Publications (242)
This paper, written in honour of Tiziana Margaria, aims to provide a comprehensive presentation of where mainstream formal methods are currently used for modelling and analysis of railway applications.
We focus on the integration of Formal Methods as a mandatory theme in any Computer Science University curriculum. In particular, when considering the ACM Curriculum for Computer Science, the inclusion of Formal Methods as a mandatory Knowledge Area needs an argument for why and how every computer science graduate benefits from such knowledge. We do n...
In this paper, we address the question of whether general-purpose LLM-based tools may be useful for detecting requirements variability in Natural Language (NL) requirements documents. For this purpose, we conduct a preliminary exploratory study considering OpenAI chatGPT-3.5 and Microsoft Bing. Using two exemplar NL requirements documents, we compa...
Model checking techniques have often been applied to the verification of railway interlocking systems. However, these techniques may fail to scale to interlockings controlling large railway networks, composed of hundreds of controlled entities, due to the state space explosion problem. We have previously proposed a compositional method to reduce th...
In the context of the Shift2Rail open call S2R-OC-IP2-01-2019, one of the two work streams of the 4SECURail project has pursued the objective to corroborate how a clear, rigorous standard interface specification between signaling sub-systems can be designed by applying an approach based on semi-formal and formal methods. The objective is addressed...
This paper considers model checking the safety for members of a product line of railway interlocking systems, where an actual interlocking system is modelled as an instance of a generic model configured over the network under its control. For models over large networks it is a well-known problem that model checking may fail due to state space explo...
The prospected advent of advanced train control systems, such as moving block and virtual coupling, raises the issue of the effects that uncertainty on critical parameters (such as position or speed) can have on dependability. Several approaches to the evaluation of such effects have been proposed, typically based on a state-based formal modelling...
The adoption of formal methods in railway signalling has been the subject of specific tracks of past ISOLA conferences since a decade.
Variability is a characteristic of a software project and describes the fact that a system can be configured in different ways, obtaining different products (variants) from a common code base, according to the software product line paradigm. This paradigm can be conveniently applied in all phases of the software process, starting from the definit...
Reliability of complex Cyber-Physical Systems is necessary to guarantee availability and/or safety of the provided services. Diverse and complex fault tolerance policies are adopted to enhance reliability, that include a varied mix of redundancy and dynamic reconfiguration to address hardware reliability, as well as specific software reliability te...
The progressive adoption of artificial intelligence and advanced communication technologies within railway control and automation has brought up a huge potential in terms of optimisation, learning and adaptation, due to the so-called “self-x” capabilities; however, it has also raised several dependability concerns due to the lack of measurable trus...
Formal verification of safety of interlocking systems and of their configuration on a specific track layout is conceptually an easy task for model checking. Systems that control large railway networks, however, are challenging due to state space explosion problems. A possible way out is to adopt a compositional approach that allows safety of a larg...
Preprint accepted for publication in the proceedings of "The 4th International Conference on Reliability, Safety and Security of Railway Systems" (RSSRail'22).
Please cite as:
Francesco Flammini, Lorenzo De Donato, Alessandro Fantechi, Valeria Vittorini. A Vision of Intelligent Train Control. Proc. 4th International Conference on Reliability, Safe...
Railways constitute the backbone of urban mobility and, in a Smart City perspective, stations should provide easy access and seamless interchange among transport and operation modes, booking tickets through different channels, paying with different methods, exploiting online services of different providers. Traditionally, station information system...
The substitution of traditional occupancy detecting sensors with an Autonomous Positioning System (APS) is a promising solution to contain costs and improve performance of current tramway signalling systems. APS is an onboard system using satellite positioning and other inertial platforms to autonomously estimate the position of the tram with the n...
The combined use of standard interfaces and formal methods is currently under investigation by Shift2Rail, a joint undertaking between railway stakeholders and the EU. Standard interfaces are useful to increase market competition and standardization whilst reducing long-term life cycle costs. Formal methods are needed to achieve interoperability an...
