Testing Railway Interlockings with

1
Testing Railway Interlockings with

• N. Ioustinova, J. van de Pol, N. Goga
• Centrum voor Wiskunde en Informatica
• Amsterdam, The Netherlands

TT-Medal Review Berlin, Germany September 28, 2005
This work is done in cooperation with ProRail
2
Goal
Provide a framework for testing railway
interlockings with TTCN-3
Railway Control System
Apply the framework for testing interlocking
software for Hoorn-Kersenboogerd station
3
Infrastructure of Hoorn-Kersenboogerd
Platform 1
60
68
74
Road
66C
66B
66A
74B
69A
73B
74A
72
70A
69B
73A
52D
62A
62B
62C
70B
70C
Platform 2
64
62
tracks
signals
level crossing
two-coupled point
4
Vital Processor Interlocking (VPI)

• Vital Processor Interlocking is a hardware that
  runs
• hardware checks and
• a program
• Program defines the control cycle
• update inputs that represent state of
  infrastructure objects and logistic
• calculate the outputs
• stay idle
• set the outputs controlling the infrastructure
  objects

VPI can handle about 320 inputs/outputs VPI is
timed system
5
Development of Test Cases
standards
test suite for interlocking
on railway safety
of Hoorn-Kersenboogerd
8
10
1
3
5
7
9
11
4
2
6
6
Development of Test Cases (cont.)

• Mapping from general scenario to a particular
  scenario
• Physical objects
• Input values
• Output values

Platform 1
60
68
74
Road
66C
66B
66A
74B
69A
73B
74A
72
70A
69B
73A
52D
62A
62B
62C
70B
70C
Platform 2
64
62
7
Development of Test System
SUT
TTCN-3 Test System for
railway
interlockings
Interlocking Simulator
Interlocking Program
Special feature
time control simulated time
Simulated time solution is based on Dijkstras
distributed termination detection algorithm
8
Test Execution Normal Train Departure
Final situation train at 66B and 68 remains
yellow
Expected trace
Initial situation train on 66C
66C
66B
66A
74B
Setting the initial situation costs 21
cycles. Failure is detected in 1 cycle.
68
60
Observed trace
66C
66B
66A
74B
60
68
9
Market Relevance

• In the European railway sector, the current
  target is to increase the proportion of railway
  transportation by 100-150 within a short period
  (www.railway-technology.com)
• European integration (www.euro-interlocking.org)
  requires new standards for specification (UML)
  and testing (TTCN-3)
• TTCN-3 enables to bring together
• Vendors
• Standardization
• Certification
• Operators in EU

10
TTCN-3 for the Railway Domain

• Advantages
• Standardization a standard language to specify
  test suites for railway applications
• Reusability one test suite can be used to test
  software from different vendors
• Independency from implementation details of
  simulators for railway software
• Automation of test execution for railway domain
• Benefits
• High-quality test suites ? reliable railway
  control systems
• Reduction of costs for testing on the long run

11
Conclusions

• We translated a subset of CENELEC safety
  requirements into TTCN-3 test cases.
• TTCN-3 is suitable to specify test cases for
  railway control systems
• According to ProRail, TTCN-3 is a significant
  step towards automation and standardization of
  testing process in the railway domain
• TTCN-3 test system is extended by time
  simulation option
• We have covered whole test-process starting from
  developing test cases, proceeding with
  implementing the test system and finally
  executing tests and interpreting results
• Using this approach we found violations of
  general safety requirements

12
Dissemination

• Change request for TTCN-3 standard (TCI)
• 5th International Workshop on Formal
  Approachesto Testing of Software FATES 2005,
  July 2005, LNCS
• TTCN-3 User Conference, Sophia-Antipolis, June
  2005, outstanding presentation award
• CWI in bedrijf (CWI for industry) symposium,
  Amsterdam, October 2005
• 6th ITEA Symposium, Helsinki, October 2005
• 11th Dutch Testing Day, Twente, November 2005