Testing Safety-critical Discrete- State Systems Mathematical Foundations and Concrete Algorithms

Similar documents
Industrial Verification of Avionic, Automotive, and Railway Systems Practical Applications and Theoretical Foundations

Complete Model-based Testing in Practise

Semantic Families for Cyber-physical Systems

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Test Automation. Foundations and Applications of Model-based Testing

Evaluation and Improvement of ETCS Test Cases for the Ceiling Speed Monitor

TESTING is one of the most important parts of the

Specialised Test Strategies

Industrial-Strength Model-Based Testing - State of the Art and Current Challenges

Testing from a Finite State Machine: An introduction 1

Comparing State Machines: Equivalence and Refinement

CSE 105 THEORY OF COMPUTATION. Spring 2018 review class

Automata and Languages

Lecture Notes On THEORY OF COMPUTATION MODULE -1 UNIT - 2

Testing Distributed Systems

Embedded systems specification and design

CSE 105 THEORY OF COMPUTATION

A SysML Test Model and Test Suite for the ETCS Ceiling Speed Monitor Technical report, Work Package 4

Safety Analysis Using Petri Nets

Course Runtime Verification

Abstractions and Decision Procedures for Effective Software Model Checking

Finite State Machines 2

Complete Model-Based Equivalence Class Testing for the ETCS Ceiling Speed Monitor

FINITE STATE MACHINES (AUTOMATA)

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Using a Minimal Number of Resets when Testing from a Finite State Machine

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

An integration testing method that is proved to find all faults

Alan Bundy. Automated Reasoning LTL Model Checking

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016

Finite Automata and Regular Languages (part III)

Overview. 1 Lecture 1: Introduction. 2 Lecture 2: Message Sequence Charts. Joost-Pieter Katoen Theoretical Foundations of the UML 1/32

The State Explosion Problem

HELLA AGLAIA MOBILE VISION GMBH

Testing for Refinement in CSP

DIAGNOSING MULTIPLE FAULTS IN COMMUNICATING FINITE STATE MACHINES

(Refer Slide Time: 0:21)

PSL Model Checking and Run-time Verification via Testers

Introduction to the Theory of Computation. Automata 1VO + 1PS. Lecturer: Dr. Ana Sokolova.


Automata & languages. A primer on the Theory of Computation. Laurent Vanbever. ETH Zürich (D-ITET) September,

DISTINGUISHABILITY RELATIONS BETWEEN INITIALIZED NONDETERMINISTIC FSMs. Nina Yevtushenko Tomsk State University, Russia April, 12, 2011

Inf2A: Converting from NFAs to DFAs and Closure Properties

Outline. Nondetermistic Finite Automata. Transition diagrams. A finite automaton is a 5-tuple (Q, Σ,δ,q 0,F)

Finite-State Machines (Automata) lecture 12

Homing and Synchronizing Sequences

Recap DFA,NFA, DTM. Slides by Prof. Debasis Mitra, FIT.

Timo Latvala. March 7, 2004

Automata and Languages

Advanced Automata Theory 7 Automatic Functions

UNIT-III REGULAR LANGUAGES

Lecture 05: High-Level Design with SysML. An Introduction to SysML. Where are we? What is a model? The Unified Modeling Language (UML)

Probabilistic testing coverage

The Pumping Lemma. for all n 0, u 1 v n u 2 L (i.e. u 1 u 2 L, u 1 vu 2 L [but we knew that anyway], u 1 vvu 2 L, u 1 vvvu 2 L, etc.

