Verification of railway interlocking - Compositional approach with OCRA by Limbree, Christophe et al.
Verification of railway interlocking -
Compositional approach with OCRA
Christophe Limbre´e1, Quentin Cappart1, Charles Pecheur1, and
Stefano Tonetta2
1 Universite´ catholique de Louvain, Louvain-La-Neuve, Belgium
{quentin.cappart|christophe.limbree|charles.pecheur}@uclouvain.be
2 Fondazione Bruno Kessler, Trento, Italy
tonettas@fbk.eu
Abstract. In the railway domain, an electronic interlocking is a com-
puterised system that controls the railway signalling components (e.g.
switches or signals) in order to allow a safe operation of the train traffic.
Interlockings are controlled by a software logic that relies on a generic
software and a set of application data particular to the station under
control. The verification of the application data is time consuming and
error prone as it is mostly performed by human testers.
In the first stage of our research [?], we built a model of a small Belgian
railway station and we performed the verification of the application data
with the nusmv model checker. However, the verification of larger sta-
tions fails due to the state space explosion problem. The intuition is that
large stations can be split into smaller components that can be verified
separately. This concept is known as compositional verification. This ar-
ticle explains how we used the ocra tool in order to model a medium
size station and how we verified safety properties by mean of contracts.
We also took advantage of new algorithms (k-liveness and ic3) recently
implemented in nuxmv in order to verify LTL properties on our model.
1 Introduction
In the railway domain, an interlocking is a signalling subsystem that controls the
routes, the switches and the signals before allowing a train through a station.
Computer-based interlockings are configured based on a set of application data
particular to each station. The safety of the train traffic relies on the correctness
of the application data. Usually, the application data are prepared manually and
are thus subject to human errors. For example, some prerequisites to the clear-
ance (e.g. green light) of the origin signal of a route can be missing. This kind
of error can easily be discovered by a code review or by testing on a simulator.
However, errors caused by concurrent actions (e.g. route commands) are much
harder to find. In this case, the combination of possible concurrent actions ex-
plodes quickly and testing all possible combinations manually is impracticable.
The goal of our research is to develop a method based on model checking in
order to verify the application data. Especially, our approach must scale-up and
allow the verification of real size interlocking areas.
ar
X
iv
:1
60
5.
06
24
5v
1 
 [c
s.S
E]
  2
0 M
ay
 20
16
In a previous work [?], we built a model of a small Belgian railway station
and we performed the verification of the application data with the nusmv model
checker. However the verification of larger stations fails due to the state space
explosion problem: the models are too big so that the model checker does not
give a result in reasonable time. In this paper, we therefore tackle the problem
with a compositional approach. The intuition is that large stations can be split
into smaller components that can be verified separately. We report on the us-
age of the ocra tool in order to model a medium size station and on how we
verified safety properties by mean of contracts. We also took advantage of new
algorithms (k-liveness and ic3) recently implemented in nuxmv in order to verify
LTL properties on our model.
Outline The paper is structured as follows. In Section 2, we give a brief overview
of the formal techniques that have been used in the case study. In the Section 3,
we describe our model and the new features that we have added compared to our
first model. In Section 4, we explain our verification strategy for larger stations.
In Section 5, we discuss the performance of our verification approach and show
how counter examples are produced when we insert errors in the application
data. References to related work are provided in Section 7.
2 Contract Based Verification
2.1 Symbolic Model Checking
Model checking [?] is a method to formally verify that a system is correct.
In symbolic model checking [?], a system M is described by a finite set V of
variables, the initial states are represented by a formula I over V , while the
transitions by a formula T over the variables V and V ′, where V ′ represent the
value of V after a transition. In the scope of this paper, we consider finite-state
systems. Thus, without loss of generality, we can consider V as Boolean variables
and formulas in propositional logic.
A state is an assignment to the variables in V . An initial state is a state that
satisfies I. A transition is a pair of states that satisfy T . A path is a sequence
σ = s0, s1, s2, . . . of states such that s0 is an initial state (s0 |= I) and, for every
i ≥ 0, si, si+1 is a transition (si, si+1 |= T ). A state s is reachable if there is a
path s0, s1, s2, . . . such that s = si for some i ≥ 0.
