Towards formal methods diversity in railways: an experience report with seven frameworks


In the ever expanding universe of formal methods, several tools exist that can be exploited to validate early system designs, and that are applicable to problems of the railway domain. In this paper, we present an experience report in formal modelling and verification using seven different formal environments, namely UMC, Promela/SPIN, NuSMV, mCRL2, CPN Tools, FDR4 and CADP. In particular, we model and verify an algorithm that addresses a typical railway problem, namely deadlock avoidance in train scheduling. The algorithm is designed according to a prototypical architecture, the so-called blackboard pattern, in which a set of global data are atomically updated by a set of concurrent guarded agents. Our experience, limited to the specific problem, shows that the design of the algorithm can be translated into the different formalisms with acceptable effort, while deep proficiency with the tools is required to optimise the performance. The current paper establishes the preliminary foundations for the concept of formal methods diversity in the development of railway systems. The concept is based on the idea that if different non-certified formal environments are used to verify the same design, this increases the confidence on the verification results. Furthermore, by checking that the number of states generated during the verification process is the same for each framework, the designer can have an initial indication of the equivalence of the diverse models. The industrial application of this promising concept requires further research, and appropriate guidelines shall be established to identify the proper formal environments to use for a specific railway problem, and to define an industrial process in which formal methods diversity can be exploited at its full benefits. The paper presents the different models developed, compares the tools employed in terms of language features and performance, and discusses the industrial implications of the concept of formal methods diversity in the railway domain.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10


  1. 1.

    All the verification experiments have been conducted on a Mac Pro (late 2013) workstation with Quad-core 3.7 GHz Intel Xeon E5, 64 GB RAM running OS X 10.11 (El Capitan).

  2. 2.

  3. 3.

  4. 4.

  5. 5.

    i.e. the sum of the sizes of the current values held by all variables.

  6. 6.

  7. 7.

    The language used by UMC does not support explicit fairness constraints. Instead, fairness-related properties can be specified by means of the supported logics, e.g., \(\mu \)-Calculus.

  8. 8.

  9. 9.

  10. 10.

  11. 11.

  12. 12.

  13. 13.

    CPN Tools requires a Windows system. We made our experiments both on a Windows Virtual Machine running under macOS with 64 GB RAM, and on a dedicated Windows system with 64 GB RAM. In both cases, the used memory remained far below the available memory provided by the System. The “CPN Tools State Space Manual” says that 200,000 nodes are the upper limit for the size of state spaces.

  14. 14.

  15. 15.

    The continuously cycling model (syntactically a minimal variation of the round-trip one) has 159,374,352 states and 810,710,977 transitions.

  16. 16.

    In Table 1 we show the time ranges for the one-way case. We do not show time ranges for the round-trip case, since these times are highly influenced by the memory swapping, and different operating systems were used for the round-trip experiments, due to the constraints explained in Sect. 10.

  17. 17.

    The concept of specification is intended here in Jackson’s terms [40], i.e., the model that, given certain environmental assumptions, shall satisfy the requirements.

  18. 18.

    A difference of + 1 or + 2 among the models is due to the different way in which the system initialisation and the system final state is modelled

  19. 19.


  1. 1.

    1850-2010—IEEE Standard for Property Specification Language (PSL). Accessed 7 Mar 2018

  2. 2.

    Abrial, J.-R.: The B-book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (2005)

    MATH  Google Scholar 

  3. 3.

    Amrani, M., Lucio, L., Selim, G., Combemale, B., Dingel, J., Vangheluwe, H., Le Traon, Y., Cordy, J.R.: A tridimensional approach for studying the formal verification of model transformations. In: 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation (ICST), pp. 921–928. IEEE (2012)

  4. 4.

    Antoni, M., Ammad, N.: Formal validation method and tools for French computerized railway interlocking systems. In: IET Conference Proceedings—4th IET International Conference on Railway Condition Monitoring (RCM 2008), pp. 6–6(10) (2008)

  5. 5.

    Arnold, A., Gaudel, M.C., Marre, B.: An experiment on the validation of a specification by heterogeneous formal means: the transit node. In: 5th IFIP Working Conference on Dependable Computing for Critical Applications (DCCA5), pp. 24–34 (1995)

  6. 6.

