iStar Goal Model to Z Formal Model Translation and Model Checking of CBTC Moving Block Interlocking System
Article No.: 6, Pages 1 - 45
Abstract
The reliability and safety of complex software systems are provided by extracting safety requirements from regulations and operational environments and later specifying these requirements precisely. At the early stage, these extracted safety requirements are informal. Typically, they cope with non-functional requirements. Analysis of early requirements using traditional methods is inadequate because these methods only focus on the WHAT dimension but do not address the WHY dimension of requirements engineering. In this article, we are using a goal-oriented modeling method called iStar to confront these issues. To ensure that the software system developed fulfills the requirements specified in the early phase, it is necessary to integrate early-phase requirements with late-phase requirements. To accomplish this task, in this article, we use the Z formal method to integrate early-phase requirements with late-phase requirements. This integration synergistically resolves the above issues. As a case study, we use the CBTC moving block interlocking system to illustrate the synergy of the iStar and Z combination on complex software systems. Finally, we verify the developed formal model against LTL safety properties using the ProZ model checking tool.
1 Introduction
To ensure that the developed complex software system meets its desired goal and precisely works as stakeholders expect, the analyst must accurately understand, describe, interpret, and purify stakeholders’ requirements. Initially, these requirements are inadequate, inconsistent, ambiguous, incomplete, and informal. Later, these requirements are translated into a concrete software system. This translation requires a clear understanding of why a software system is needed, its functional requirements to carry out its goal, and the restrictions on designing and implementing a software system. This entire process is known as Requirements Engineering [38].
Discovering and analyzing non-functional and functional requirements is not an easy task. Many of the published surveys [13, 16] showed that improper identification and analysis of requirements is the reason behind the failure of complex software systems. Many cases of informal deficient requirements assessment are shown on the website Forum on Risks to the Public in Computers and Related Systems [28]. On average, 40% of the software systems do not meet their desired requirements because of improper requirements analysis [13, 31]. Requirements faults are costly to repair at later stages. According to the NASA article “Error Cost Escalation through the Project Life Cycle” [17], a requirements fault costs more than 8 times to repair during design, more than 16 times after coding, more than 21 times after testing, and more than 29 times after deployment. In 1976, Bell and Thayer did an experiential study on requirements engineering. In this study, they stated that if our identified and analyzed requirements are incomplete, inadequate, ambiguous, or inconsistent, then it significantly affects the quality of the resultant system. Finally, they confessed that “the requirements for a system do not arise naturally; instead, they need to be engineered and have continuing review and revision” [3].
Traditional requirements analysis approaches like SADT, SART, IDEF0, MERISE, SSADM, and UML focus on the WHAT dimension of requirements engineering: what are the functional services essential to satisfying the system’s goal? In these approaches, domain knowledge is learned by communicating with stakeholders and producing specification documents. Later, this document is modeled to have a conceptual schema and confirmed against requirements. These approaches are inadequate because they make system descriptions from a single perspective. Also, do not supply reasoning among multiple alternatives and do not handle requirements conflicts. These approaches are suitable when requirements are steady and remain unchanged. In today’s environment, due to the increasing complexity of systems and advancement in technology, user requirements will vary day by day. Therefore, these approaches are unsuitable for developing complex software systems [48]. In the early 1990s, the Goal-Oriented Requirement Engineering (GORE) method was introduced to address these issues. It ensures that the software system meets its desired goals and prevents using traditional methods for requirements analysis [1, 36].
The GORE method is concerned with eliciting practical goals that encourage the development of a complex software system. The GORE method focuses on all three dimensions of requirements engineering. The WHY dimension finds the system’s goals by obtaining domain knowledge, supplying reasoning among multiple alternatives, handling requirements conflicts, and producing system descriptions from various perspectives. The WHAT dimension finds functional services and constraints needed to satisfy the goals found using the WHY dimension. The WHO dimension assigns the responsibilities for achieving the goals found using the WHY dimension to different stakeholders [1, 36, 37, 38]. In GORE methods, the main problem is structuring specifications. A goal-oriented model-based approach solves the problem of structuring specifications and supplies an abstract description of the target system. It integrates multiple views of the target system to cover all three dimensions of requirements engineering [36, 38].
The goal-oriented model-based methods introduced a clear distinction between early-phase and late-phase requirements. Early-phase requirements focus on the WHY dimension of requirements engineering. That is, they focus on modeling and analysis of the environment of the software system. Also, they illustrate how stakeholders’ needs, motivations, and complex relationships may be addressed by multiple alternatives. Usually, early-phase requirements are non-functional requirements. Non-functional means not only quality requirements. It is also concerned with why functional requirements are essential and how they provide the functional services of the system. The analyst represents early-phase requirements using a semi-formal model. Late-phase requirements focus on the WHAT dimension of requirements engineering. That is, they focus on modeling the software system with its environment. They also discover functional services and constraints essential to satisfy the goals. Usually, late-phase requirements are functional requirements. They focus on adequate, complete, consistent, unambiguous, and automated verification of functional requirements. Hence, a formal model represents these requirements. The paper by Yu [45] clearly distinguished between early-phase and late-phase requirements. It highlighted the importance of the WHY dimension of requirements engineering using the i* framework.
KAOS, AGORA, Albert II, GBRAM, NFR, and iStar goal-oriented model-based frameworks were proposed to address requirements engineering issues. Each has a different requirements analysis technique. The KAOS, AGORA, Albert II, and GBRAM frameworks focus on semi-formal and formal analysis of late-phase requirements. Several articles have witnessed it [6, 10, 14, 21, 30, 33, 40]. All these articles focus only on what a system does and how the system’s behaviors are satisfied. However, they do not address why the system requirements are needed. NFR and iStar emphasize analyzing early-phase requirements and addressing all three dimensions of requirements engineering. Analysis of early-phase requirements is essential to understand the domain, system complexity, multiple technical alternatives, business process, and strategic knowledge, as well as how the system cooperates, changes in organizational requirements, and end-user needs. The iStar framework uses NFR notations to express the rationales behind the actors and represents the system’s operational environment.
This article’s primary objectives are to provide a goal-oriented model of a complex system, translate it into a formal model, and verify the requirements specified at the early stage. To achieve these objectives, we researched several articles for choosing semi-formal and formal modeling languages. Several success stories and survey articles [11, 12, 18, 20, 42] witness the successful application of the B formal method in railway systems. For example, the “SACEM system of RER Line A in Paris” was designed using more than 100k lines of B specification code. Hence, we can use the B formal model. However, a translation of a semi-formal model into the B formal model is not an easy task. Several articles [23, 24, 33] witness mapping the UML semi-formal model notations to the B formal model. However, the UML is an object-oriented model, and this mapping only focused on functional requirements. In all the above articles, the authors’ main intention is to verify functional specifications, so they focused only on the WHAT dimension of requirements engineering. However, they did not focus on the WHY dimension of requirements engineering. They expressed late-phase requirements by a semi-formal model and later formalized them with formal specification language. Therefore, we use the iStar model in this article because it emphasizes the WHY dimension of requirements engineering.
In this article, as a case study, we use the Communication-Based Train Control (CBTC) moving block interlocking system to illustrate the synergy of the iStar and Z combination on complex software systems. We extracted functional and non-functional requirements from the IEEE 1474.1 CBTC specification document [19] and the safety-critical systems handbook [32] to develop the iStar model of the CBTC moving block interlocking system. The iStar model to Z formal model translation helps us to analyze the early-phase requirements of the CBTC moving block interlocking system. It also addresses the variability and vulnerability issues. This model translation is a one-to-one mapping of iStar model elements to the Z-schema. This mapping does not result in any data loss or changes in the meaning of iStar elements. We refine Z-schema by invariant statements and goal fulfillment criteria to formalize late-phase requirements and address vulnerability issues. Finally, we apply the ProZ model checking tool to verify the requirements specified early along with LTL safety properties.
We organize the remaining part of the article as follows: Section 2 discusses the background concepts. Section 3 encompasses the iStar model of the CBTC moving block interlocking system. Section 4 describes integrating early-phase requirements with late-phase requirements. Section 5 describes our developed formal model using the ProZ model checker. Section 6 examines several related works. In the last section, we conclude our article.
2 Background AND Concepts
Here, we review basic concepts about iStar, Z Formal Specification, ProZ model checker, and CBTC.
2.1 iStar Model
i* [44, 45, 46, 47] is an agent-oriented modeling framework invented by Eric Siu-Kwong Yu in 1995. It is a modeling language accompanied by reasoning techniques for analyzing designed models. It supports all three dimensions of requirements engineering (Why, What, and Who) and strategic dimensions (How and Else). We model a social entity as an actor (agent). The intention of an actor is known as an intentional element. An actor is responsible for fulfilling its desired goal. All intentional elements that need to achieve a goal interrelate within the boundaries of an actor. The intentional elements are a goal, a softgoal (quality), a task, a resource, and strategic dependencies [36, 45]. In 2016, the i* community released the extended version of i* called iStar 2.0. From that time onward, it has been known as iStar instead of i*. It evolved the fundamental notions of i* into a more reliable and rich set of core concepts upon which we can build our goal-oriented models [8]. Strategic Dependency (SD) and Strategic Rationale (SR) models are two essential modeling components of the iStar framework.
The SD model is used to illustrate the operational environment of the system to be at an abstract level. That is, it describes the intentionality of the activities inside the operational environment by highlighting what is essential to its dependent members while hiding additional aspects. The SD model is a bunch of dependency links between various actors. During the analysis of late-phase requirements, the SD model handles the functional requirements of actors and vulnerability issues.
The SR model is used to convey in more detail the rationales behind the actor’s dependencies. It communicates these details with the help of various nodes and links. The node may be an intentional element such as a goal, quality, task, or resource. A goal is a system objective that an actor desires to achieve. We denote a goal with an oval symbol. Quality is a soft goal (attribute) that an actor must accomplish to some extent. We denote a quality with a curved cloud-like shape. A task is an action that an actor desires to execute to achieve a goal. We denote a task with a hexagon symbol. A resource is a physical thing that offers information that an actor requires to fulfill its intent. We denote a resource with a rectangle symbol.
We use links to relate each intentional element within a boundary of an actor. A link may be a refinement, neededby, contribution, or qualification. Joining the child node to the parent node by a refinement link forms a refinement hierarchy. There are two refinement links: the decomposition link (AND link) and means-ends link (OR link). In the AND link case, the fulfillment of all child nodes makes the fulfillment of the parent node. We denote the AND link by a T-shaped arrowhead pointing toward the parent node. In the OR link case, the satisfaction of at least one child node makes the satisfaction of the parent node. We denote the OR link by a solid arrowhead pointing toward the parent node. Child nodes refine or specialize the parent node. Hence, a parent node is known as a refined node, and a child node is known as an unrefined node. We can use OR links to resolve variability issues also. The neededby link joins a task with a resource, showing that an actor wants the resource to fulfill the task. We denote the neededby link with a solid circle arrowhead pointing toward the task. Contribution links denote the effect of a goal, task, or resource on quality. There are four contribution links: make, help, hurt, and break. We denote the contribution link by a solid arrow with a label indicating the type of contribution pointing toward the quality. Quality may be fulfilled or denied. The qualification link connects a quality to its themes, such as a goal, task, or resource. We denote the qualification link by a dotted line connecting toward its theme [8, 36, 45]. During the analysis of early-phase requirements, the SR model allows the modeler to analyze the organizational environment by diagrammatically representing all the actors of the system, their goals, and their relationship with other actors. The modeler can envision the current activities inside the operational environment and assess the reasoning behind these activities.
2.2 Z Formal Specification
A specification is a depiction of a product or a system. It has been regarded as formal if expressed in formal (mathematical) notation. The formal specification describes a complex system’s safety properties without restricting how these properties are to be fulfilled. They depict what the system should achieve without expressing how it will be achieved. A formal specification uncovers a requirement’s problems. It reveals errors in the requirement’s specification, avoiding rework to correct the requirement’s problems after the system has been designed.
In 1977, a French computer scientist named Jean-Raymond Abrial invented a formal specification language called ”Z” at Oxford University. This formal language is used to specify and model software systems. It uses conventional mathematical expressions. Its grammar is mathematical, as is its semantics (predicate logic and set theory) [5, 9, 34, 41]. The Z notation is envisioned to provide a precise software system specification. These precise specifications serve as a mathematical model of a system. Hence, these Z specifications are called model-based specifications. We provide an overview of Z notation in the appendix section.
2.3 ProZ Model Checker
ProZ is a model checker and animator that extends the ProB model checker to verify Z specifications. To obtain a formal specification stated in a LaTeX file, ProZ uses the Fuzz Type Checker written by Mike Spivey [34]. The steps below demonstrate the ProZ compilation process:
(1)
The user loads the Z specification stated in a LaTeX file.
(2)
Fuzz Type Checker is used to type-check the specification.
(3)
It identifies various components of the Z specification (axiomatic constants, state, initialization, and operations).
(4)
It expands the schema definition and normalizes it.
(5)
It applies several rules to simplify expressions.
(6)
Now, it internally translates the Z specification into the B specification.
(7)
The ProB model checker processes the translated Z specification in the same way as processing the B specification.
We use ProZ as a comprehensive tool. It features a simple user interface and offers guided state-space animation. The below steps summarize its main functionalities:
(1)
It creates a sequence of operations from the system’s starting state to the state that breaches its invariant specifications.
(2)
It is possible to find an operation that violates its invariant properties by inputting a valid state.
(3)
It allows the animation of the Z specifications. A user can test scenarios starting from a state that meets the invariant properties.
(4)
It allows the user to see a history of operations that led to the present state.
(5)
It allows users to view state-space diagrams.
(6)
It supports model checking of Computation Tree Logic (CTL) and Linear Temporal Logic (LTL) assertions and symbolic and static model checking.
(7)
It allows the user to analyze the counterexample in case of a violation of invariant properties.
2.4 Communications-based Train Control System
The rapid growth of Intelligent Transport System (ITS) technologies at the beginning of the 21st century led to the ability to convey information between the track and train. It enabled the introduction of automation in a train control system. The fast growth in computer, telecommunication, and microcircuit technology has led to the advancement of Automated Train Control (ATC) systems. In ATC systems, computers fulfill all four train control functions: Automatic Train Supervision (ATS), Automatic Train Operation (ATO), Automatic Train Protection (ATP), and Communication. The ATS directs the train headway with the train timetable, the ATO controls the train’s headway and halting at red signals and stations, the ATP avoids derailments and collisions, and the communication exchanges information between the wayside entities and the train-borne entities. This automation eventually led to the launch of highly automated driverless trains. Nowadays, ATC systems are known as “Communication-Based Train Control Systems” [27, 35, 43, 49].