In this paper, we specify transition systems in SMV [?], the input language
of different model checkers such as nusmv [?] and nuxmv [?]. Safety properties
have been formalized by invariants, i.e. formulas over V that must be satisfied
by all reachable states. Temporal properties have been formalized into LTL [?],
which uses temporal operators to specify the temporal evolution of the transition
system. The typical LTL formula we consider is in the form G (φ1 → Fφ2), where
φ1 and φ2 are state formulas over V . It means that whenever φ1 is true along
an execution, φ2 is true in a state that follows along the trace.
2.2 nuXmv: Verification of Components with K-Liveness and IC3
In the case study we use nuxmv to prove invariants and LTL properties. In par-
ticular, we use the IC3 algorithm to prove invariants and the k-liveness algorithm
for LTL properties.
IC3 [?] is a SAT-based algorithm for the verification of invariant properties of
transition systems. Very briefly, the idea of IC3 is to build iteratively a sequence
of formulas F0, F1, . . . , Fk such that i) F0 = I, ii) for all i > 0, Fi is a set of
clauses, iii) Fi |= Fi+1, iv) Fi(V ) ∧ T (V, V ′) |= Fi+1(V ′), and v) for all i < k,
Fi |= P where P is the property that we want to verify. The formulas Fi are
therefore over-approximations of the state space reachable in up to i transitions.
They are iteratively strengthened and extended by generalizing clauses while
disproving candidate counterexamples. The procedure terminates when either a
counterexample is found or when Fi = Fi+1 for some i so that Fi is an inductive
invariant that proves P .
In [?], IC3 has been integrated with predicate abstraction (PA) [?]. The ap-
proach leverages Implicit Abstraction (IA) [?], which allows to express abstract
transitions without computing explicitly the abstract system, and is fully incre-
mental with respect to the addition of new predicates.
k-liveness [?] reduces liveness to a sequence of invariant checking. It uses a
standard approach to reduce LTL verification for proving that a certain signal
f is eventually never visited (F G ¬f). The key insight of k-liveness is that,
for finite-state systems, this is equivalent to find a K such that f is visited at
most K times, which in turn can be reduced to invariant checking. k-liveness is
therefore a simple loop that increases K at every iteration and calls a subroutine
safe to check the invariant. In particular, the implementation in [?] uses IC3 as
safe and exploits the incrementality of IC3 to solve the sequence of invariant
problems in an efficient way.
2.3 OCRA: Contract-Based Compositional Approach
In this paper, we adopt a compositional contract-based approach and we use the
framework supported by the ocra tool [?]. In particular, we specify component
interfaces in terms of Boolean data ports and LTL contracts.
The ocra input language is a component-based description of the system ar-
chitecture where every component is associated with one or more contracts. Each
contract consists of an assumption and a guarantee specified as LTL formulas.
The assumption represents a requirement on the environment of the component.
The guarantee represents a requirements for the component implementation to
be satisfied when the assumption holds.
When a component S is decomposed into subcomponents, the contract re-
finement ensures that the guarantee of S is not weakened by the contracts of
the subcomponents while its assumption is not strengthened. This is checked
independently from the actual implementation of the components and is verified
by means of a set of proof obligations in LTL, which are discharged with model
checking techniques [?].
ocra allows to associate to a component a behavioral model representing
its implementation. The language used for the behavioral model is SMV. ocra
checks if the SMV model is a correct implementation of the specified component
simply calling NuSMV to verify if the SMV model satisfies the implication A→
G for every contract 〈A,G〉 of the component.
3 System and Model Description
In this section, we describe the station, the model, and two new features of our
model that are the directional locking and the sequential release.
3.1 The Station
Braine l’Alleud station, shown in Fig. 1, is a medium size Belgian railway sta-
tion comprising 32 routes, 12 switches, 12 signals, and 4 platforms (101-104).
A platform is a section of pathway, alongside rail tracks at a railway station,
metro station or tram stop, at which passengers may board. A route is a line of
railway track between two signals on a rail system (e.g. route R CC 102 from
signal CC to track 102 - signal JC). The station can be decomposed into two
separate nearly symmetrical parts comprising 16 routes each: M1 and M2.