    Avizienis, A.: The N-version approach to fault-tolerant software. IEEE Trans. Softw. Eng. 12, 1491–1501 (1985)

    Article  Google Scholar 

  7. 7.

    Barnat, J., Brim, L., Havel, V., Havlíček, J., Kriho, J., Lenčo, M., Ročkai, P., Štill, V., Weiser, J.: DiVinE 3.0—an explicit-state model checker for multithreaded C & C++ programs. In: International Conference on Computer Aided Verification, pp. 863–868. Springer (2013)

  8. 8.

    Behm, P., Benoit, P., Faivre, A., Meynadier, J.M.: METEOR: a successful application of B in a large project. In: International Symposium on Formal Methods, pp. 369–387. Springer (1999)

  9. 9.

    Benaissa, N., Bonvoisin, D., Feliachi, A., Ordioni, J.: The PERF approach for formal verification. In: International Conference on Reliability, Safety and Security of Railway Systems, pp. 203–214. Springer (2016)

  10. 10.

    BBlom, S., van de Pol, J., Weber, M.: LTSmin: distributed and symbolic reachability. In: International Conference on Computer Aided Verification, pp. 354–359. Springer (2010)

  11. 11.

    Bonacchi, A., Fantechi, A., Bacherini, S., Tempestini, M., Cipriani, L.: Validation of railway interlocking systems by formal verification, a case study. In: International Conference on Software Engineering and Formal Methods, pp. 237–252. Springer (2013)

  12. 12.

    Brilliant, S.S., Knight, J.C., Leveson, N.G.: Analysis of faults in an n-version software experiment. IEEE Trans. Softw. Eng. 16(2), 238–247 (1990)

    Article  Google Scholar 

  13. 13.

    CENELEC. EN 50128:2011: Railway Applications—Communication, Signalling and Processing Systems—Software for Railway Control and Protection Systems. Technical Report (2011)

  14. 14.

    Chiappini, A., Cimatti, A., Macchi, L., Rebollo, O., Roveri, M., Susi, A., Tonetta, S., Vittorini, B.: Formalization and validation of a subset of the European train control system. In: 2010 ACM/IEEE 32nd International Conference on Software Engineering, vol. 2, pp. 109–118. IEEE (2010)

  15. 15.

    Cho, C.H., Choi, D.H., Quan, Z.H., Choi, S.A., Park, G.S., Ryou, M.S.: Modeling of CBTC carborne ATO functions using SCADE. In: 2011 11th International Conference on Control, Automation and Systems (ICCAS), pp. 1089–1093. IEEE (2011)

  16. 16.

    Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: Nusmv 2: an opensource tool for symbolic model checking. In: International Conference on Computer Aided Verification, pp. 359–364. Springer (2002)

  17. 17.

    Clarke, E.M., Grumberg, O., Peled, D.: Model Checking. MIT Press, Cambridge (1999)

    Google Scholar 

  18. 18.

    DaSilva, C., Dehbonei, B., Mejia, F.: Formal specification in the development of industrial applications: subway speed control system. In: Proceedings of the IFIP TC6/WG6. 1 Fifth International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols: Formal Description Techniques, V, pp. 199–213. North-Holland Publishing Co. (1992)

  19. 19.

    De Nicola, R., Hennessy, M.C.B.: Testing equivalences for processes. Theor. Comput. Sci. 34(1–2), 83–133 (1984)

    MathSciNet  Article  MATH  Google Scholar 

  20. 20.

    De Nicola, R., Vaandrager, F.: Three logics for branching bisimulation. J. ACM (JACM) 42(2), 458–487 (1995)

    MathSciNet  Article  MATH  Google Scholar 

  21. 21.

    Dong, J., Chen, S., Jeng, J-J.: Event-based blackboard architecture for multi-agent systems. In: International Conference on Information Technology: Coding and Computing, 2005. ITCC 2005, vol. 2, pp. 379–384. IEEE (2005)

  22. 22.

    Dormoy, F.-X.: Scade 6: a model based solution for safety critical software development. In: Proceedings of the 4th European Congress on Embedded Real Time Software (ERTS08), pp. 1–9 (2008)

  23. 23.

    D’silva, Vijay, Kroening, Daniel, Weissenbacher, Georg: A survey of automated techniques for formal software verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 27(7), 1165–1178, (2008)

  24. 24.

