Formal specification and validation of a critical system in presence of byzantine errors

This paper describes an experience in formal specification and fault tolerant behavior validation of a railway critical system. The work, performed in the context of a real industrial project, had the following main targets: (a) to validate specific safety properties in the presence of byzantine system components or of some hardware temporary faults; (b) to design a formal model of a critical railway system at a right level of abstraction so that could be possible to verify certain safety properties and at the same time to use the model to simulate the system. For the model specification we used the Promela language, while the verification was performed using the Spin model checker. Safety properties were specified by means of both assertions and temporal logic formulae. To make the problem of validation tractable in the Spin environment, we used ad hoca abstraction techniques.