ERTMS/ETCS Level 3 is a European Union standard for the management and interoperation of railway signalling. Its aim is to increase the throughput of railway tracks by integrating the physical information coming from the trackside detection system with the information transmitted by the train itself regarding its position and integrity. In this paper, we propose a formal model of the Hybrid ERTMS/ETCS Level 3 (ver. 1A) in Promela and its validation using Spin. We describe how we derived the model from the informal requirements and the abstractions we applied during this process; moreover, we explain how we validated and verified the model, and the ambiguities we detected in the requirements document. Although Spin provides very good verification facilities, it lacks proper support for user-driven validation by simulation and scenario specification; therefore, we propose two facilities built upon the Promela language (with different expressive power) that allow scenarios to be specified easily.

Notes

  1. Actually, two trains can be in a TTD if they are operating in on-sight mode, in which the drivers are fully responsible for the train movement; this setting, however, is an exceptional case and not part of normal operational mode.

  2. The command we used for testing the scenarios was: spin -X -B -Dsce=1 model.pml. This produces formatted output without overwhelming detail.

  3. The complete report on requirements coverage is available at https://github.com/jankofron/abz18-casestudy-spin/blob/master/reqs.md.

  4. All the models, scenarios, and verification results are available online at https://github.com/jankofron/abz18-casestudy-spin.

  5. We discuss the limitations of our model later in Sect. 3.1.

  6. Note that the case study assignment [1] considers movement only in one direction, i.e. no backward moves. In reality, however, this can occur due to train stretching after releasing the brake close to a TTD boundary.

  7. Note that we allow at most two trains in the system.

  8. Note that the same logging facilities are also available in normal simulation and in the DSL mode.

  9. The only log of the changes is in the Modification history [23] that reports “Corrections after ENIF test” for version 1B and “Further corrections after review 1B” for version 1C.

  10. http://spinroot.com/spin/success.html.

References

  1. Hoang, T.S., Butler, M., Reichl, K.: The Hybrid ERTMS/ETCS Level 3 Case Study. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 251–261. Springer, Cham (2018)

  2. Hybrid ERTMS/ETCS Level 3, version 1A. Technical report, EEIG ERTMS Users Group, 07 (2017)

  3. Leuschel, M.: The high road to formal validation. In: Börger, E., Butler, M., Bowen, J.P., Boca, P. (eds.) Abstract State Machines, B and Z: First International Conference, ABZ 2008, London, UK, September 16–18, 2008. Proceedings, pp. 4–23. Springer, Berlin (2008)

  4. Börger, E., Raschke, A.: Modeling Companion for Software Practitioners. Springer, Berlin (2018)

  5. Abrial, J.-R.: Modeling in Event-B: System and Software Engineering. Cambridge University Press, Cambridge (2010)

  6. Arcaini, P., Gargantini, A., Riccobene, E.: AsmetaSMV: a way to link high-level ASM models to low-level NuSMV specifications. In: Proceedings of the 2nd International Conference on Abstract State Machines, Alloy, B and Z (ABZ 2010). LNCS, vol. 5977, pp. 61–74. Springer (2010)

  7. Leuschel, M., Butler, M.: ProB: an automated analysis toolset for the B method. Int. J. Softw. Tools Technol. Transf. 10(2), 185–203 (2008)

  8. Chen, J., Cui, H.: Translation from adapted UML to Promela for CORBA-based applications. In: Graf, S., Mounier, L. (eds.) Model Checking Software, pp. 234–251. Springer, Berlin (2004)

  9. Prigent, A., Cassez, F., Dhaussy, P., Roux, O.: Extending the translation from SDL to Promela. In: Bošnački, D., Leue, S. (eds.) Model Checking Software, pp. 79–94. Springer, Berlin (2002)

  10. Meenakshi, B., Bhatnagar, A., Roy, S.: Tool for translating Simulink models into input language of a model checker. In: Liu, Z., He, J. (eds.) Formal Methods and Software Engineering, pp. 606–620. Springer, Berlin (2006)

  11. Holzmann, G.J.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, Boston (2004)

  12. Cimatti, A., Clarke, E.M., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV version 2: an open source tool for symbolic model checking. In: Proceedings International Conference on Computer-Aided Verification (CAV 2002). LNCS, vol. 2404. Springer (2002)

  13. Git. https://git-scm.com/. Accessed 30 May 2019

  14. The Spin model checker website. http://spinroot.com/. Accessed 30 May 2019

  15. Arcaini, P., Ježek, P., Kofroň, J.: Modelling the Hybrid ERTMS/ETCS Level 3 Case Study in Spin. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z. Springer, Cham (2018)

  16. Drážní inspekce (The Rail Safety Inspection of the Czech Republic): Investigation Report of Railway Accident: Collision of a locomotive running solo as train No. 72461 with passenger train No. 5011 in Moravany station (2008). http://www.dicr.cz/uploads/Zpravy/MU/MU_Moravany.pdf. Accessed 30 May 2019

  17. Das Eisenbahn-Bundesamt (EBA): The German Federal Railway Authority. Erweiterte Regelung zur Bedienung der Sandstreueinrichtung (2013). https://www.eba.bund.de/SharedDocs/Downloads/DE/GesetzeundRegelwerk/Allgemeinverf/34_allgvfg_sandstreu1.pdf?__blob=publicationFile&v=3. Accessed 30 May 2019