An urban rail aims to shift many passengers from one station to another at a short interval gap of fewer than 5 minutes. Achieving this goal is a significant challenge in the urban railway sector. Allowing faster trains on the same track requires a larger braking distance, which results in safety between trains but increases the interval gap between trains. This decreases the track capacity. Nowadays, to address this challenge, urban railway transportation uses a CBTC moving block interlocking system [35, 43]. CBTC is an automatic train control system to run frequent, rapid, safe, and comfortable trips. Figure 1 shows the modern CBTC solution for urban railway signaling and control systems.
Fig. 1.
The major components of the CBTC signaling and control system [27, 49] are Wayside CBTC, Onboard CBTC, and the ATS System. Wayside CBTC contains interlocking, wayside ATP, and ATO subsystems for supervising every zone in the railway path. Onboard CBTC includes Onboard ATP, Onboard ATO, Interactive Monitor, and Wireless Communication Unit. The onboard ATP subsystem is responsible for accumulating the needed data, such as train location, signal aspects, and temperature inside each train cabin. It regularly uploads them to the wayside ATP via radio signals. The onboard ATO subsystem oversees automated control of the traction and braking effort to preserve the train below the safety distance curve created by the wayside ATP subsystem. An interactive monitor is a vital device that supervises the urban railway traffic and the status of various wayside entities. It includes a dashboard to display signal aspects and speed codes. The main task of the ATS system is to act as a user interface between an operator and the CBTC system. ATS is responsible for managing and scheduling routes and traffic. It triggers an alarm in case of any malfunction. It controls train departure from the terminal station or wayside points. It detects train location and monitors the performance of a train against the schedule.
2.5 Moving Block Interlocking System
The responsibility of an interlocking system is to prevent trains from derailment and collisions. Modern CBTC-based interlocking systems use moving block technology rather than fixed block technology. Traditional train control systems use fixed block technology, which uses axle counters or track circuits to find a train’s presence. A drawback of fixed block systems is that a block length is fixed, and a train enters only a portion of a block if the next block is not occupied. To avoid these drawbacks and to maximize the utilization of the track, that is, run more trains on a single railway line with little train headway between them, the CBTC-based moving block interlocking concept (the train moves with its stated virtual block) was introduced. These moving block technologies use radio as a communication medium to find the presence of a train. In moving block technology, trains move too close to each other while maintaining a safe distance. The segments shown in Figure 1 are moving blocks. The moving blocks are also called virtual segments. Their length is calculated using the train braking distance. We illustrate the computation of moving block length in Section 4.3. The below steps illustrate the functional requirements of the CBTC moving block interlocking system. Figure 1 also illustrates these steps. These requirements are extracted from the IEEE 1474.1 CBTC specification document [19].
(1)
Train A finds its coarse position (a current segment occupied by the train) using a beacon. Using an onboard tachometer, it also finds its fine position (how far Train A is from the beginning of a current segment). Then it calculates its current position by adding the coarse position to the fine position (e.g., current position = Segment 4 + 500m).
(2)
Train A transmits its current position to the wayside CBTC using a wireless radio unit.
(3)
The wayside CBTC calculates the Limit of Movement Authority (LMA) for Train B using the received current position of Train A.
(4)
Train B receives an LMA through a wayside wireless radio unit.
(5)
Train B regulates its speed in accordance with the received LMA.
3 iStar Modeling of CBTC Moving Block Interlocking System
Here we present the iStar model of the CBTC moving block interlocking system. In the iStar SD model, we identified all the actors around the CBTC moving block interlocking system and described their relationship with other actors. In the iStar SR model, we described each actor’s interests and concerns and how to fulfill them. piStar [29] is an online analysis and graphical editor tool for iStar models. It enables us to create high-quality goal models. Using this tool, we designed the iStar goal model of the CBTC moving block interlocking system.
3.1 iStar Strategic Dependency Model
The SD model illustrates a chain of dependencies between diverse actors in the system. These dependencies help us to focus on the WHY dimension of requirements engineering. A depender is an actor who depends on something (dependum) to be required. A dependee is an actor who provides the dependum. The dependum may be a goal, task, quality, or resource. It tells us the type of relationship that exists between the depender and the dependee. Now the question is why the depender needs a dependum and how the dependee will provide the dependum. The answer is that the depender needs a dependum to fulfill the need of its intentional element (depender element). Similarly, the dependee will provide a dependum by fulfilling the need of its intentional element (dependee element). Hence, the dependency relationship exists between the depender element and dependee element. According to the iStar rule, the depender element must be an unrefined intentional element, so usually it is a task. The dependee element may be a task, goal, quality, or resource [8].
The requirements of the CBTC moving block interlocking system might state that before moving a train between two stations, the ATS system must schedule a route and enable it. Once a route is enabled, we must lock its sub-route (set of segments along the route) and point switches prior to permitting a train to move. To lock a sub-route, it must be vacant (not occupied by a train). Once we lock sub-routes and point switches, the wayside ATP system sends a signal to the onboard ATP system to extinguish the signal marker off position. A train starts to move after the onboard ATP system extinguishes the signal marker off position. Once a train starts to move, it communicates its current position to the wayside CBTC via radio. The train uses a beacon and onboard tachometer to detect its current position. Beacons are mounted along the track. Once a train enters the segment, the beacon notices it and informs the train. This position is called the coarse position. Now, a train uses its onboard tachometer to measure the fine position. A fine position is an offset that indicates how far a train traveled from the beginning of the segment. Now, a train computes its current position by adding a coarse position to a fine position. Once a wayside CBTC receives the train’s current position, it calculates the LMA for the train. An LMA always terminates at a ”Conflict Point” in front of the train. A conflict point is a spot on the track ahead of which a train is prohibited from moving. A conflict point is either static or dynamic. A static conflict point is an entry of a route, a buffer stop at the conclusion of a track section, or an entry to a point switch. A dynamic conflict point is always a rear of a train ahead.
Before proceeding with the refinement of the above initial requirements, we need to identify each actor, describe the relationship between them, and address why the relationship exists between actors and why one actor depends on the other. Figure 2 illustrates answers to the above questions using the iStar SD model. This model has 1 resource dependency, 5 goal dependencies, and 15 task dependencies. The actors in our iStar SD model are ‘OnboardCBTC, WaysideCBTC, SignalMan, ATPSegment, SubRouteLockManager, PointLockManager, FrameAxioms, ATS, and PointSwitch’.
Fig. 2.
Now let us see why actors ‘OnboardCBTC’, ‘ATPSegment’, and ‘WaysideCBTC’ depend on each other and how they cooperate to achieve their desired goals. An actor ‘OnboardCBTC’ and an actor ‘ATPSegment’ participate in the dependency relationship called ‘CheckSegmentStatus’. This dependency relationship is a task dependency because the dependum ‘CheckSegmentStatus’ is a task. An actor ‘OnboardCBTC’ needs a segment status, and an actor ‘ATPSegment’ provides the segment status. Now the question is why an actor ‘OnboardCBTC’ needs a segment status and how an actor ‘ATPSegment’ provides it. An actor ‘OnboardCBTC’ needs a segment status to know a train coarse position. An actor ‘ATPSegment’ provides the segment status by fulfilling the goal ‘UpdateSegmentStatus’. To fulfill the goal ‘UpdateSegmentStatus’, an actor ‘ATPSegment’ and an actor ‘OnboardCBTC’ participate in the resource dependency relationship called ‘Beacon’. To update segment status (a segment is occupied or cleared by a train), an actor ‘ATPSegment’ needs a resource ‘Beacon’. An actor ‘OnboardCBTC’ provides this status by fulfilling the goal ‘MoveAndStopTrain’. Once the train’s front head enters the segment, a resource ‘Beacon’ detects it and informs the actor ‘ATPSegment’. An actor ‘ATPSegment’ forwards a train coarse position to an actor ‘OnboardCBTC’. Similarly, an actor ‘WaysideCBTC’ and an actor ‘OnboardCBTC’ participate in the task dependency relationship called ‘ComputeTrainCurrentPosition’. An actor ‘WaysideCBTC’ needs a train current position to fulfill the goal ‘MaintainWorstCaseStoppingDistance’. An actor ‘OnboardCBTC’, provides the current position by adding a coarse position to a fine position. An actor ‘OnboardCBTC’ receives a coarse position by participating in the dependency relationship called ‘CheckSegmentStatus’ and receives a fine position through a resource ‘Tachometer’. Figure 3 shows these scenarios using the iStar hybrid SD/SR model.
Fig. 3.
3.2 iStar Strategic Rationale Model
In the iStar SD model, we described the operational environment and its embedded system on an abstract level. We have shown only the external relationships between various actors but did not show the actor’s interests or concerns. It is necessary to show reasoning about the actor’s interests or concerns, that is, how to handle these interests or how a system’s or environment’s configurations impact these interests. To illustrate this information, we developed the iStar SR model of the CBTC moving block interlocking system. Figure 4 shows the same. In the following paragraphs, we illustrate the actors in our model as well as their intentional elements.
Fig. 4.
‘PointLockManager’
— An actor ‘PointLockManager’ achieves the goal ‘ManagePointLocking’. Point switches must be either in a locked or unlocked state to fulfill this goal. A task ‘LockThePoint’ performs point locking. Similarly, the task ‘UnlockThePoint’ performs point unlocking. These two tasks are linked to a goal ‘ManagePointLocking’ by an ”OR” link. In order to lock or unlock the point switches, an actor ‘PointLockManager’ must receive instruction from the actor ‘FrameAxioms’. Therefore, they participate in a task dependency ‘ReadCommandToLock’.
‘SubRouteLockManager’
— An actor ‘SubRouteLockManager’ achieves the goal ‘ManageSubRouteLocking’. The sub-route must be either in a locked or unlocked state to fulfill this goal. A task ‘LockSubRoute’ performs sub-route locking. Similarly, the task ‘UnlockSubRoute’ performs sub-route unlocking. These two tasks are linked to a goal ‘ManageSubRouteLocking’ by an ”OR” link. We must lock a sub-route before allowing a train to move. In order to lock a sub-route, an actor ‘SubRouteLockManager’ must receive an enabled route from the actor ‘ATS’. Therefore, they participate in a goal dependency ‘UpdateEnabledRouteSegments’. To unlock the sub-route, we need to ensure that a running train eventually terminates a route and that each segment inside the sub-route is vacant. Therefore, an actor ‘SubRouteLockManager’ participates in a goal dependency ‘UpdateRunningTrainVisitedSegments’ with an actor ‘OnboardCBTC’ to verify the status of each segment within a sub-route.
‘PointSwitch’
— An actor ‘PointSwitch’ achieves the goal ‘MovePointPosition’. Point switches must be moved toward either a normal or reverse direction to fulfill this goal. A task ‘MovePointNormal’ moves the point in a normal direction. Similarly, the task ‘MovePointReverse’ moves the point in a reverse direction. These two tasks are linked to a goal ‘MovePointPosition’, by an ”OR” link. In order to move point switches, an actor ‘PointLockManager’ must receive instruction from the actor ‘FrameAxioms’. Therefore, they participate in a goal dependency ‘PointPositionStatus’.
‘FrameAxioms’
— An actor ‘FrameAxioms’ achieves the goal ‘CommandPointPosition’. Point switches are commanded for either locking or unlocking to fulfill this goal. A task ‘CommandPtPosToLockThePoint’ issues the command for locking. Similarly, the task ‘CommandPtPosToUnlockThePoint’ issues the command for unlocking. These two tasks are linked to a goal ‘CommandPointPosition’ by an ”OR” link. Before releasing the command, it must check the point switch’s status and sub-route locking status. Therefore, an actor ‘FrameAxioms’ participates in task dependencies ‘CheckPointLockStatus’ with an actor ‘PointLockManager’ to check the status of the point lock. Similarly, it participates in task dependencies ‘CheckSubRouteLockStatus’ with an actor ‘SubRouteLockManager’ to check the status of the sub-route lock.
‘ATPSegment’
— An actor ‘ATPSegment’ achieves the goal ‘UpdateSegmentStatus’. Segments are updated as either occupied or unoccupied (clear) to fulfill this goal. A task ‘SetFrontSegmentStatus’ updates the segment status as occupied. Similarly, the task ‘UnsetRearSegmentStatus’ updates the segment status as unoccupied. These two tasks are linked to a goal ‘UpdateSegmentStatus’ by an ”OR” link. It uses the resource ‘Beacon’ to check segment occupancy. Therefore, an actor ‘ATPSegment’ participates in a resource dependency ‘Beacon’ with an actor ‘OnboardCBTC’. Similarly, to unset a segment status, an actor ‘ATPSegment’ participates in a goal dependency ‘RunningTrainRearSegmentStatus’ with an actor ‘OnboardCBTC’ to check whether a train has completely passed the segment.
‘SignalMan’
— An actor ‘SignalMan’ achieves the goal ‘ExtinguishingSignal’. A signal marker is extinguished as either “OFF” or “ON” to fulfill this goal. A task ‘Extinguishing_A_MarkerOffPosition’ extinguish the signal marker as“OFF”. Similarly, the task ‘Extinguishing_A_MarkerOnPosition’ extinguishes the signal marker as“ON”. These two tasks are linked to a goal, ‘ExtinguishingSignal’, by an“OR”link. Sub-route and point switches must be locked to extinguish the signal“OFF”. Hence, an actor ‘SignalMan’ participates in a task dependency ‘CheckPointLockStatus’ with an actor ‘PointLockManager’ to check the lock status of the point. Likewise, sub-route and point switches must be unlocked to extinguish the signal“ON”. Hence, an actor ‘SignalMan’ participates in a task dependency ‘CheckPointUnlockStatus’ with an actor ‘PointLockManager’ to check the unlock status of the point switch.
‘ATS’
— An actor ‘ATS’ achieves the goal ‘ControlRoutes’. Routes are either enabled or disabled to fulfill this goal. A task ‘EnableRoute’ enables the route. This task checks that, initially, all routes are in disabled mode before enabling them. It also ensures that conflict routes are not enabled at the same time. Similarly, the task ‘DisableRoute’ disables the route. These two tasks are linked to a goal ‘ControlRoutes’ by an“OR” link. Sub-route and point switches must be unlocked to disable a route. Therefore, an actor ‘ATS’ participates in a task dependency ‘CheckSubRouteUnlockStatus’ with an actor ‘SubRouteLockManager’ to check the sub-route unlock status.