091
092
011
012
T_02BCT_01AC
T_01BC
T_
04
C
T_11BC
T_10C
T_07BC
T_07AC T_08BC
T_09C
A BBSI
DX-C
E-C I-C
C-C
CG-C
CX-C
J-C KX-C
K-CJX-CDC
F-C
101
102
103
104
M1 M2
Fig. 1: Track layout of Braine station
3.2 Composite System
The two parts of the station (i.e. M1 and M2) are not totally independent but
have interfaces. These interfaces materialize a mutual exclusion mechanism pre-
venting two trains to head for a platform in opposite direction at the same time
(e.g. routes CC 101 and KC 101). Such routes are called conflicting routes. The
exercise then consists in defining the system and its components, the interaction
among the components, and try to prove some global properties on the system
by making assumptions on the environment of each component.
The cuts (i.e. M1 and M2) are chosen so-that: 1) the number of interface
variables is minimum, and 2) it sticks to the principle of distribution between
interlockings applied in larger stations. The same principle will be applied to two
interlockings sharing a section. As shown in Fig. 2, the system is made of three
components: M1, M2, and C1. Partial Listing 1.1 shows how the components,
and the interfaces are defined in ocra. The components: M1, M2, and C1 are
implemented in SMV language.
1 COMPONENT BraineLL system
2
3 REFINEMENT
4
5 SUB Bra ineLe f t : M1;
6 SUB BraineRight : M2;
7 SUB C o n t r o l l e r : C1 ;
8
9 CONNECTION Bra ineLe f t . BSIB 101 := BraineRight . BSIB 101 ;
10 . . .
11
12 COMPONENT M1
13
14 INTERFACE −− From Environment
15 INPUT PORT BSIB 101 : boolean ;
16 . . .
17
18 COMPONENT M2
19
20 INTERFACE −− From Environment
21 OUTPUT PORT BSIB 101 : boolean ;
22 . . .
Listing 1.1: System definition in ocra
The components are defined by means of the SUB keyword. The interfaces
are defined as INPUT or OUTPUT (e.g. BSIB 101 is an output for M1 and
and an input for M2). The INPUT and OUTPUT are connected by mean of
the CONNECTION keyword.
Figure 2 shows how the components are connected by interfaces. The L CS
OUTPUT variable (=TRUE) is an output of the system and states that the
route is set and the origin signal at proceed aspect (e.g. the route R CC 102 is
set and signal CC is green). The Controller outputs the cmdR variable stating
that the controller has issued a route command. The Rongo{1,2} INPUT vari-
able provides an acknowledgement that the route command has been properly
processed by the interlocking. The two M1 and M2 interlocking components
exchange the state of the platform track-circuits and the state of the BSI. A
track-circuit is an electrical circuit that detects the presence of train in a block
of track. The four track-circuits at the platform can be occupied by a train
running in either M1, or M2. The BSI variable allows for mutual exclusion of
conflicting routes leading to the same platform. The principle of functioning of
the BSI is explained in Sect. 3.4.
BraineLeft BraineRight
System
T_10[1-4]_1
T_10[1-4]_2
BSIA_10[1-4]
BSIB_10[1-4]
L_CS forall routesL_CS forall routes
Rongo1 cmdR forall routes Rongo2
Controller
Fig. 2: Architecture of the composite system
3.3 M1 and M2 models
Figure 3 depicts the internal architecture of the M{1,2} component. Each com-
ponent is implemented in an SMV model. All the modules represent a function
achieved by the interlocking except for the train module. In fact the train module
allows to simulate the interact of the interlocking with its environment.
Track
components Trains
2 3
M2 cmdR
T_10[1-4]
BSIX_10[1-4] Input
Output
Interlocking 1
SMV
mod.
Fig. 3: Architecture of the SMV interlocking model
The interlocking module is directly translated from the application data by
mean of a translator tool described in [?] and models the routes and the locking
logic of the switches. Upon a route request, the interlocking (1) verifies that
the route can be set and then controls the track components accordingly. A
proceed aspect (e.g. green) is sent to the origin signal of the route when the
switches are locked in correct position and the track-circuits are clear (i.e. no
other train is present on the route). Finally the interlocking detects the trains
movement, releases the route and unlocks the resources used by the route. The
track components (2) record the status of the track-side objects. For example:
for a switch upon a command, the instance verifies that it is not locked before
allowing the transition from one position to the other (e.g. left to right). The train
modules (3) rely on the track layout of the station. When a signal is at proceed
aspect, it simulates a train movement by actuation of the track components.
