Evaluation and Improvement of ETCS Test Cases for the Ceiling Speed Monitor

Size: px

Start display at page:

Download "Evaluation and Improvement of ETCS Test Cases for the Ceiling Speed Monitor"

Julius Ramsey
5 years ago
Views:

1 Evaluation and Improvement of ETCS Test Cases for the Ceiling Speed Monitor Jan Peleska, Cecile Braunstein, Wen-ling Huang, Felix Hübner, and Uwe Schulze

2 Background ERTMS/ETCS specification describes system test cases in SUBSET-076 These test cases have the following objectives Verify availability and correctness of essential functions Verify conformance to the standard

3 Evaluation Technique Develop a test model for the CSM Formalise SUBSET-076 CSM tests so that they can be used for test data generation and test execution in RT-Tester model-based testing environment Develop a reference specification

4 Evaluation Technique Create mutants of the reference implementation Test Suite A. Run SUBSET-076 test suite against the mutants Test Suite B. Run extended SUBSET-076 test suite against the mutants, where sub-requirements have been considered Test Suite C. Run standard RT-Tester MBT tests against the mutants (transition coverage, MC/DC coverage ) Test Suite D. Run novel equivalence class strategy against the mutants Compare the model coverage and the mutation score achieved

5 Main Results Requirements Coverage / Model Coverage

6 Main Results Mutation Score

7 Remarks Equivalence class testing method is complete with respect to a given fault domain Every correct behaviour of an SUT will be accepted (soundness) Every erroneous behaviour of the SUT will be rejected, provided that the true SUT behaviour is inside a (very large) set of pre-defined behavioural models (exhaustiveness) Experiments have shown that the equivalence class strategy also shows superior test strength for SUT behaviours outside the fault domain

8 Improvements for SUBSET-076 We can easily improve the ETCS SUBSET-076 test suite by a (not tool large) number of test cases: Add test cases for case distinctions in the guard conditions concerning overspeeding Add some boundary value test

9 CSM-Behaviour Detailed Guard Conditions dv warning (V MRSP )= min{ V MRSP, 5} if V MRSP > if V MRSP apple 110 (1) dv sbi (V MRSP )= min{ VMRSP, 10} if V MRSP > if V MRSP apple 110 (2) dv ebi (V MRSP )= min{ VMRSP, 15} if V MRSP > if V MRSP apple 110 (3)

10 dv ebi (V MRSP )= min{ VMRSP, 15} if V MRSP > if V MRSP apple 110 Admissible tolerance is constant in ranges V_mrsp in [0,110], [210,max] and increases with constant gradient in range [110,210] 15 Test Case 3 Test Case Test Case V mrsp

11 Appendix II The Ceiling Speed Monitoring Model

12 The CSM Model Three variants of speed monitoring are performed by the ETCS onboard computer (EVC European Vital Computer) 1.Ceiling speed monitoring (CSM) supervise observance of maximal speed allowed according to speed profile 2.Target speed monitoring enforce speed restrictions while train brakes to a target 3.Release speed monitoring supervises speed while train approaches end of movement authority

13 The CSM Model SysML Model structure Top-down decomposition of blocks First decomposition shows interface between test environment (TE) and system under test (SUT) Last decomposition is associated with behaviour Model behaviour is represented by means of Block operations State machines

14 The CSM Model TE-SUT Interface

15 The CSM Model TE-SUT Interface V_est: estimated speed V_mrsp: maximal speed allowed

16 The CSM Model TE-SUT Interface allowrevokeeb: release condition for emergency brake SBAvailable: configuration switch for service brake csmswitch: activation switch for CSM functionality

17 The CSM Model TE-SUT Interface DMICmd: indications on drivermachine interface

18 The CSM Model TE-SUT Interface DMICmd: indications on drivermachine interface NORMAL OVERSPEED WARNING INTERVENTION

19 The CSM Model TE-SUT Interface TICmd: Train interface commands to service brake and emergency brake

20 The CSM Model TE-SUT Interface TICmd: Train interface commands to service brake and emergency brake NO_CMD SERVICE_BRAKE_CMD EMER_BRAKE_CMD