‘WaysideCBTC’
— An actor ‘WaysideCBTC’, achieves the goal ‘MaintainWorstCaseStoppingDistance’. It receives a train’s current position, computes an LMA, and sends an LMA. A task ‘ReceiveTrainCurrentPosition’ obtains a train’s current position, a task ‘ComputeLMA’ computes an LMA for the approaching train, and a task ‘SendLMA’ transmits the LMA. These tasks are linked to a goal ‘MaintainWorstCaseStoppingDistance’ by an“AND” link. It uses a resource called a ‘WirelessRadioUnit’ to receive a train’s current position and send an LMA. To receive a train’s current position, an actor ‘WaysideCBTC’ participates in task dependency ‘ComputeTrainCurrentPosition’ with an actor ‘OnboardCBTC’. An actor ‘WaysideCBTC’ is also responsible for the quality ‘SafeTransportation’. To fulfill this quality, it must accurately compute an LMA. A make contribution link denotes the fulfillment of the quality ‘SafeTransportation’. In Figure 4, we show a make contribution link from task ‘ComputeLMA’ to the quality ‘SafeTransportation’.
‘OnboardCBTC’
— An actor ‘OnboardCBTC’ achieves the goal ‘MoveAndStopTrain’. A train should move on a track and stop at the conflict point. A task ‘MoveTrain’ moves a train on the track. Similarly, the task ‘StopTrain’ stops a train at the conflict point. These two tasks are linked to a goal ‘MoveAndStopTrain’ by an“AND” link. To move a train, it needs an LMA and segment status. Therefore, an actor ‘OnboardCBTC’ depends on actors ‘WaysideCBTC’ and ‘ATPSegment’. To stop a train, it needs to clear the buffer stop at the end of a track segment and reverse the engine. To do this task, it depends on a goal dependency ‘ClearEndSegmentStatus’.
4 FormaliZation of the iStar Goal Model
As we know, iStar is well suited for analysis of early requirements, and the Z formal method is well suited for analysis of late requirements. Nowadays, to solve complex system problems, it is necessary to integrate these two different methods. This integration synergistically resolves the requirements problem. We formalize the iStar goal model into the Z formal model first and then discuss the translated Z formal model.
All iStar elements, such as actors and their intentional elements, have unique names. We use the fundamental set type ‘NAME’ to describe them in the Z notation. As a result, the names of all actors, all actors’ intentional elements, and all dependencies are included in the subsets ‘allActorNames’, ‘allElementsNames’, and ‘allDependumNames’, respectively. Figure 5 illustrates these mappings.
Fig. 5.
The Z-free type definition ‘Type’ is applied to specify the different intentional elements of the iStar. The Z-free type definition ‘State’ specifies the states of the intentional elements both prior to and after realization. The state ‘Created’ is held after the creation of an intentional element but before realization. If realization is successful, the state ‘Fulfilled’ is maintained; if realization is unsuccessful, the state ‘NotFulfilled’ is maintained. We use the states ‘Fulfilled’, ‘NotFulfilled’, and ‘Undetermined’ for the softgoal (quality) element. If a softgoal’s realization is unclear, it is said to be an ‘Undetermined’ state. To uniquely identify each intentional element defined inside the boundary of an actor, in Z we defined a state variable ‘elementType’, which is a total function between sets ‘Name’ and ‘Type’. Similar to this, state variables ‘dependumType’, ‘dependerElement’, and ‘dependeeElement’ are used to specify the type of dependency, the depender intentional element, and the dependee intentional element, respectively. The iStar rule states that the depender intentional element cannot be refined or contributed. Hence, we restricted it to a task element only. The state variable ‘childsOfParentNode’ provides a set of child-intentional elements of a specific parent element. Figure 6 illustrates these mappings.
Fig. 6.
The Z-free type definition ‘RefinementType’ is applied to provide the refinement link type of the iStar. The Z-free type definition ‘ContributionType’ is applied to specify the type of the contribution link for the iStar. It is used to signify the effects of intentional elements on softgoals. To identify the type of refinement link, in Z we defined a state variable ‘elementRefinementType’, which is a partial function between sets ‘Name’ and ‘RefinementType’. Similarly, to identify the type of contribution link, in Z we defined a state variable ‘elementContributionType’, which is a partial function between sets ‘Name’ and ‘ContributionType’. Figure 7 illustrates these mappings.
Fig. 7.
A resource is an external physical object that an actor requires to carry out a certain task. In iStar the ‘neededby’ link is used to relate a task element to a resource. Using the Z-state schema, we formalize a resource in iStar. The ‘resourceNeededBy’ state variable, which is a total function between the sets ‘Name’ and ‘Command’, is defined inside the state schema to connect a task with a resource. A command is a ‘Boolean’ set. Figure 8 illustrates these mappings.
Fig. 8.
To identify each dependency relationship in the iStar model, we defined a Z-state schema called ‘iStarSD’. Inside the ‘iStarSD’ state schema, we defined a state variable ‘dependumState’, which is a total function between sets ‘Name’ and ‘State’, which identify the state of dependencies. Figure 9 illustrates the mapping of the iStar SD model.
Fig. 9.
To identify each actor in the iStar model, we defined a Z-state schema called ‘iStarSR’. Inside the ‘iStarSR’ state schema, we defined a state variable ‘actorsState’, which is a total function between sets ‘Name’ and ‘State’, which identify the state of actors. Figure 10 illustrates the mapping of the iStar SR model.
Fig. 10.
In iStar, all intentional elements within an actor’s boundary are interrelated and usually linked hierarchically. We are therefore formalizing these intentional elements as parent and child elements. The ‘ParentElement’ is a state schema composed of state variables and invariants. Figure 11 illustrates the mapping of iStar parent intentional elements. A variable ‘parentElementName?’ is an input variable of type ‘Name’, which takes an input of type ‘Name’ from an external source. The ‘childElementNames’ is a state variable of type ‘ \(\mathbb {P}\ Name\) ’, where ‘ \(\mathbb {P}\ Name\) ’ is the set of all the subsets of type ‘Name’. A state variable ‘childElementNames’ holds the names of all child elements of a parent element. The state variable ‘childElementsState’ is of type ‘ \(Name \rightarrow State\) ’, where ‘ \(Name \rightarrow State\) ’ is a total function between sets ‘Name’ and ‘State’. The state variable ‘childElementsState’ holds the fulfillment status of each child element. The ‘resource’ is a state variable of type ‘ResourceElement’, where ‘ResourceElement’ is a state schema. A state variable ‘resource’ is used to find the fulfillment condition of a resource. State variables ‘positiveEvidence’ and ‘negativeEvidence’ are of integer type \(\mathbb {Z}\) , which are used to count the number of positive and negative evidence of quality intentional elements. A variable ‘parentElementState!’ is an output variable of type ‘State’, which outputs the value of type ‘State’ that is a parent element state to an external source. Similarly, a variable ‘childElementState!’ is an output variable of type ‘State’, which outputs the value of type ‘State’ that is a child element state to an external source.
Fig. 11.
We list the state invariants for the ‘ParentElement’ state schema in the box’s second compartment. The first invariant informs us that the input variable ‘parentElementName?’ must be a member of a set ‘allElementsNames’. The second invariant informs us that the domain part of the variable ‘childElementsState’ should be a subset of a set ‘allElementsNames’. The third invariant informs us that the state variable ‘childElementNames’ must be a subset or equal to the range part of the variable ‘childsOfParentNode’. The fourth invariant outputs the value of the type ‘State’ that is a parent element state to an external source based on conditions. If the refinement type is“AND,” then the fulfillment of all child elements makes the parent element fulfilled; if the refinement type is“OR,” then the fulfillment of any child element makes the parent element fulfilled; if the parent element type is a“Task” and it needs a resource, then it makes the parent element fulfilled; if the parent element type is“Quality” and positive evidence is higher than negative evidence, then it makes the parent element fulfilled; if positive evidence is equal to the negative evidence, then it makes the parent element undetermined; otherwise, it makes the parent element not fulfilled.
In the case of a dependency relationship, the dependum is an object. Hence, we formalize it as a state schema. Figure 12 illustrates mapping of iStar dependum elements. The following ‘Dependum’ is a state schema that is composed of state variables and state invariants. A variable ‘dependumElementName?’ is an input variable of type ‘Name’ that takes an input of type ‘Name’ from an external source. Similarly, variables ‘dependerElementName?’ and ‘dependeeElementName?’ are input variables of type ‘Name’ that take an input of type ‘Name’ from an external source. A variable ‘dependumElementState!’ is an output variable of type ‘State’ that outputs the value of type ‘State’ that is a dependum element state to an external source. Boolean variables ‘constraintsOnDependerElement’ and ‘constraintsOnDependeeElement’ are used to identify where the constraints are restricted, on the depender element or the dependee element, to fulfill the dependency relationship.
Fig. 12.
We list the state invariants for the ‘Dependum’ state schema in the box’s second compartment. The first three invariants inform us that the input variables ‘dependumElementName?’, ‘dependerElementName?’, and ‘dependeeElementName?’ must be members of the domain of state variables ‘dependumType’, ‘dependerElement’, and ‘dependeeElement’, respectively. The fourth invariant outputs the value of type ‘State’ that is a dependum element state to an external source based on conditions. The vulnerability issues arise because the depender relies on the dependee to fulfill a dependum (resource, quality, goal, or task). The dependum describes the type of dependency relationship between the depender and the dependee. If the dependee fails to achieve its assigned dependum, then the depender becomes vulnerable. Hence, we put constraints in place to handle these vulnerability issues. We treat resource and goal dependencies as critical dependencies and task dependencies as committed dependencies. If we fail to achieve critical dependency, then it is the depender of all actions to achieve a goal will fail. Similarly, if we fail to achieve a committed dependency, then it is the depender of some actions to achieve a goal will fail. If the dependum type is a“Goal,” then constraints are imposed on the dependee element; if the dependum type is a“Task,” then constraints are imposed on the depender element; if the dependum type is a“Quality,” then constraints are imposed on either the depender element or the dependee element. The fulfillment of these constraints allows the fulfillment of the dependum. In the case of resource dependency, the depender element must be a“Task” that makes use of resources provided by the dependee element.
The ‘ChildElement’ schema shown in Figure 13 is an operational schema that changes the state of the ‘ParentElement’ and ‘DependumElement’ schemas. In the first compartment of this schema box, we have three identifiers. Identifiers ‘ \(\Delta ParentElement\) ’ and ‘ \(\Delta DependumElement\) ’ indicate that a schema ‘ChildElement’ is an operational schema, and it allows us to modify the state of the ‘ParentElement’ and ‘DependumElement’ schemas. An identifier ‘childElementName?’ is an input variable of type ‘Name’ that takes an input of type ‘Name’ from an external source.
Fig. 13.
In this schema box’s second compartment, we list the pre-condition and post-condition of state variables. For our convenience, we separate them with a blank line. We use pre-conditions (input assertions) to check that operations have never been used outside of their domain. We use state invariants to check the preconditions of state variables. They must be true to update state variables. The first pre-condition says that an input variable ‘childElementName?’ must belong to the subset ‘allElementsNames’ and its name is not the same as the parent element. The second pre-condition says that the parent element should not be in a fulfilled state. If these pre-conditions are true, then only the post-conditions of state variables will be updated. The first post-condition adds the child element name to the set ‘childElementNames’. The second post-condition updates the ‘resourceNeededBy’ state variable if the child element is a “Resource” and the parent element is a “Task.” The third post-condition updates the Boolean variable ‘constraintsOnDependerElement’ if the dependency relationship is a “Task” or “Quality” and the child element is a depender element. The fourth post-condition updates the Boolean variable ‘constraintsOnDependeeElement’ if the dependency relationship is a “Goal” or “Quality” and the child element is a dependee element. The fifth post-condition updates the resource dependency if the dependency relationship is a “Resource” and the child element is a dependee element. The sixth post-condition updates the integer variable ‘positiveEvidence’ if the parent element is “Quality” and the child element contribution type is “Make” or “Help.” The seventh post-condition updates the integer variable ‘negativeEvidence’ if the parent element is a “Quality” and the child element contribution type is “Break” or “Hurt.” The eighth and ninth post-conditions update the child element fulfillment status.
The ‘Actor’ schema shown in Figure 14 is a read-only schema for the state ‘ParentElement’. It reads the status of the actor’s parent element; if the parent element status is fulfilled, then it outputs the actor’s status as fulfilled; otherwise, it outputs as not fulfilled.
Fig. 14.
The ‘Dependee’ schema shown in Figure 15 is an operational schema for the state ‘iStarSD’. It updates the status of the dependency relationship. A dependee is an actor who provides the dependum. Hence, the status of the dependency relationship of an actor is updated based on the fulfillment status of the dependee.
Fig. 15.
The ‘Depender’ schema shown in Figure 16 is an operational schema for the state ‘iStarSR’. It updates the status of the actor. A depender is an actor who needs the dependum to do some tasks. Hence, the status of an actor is updated based on the fulfillment status of the depender.
Fig. 16.
4.1 An Example of Formal Modeling of an iStar Goal Model
Here, we describe the formalization of the iStar goal model of the CBTC moving block interlocking system. The Z-schema describes all of the pertinent information associated with a state. During model translation, we mapped iStar model elements to the Z-schema. Inside the iStar model, the state variables that are used to alter the state of the system to be and environment variables of the system as is are not specified. The environment variables are global in scope, and the values inside these variables are constant. In the Z formal model, we define state and environment variables using a free-type definition and an axiomatic definition, respectively. These variables are essential for verification and analysis purposes. Hence, we include them inside the Z-schema.
Our case study’s entire Z formal specification is available in the Zenodo repository [22]. It is too vast to offer a full formal model of our case study here. Therefore, we describe a formal specification of the ‘ATS’ actor and its intentional elements are specified in Figure 17 for illustrative purposes.
Fig. 17.
4.1.1 Free-type Definition.
The state variables tell the actor what happens after accomplishing the goal. Here, we represent a type of state variable as a set. To define sets, we use a free-type definition of Z notation. Figure 18 illustrates a free-type definition for the sets ‘Train, Route, RouteStatus, RouteStatusMsg, Command, and Segments’.
Fig. 18.
4.1.2 Axiomatic Definition.
We began our formal model with the system’s static structure as a starting point. The static structure of the system as is is provided using a track layout. We use a simple track layout, illustrated in Figure 19, for modeling the CBTC moving block interlocking system. It has 4 stations, 4 switch points, and 12 segments. Here, we represent these static structures using an axiomatic definition (global declaration) of Z notation. Figure 20 illustrates an axiomatic definition of the track layout. In the first compartment of Figure 20, we declare a global variable ‘trackLayout’ as a total function between a set ‘Route’ and a sequence of ‘Segments’. In the second compartment of Figure 20, we assigned a static structure, specified in Figure 19, to the global variable ‘trackLayout’. The axiomatic description in Figure 21 specifies the names of ‘ATS’ actor intentional elements and their dependencies. The axiomatic description in Figure 22 specifies the state variables that are used to uniquely identify each intentional element of an actor ‘ATS’. The axiomatic description in Figure 23 specifies the state variables that are used to uniquely identify each dependency of an actor ‘ATS’.
