Formal Verification and Validation of ERTMS Industrial Railway Train Spacing System

Abstract. Formal verification and validation is a fundamental step for the certifi-cation of railways critical systems. Many railways safety standards (e.g. the CEN-ELEC EN-50126, EN-50128 and EN-50129 standards implement the mandatory safety requirements of IEC-61508-7 standard for Functional and Safety) currently mandate the use of formal methods in the design to certify correctness. In this paper we describe an industrial application of formal methods for the ver-ification and validation of “Logica di Sicurezza ” (LDS), the safety logic of a railways ERTMS Level 2 system developed by Ansaldo-STS. LDS is a generic control software that needs to be instantiated on a railways network configuration. We developed a methodology for the verification and validation of a critical sub-set of LDS deployed on typical realistic railways network configurations. To show feasibility, effectiveness and scalability, we have experimented with several state of the art symbolic software model checking techniques and tools on different network configurations. From the experiments, we have successfully identified an effective strategy for the verification and validation of our case study. More-over, the results of experiments show that formal verification and validation is feasible and effective, and also scales reasonably well with the size of the config-uration. Given the results, Ansaldo-STS is currently integrating the methodology in its internal Development and Verification & Validation Flow.

Supporting requirement analysis through requirement rationale capture and traceability

Manufacturers of complex engineering systems are increasingly recognising the importance of identifying, understanding and satisfying stakeholders’ needs in order to produce high-quality products. The analysis of these needs into a formal requirement specification is a time consuming and complex process for which little support is offered to design engineers. This can result in requirements being poorly documented and with little or no traceability to their origins. This dissertation reports an investigation to understand the process of requirement analysis and develop computational support for this important phase of the engineering design process. The key argument of this research is that the existing practice of requirement analysis can be improved by providing better support for requirement rationale capture and enabling greater requirement traceability. The research consisted of three main phases. In the first phase, literature related to the requirement analysis was reviewed and led to the creation of a requirement analysis model. In the second phase, the practices of a global engineering organisation were investigated using document analysis as well as interviews with and shadowing of company engineers. The research found that requirement analysis lacks support for requirement rationale capture and traceability. On the basis of this result, a workflow for requirement analysis was proposed. The workflow involves the use of the Decision Rationale editor tool to capture requirement rationale and enable requirement traceability. In the third phase, four studies were undertaken to validate the workflow. These studies investigated: 1) application of the workflow to requirements generated through reverse-engineering a low-complexity consumer product; 2) requirements extracted from documents produced by a graduate engineering team during a twelve-week project; 3) the requirement analysis process undertaken by two graduate engineering teams during twelve-week projects; and 4) requirements for a new aircraft engine development programme. The studies showed that the proposed workflow is feasible, practical, and scalable when applied to engineering projects. Requirement rationales were classified into categories, namely product design and use, pre-existing rationale, and project management. In order to fully support requirement traceability, it was found that it is important to make traceable four types of requirement transformations: newly introduced, copied, updated, and deleted requirements. The research demonstrated that the proposed workflow is a successful proof-of-concept and can lead to improved quality of requirement documentation and requirement traceability.Open Acces