Abstract
Model checking techniques have often been applied to the verification of railway interlocking systems. However, these techniques may fail to scale to interlockings controlling large railway networks, composed by hundreds of controlled entities, due to the state space explosion problem. We have previously proposed a compositional method to reduce the size of networks to be model checked: the idea is to divide the network of the system to be verified into two sub-networks and then model check the model instances for these sub-networks instead of that for the full network. If given well-formedness conditions are satisfied by the network and the kind of division performed, it is proved that model checking safety properties of all such sub-networks guarantees safety properties of the full network. In this paper we observe that such a network division can be repeated, so that in the end, the full network has been divided into a number of sub-networks of minimal size, each being an instance of one of a limited set of “elementary networks”, for which safety proofs have easily been given by model checking once for all. The paper defines a division algorithm, and shows how, applying it to some examples of different complexity, a network can be automatically decomposed into a set of elementary networks, hence proving its safety. The execution time for such a verification turns out to be a very small fraction of the time needed for a model checker to verify safety of the full network.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
We are considering modern ERTMS level 2 based interlocking systems for which there are no physical signals. They are replaced by markerboards, and in the control system there are virtual signals associated with the markerboards. Throughout the paper we use the term signal as a synonym for markerboard.
- 4.
A network is loop-free, if there are no physically possible path through the network containing the same section more than once.
- 5.
Throughout this paper, as generic model and safety properties, we are using those from [20]. The properties are the no collision and no derailment properties, shared by the vast literature on interlocking verification.
- 6.
The notion of flank protection is explained in the end of Sect. 4.2.
- 7.
By connected we mean that by navigating the graph of the not yet visited part of the network starting from the two sides we eventually reach a common point.
- 8.
Note that when coming from the stem, we do not have such a problem, as a route cannot pass through a point via its two branches.
- 9.
The decompose function was repeatedly invoked with each of the network’s borders as the border parameter b of decompose, and then the average execution time was computed. Note that the invocations with different b on the same network sometimes produce slightly different sets of networks: the cardinalities of the sets of networks returned by two different invocations are the same and networks are usually the same, except that sometimes a linear section may be included in a different sub-network.
References
Fantechi, A., Gori, G., Haxthausen, A.E., Limbrée, C.: Compositional verification of railway interlockings: comparison of two methods. In: Dutilleul, S.C., Haxthausen, A.E., Lecomte, T. (eds.) RSSRail 2022. LNCS, vol. 13294, pp. 3–19. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-05814-1_1
Fantechi, A., Haxthausen, A.E., Macedo, H.D.: Compositional verification of interlocking systems for large stations. In: Cimatti, A., Sirjani, M. (eds.) SEFM 2017. LNCS, vol. 10469, pp. 236–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66197-1_15
Ferrari, A., ter Beek, M.H.: Formal methods in railways: a systematic mapping study. ACM Comput. Surv. 55(4), 1–37 (2022)
Ferrari, A., Magnani, G., Grasso, D., Fantechi, A.: Model checking interlocking control tables. In: Schnieder, E., Tarnai, G. (eds.) FORMS/FORMAT 2010, pp. 107–115. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-14261-1_11
Ferrari, A., Mazzanti, F., Basile, D., ter Beek, M.H.: Systematic evaluation and usability analysis of formal methods tools for railway signaling system design. IEEE Trans. Softw. Eng. 48(11), 4675–4691 (2022)
Ferrari, A., Mazzanti, F., Basile, D., ter Beek, M.H., Fantechi, A.: Comparing formal tools for system design: a judgment study. In: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, ICSE 2020, pp. 62–74. Association for Computing Machinery, New York (2020)
Haxthausen, A.E., Fantechi, A., Gori, G.: Decomposing the verification of interlocking systems. In: Haxthausen, A.E., Huang, W., Roggenbach, M. (eds.) Applicable Formal Methods for Safe Industrial Products. LNCS, vol. 14165, pp. 96–113. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-40132-9_7