Fig. 19.
Fig. 20.
Fig. 21.
Fig. 22.
Fig. 23.
4.1.3 Initialization of the State.
In the Z formal model, there must be a schema called ‘Init’. It describes the initialization of the state, and it must include precisely one schema inside the first compartment. To initialize the formal model of the CBTC moving block interlocking system, we designed a schema called ‘CBTCInterlockingSystem’. It specifies all of our model’s state schemas. Later, we created an initialization schema called ‘InitCBTCInterlockingSystem’. In the first compartment of this schema, we include the ‘CBTCInterlockingSystem’ schema as an identifier to specify all of our model’s state schemas. In the second compartment of this schema, we include initialization predicates (invariants). Figure 24 illustrates the initialization of the CBTC moving block interlocking system.
Fig. 24.
4.1.4 State Schema of an Actor ATS.
An actor’s ATS has one parent element called ‘ControlRoutes’ and two child elements called ‘EnableRoute’ and ‘DisableRoute’. The parent element is a“Goal”; hence, we map it to the Z-state schema, child elements to the Z-operational schema because they refine the parent element, and an actor ATS to the Z-read-only schema. Figure 25 illustrates the Z specification for a goal ‘ControlRoutes’.
Fig. 25.
To define that a goal ‘ControlRoutes’ is a parent element, we incorporated a ‘ParentElement’ schema within the state schema of ‘ControlRoutes’. In Figure 25, a goal ‘ControlRoutes’ is a state schema composed of state variables and invariants. An identifier ‘ParentElement’ indicates schema inclusion. We list state variables such as ‘enabledRoutes’, ‘enabledRtSegments’, ‘enabledRtTrains’, ‘controlRtSt’, and ‘routeCmd’ in the first compartment of the state schema box. The ‘enabledRoutes’ is a state variable of type \(\mathbb {F}\ Route\) , where \(\mathbb {F}\ Route\) is the set of all the finite subsets of type ‘Route’. A state variable ‘enabledRoutes’ holds routes that are currently enabled. The state variable ‘enabledRtSegments’ is a sequence of type ‘Segments’ that holds enabled route segments. The state variable ‘enabledRtTrains’ is a sequence of type ‘Train’ that holds enabled route trains. The state variable ‘controlRtSt’ is of type \(Route \nrightarrow RouteStatus\) , where \(Route \nrightarrow RouteStatus\) is a partial function between sets ‘Route’ and ‘RouteStatus’. The state variable ‘controlRtSt’ holds route status. That is, a route is set or unset. The state variable ‘routeCmd’ is of type \(Route \nrightarrow Command\) , where \(Route \nrightarrow Command\) is a partial function between sets ‘Route’ and ‘Command’. A ‘Command’ is a set of ‘Boolean’ type. The state variable ‘routeCmd’ holds a route command. That is, a route command is true or false. In Figure 25, we list the state invariants for the ‘ControlRoutes’ state schema in the box’s second compartment. The first invariant \(\rm {dom}\ controlRtSt \subseteq \rm {dom}\ trackLayout\) informs us that the domain part of the variable ‘controlRtSt’ must be a subset of or equal to the domain part of the variable ‘trackLayout’. The second invariant \(\rm {dom}\ routeCmd \subseteq \rm {dom}\ trackLayout\) informs us that the domain part of the variable ‘routeCmd’ must be a subset of or equal to the domain part of the variable ‘trackLayout’. The third invariant \(parentElementName? = ControlRoutes\) assigns the name ‘ControlRoutes’ to the input variable ‘parentElementName?’.
An actor ‘ATS’ participates in a task dependency ‘CheckSubRouteUnlockStatus’ with an actor ‘ManageSubRouteLocking’ to check the sub-route unlock status. Similarly, it participates in a goal dependency ‘UpdateEnabledRouteSegments’ to update enabled route segments with an actor ‘ManageSubRouteLocking’. We map each dependum, that is, an object of dependency, to a Z-state schema. To define that schemas ‘CheckSubRouteUnlockStatus’ and ‘UpdateEnabledRouteSegments’ are dependums, we incorporated a ‘Dependum’ schema within the state schemas of ‘CheckSubRouteUnlockStatus’ and ‘UpdateEnabledRouteSegments’. Figure 26 illustrates the Z specification for dependums ‘CheckSubRouteUnlockStatus’ and ‘ManageSubRouteLocking’.
Fig. 26.
Figure 27 illustrates the Z specification for a task ‘EnableRoute’. To define that a task ‘EnableRoute’ is a child element, we incorporated a ‘ChildElement’ schema within the operational schema of ‘EnableRoute’. In Figure 27, a task ‘EnableRoute’ is an operational schema for the state ‘ControlRoutes’. In the first compartment of this schema box, we have five identifiers, namely ‘ChildElement’, ‘ \(\Delta ControlRoutes\) ’, ‘ \(\Delta UpdateEnabledRouteSegments\) ’, ‘ \(enabledRt?\) ’, and ‘ \(routeSt!\) ’. An identifier ‘ChildElement’ indicates schema inclusion. An identifier ‘ \(\Delta ControlRoutes\) ’ indicates that a schema ‘EnableRoute’ is an operational schema, allowing us to alter the state of ‘ControlRoutes’. Similarly, an identifier ‘ \(\Delta UpdateEnabledRouteSegments\) ’ indicates that a schema ‘EnableRoute’ is an operational schema, allowing us to alter the state of ‘UpdateEnabledRouteSegments’. An identifier ‘enabledRt?’ is an input variable of type ‘Route’, which takes an input of type ‘Route’ from an external source. An identifier ‘routeSt!’ is an output variable of type ‘RouteStatusMsg’, which outputs the value of type ‘RouteStatusMsg’ to an external source.
Fig. 27.
In the second compartment of this schema box, we list the pre-condition and post-condition of state variables. For our convenience, we separate them by a blank line. Pre-conditions are input assertions that are used to check that operations are never used outside of their domain. We use state invariants to check the pre-conditions of state variables. They must be true to update state variables. The pre-conditions of state variables are listed below:
—
\(\rm {dom}\ trackLayout = \lbrace R1, R2, R3, R4, R5, R6, R7, R8\rbrace\)
—
\(controlRtSt = \lbrace R1 \mapsto Unset, R2 \mapsto Unset, R3 \mapsto Unset, R4 \mapsto Unset, R5 \mapsto Unset, R6 \mapsto Unset, R7 \mapsto Unset, R8 \mapsto Unset\rbrace\)
—
\(routeCmd = \lbrace R1 \mapsto True, R2 \mapsto True, R3 \mapsto True, R4 \mapsto True, R5 \mapsto True, R6 \mapsto True, R7 \mapsto True, R8 \mapsto True\rbrace\)
—
\(enabledRtSegments =~\emptyset\)
—
\(enabledRtTrains =~\emptyset\)
—
\(enabledRoutes =~\emptyset\)
—
\(enabledRt? = R1\)
The first invariant \(enabledRt? \in \rm {dom}\ trackLayout\) informs us that the value of the input variable ‘ \(enabledRt?\) ’ must belong to the domain part of the variable ‘trackLayout’. As we see from the pre-condition, route ‘R1’ belongs to the set domain part of the variable ‘trackLayout’. Hence, this invariant is true.
The second invariant \(enabledRt? \notin enabledRoutes\) informs us that the value of the input variable ‘ \(enabledRt?\) ’ does not belong to the set ‘enabledRoutes’. As we see from the pre-condition, route ‘R1’ does not belong to the set ‘enabledRoutes’, which is initially empty. Hence, this invariant is true.
The third invariant \((enabledRt? \mapsto Set) \notin controlRtSt \wedge (enabledRt? \mapsto True) \in routeCmd\) informs us that an ordered pair \((enabledRt? \mapsto Set)\) does not belong to the state variable ‘controlRtSt’, and an ordered pair \((enabledRt? \mapsto True)\) must belong to the state variable ‘routeCmd’. As we see from the pre-condition, an ordered pair \((R1 \mapsto Set)\) does not belong to the state variable ‘controlRtSt’. An ordered pair \((R1 \mapsto True)\) belongs to the state variable ‘routeCmd’. Hence, this invariant is true. Now all three invariants are true, so we update state variables. Figure 28 illustrates evaluating pre-conditions of a task ‘EnableRoute’ using the ProZ model checker.
Fig. 28.
The formula \(controlRtSt^{\prime } = controlRtSt \oplus \lbrace enabledRt? \mapsto Set\rbrace\) updates the state variable ‘controlRtSt’. The symbol“ \(\oplus\) ” indicates the relational overriding. It creates a new relation of all ordered pairs from ‘controlRtSt’ whose domain elements do not belong to the value of ‘ \(enabledRt?\) ’ and then adds \(\lbrace enabledRt? \mapsto Set\rbrace\) to the ‘controlRtSt’. The prime symbol“ \(^{\prime }\) ” indicates the post-condition of the state variable ‘controlRtSt’, which is the same as ‘controlRtSt’ except for the value of ‘RouteStatus’ it associates with ‘ \(enabledRt?\) ’.
The formula \(enabledRoutes^{\prime } = enabledRoutes \cup \lbrace enabledRt?\rbrace\) updates the state variable ‘enabledRoutes’; the symbol“ \(\cup\) ” indicates union. It merges the members of both the sets ‘enabledRoutes’ and ‘ \({enabledRt?}\) ’. The prime symbol“ \(^{\prime }\) ” indicates the post-condition of the state variable ‘enabledRoutes’, which is the same as ‘enabledRoutes’ except that it also contains the new entry ‘ \(enabledRt?\) ’.
The formula \(enabledRtSegments^{\prime } = enabledRtSegments \frown trackLayout (enabledRt?)\) updates the state variable ‘enabledRtSegments’. The symbol“ \(\frown\) ” indicates concatenation. It combines the sequence ‘enabledRtSegments’ and the sequence \(trackLayout(enabledRt?)\) . The prime symbol“ \(^{\prime }\) ” indicates the post-condition of the state variable ‘enabledRtSegments’, which is the same as ‘enabledRtSegments’ except that it also contains the new elements of the sequence \(trackLayout(enabledRt?)\) . Similarly, the formula \(enabledRtTrains^{\prime } = enabledRtTrains \frown trainRoutes (enabledRt?)\) updates the state variable ‘enabledRtTrains’.
The formula \(routeCmd^{\prime } =~\bigcup \lbrace \lbrace R1 \mapsto False\rbrace , \lbrace R2 \mapsto False\rbrace , \lbrace R3 \mapsto False\rbrace , \lbrace R4 \mapsto False\rbrace , \lbrace R5 \mapsto False\rbrace , \lbrace R6 \mapsto False\rbrace , \lbrace R7 \mapsto False\rbrace , \lbrace R8 \mapsto False\rbrace \rbrace\) updates the state variable ‘routeCmd’. The symbol“ \(\bigcup\) ” indicates a generalized union, which is the set that consists of all the elements that are members of at least one of the enclosed sets. The prime symbol“ \(^{\prime }\) ” indicates the post-condition of the state variable ‘routeCmd’, which is the same as ‘routeCmd’ except that the value of ‘Command’ is updated for each route.
The formula \(routeSt! = RouteSet\) assigns the state ‘RouteSet’ to the output variable ‘ \(routeSt!\) ’. The post-conditions of state variables are listed below:
—
\(\rm {dom}\ trackLayout = \lbrace R1, R2, R3, R4, R5, R6, R7, R8\rbrace\)
—
\(controlRtSt^{\prime } = \lbrace R1 \mapsto Set, R2 \mapsto Unset, R3 \mapsto Unset, R4 \mapsto Unset, R5 \mapsto Unset, R6 \mapsto Unset, R7 \mapsto Unset, R8 \mapsto Unset\rbrace\)
—
\(routeCmd^{\prime } = \lbrace R1 \mapsto False, R2 \mapsto False, R3 \mapsto False, R4 \mapsto False, R5 \mapsto False, R6 \mapsto False, R7 \mapsto False, R8 \mapsto False\rbrace\)
—
\(enabledRtSegments^{\prime } =~\langle segment1, segment2, segment3, segment4, segment5, end \rangle ~\)
—
\(enabledRtTrains =~\langle T1, T2 \rangle ~\)
—
\(enabledRoutes =~\lbrace R1\rbrace\)
—
\(enabledRt? = R1\)
—
\(routeSt! = RouteSet\)
Figure 29 illustrates the Z specification for an actor ‘ATS’. To define that an actor ‘ATS’ is a depender of the dependency ‘UpdateEnabledRouteSegments’, we incorporated a ‘Depender’ schema within the read-only schema of ‘ATS’.
Fig. 29.
In Figure 29, an actor ‘ATS’ is a read-only schema for the state ‘ControlRoutes’. In the first compartment of this schema box, we have four identifiers, namely ‘ \(Depender, \Xi ControlRoutes, route?\) , and \(routeSt!\) ’. The identifier ‘Depender’ indicates schema inclusion. The identifier ‘ \(\Xi ControlRoutes\) ’ indicates that a schema ‘ATS’ is a read-only schema, allowing us to read the state of the goal ‘ControlRoutes’. The identifier ‘ \(route?\) ’ is an input variable of type ‘Route’, which takes an input of type ‘Route’ from an external source. The identifier ‘ \(routeSt!\) ’ is an output variable of type ‘RouteStatusMsg’, which outputs the value of type ‘RouteStatusMsg’ to an external source. In the second compartment of this schema box, we read the status of a route using the invariant \((route? \mapsto Set) \in controlRtSt \Rightarrow routeSt! = RouteSet\) . It informs us if an ordered pair \((route? \mapsto Set)\) belongs to the state variable ‘controlRtSt’, and then it sets an output variable ‘ \(routeSt!\) ’ to a value ‘RouteSet’. Figure 30 illustrates the Z specification for a goal ‘ManageSubRouteLocking’.
Fig. 30.
