A Case in Point: Verification and Testing of a EULYNX Interface
Formal Aspects of Computing (IF 1), Pub Date: 2022-05-10, DOI: 10.1145/3528207
Mark Bouwman¹, Djurre van der Wal², Bas Luttik¹, Mariëlle Stoelinga², Arend Rensink²

We present a case study on the application of formal methods in the railway domain. The case study is part of the FormaSig project, which aims to support the development of EULYNX — a European standard defining generic interfaces for railway equipment — using formal methods. We translate the semi-formal SysML models created within EULYNX to formal mCRL2 models. By adopting a model-centric approach in which a formal model is used both for analyzing the quality of the EULYNX specification and for automated compliance testing, a high degree of traceability is achieved.

The target of our case study is the EULYNX Point subsystem interface. We present a detailed catalog of the safety requirements, and provide counterexamples that show that some of them do not hold without specific fairness assumptions. We also use the mCRL2 model to generate both random and guided tests, which we apply to a third-party software simulator. We share metrics on the coverage and execution time of the tests, which show that guided testing outperforms random testing. The test results indicate several discrepancies between the model and the simulator. One of these discrepancies is caused by a fault in the simulator; the others are false positives, i.e., an over-approximation of fail verdicts by our test setup.
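The model-centric workflow the abstract describes, in which one formal model both grounds the verification of the specification and drives conformance tests against an implementation, is easier to picture with a toy. The Python below is an added example written for this page; it is not code from the FormaSig project or from the paper, and it does not use mCRL2 or the SysML-derived EULYNX model. It assumes a small hand-made labelled transition system (`MODEL`) that stands in for a point interface, a constructed simulator (`ToySimulator`) with one injected fault, and compares random test generation with coverage-guided generation on the same model. All state names, labels and function names are assumptions made for the example.

```python
import random
from collections import deque

# Constructed toy model (hypothetical; NOT the paper's EULYNX Point model).
# A labelled transition system: state -> list of (label, next_state).
# '?x' labels are inputs the tester sends, '!y' labels are outputs the
# implementation under test (SUT) must produce in that state.
MODEL = {
    "left":   [("?move_right", "mv_r"), ("?move_left", "idle_l")],
    "idle_l": [("!no_change", "left")],
    "mv_r":   [("!at_right", "right")],
    "right":  [("?move_left", "mv_l"), ("?move_right", "idle_r")],
    "idle_r": [("!no_change", "right")],
    "mv_l":   [("!at_left", "left")],
}
INITIAL = "left"
ALL_TRANSITIONS = {(s, lbl, t) for s, outs in MODEL.items() for lbl, t in outs}


class ToySimulator:
    """Constructed stand-in for a third-party simulator with one injected
    fault: a redundant '?move_right' while already right answers '!at_right'
    where the model requires '!no_change'."""

    def __init__(self):
        self.position = "left"

    def step(self, inp):
        if inp == "?move_right":
            if self.position == "left":
                self.position = "right"
            return "!at_right"            # injected fault when already right
        if inp == "?move_left":
            if self.position == "right":
                self.position = "left"
                return "!at_left"
            return "!no_change"
        raise ValueError(inp)


def run_test(inputs, sut_factory=ToySimulator):
    """Execute one test case (a list of input labels) against a fresh SUT.
    Returns (verdict, covered_transitions, detail); a test stops at the first
    output the model does not allow, which yields a 'fail' verdict."""
    sut, state, covered = sut_factory(), INITIAL, set()
    for inp in inputs:
        nxt = dict(MODEL[state]).get(inp)
        if nxt is None:
            raise ValueError(f"input {inp} not enabled in model state {state}")
        covered.add((state, inp, nxt))
        state = nxt
        actual = sut.step(inp)
        expected = dict(MODEL[state])      # outputs the model allows here
        if actual not in expected:
            return "fail", covered, f"in {state}: got {actual}, expected one of {sorted(expected)}"
        covered.add((state, actual, expected[actual]))
        state = expected[actual]
    return "pass", covered, ""


def random_inputs(length, rng):
    """Random walk over the model: pick a uniformly random enabled input."""
    state, seq = INITIAL, []
    for _ in range(length):
        lbl, state = rng.choice([tr for tr in MODEL[state] if tr[0].startswith("?")])
        _, state = MODEL[state][0]         # toy model: one output per input
        seq.append(lbl)
    return seq


def shortest_path_to_uncovered(start, uncovered):
    """BFS over the model; returns the transition path ending in the nearest
    uncovered transition, or None if none is reachable."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        for lbl, nxt in MODEL[state]:
            step = path + [(state, lbl, nxt)]
            if (state, lbl, nxt) in uncovered:
                return step
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, step))
    return None


def guided_inputs(uncovered, max_length=20):
    """Coverage-guided generation: keep steering toward the nearest transition
    that earlier tests have not covered yet."""
    state, seq, uncovered = INITIAL, [], set(uncovered)
    while uncovered and len(seq) < max_length:
        path = shortest_path_to_uncovered(state, uncovered)
        if path is None:
            break
        for s, lbl, t in path:
            if lbl.startswith("?"):
                seq.append(lbl)
            uncovered.discard((s, lbl, t))
            state = t
    return seq


def run_random_suite(n_tests, length, seed=0):
    """Returns (transition coverage, distinct failure details)."""
    rng, covered, failures = random.Random(seed), set(), []
    for _ in range(n_tests):
        verdict, cov, detail = run_test(random_inputs(length, rng))
        covered |= cov
        if verdict == "fail" and detail not in failures:
            failures.append(detail)
    return len(covered) / len(ALL_TRANSITIONS), failures


def run_guided_suite(max_tests=10, max_length=20):
    """Generates tests until the model is covered or no test adds coverage
    (e.g. a transition is blocked behind a failing output)."""
    covered, failures = set(), []
    for _ in range(max_tests):
        seq = guided_inputs(ALL_TRANSITIONS - covered, max_length)
        if not seq:
            break
        verdict, cov, detail = run_test(seq)
        if verdict == "fail" and detail not in failures:
            failures.append(detail)
        if not (cov - covered):
            break
        covered |= cov
    return len(covered) / len(ALL_TRANSITIONS), failures


if __name__ == "__main__":
    print("random :", run_random_suite(5, 6, seed=1))
    print("guided :", run_guided_suite())
```

On this toy the guided suite reaches every transition that the faulty simulator lets it reach with a handful of inputs and reports the injected discrepancy once; random walks of the same budget typically cover less for the same cost, which is the effect the abstract reports at scale. A `fail` verdict here means only that the harness saw an output the model does not allow in that state; as the paper notes, such a harness can over-approximate, so each discrepancy still needs triage before it is attributed to the implementation.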
Updated: 2022-05-11