21 The CSM Model CSM Block

22 The CSM Model CSM Behaviour

23 CSM-Behaviour Detailed Guard Conditions dv warning (V MRSP )= min{ V MRSP, 5} if V MRSP > if V MRSP apple 110 (1) dv sbi (V MRSP )= min{ VMRSP, 10} if V MRSP > if V MRSP apple 110 (2) dv ebi (V MRSP )= min{ VMRSP, 15} if V MRSP > if V MRSP apple 110 (3)

24 dv ebi (V MRSP )= min{ VMRSP, 15} if V MRSP > if V MRSP apple 110 Admissible tolerance is constant in ranges V_mrsp in [0,110], [210,max] and increases with constant gradient in range [110,210] V mrsp

25 Appendix II Complete Model-based Equivalence Class Partitioning Strategy

26 Complete Test Strategy System domain Strategy is specified on semantic level: Reactive State Transition Systems (RSTS) All concrete modelling formalisms whose semantics can be encoded as RSTS, inherit test strategy from RSTS

27 Complete Test Strategy Reactive State Transition Systems (RSTS) S = (S, s 0,R) S V! D Variable valuation functions V = I [ M [ O Input, internal, output variable symbols D = Variable domains R S S transition relation Types of input variables may be infinite

28 Complete Test Strategy Reactive State Transition Systems (RSTS) Quiescent states: accept inputs, have quiescent or transient post states Transient states: do not accept inputs, have quiescent post states Livelock free

29 Complete Test Strategy q changes outputs and internal state, deterministic q t q only inputs change Reactive State Transition Systems (RSTS)

30 Complete Test Strategy I/O equivalence Two states are I/O-equivalent if every input trace applied to these states lead to the same output trace observable in quiescent states Two systems are I/O-equivalent if their initial states are I/O equivalent s s 0 8 = ~c 1...~c n 2 D I :(s/ ) O =(s 0 / ) O

31 Complete Test Strategy I/O equivalence Two states are I/O-equivalent if every input trace applied to these states lead to the same output trace observable in quiescent states Two systems are I/O-equivalent if their initial states are I/O equivalent s s 0 8 = ~c 1...~c n 2 D I :(s/ ) O =(s 0 / ) O input trace

32 Complete Test Strategy I/O equivalence Two states are I/O-equivalent if every input trace applied to these states lead to the same output trace observable in quiescent states Two systems are I/O-equivalent if their initial states are I/O equivalent s s 0 8 = ~c 1...~c n 2 D I :(s/ ) O =(s 0 / ) O resulting quiescent state trace, restricted to outputs

33 Complete Test Strategy Input Equivalence Class Partitioning (IECP) Factorise quiescent states into I/O-equivalence classes q Factorise input space into input equivalence classes (IEC) X, such that For all inputs c of input equivalence class X For all I/O-equivalence classes q For all states s in q s/c resides in the same target I/O-equivalence class B(q,X)

34 Complete Test Strategy Input Equivalence Class Partitioning (IECP) Factorise quiescent states into I/O-equivalence classes q Factorise input space into input equivalence classes (IEC) X, such that For all inputs c of input equivalence class X For all I/O-equivalence classes q For all states s in q target state resulting from changing inputs in state s to c s/c resides in the same target I/O-equivalence class B(q,X)

35 Complete Test Strategy Fault model Reference model Conformance relation Fault domain F =(S,, D(S, m, I 2 ))

36 Complete Test Strategy CSM model as RSTS semantic representation of SysML model F =(S,, D(S, m, I 2 ))

37 Complete Test Strategy I/O-equivalence as conformance relation F =(S,, D(S, m, I 2 ))

38 Complete Test Strategy Maximal number of I/O-equivalence classes for each member of the fault domain F =(S,, D(S, m, I 2 ))

39 Complete Test Strategy A refined IECP satisfying 8X 2I,X 0 2I 0 : X \ X 0 6=? ) 9X 2 2I 2 : X 2 X \ X 0 F =(S,, D(S, m, I 2 ))

40 Complete Test Strategy IECP of CSM reference model A refined IECP satisfying 8X 2I,X 0 2I 0 : X \ X 0 6=? ) 9X 2 2I 2 : X 2 X \ X 0 F =(S,, D(S, m, I 2 ))