To define that a goal ‘ManageSubRouteLocking’ is a parent element, we incorporated a ‘ParentElement’ schema within the state schema of ‘ManageSubRouteLocking’. In Figure 30, a goal ‘ManageSubRouteLocking’ is a state schema composed of state variables and invariants. An identifier ‘ParentElement’ indicates schema inclusion. We list state variables such as ‘lockedSubroutes’, ‘subRouteLockSt’, ‘enabledRtTrainsSubroutes’, ‘lockCmd’, and ‘subRoutesUnlocked’ in the first compartment of the state schema box. An identifier ‘ \(\Xi ControlRoutes\) ’ indicates that it is participating in the goal dependency ‘UpdateEnabledRouteSegments’ with a task ‘EnableRoute’ to read an enabled route segments. The ‘lockedSubroutes’ is a state variable of type seq Segments, where seq Segments is the sequence of type ‘Segments’ that holds locked sub-routes. The state variable ‘subRouteLockSt’ is of type \(Segments \rightarrow LockStatus\) , where \(Segments \rightarrow LockStatus\) is a total function between sets ‘Segments’ and ‘LockStatus’. The state variable ‘subRouteLockSt’ holds sub-routes’ lock status. The state variable ‘enabledRtTrainsSubroutes’ is of type \(Train \nrightarrow {\rm seq } Segments\) , where \(Train \nrightarrow {\rm seq } Segments\) is a partial function between sets ‘Train’ and ‘Segments’. A ‘Command’ is a set of ‘Boolean’ type. The state variable ‘lockCmd’ holds a sub-route lock command. Similarly, the state variable ‘subRoutesUnlocked’ holds a sub-route unlock command. In Figure 30, we list the state invariants for the ‘ManageSubRouteLocking’ state schema in the box’s second compartment. The first invariant \(\rm {dom}\ subRouteLockSt \subseteq Segments\) informs us that the domain part of the variable ‘subRouteLockSt’ must be a subset or equal to the set ‘Segments’. The second invariant \(parentElementName? = ManageSubRouteLocking\) assigns the name ‘ManageSubRouteLocking’ to the input variable ‘parentElementName?’.
Figure 31 illustrates the Z specification for an actor ‘SubRouteLockManager’. To define that an actor ‘SubRouteLockManager’ is a dependee of the dependency ‘UpdateEnabledRouteSegments’, we incorporated a ‘Dependee’ schema within the read-only schema of ‘SubRouteLockManager’.
Fig. 31.
In Figure 31, an actor ‘SubRouteLockManager’ is a read-only schema for the state ‘ManageSubRouteLocking’. In the first compartment of this schema box, we have four identifiers, namely ‘ \(Dependee, \Xi ManageSubRouteLocking, seg?\) , and \(subRtLockSt!\) ’. The identifier ‘Dependee’ indicates schema inclusion. The identifier ‘ \(\Xi ManageSubRouteLocking\) ’ indicates that a schema ‘SubRouteLockManager’ is a read-only schema, allowing us to read the state of the goal ‘ManageSubRouteLocking’. The identifier ‘ \(seg?\) ’ is an input variable of type ‘Segments’, which takes an input of type ‘Segments’ from an external source. The identifier ‘ \(subRtLockSt!\) ’ is an output variable of type ‘LockStatus’, which outputs the value of type ‘LockStatus’ to an external source. In the second compartment of this schema box, we read the status of a sub-route lock using the invariant \((seg? \mapsto Lock) \in subRouteLockSt \Rightarrow subRtLockSt! = Lock\) . It informs us if an ordered pair \((seg? \mapsto Lock)\) belongs to the state variable ‘subRouteLockSt’, and then it sets an output variable ‘ \(subRtLockSt!\) ’ to a value ‘LockStatus’.
4.2 Computing Limit of Movement Authority
The trains running on a railway track must be provided with an adequate distance in which they can stop to make commuter journeys comfortable and safe. Having too long of a distance decreases the track usage capacity. Too short of a distance leads to a collision. Therefore, proper computation of the LMA is essential, especially in the case of urban railway transport systems. We need signal aspects and braking distance to generate LMA [26]. A train LMA will ultimately conclude at a ‘conflict point’. A conflict point is a spot on the railway track where a train’s current authority ends. It is always at the leading train’s rear, the stop point (station endpoint), or the switch point.
Modern train control systems such as CBTC cab signaling and CBTC moving block systems use the four-aspect signal. It maximizes the track’s usage and reduces headway between trains [26, 27]. In these systems, rather than adding a fourth color, they added a second lamp to indicate different aspects using a combination of the existing three colors. Figure 32 illustrates these signal aspects. Here, we use the Green-Green signal aspect for proceeding with unrestricted speed (Clear); the Green-Yellow signal aspect for being prepared for the restricted speed at the next signal (Approach-Limited); the Green-Red signal aspect for being prepared to stop at the next signal (Approach); the Yellow-Yellow signal aspect for caution, reverse switch ahead; and the Red-Red signal aspect for stop, do not proceed.
Fig. 32.
In our formal model, we specify these signal aspects in the form of speed codes, and we define them as an axiomatic definition. We specify the Green-Green signal aspect as an UnrestrictedSpeed1 (50mph), the Green-Yellow signal aspect as an UnrestrictedSpeed2 (45mph), the Green-Red signal aspect as an UnrestrictedSpeed3 (30mph), the Yellow-Yellow signal aspect as a RestrictedSpeed (20mph), and the Red-Red signal aspect as a Stop (0mph). In CBTC-based moving block interlocking systems, a train track is divided into a series of virtual blocks known as segments. The segment length is the distance needed for the train to decelerate from Normal to Approach-Limited speed or the distance required from Approach-Limited to Stop, whichever is greater, with a margin of safety added to balance the variations in train-braking characteristics; plus, latency value has been added to reimburse the time consumed for establishing a connection to the wayside CBTC, wayside CBTC processing, and responding time by the device. Using the David Barney braking distance equation [2], we calculate the braking distance from Normal to Approach-Limited or Approach-Limited to Stop. Equation (1) illustrates this braking distance, and it is based on Newton’s motion law and kinematic equations:
\begin{equation} s = \frac{\left(v^2 - u^2 \right)}{2 \times \left(a -g \right)}, \end{equation}
(1)
where
v
is the train stoppage speed (zero speed),
u
is the train current speed when the brake was applied,
a
is the deceleration provided by the train braking system,
-g
is the acceleration due to gravity, and
s
is the braking distance.
Using Equation (1), we compute the braking distance for 50mph to 45mph (Normal to Approach-Limited) speed, by assuming acceleration due to gravity as 9.79ms \(^2\) , average gradient of the railway track on the approach side of LMA as 83.33, and acceleration as 0.3ms \(^2\) :
\begin{equation} s = \frac{\left(45 \times \left(\frac{1609}{3600}\right)\right)^2 - \left(50 \times \left(\frac{1609}{3600}\right)\right)^2}{2 \times \left(-0.3 - \left(\frac{9.79}{83.33}\right)\right)} = 113.6m. \end{equation}
(2)
Using Equation (1), we compute the braking distance for 45mph to 0mph (Approach-Limited to Stop) speed, by assuming acceleration due to gravity as 9.79ms \(^2\) , average gradient of the railway track on the approach side of LMA as 83.33, and acceleration as 0.3ms \(^2\) :
\begin{equation} s = \frac{\left(0)^2 - \left(45 \times (\frac{1609}{3600}\right)\right)^2}{2 \times \left(-0.3 - \left(\frac{9.79}{83.33}\right)\right)} = 485m. \end{equation}
(3)
Now, we compute the segment length by assuming that the latency will take almost 1 second on average. If the train’s current speed is 80km/hour (50mph), then latency is 80,000/3,600 = 22m. The safety margin is 30m, and the largest breaking distance is 485m. Therefore, \(segment length = 485+22+30 = 537m\) .
In Figure 32, we illustrate how the train approaches LMA using a four-aspect signaling system. Train A is halted in Segment 5, and Train B is approaching from Segment 1. There is a separation of three segments between them. Train B receives an LMA of Green-Green (in our model, 50mph). Hence, it proceeds at an unrestricted speed. At the entry to Segment 2, Train B receives an LMA of Green-Yellow (in our model, 45mph), indicating that it is ready for the restricted speed at the next signal. At the entry to Segment 3, Train B receives an LMA of Green-Red (in our model, 30mph), indicating that it is ready to stop at the next signal because there is a conflict point at Segment 5 (rear of Train A). At the entry to Segment 4, Train B receives an LMA of Red-Red (in our model, 0mph), indicating do not proceed/stop the train. In Figure 32, both Train A and Train B are too close to each other. This is not conceivable in the scenario of a fixed block system. Hence, CBTC makes use of a moving block system. Once Train A enters Segment 6, Train B receives an LMA of Green-Red, and both trains move one by one, maintaining a safe distance between them. If any of the segments contains a switch point to connect to the branch segment, then the train receives an LMA of Yellow-Yellow (in our model, 20mph), indicating a conflict point. That is a reverse switch ahead. The Z specification code for the LMA operation specified in Figure 32 is available in our Zenodo repository [22].
5 Model Checking
Verifying the software system against the requirements model built in the early stage is essential to ensure the correctness of the software system. We can use dynamic analysis techniques like simulation and model-based testing to ensure the system’s correctness. Neither of these techniques explores all system states nor demonstrates the absence of errors. Also, the quality of test case generation affects testing success. Formal verification is checking a system against its functional and system requirements. The system and its requirements are translated into a mathematical (formal) model. Later, the verification is performed algorithmically by searching through the model for requirements violations. Model checking is a formal verification method that automates the verification process [7]. It discovers all potential states of a system graphically. Hence, it is easy to find out the absence of errors. It produces a counterexample if any requirements are violated. A counterexample is a path that leads to a state that breaches a specified requirement. The drawback of model checking is the state-space explosion dilemma: the size of the system’s state-space grows exponentially as the number of system states grows. Innovative methods like symbolic and bounded model checking avoid this dilemma [4].
We translated the iStar goal model into the Z formal model to model-check the early requirements of our case study. To check the correctness of the translated model, we used the ProZ model checker. It algorithmically checks the model for requirements violations. If a violation of requirements is found, then it produces a counterexample. In addition, we employ the ProZ model checker to verify safety properties specified in LTL formulae against our Z formal model. We input Z specifications written in a Latex file to the ProZ model checker. After inputting a Latex file, it automatically type-checks Z specifications using the Fuzz Type Checker by Mike Spivey [34]. After type-checking, we use the ProZ model checker to execute the operations thoroughly and try to discover any erroneous state in the model. For model checking, we use the default search strategy ‘Mixed DF/BF’. It combines breadth- and depth-first search techniques to find an erroneous state in the model. Figure 33 depicts the results of the model-checking process; it processed 3,677 states by covering all operations. No error states are generated. To model check, it took 200 seconds and 169 Mbytes of memory.
Fig. 33.
5.1 Verification of LTL Properties
To verify LTL safety properties, we employ the ProZ model checker. A safety property asserts that a system is never going to be in an unsafe state. For instance, derailments and collisions are unsafe. We express the safety properties to be verified on our Z formal model with LTL formulas. These safety properties are extracted from our iStar goal model and IEEE 1474.1 CBTC specification document [19]. The LTL formulas may contain the following temporal operators; Table 1 describes the LTL safety properties that we verified”
Table 1.
| Specification 1 | A train’s speed should not exceed the block limit it received. |
| LTL Formula | \(G (\lbrace trainLMA(T1) = Green\_Green \wedge trainLMASt(T1) = On \Rightarrow trainCurrentSpeed(T1) \ge UnrestrictedSpeed2 \wedge trainCurrentSpeed(T1) \le UnrestrictedSpeed1\rbrace)\) |
| Specification 2 | To avoid a head-to-tail collision, the down train’s head and the up train’s tail cannot occupy the same position simultaneously. |
| LTL Formula | \(G (\lbrace trainLMA(T1) \ne Red\_Red \wedge trainLMA(T2) \ne Red\_Red \Rightarrow trainHeadPos(\lbrace T2 \mapsto Front\rbrace) \ne trainHeadPos(\lbrace T1 \mapsto Rear\rbrace)\rbrace)\) |
| Specification 3 | A switch point should be set in the right direction to prevent a derailment before allowing the train to resume its path. |
| LTL Formula | \(G (\lbrace trainLMA(T1) = Yellow\_Yellow \wedge trainLMASt(T1) = On \Rightarrow (pointsofSubRoute \ (trainHeadPos \ (\lbrace T1 \mapsto Front\rbrace)) \cap lockedPoints) \ne \emptyset \rbrace)\) |
| Specification 4 | Liveness requirements: if any train arrives at a route, it will finally conclude that route. |
| LTL Formula | \(G ([EnableRoute] \Rightarrow F ([DisableRoute]))\) |
| Specification 5 | A sub-route and switch points must be locked to move a train. |
| LTL Formula | \(G (\lbrace trainSignal(T1) = Green\_Green \Rightarrow (enabledRtSegments \cap lockedSubroutes) = enabledRtSegments \wedge (lockedPoints = \lbrace P1, P2, P3, P4\rbrace)\rbrace)\) |
| Specification 6 | If all sub-routes and points are unlocked, then the route must be disabled. |
| LTL Formula | \(F ((\lbrace enabledRtSegments \cap lockedSubroutes = \emptyset \wedge lockedPoints = \emptyset \rbrace \Rightarrow e(DisableRoute)))\) |
| Specification 7 | A point switch should not be locked until it receives a command to do so. |
| LTL Formula | \((\lbrace (P1 \mapsto Lock) \notin pointLockSt\rbrace U \lbrace P1 \mapsto CDN \in pointCmd \vee P1 \mapsto CDR \in pointCmd\rbrace)\) |
| Specification 8 | A point switch should be locked until it receives a command to unlock. |
| LTL Formula | \((\lbrace P1 \mapsto Lock \in pointLockSt\rbrace U \lbrace P1 \mapsto CFN \in pointCmd \vee P1 \mapsto CFR \in pointCmd\rbrace)\) |
| Specification 9 | Eventually, a train should stop only at the conflicting point. |
| LTL Formula | \(F (\lbrace trainLMA(T2) = Red\_Red \Rightarrow trainHeadPos(\lbrace T1 \mapsto Rear\rbrace) \mapsto Occupied \in updateSegSt \vee end \mapsto Occupied \in updateSegSt\rbrace)\) |
| Specification 10 | Eventually, point switches should be in concordance with each other. |
| LTL Formula | \(F (\lbrace pointCmd(P1) = pointCmd(P2) \wedge pointPosSt(P1) = pointPosSt(P2) \wedge (pointCmd(P3) = pointCmd(P4) \wedge pointPosSt(P3) = pointPosSt(P4))\rbrace)\) |
| Specification 11 | It is necessary to set point switches in the right direction and command them for locking. |
| LTL Formula | \(G ((e(LockThePoint) \Rightarrow \lbrace (pointCmd(P1) = CDR \vee pointCmd(P1) = CDN) \vee (pointCmd(P3) = CDR \vee pointCmd(P3) = CDN) \vee (pointCmd(P2) = CDR \vee pointCmd(P2) = CDN) \vee (pointCmd(P4) = CDR \vee pointCmd(P4) = CDN)\rbrace))\) |
| Specification 12 | To move a train, the signal must be extinguished (glow green light). |
| LTL Formula | \(F (e (MoveTrain1) \Rightarrow \lbrace trainSignal(runningTrain) = Green\_Green\rbrace)\) |
| Specification 13 | If a route is enabled, then all sub-routes of a route and point switches should be locked. |
| LTL Formula | \(G ([EnableRoute] \Rightarrow X \lbrace enabledRtSegments \ne \emptyset \rbrace \Rightarrow e (LockSubRoute) \Rightarrow X \lbrace lockedSubroutes \ne \emptyset \rbrace \Rightarrow e(CommandPtPosToLockThePoint) \Rightarrow X \lbrace (pointCmd(P1) = CR \vee pointCmd(P1) = CN) \vee (pointCmd(P3) = CR \vee pointCmd(P3) = CN) \vee (pointCmd(P2) = CR \vee pointCmd(P2) = CN) \vee (pointCmd(P4) = CR \vee pointCmd(P4) = CN)\rbrace \Rightarrow e (LockThePoint) \Rightarrow F \lbrace lockedPoints \ne \emptyset \rbrace)\) |
| Specification 14 | To unlock the point switch, first unlock sub-routes and then command them for unlocking. |
| LTL Formula | \(G ((e(UnlockThePoint) \Rightarrow \lbrace pointCmd(P1) = CFR \vee pointCmd(P1) = CFN \vee (pointCmd(P3) = CFR \vee pointCmd(P3) = CFN) \vee (pointCmd(P2) = CFR \vee pointCmd(P2) = CFN) \vee (pointCmd(P4) = CFR \vee pointCmd(P4) = CFN)\rbrace))\) |
| Specification 15 | Once a train enters the segment, we should mark it as occupied. |
| LTL Formula | \(G ([SetFrontSegmentStatus] \Rightarrow X \lbrace updateSegSt (trainHeadPos(\lbrace runningTrain \mapsto Front\rbrace)) = Occupied\rbrace)\) |
—
“G f”: The formula“f” is valid in all states globally.