Haxthausen, A.E., Fantechi, A.: Compositional verification of railway interlocking systems. Formal Aspects Comput. 35(1) (2023). https://doi.org/10.1145/3549736
James, P., Möller, F., Nguyen, H.N., Roggenbach, M., Schneider, S., Treharne, H.: Decomposing scheme plans to manage verification complexity. In: Schnieder, E., Tarnai, G. (eds.) 10th Symposium on Formal Methods for Automation and Safety in Railway and Automotive Systems, FORMS/FORMAT 2014, pp. 210–220. Institute for Traffic Safety and Automation Engineering, Technische Univ. Braunschweig (2014)
Limbrée, C., Cappart, Q., Pecheur, C., Tonetta, S.: Verification of railway interlocking - compositional approach with OCRA. In: Lecomte, T., Pinger, R., Romanovsky, A. (eds.) RSSRail 2016. LNCS, vol. 9707, pp. 134–149. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33951-1_10
Limbrée, C., Pecheur, C.: A framework for the formal verification of networks of railway interlockings - application to the Belgian railway. Electron. Commun. Eur. Assoc. Study Sci. Technol. 76 (2018)
Limbrée, C.: Formal verification of railway interlocking systems. Ph.D. thesis, UCL Louvain (2019)
Macedo, H.D., Fantechi, A., Haxthausen, A.E.: Compositional verification of multi-station interlocking systems. In: Margaria, T., Steffen, B. (eds.) ISoLA 2016. LNCS, vol. 9953, pp. 279–293. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47169-3_20
Macedo, H.D., Fantechi, A., Haxthausen, A.E.: Compositional model checking of interlocking systems for lines with multiple stations. In: Barrett, C., Davies, M., Kahsai, T. (eds.) NFM 2017. LNCS, vol. 10227, pp. 146–162. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57288-8_11
Nguyen, A.N.A., Eilgaard, O.B.: Development and use of a tool supporting compositional verification of railway interlocking systems. Technical report, DTU Compute, Technical University of Denmark (2020). https://findit.dtu.dk/en/catalog/5f181f35d9001d016b4e1f3b
The RAISE Language Group: George, C., et al.: The RAISE Specification Language. The BCS Practitioners Series, Prentice Hall Int. (1992)
Vu, L.H., Haxthausen, A.E., Peleska, J.: A domain-specific language for railway interlocking systems. In: Schnieder, E., Tarnai, G. (eds.) 10th Symposium on Formal Methods for Automation and Safety in Railway and Automotive Systems, FORMS/FORMAT 2014, pp. 200–209. Institute for Traffic Safety and Automation Engineering, Technische Universität Braunschweig (2014)
Vu, L.H., Haxthausen, A.E., Peleska, J.: A domain-specific language for generic interlocking models and their properties. In: Fantechi, A., Lecomte, T., Romanovsky, A. (eds.) RSSRail 2017. LNCS, vol. 10598, pp. 99–115. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68499-4_7
Vu, L.H.: Formal development and verification of railway control systems - in the context of ERTMS/ETCS level 2. Ph.D. thesis, Technical University of Denmark, DTU Compute (2015)
Vu, L.H., Haxthausen, A.E., Peleska, J.: Formal modelling and verification of interlocking systems featuring sequential release. Sci. Comput. Program. 133, Part 2, 91–115 (2017)
Winter, K.: Optimising ordering strategies for symbolic model checking of railway interlockings. In: Margaria, T., Steffen, B. (eds.) ISoLA 2012. LNCS, vol. 7610, pp. 246–260. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34032-1_24
Acknowledgements
The authors would like to thank (1) Jan Peleska and Linh H. Vu together with whom Anne Haxthausen developed the RobustRailS verification method and tools, (2) Hugo D. Macedo, who contributed to the initial work on the applied compositional method, and to (3) Anna Nam Anh Nguyen and Ole Eilgaard for their network cutter tool which we have integrated in our decomposer tool. The contribution by the second and third author was carried out within the MOST – Sustainable Mobility National Research Center and received funding from the European Union Next-GenerationEU (Piano Nazionale di Ripresa e Resilienza (PNRR) – Missione 4 Componente 2, Investimento 1.4 – D.D. 1033 17/06/2022, CN00000023). This manuscript reflects only the authors’ views and opinions, neither the European Union nor the European Commission can be considered responsible for them.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Haxthausen, A.E., Fantechi, A., Gori, G., Mikkelsen, Ó.K., Petersen, SA. (2023). Automated Compositional Verification of Interlocking Systems. In: Milius, B., Collart-Dutilleul, S., Lecomte, T. (eds) Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification. RSSRail 2023. Lecture Notes in Computer Science, vol 14198. Springer, Cham. https://doi.org/10.1007/978-3-031-43366-5_9
Download citation
DOI: https://doi.org/10.1007/978-3-031-43366-5_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-43365-8
Online ISBN: 978-3-031-43366-5
eBook Packages: Computer ScienceComputer Science (R0)