This module is built independently of the application data by mean of a DSL
(Domain Specific Language). The train module is local to M{1,2} as it is built
based on the track layout of its component.
3.4 BSI Interface Explained
In order to prevent head to head train collisions, the interlocking use a locking
mechanism (i.e. BSI - Blocage du sens intermittent in French) that prevent two
train to head for the same platform in opposite direction. Fig. 4 illustrates how
the BSI variables are actuated upon a route command.
For each platform, two locking variables are used (e.g. BSIA 102 and BSIB 102
for platform 2). When no route is set towards platform 102 , the two variables
have a permissive value (Free). Upon a route command (e.g. R CC 102), the
BSIA 102 variable is set in a restrictive state (Locked). The routes in opposite
direction (e.g. KC 102) are thereby blocked and the signal KC can never be
commanded to a proceed aspect (e.g. green). The BSIA 102 variable regains its
permissive value when the train has reached platform 102.
BSIA 102 f
BSIB 102 f
BSIA 102 l
BSIB 102 f
BSIA 102 f
BSIB 102 l
R CC 102 cmd
R KC 102 cmd
Train has reached platform 102
Train has reached platform 102
Fig. 4: Directional locking for platform 102
3.5 Sequential Release
When the interlocking grants access to a route, it locks all the resources that
will be run through by the train: typically all the switches and the track-circuits.
This prevents different routes that share those resources to be set at the same
time. Such routes are called conflicting routes. Normally those resources are un-
locked when the train has completely run through the route. They then become
available for other routes. In large stations, it might be interesting to unlock the
resources sequentially allowing them to be used by other routes before the train
has totally run through. This contributes to improve the train traffic.
The principle of sequential release is illustrated in Fig. 5: the first route
R DXC 091 is set and prevents the second route R DXC 092 to be set. The
following switches are locked: P1A: left, P2B: right, and P3: right. According to
the sequential release principle, the second route is set when the train T2 is on
the track-circuit T 01AC and when the track-circuit T 02BC is free.
CX-C
C-C
091
092
T_01BC
T_02BCT_01AC
102
101
1) R_DXC_091
2) R_DXC_092
T2
P1A
P1B P2A
P2B
P3
T1DX-C
D-C
Fig. 5: Sequential release example
4 Verification
The decomposition of one interlocking into several components allows to perform
the verification on smaller models (one for each component) and thus limits the
so-called state space explosion problem. Therefore we have used two different
methods to verify the application data of Braine station: the first takes advantage
of the ocra compositional verification tool and the second uses the nuxmv tool
to verify local properties.
The compositional verification applies to the safety properties that imply
an interaction between the two components. Those properties are expressed by
mean of contracts. An example of contract is given in Listing 1.2.
A second set of properties are verified straight on each component (i.e. M1
and M2) with nuxmv. Several instances of nuxmv can be started at the same
time in order to reduce the computation time of the verification.
4.1 Compositional Verification
Conflicting Routes Controlled by Two Different Components The routes
R CC 101 and R KC 101 are conflicting because they share the same plat-
form as a destination and the corresponding safety property is expressed by the
formula: P = G!(R CC 101 LCS & R KC 101 LCS) - routesTowards 101 in
Listing 1.2. Equation (4.1) shows how this property is verified by composition of
the M1 and M2 modules. The first premise states that when the route R CC 101
is set and origin signal is clear (i.e. R CC 101 LCS is true), the mutual exclusion
property (!BSIA 101 & BSIB 101) is true. The second premise states the same
property (P2) for the route R KC 101. P1 and P2 are respectively CC 101 OK
and KC 101 OK in Listing 1.2. ocra performs the verification of these two prop-
erties with nuxmv. The third premise states that the first two premises entail
the global property P . Finally when all three premises are true, the composition
of the components M1 and M2 verifies the global property P .
In other words, if each component (i.e. M1 and M2) properly blocks the
access to a shared platform when it controls a route, then the other component
will not be able to control a conflicting route for the same platform.
