Jianyuan Forum · Model Observation | Industrial Application of Formal Methods: The Rail Transit Field

Author | Wang Yiling, System Modeling Group, Shanghai Kongan Trusted Software Innovation Research Institute

Section | Jianyuan Forum · Model Observation

Community | Add WeChat ID "TICPShanghai" to join the "Shanghai Kongan 51fusa Security Community"

Introduction: The previous articles in this series introduced the history and the main techniques of formal methods, and then looked at the engineering of formal methods as a whole. This article focuses on the rail transit field and, starting from Prema, a domain-specific requirements writing and analysis tool, shows how formal methods are applied in industrial practice.

01

Background

With the rapid development of cities, the construction and reach of rail transit has become an important indicator of urban transport convenience and economic development. During the "13th Five-Year Plan" period the operating mileage of urban rail transit reached 6,600 kilometers, and it is estimated that by 2025 at least 30% of commuters in megacities will live within an 800-meter radius of a rail station. The control software of a rail transit system determines whether that system operates safely: if the control software does not behave as expected, the result can be property damage and casualties. The quality and safety of rail transit control software is therefore critical, and the state has issued strict safety standards for it.

In rail transit, the automatic train control (ATC) system consists of three subsystems: ATP (Automatic Train Protection), ATO (Automatic Train Operation) and ATS (Automatic Train Supervision). Together they provide a high level of train safety by automatically preventing driver errors. As shown in Figure 1, ATO controls the automatic operation of the train and is composed of on-board and ground equipment; ATP ensures that the train brakes immediately once it exceeds the permitted speed, and is likewise composed of on-board and ground equipment; ATS performs automatic supervision of the trains and is composed of the control center, station, yard and on-board equipment. The relationship between the three is that, under the protection of ATP, ATO drives the train automatically, regulates its speed and controls the train doors according to the instructions issued by ATS.


Figure 1 Structure of the automatic train control system

Requirements analysis is the basis of software design and the earliest and most critical step in software development. The requirements document contains the functional description of the train control system, and analyzing those requirements is how errors in the functional description are found. After long-term research and practice, both academia and industry recognize the need to check the functional requirements of a train control system already at the requirements stage. In current industrial practice, however, train control requirements are written in natural language and checked manually, which is not only inefficient but also cannot ensure that the functional requirements are correct.

02

An overview of formal modeling methods

Natural-language requirements are inherently ambiguous: an expression that is clear to its writer may be read by others with a different meaning. Different developers then hold inconsistent understandings of the same requirements and designs, and development efficiency drops. To avoid this, requirements and designs are described in a standard form, generally one based on the language of mathematics. This standardized description is the foundation of formal methods.

Formal methods are mathematically based techniques for writing specifications and for developing and verifying digital systems. Their mathematical foundations are formal logic, discrete mathematics and machine-recognizable languages. A formal model is an unambiguous model defined by mathematical syntax and semantics; it is an abstract representation of selected aspects of the software and serves as input to subsequent analysis, simulation and code generation (code generation directly from the model is possible only under certain conditions). The starting point for applying formal methods is to build a formal model of the software to be developed.

Formal methods have two main branches, formal specification and formal verification, and formal verification is in turn divided into theorem proving and model checking, as shown in Figure 2.


Figure 2 The composition of formal methods

In academia and industry, researchers and engineers working on the safe operation of trains approach rail transit control systems mainly from three directions: formal requirements description, model building and verification, and system simulation. These are not isolated and are usually studied together, for example by describing the system requirements with a formal method, then building a model from them and analyzing and verifying it.

To apply formal methods to the safety of rail transit control systems, we propose a formal engineering method for requirements modeling of rail transit control systems and have developed the tool Prema (Precise Requirements Editing, Modeling and Analysis) to support it.

03

Prema, a solution for the rail transit field

Prema applies formal techniques in two areas: formal requirements specification and model checking. To describe requirements formally we propose CASDL, a language adapted to the rail transit domain. Once the system requirements have been modeled in this formal language, the requirements model can be checked for whether constraint properties stated as Boolean expressions hold.

The main interface of the Prema tool is shown in Figure 3. It is divided into an editing pane on the left and a display pane on the right. Users write requirements on the left while the generated document is rendered in real time on the right; a toolbar above the editing pane provides shortcuts for writing requirements.


Figure 3 Prema tool interface

3.1 Formal requirements specification

The user writes the formal requirements in the CASDL language in the editing pane on the left. The CASDL language specification is summarized briefly below.

Since control systems in the rail transit field usually run periodically, the cycle has a special meaning in CASDL: it denotes the execution cycle the system is currently in. The top-level syntax is:

● md ::= (cycle, Block, DefBlock, DataDictionary)

● Block ::= (identifier, Precondition, initial, State, Transition)

● DefBlock ::= (name, identifier, Tasks)

● Tasks ::= CFG

● Transition ::= (Source, Target, Condition, Action)

● DataDictionary ::= (V)

A CASDL model consists of four parts. The Block part describes the state transitions of the system; each Block is identified by a unique identifier. Precondition decides whether the conditions for a state transition are met, initial gives the values before the transition, State holds the values of all state variables that change, and Transition describes the transition itself, with the structure given above: Source and Target are the values before and after the state change, Condition is the set of conditions that must hold for the transition to occur, and Action records what the transition does.

DefBlock describes a computation module, consisting of the module name, a unique identifier, and the computation Tasks, expressed as a control-flow graph.

The DataDictionary records the variables that appear while modeling the requirements document.

Figure 4 shows an example written in CASDL. The red part is a Block, which expresses a state transition: it has no return value and only changes the values of state variables, thereby changing the state of the system. State(k-1) refers to the value of State in cycle k-1, that is, the previous cycle. The yellow part is a DefBlock describing a computation task.


Figure 4 Block and DefBlock examples

CASDL also defines expressions for describing the computation-oriented tasks in a DefBlock. Their syntax is:

● SExpr ::= Const | Var | f(n)(SExpr)

● BTerm ::= True | False | p(n)(SExpr)

● IExpr ::= (after | duration)(BTerm, SExpr)

● BExpr ::= BTerm | ¬BExpr | BExpr ∨ BExpr | BExpr ∧ BExpr

A state expression (SExpr) is a constant, a variable, or an n-ary function applied to state expressions; a Boolean term (BTerm) is True, False, or an n-ary predicate over state expressions. Interval expressions (IExpr) describe time-related requirement fragments, namely a Boolean term holding for a certain period of time (duration) or holding after a certain period of time (after), with the SExpr giving the length of that period. Boolean expressions (BExpr) are built from Boolean terms by negation, disjunction and conjunction.

CASDL also defines the following statement structures:

● stmts ::= pStmt | cStmt

● pStmt ::= aStmt | skip

● aStmt ::= x := SExpr

● cStmt ::= stmts | if BExpr then stmts else stmts

A statement is either a primitive statement or a compound statement. A primitive statement (pStmt) is an assignment or skip; an assignment (aStmt) assigns the value of a state expression to a variable. A compound statement (cStmt) is a statement sequence or a conditional (if-then-else) structure.

Overall, CASDL follows the habits of working engineers and has a low learning cost. Its Python-like syntax is easy to pick up, but its semantics differ from Python's: for example, k is a reserved letter in CASDL that denotes the system's execution cycle.

3.2 Model checking

Once the requirements have been written, the Prema tool offers static analysis, simulated execution of the state machine, and requirement property verification to check that the written requirements are correct. Property verification is the model-checking step.

Property verification checks properties such as invariants or reachability on the requirement model after the requirements have passed the syntax check. Its main purpose is to determine whether changes in one set of variables necessarily cause the expected changes in the variables that depend on them, which is essential for understanding and analyzing the logical relationships within the requirements. The flow of property verification is shown in Figure 5:


Figure 5 Flowchart of property verification

The Prema property verification interface is shown in Figure 6. The user can reuse a previously saved configuration or choose a new one. In the verification interface the user selects the requirement items to be verified and clicks the Go button to open the full verification view.


Figure 6 Property verification interface

The tool generates a variable relationship diagram for the selected requirement items, reminding the requirements engineer what those items describe and preventing the wrong items from being checked. After confirming the selection, the engineer writes the property to be verified in the property editing area; at present only Boolean expressions are supported as properties. After filling in the (optional) initial state and the property, the Check button verifies that the property is a well-formed Boolean expression.

Once the requirement items and the property have been chosen and the Verify button is clicked, the interface displays the verification result. The requirements engineer can read from this feedback whether the requirement satisfies the property; if it does not, a counterexample is shown.

Using Prema in this way removes the ambiguity of natural-language requirement statements and allows the stated properties of the requirements to be verified rather than merely reviewed.
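The CASDL constructs of section 3.1 (a periodic Block whose Transitions carry Source, Target, Condition and Action, a reference to the previous cycle State(k-1), and the interval expressions duration and after) and the property check with counterexample of section 3.2 can be illustrated together with a small Python model. This is an added example written for this article, not code from Prema or from the Prema authors, and CASDL is only mirrored loosely. Everything in it is constructed: the ATP overspeed Block, the speed limit of 80 km/h, the two-cycle release rule, the input domain {70, 90} km/h, and the search depth of four cycles. The checker exhaustively tries every input sequence up to the bound and returns the first trace that violates a Boolean property, which is the shape of counterexample a model checker reports; a deliberately loose variant of the release rule is used to produce one.

```python
"""Toy cycle-based requirements model and bounded property check.

Added example, not Prema code. A Block owns a state variable and Transitions
(Source, Target, Condition, Action); Conditions are evaluated on the trace of
states so that State(k-1) and the interval expressions duration/after are
available. Model, limit and input domain are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Sequence

State = Dict[str, object]
Trace = List[State]      # trace[0] is the initial state, trace[k] the state after cycle k

LIMIT = 80               # km/h, constructed ATP speed limit


@dataclass
class Transition:
    source: str
    target: str
    condition: Callable[[Trace], bool]   # Condition, sees the trace up to the current cycle
    action: Callable[[State], None]      # Action, mutates the current cycle's state


@dataclass
class Block:
    identifier: str
    state_var: str                       # variable holding the Block's current state
    initial: State
    transitions: List[Transition]

    def step(self, trace: Trace, inputs: State) -> State:
        """One cycle: copy State(k-1), read the inputs, fire the first enabled Transition."""
        cur = dict(trace[-1])
        cur.update(inputs)
        probe = trace + [cur]
        for t in self.transitions:
            if cur[self.state_var] == t.source and t.condition(probe):
                cur[self.state_var] = t.target
                t.action(cur)
                break
        return cur


# Interval expressions in the spirit of CASDL's IExpr.
def duration(pred: Callable[[State], bool], n: int, trace: Trace) -> bool:
    """pred has held in each of the last n cycles, the current one included."""
    return len(trace) >= n and all(pred(s) for s in trace[-n:])


def after(pred: Callable[[State], bool], n: int, trace: Trace) -> bool:
    """pred held exactly n cycles before the current one (n = 1 reads State(k-1))."""
    return len(trace) > n and pred(trace[-1 - n])


def check_invariant(block: Block, input_domain: Dict[str, Sequence],
                    prop: Callable[[Trace], bool], depth: int) -> Optional[Trace]:
    """Bounded model checking: breadth-first over every input sequence of up to
    `depth` cycles. Returns the shortest trace violating `prop`, or None if the
    property holds within the bound."""
    names = list(input_domain)
    frontier: List[Trace] = [[dict(block.initial)]]
    for _ in range(depth):
        nxt: List[Trace] = []
        for trace in frontier:
            for values in product(*(input_domain[n] for n in names)):
                new_trace = trace + [block.step(trace, dict(zip(names, values)))]
                if not prop(new_trace):
                    return new_trace          # counterexample
                nxt.append(new_trace)
        frontier = nxt
    return None


# --- constructed ATP overspeed requirement ---------------------------------
def overspeed(s: State) -> bool:
    return s["speed"] > LIMIT


def under_limit(s: State) -> bool:
    return s["speed"] <= LIMIT


def apply_brake(cur: State) -> None:
    cur["brake"] = True


def release_brake(cur: State) -> None:
    cur["brake"] = False


def atp_block(release_after: int) -> Block:
    """RUN -> BRAKE on overspeed; BRAKE -> RUN once speed has stayed under the
    limit for `release_after` consecutive cycles (2 is the intended rule, 1 is loose)."""
    return Block(
        identifier="ATP_Overspeed", state_var="mode",
        initial={"mode": "RUN", "speed": 0, "brake": False},
        transitions=[
            Transition("RUN", "BRAKE", lambda tr: overspeed(tr[-1]), apply_brake),
            Transition("BRAKE", "RUN", lambda tr: duration(under_limit, release_after, tr), release_brake),
        ],
    )


def brake_when_overspeed(tr: Trace) -> bool:
    """Safety property: in every cycle, overspeed implies the brake is applied."""
    return not overspeed(tr[-1]) or bool(tr[-1]["brake"])


def no_early_release(tr: Trace) -> bool:
    """The brake may be released only after speed has been under the limit for two consecutive cycles."""
    if len(tr) < 2:
        return True
    released = tr[-2]["brake"] and not tr[-1]["brake"]
    return not released or duration(under_limit, 2, tr)


if __name__ == "__main__":
    domain = {"speed": (70, 90)}           # constructed input domain, km/h
    print("strict model, brake_when_overspeed:", check_invariant(atp_block(2), domain, brake_when_overspeed, 4))
    print("strict model, no_early_release:", check_invariant(atp_block(2), domain, no_early_release, 4))
    cex = check_invariant(atp_block(1), domain, no_early_release, 4)
    print("loose model counterexample:", [(s["speed"], s["mode"], s["brake"]) for s in cex])
```

The strict model satisfies both properties within the bound. The loose model, whose release rule only demands one cycle under the limit, yields the three-state counterexample (0 km/h, RUN) → (90, BRAKE) → (70, RUN): the brake is released one cycle after an overspeed, which is exactly the kind of requirement defect the engineer is meant to read off the counterexample and fix in the requirement text.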

04

Summary

Through sustained effort in recent years, formal methods have not only advanced greatly in academia but have also found wide industrial use. Applying them requires, first, a domain-specific requirements description language that can cover all the requirement characteristics of the domain, and second, describing the requirements model in that language and providing matching algorithms to analyze and verify it. The strict demands that rail transit places on its control systems are what make the field a natural fit for formal methods. In the future, formal methods will be integrated ever more closely with industrial practice to protect industrial safety.

Main references:

[1] Guangming.com. "The 14th Five-Year Plan for National Urban Infrastructure Construction" issued [EB/OL]. (2022-08-03) [2022-08-16]. https://m.gmw.cn/baijia/2022-08/03/35929147.html

[2] Wang Xiuchao. Model Extraction and Analysis of Train Control System Requirements Documents [D]. Guiyang: Guizhou University, 2017.

[3] Wei Qun, Wang Yu. Analysis of Software Defects and Their Impact on Software Reliability [J]. Computer Applications and Software, 2011, 28(1): 145-149.

[4] Bao Danzhu. Rail Transit System Requirements Analysis and Consistency Testing [D]. Shanghai: East China Normal University, 2016.

[5] Liu Yang. Analysis and Verification of Requirement Models for Rail Transit Control Systems [D]. Shanghai: East China Normal University, 2017.

[6] Zheng Hanyue. Research on Requirements-Based Automatic Generation of Test Cases in the Field of Rail Transit Control [D]. Shanghai: East China Normal University, 2021.

[7] Huang Y, Feng J, Zheng H, et al. Prema: A Tool for Precise Requirements Editing, Modeling and Analysis [C]. 2019. DOI: 10.1109/ASE.2019.00128.


Source: blog.csdn.net/TICPSH/article/details/132165520