“The bride is dressed in red and the groom in white.” Sometimes someone cannot believe their own ears, thinking they have misunderstood, while the communication is in fact clear and exact: Egon actually got married in white and Donatella was in red. Some other times someone believes they have understood, while the message is in fact ambiguous and unclear...
Reliability Block Diagrams (RBDs) are widely used in reliability engineering to model how the system reliability depends on the reliability of components or subsystems. In this paper, we present librbd, a C library providing a generic, efficient and open-source solution for time-dependent reliability evaluation of RBDs. The library has been develop...
Predictive diagnosis of wheel wear plays a fundamental role in maintenance of railway vehicles. While on-board installation of wear sensors is affordable only for modern high-performance trains (e.g., high-speed trains), evaluation of wheel wear is mostly performed through periodic measures in maintenance sites for low-performance trains (e.g., sec...
We provide a brief comparison of the modelling and analysis capabilities of two different formalisms and their associated simulation-based tools, acquired from experimenting with these methods and tools on one specific case study. The case study is a cyber-physical system from an industrial railway project, namely a railroad switch heater, and the...
The growingly wide deployment of ERTMS-ETCS systems on high speed lines as well as on freight corridors is already a witness to the possible achievement of high safety standards by means of distributed control algorithms, that span over geographical areas and are able to safely control large physical systems.
The Shift2Rail Innovation Programme is focussing on innovative technologies to enhance the overall railway market segments. Formal methods and standard interfaces have been identified as two key concepts to reduce time-to-market and costs, whilst ensuring safety, interoperability and standardization. However, the decision to start using forma...
We report on the experience made with three Natural Language Processing analysis tools, aimed to compare their performance in detecting ambiguity and under-specification in requirements documents, and to compare them with respect to other qualities like learnability, usability, and efficiency. Two industrial tools, Requirements Scout and QVscribe,...
Formal methods and tools have a long history of successful applications in the design of safety-critical railway products. However, most of the experiences focused on the application of a single method at once, and little work has been performed to compare the applicability of the different available frameworks to the railway context. As a result,...
In the last decades, the socio-demographic evolution of the population has substantially changed mobility demand, posing new challenges in minimizing urban congestion and reducing environmental impact. In this scenario, understanding how different modes of transport can efficiently share (partially or totally) a common infrastructure is crucial for...
Stefania Gnesi was born in Livorno in 1954. She studied Computer Science at the University of Pisa, where she graduated summa cum laude in 1978.
The railway sector has seen a large number of successful applications of formal methods and tools. However, up-to-date, structured information about the industrial usage and needs related to formal tools in railways is limited. Two Shift2Rail projects, X2Rail-2 and ASTRail, have addressed this issue by performing a systematic search over the state...
In this demo paper we present how to use the QuARS tool to extract variability information from requirements documents. The main functionality of QuARS is to detect ambiguity in Natural Language (NL) requirement documents.
Ambiguity in requirements may be due to intentional or unintentional indication of possible variability; an ambiguity detecting...
The research project SISTER aims to improve the safety and autonomy of light rail trains by developing and integrating novel technologies for remote sensing and object detection, safe positioning, and broadband radio communication. To prove safety of the SISTER solution, CENELEC-compliant Verification and Validation (V&V) is obviously required. In...
One promising option to improve performance and contain costs of current tramway signalling systems is to introduce an Autonomous Positioning System (APS) in substitution of traditional occupancy detecting sensors. APS is an onboard system that uses a plurality of sensors (such as GPS or inertial platform) and a Sensor Fusion Algorithm (SFA) to aut...
We present a research trajectory of the authors and colleagues dealing with the correctness and meaningful composition of software components, trajectory that incrementally traverses successive paradigms and approaches: open distributed processing, contract based reasoning, behavioural typing and session types. This research is grounded on the foun...
Early work on automated formal verification produced pioneering model-checking algorithms, in which system computations were modelled either as sequences of distinguished states in which the system evolves or as sequences of events or actions occurring during the system’s state transitions. In both cases, automata-like structures generally known as...
Formal methods and tools have been widely applied to the development of railway systems during the last decades. However, no universally accepted formal framework has emerged, and railway companies wishing to introduce formal methods have little guidance for the selection of the most appropriate methods and tools to adopt. A work package (WP) of t...