    Fantechi, Alessandro: Twenty-five years of formal methods and railways: what next? In International Conference on Software Engineering and Formal Methods, pp. 167–183. Springer, (2013)

  25. 25.

    Fantechi, A., Gnesi, S., Lapadula, A., Mazzanti, F., Pugliese, R., Tiezzi, F.: A logical verification methodology for service-oriented computing. ACM Transactions on Software Engineering and Methodology (TOSEM) 21(3), 16 (2012)

    Article  Google Scholar 

  26. 26.

    Ferrari, A., Fantechi, A., Gnesi, S.: Lessons learnt from the adoption of formal model-based development. In: Goodloe, A.E., Person, S. (eds.) NASA Formal Methods Symposium (NFM 2012). Lecture Notes in Computer Science, vol 7226. Springer, Berlin, pp. 24–38 (2012)

  27. 27.

    Ferrari, A., Fantechi, A., Gnesi, S., Magnani, G.: Model-based development and formal methods in the railway industry. IEEE Softw. 30(3), 28–34 (2013)

    Article  Google Scholar 

  28. 28.

    Ferrari, A., Fantechi, A., Magnani, G., Grasso, D., Tempestini, M.: The metrô rio case study. Sci. Comput. Program. 78(7), 828–842 (2013)

    Article  Google Scholar 

  29. 29.

    Ferrari, A., Magnani, G., Grasso, D., Fantechi, A.: Model checking interlocking control tables. In: FORMS/FORMAT 2010, pp. 107–115. Springer, (2011)

  30. 30.

    Ferrari, A., Spagnolo, G.O., Martelli, G., Menabeni, S.: From commercial documents to system requirements: an approach for the engineering of novel CBTC solutions. Int. J. Softw. Tools Technol. Transf. 16(6), 647–667 (2014)

    Article  Google Scholar 

  31. 31.

    Fitzgerald, J., Larsen, P.G.: Balancing insight and effort: the industrial uptake of formal methods. In: Formal Methods and Hybrid Real-Time Systems, pp. 237–254. Springer (2007)

  32. 32.

    Frappier, M., Fraikin, B., Chossart, R., Chane-Yack-Fa, R., Ouenzar, M.: Comparison of model checking tools for information systems. In: International Conference on Formal Engineering Methods, pp. 581–596. Springer (2010)

  33. 33.

    Garavel, H., Lang, F., Mateescu, R., Serwe, W.: CADP 2011: a toolbox for the construction and analysis of distributed processes. STTT 15(2), 89–107 (2013)

    Article  MATH  Google Scholar 

  34. 34.

    Garavel, H., Lang, F., Serwe, W.: From LOTOS to LNT. In: ModelEd, TestEd, TrustEd—Essays Dedicated to Ed Brinksma on the Occasion of His 60th Birthday, volume 10500 of Lecture Notes in Computer Science, pp. 3–26. Springer (2017)

  35. 35.

    Gibson-Robinson, T., Armstrong, P., Boulgakov, A., Roscoe, A.W.: FDR3A modern refinement checker for CSP. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 187–201. Springer (2014)

  36. 36.

    Gnesi, S., Margaria, T.: Formal Methods for Industrial Critical Systems: A Survey of Applications. Wiley, Hoboken (2012)

    Book  Google Scholar 

  37. 37.

    Gnesi, S., Mazzanti, F.: An abstract, on the fly framework for the verification of service-oriented systems. In: Rigorous Software Engineering for Service-Oriented Systems, volume 6582 of LNCS, pp. 390–407. Springer (2011)

  38. 38.

    Groote, J.F., Mousavi, M.R.: Modeling and Analysis of Communicating Systems. MIT Press, Cambridge (2014)

    MATH  Google Scholar 

  39. 39.

    Gruner, S., Kumar, A., Maibaum, T.: Towards a body of knowledge in formal methods for the railway domain: identification of settled knowledge. In: International Workshop on Formal Techniques for Safety-Critical Systems, pp. 87–102. Springer (2015)

  40. 40.

    Gunter, C.A., Gunter, E.L., Jackson, M., Zave, P.: A reference model for requirements and specifications. IEEE Softw. 17(3), 37–43 (2000)

    Article  Google Scholar 

  41. 41.

    Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous data flow programming language LUSTRE. Proc. IEEE 79(9), 1305–1320 (1991)

    Article  Google Scholar 

  42. 42.

    Hamon, G., Dutertre, B., Erkok, L., Matthews, J., Sheridan, D., Cok, D., Rushby, J., Bokor, P., Shukla, S., Pataricza, A., et al.: Simulink design verifier-applying automated formal methods to simulink and stateflow. In: AFM08: Third Workshop on Automated Formal Methods, 14 July 2008, Princeton, New Jersey (2008)

  43. 43.

    Havelund, K., Pressburger, T.: Model checking java programs using java pathfinder. Int. J. Softw. Tools Technol. Transf. (STTT) 2(4), 366–381 (2000)

    Article  MATH  Google Scholar 

  44. 44.

    Haxthausen, A.E.: Automated generation of formal safety conditions from railway interlocking tables. Int. J. Softw. Tools Technol. Transf. 16(6), 713–726 (2014)

    Article  Google Scholar 

  45. 45.

    Hoare, C.A.R.: Communicating sequential processes. In: Hansen, P.B. (ed.) The Origin of Concurrent Programming. Springer, New York, NY (1978).

  46. 46.

    Holzmann, G.: The Spin Model Checker: Primer and Reference Manual. Addison-Wesley Professional, Boston (2003)

    Google Scholar 

  47. 47.

    Hordvik, S., Øseth, K., Blech, J.O., Herrmann, P.: A methodology for model-based development and safety analysis of transport systems. In: 11th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE) (2016)

  48. 48.

    Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2012)

    Google Scholar 

  49. 49.

    James, P., Lawrence, A., Moller, F., Roggenbach, M., Seisenberger, M., Setzer, A., Kanso, K., Chadwick, S.: Verification of solid state interlocking programs. In: International Conference on Software Engineering and Formal Methods, pp. 253–268. Springer (2013)

  50. 50.

    Jansen, L., Meyer Zu Horste, M., Schnieder, E.: Technical issues in modelling the European train control system (etcs) using coloured petri nets and the design/cpn tools. In: Proceedings of the Workshop on Practical Use of Coloured Petri Nets and Desgin/CPN, pp. 103–115. Aarhus University (1998). Accessed 7 Mar 2018

  51. 51.

    Jensen, K., Kristensen, L.M.: Coloured Petri Nets: Modelling and Validation of Concurrent Systems. Springer, Berlin (2009)

    Book  MATH  Google Scholar 

  52. 52.

    Latif-Shabgahi, G., Bass, J.M., Bennett, S.: A taxonomy for software voting algorithms used in safety-critical systems. IEEE Trans. Reliab. 53(3), 319–328 (2004)

    Article  Google Scholar 

  53. 53.

    Magree, J.: Behavioral analysis of software architectures using LTSA. In: Proceedings of the 1999 International Conference on Software Engineering, 1999, pp. 634–637. IEEE (1999)

  54. 54.

    Mateescu, R., Thivolle, D.: A model checking language for concurrent value-passing systems. In: FM 2008: Formal Methods, 15th International Symposium on Formal Methods, Turku, Finland, May 26–30, 2008, Proceedings, volume 5014 of Lecture Notes in Computer Science, pp. 148–164. Springer (2008)

  55. 55.

    Mazzanti, F.: An experience in Ada multicore programming: parallelisation of a model checking engine. In: Ada-Europe International Conference on Reliable Software Technologies, volume 9695 of LNCS, pp. 94–109. Springer (2016)

  56. 56.

    Mazzanti, F., Ferrari, A., Spagnolo, G.O.: Experiments in formal modelling of a deadlock avoidance algorithm for a CBTC system. In: International Symposium on Leveraging Applications of Formal Methods, pp. 297–314. Springer (2016)

  57. 57.

    Mazzanti, F., Spagnolo, G.O., Della Longa, S., Ferrari, A.: Deadlock avoidance in train scheduling: a model checking approach. In: International Workshop on Formal Methods for Industrial Critical Systems, volume 8718 of LNCS, pp. 109–123. Springer (2014)

  58. 58.