(Premise 1) M1 |= P1
(Premise 2) M2 |= P2
(Premise 3) P1 ∧ P2 |= P
M1‖M2 |= P
Equation 4.1: Compositional verification of conflicting routes property involving
the M1 and M2 components
1 CONTRACT routesTowards 101
2 assume : always TRUE;
3 guarantee : always ( R KC 101 LCS −> ! R CC 101 LCS ) ;
4
5 CONTRACT routesTowards 101
6 REFINEDBY M1. CC 101 OK , M2. KC 101 OK ;
7
8 CONTRACT CC 101 OK
9 assume : TRUE;
10 guarantee : always ( R CC 101 LCS −> ( ! BSIA 101 & BSIB 101 ) ) ;
11 CONTRACT KC 101 OK
12 assume : TRUE;
13 guarantee : always ( R KC 101 LCS −> ( ! BSIB 101 & BSIA 101 ) ) ;
Listing 1.2: Contract definition for conflicting routes towards platform 101
involving the M1 and M2 components
Listing 1.2 illustrates how the conflicting routes contract for the routes
R KC 101 and R CC 101 is specified. First a top level contract (routesTo-
wards 101) specifies that the two routes cannot be set at the same time. The
top level contract is then refined by two contracts that apply on M1 and M2:
KC 101 OK and CC 101 OK respectively. These two contracts allow to verify
that the M1 and M2 components handle the BSI locking mechanism properly.
The syntax of the language is given in ([?]).
4.2 Local Safety Properties
The term Local Properties designates the properties that are not influenced by
the environment of the component on which they are verified. Those properties
are verified on each component SMV model with nuxmv. Due to the space
limitation, those properties will not be explained in detail but examples are
provided in Listing 1.3. They are expressed in two different ways:
– By mean of invariants (lines 1 to 5)
– By mean of LTL formulas and especially by using the ic3 algorithm (lines 6
and 7)
1 check invar −p ” ! (M1. t1 . f r o n t = d e r a i l e d ) ”
2 check invar −p ” ! (M1. t1 . f r o n t = M1. t2 . f r o n t ) ”
3 check invar −p ” ! ( (M1. T 01AC . s t = o ) & M1. P 01AC . willMove ) ”
4 check invar −p ” (M1. R CXC 103 . L CS −> !M1. R EC 091 . L CS) ”
5 check invar −p ” (M1. f 1 . U CXC 13C . s t = l −> (M1. f 1 . U 13C 15C . s t
= l xor M1. f 1 . U 13C DXC . s t = l ) ) ”
6 c h e c k l t l s p e c k l i v e −p ”G (M1. U IR 01AC . s t = l −> ( (M1. P 01AC .
pos i = cdr −> X M1. P 01AC . pos i = cdr ) & (M1. P 01AC . pos i =
cdn −> X M1. P 01AC . pos i = cdn ) ) ) ”
7 c h e c k l t l s p e c k l i v e −p ”G( (M1. T 01AC . s t = o & M1.TRP CC. krc =
s ) −> X ( !M1. R CC 101 . L CS & !M1. R CC 102 . L CS & !M1.
R CC 103 . L CS & !M1. R CC 104 . L CS) ) ”
Listing 1.3: Local properties
Explanation of the properties:
– Line 1: the train never derails. A derailment happens when a train takes a
trailing point in reverse direction.
– Line 2: two trains never collide. This is done by verifying that their front
never reaches the same track segment at the same time.
– Line 3: a point never move when its home track-circuit is occupied.
– Line 4: conflicting routes are not set at the same time. This formula verifies
the same property as the contracts defined in ocra.
– Line 5: the sub-routes are released in the correct sequence.
– Line 6: a point never moves when its latching variable is in restrictive state.
These formulas are checked by mean of k-liveness (see [?])
– Line 7: signal replacement. The origin signal of a route is immediately com-
manded to red (replaced) when the train occupies the first track-circuit of
the route and has triggered the first passage sensor. This prevents a second
train to use the same authorization (i.e. signal green).
5 Results and Performance
In this section, we discuss the performance of our verification approach based on
composition and local verification. We also illustrate how we validate the model
and the properties by error seeding.