Nondeterministic Finite Automata

Deterministic Finite Automata

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

CS243, Logic and Computation Nondeterministic finite automata

CMPSCI 250: Introduction to Computation. Lecture #22: From λ-nfa s to NFA s to DFA s David Mix Barrington 22 April 2013

Peter Wood. Department of Computer Science and Information Systems Birkbeck, University of London Automata and Formal Languages

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

Understanding Process Semantics

Industrial Automation (Automação de Processos Industriais)

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

Rheological Testing Equipment for Polymers

(b) If G=({S}, {a}, {S SS}, S) find the language generated by G. [8+8] 2. Convert the following grammar to Greibach Normal Form G = ({A1, A2, A3},

CMSC 330: Organization of Programming Languages

EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo

Uses of finite automata

On Properties and State Complexity of Deterministic State-Partition Automata

Let us first give some intuitive idea about a state of a system and state transitions before describing finite automata.

Computational Models #1

6.045J/18.400J: Automata, Computability and Complexity Final Exam. There are two sheets of scratch paper at the end of this exam.

CS 530: Theory of Computation Based on Sipser (second edition): Notes on regular languages(version 1.1)

A General Testability Theory: Classes, properties, complexity, and testing reductions

Duality in Probabilistic Automata

Introduction to the Theory of Computation. Automata 1VO + 1PS. Lecturer: Dr. Ana Sokolova.

COSE312: Compilers. Lecture 2 Lexical Analysis (1)

Theory of Computation

Lecture Notes on Inductive Definitions

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018

Further discussion of Turing machines

3 Probabilistic Turing Machines

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Hashing Techniques For Finite Automata

Mixed Criticality in Safety-Critical Systems. LS 12, TU Dortmund

Erly Marsh - a Model-Based Testing tool. Johan Blom, PhD

CISC 4090: Theory of Computation Chapter 1 Regular Languages. Section 1.1: Finite Automata. What is a computer? Finite automata

acs-04: Regular Languages Regular Languages Andreas Karwath & Malte Helmert Informatik Theorie II (A) WS2009/10

Lecture Notes on Inductive Definitions

PDF hosted at the Radboud Repository of the Radboud University Nijmegen

Formal Specification and Verification. Specifications

Exam Computability and Complexity

Theory of Computation p.1/?? Theory of Computation p.2/?? Unknown: Implicitly a Boolean variable: true if a word is

Finite Automata and Regular languages

Classes and conversions

Peled, Vardi, & Yannakakis: Black Box Checking

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018

Introduction to Formal Languages, Automata and Computability p.1/51

Transcription:

Testing Safety-critical Discrete- State Systems Mathematical Foundations and Concrete Algorithms Wen-ling Huang and Jan Peleska University of Bremen {huang,jp}@cs.uni-bremen.de

Background My research group at the University of Bremen Specialised on verification of safety-critical control systems Focus on test automation Collaboration with Prof. Dr. habil. Wen-ling Huang in this field

Background Verified Systems International GmbH Founded 1998 as a spinoff company from the University of Bremen Specialised on verification and validation of safety-critical systems aerospace, railways, automotive Tool development, hardware-in-the-loop test bench development, and service provision Main customers Airbus, Siemens 25 employees

Hardware-in-the-Loop Test Benches For testing integrated HW/SW systems System Under Test

An Observation... Many maths and computer science students in their first semesters seem to think that complex theory and difficult algorithms are only needed to pass exams... This is not true! Many of the most important innovations and products are based on highly complex mathematical foundations and on sophisticated software algorithms

Safety-critical systems Examples

Safety-critical Systems A... safety-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes: death or serious injury to people loss or severe damage to equipment/property environmental harm Definition taken from https://en.wikipedia.org/wiki/life-critical_system

Safety-critical Systems Examples Airbag controller

Safety-critical Systems Examples Airbag Aircraft controller thrust reversal

Safety-critical Systems Examples Airbag Aircraft Train speed controller thrust reversal supervision

Verification Requirements of International Standards

Verification Requirements of International Standards Safety-critical systems development and verification is controlled by laws These laws state that development and verification must follow the rules specified in applicable standards, such as Avionic domain: RTCA DO-178C Railway domain: CENELEC EN50128:2011 Automotive domain: ISO 26262