—
“F f”: The formula“f” is finally true in some states.
—
“X f”: In the following state, the formula“f” is valid.
—
“f U g”: Until the formula“g” is true, the formula“f” is true.
—
e (op): It checks whether an operation“op” is enabled or not. It is an operator of the ProZ model checker.
Figure 34 illustrates the results of verification of the above LTL properties, where the checkmark indicates that LTL specification is successfully verified. The above safety properties are executed on a Windows 10 operating system with 16 GB of RAM and a 3.90 GHz 10th-generation Intel Core i7-1065G7 machine. The above safety properties took a total of 190.607 seconds to execute.
Fig. 34.
To test our Z formal model and the adequacy of the safety properties used on it, we write a counter-specification to derail a train. This counter-specification allows the train to continue its path while points are unlocked. However, it made our assertion false and generated a counterexample showing that point switches are locked while a train is moving. A counterexample is a method that enters a state in which the checked specifications are not satisfied. Figure 35 illustrates a counterexample for violation of counter-specification, where the history pane shows the counterexample.
Fig. 35.
Counter-specification
— Derail a train. That is, points should be unlocked while a train is moving.
LTL Formula
— G (trainLMA(T1) = Yellow_Yellow \(\wedge\) trainLMASt(T1) = On \(\Rightarrow\) (pointsofSubRoute(trainHeadPos(T1 \(\mapsto\) Front)) \(\cap\) lockedPoints) = \(\emptyset\) )
In the above LTL formula, ‘ \(trainLMA(T1) = Yellow\_Yellow\) ’ indicates that an LMA of Yellow-Yellow (20mph) is computed for train T1 because a reverse switch is ahead. The ‘ \(trainLMASt(T1) = On\) ’ indicates that train T1 successfully received an LMA. The formula ‘ \((pointsofSubRoute\) \((trainHeadPos({T1 \mapsto Front})) \cap lockedPoints) = \emptyset\) ’ indicates that a fork segment occupied by train T1 contains a switch point to connect to the branch segment, and it should be unlocked.
6 Related Works
Many researchers have tackled the problem of transforming early-phase requirements into late-phase requirements over the last few years. This section describes and compares a handful of them that are relevant to our work.
The article by Fuxman et al. [15] describes a framework for verifying early requirements using Formal Tropos. In this article, first, they integrated the semiformal model i* into the Formal Tropos. Later, they used their framework called T-Tool to verify the early requirements. As a case study, they used a course-exam management system. Formal Tropos is a language for explicitly specifying the i* model. However, they have not provided proof to guarantee that Formal Tropo’s specifications are correct. T-Tool performs verification of Formal Tropos specifications in two phases. In the first phase, it automatically translates Formal Tropos specifications into auxiliary language specifications. It then passes the auxiliary language specifications to the NuSMV model checker for verification in the second phase. While translating Formal Tropos specifications into an intermediate language specification, they did not preserve the strategic aspects of the i* model and focused only on dynamic aspects. Also, in the case of a dependency relationship, they fulfilled the dependency relationship using assertion statements but did not show how this dependency fulfillment triggers the state changes in the depender.
The article by Vilkomir et al. [39] describes a one-to-one mapping of i* notations into the Z formal model. For each of the i* elements, they provided their corresponding general structure of the Z schema. In i*, the dependency relationship exists between the depender element and the dependee element. The depender needs a dependum (a goal, task, quality, or resource) to fulfill the need of its intentional element (depender element). Similarly, the dependee will provide a dependum by fulfilling the need of its intentional element (dependee element). They did not preserve this rule in their mapping. They have not shown how the dependee will provide the dependum by fulfilling the need of its intentional element. They only gave a general schema structure for the dependum. The dependee imposes some constraints to fulfill the need of its intentional element. On fulfillment of these constraints, the dependee will release the dependum. Hence, we mapped the dependum to the invariant constraints inside the predicate part of the dependee element schema and made the dependee element an operational schema of the depender. The fulfillment of these constraints automatically triggers state changes in the depender. According to the iStar rule, the depender element must be an unrefined intentional element, so usually, it is a task. They did not preserve this rule also in their mapping. In i*, the refinement links are used to change the state of the parent node by the child node. Hence, refinement links are guard conditions (pre-conditions) that must be true for the transition. They did not map these constraints. Finally, they unverified their translated specification.
The chapter by Lapouchnian and Lespérance [25] describes a methodology for integrating i* models into ConGolog and its extended version, Cognitive Agents Specification Language (CASL). To analyze early-phase requirements represented in the i* model, they integrated the i* model into a formal multiagent system specification language called “ConGolog”. To glue the i* model with ConGolog, they introduced an intermediate notation called “annotated SR (ASR)” diagrams. ASR diagrams include all i* elements except the softgoal and dependency relationships. Because ConGolog did not support softgoal and dependency relationships, this leads to loss of information and misuse of original aspects of the i* model. With the help of their proposed mapping rules, they translated each ASR element into the ConGolog model. The translated specifications are validated using the ConGolog simulation tool. These mapping rules are similar to those we defined for transitioning from the iStar model to the Z model. For example, the goal node they mapped to the ConGolog formula represents the desired state and procedure for achieving it. We mapped the goal to the Z-state schema. They mapped the refinement links to the guard conditions, and we did the same. For a softgoal, instead of mapping, they converted it into a goal (hard goal). We mapped the iStar softgoal to the LTL formulas and verified them during model checking. To model the goal dependency relationship, they used CASL. To glue the i* model with CASL, they devised an intermediary notation known as “intentional annotated SR (iASR) diagrams”. iASR diagrams include all i* intentional elements needed to establish goal dependency relationships. They mapped the dependum to the guard condition inside the procedural part of the dependee element, and fulfillment of these conditions automatically triggers the state changes in the depender. We did the same thing for mapping goal dependency relationships. They did not give any rules for mapping other dependencies, but we gave rules for each dependency. Finally, they verified translated specifications using the CASLve theorem prover. We verified translated specifications using the ProZ model checker.
7 Conclusions
It is easy to recognize the system’s requirements regarding its services. However, it is not easy to know how system services are provided, who provides them, and why they are provided. So, answering these questions requires analysis of early requirements and integrating them with late requirements. In this article, we illustrate the necessity of blending early-phase requirements with late-phase requirements by considering a case study of the CBTC moving block interlocking system. We used a goal-oriented modeling method called iStar to address early requirements. We translated the iStar model into the Z formal model to verify that a developed system satisfies these requirements. We also exhibited the step-by-step procedure of mapping the iStar model into the Z formal model. This integration synergistically addressed all early requirements and vulnerability issues and helped us discover variability issues. A train stops only at a conflict site in the case of the CBTC’s moving block interlocking system. It is dynamic in terms of the rear of the train ahead of it. Alternatively, it is static in the case of a point switch or buffer stop at the station. Also, a point switch is mutable, which means it is active or inactive. Active means it is a conflict point, and inactive means it is not a conflict point. Addressing this kind of variability issue is essential in the case of complex systems. Finally, we employed the ProZ model checker to verify the Z formal model of the CBTC moving block interlocking system.
The ProZ model checker is an enhanced version of the ProB model checker. It automatically type-checked Z specifications specified in the LaTeX file using the Fuzz Type Checker. After type-checking, we employed the ProZ model checker to execute the operations thoroughly and try to discover any erroneous state in the model. We used a combination of breadth- and depth-first search techniques to find an erroneous state in the model. The ProZ model checker processed 3,677 states by covering all operations. No error states were found. The safety properties were specified in the form of LTL specifications. We wrote 110 invariants and 15 LTL formulas. We specified invariants within the Z-schema in the form of a predicate formula. We verified all invariants and LTL specifications, but no properties were violated. Finally, we conclude that the iStar and Z combination is a fruitful approach for specifying and verifying early-phase and late-phase requirements regarding complex software systems. Automating one-to-one mapping rules for the iStar model to Z formal model translation, efficient handling of variability issues, and model-based testing and test case generation of a formal model requires more examination and will be one of the primary goals of our future research.
Appendix
A Z Formal Notation
A.1 Z Schema
The Z schema is employed to organize all relevant information related to a system specification. The state space of a given system specification is defined through a state schema. It is made up of identifiers, an initialization, a set of operations, and predicates. Figure 36 shows a two-dimensional graphical representation of the Z schema. Variables are included in the schema signature and given a set-theoretic type. Schema predicates are formulas that relate to schema signature components. They are also called invariants. We specify the schema signature inside the declaration part (first compartment) and schema predicates inside the predicate part (second compartment) of the schema’s box.
Fig. 36.
In Z, an identifier with a suffix with \(?\) denotes an input variable, \(!\) denotes an output variable, and \(^{\prime }\) represents a variable that takes on a new value when an operation is completed. In Z, a schema name can be used as an identifier in the signature section of another schema. Prefixes denote the operations on a state schema, which are mentioned below.
—
\(\Delta\) describes an operational schema,
—
\(\Xi\) describes a read-only schema.
To specify state transitions, we need operations on Z schema. An operational schema modifies the state of a system and represents a state after the transition. A read-only schema does not change a system’s state and represents a state before transition.
A.2 Axiomatic Definition
Figure 37 exemplifies an axiomatic definition (global declaration) of Z notation, where the declaration part introduces one or more global variables and the predicate part consists of a formula that constrains the values of variables declared in the declaration part. If the predicate part is absent, then by default the formula is true.
Fig. 37.
A.3 Propositional Connectives
Model-theory semantics deals with constructs like truth, interpretation, and satisfiability. Table 2 depicts the model theory of the propositional calculus connectives and their meaning.
Table 2.
| Notation | Name | Example | Description |
|---|---|---|---|
| \(\lnot\) | Negation | \(\lnot ponitLock\) | A formula ( \(\lnot ponitLock\) ) is false if and only if ponitLock is true. |
| \(\wedge\) | Conjunction | \(ponitLock \wedge subRouteLock\) | A formula ( \(ponitLock \wedge subRouteLock\) ) is true if both ponitLock and subRouteLock are true, else it is false. |
| \(\vee\) | Disjunction | \(ponitLock \vee subRouteLock\) | A formula ( \(ponitLock \vee subRouteLock\) ) is false if both ponitLock and subRouteLock are false, else it is true. |
| \(\Rightarrow\) | Implication | \(ponitLock \Rightarrow subRouteLock\) | A formula ( \(ponitLock \Rightarrow subRouteLock\) ) is false if and only if ponitLock is true and subRouteLock is false, else it is true. |
| \(\iff\) | Bi implication | \(ponitLock \iff subRouteLock\) | A formula ( \(ponitLock \iff subRouteLock\) ) is true if both ponitLock and subRouteLock have the same truth values, else it is false. |
A.4 Quantifiers
A declarative sentence is an open statement comprising one or more variables. The open statements are also called predicates. For predicates, we cannot guess their truth values. Hence, they are not a proposition. For example, the predicate “ \(x^2 \lt 10\) ” is not a proposition but can become a proposition by adding a quantifier. For example, “There exists a positive integer x, such that \(x^2 \lt 10\) ” is a proposition, and“there exists” is a quantifier. Table 3 describes the quantifiers available in Z.
Table 3.
| Notation | Name | Example | Description |
|---|---|---|---|
| \(\exists\) | Existential quantifier | \(\exists x: \mathbb {Z} | 0 \lt x @ (x * x) \lt 10\) | There exists a positive value of x, which has a square less than 10. |
| \(\forall\) | Universal quantifier | \(\forall x: \mathbb {Z} | x \in \lbrace 1, 3, 5, 7, 9\rbrace @ x \lt 11\) | Every integer in the set {1, 3, 5, 7, 9} is less than 11. |
| \(\exists _1\) | Unique existential quantifier | \(\exists _1 x: \mathbb {Z} | 0 \lt x @ x = 10\) | There is a unique positive value of x, equal to 10. |
A.5 Sets
A set is a group of elements that satisfy some property. In Z, we can make sets by enumeration or by comprehension. In the enumeration method, the elements of the set are just enumerated. For example, a set X contains three elements, x1, x2, and x3, defined as X == {x1, x2, x3}. We may also define sets by enumeration using the free-type definition. For instance, a set X is defined as X ::= x1 | x2 | x3. The symbol == is the Z notation for the abbreviation definition, and the symbol ::= is for the free-type definition. In the comprehension method, sets are formed from other sets. For example, a set of each positive whole number is specified as \(\lbrace m: \mathbb {Z} | 0 \lt m @ m\rbrace\) .
Z is a typed language. A type in Z notation is a maximum set. Built-in type \(\mathbb {Z}\) in Z represents the set of all integers. By enclosing the basic type name in square brackets, specifiers can create any other type. For example, \([SEGMENTS]\) is a set of all track segments. There are two types of constructors in Z: the Cartesian product ( \(\times\) ) and the power set ( \(\mathbb {P}\) ). For example, suppose ROUTE and ROUTESTATUS are types; then \(ROUTE \times ROUTESTATUS\) is the type of all the ordered pairs whose first entity is drawn from ROUTE and whose second entity is drawn from ROUTESTATUS. \(\mathbb {P}\ ROUTE\) is the type of all the sets whose entities are of type ROUTE. An empty set ( \(\emptyset\) ) denotes a set with no members. Table 4 describes the propositions about the relationship between sets and their member elements, where we assume a set \(enabledRoutes == \lbrace route1, route2, route3, route4\rbrace\) and a set \(disabledRoutes == \lbrace route1, route2\rbrace\) .