5.1 Performance
The tests were performed on 2.3 GHz i7 MacBookPro with 4 GB of RAM running
under OS 10.11. Tables 1, 2, and 3 illustrate the results (in terms of computation
time), which we achieve using different methods and different models. “BDD”
refers to the fix-point algorithm using BDDs (see [?]); “SAT(ic3)” refers to the
ic3 algorithm using a SAT solver as backend (see [?]); “SMT(ic3)” refers to the
ic3 algorithm integrated predicate abstraction using an SMT solver as back-end
(see [?]).
Table 1: Performance of the verification of invariants on monolithic models
Model Tool Method Properties Duration
1 Monolithic model NuSMV BDD Invariants > 1 day
2 Partial monolithic model NuSMV BDD Invariants > 1 day
3 Monolithic model NuXMV SAT(ic3) 10 × Invariants 123 sec
4 Monolithic model NuXMV SMT(ic3) 10 × Invariants 80 sec
Table 1 reports the performance of the verification of the application data for
the station described in Section 3. Line 1 shows that nusmv could not terminate
in one day. After reducing the size the state space by allowing only 16 routes to
be commanded, nusmv could build the reachable state space in 6 days and verify
invariants (line 2). One of the features of ocra is to allow to rebuild a monolithic
(32 routes) model based on the definition of the system. The verification of
invariants is therefore possible. The results clearly show that ic3 with predicate
abstraction performs better than plain ic3, and that both outperform the BDD-
based algorithm on this case study.
Table 2: Performance of the verification of the contracts by ocra
Model Tool Method Properties Duration
5 Contract refinement ocra - 4 × Contracts 7,34 sec
6 Implementation M1 ocra ic3 4 × Contracts 5,6 sec
7 Implementation M2 ocra ic3 4 × Contracts 14,94 sec
8 Composite monolithic ocra ic3 4 × Contracts 1242 sec
Table 2 illustrates the performance of the verification of the contracts and
their implementation. Line 5 corresponds to the verification of the premise 3
of Equation (4.1) (P1 ∧ P2 |= P ). Lines 6 and 7 are respectively related to the
verification of the premisses 1 and 2 (M1 |= P1 and M2 |= P2). The sum of the
duration of these 3 tasks gives the time needed by ocra to check the coherence
between the contracts and their implementation in the SMV models (i.e. ≤ 28
sec). This time is to be compared with the 1242 sec needed by ocra to verify
the same contracts and implementations on a monolithic model.
Table 3: Performance of the verification of the local properties
Model Tool Method Properties Duration
9 M1 NuXMV BDD 197 × Invariants 123 sec
10 M2 NuXMV BDD 199 × Invariants 424 sec
11 M1 NuXMV SAT(ic3) 12 × LTL 960 sec
12 M1 NuXMV SMT(ic3) 12 × LTL 20 sec
13 M2 NuXMV SAT(ic3) 12 × LTL 1036 sec
14 M2 NuXMV SMT(ic3) 12 × LTL 740 sec
Finally Table 3 illustrates the verification of the local safety properties on
the M1 and M2 components. Two approaches are used: first some invariants are
verified with nuxmv and the standard BDD and second 12 LTL properties are
verified with the ic3 algorithm. An order file based on [?] is used to optimize the
BDD structure. ic3 with abstraction and the SMT MathSAT solver outperforms
ic3 with MiniSAT in this context in an order of magnitude close to 50.
5.2 Error Seeding
In order to gain confidence in our model and properties, we have seeded errors
in the model by removing some safety conditions in the route proving condi-
tions3. As expected, ocra could not prove the safety property and produced a
counterexample. Listing 1.4 shows that the property is false (line 1) because the
route R KXC 101 is set (line 30) whereas the BSIB 101 is TRUE (line 5).
3 Conditions to give a proceed aspect on origin signal of the route.
1 LTL spec G (R KXC 101 LCS −>
( ! BSIB 101 & BSIA 101 ) ) i s
f a l s e
2 Trace Desc r ip t i on : IC3
counterexample
3 −> State : 2 . 1 <−
4 . . .
5 BSIB 101 . s t = TRUE
6 . . .
7 −> Input : 2 . 2 <−
8 cmdR = R KXC 101
9 −> State : 2 . 2 <−
10 R KXC 101 . cmd = TRUE
11 . . .