Verification Requirements of International Standards Safety-critical systems development and verification is controlled by laws These Avionic laws state System. that development A control and verification must follow computer the rules in an specified aircraftin applicable standards, such as Avionic domain: RTCA DO-178C Railway domain: CENELEC EN50128:2011 Automotive domain: ISO 26262

Verification Requirements of International Standards These standards differ in many details, but they contain some basic requirements Development must be based on requirements Every piece of software code and every hardware component must be traced back to at least one requirement

For the most critical applications, requirements should be expressed by formal models with mathematical interpretation Syntax and static model semantics: is the model well-formed? Behavioural model semantics: how does the model state, including inputs and outputs, change over time? Requirements (models) must be verified

Code must be verified Does it implement the related requirements correctly? Verification is preferably performed by testing the software integrated in the controller s hardware Verification results need to be checked with respect to completeness and correctness Tools automating development or verification steps need to be qualified

Motivation Safety-critical systems can be developed by starting with a model of the required system behaviour The developed system can then be tested against the model Input data to be exercised on the system under test (SUT) can be derived from the model The behaviour of the SUT can be compared to the expected behaviour specified in the model https://zh.wikipedia.org/wiki/ #.E9.81.8B.E8.BC.B8

Motivation Testing theories Define methods to generate test cases from models Test case. Sequence of input data + expected outputs to produced by the SUT when receiving these inputs Specify which correctness properties are fulfilled if all test cases are passed by the SUT For safety-critical systems, the test strength (= the capability to uncover certain types of errors) of a testing theory must be proven

Example: Model of a brake controller in a train Controller receives commands to activate brakes From train engine driver: man_on, man_off From a speed supervision computer: auto_on, auto_off Controller activates brakes by outputs trigger and release man_on, auto_on man_off, auto_off trigger release

Requirements for the brake controller 1. When brakes are not activated, they can be triggered manually (man_on) or by the speed supervision computer (auto_on) 2. When brakes have been activated manually (man_on), they can only be released manually (man_off) 3. When brakes have been activated via speed supervision computer (auto_on), they can be only released via command auto_off from the computer 4. When the supervision computer sends auto_on while already braking, the brakes can only be released by auto_off

Finite State Machine modelling the behaviour of the brake controller RELEASED auto_off,man_off/release man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller RELEASED auto_off,man_off/release TRIGGERED man_on/trigger man_off/release Which test cases should we derive from the model? auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller RELEASED auto_off,man_off/release TRIGGERED man_on/trigger man_off/release Which test cases should we derive from the model? auto_off, man_on/trigger auto_on/trigger auto_off/release Which correctness conditions can be guaranteed if auto_on/trigger all test cases are passed by the SUT? TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Overview Mathematical definition of Finite State Machines Languages and Conformance Relations FSM properties: observability and minimality Fault Models Testing Theories The W-Method for deterministic FSMs The Wp-Method for nondeterministic FSMs

Finite State Machines M =(Q, q 0,I,O,h) Q 6=?: finite set of states q 0 2 Q: initial state I 6=?: finite set of input alphabet O 6=?: finite set of output alphabet h Q I O Q: transition relation

Finite State Machine modelling the behaviour of the brake controller RELEASED auto_off,man_off/release man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger release q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger release Transition Relation q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger release Transition Relation q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger release Transition Relation (q 0, auto on, trigger,q 2 ),... q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } Input Alphabet q 0 RELEASED auto_off,man_off/release man_on, auto_on man_off, auto_off q 1 man_on/trigger man_off/release TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger Output Alphabet trigger release Transition Relation (q 0, auto on, trigger,q 2 ),... q 0 auto on/trigger! q 2 q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Language := I O alphabet := S { k2n 0 1... k L language over :, i 2, 8i =1,...,k} " 2 L L is prefix-closed

Language := I O alphabet := S { k2n 0 1... k L language over :, i 2, 8i =1,...,k} " 2 L L is prefix-closed 8 = 1... k 2 L : 1... i 2 L, 8i apple k