41 Complete Test Strategy IECP of fault domain member A refined IECP satisfying 8X 2I,X 0 2I 0 : X \ X 0 6=? ) 9X 2 2I 2 : X 2 X \ X 0 F =(S,, D(S, m, I 2 ))

42 Complete Test Strategy A refined IECP satisfying 8X 2I,X 0 2I 0 : Refined IECP X \ X 0 6=? ) 9X 2 2I 2 : X 2 X \ X 0 F =(S,, D(S, m, I 2 ))

43 If X triggers behaviour in some CSM state s, and X triggers non-conforming behaviour of RSTS representing SUT behaviour, then there exists X2 in intersection of X, X, and a member of X2 will be used in the test 8X 2I,X 0 2I 0 : X \ X 0 6=? ) 9X 2 2I 2 : X 2 X \ X 0 F =(S,, D(S, m, I 2 ))

44 Complete Test Strategy Theorem. Given any IECP, create input alphabet A by selecting one input candidate c from each IEC X. For arbitrary input trace ɩ, there exists another input trace τ in A*, such that ɩ and τ produce the same outputs, when applied to any start state s. 8 2 D I : 9 2A : 8s 2 S :# =# ^ (s/ ) O =( / ) O

45 Complete Test Strategy I/O-equivalence class factorisation and IECP induce complete DFSM abstraction of test model Extract input DFSM alphabet A from refined IECP I_2 Apply complete DFSM strategy for DFSM fault model with maximal number of states m and conformance relation DFSM-equivalence Complete DFSM strategies are, e.g., W-Method or Wp-Method Theorem. DFSM(reference model) DFSM-equivalent to DFSM(implementation) if and only if RSTS(reference model) I/O-equivalent to RSTS(implementation)

46 ~c 3,~c 4 /(3, 0) ~c 6 /(4, 2) ~c 1,~c 3,~c 4,~c 5,~c 6 /(4, 2) Warning ~c 5 /(4, 2 sb 0 ) Service Brake Intervention ~c 6 /(4, 2) Emergency Brake Intervention ~c 5 /(4, 2 sb 0 ) ~c 3,~c 4,~c 5 /(4, 2 sb 0 ) ~c 6 /(4, 2) ~c 4 /(3, 0) ~c 1,~c 2 /(0, 0) ~c 1,~c 2 /(0, 0) ~c 2 /(0, 0) Normal or Overspeed ~c 1,~c 2 /(0, 0) ~c 3 /(2, 0)

47 Test suites resulting from W-Method application ~c i V est V MRSP allowrevokeeb X i specified by ~c X 1 0 <V est apple V MRSP ^ allowrevokeeb =0 ~c X 2 V est =0_ (V est apple V MRSP ^ allowrevokeeb = 1) ~c X 3 V MRSP <V est apple V MRSP + dv warning (V MRSP ) ~c X 4 V MRSP + dv warning (V MRSP ) <V est apple V MRSP + dv sbi (V MRSP ) ~c X 5 V MRSP + dv sbi (V MRSP ) <V est apple V MRSP + dv ebi (V MRSP ) ~c X 6 V MRSP + dv ebi (V MRSP ) <V est Coarsest IECP EST SUITE sb0 =1 = {~c i.~c j.~c k.~c 3 i, j, k =1,...,6}[ {~c j.~c i.~c k.~c h.~c 3 h, i, k =1,...,6, j =4,...,6} EST SUITE sb0 =0 = {~c i.~c j.~c h.~c g h, i, j =1,...,6, g =1, 3}[ {~c j.~c i.~c k.~c h.~c g h, i, k =1,...,6, j =4,...,6, g =1, 3}

A SysML Test Model and Test Suite for the ETCS Ceiling Speed Monitor Technical report, Work Package 4

Downloaded from orbit.dtu.dk on: Dec 25, 2018 A SysML Test Model and Test Suite for the ETCS Ceiling Speed Monitor Technical report, Work Package 4 Braunstein, Cécile; Peleska, Jan; Schulze, Uwe; Hübner,