The Verification and Validation activity for a railway control - - PowerPoint PPT Presentation

the verification and validation activity for a railway
SMART_READER_LITE
LIVE PREVIEW

The Verification and Validation activity for a railway control - - PowerPoint PPT Presentation

Feb 01, 2024 474 likes •815 views

Ansaldo Segnalamento Ferroviario The Verification and Validation activity for a railway control system Davide Alagna, Alessandro Romei [alagna.davide@asf.ansaldo.it, romei.alessandro@asf.ansaldo.it] RAMS Department Geneva, 19 th September 2008

slide-1
SLIDE 1

Ansaldo Segnalamento Ferroviario

The Verification and Validation activity for a railway control system

Davide Alagna, Alessandro Romei

[alagna.davide@asf.ansaldo.it, romei.alessandro@asf.ansaldo.it]

RAMS Department

Geneva, 19th September 2008

slide-2
SLIDE 2

Ansaldo Segnalamento Ferroviario

1. Ansaldo signalling systems

  • Overview
  • Safety Logic
  • System Data

2. V&V activities

  • Overview
  • Code inspection
  • Independent generation of System Data
  • Typologies of tests

3. Conclusions

  • Software Problem Report

Summary

slide-3
SLIDE 3

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems
slide-4
SLIDE 4

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Purpose of a signalling system

Safe railway traffic requires a signalling system to

  • assign and control the route
  • support the driver’s behaviour
  • avoid collisions
slide-5
SLIDE 5

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Architecture of Ansaldo ACC interlocking

Field devices Peripheral Posts ACC Central Interlocking Unit Signaller’s desk ART1 server ART2 server

slide-6
SLIDE 6

Ansaldo Segnalamento Ferroviario

Adjacent RBCs

  • 1. Ansaldo signalling systems – Overview

Architecture of Ansaldo Radio Block Centre

RBC Central Interlocking Unit Operator’s desk ART1 server ART2 server Train Interlocking Communication Computer

slide-7
SLIDE 7

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Products and applications

Generic Product:

  • Hardware and Kernel Software (e.g. ACC, RBC)

Generic Application:

  • Signalling Safety Logic (e.g. Italy, UK, ERTMS)

Specific Applications:

  • Systems (e.g. NVC Milano-Bologna, ACC Roma Termini,

RBC Torino-Novara)

slide-8
SLIDE 8

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

CIU design guidelines

Same product for different applications Strict separation between invariant and variant parts of the product

  • Invariant: Hardware, Kernel Software
  • Variant: Safety Logic, System Data

Variant parts managed through databases, handled by a common software engine

slide-9
SLIDE 9

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

CIU software architecture

Hardware Kernel Software Safety Logic System Data

slide-10
SLIDE 10

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Safety Logic design

Object-Oriented modelling of Safety Logic starting from safety requirements (principle schemes):

  • Entities (classes)
  • Attributes (classes specification)
  • Linked Entities (relationships among classes)
  • Entities state (classes members)
  • Commands (classes methods)
slide-11
SLIDE 11

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Design example

Requirement: a point machine shall not move if it is engaged by a train.

  • Entities (classes):

Point, Track_circuit

  • Attributes (classes specification): -
  • Linked entities (relationships among classes):

Dead_track_circuit

  • Entities state (classes members):

Point.position, Track_circuit.state

  • Commands (classes methods):

Point.move()

slide-12
SLIDE 12

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Safety Logic implementation

Safety Logic developed in a high-level proprietary language

  • Conditional statements
  • Assignments
  • Exceptions
  • No pointers
  • No dynamic memory allocation
  • Restricted use of error-prone statements

Safety Logic compiled in a symbolic language ready to be interpreted by the Logic Handler Process

  • Reflects the strict separation between invariant and

variant parts of the product

  • All
  • bjects

and their relationships are statically instantiated, therefore they can be analyzed offline

slide-13
SLIDE 13

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

From Safety Logic to System Data

Requirements, design and implementation of Safety Logic are abstract (generic application) Systems are configured (specific applications) Databases to be instantiated for:

  • entities
  • attributes
  • linked entities
slide-14
SLIDE 14

Ansaldo Segnalamento Ferroviario

  • 1. Ansaldo signalling systems – Overview

Configuration example

Entities: PT.01, PT.03, … TC.110, TC.111, … Attributes: PT.01 is Oleodynamic, PT.07 is Electromechanic Linked entities: PT.01 → TC.161, …

slide-15
SLIDE 15

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities
slide-16
SLIDE 16

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Overview

V&V activities

Generic Product:

  • Hardware testing
  • Kernel Software testing

Generic and Specific Application:

  • Code inspection of Safety Logic code
  • Coverage analysis
  • Independent generation of System Data
  • Automatic and manual testing in simulated environment
  • Field testing on target system
slide-17
SLIDE 17

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Code inspection

Code inspection

Automatic analysis provides:

  • Context diagrams
  • Used vs not used variables
  • Used vs not used attributes and linked entities

Manual analysis focuses on:

  • UML modelling of safety logic code
  • Check lists for good programming style
  • Functional analysis, search for critical complex scenarios

Tools under development for:

  • Automatic UML modelling of safety logic code through its

translation in C++ or Java, thus allowing off-the-shelf environments to be positively used

slide-18
SLIDE 18

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Code inspection

Coverage analysis

Performed after the completion of automatic and manual test sets Focuses on either Code or Data Automatic analysis provides:

  • Coverage statistics
  • Reports and databases

Manual analysis focuses on:

  • Non covered branches, attributes and linked entities
  • Feedback to test specifications
slide-19
SLIDE 19

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Code inspection

Tools for Coverage analysis

Entities Commands Safety Logic code Statistics

slide-20
SLIDE 20

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Independent generation of System Data

Independent generation of System Data

Aims at verifying the correctness and completeness of System Data

  • Independent generation of:
  • entities
  • attributes
  • linked entities

according to the design model of Safety Logic

  • Comparison

with System Data produced by the Development Team

  • Evaluation of differences
slide-21
SLIDE 21

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Independent generation of System Data

Independent generation of System Data

Design model

  • f Safety Logic

Configuration Rules (Development)

System Data

Scheme Scheme

CT SP Ansaldo Proprietary Query Processor Query Processor Off-the-shelf (Microsoft Access)

=

Configuration Rules (V&V)

System Data

slide-22
SLIDE 22

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Typologies of tests

Functional tests: all functional requirements are correctly implemented by Safety Logic code

  • Scope: generic application

Configuration tests: all System Data required by the Safety Logic are correctly configured, and no spurious data are present

  • Scope: specific application

Stress tests: critical functions of the system are stressed introducing a set of random inputs

  • Scope: both generic and specific application (in particular

RBC)

slide-23
SLIDE 23

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Functional tests

A Test Case is specified for each Safety Logic requirement, according to a black-box approach Abstract Test Scripts are implemented

  • Level of abstraction ≡ classes of equivalence

Test Scripts are executed in a fully or partially simulated environment Both positive and negative results are analysed, leading to Code Coverage Analysis

slide-24
SLIDE 24

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Configuration tests

A Test Case can be defined:

  • for each attribute and for each linked entity, according to a

white-box approach based on the Safety Logic design model

  • for each relationship among data, according to a black-

box approach based on System Data requirements Abstract Test Scripts are implemented

  • Level of abstraction ≡ entity

Test Scripts are executed in a fully or partially simulated environment Both positive and negative results are analysed, leading to Data Coverage Analysis

slide-25
SLIDE 25

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Stress tests

Identification of a set of critical functions with references both to safety and complexity issues System stressed with a set of random inputs System behaviour analysed searching for:

  • compliance with pre-defined properties of state variables
  • unforeseen evolutions of state variables

based on Chronological Events Recording (RCE) Suitable for reactive systems such as RBC

slide-26
SLIDE 26

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Testing approach and development

The white-box approach requires a detailed knowledge of the Safety Logic

  • Applied to Italian ACC interlocking

The black-box approach is independent from the system implementation

  • Applied to projects developed incrementally, such as UK

ACC interlocking and RBC Tools under development for:

  • Specifying black-box test cases with UML class and

sequence diagrams

  • Automatic generations of test scripts from UML model
slide-27
SLIDE 27

Ansaldo Segnalamento Ferroviario

Signaller Tester CIU CIU Simulator Station Station Simulator

  • 2. V&V activities – Typologies of tests

Simulated Testing Environment (ACC)

Peripheral Posts ART1 ART2 Peripheral Posts Simulator

slide-28
SLIDE 28

Ansaldo Segnalamento Ferroviario

Train Adjacent RBCs

  • 2. V&V activities – Typologies of tests

Simulated Testing Environment (RBC)

CIU Operator ART1 ART2 Interlocking RBC Simulator IXL Simulator Tester CIU Simulator Communication computer Protocol stack Train Simulator

slide-29
SLIDE 29

Ansaldo Segnalamento Ferroviario

  • 2. V&V activities – Typologies of tests

Field testing on target system

Functional tests which cannot be completed in a simulated environment, e.g.

  • Integration with adjacent systems
  • Interfacing with target field devices
  • Diagnostic issues and fault tolerance

Tests on the correct set-up of field devices (track circuits, point machines, signal heads) and peripheral posts Tests with real trains

slide-30
SLIDE 30

Ansaldo Segnalamento Ferroviario

  • 3. Conclusions
slide-31
SLIDE 31

Ansaldo Segnalamento Ferroviario

  • 3. Conclusions – Software Problem Report

Management of non-compliances

Production of Software Problem Reports (SPR)

  • Causes
  • Safety issues
  • Impacts

Problem Resolution by the Development Team New V&V cycle

  • Evaluation of the impact of changes
  • Regression tests
  • SPR closure (if possible)
  • New SPR production (if any)
slide-32
SLIDE 32

Ansaldo Segnalamento Ferroviario

Thank you for your kind attention