Finite State Machine modelling the behaviour of the brake controller q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

q 0 auto on/trigger! q 2 auto o /release! q 0 q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

q 0 auto on/trigger! q 2 auto o /release! q 0 (auto on, trigger).(auto o, release) 2 L(q 0 ) q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/trigger

Language of FSM M =(Q, q 0,I,O,h) L(q) :={ 2 9q 0 2 Q, q! q 0 } language of q q q 0 :, L(q) =L(q 0 ) qq 0 are equivalent L(M) :=L(q 0 ) language of M

Conformance Relations M =(Q, q 0,I,O,h), M 0 =(Q 0,q 0 0,I,O,h 0 )twofsm. M and M 0 are I/O equivalent : L(M 0 )=L(M) M 0 is an I/O reduction of M : L(M 0 ) L(M)

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1 x2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1 x2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 x1 q x2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1 x2 xn

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 q x1 x2 xn

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 x/y1 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 x/y1 q

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 x/y1 q q1

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q x/y1 x/y2 q1

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q x/y1 x/y2 q1

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q x/y1 q1 x/y2 q2

FSM Properties M =(Q, q 0,I,O,h) M is input-complete : 8q 2 Q ^ x 2 I,9y 2 O ^ q 0 2 Q : q x/y! q 0 M is deterministic : 8q x/y 1! q 1,q x/y 2! q 2 2 h ) y 1 = y 2 ^ q 1 = q 2 q x/y1=x/y2 q1 =q2

FSM Properties M is observable, if 8q x/y! q 1,q x/y! q 2 2 h ) q 1 = q 2

FSM Properties M is observable, if 8q x/y! q 1,q x/y! q 2 2 h ) q 1 = q 2 M is deterministic ) M is observable

FSM Properties M is observable, if 8q x/y! q 1,q x/y! q 2 2 h ) q 1 = q 2 M is deterministic ) M is observable

FSM Properties M is observable, if 8q x/y! q 1,q x/y! q 2 2 h ) q 1 = q 2 M is deterministic ) M is observable M is minimal, if 8q 2 Q, 9 2 L(q 0 ):q 0! q 8q 1 6= q 2 2 Q ) L(q 1 ) 6= L(q 2 )

FSM Properties M is observable, if 8q x/y! q 1,q x/y! q 2 2 h ) q 1 = q 2 M is deterministic ) M is observable M is minimal, if 8q 2 Q, 9 2 L(q 0 ):q 0! q initial connected 8q 1 6= q 2 2 Q ) L(q 1 ) 6= L(q 2 )

Signature Sig is a set of input-complete minimal observable finite state machines over = I O 8M over, 9M 0 2 Sig : L(M) =L(M 0 )

Finite State Machine modelling the behaviour of the brake controller Q = {q 0,q 1,q 2 } q 0 RELEASED auto_off,man_off/release Input Alphabet man_on, auto_on man_off, auto_off q 1 TRIGGERED man_on/trigger man_off/release auto_off, man_on/trigger auto_on/trigger auto_off/release q 0 deterministic input complete minimal auto o /release! q0 auto_on/trigger q 1 q 2 auto o /trigger! q1 auto o /release! q0 Output Alphabet trigger release q 2 TRIGGERED_AUTO q 0 q 2 man o /release! q0 man o /trigger! q2 man_off,man_on,auto_on/trigger

M =(Q, q 0,I,O,h),M 0 =(Q 0,q 0 0,I,O,h 0 ) 2 Sig L(M) =L(M 0 ), M,M 0 isomorphic 9f : M! M 0 : Q 7! Q 0 bijection q 0 7! q 0 0 I 7! I identity map O 7! O identity map q 1 x/y! q 2 2 h, f(q 1 ) x/y! f(q 2 ) 2 h 0