  18. Ladenberger, L., Bendisposto, J., Leuschel, M.: Visualising Event-B models with B-Motion Studio. In: Alpuente, M., Cook, B., Joubert, C. (eds.) Formal Methods for Industrial Critical Systems: 14th International Workshop, FMICS 2009, Eindhoven, The Netherlands, November 2–3, 2009. Proceedings, pp. 202–204. Springer, Berlin (2009)

  19. Fraser, G., Wotawa, F., Ammann, P.E.: Testing with model checkers: a survey. Softw. Test. Verif. Reliab. 19(3), 215–261 (2009)

  20. Espada, A.R., del Mar Gallardo, M., Salmerón, A., Merino, P.: Using model checking to generate test cases for android applications. In: Pakulin, N., Petrenko, A.K., Schlingloff, B.-H. (eds.) Proceedings Tenth Workshop on Model Based Testing, London, UK, 18th April 2015, Volume 180 of Electronic Proceedings in Theoretical Computer Science, pp. 7–21. Open Publishing Association, London (2015)

  21. Benerecetti, M., De Guglielmo, R., Gentile, U., Marrone, S., Mazzocca, N., Nardone, R., Peron, A., Velardi, L., Vittorini, V.: Dynamic state machines for modelling railway control systems. Sci. Comput. Program. 133, 116–153 (2017). Formal Techniques for Safety-Critical Systems (FTSCS 2014)

  22. Glossary of terms and abbreviations. Technical report, ERA * UNISIG * EEIG ERTMS USERS GROUP, 5 (2016)

  23. Hybrid ERTMS/ETCS Level 3, version 1C. Technical report, EEIG ERTMS Users Group, 07 (2018)

  24. Dick, J., Hull, E., Jackson, K.: Requirements Engineering, 4th edn. Springer, Berlin (2017)

  25. Cunha, A., Macedo, N.: Validating the Hybrid ERTMS/ETCS Level 3 concept with electrum. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 307–321. Springer, Cham (2018)

  26. Abrial, J.-R.: The ABZ-2018 case study with Event-B. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 322–337. Springer, Cham (2018)

  27. Mammar, A., Frappier, M., Fotso, S.J.T., Laleau, R.: An Event-B model of the hybrid ERTMS/ETCS Level 3 standard. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 353–366. Springer, Cham (2018)

  28. Dghaym, D., Poppleton, M., Snook, C.: Diagram-led formal modelling using iUML-B for Hybrid ERTMS Level 3. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 338–352. Springer, Cham (2018)

  29. Leue, S., Holzmann, G.J.: v-Promela: a visual, object-oriented language for SPIN. In: Proceedings 2nd IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC’99) (Cat. No.99-61702), pp. 14–23 (1999)

  30. Hansen, D., Leuschel, M., Schneider, D., Krings, S., Körner, P., Naulin, T., Nayeri, N., Skowron, F.: Using a formal B model at runtime in a demonstration of the ETCS Hybrid Level 3 concept with real trains. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 292–306. Springer, Cham (2018)

  31. Bencomo, N., France, R.B., Cheng, B.H.C., Aßmann, U. (eds.): Models@run.time—Foundations, Applications, and Roadmaps [Dagstuhl Seminar 11481, November 27–December 2, 2011]. Lecture Notes in Computer Science, vol. 8378. Springer, Cham (2014)

  32. Fotso, S.J.T., Frappier, M., Laleau, R., Mammar, A.: Modeling the hybrid ERTMS/ETCS Level 3 standard using a formal requirements engineering approach. In: Butler, M., Raschke, A., Hoang, T.S., Reichl, K. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, pp. 262–276. Springer, Cham (2018)

  33. Fuxman, A., Liu, L., Mylopoulos, J., Pistore, M., Roveri, M., Traverso, P.: Specifying and analyzing early requirements in Tropos. Requir. Eng. 9(2), 132–150 (2004)

  34. Cimatti, A., Giunchiglia, F., Mongardi, G., Romano, D., Torielli, F., Traverso, P.: Formal verification of a railway interlocking system using model checking. Form. Asp. Comput. 10(4), 361–380 (1998)

  35. Gnesi, S., Latella, D., Lenzini, G., Abbaneo, C., Amendola, A.M., Marmo, P.: A formal specification and validation of a critical system in presence of byzantine errors. In: Graf, S., Schwartzbach, M. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 535–549. Springer, Berlin (2000)

  36. Lamport, L., Shostak, R., Pease, M.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. 4, 382–401 (1982)

  37. Mazzanti, F., Ferrari, A., Spagnolo, G.O.: Towards formal methods diversity in railways: an experience report with seven frameworks. Int. J. Softw. Tools Technol. Transf. 20(3), 263–288 (2018)

  38. Arvind, N.D., Katelman, M.: Getting formal verification into design flow. In: Cuellar, J., Maibaum, T., Sere, K. (eds.) FM 2008: Formal Methods: 15th International Symposium on Formal Methods, Turku, Finland, May 26–30, 2008. Proceedings, pp. 12–32. Springer, Berlin (2008)

Corresponding author

Correspondence to Paolo Arcaini.

P. Arcaini is supported by ERATO HASUO Metamathematics for Systems Design Project (No. JPMJER1603), JST, Funding Reference No.: 10.13039/501100009024 ERATO. J. Kofroň is supported by the Czech Science Foundation Project No. 17-12465S.

Cite this article

Arcaini, P., Kofroň, J. & Ježek, P. Validation of the Hybrid ERTMS/ETCS Level 3 using Spin. Int J Softw Tools Technol Transfer 22, 265–279 (2020). https://doi.org/10.1007/s10009-019-00539-x