Table 4.
| Notation | Name | Example | Description |
|---|---|---|---|
| \(\in\) | Membership | \(route1 \in enabledRoutes\) | The formula ( \(route1 \in enabledRoutes\) ) is true if \(route1\) belongs to set \(enabledRoutes\) . |
| \(\notin\) | Non-membership | \(route1 \notin enabledRoutes\) | The formula ( \(route1 \notin enabledRoutes\) ) is true only if \(route1\) is not a member of set \(enabledRoutes\) . |
| \(\subseteq\) | Subset | \(disabledRoutes \subseteq enabledRoutes\) | The formula ( \(disabledRoutes \subseteq enabledRoutes\) ) is true if and only if each member of set \(disabledRoutes\) is also a member of set \(enabledRoutes\) . |
| \(\subset\) | Proper subset | \(disabledRoutes \subset enabledRoutes\) | The formula ( \(disabledRoutes \subset enabledRoutes\) ) is true if and only if set disabledRoutes is not the same as set enabledRoutes and disabledRoutes is a subset of enabledRoutes. |
| \(=\) | Equality | \(disabledRoutes = enabledRoutes\) | The formula ( \(disabledRoutes = enabledRoutes\) ) is true if and only if set \(disabledRoutes\) is a subset of \(enabledRoutes\) and \(enabledRoutes\) is a subset of disabledRoutes. |
| \(\ne\) | Not equal | \(disabledRoutes \ne enabledRoutes\) | The formula ( \(disabledRoutes \ne enabledRoutes\) ) is true if and only if either set \(disabledRoutes\) is not a subset of \(enabledRoutes\) or \(enabledRoutes\) is not a subset of \(disabledRoutes\) . |
Table 5 describes the operations on sets, where we assume a set \(route1Segments == \lbrace segment1,\) \(segment2, segment3\rbrace\) , \(route2Segments == \lbrace segment3, segment4, segment5\rbrace\) , and \(route3Segments == \lbrace segment1, segment3, segment6 \rbrace\) .
Table 5.
| Notation | Name | Example | Description |
|---|---|---|---|
| \(\cup\) | Union | \(route1Segments \cup route2Segments\) \(= \lbrace segment1, segment2, segment3,\) \(segment4, segment5\rbrace\) | The formula ( \(route1Segments \cup route2Segments\) ) is the set obtained by merging all their members. |
| \(\cap\) | Intersection | \(route1Segments \cap route2Segments\) \(= \lbrace segment3\rbrace\) | The formula ( \(route1Segments \cap route2Segments\) ) is the set that consists of members that belong to both set \(route1Segments\) and set \(route2Segments\) . |
| \(\setminus\) | Set difference | \(route1Segments \setminus route2Segments\) \(= \lbrace segment1, segment2\rbrace\) | The formula ( \(route1Segments \setminus route2Segments\) ) is the set consisting of all those elements of \(route1Segments\) that are not in \(route2Segments\) . |
| \(\bigcup\) | Generalized union | \(\bigcup \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) \(= \lbrace segment1, segment2,\) \(segment3, segment4, segment5,\) \(segment6\rbrace\) | The formula \(\bigcup \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) is the set that consists of all the elements that are members of at least one of the sets \(route1Segments\) , \(route2Segments\) , or \(route3Segments\) . |
| \(\bigcap\) | Generalized intersection | \(\bigcap \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) \(= \lbrace segment3\rbrace\) | The formula \(\bigcap \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) is the set that consists of all the elements that belong to every set \(route1Segments\) , \(route2Segments\) , and \(route3Segments\) . |
A.6 Relations
A relation is a set of Cartesian pairs. The notation \(\leftrightarrow\) denotes a binary relation. If ROUTE and ROUTESTATUS are set, then \(ROUTE \leftrightarrow ROUTESTATUS\) is the set of binary relations between ROUTE and ROUTESTATUS. That is, \(ROUTE \leftrightarrow ROUTESTATUS == \mathbb {P}\ (ROUTE \times ROUTESTATUS)\) . The notation \(\mapsto\) (maplet) denotes an ordered pair of relations. For example, \((route1 \mapsto set) \in ROUTE \leftrightarrow ROUTESTATUS\) states that the ordered pair \((route1 \mapsto set)\) is a member of the relation \(ROUTE \leftrightarrow ROUTESTATUS\) . The various operations on relations are described below.
Domain (dom R)
— Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation; then the domain of R is the set of all elements of ROUTE that are related by R to at least one element in ROUTESTATUS.
\(\forall R: ROUTE \leftrightarrow ROUTESTATUS @ dom R == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \mapsto st \in R @ rt\rbrace\)
Example: Let \(R = \lbrace route1 \mapsto set, route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set\rbrace\) ; then
\(dom R = \lbrace route1, route2, route3, route4\rbrace\)
Range (ran R)
— Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation; then the range of R is the set of all elements of ROUTESTATUS to which at least one element in ROUTE is related by R.
\(\forall R: ROUTE \leftrightarrow ROUTESTATUS @ ran R == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \mapsto st \in R @ st\rbrace\)
Example: Let \(R = \lbrace route1 \mapsto set, route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set\rbrace\) ; then \(ran R = \lbrace set, unset\rbrace\)
Union ( \(\cup\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation; then we can use a union to add a new ordered pair to R. \(R^{\prime }\) indicates a new state.
Example: Let \(R = \lbrace route1 \mapsto set, route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set\rbrace\) ; then \(R^{\prime } = R \cup \lbrace route5 \mapsto set \rbrace\) .
Now, \(R^{\prime } = \lbrace route1 \mapsto set, route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace .\)
Set difference ( \(\setminus\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation; then we can use set difference to remove an ordered pair from R. \(R^{\prime }\) indicates a new state.
Example: Let \(R = \lbrace route1 \mapsto set, route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) ; then \(R^{\prime } = R \setminus \lbrace route1 \mapsto set \rbrace\) .
Now, \(R^{\prime } = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace .\)
Relational inversion ( \(R\sim\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation; then \(R\sim\) is an R with each element flipped over.
\(\forall R: ROUTE \leftrightarrow ROUTESTATUS @ R\sim == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \mapsto st \in R @ st \mapsto rt\rbrace .\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) ; then
\(R\sim = \lbrace unset \mapsto route2, unset \mapsto route3, set \mapsto route4, set \mapsto route5 \rbrace .\)
Domain restriction ( \(S \triangleleft R\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation, and \(S:\mathbb {P}\ ROUTE\) ; then \(S \triangleleft R\) creates a new restricted relation of all ordered pairs from R whose domain elements are restricted to elements in S.
\(\forall S: \mathbb {P}\ ROUTE ;R: ROUTE \leftrightarrow ROUTESTATUS @ S \triangleleft R == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \in ROUTE \wedge rt \mapsto st \in R @ rt \mapsto st\rbrace .\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(S = \lbrace route2, route3\rbrace ;\) then
\(S \triangleleft R = \lbrace route2 \mapsto unset, route3 \mapsto unset \rbrace .\)
Domain subtraction ( \(S ⩤ R\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation, and \(S:\mathbb {P}\ ROUTE\) ; then \(S ⩤ R\) creates a new anti-restricted relation of all ordered pairs from R whose domain elements are not in S.
\(\forall S: \mathbb {P}\ ROUTE ;R: ROUTE \leftrightarrow ROUTESTATUS @ S ⩤ R == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \notin ROUTE \wedge rt \mapsto st \in R @ rt \mapsto st\rbrace\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(S = \lbrace route2, route3\rbrace ;\) then
\(S ⩤ R = \lbrace route4 \mapsto set, route5 \mapsto set\rbrace .\)
Range restriction ( \(R \triangleright T\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation, and \(T:\mathbb {P}\ ROUTESTATUS\) ; then \(R \triangleright T\) creates a new restricted relation of all ordered pairs from R whose range elements are restricted to elements in T.
\(\forall R: ROUTE \leftrightarrow ROUTESTATUS; T: \mathbb {P}\ ROUTESTATUS @ R \triangleright T == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \mapsto st \in R \wedge st \in ROUTESTATUS @ rt \mapsto st\rbrace .\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(T = \lbrace set\rbrace ;\) then
\(R \triangleright T = \lbrace route4 \mapsto set, route5 \mapsto set \rbrace .\)
Range subtraction ( \(R ⩥ T\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation, and \(T:\mathbb {P}\ ROUTESTATUS\) ; then \(R ⩥ T\) creates a new anti-restricted relation of all ordered pairs from R whose range elements are not in T.
\(\forall R: ROUTE \leftrightarrow ROUTESTATUS; T: \mathbb {P}\ ROUTESTATUS @ R ⩥ T == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \mapsto st \in R \wedge st \notin ROUTESTATUS @ rt \mapsto st\rbrace .\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(T = \lbrace set\rbrace ;\) then
\(R ⩥ T = \lbrace route2 \mapsto unset, route3 \mapsto unset \rbrace .\)
Relational image ( \(R (| S |)\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a binary relation, and \(S:\mathbb {P}\ ROUTE\) ; then \(R (| S |)\) creates a new set of all those elements of the range of R to which R maps elements of S.
\(\forall S: \mathbb {P}\ ROUTE ;R: ROUTE \leftrightarrow ROUTESTATUS @ R (| S |) == \lbrace rt: ROUTE; st: ROUTESTATUS | rt \in ROUTE \wedge rt \mapsto st \in R @ st\rbrace .\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(S = \lbrace route2, route4\rbrace ;\) then
\(R (| S |) = \lbrace unset, set\rbrace\)
Relational overriding ( \(R \oplus S\) ) — Let \(R: ROUTE \leftrightarrow ROUTESTATUS\) be a relation and \(S: ROUTE \leftrightarrow ROUTESTATUS\) also be a relation of the same type; then \(R \oplus S\) first creates a new relation of all ordered pairs from R whose domain elements do not belong to the domain of S and then adds all members of S to the R.
\(\forall R, S: ROUTE \leftrightarrow ROUTESTATUS @ R \oplus S == ((dom S) ⩤ R) \cup S.\)
Example: Let \(R = \lbrace route2 \mapsto unset, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace\) , and \(S = \lbrace route2 \mapsto set\rbrace ;\) then
\(R \oplus S = \lbrace route2 \mapsto set, route3 \mapsto unset, route4 \mapsto set, route5 \mapsto set\rbrace .\)
Relational composition (R;P)— Let \(R: POINT \leftrightarrow POINTCOMMAND\) be a relation and \(P: POINTCOMMAND \leftrightarrow POINTPOSITION\) also be a relation; then R;P : \(POINT \leftrightarrow POINTPOSITION\) is a new relation created by composing relations R and P.
\(\forall R : POINT \leftrightarrow POINTCOMMAND; P: POINTCOMMAND \leftrightarrow POINTPOSITION @\) R;P \(== \lbrace pt: POINT; pc: POINTCOMMAND; ps: POINTPOSITION | pt \mapsto pc \in R \wedge pc \mapsto ps \in P @ pt \mapsto ps \rbrace .\)
Example: Let \(R = \lbrace point1 \mapsto cn, point2 \mapsto cr\rbrace\) , and \(P = \lbrace cn \mapsto normal, cr \mapsto reverse\rbrace ;\) then R;P \(= \lbrace point1 \mapsto normal, point2 \mapsto reverse\rbrace\)
A.7 Functions
A function (map or transformation) is a special kind of relation in which a unique corresponding range element exists for each domain element. In Z, functions have both set-theoretic and function characteristics. Therefore, we can apply both set operations and function applications to Z functions. For instance, let \(f: C \nrightarrow D\) be a partial function, let \(c1 \in dom f\) , and let d1 be the element of D associated with c1 by f. Then, rather than using ( \(c1 \mapsto d1) \in f\) , we can also use \(f(c1) = d1\) ; both are valid. The total and partial functions available in Z are described below:
Partial function ( \(\nrightarrow\) ) — Let \(TRAIN \nrightarrow SIGNALASPECT\) be a partial function; then there exists at most one element in SIGNALASPECT corresponding to a single element in TRAIN.
\(TRAIN \nrightarrow SIGNALASPECT == \lbrace f: TRAIN \leftrightarrow SIGNALASPECT | (\forall tn: TRAIN; s1, s2: SIGNALASPECT @ (tn \mapsto s1) \in f \wedge (tn \mapsto s2) \in f \Rightarrow s1 = s2)\rbrace .\)
Example: Let \(TRAIN == \lbrace train1, train2, train3, train4\rbrace\) and \(SIGNALASPECT == \lbrace green, red, yellow\rbrace\) ; then
\(TRAIN \nrightarrow SIGNALASPECT = \lbrace train1 \mapsto green, train2 \mapsto red\rbrace .\)
Total function ( \(\rightarrow\) ) — Let \(POINT \rightarrow POINTPOSITION\) be a total function; then for each element in POINT, there exists a corresponding unique element in POINTPOSITION.
\(POINT \rightarrow POINTPOSITION == \lbrace f: POINT \nrightarrow POINTPOSITION | dom f = POINT \rbrace .\)
Example: Let \(POINT == \lbrace point1, point2, point3, point4\rbrace\) and \(POINTPOSITION == \lbrace normal, reverse\rbrace\) ; then
\(POINT \rightarrow POINTPOSITION = \lbrace point1 \mapsto normal, point2 \mapsto reverse, point3 \mapsto reverse, point4 \mapsto normal\rbrace .\)
A.8 Sequences
In Z, a sequence is a finite function from the natural numbers to a set K, whose domain elements are natural numbers from 1 to the length of the sequence. It is denoted as seq K.
seq \(K == \lbrace g: \mathbb {N}\) ⤕ \(K |\) dom \(g = 1 ..\) # \(g\rbrace .\)
A literal sequence is a list of elements represented within angle brackets. For example, \(\langle segment1, segment2, segment3\rangle\) represents the sequence containing elements segment1, segment2, and segment3, in that order. The notation \(\langle \rangle\) is used to represent an empty sequence. The various operations on sequences are described below:
Concatenation ( \(\frown\) ) — Concatenation operation is used to merge two arbitrary sequences together.
Example: \(\langle segment3, segment2, segment1\rangle \frown \langle segment5, segment4\rangle = \langle segment3, segment2, segment1, segment5, segment4\rangle .\)
Filter operation ( \(\upharpoonright\) ) — Suppose m is a sequence and C is set. In that case, filter operation \(m \upharpoonright C\) generates the largest subsequence of m containing only those elements that occur in set C.