M =(Q, q 0,I,O,h),M 0 =(Q 0,q 0 0,I,O,h 0 ) 2 Sig L(M) =L(M 0 ), M,M 0 isomorphic 9f : M! M 0 : Q 7! Q 0 bijection q 0 7! q 0 0 I 7! I identity map O 7! O identity map q 1 x/y! q 2 2 h, f(q 1 ) x/y! f(q 2 ) 2 h 0

Fault Models F(M,I,O,apple, D) M 2 Sig, reference model apple Sig Sig, conformance relation (I/O equivalence or I/O reduction) D Sig, fault domain

Test Cases Test case of deterministic FSM: I/O sequence = x 1 /y 1...x k /y k 2 M passes, if 2 L(M 0 ) M fails, if 62 L(M 0 )

Test Suite test suite TS: a collection of test cases. M passes TS,if 8 2 TS, M passes. M fails TS,if 9 2 TS, M fails.

Complete Test Suites F(M,I,O,apple, D), fault model TS, testsuite Soundness: 8M 0 2D: M 0 apple M ) M 0 pass TS Exhaustiveness: 8M 0 2D: M 0 pass TS ) M 0 apple M Completeness: Soundness + Exhaustiveness 8M 0 2D: M 0 apple M, M 0 pass TS

Testing Theories Deterministic FSM: T-Method Product Automata W-Method, Wp-Method Nondeterministic FSM: W-Method, Wp-Method Adaptive Testing

Signature Sig is the set of input-complete minimal deterministic finite state machines over = I O

T-Method F(M,I,O,apple, D O ), fault model M =(Q, q 0,I,O,h), 8M 0 2 D O Sig: M 0 =(Q, q 0,I,O,h 0 ) 9f : h! h 0 bijective, x/y x/y 0 (q 1! q 2 ) 7! (q 1! q 2 )

State Cover State cover V of M =(Q, q 0,I,O,h) V L(M) " 2 V 8q 2 Q, 9 2 V : q 0! q. q 0 -after- = q

State Cover exists? finite? State cover V of M =(Q, q 0,I,O,h) V L(M) " 2 V 8q 2 Q, 9 2 V : q 0! q. q 0 -after- = q

Lemma Let M =(Q, q 0,I,O,h) 2 Sig and " 2 U L(M). Then U is a state cover of M or {q 0 -after-. 2 U ^ 2 ^. 2 L(M)} {q 0 -after- 2 U}.

Transition Cover Transition cover P of M =(Q, q 0,I,O,h) P L(M) " 2 P 8q 2 Q, = x/y 2 L(q), 9 2 P : q 0! q ^. 2 P

Transition Cover Transition cover P of M =(Q, q 0,I,O,h) P L(M) " 2 P 8q 2 Q, = x/y 2 L(q), 9 2 P : q 0! q ^. 2 P

Transition Cover Concatenation For any A, B 6=?. A.B := {. 2 A, 2 B} Example: = {a, b, c} A = {"},B = {a.b},c = {a, c} A.B = {".a.b} = {a.b} = B B.C = {a.b.a, a.b.c} Transition cover P of M =(Q, q 0,I,O,h) P L(M) " 2 P 8q 2 Q, = x/y 2 L(q), 9 2 P : q 0! q ^. 2 P

Transition Cover Concatenation For any A, B 6=?. A.B := {. 2 A, 2 B} Example: = {a, b, c} A = {"},B = {a.b},c = {a, c} A.B = {".a.b} = {a.b} = B B.C = {a.b.a, a.b.c} Transition cover P of M =(Q, q 0,I,O,h) P L(M) " 2 P 8q 2 Q, = x/y 2 L(q), 9 2 P : q 0! q ^. 2 P V is a state cover ) V ({"} [ ) = V.({"} [ ) \ L(M) = V [ {. 2 L(M) 2 V, 2 } is a transition cover