12 −> Input : 2 . 3 <−
13 cmdR = R KXC 103
14 −> State : 2 . 3 <−
15 R KXC 101 . s t = s
16 . . .
17 −> State : 2 . 4 <−
18 U IR 09C . s t = l
19 U IR 07BC . s t = l
20 BSIA 101 = TRUE
21 U IR 07AC . s t = l
22 U 16C JXC . s t = l
23 U 18C 16C . s t = l
24 U KXC 18C . s t = l
25 . . .
26 −> State : 2 . 5 <−
27 R KXC 101 . s t = rsu
28 T 101 . s t = c
29 T 101 1 = FALSE
30 R KXC 101 LCS = TRUE (
Route i s s e t )
31 KXCopen = TRUE
Listing 1.4: Error trace generated after
error seeding in the model
6 Related Work
Many works applied model checking to interlocking systems. One of the first
work dates back to 1998 and is described in [?]. However, as also concluded
in [?], although small scale interlocking systems can be addressed by model
checking, interlockings that control medium or large railway needs to tackle the
state-space explosion problem. As shown also in [?], a single approach is often
not sufficient to prove all properties and sometimes a combination of approach
may dramatically improve the performance.
Compositional approach is one method to reduce the complexity of the ver-
ification but is not the only one. For instance, Cappart et al. [?] introduced a
method based on discrete event simulations. The idea is to do not verify all
the states but to limit the verification to a set of likely scenarios. However this
method does not provide enough confidence that all the errors in the application
data will be detected.
In [?,?], Winter shows how to compute optimized variable and transition
orderings in order to speed-up the symbolic model checking of railway interlock-
ings with NuSMV. She also reported on her findings on how to set the threshold
for cluster.
In [?], Winter et al. modelled the interlocking by means of the formal notation
ASM that are more readable. The formal model is translated in NuSMV code
and the Safety requirements are expressed in CTL.
In [?], Peter Duggan (Siemens Rail Automation, UK) and Arne Bora¨lv
(Prover Technology AB, Sweden) have demonstrated that the Prover4 tools were
4 http://www.prover.com
successfully used to generate and test the configuration data of a realistic size
UK station.
In [?], Haxthausen et al. detailed how they modelled an ETCS level 2 com-
patible Danish interlocking with the RT-Tester. The state space, the transition
relation and the safety properties are efficiently evaluated by the SMT solvers
that support bit vector and integer arithmetic. The model also include the se-
quential release feature.
In [?], Xu et al. verifies hybrid safety properties of Automatic Collision Avoid-
ance System (ACAS) in the European Train Control System (ETCS). They
verify those properties using Compositional Verification rules based on weakly
monotonic time extension.
In [?], Antoni et al. have developed a SIL4 interlocking that uses the Petri
Nets as application data. In [?], Dutilleul et al. have also used the Petri Nets in
order to define a model pattern of railway interlocking.
7 Conclusions and Future Work
Conclusions
The verification of medium and large interlocking data is still a challenge due
to the state space explosion problem affecting the model checking process. Our
main contribution was to achieve the verification of the application data of a
medium size railway interlocking by mean of compositional verification. In order
to do that, we modelled our case study interlocking as a composite of smaller
interlocking components in ocra and SMV language. The verification of the
safety properties (expressed as contracts) was performed with ocra and nuxmv
tools.
We have also added the sequential release functionality into our interlock-
ing model. This functionality allows to increase the throughput of the railway
network by releasing the route components earlier.
Finally, we have achieved the verification of LTL properties in efficient time
thanks to the usage of the new ic3 algorithm implemented into nuxmv. The ver-
ification of the local components can be paralleled by running several instances
of nuxmv at the same time.
Future work
In our future work, we will continue to refine the structure of the interlock-
ing composite into adequate components (e.g. train). Our goal is to be able to
verify safety properties on a network of interlockings by mean of compositional
verification.
We will continue to develop the automatic translator tool in order to convert
the application data of a network of interlockings into ocra language.
Another goal is to develop a model of an IL/ETCS installation in order to
verify safety properties related to the train dynamic characteristics (i.e. speed
and position). In order to do that we will extend our train module in order to
make it continuous.