This volume was published in honor of Stefania Gnesi’s 65th birthday. The Festschrift volume contains 32 papers written by close collaborators and friends of Stefania and was presented to her at a one-day colloquium held in Porto, Portugal, on October 8, 2019.
The Festschrift consists of eight sections, seven of which reflect the main research areas to w...
FIND THE PREPRINT at
http://rdcu.be/HtDi
In the railway safety-critical domain, requirements documents have to abide by strict quality criteria. Rule-based natural language processing (NLP) techniques have been developed to automatically identify quality defects in natural language requirements. However, the literature is lacking empirical studie...
A product line perspective may help to understand the possible variants in interactions between the subsystems of a large, cyber-physical system. This observation is exemplified in this paper by proposing a feature model of the family of ERTMS/ETCS train control systems and their foreseen extensions. This model not only shows the different componen...
In several large scale systems (e.g. robotic plants or transportation systems) safety is guaranteed by granting to some process or physical object an exclusive access to a particular set of physical areas or objects before starting its own action: some mechanism should in this case interlock the action of the former with the availability of the lat...
Natural language (NL) requirements documents can be a precious source to identify variability information. This information can be later used to define feature models from which different systems can be instantiated. In this paper, we are interested in validating the approach we have recently proposed to extract variability issues from the ambiguit...
The railway sector has seen a large number of successful applications of formal methods and tools. However, up-to-date, structured information about the industrial usage and needs related to formal tools in railways is limited. As a first step to address this, we present the results of a questionnaire submitted to 44 stakeholders with experience...
The configuration of a complex, generic, real-time application into a specifically customized signalling embedded application has an important impact on time to market, deployment costs and safety guarantees for a railway signalling manufacturer. In this paper we focus on the aspect of real-time schedulability analysis, that takes an important port...
Significant research efforts for the convergence of web and telecommunication services have been recently spent by research and industry stakeholders. The IETF and W3C are cooperating in specifying how web browsers should evolve to natively support communication services. In this perspective, devising novel mechanisms for signaling message exchange...
The feature interaction problem has been recognized as a general problem of software engineering. The problem appears when a combination of features interacts generating a conflict, exhibiting a behaviour that is unexpected for the features considered in isolation, possibly resulting in some critical safety violation. Verification of absence of cri...
Railway interlocking systems are responsible for granting exclusive access to a route, that is, a sequence of track elements, through a station or a network. Formal verification that basic safety rules regarding exclusive access to routes are satisfied by an implementation is still a challenge for networks of large size due to the exponential computatio...
In the railway domain safety is guaranteed by an interlocking system which translates operational decisions into commands leading to field operations. Such a system is safety critical and demands thorough formal verification during its development process. Within this context, our work has focused on the extension of a compositional model checking...
Software requirements are generally expressed in Natural Language. NL is intrinsically ambiguous, and this is seen as a possible source of problems in the later interpretation of requirements. However, ambiguity or under-specification at requirements level can in some cases give an indication of possible variability, either in design choice, in imp...
Context and motivation: In the railway safety-critical domain, requirements documents have to abide by strict quality criteria. Rule-based natural language processing (NLP) techniques have been developed to automatically identify quality defects in natural language requirements. However, the literature is lacking empirical studies on the application...
This volume constitutes the proceedings of the Second International Conference on Reliability, Safety and Security of Railway Systems, RSSRail 2017, held in Pistoia, Italy, in November 2017.
The 16 papers presented in this volume were carefully reviewed and selected from 34 submissions. They are organized in topical sections named: communication ch...
The railway signalling sector has historically been a source of success stories about the adoption of formal methods in the certification of software safety of computer-based control equipment.
A smart transportation system can be seen as an aggregate of transportation opportunities and services, accompanied by advanced management services that make the access to the system easier for the user. In this paper, we exploit the product line paradigm to address the variability of an exemplary smart transportation system: a bike-sharing system....