Transition Cover Concatenation For any A, B 6=?. A.B := {. 2 A, 2 B} Example: = {a, b, c} A = {"},B = {a.b},c = {a, c} A.B = {".a.b} = {a.b} = B B.C = {a.b.a, a.b.c} Transition cover P of M =(Q, q 0,I,O,h) P L(M) " 2 P 8q 2 Q, = x/y 2 L(q), 9 2 P : q 0! q ^. 2 P V is a state cover ) V ({"} [ ) = V.({"} [ ) \ L(M) M = V [ {. 2 L(M) 2 V, 2 } is a transition cover

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO transition cover P = V [ (V ) = {", man on/trigger, auto on/trigger, man o /release, auto o /release, man on/trigger.man on/trigger, man on/trigger.auto on/trigger, man on/trigger.man o /release, man on/trigger.auto o /trigger, auto on/trigger.man on/trigger, auto on/trigger.auto on/trigger, auto on/trigger.man o /trigger, auto on/trigger.auto o /release} man_off,man_on,auto_on/tr

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO transition cover P = V [ (V ) = {", man on/trigger, auto on/trigger, man o /release, auto o /release, man on/trigger.man on/trigger, man on/trigger.auto on/trigger, man on/trigger.man o /release, man on/trigger.auto o /trigger, auto on/trigger.man on/trigger, auto on/trigger.auto on/trigger, auto on/trigger.man o /trigger, auto on/trigger.auto o /release} man_off,man_on,auto_on/tr

T-Method Every TS = P transition cover of M is a complete test suite of F(M,I,O,, D O )

Proof: Suppose M 0,M are not I/O equivalent. Then there exists 2, 6= 0 2 such that. 2 L(M) and. 0 2 L(M 0 )with I = I 0. 0 Let q 0! q, q! q1 2 h, and q! q 1 2 h 0. Since TS is a transition cover, there is 2 TS such that q 0! q 2 h and. 2 TS. 0 Let q 0! q 2 h 0 with I = I 0. Then q 0 0! q 0! q 1 2 h 0 and q 0! q! q1 2 h. Since 0 I. 0 I = I. I and 0 O. 0 O 6= O. O, wehave. 62 L(M 0 ) Hence M 0 fails the test case. 2 TS.

W-Method M. P. Vasilevskii 1973 and Tsun S. Chow 1978 F(M,I,O,apple, D m ), fault model D m = {M 0 =(Q 0,q 0 0,I,O,h 0 ) 2 Sig Q 0 apple m}

Characterization Set Characterization set W of M =(Q, q 0,I,O,h) W is a set of I/O sequences 8q 1 6= q 2 2 Q, 9 1 6= 2 2 W : 1I = 2I ^ i 2 L(q i ),i=1, 2

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} transition cover P = V [ V q 0 RELEASED auto_off,man_off/release man_on/trigger man_off/release q 1 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} transition cover P = V [ V q 0 RELEASED auto_off,man_off/release q 0 auto o /release! q0 man_on/trigger man_off/release q 1 auto o /trigger! q1 q 1 q 2 auto o /release! q0 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release q 0 man o /release! q0 q 2 man o /trigger! q2 auto_on/trigger q 2 TRIGGERED_AUTO man_off,man_on,auto_on/

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} transition cover P = V [ V q 0 RELEASED auto_off,man_off/release q 0 auto o /release! q0 man_on/trigger man_off/release q 1 auto o /trigger! q1 q 1 q 2 auto o /release! q0 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release q 0 man o /release! q0 q 2 man o /trigger! q2 auto_on/trigger {man o /release, auto o /release } L(q 0 ) {man o /release, auto o /trigger } L(q 1 ) q 2 TRIGGERED_AUTO man_off,man_on,auto_on/ {man o /trigger, auto o /release } L(q 2 )

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} transition cover P = V [ V q 0 RELEASED auto_off,man_off/release q 0 auto o /release! q0 man_on/trigger man_off/release q 1 auto o /trigger! q1 q 1 q 2 auto o /release! q0 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release q 0 man o /release! q0 q 2 man o /trigger! q2 auto_on/trigger {man o /release, auto o /release } L(q 0 ) {man o /release, auto o /trigger } L(q 1 ) q 2 TRIGGERED_AUTO man_off,man_on,auto_on/ {man o /trigger, auto o /release } L(q 2 ) characterization set W = {man o /trigger, man o /release, auto o /trigger, auto o /release }