Example: \(\langle segment3, segment2, segment1\rangle \upharpoonright \lbrace segment2\rbrace = \langle segment2\rangle .\)
Extraction operation ( \(\upharpoonleft\) ) — Suppose m is a sequence and C is a set of positive numbers. In that case, extraction operation \(C \upharpoonleft m\) generates a sequence of elements in m whose index position is specified in C.
Example: \(\lbrace 1, 3\rbrace \upharpoonleft \langle segment3, segment2, segment1\rangle = \langle segment3, segment1\rangle .\)
Head operator (head) — The head operator gives the initial element of a given sequence.
Example: \(head \langle segment3, segment2, segment1, segment5\rangle = segment3.\)
Last operator (last) — The last operator gives the final element of a given sequence.
Example: \(last \langle segment3, segment2, segment1, segment5\rangle = segment5.\)
Front operator (front)
— The front operator gives all elements of a given sequence except the final element.
Example: \(front \langle segment3, segment2, segment1, segment5\rangle = \langle segment3, segment2, segment1 \rangle .\)
Tail operator (tail)
— The tail operator gives all elements of a given sequence except the first element.
Example: \(tail \langle segment3, segment2, segment1, segment5\rangle = \langle segment2, segment1, segment5 \rangle .\)
Reverse operator (rev)
— The rev operator reverses all elements of a given sequence.
Example: \(rev \langle segment3, segment2, segment1, segment5\rangle = \langle segment5, segment1, segment2, segment3 \rangle .\)
A.9 Arrays
In Z, arrays are modeled as a total function from a range of integers to a certain arbitrary set from which the array elements are drawn. For example, let min and max be integers that represent the two endpoints of an array of books. If a table is the name of the array, then
\(table: min..max \rightarrow Books\) .
To access an array element, we apply it to the element’s index. For example, if \(i \in min..max\) , then \(table(i)\) is the book stored at the index i in the array table. Updating an array is done by an overriding operator. For example, the following statement will replace the book in the array at position i by“Z-notation”:
\(table^{\prime } = table \oplus \lbrace i \mapsto Z-notation\rbrace .\)
References
[1]
Daniel Amyot, Sepideh Ghanavati, Jennifer Horkoff, Gunter Mussbacher, Liam Peyton, and Eric Yu. 2010. Evaluating goal models within the goal-oriented requirement language. International Journal of Intelligent Systems 25, 8 (June2010), 841–877.
[2]
David Barney, David Haley, and George Nikandros. 2001. Calculating train braking distance. In Proceedings of the 6th Australian Workshop on Safety Critical Systems and Software - Volume 3 (SCS’01). Australian Computer Society, Inc., 23–29.
[3]
Thomas E. Bell and T. A. Thayer. 1976. Software requirements: Are they really a problem? In Proceedings of the 2nd International Conference on Software Engineering (ICSE’76). IEEE Computer Society Press, Washington, DC, 61–68.
[4]
Armin Biere, Marijn Heule, and Hans van Maaren (Eds.). 2021. Handbook of Satisfiability (2nd ed.). Frontiers in Artificial Intelligence and Applications, Vol. 336. IOS Press, Amsterdam, Washington, DC.
[5]
Jonathan P. Bowen. 1996. Formal Specification and Documentation Using Z: A Case Study Approach (1st ed.). International Thomson Computer Press, London.
[6]
Jon Haël Brenas, Rachid Echahed, and Martin Strecker. 2016. Ensuring correctness of model transformations while remaining decidable. In Theoretical Aspects of Computing (ICTAC’16), Augusto Sampaio and Farn Wang (Eds.). Vol. 9965. Springer International Publishing, Cham, 315–332. Series Title: Lecture Notes in Computer Science.
[7]
Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem (Eds.). 2018. Handbook of Model Checking. Springer International Publishing, Cham.
[8]
Fabiano Dalpiaz, Xavier Franch, and Jennifer Horkoff. 2016. iStar 2.0 language guide. Version Number: 3.
[9]
Antoni Diller. 1994. Z: An Introduction to Formal Methods (2nd ed.). John Wiley & Sons.
[10]
Eric Dubois, Eric Yu, and Michaël Petit. 1998. From early to late formal requirements: A process-control case study. In Proceedings of the 9th International Workshop on Software Specification and Design. IEEE Computer Society, 34–42.
[11]
Alessio Ferrari, Alessandro Fantechi, Stefania Gnesi, and Gianluca Magnani. 2013. Model-based development and formal methods in the railway industry. IEEE Software 30, 3 (2013), 28–34.
[12]
Alessio Ferrari and Maurice H. ter Beek. 2022. Formal methods in railways: A systematic mapping study. Computing Surveys (March2022), 1–37.
[13]
Anthony Finkelstein and J. Dowell. 1996. A comedy of errors: The London ambulance service case study. In Proceedings of the 8th International Workshop on Software Specification and Design. IEEE Computer Society Press, 2–4.
[14]
Steve Jeffrey Tueno Fotso, Marc Frappier, Régine Laleau, and Amel Mammar. 2020. Modeling the hybrid ERTMS/ETCS level 3 standard using a formal requirements engineering approach. International Journal on Software Tools for Technology Transfer 22, 3 (June2020), 349–363. ISSN: 1433-2779, 1433-2787.
[15]
Ariel Fuxman, Lin Liu, John Mylopoulos, Marco Pistore, Marco Roveri, and Paolo Traverso. 2004. Specifying and analyzing early requirements in Tropos. Requirements Engineering 9, 2 (May2004), 132–150. ISSN: 0947-3602, 1432-010X.
[16]
Tracy Hall, Sarah Beecham, and Austen RainerHall. 2002. Requirements problems in twelve software companies: An empirical analysis. IEE Proceedings - Software 149, 5 (2002), 153–160.
[17]
Bill Haskins, Jonette Stecklein, Brandon Dick, Gregory Moroney, Randy Lovell, and James Dabney. 2004. Error cost escalation through the project life cycle. INCOSE International Symposium 14, 1 (June2004), 1723–1737. ISSN: 23345837.
[18]
Anne E. Haxthausen, Jan Peleska, and Sebastian Kinder. 2011. A formal approach for the construction and verification of railway control systems. Formal Aspects of Computing 23, 2 (March2011), 191–219. ISSN: 0934-5043.
[19]
IEEE. 2005. IEEE Std 1474.1-2004 (Revision of IEEE Std 1474.1-1999): IEEE Standard for Communications-based Train Control (CBTC) Performance and Functional Requirements. 1–52 pages.
[20]
Lokanna Kadakolmath and Umesh D. Ramu. 2021. A survey on formal specification and verification of smart mass transit railway interlocking system. International Journal of Safety and Security Engineering 11, 6 (Dec.2021), 671–682. ISSN: 20419031, 2041904X.
[21]
Lokanna Kadakolmath and Umesh D. Ramu. 2022. i*-based goal-oriented modeling and requirements specification of an urban railway interlocking system. Journal of Scientific Research 66, 2 (2022), 30–39. ISSN: 04479483.
[22]
Lokanna Kadakolmath and Umesh D. Ramu. 2022. Z Formal Specification of CBTC Moving Block Interlocking System.
[23]
R. Laleau and A. Mammar. 2000. An overview of a method and its support tool for generating B specifications from UML notations. In Proceedings Fifteen15 IEEE International Conference on Automated Software Engineering (ASE’00). IEEE, 269–272.
[24]
Régine Laleau and Fiona Polack. 2002. Coming and going from UML to B: A proposal to support traceability in rigorous IS development. In Formal Specification and Development in Z and B (ZB’02), Gerhard Goos, Juris Hartmanis, Jan van Leeuwen, Didier Bert, Jonathan P. Bowen, Martin C. Henson, and Ken Robinson (Eds.). Vol. 2272. Springer, Berlin, 517–534. Series Title: Lecture Notes in Computer Science.
[25]
Alexei Lapouchnian and Yves Lespérance. 2009. Using the ConGolog and CASL formal agent specification languages for the analysis, verification, and simulation of i* models. In Conceptual Modeling: Foundations and Applications, Alexander T. Borgida, Vinay K. Chaudhri, Paolo Giorgini, and Eric S. Yu (Eds.). Vol. 5600. Springer, Berlin, 483–503. Series Title: Lecture Notes in Computer Science.
[26]
L. Lindqvist and R. Jadhav. 2006. Application of communication based moving block systems on existing metro lines. In Computers in Railways X, Vol. 1. WIT Press, Prague, Czech Republic, 391–400. ISSN: 1743-3509, 1746-4498.
[27]
S. Morar. 2012. Evolution of communication based train control worldwide. In IET Professional Development Course on Railway Signalling and Control Systems (RSCS’12). IET, 218–226.
[28]
Peter G. Neumann. 1985. Forum on risks to the public in computers and related systems. In The RISKS Digest, ACM Committee on Computers and Public Policy. Retrieved January, 20, 2022, from http://catless.ncl.ac.uk/Risks/
[29]
Joāo Pimentel. 2021. piStar Tool: An Open-source, Online Goal Modeling Tool for i* 2.0. Retrieved April, 10, 2022, from https://www.cin.ufpe.br/jhcp/pistar/tool/
[30]
Christophe Ponsard, Philippe Massonet, A. Rifaut, J. F. Molderez, Axel van Lamsweerde, and Hieu Tran-Van. 2005. Early verification and validation of mission critical systems. Electronic Notes in Theoretical Computer Science 133 (May2005), 237–254. ISSN: 15710661.
[31]
Douglas T. Ross and Kenneth E. Schoman. 1977. Structured analysis for requirements definition. IEEE Transactions on Software Engineering SE-3, 1 (Jan.1977), 6–15. ISSN: 0098-5589.
[32]
David J. Smith and Kenneth G. L. Simpson. 2016. The Safety Critical Systems Handbook: A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2016 Edition) & Related Guidance: Including Machinery and Other Industrial Sectors (4th ed.). BH/Elsevier, Amsterdam, Boston.
[33]
Colin Snook and Michael Butler. 2006. UML-B: Formal modeling and design aided by UML. ACM Transactions on Software Engineering and Methodology 15, 1 (Jan.2006), 92–122. ISSN: 1049-331X, 1557-7392.
[34]
J. M. Spivey. 1989. The Z Notation: A Reference Manual. Prentice Hall, Englewood Cliffs, NJ.
[35]
Tao Tang, Shuo Liu, and Xi Wang. 2013. Study on modeling and verification of CBTC interlocking system. In 5th IET International Conference on Wireless, Mobile and Multimedia Networks (ICWMMN’13). Institution of Engineering and Technology, 350–354.
[36]
Axel van Lamsweerde. 2000. Goal-oriented requirements engineering: A guided tour. In Proceedings of the 5th IEEE International Symposium on Requirements Engineering. IEEE Computer Society, 249–262.
[37]
Axel van Lamsweerde. 2009. Reasoning about alternative requirements options. In Conceptual Modeling: Foundations and Applications: Essays in Honor of John Mylopoulos. Springer-Verlag, Berlin, 380–397.
[38]
Axel van Lamsweerde. 2009. Requirements Engineering: From System Goals to UML Models to Software Specifications. John Wiley, Chichester, England, Hoboken, NJ.
[39]
Sergiy A. Vilkomir, Aditya K. Ghose, and Aneesh Krishna. 2004. Combining agent-oriented conceptual modelling with formal methods. In 2004 Australian Software Engineering Conference Proceedings. IEEE, 147–155.
[40]
Roel Wleringa and Eric Dubois. 1998. Integrating semi-formal and formal software specification techniques. Information Systems 23, 3–4 (May1998), 159–178. ISSN: 03064379.
[41]
Jim Woodcock and Jim Davies. 1996. Using Z: Specification, Refinement, and Proof. Prentice Hall, London, New York. http://www.usingz.com/
[42]
Jim Woodcock, Peter Gorm Larsen, Juan Bicarregui, and John Fitzgerald. 2009. Formal methods: Practice and experience. ACM Computing Surveys 41, 4, Article 19 (Oct.2009), 36 pages. ISSN: 0360-0300.
[43]
Fei Yan. 2011. Studying formal methods applications in CBTC. In 2011 International Conference on Management and Service Science. IEEE, 1–3.
[44]
Eric S. Yu. 1996. Modelling Strategic Relationships for Process Reengineering. PhD Thesis. University of Toronto, Canada.
[45]
Eric S. Yu. 1997. Towards modelling and reasoning support for early-phase requirements engineering. In Proceedings of the 3rd IEEE International Symposium on Requirements Engineering (ISRE’97). IEEE Computer Society Press, Annapolis, MD, 226–235.
[46]
Eric S. Yu. 2009. Social modeling and i*. In Conceptual Modeling: Foundations and Applications, Alexander T. Borgida, Vinay K. Chaudhri, Paolo Giorgini, and Eric S. Yu (Eds.). Vol. 5600. Springer, Berlin, 99–121. Series Title: Lecture Notes in Computer Science.
[47]
Eric S. Yu, Paolo Giorgini, Neil Maiden, and John Mylopoulos (Eds.). 2011. Social Modeling for Requirements Engineering. MIT Press, Cambridge, MA.
[48]
Pamela Zave. 1990. A comparison of the major approaches to software specification and design. In Systems and Software Requirements Engineering, R. H. Thayer and Merlin Dorfman (Eds.). IEEE Computer Society Press, Tutorial, 197–199.
[49]
Li Zhu, Richard F. Yu, and Fei Wang. 2016. Introduction to communications-based train control. In Advances in Communications-based Train Control Systems, Richard F. Yu (Ed.). CRC Press.
Index Terms
- iStar Goal Model to Z Formal Model Translation and Model Checking of CBTC Moving Block Interlocking System
Recommendations
State-Based Model Checking of Event-Driven System Requirements
It is demonstrated how model checking can be used to verify safety properties for event-driven systems. SCR tabular requirements describe required system behavior in a format that is intuitive, easy to read, and scalable to large systems (e.g. the ...
Traceability and model checking to support safety requirement verification
FSE 2014: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software EngineeringEnsuring safety-critical software safety requires strict verification of the conformance between safety requirements and programs. Formal verification techniques, such as model checking and theorem proving, can be used to partially realize this ...
Elaborating Requirements Using Model Checking and Inductive Learning
The process of Requirements Engineering (RE) includes many activities, from goal elicitation to requirements specification. The aim is to develop an operational requirements specification that is guaranteed to satisfy the goals. In this paper, we ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 20 March 2024
Online AM: 27 November 2023
Accepted: 10 November 2023
Revised: 03 September 2023
Received: 24 July 2022
Published in FAC Volume 36, Issue 1
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 545Total Downloads
- Downloads (Last 12 months)545
- Downloads (Last 6 weeks)104
Reflects downloads up to 28 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in