Because interlocking systems are highly safety-critical complex systems, their automated safety verification is an active research topic investigated by several groups, employing verification techniques to produce important cost and time savings in their certification. However, such systems also pose a big challenge to current verification methodol...
The technological evolution of railway signalling equipment promises significant increases in transport capacity, in operation regularity, in quality and safety of the service offered.
This evolution is based on the massive use of computer control units on board trains and on the ground, that aims at improving the performance of rail transport and...
In Product Lines Engineering many studies are focused on the research of the best behavioural model useful to describe a product family and to reason about properties of the family itself. In addition the model must allow to describe in a simple way different types of variability needed to characterize several products of the family. Modal Transiti...
An interlocking system monitors the status of the objects in a railway yard, allowing or denying the movement of trains, in accordance with safety rules. The high number of complex interlocking rules that guarantee the safe movements of independent trains in a large station makes the verification of such systems a complex task, which needs to be ad...
We present the formal underpinnings of a modelling and analysis framework for the specification and verification of variability in product families. We address variability at the behavioural level by modelling the family behaviour by means of a Modal Transition System (MTS) with an associated set of variability constraints expressed over action lab...
We show how the FMC model checker can successfully be used to model and analyze behavioural variability in Software Product Lines. FMC accepts parameterized specifications in a process-algebraic input language and allows the verification of properties of such models by means of efficient on-the-fly model checking. The properties can be expressed in...
Engineering a Collective Adaptive System (CAS) requires the support of a framework for quantitative modeling and analysis of the system. In order to jointly address variability and quantitative analysis, we apply the Product Lines paradigm, considered at the level of system engineering, to a case study of the European project QUANTICOL, by first de...
This book constitutes the refereed proceedings of the 7th International Workshop on Software Engineering for Resilient Systems, SERENE 2015, held in Paris, France, in September 2015. The 10 revised technical papers presented were carefully reviewed and selected from 18 submissions. The papers are organized in topical sections on development of resi...
An interlocking system monitors the status of the objects in a railway yard, allowing or denying the movement of trains, in accordance with safety rules. These rules depend on the topology of the station and hence every single delivered system obeys a particular set of rules. On the other hand, being safety critical systems, interlocking are subjec...
The term intelligent transportation systems (ITS) refers to information and communication technology (applied to transport infrastructure and vehicles) that improve transport outcomes such as transport safety, transport productivity, travel reliability, informed travel choices, social equity, environmental performance and network operation resilien...
Bike-sharing systems are becoming popular not only as a sustainable means of transportation in the urban environment, but also as a challenging case study that presents interesting run-time optimization problems. As a side-study within a research project aimed at quantitative analysis that used such a case study, we have observed how the deployed s...
Welcome to SPLC 2014, the 18th International Software Product Line Conference. SPLC is the premier forum for practitioners and researchers to present and discuss novel ideas, research results, experiences as well as issues and problems in the field.
This year, the program of the conference consists of a variety of exciting events such as keynote ta...
Railway interlocking systems still represent a challenge for formal verification by model checking: the high number of complex interlocking rules that guarantee the safe movements of independent trains in a large station makes the verification of such systems typically incur state space explosion problems. In this paper we describe a study aimed to...
In recent years, there has been a significant development in the world of conventional and/or urban railway systems. The evolution of technologies is leading to deployment of new signaling and control systems, including the Communication-Based Train Control widespread primarily in metro network. Strengths of this technology are continuous bi-direct...
We elaborate on previous work in which we presented SeB, a formalised subset of BPEL extended to support session-based interaction. Sessions are endowed with types that prescribe the correct structure of interactions, and a typed system can be checked for interaction safety. In our previous approach, the communication model was based on reliable FI...
Notwithstanding the large amount of attempts to formally verify them, railway interlocking systems still represent a challenging problem for automatic verification. Interlocking systems controlling sufficiently large stations, due to their inherent complexity related to the high number of variables involved, are not readily amenable to automatic ve...
For more than 25 years, railway signalling has been the subject of successful industrial application of formal methods in the development and verification of its computerized equipment.
However, the evolution of the technology of railway signalling systems over this long term has had a strong influence on the way formal methods can be applied in their de...