W-Method S m n+1 Every TS = V i=0 i W is a complete test suite of F(M,I,O,, D m ),n= Q

W-Method S m n+1 Every TS = V i=0 i W is a complete test suite of F(M,I,O,, D m ),n= Q TS I = V I. S m n+1 i=0 I i.w I

Step 1. M =(Q, q 0,I,O,h),M 0 =(Q 0,q 0 0,I,O,h 0 ) 2 Sig. Suppose 9f : Q! Q 0 : f(q 0 )=q 0 0 (q 1,x,y,q 2 ) 2 h ) (f(q 1 ),x,y,f(q 2 )) 2 h 0 Then L(M) =L(M 0 ).

Step 1. M =(Q, q 0,I,O,h),M 0 =(Q 0,q0,I,O,h 0 0 ) 2 Sig. Suppose 9f : Q! Q 0 : f(q 0 )=q0 0 homomorphism (q 1,x,y,q 2 ) 2 h ) (f(q 1 ),x,y,f(q 2 )) 2 h 0 Then L(M) =L(M 0 ).

Proof of step 1. Suppose f : Q! Q 0,f(q 0 )=q 0 0, is a homomorphism. Then 8x 1...x k /y 1...y k 2 L(M), 9q i 2 Q, i =1,...,k: q 0 x 1 /y 1! q 1 x 2 /y 2! xk/y k! q k and q 0 0 = f(q 0 ) x 1/y 1! f(q 1 ) x 2/y 2! xk/y k! f(q k ) Then x 1...x k /y 1...y k 2 L(M 0 ) and L(M) L(M 0 ). Since M,M 0 are input complete and deterministic, we have L(M 0 )=L(M).

Step 2. M 0 =(Q 0,q 0 0,I,O,h 0 ) 2 D m. Suppose M 0 pass V S m n S m n i=0 i W Then V i=0 i is a state cover of M 0 and S m n+1 V i=0 i is a transition cover of M 0.

Proof of step 2. 1. M 0 pass(v. S m n+1 i=0 i.w ) \ L(M) ) (V. S m n+1 i=0 i.w ) \ L(M) =(V. S m n+1 i=0 i.w ) \ L(M 0 ) S m n+1 ) V i=0 i 0 W = V S m n+1 i=0 i 0 W 2. {q 0 0-after- ) 2 V } n 3. {q 0 0-after- 2 V S m n i=0 i } = Q 0

Proof of {{q 0 0-after- 2 V} n Let 0 = " { i i =0,...,n 1} V state cover of M q 0 q 0 0 i! qi i! q 0 i

Then i 6= j ) q 0 i 6= q0 j : 1. q i 6= q j )9 i 6= j 2 W : ii = ji, i 2 L(q i ), j 2 L(q j ) (W is a characterisation set of M) 2. i 2 L 0 (q 0 i ), j 2 L 0 (q 0 j ) ^ i I = ji 3. M 0 is deterministic ) L 0 (q 0 i ) 6= L0 (q 0 j ) ) q0 i 6= q0 j Hence n = {q 0 0,...,q 0 n 1} apple {q 0 0-after- 2 V }

Step 3. M 0 =(Q 0,q0,I,O,h 0 0 ) 2 D m. Suppose M 0 S m n+1 pass V i=0 i W. Then 9f : M 0! M homomorphism.

Proof of step 3. Let Q 0 =: {q0,...,q 0 m 0 1} {"} [ { i i =1,...m a state cover of M 0. 1} V S m n i=0 i, f : Q 0! Q, f(q 0 0)=q 0 and f(q 0 i )=q 0-after- i.