    Mazzanti, F., Spagnolo, G.O., Ferrari, A.: Designing a deadlock-free train scheduler: a model checking approach. In: NASA Formal Methods Symposium, volume 8430 of LNCS, pp. 264–269. Springer (2014)

  59. 59.

    Mazzanti, F., Spagnolo, G.O., Ferrari, A.: Formal Tool Diversity—Experiments Data Repository (2017)., Accessed 7 Mar 2018

  60. 60.

    Miller, S.P., Whalen, M.W., Cofer, D.D.: Software model checking takes off. Commun. ACM 53(2), 58–64 (2010)

    Article  Google Scholar 

  61. 61.

    Owre, S., Rushby, J.M., Shankar, N.: PVS: A prototype verification system. In: International Conference on Automated Deduction, pp. 748–752. Springer (1992)

  62. 62.

    Powell, D., Arlat, J., Beus-Dukic, L., Bondavalli, A., Coppola, P., Fantechi, A., Jenn, E., Rabéjac, C., Wellings, A.: Guards: a generic upgradable architecture for real-time dependable systems. IEEE Trans. Parallel Distrib. Syst. 10(6), 580–599 (1999)

    Article  Google Scholar 

  63. 63.

    Qian, J., Liu, J., Chen, X., Sun, J.: Modeling and verification of zone controller: the scade experience in China’s railway systems. In: 2015 IEEE/ACM 1st International Workshop on Complex Faults and Failures in Large Software Systems (COUFLESS), pp. 48–54. IEEE (2015)

  64. 64.

    RTCA. DO-178C Software Considerations in Airborne Systems and Equipment Certification (2012)

  65. 65.

    ter Beek, M.H., Fantechi, A., Gnesi, S., Mazzanti, F.: A state/event-based model-checking approach for the analysis of abstract system properties. Sci. Comput. Program. 76(2), 119–135 (2011)

    Article  MATH  Google Scholar 

  66. 66.

    ter Beek, M.H., Gnesi, S., Mazzanti, F.: From EU projects to a family of model checkers. In: Software, Services, and Systems, volume 8950 of LNCS, pp. 312–328. Springer (2015)

  67. 67.

    Vanit-Anunchai, S.: Application of coloured petri nets in modelling and simulating a railway signalling system. In: International Workshop on Formal Methods for Industrial Critical Systems, pp. 214–230. Springer (2016)

  68. 68.

    Vu, L.H., Haxthausen, A.E., Peleska, J.: Formal modelling and verification of interlocking systems featuring sequential release. Sci. Comput. Program. 133, 91–115 (2017)

    Article  Google Scholar 

  69. 69.

    Whalen, M., Cofer, D., Miller, S., Krogh, B.H., Storm, W.: Integration of formal analysis into a model-based software development process. In: International Workshop on Formal Methods for Industrial Critical Systems, pp. 68–84. Springer (2007)

  70. 70.

    Winter, K., Johnston, W., Robinson, P., Strooper, P., Van Den Berg, L.: Tool support for checking railway interlocking designs. In: Proceedings of the 10th Australian Workshop on Safety Critical Systems and Software, vol. 55, pp. 101–107. Australian Computer Society, Inc. (2006)

  71. 71.

    Woodcock, J., Larsen, P.G., Bicarregui, J., Fitzgerald, J.: Formal methods: Practice and experience. ACM Comput. Surv. (CSUR) 41(4), 19 (2009)

    Article  Google Scholar 

  72. 72.

    Zave, P.: A practical comparison of alloy and spin. Formal Aspects Comput. 27(2), 239 (2015)

    Article  Google Scholar 

Download references


This wok has been partially funded by the ASTRail project. This project received funding from the Shift2Rail Joint Undertaking under the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 777561. The content of this paper reflects only the authors’ view, and the Shift2Rail Joint Undertaking is not responsible for any use that may be made of the included information.

Author information



Corresponding author

Correspondence to Franco Mazzanti.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Mazzanti, F., Ferrari, A. & Spagnolo, G.O. Towards formal methods diversity in railways: an experience report with seven frameworks. Int J Softw Tools Technol Transfer 20, 263–288 (2018).

Download citation


  • Formal methods diversity
  • Model checking
  • Deadlock avoidance
  • Train scheduling
  • Railways
  • Automatic train protection
  • CBTC