Proof of step 3. Let Q 0 =: {q0,...,q 0 m 0 1} {"} [ { i i =1,...m a state cover of M 0. 1} V S m n i=0 i, f : Q 0! Q, f(q 0 0)=q 0 and f(q 0 i )=q 0-after- i. Then f(q) is the unique state of M such that 2 L(q 0 ), 2 L(f(q)), 8 2 W

Proof of step 3. Let Q 0 =: {q0,...,q 0 m 0 1} {"} [ { i i =1,...m a state cover of M 0. 1} V S m n i=0 i, f : Q 0! Q, f(q 0 0)=q 0 and f(q 0 i )=q 0-after- i. Then f(q) is the unique state of M such that 2 L(q 0 ), 2 L(f(q)), 8 2 W

Then x/y 2 L(q 0 i ), x/y 2 L(q i), 8x/y 2 m n [q 0,q0 0 pass V [ i ] i=0 2 L(q 0 i ), 2 L(q i), 8 2 W m n [q 0,q0 0 pass V [ i W ] i=0 (x/y). 2 L(q 0 i ), (x/y). 2 L(q i), 8x/y 2, 2 W m n [q 0,q0 0 pass V [ i W ] i=0

q 0 0 i! q 0 i x/y! q 0 f f f? q 0 i! qi x/y! q 2 L(q 0 ), 2 L(q), 8 2 W ) f(q 0 )=q

Wp-Method F(M,I,O,apple, D m ), fault model D m = {M 0 =(Q 0,q 0 0,I,O,h 0 ) Sig Q 0 applem}

1. V a state cover of M. 2. P = V ({"} [ ) a transition cover of M 3. R = P \ V. 4. W a characterisation set of M. 5. {W 0,...,W n 1 } state identification sets of M, such that W i pref(w ) for i =0,...,n 1. W i distinguishes q i from all other states in Q.

Finite State Machine modelling the behaviour of the brake controller state cover V = {", man on/trigger, auto on/trigger} transition cover P = V [ V q 0 RELEASED auto_off,man_off/release q 0 auto o /release! q0 man_on/trigger man_off/release q 1 auto o /trigger! q1 q 1 q 2 auto o /release! q0 TRIGGERED auto_off, man_on/trigger auto_on/trigger auto_off/release q 0 man o /release! q0 q 2 man o /trigger! q2 auto_on/trigger {man o /release, auto o /release } L(q 0 ) W0 {man o /release, auto o /trigger } L(q 1 ) q 2 TRIGGERED_AUTO man_off,man_on,auto_on/ W2 W1 {man o /trigger, auto o /release } L(q 2 ) characterization set W = {man o /trigger, man o /release, auto o /trigger, auto o /release }

Wp-Method Wp 1 = V S m n i=0 i W Wp 2 = R m n {W 0,...,W n 1 } TS = Wp 1 [ Wp 2 is a complete test suite of F =(M,I,O,, D m ). U {W 0,...,W n 1 } = S 2U^q i =q 0 -after- { }.W i

Wp-Method Wp 1 = V S m n i=0 i W Wp 2 = R m n {W 0,...,W n 1 } TS = Wp 1 [ Wp 2 is a complete test suite of F =(M,I,O,, D m ). U {W 0,...,W n 1 } = S 2U^q i =q 0 -after- { }.W i

Further Reading 1. Publications of Jan Peleska, Wen-ling Huang, and their co-authors. http:// www.informatik.uni-bremen.de/agbs/jp/jp_papers_e.html 2. ERTMS/ETCS SystemRequirements Specification, Chapter 3, Principles, volume Subset-026-3, Issue 3.4.0 (2015), available under http://www.era.europa.eu/ Document-Register/Pages/Set-2-System-Requirements-Specification.aspx 3. Nancy Leveson. SafeWare: System Safety and Computers. Addison Wesley 1995. 4. Neil Storey. Safety-critical Computer Systems. Addison-Welly, 1996.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback