Chapter 5: The Vital Processor Interlocking  by van Vlijmen, S.F.M. et al.
Electronic Notes in Theoretical Computer Science  
URL httpwwwelseviernllocateentcsvolumehtml  pages
Chapter 5
The Vital Processor Interlocking
S.F.M. van Vlijmen

Faculty of Philosophy, Utrecht University
Heidelberglaan, CS Utrecht, The Netherlands
with J.F. Groote and J.W.C. Koorn
Abstract
This document is one of the parts of the electronic version of the PhD thesis by S.F.M. van Vlijmen. The goal of the PhD project was to get a better understanding of the problems with the integration of formal specification technique in the day to day software practice. The approach followed was to execute a number of projects in cooperation with industry on realistic cases.
This document reports on the modelling of a railway safety and control system in μCRL and the specification of a set of practically relevant safety criteria in the modal logic for μCRL. Next the means for verification of the criteria on the model are discussed. Reported is on tests of the verification of a small number of criteria on a model of an actual safety system. Finally the case study is evaluated.
Train movement at the Dutch station Hoorn-Kersenboogerd is partly controlled by a system called the Vital Processor Interlocking (VPI). It forms an important subject in the cooperation with the Engineering Department and the Rail Infrabeheer Department of the Dutch Railway Company, which started in the Fall. Today the Engineering Department is a separate company named Holland Railconsult; I will use that name from now on.
A VPI can be characterized as a Programmable Logic Controller (PLC) that is tuned for use in a railway environment. The most important application software loaded into a VPI is called the Vital Logic Code (VLC). The basic VPI is built in the USA by the General Railway Signal Company;


We thank Gea Kolk, Robert Straatman and Peter Musters of Holland Railconsult for documentation, test data and numerous discussions on the VPI and on railway safety requirements.

VPI and Vital Processor Interlocking are registered trademarks of the General Railway Signal Company.

© Published by Elsevier Science B.V. Open access under CC BY-NC-ND license.
SFM van Vlijmen
Figure: Main layers in a railway yard control system (Logistical layer, Interlocking layer and Infrastructure layer, from top to bottom).
application programming for VPI is done by or under supervision of Holland Railconsult.
The construction of control systems for railway yards is an intricate task at which railway companies have reached a high level of safety and precision. To keep up this high level of quality and to keep costs under control, the railway parties mentioned are looking for techniques that can help to design and validate the new computerized control equipment meticulously, quickly and cheaply. This has motivated us to investigate whether formal specification technique could be of any help. Work on the VPI began in the early part of the year, hence partly in parallel to the study on IDEAL (Section of Chapter of the thesis). This chapter is based on earlier publications.
I start in Section with a general presentation on the type of control system that the VPI belongs to, the interlockings. An introduction to the VPI follows in Section. Then the main features of the VPI and Vital Logic Code for the situation at Hoorn-Kersenboogerd are modelled in μCRL; this is Section. The reader is referred to the literature for information on μCRL and on the modal logic for μCRL. Verification of properties is discussed in Section. We touch there too upon the issue of safe behaviour of a railway yard; for a more elaborate treatment see the literature. An approach using propositional logic that could be followed for the verification of correctness criteria is presented in Section. Tools that could be or have been constructed are discussed in Section. Experiments have shown that it is indeed possible to efficiently verify these correctness criteria. The case is evaluated in Section. In the appendices an example of verification is presented (A), and the full μCRL specification (B) and an SDF specification of a variant of VLC (C) are given.

Interlockings
One could say that the control system of a railway yard, consisting of people and machinery, fulfils three tasks.
First, it has to conceive train movements in accordance with the specific goal the system tries to achieve. This kind of logistical activity is placed in what we will call the logistical layer of the railway yard control system, see Figure. Often the logistical task is carried out by human train managers supported by computer equipment.
Second, train movements have to be performed, that is, the high-level logistical assignments have to be translated into lower level commands to the infrastructure. This task is fully automated.
Third, safety has to be maintained constantly. Abstractly speaking, safety maintenance means no collisions and no derailments. Although this requirement can be stated succinctly at an abstract level, it is a difficult task to translate the safety requirements to requirements expressed in behavioural characteristics of an actual railway yard control system. There are several studies performed in the area of safety requirements capture. Recent and very elaborate work was done by Eriksson.
Interlockings are systems that cover largely the latter two tasks. In Figure the interlocking is the safe medium between the logistical layer and the infrastructure. To illustrate their interrelation, suppose that the logistical layer plans to direct a train T from a certain entrance E of the yard to platform P via a route R. The interlocking layer will receive a request to arrange R. This means that a myriad of things have to be checked (e.g. are all the track sections free), have to be set (e.g. points (switches) and signals), and have to be put in position and locked (i.e. no other route can occupy infrastructure that is used for R). If this has all been performed successfully, the train can follow R.
Of course the logistical layer, too, is dedicated to safety. However, the interlocking has the final word with respect to safety. The border between the layers and the task and other responsibilities need not always be as sharp as presented here. The model presented here is, though, often encountered: in the many relay based control systems which are still operational at many places, in the VPI, and more or less also in the Siemens systems EBS. Trains fit the model in a natural way too. The three layers are recognizable top-down for a train in the driver, the on-board safety equipment (e.g. automated train protection), and the wagons.

Note that references are made to chapters and sometimes to sections that may be stored as separate files at the ENTCS site. The original text has been partitioned into a preface and the Chapters; each part is stored in a separate file and each part has its own bibliography and appendices. To circumvent confusion, a reference to a part of the thesis outside the part at hand is followed by a bibliography style reference.
Related work
Contrary to the other subjects studied by me, railways attract quite some attention in the literature; therefore I devote a separate section to related work. The literature in which railway yards are discussed can roughly be divided into two categories: one in which railway yards are used as a good illustration of general techniques and ideas, and one which focusses specifically on railway related questions.
Examples in the first category are a number of books and papers. These books and papers are mentioned because they highlight a number of important aspects, e.g. specification, correctness criteria, the relation between criteria and implementation, and scheduling optimization. In one of them train sets are studied; a complete specification in Cold is presented of a class of railway yards including trains, a rudimentary user interface and interlocking philosophy. Broy also gives a full presentation, but of a much simpler system, with extra attention to verification of some invariants. Elsewhere a general framework for the requirements analysis of safety-critical systems is presented. A distinction is made between safety requirements and mission requirements. The latter specify the situations that should be avoided, whereas the former, the safety requirements, specify what should happen when something goes wrong after all. In this terminology the requirements on the VPI in this chapter would be categorized as mission requirements. M. Feather discusses how to derive an implementation from a specification, this in contrast to verification of an implementation after some unknown invention process.
In the other category of the literature, research is reported into specific systems being designed or used by railway companies and their suppliers. Here it makes sense to further categorise into elementary unit systems and free wired systems. This distinction is presented in the literature, where it is argued that extrapolation of the two usual approaches, elementary unit and free wired, does not lead to systems which fully exploit the possibilities offered by programmable electronics; a full treatment of interlocking specification and design is given for implementation by means of programmable electronics.
In elementary unit systems every element of the track, e.g. signal and point, is an autonomous device which communicates with neighbouring elements; the layout of the railway yard is reflected in the structure of the interlocking. In the free wired case larger chunks of a railway yard are controlled more or less centrally; the layout of the railway yard is less obvious in the structure. The VPI is typically a free wired control system.
To begin with the elementary unit systems: P. Middelraad of Rail Infrabeheer initiated the development of a language for the specification of these systems. This language is currently in use with Rail Infrabeheer and Holland Railconsult and also received international attention. Formal study of the language is taking place in an academic setting. Siemens is an important supplier of elementary unit based interlockings; among other

Figure: VPIs and their environment. Shown are the Presentation & Scheduling layer, two VPIs, Signal A, Signal B, Point 1 and Point 2, a device to measure occupation of a section and a device to switch a point.
things work has been done on verication by means of process algebra 
A free wired system used in the UK by British Rail is the Solid State
Interlocking SSI  SSIs received considerable attention in the literature see
for instance  The SSI is a more complex machine than the VPI
one reason for this is that the SSI is used to take more complex scheduling
decisions than the VPI Therefore the more involved methods for verication
as presented in these documents were not followed But the route using the
HOL theorem prover seems attractive also in the VPI case  Some Swedish
interlockings seem to have been veried using tautology checking in a way
that is similar to what is presented in this chapter  It is not clear whether
formulas in eg the classes JUST
MF
and NEXT
MF
 see Section  were
veried too Recent work in this tradition was done by Eriksson 
Here a set of requirements for the Swedish situation of type STATIC
MF
is
formulated that seems reasonable complete Also the automated verication
in a system called Delphi is described Finally in France a consortium of GEC
Alsthom Matra Transport and CSEE executed a number of projects in the
railway sector where formal specication and formal verication was applied

Safety and mission requirements are studied in  for the VPI and in a
more general setting in 		 Verication of requirements on VPI appli
cation can be found in 

SFM van Vlijmen
Introduction to the VPI
In this section a short introduction to the VPI is given, i.e. its relation to other rail equipment, its components and its operation. This section does not provide a detailed description of VPIs; detailed information can be found elsewhere. However, the presentation here is sufficient for understanding the main operating principles necessary to understand our approach to specification and verification.
In Figure a schematic view of VPIs and their environment is presented. The box with the text Presentation & Scheduling is the Logistical layer from the introduction; it presents all equipment for interfacing with traffic control personnel, and software for scheduling and routing decisions. At this layer commands are generated to be executed by the track side modules. These commands are all quite simple: turn point x to reverse, or turn signal A to a colour better than or equal to yellow. A VPI can only make some small decisions, e.g. turn a signal red just after a train has passed, or turn A to green (that's better than yellow) if that is considered safe. A VPI acts as an intelligent filter between Presentation & Scheduling and the track side modules. In general one can say that a VPI is not aware of the scheduling, routing or planning strategy, nor of the timetable that has to be followed. Its only responsibility is to guarantee safety of the railroad. Often multiple VPIs are used, each controlling its own set of track side modules. Along a bus VPIs receive commands from the Presentation & Scheduling layer and VPIs supply the Presentation & Scheduling layer with status information. VPIs communicate among themselves on a separate bus.
Operation of a VPI is as follows. A VPI executes control cycles endlessly. In each control cycle a fixed set of inputs is read. The input values are latched; this means that during the rest of the control cycle their value cannot change. Next the VPI sequentially executes a program that takes as arguments the inputs just read, the set of internal variables and the set of outputs. During execution of the program internal variables and outputs may internally change value, but outputs are transmitted simultaneously to the outside world after the program is completely executed. Now some short idle time may follow; a control cycle should take precisely one second. Inputs, internal variables and outputs are essentially all two-valued. Typical inputs are commands from the top layer, measurements from the track side modules and detections of power failure. Typical outputs are status information to the top layer and commands to points and signals.
In the program introduced in the above, control decisions are specified. Here it is decided whether a command from the top layer can safely be executed. When a VPI considers a command unsafe, the VPI just rejects the command. This is not necessarily a hazardous situation; only the top layer is not functioning properly according to the VPI. A hazardous situation occurs

In Figure  point  is normal and point  is reverse

    $X_{f,g} = X_{f,g}(v)$
    $X_{f,g}(s) = \sum_{x \in B^n} \mathit{read}(x) \cdot \mathit{send}(g(f(s,x))) \cdot X_{f,g}(f(s,x))$
Figure: Abstract specification of a VPI
on power failure or when something unexpected is measured. In such a situation emergency actions will be performed; in the worst case all signals are turned red. This may happen when a VPI detects malfunctioning of a power supply or detects some internal failure. If after some fixed period of time everything seems stable again, the VPI continues to regulate.
Specifying a VPI
In the previous section an informal description of the operation of a VPI was given. Furthermore it was pointed out which features of a VPI will be specified. Most freedom is in the way the calculation that takes place in a control cycle is specified and executed. If we abstract from this, the calculation can be viewed as a function f from inputs and the joined set of internal variables and outputs to the set of internal variables and outputs. These observations lead to the following abstract model of a VPI in process algebra.
Let Bool be a set with two distinct elements. Define $B^n$ ($n \in \mathbb{N}$) as the set of vectors of elements from Bool of length $n$. Define STEP as the set of functions $f : B^n \times B^m \to B^m$ for $n, m \in \mathbb{N}$. Define SHOW as the set of functions $g : B^m \to B^k$ for $m, k \in \mathbb{N}$, $k \leq m$. STEP contains next step functions; these functions correspond to VPI programs. SHOW is the set of functions that filter those elements from a vector that are considered outputs.
Let $f \in \mathrm{STEP}$, $f : B^n \times B^m \to B^m$, and $g \in \mathrm{SHOW}$, $g : B^m \to B^k$. Furthermore $s$ is a variable over $B^m$; $v \in B^m$ is an initial state.
A VPI is now characterized as the process defined by $X_{f,g}$ in Figure. This process starts with the initial state $v$. It then reads an arbitrary input vector $x$ from $B^n$. Next it sends a selection $g$ of the new state $f(s, x)$ to the outside world and finally starts all over again from this new state.
This model seems adequate for reasoning about VPIs. A meta assumption is that the time from read action to read action is precisely one second. In Sections and it is elaborated on $f$, its specification and its evaluation. Note that the form of this specification, which seems to be the natural one for a VPI, is close to the UNITY format and the Linear Process

SFM van Vlijmen
Operator. This is interesting because there is some experience with verification of specifications in this format.
Vital Logic Code
VPI programs are specified in a number of files. The most important part of the program is specified in a language which we will call here Vital Logic Code (VLC). In this section some of the syntactical and semantical aspects of VLC are introduced. Other program parts specify e.g. mappings of variable names to hardware ports, and names of input and output ports.
An introduction to VLC seems appropriate because this may clarify the way the specification in μCRL is set up. The text of the VLC program as operational at Hoorn-Kersenboogerd is not presented.
To make it easier for us to work with VPI programs we decided to change the syntax of VLC slightly. There were two reasons for this.

- The layout of VLC is important for the correct interpretation. To illustrate this consider the following expression
      BOOL x = a
      * b
  Here * b is a comment, whereas this is not the case in
      BOOL x = a
        * b
  Here x becomes the value of a * b upon execution. This makes it hard to specify tools with purely context free generators like the ASF+SDF Meta-environment, in which the notion of the beginning of a line does not exist.
- Except for lists of inputs and outputs, most of the contents of the program parts other than the VLC part are not important from a specification and verification point of view.
The syntax of the adapted VLC, which we will call VLC′, is specified in Appendix C in SDF. VLC′ differs in the following respects from VLC:
- The comment convention is changed. Comments start with a ! instead of the *.
- A declaration of inputs is added.
- A declaration of code system inputs is added.
- A declaration of outputs is added.
- VLC′ has constants TRUE and FALSE, whereas VLC does not have these constants. The reason to add them is because simplification of expressions

Inputs are connected to track side devices; code system inputs are connected to the Presentation & Scheduling layer.

  may result in one of these constants. For example, in one of the VLC programs that was studied the following fragment was found
      SWINIT = NOPSTART + NVRDFRNTDI
      OPSTART = SWINIT + OPSTART * VRDFRNTDI
  This always amounts to TRUE as the value that is assigned to OPSTART.
In the rest of the text we will simply consider VPI programs to be expressions in VLC′.


    DIRECT INPUT SECTION
    I
    OUTPUT SECTION
    U
    CODE SYSTEM SECTION
    CURRENT RESULT SECTION
    R
    SELFLATCHED PARAMETER SECTION
    V
    TIMER EXPRESSION RESULT SECTION
    Q
    BOOLEAN EQUATION SECTION
    APPLICATION : Example
    TIME DELAY = 2 SECONDS BOOL Q = I
    BOOL R = Q + V
    BOOL V = Q * NR
    BOOL U = V
    END BOOLEAN EQUATION SECTION
Figure: An example VLC′ program
In Figure an example program is given. There are six variable declaration sections. The most important part of the program is the part below BOOLEAN EQUATION SECTION. This part essentially consists of a list of assignments like BOOL R = Q + V and timer assignments like TIME DELAY = 2 SECONDS BOOL Q = I. Such a list can be cut into sublists by sentences like APPLICATION : Example; these sentences have no operational meaning. The
assignments are executed sequentially and top down. All variables in a VLC program are essentially two-valued and can be considered propositions in the sense of propositional logic. Expressions at the right of the = sign in Figure can easily be interpreted by reading not for N, or for + and and for *. For example Q * NR is read as Q and not R. Timer assignments are slightly more complicated; they delay the assignment of TRUE to the variable at the left hand side by the number of seconds specified in the assignment.
Static semantics
Here a number of static semantic criteria is given. The purpose of this listing is to gain a deeper understanding of the programs in VLC′ and to gain the confidence that the μCRL specification of the VPI at Hoorn-Kersenboogerd models the relevant characteristics. Suppose P is a VLC′ program. Let IN, OUT, CSS, CRS, SLPS and TERS be the sets of the names declared in the DIRECT INPUT SECTION, the OUTPUT SECTION, the CODE SYSTEM SECTION, the CURRENT RESULT SECTION, the SELFLATCHED PARAMETER SECTION and the TIMER EXPRESSION RESULT SECTION of P, respectively.
- The sets IN, OUT, CSS, CRS, SLPS and TERS are mutually disjoint.
- Every variable that occurs in an assignment of P is declared in a variable declaration section of P.
- Every variable in OUT ∪ CRS ∪ SLPS ∪ TERS appears once and only once at the left side of an assignment of P.
- Variables in IN ∪ CSS are not assigned to.
- A variable declared in the CRS is assigned a value before it is referenced.
As a result there are as many assignments as there are variables in OUT ∪ CRS ∪ SLPS ∪ TERS. Outputs are latched and it is allowed to refer to the value of outputs. Therefore one could view them as externally visible self-latched variables.
Interpretation of VLC′ and VPIs in μCRL
In Section an abstract specification of a VPI was given. We will now look closely at the state of a VPI, the modelling of function f and the evaluation of f given some input. A central notion in VLC′ is the boolean variable. Both in the μCRL specification and in propositional logic objects exist that correspond to variables. These objects are called identifiers and atomic propositions, respectively.

In reality the variables are not two-valued. A VPI performs runtime checks and for that purpose extra information is stored. A typical check is on variables in the CURRENT RESULT SECTION: it is checked whether these are not referenced before being assigned a value. Such a variable has the value undefined before it is assigned a value. Furthermore, to handle timer assignments, counters are used.

Notation. Let τ be a type (sort) declared in the μCRL specification in Appendix B. By x ∈ τ is denoted that x is a closed term of type τ. Furthermore, given x, y ∈ τ, with x = y is denoted that x and y are provably equal in the specification.
States
When a VPI starts executing it first sets all variables to F (false). Then it commences with the control cycles. However, in the specification no specific values for identifiers in initial states are specified or requested. The state, i.e. the information that is conveyed from one control cycle to the other, can in general be modelled with a truth valuation for the variables, i.e. with a mapping from variables to the set {T, F}. In the state also temporal information is kept that is necessary for the proper evaluation of the timer assignments like TIME DELAY = 2 SECONDS BOOL Q = I. In simple assignments like V = Q * NR, V is assigned the truth value calculated for Q * NR. A timer assignment delays the assignment of T (true) to the variable at the left side. To illustrate this consider the assignment
    TIME DELAY = 2 SECONDS BOOL Q = I
The following holds: if I evaluates to F then Q becomes F, and if I evaluates to T then Q becomes T iff I evaluated to T in the last 2 control cycles too. To model this information one needs counters. In the specification the state is therefore modelled with a mapping of identifiers to Z. These mappings are specified by type Valuation; terms in Valuation are constructed from the empty list emptyvaluation and a function that adds an Identifier and an Integer to a valuation:
    func emptyvaluation : -> Valuation
         add : Identifier # Integer # Valuation -> Valuation
An example state for the program P in Figure is
    add(Q, int(nat, S(S(nat))), add(V, int(S(nat), nat), emptyvaluation))
Note that Q and V are the only relevant identifiers to keep from control cycle to control cycle: Q and V are the only identifiers that are referenced before being assigned a value. The naturals are specified with zero (nat) and successor function S, i.e. S(x) is the natural that corresponds with x plus 1. For example S(nat) is 1. The integer numbers are specified as a pair of natural numbers; int(x, y) is read as x − y. For example int(nat, nat) is 0 and int(nat, S(S(nat))) is −2. In the rest of the discussion of the VPI the usual numeral notation for integers and naturals is used most of the time. The state above is then somewhat simpler denoted with
    add(Q, −2, add(V, 1, emptyvaluation))
The intuition behind the integers in a valuation is as follows. A value greater than or equal to 1 signals that the corresponding identifier is T; a number less

SFM van Vlijmen
P  add ta Q exI
add aR orexQ exV 
add aV andexQ notexR
add aU exV  emptyprogram
Figure  The example of Figure  in CRL
than or equal to 0 signals that the corresponding identifier is F. What we gain is a combination of a counter and a truth value in one. For example, the value assigned to Q in the above is −2. This signals that in the last control cycle I was F, and therefore the counter of Q was reset to 0 minus the delay of 2 control cycles. Suppose that the input I stays T for some time; then one will see the following states pass by:
    add(Q, −2, add(V, 1, emptyvaluation))
    add(Q, −1, add(V, 0, emptyvaluation))
    add(Q, 0, add(V, 0, emptyvaluation))
    add(Q, 1, add(V, 0, emptyvaluation))
    ...
Note that the truth of I is delayed to have effect on Q.
Modelling of a program
In this section the focus is on the modelling of a program in μCRL. A first step is a simplification of VLC′. In the μCRL specification no variable declaration sections are specified. They are not needed to perform the static checks needed in the μCRL specification. Furthermore, partitioning of assignments in applications is not modelled. The program of Figure in μCRL is depicted in Figure. It amounts to a list of assignments. The term in Figure is of type Program. Programs are constructed again as lists, in the same way as terms of Valuation were constructed:
    func emptyprogram : -> Program
         add : Assignment # Program -> Program
The elements of a Program are objects of type Assignment. A term of type Assignment is either a simple assignment or a timer assignment:
    func a : Identifier # Expression -> Assignment
         ta : Natural # Identifier # Expression -> Assignment
Examples are a(R, or(ex(Q), ex(V))) and ta(2, Q, ex(I)); these represent the VLC′ terms BOOL R = Q + V and TIME DELAY = 2 SECONDS BOOL Q = I.
These terms are taken from the programs in the two Figures. Finally, Expressions are terms generated by the following signature:
    func ex : Identifier -> Expression
         and, or : Expression # Expression -> Expression
         not : Expression -> Expression
Atomic expressions are constructed by injecting terms of type Identifier into Expression by means of the function ex. For example ex(Q) is an atomic expression. A more complex term is and(ex(Q), not(ex(R))); this term represents the VLC′ term Q * NR. Note that Q and R should be declared as constants of type Identifier. As these constants vary from VPI application to VPI application they are not declared in the specification in Appendix B; in the specification identifiers are simply generated from the natural numbers.
Temporal behaviour and evaluation of assignments
Recall the description of the actions that take place during the control cycle of a VPI (Section). An abstract view on this activity was specified in Figure. The μCRL specification does not differ much. It essentially reads input (read(inp)), calculates a new state (evaluate(p, add(inp, v))), makes a part of this resulting state, which is called the visible part, available to the outside world (send(normalize(select(...)))), and starts all over again (VPI(...)). Added is a number of tests on the consistency of the program p, the input inp and the state v. The notation P_1 ◁ T ▷ P_2 is read: if T holds then continue as process P_1, otherwise as process P_2.
    VPI(p : Program, show : Identifiers, v : Valuation) =
      Σ_{inp : Valuation}
        read(inp) .
        send(normalize(select(show, evaluate(p, add(inp, v))))) .
        VPI(p, show, select(keep(p), evaluate(p, add(inp, v))))
      ◁ and(singleassignment(p),
            and(eq(inputs(p), ids(inp)), eq(keep(p), ids(v)))) ▷ δ
In the recursive call VPI(p, show, select(keep(p), ...)) the function keep(p) extracts those identifiers from p that are referenced before they are assigned a value and that are not inputs:
    func keep : Program -> Identifiers
In the VPI the assignments of a program are evaluated one after the other in a top down fashion. Given a state, the evaluation of an assignment results in a next state that forms input for the evaluation of the next assignment in the program. In μCRL this evaluation works similarly. There is a number of functions involved; the most important are listed below:
    func evaluate : Program # Valuation -> Valuation
         evaluate : Assignment # Valuation -> Valuation
         evaluate : Expression # Valuation -> Integer
For example the term
    evaluate(add(a_1, add(a_2, add(a_3, emptyprogram))), v)
where a_1, a_2, a_3 are terms of type Assignment and v a term of type Valuation, reduces by evaluation of a_1 on v and next the evaluation of a_2 on the result of this, etc. Given the axioms in the specification we see that
    evaluate(add(a_1, add(a_2, add(a_3, emptyprogram))), v)
is equal to
    evaluate(a_3, evaluate(a_2, evaluate(a_1, v)))
Thus the evaluation of a list of assignments on a valuation is equal to the nested evaluation of the single assignments in the list, where the first assignment is deepest in the nesting. The evaluation of an assignment a given a valuation v can easily be explained by looking at the axioms:
    evaluate(a(id, e), v) = add(id, evaluate(e, v), v)
    evaluate(ta(n, id, e), v) = if(eq(evaluate(e, v), 1),
                                   add(id, up(retrieve(id, v)), v),
                                   add(id, int(nat, n), v))
Adding an identifier and its value to a valuation simply overrules any value that was previously assigned to the identifier by the valuation. This is expressed by the following axiom, which also expresses a restricted form of commutation:
    add(id, i, add(id′, i′, v)) = if(eq(id, id′),
                                     add(id, i, v),
                                     add(id′, i′, add(id, i, v)))
Finally we will discuss the evaluation of terms of type Expression. There is really nothing special about this; essentially it is the evaluation of a propositional expression given a valuation. The only complication is that we have
Chapter  The Vital Processor Interlocking
chosen to use the functions not and and or that were already specied as
operations of type Bool to do the work For that purpose two functions were
added BoolInt and IntBool  which obey the following equalities
BoolIntT   

BoolIntF   

IntBoolintSx nat  T 

IntBoolintnat x  F
We end this section with some examples
BoolIntandIntBool	 T   

evaluateexX emptyvaluation  

evaluateexX addX  emptyvaluation  

evaluateta X notexX addX  emptyvaluation 
addX	 emptyvaluation
Timer assignment elimination
Timer assignments turn out to be syntactic sugar, i.e. timer assignments can in
principle be translated in other, semantically equivalent VLC code. Suppose
we have a timer assignment
    TIME DELAY n SECONDS BOOL x = e
Here x is a variable, e is some expression and n is a natural number. The
interpretation is the following. If n = 0 then x is set to the value of e. If
n > 0 then x is set to true iff e is true and e was true the n control cycles
before the current control cycle. In other words, if n = 0 then the timer
assignment is equivalent to the assignment
    BOOL x = e
If n > 0 and x ∉ ids(e), i.e. x does not occur in e, then the expression is
equivalent to two assignments
    BOOL x = (x ∨ x') ∧ e
    TIME DELAY n−1 SECONDS BOOL x' = e
The disjunction x ∨ x' expresses that x' is only relevant when x is F. When
x ∈ ids(e) things get a little more complicated:
    BOOL x' = e
    BOOL x = (x ∨ x'') ∧ x'
    TIME DELAY n−1 SECONDS BOOL x'' = x'
Here x' and x'' are fresh and non-identical identifiers in the CURRENT RESULT
SECTION resp. TIMER EXPRESSION RESULT SECTION. Note that in either case
the order in which assignments are evaluated, i.e. sequentially from top to
bottom, is crucial. Of course, in practice this unrolling is cumbersome for
large n. Now we will reformulate the removal of timer assignments formally.
Two propositions are presented on VPIs in the context of the μCRL
specification. Let i, i', …, id, id', …, ids, ids', …, e, e', …, a, a', … be closed
terms of type Integer, Identifier, Identifiers, Expression and Assignment
respectively.
The μCRL process VPI can turn into δ when fed with an improper valuation.
In order to get some control on what is fed to VPIs the following set of
proper valuations is defined.
Definition. The function delay : Identifier × Program → {…} is defined by
    delay(id, P) = −n   if TIME DELAY n SECONDS BOOL id = e is in P
    delay(id, P) = …    otherwise
Let P ∈ Program; the set of proper valuations of P is defined by
    PV(P) =def { v ∈ Valuation | ids(v) = keep(P) and
                 ∀ id ∈ Identifier : in(id, ids(v)) = T → delay(id, P) … evaluate(id, v) … }

In the following definition the notion of strong bisimilarity between processes
is used. Two processes X and Y are strongly bisimilar, denoted X ↔ Y, if
there is a relation between the states of X and Y such that in related states
X and Y can perform the same actions and these actions lead again to related
states.
Definition. Given two programs P, P' ∈ Program and a set of identifiers
show ∈ Identifiers such that in(show, outputs(P)) = T and in(show, outputs(P')) = T.
P and P' are called VPI-operationally equivalent over show iff
    ∀ v ∈ PV(P) ∃ v' ∈ PV(P') : VPI(P, show, v) ↔ VPI(P', show, v')   and
    ∀ v' ∈ PV(P') ∃ v ∈ PV(P) : VPI(P', show, v') ↔ VPI(P, show, v)
Proposition.
Let P ∈ Program, m ∈ N and
    P = add(a_1, … add(ta(n, id, e), … add(a_m, emptyprogram) …) …)
Another program P' is derived from P by one of the following rules. These
rules rewrite the timer assignment ta(n, id, e).
- If n = 0 then let
    P' = add(a_1, … add(a(id, e), … add(a_m, emptyprogram) …) …)
- If n > 0 and in(id, ids(e)) = F then let
    P' = add(a_1, … add(a(id, and(or(ex(id), ex(id')), e)),
                    add(ta(n−1, id', e), … add(a_m, emptyprogram) …)) …)
  where id' is a fresh identifier, i.e. in(id', ids(P)) = F.
- If n > 0 and in(id, ids(e)) = T then let
    P' = add(a_1, … add(a(id', e),
                    add(a(id, and(or(ex(id), ex(id'')), ex(id'))),
                    add(ta(n−1, id'', ex(id')), … add(a_m, emptyprogram) …))) …)
  where id' and id'' are fresh and non-identical identifiers, i.e.
  in(id', ids(P)) = F, in(id'', ids(P)) = F and eq(id', id'') = F.
P and P' are VPI-operationally equivalent over outputs(P).
Proof. One can construct a function f from the valuations of the identifiers
of P to those of P'. Given a valuation v for P, one proves equationally
that P and P' from state v resp. f(v) lead to the same send action after the
same read action. Finally one proves that the resulting state of P is again
mapped by f to that of P'. The same procedure is to be followed for the
second simulation. □
Denition  Let P  Program
 P is called timer free if P does not contain
a timer expression ie P does not contain a subterm of the form tan id e
P is called single assignment if a variable is assigned at most once 
We illustrate the notions with an example In Figure  a timer free version of
the program in Figure  is presented The original program and the program
after timer elimination are both single assignment Note that the way new
names are generated here by numbering is not important as long as generated

SFM van Vlijmen
add aQ andorexQ exQ exI
add aQ andorexQ exQ exI
add aQ exI
add aR orexQ exV 
add aV andexQ notexR
add aU exV  emptyprogram
Figure  A timer free variant for the program in Figure 
names are unique and are not used before
Proposition  For all P  Program there is a P

 Program such that P

is timer free and P and P

are VPIoperationally equivalent over outputsP 
Proof With Proposition 	 and induction to the sum of the timers 
This proposition gives way to verication of properties of VPI programs by
verication of the properties on the timer free variants of these programs
 Verication of properties of VPIs
Given a CRL specication S of a VPI loaded with program P  S can be
viewed as a denotation of a transition system T P 
In 	 a general description is presented of how a CRL specication
generates a transition system Sometimes we will abuse terminology and speak
of the transition system generated by a program without specifying the visible
output and initial state
Suppose there is a generic set of correctness criteria C ie criteria in C
are formulated for VPIs loaded with an arbitrary VLC

program Let CP 
be the instantiation of C for the specic program P  Verication comes down
to showing that CP  holds on the transition system T P 
Example  Consider the transition system depicted in Figure  of
VPIaddaX andorexX exX

 exI
addaX

 exI emptyprogram
addX addX

 addI emptyids
addX  addX

  emptyvaluation 
This is a CRL process $ timer free $ derived from the VLC

program with
as only assignment
TIME DELAY   SECONDS BOOL X  I
The states of the transition diagram are elements from f gf gf g

Chapter  The Vital Processor Interlocking
<000>
read(<0>)send(<000>)
<00>
send(<000>)
read(<1>)
<010><001>
send(<011>)
read(<0>)
<01>
read(<1>)
<011>
send(<111>)
<11>
send(<111>)
<111>
read(<1>)
read(<0>)
<110>
send(<000>)
Figure  The transition diagram of the VPI in Example 	
f gf g Where the rst position of a tuple gives the value forX the sec
ond the value forX

and the third if there is one the value for I Note that this
is just a shorter but less precise notation for terms in Valuation Similar nota
tion is used to shorten the arguments of the actions that gure as the labels for
example read
   means readaddI intSnat nat emptyvaluation

To express properties of transition systems modal logics are very useful.
In […] a modal logic for μCRL is proposed. There are various means to verify
properties expressed in a modal logic on a transition system. Some of them
are very systematic and others more ad hoc. In Section … it is investigated to
some extent what properties might be candidates for verification. Also some
examples of modal formulas are given.
A strategy that is often feasible for checking a criterion on a transition
system is to have a computer check the criterion on every state that is
reachable in zero or more steps from a start state. For the VPI this is not feasible:
the state space can be simply enormous, up to 2^|v| states for a timer free
program, where |v| is the number of variables that occur in a program. The
state space can be reduced considerably by slicing a program, i.e. taking into
account only those states that are related to the criterion, but the number
of states can still be very large. Section … gives a treatment of slicing.
One means that seems to be of particular importance in the context of VPIs
is propositional logic. Section … is dedicated to verification using propositional
logic.

SFM van Vlijmen
 What properties
In general criteria have the following form After a sendv action if v
holds then in the near future  holds and in the recent past  held See 
for details
Before we can formalize these criteria in the modal logic of CRL as dened
in 	 a set of formulas is presented called the local propositions These are
formulas expressing properties of elements in Valuation
In the denition just below two notions are used that are taken from 	
V is used to denote a set of typed variables MF
SigV
is the set of modal
formulas given signature Sig and set of variables V
Denition  Let P  Program let v be a variable of type Valuation and
hvValuationi  V LP v P   MF
SigV
 read local propositions is a set of
formulas inductively dened as follows

if e  Expression and inidse idsP   T  then evaluatee v   
LP v P  and evaluatee v  S  LP v P 


if    LP v P  then             LP v P 

In the following a number of modal operators will be used Informally J 
purports that in the previous state  held
 N  says that in the next state
 will hold
  reads that in all states  holds
 and




a  for some action
a says that if the next action is an a then  holds in the state that a leads
to The denition below species the set of the modal formulas that we will
study
Denition  Let P  Program The notation J
k
 k  N is dened as
follows J


def
  and J
k
def
 J J
k
 In the same way N


def
 
and N
k
def
 N N
k
 Then the set of modal formulas for a VPI program

Chapter  The Vital Processor Interlocking
P is dened as
VPI
MF
P 
def

f
v Valuation




sendv    
J
i



v

 Valuation




sendv

 

    
J
i
n


v
n
 Valuation




sendv
n
 
n
 
N
j



w

 Valuation




sendw

 

    
N
j
m


w
m
 Valuation




sendw
m
 
m

j    LP v P 
nm  N
 i

     i
n
 j

     j
m
 N 	 fg



 LP v

 P      
n
 LP v
n
 P 



 LP w

 P      
m
 LP w
m
 P g

One may wonder why send actions only occur in formulas in VPI_MF(P),
because read actions seem to be the proper way to make input valuations
available for logical investigations. Yet this information can also easily be
provided in a send action, which we need anyway. In that way one can keep
the formulas as short as possible.
There are three subsets of formulas of VPI_MF(P) that prove to be useful
in the next section; there it is investigated how formulas in VPI_MF(P) can
possibly be verified using techniques for proving theorems in propositional
logic.
Denition  Let P  Program
STATIC
MF
P 
def
 f
v Valuation




sendv  j   LP v P g
JUST
MF
P 
def

f
v Valuation




sendv  J
k

v

 Valuation




sendv

 
j   LP v P  k  N 	 fg   LP v

 P g
NEXT
MF
P 
def

f
v Valuation




sendv N
k

v

 Valuation




sendv

 
j   LP v P  k  N 	 fg   LP v

 P g

SFM van Vlijmen
signal A
Level crossing
signal B
section 2section 1
Platform
Platform
signal C
Figure  Simplied view on HoornKersenboogerd

Consider the simplied railway yard of HoornKersenboogerd depicted in Fig
ure  Four criteria
	
are presented in an informal way and a formal way using
the format of Denition 	 and  Let P be the VPI program at the railway
yard depicted in Figure  In P the variables A
G
 A
R
 C
G
 C
R
 S

 S

and
LC occur these are respectively read as follows A shows green A shows red
C shows green C shows red section  is free section  is free and the level
crossing is open

- Signal A, as any other signal, does not show green and red at the same time:
    ∀v:Valuation [send(v)] ( evaluate(A_G, v) = 1 → evaluate(A_R, v) = 0 )
- If signal A shows green then signal C does not show red:
    ∀v:Valuation [send(v)] ( evaluate(A_G, v) = 1 → evaluate(C_R, v) = 0 )
- If signal A shows green then section … is free and has been free for at least
  four seconds:
    ∀v:Valuation [send(v)] ( evaluate(A_G, v) = 1 →
      evaluate(S_…, v) = 1 ∧
      J ∀v_1:Valuation [send(v_1)] ( evaluate(S_…, v_1) = 1 ∧
      J ∀v_2:Valuation [send(v_2)] ( evaluate(S_…, v_2) = 1 ∧
      J ∀v_3:Valuation [send(v_3)] ( evaluate(S_…, v_3) = 1 ∧
      J ∀v_4:Valuation [send(v_4)] evaluate(S_…, v_4) = 1 ))))
- If section … is occupied and signal C shows green then we can detect that
  the level crossing is closed in … seconds:
    ∀v:Valuation [send(v)] ( evaluate(S_…, v) = 0 ∧ evaluate(C_G, v) = 1 →
      N^… ∀v':Valuation [send(v')] evaluate(LC, v') = 0 )
(*) The criteria presented are only caricatures of realistic criteria.
Below some notational shorthands are defined.
Definition.
    LP(v)     = ∪_{P ∈ Program} LP(v, P)
    VPI_MF    = ∪_{P ∈ Program} VPI_MF(P)
    STATIC_MF = ∪_{P ∈ Program} STATIC_MF(P)
    NEXT_MF   = ∪_{P ∈ Program} NEXT_MF(P)
    JUST_MF   = ∪_{P ∈ Program} JUST_MF(P)
Using propositional logic
In this section it is discussed how propositional logic could be used to verify
criteria introduced in Section …. For an introduction to propositional logic
the reader is referred to […].
Given a program P and criterion φ, intuitively we have to prove that
P implies some φ. A number of transformations is needed on a program to
reach this form of formula from P and φ. A basic transformation is then from
Boolean Expressions that we find in a program to propositional formulas in
PROP.
Definition. Terms in Expression are translated to terms in PROP,
which is the set of all propositions, see […]. The symbol ↔ is defined as ….
Suppose e and e' are closed terms of type Expression.
    prop(TRUE)       = ⊤
    prop(FALSE)      = ⊥
    prop(ex(id))     = id
    prop(and(e, e')) = prop(e) ∧ prop(e')
    prop(or(e, e'))  = prop(e) ∨ prop(e')
    prop(not(e))     = ¬prop(e)
	
SFM van Vlijmen
In the denitions and claims to come a name generation convention will be
used The naming convention says the following Given a program P 
Program Suppose id  Identier occurs in P  and we want to replace some
occurrences of id by one of the following variants id
J
 id
JJ
    
 id
N
 id
NN

    then these variants do not occur in P  Often a renaming  will be intro
duced that renames an id  Identier in one of the variants above To denote
longer lists of J  and N subscripts we introduce the following shorthands
id
J
k and id
N
k k  N Here id
J

def
 id id
J

def
 id
J
 id
J

def
 id
JJ
et cetera
The function prop is further overloaded by defining prop also on modal
formulas. First prop is defined on formulas in LP(v). Then prop will be
defined on STATIC_MF, JUST_MF and NEXT_MF too.
Definition. Let I be the identity function on Identifier, φ ∈ LP(v). Let ρ be a renaming.
- if φ ≡ (evaluate(ex(id), v) = 0) then prop_ρ(φ) =def ¬ρ(id);
- if φ ≡ (evaluate(ex(id), v) = S(…)) then prop_ρ(φ) =def ρ(id);
- if φ ≡ ¬ψ then prop_ρ(φ) =def ¬prop_ρ(ψ);
- if φ ≡ ψ ∧ χ then prop_ρ(φ) =def prop_ρ(ψ) ∧ prop_ρ(χ);
- if φ ≡ ψ ∨ χ then prop_ρ(φ) =def prop_ρ(ψ) ∨ prop_ρ(χ);
- if φ ≡ ψ → χ then prop_ρ(φ) =def prop_ρ(ψ) → prop_ρ(χ);
- if φ ≡ ψ ↔ χ then prop_ρ(φ) =def prop_ρ(ψ) ↔ prop_ρ(χ);
- if φ ≡ ∀v:Valuation [send(v)] ψ ∈ STATIC_MF then prop(φ) =def prop_I(ψ);
- if φ ≡ ∀v:Valuation [send(v)] ( ψ → J^k ∀v':Valuation [send(v')] ψ' ) ∈ JUST_MF,
  let ρ be such that for all id ∈ Identifier: ρ(id) =def id_J^k; then
  prop(φ) =def prop_I(ψ) → prop_ρ(ψ');
- if φ ≡ ∀v:Valuation [send(v)] ( ψ → N^k ∀v':Valuation [send(v')] ψ' ) ∈ NEXT_MF,
  let ρ be such that for all id ∈ Identifier: ρ(id) =def id_N^k; then
  prop(φ) =def prop_I(ψ) → prop_ρ(ψ').
Modal formulas refer to current states and/or past and/or future states. By
concatenation and renaming of programs it will be achieved that this notion
of past and future can be coded into propositional formulas in a
straightforward manner. Below follow three definitions that specify how to concatenate
renamed programs. The renaming is defined first.
Definition. First define the renaming ρ_i for some i ∈ Z on Identifier
as follows:
    ρ_0(id) =def id;
    if i < 0 then ρ_i(id) =def id_J^{|i|};
    if i > 0 then ρ_i(id) =def id_N^i.
Second, define timecopy(i, P) for some timer free P ∈ Program and some i ∈ Z
as follows. If P = emptyprogram then timecopy(i, P) =def emptyprogram.
Otherwise suppose
    P = add(a(id_1, e_1), add(a(id_2, e_2), … add(a(id_m, e_m), emptyprogram) …))
and m > 0; then timecopy(i, P) is the program one obtains by performing the
following operation on P:
- replace each occurrence of each identifier id in inputs(P) by ρ_i(id);
- for each k, 1 ≤ k ≤ m:
  (i) replace a(id_k, e_k) by a(ρ_i(id_k), e_k);
  (ii) replace in e_1, …, e_k each occurrence of id_k by ρ_{i−1}(id_k);
  (iii) replace in e_{k+1}, …, e_m each occurrence of id_k by ρ_i(id_k).
The concatenation of n programs with an eye to the past is defined as follows.
Definition. Define the n-copy just-extension of a program P ∈ Program
and some n ∈ N as the concatenation of n + 1 timecopies, in this order:
    J^n(P) =def timecopy(−n, P), timecopy(−n + 1, P), …, timecopy(0, P)
The concatenation of n programs with an eye to the future is similar.
Definition. Define the n-copy next-extension of a program P ∈
Program and some n ∈ N as the concatenation of n + 1 timecopies, in this
order:
    N^n(P) =def timecopy(0, P), timecopy(1, P), …, timecopy(n, P)
Actually the programs that result from J^n and N^n are semantically
equivalent. However, to have both operations seems intuitively more
appropriate.
Time for some examples. Suppose P is the program in Figure … (Page …).
The 0-copy next-extension of P is the same as the 0-copy just-extension of P,
SFM van Vlijmen
which is
add aQ andorexQ
J
 exQ
J
 exI
add aQ andorexQ
J
 exQ
J
 exI
add aQ exI
add aR orexQ exV
J

add aV andexQ notexR
add aU exV  emptyprogram
The  copy justextension of P is
add aQ
J
 andorexQ
JJ
 exQ
JJ
 exI
J

add aQ
J
 andorexQ
JJ
 exQ
JJ
 exI
J
 
add aQ
J
 exI
J

add aR
J
 orexQ
J
 exV
JJ

add aV
J
 andexQ
J
 notexR
J

add aU
J
 exV
J

add aQ andorexQ
J
 exQ
J
 exI 
add aQ andorexQ
J
 exQ
J
 exI
add aQ exI
add aR orexQ exV
J

add aV andexQ notexR
add aU exV  emptyprogram
Note how programs are connected by renaming of identiers For example
Q
J
 in the assignment marked with refers back to the assignment marked

Chapter  The Vital Processor Interlocking
with  The  copy nextextension of P is
add aQ andorexQ
J
 exQ
J
 exI
add aQ andorexQ
J
 exQ
J
 exI
add aQ exI
add aR orexQ exV
J

add aV andexQ notexR
add aU exV 
add aQ
N
 andorexQ exQ exI
N

add aQ
N
 andorexQ exQ exI
N

add aQ
N
 exI
N

add aR
N
 orexQ
N
 exV 
add aV
N
 andexQ
N
 notexR
N

add aU
N
 exV
N
 emptyprogram
Finally we can define how to translate programs to propositional logic
formulas.
Definition. Given a timer free program P ∈ Program. The proposition
of P is a term in PROP defined as follows:
- if P = emptyprogram then prop(P) =def ⊤;
- if P = add(a(id, e), emptyprogram) then prop(P) =def id ↔ prop(e);
- if P = add(a(id, e), p) then prop(P) =def (id ↔ prop(e)) ∧ prop(p).
Note that the renamings in Definitions … and … were chosen in such a
way that atoms in the proposition of a criterion refer to the correct atomic
propositions in the proposition of a next/just extended program.
Example. Let P be the program in Figure … on Page …. Then
prop(J^0(P)) is
    (Q ↔ (Q_J ∨ Q1_J) ∧ I) ∧
    (Q1 ↔ (Q1_J ∨ Q2_J) ∧ I) ∧
    (Q2 ↔ I) ∧
    (R ↔ Q ∨ V_J) ∧
    (V ↔ Q ∧ ¬R) ∧
    (U ↔ V)
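The time copies, the J^n and N^n extensions, prop(P) and the tautology check that the propositions below rely on, written out as an added Python example (not the thesis's ASF+SDF tools, which are not reproduced here). Identifiers are renamed by appending `_J`, `_JJ`, `_N`, … as in the naming convention above; the programs `P_X` and `P_Q` are constructed from this page's examples (the timer free form of `TIME DELAY 1 SECONDS BOOL X = I`, and the figure's timer free program), with the fresh identifiers named X1, Q1 and Q2.

```python
from functools import reduce
from itertools import product

# Added example, not the thesis's code.  Expressions and propositions share one
# tuple form: ('atom', name) | ('not', p) | ('and', p, q) | ('or', p, q) |
# ('imp', p, q) | ('iff', p, q) | True | False.  A timer free, single
# assignment program is a list of (identifier, expression) pairs, top-down.

def A(name):
    return ('atom', name)

def atoms(p):
    if isinstance(p, bool):
        return set()
    if p[0] == 'atom':
        return {p[1]}
    return set().union(*(atoms(q) for q in p[1:]))

def subst(p, f):
    """Rename every atom of p with f."""
    if isinstance(p, bool):
        return p
    if p[0] == 'atom':
        return A(f(p[1]))
    return (p[0],) + tuple(subst(q, f) for q in p[1:])

OPS = {'not': lambda a: not a, 'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
       'imp': lambda a, b: (not a) or b, 'iff': lambda a, b: a == b}

def holds(p, row):
    """Truth value of p under the assignment row: atom name -> bool."""
    if isinstance(p, bool):
        return p
    if p[0] == 'atom':
        return row[p[1]]
    return OPS[p[0]](*(holds(q, row) for q in p[1:]))

def tautology(p):
    """Truth-table check; exponential in the number of atoms, fine here."""
    names = sorted(atoms(p))
    return all(holds(p, dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))

def rho(i, x):
    """The renaming rho_i: |i| J's appended for i < 0, i N's for i > 0."""
    if i == 0:
        return x
    return x + '_' + ('J' * -i if i < 0 else 'N' * i)

def timecopy(i, prog):
    """timecopy(i, P): the assigned identifier and the inputs get rho_i; an
    identifier assigned at position j is read as rho_i in later assignments and
    as rho_{i-1} (its previous-cycle value) in its own and earlier ones."""
    pos = {x: j for j, (x, _) in enumerate(prog)}
    copy = []
    for k, (x, e) in enumerate(prog):
        f = lambda y, k=k: rho(i, y) if y not in pos or pos[y] < k else rho(i - 1, y)
        copy.append((rho(i, x), subst(e, f)))
    return copy

def just_ext(n, prog):
    """J^n(P): timecopy(-n, P) followed by ... followed by timecopy(0, P)."""
    return [a for i in range(-n, 1) for a in timecopy(i, prog)]

def next_ext(n, prog):
    """N^n(P): timecopy(0, P) followed by ... followed by timecopy(n, P)."""
    return [a for i in range(0, n + 1) for a in timecopy(i, prog)]

def prop(prog):
    """prop(P): the conjunction of id <-> prop(e) over all assignments."""
    return reduce(lambda acc, c: ('and', acc, c), [('iff', A(x), e) for x, e in prog], True)

def verify_static(prog, phi):
    """STATIC criterion [send(v)] phi: check |= prop(J^0(P)) -> prop(phi)."""
    return tautology(('imp', prop(just_ext(0, prog)), phi))

def verify_just(prog, now, past, k):
    """JUST criterion [send(v)](now -> J^k [send(v')] past) with time depth k:
    atoms of `past` are renamed id -> id_J^k and prop(J^k(P)) is assumed."""
    phi = ('imp', now, subst(past, lambda y: rho(-k, y)))
    return tautology(('imp', prop(just_ext(k, prog)), phi))

def verify_next(prog, now, future, k):
    """NEXT criterion [send(v)](now -> N^k [send(v')] future) with time depth k."""
    phi = ('imp', now, subst(future, lambda y: rho(k, y)))
    return tautology(('imp', prop(next_ext(k, prog)), phi))

# Constructed programs.  P_X: timer free form of TIME DELAY 1 SECONDS BOOL X = I
# (fresh identifier named X1).  P_Q: the timer free program of the figure.
P_X = [('X', ('and', ('or', A('X'), A('X1')), A('I'))), ('X1', A('I'))]
P_Q = [('Q', ('and', ('or', A('Q'), A('Q1')), A('I'))),
       ('Q1', ('and', ('or', A('Q1'), A('Q2')), A('I'))),
       ('Q2', A('I')),
       ('R', ('or', A('Q'), A('V'))),
       ('V', ('and', A('Q'), ('not', A('R')))),
       ('U', A('V'))]
```

`just_ext(1, P_Q)` reproduces the 1-copy just-extension listed above, and `verify_just(P_X, A('X'), A('I'), 1)` returns `True`: "if X holds then I held in the previous cycle" is a tautology once J^1 has been applied, exactly the situation discussed for JUST_MF below.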

Now the translation of programs and modal formulas to propositions has been
defined. Of course prop eats any program. However, the programs that are
intended to be translated to propositions are programs that result from the
application of a J^n or N^n operator on an original program. This n here
is derived from the modal formula; it captures the number of time slices the
modal formula looks back or looks forward. The definition below makes this
explicit in a notion called the time depth of a modal formula.
Definition. The time depth td of a modal formula in JUST_MF or
NEXT_MF is the number of control cycles the formula refers to in the past
respectively in the future:
    td( ∀v:Valuation [send(v)] ( ψ → J^k ∀v':Valuation [send(v')] ψ' ) ) =def k
    td( ∀v:Valuation [send(v)] ( ψ → N^k ∀v':Valuation [send(v')] ψ' ) ) =def k
Below will follow the most important claims of this chapter with regard to
verication Note that A A   k j  holds i  holds on every path of A
when starting at the kth state of such a path see 	
Proposition 
Given a timer free and single assignment program P  Program Let
AVPIP idsP  v be the transition system generated by VPIP idsP  v
for some v  Valuation Let A be a boolean preserving and minimal algebra
for the CRL specication in Appendix B Let  be a substitution Let  
STATIC
MF
P 
j propJ

P 

prop 
v  PVP AVPIP idsP  v A    j 

Chapter  The Vital Processor Interlocking
Proposition 
Given a timer free and single assignment program P  Program Let
AVPIP idsP  v be the transition system generated by VPIP idsP  v
for some v  Valuation Let A be a boolean preserving and minimal algebra
for the CRL specication in Appendix B Let  be a substitution Let  
NEXT
MF
P 
j propN
td

P  prop


v  PVP AVPIP idsP  v A    j 
Verication of modal formulas from JUST
MF
is not as straightforward as for
modal formulas from NEXT
MF
 In the modal logic one can only successfully
refer to states on a path that lay between the current state and the starting
state inclusive By the transformation to propositional logic this notion of
after or on the starting state gets blurred Consider the transition diagram
in Figure  and the following modal formula
  
v Valuation




sendv evaluateX v  

J


v

 Valuation




sendv

 evaluateI v

  
 expresses that if X is true then in the previous regulation cycle I was
true  does not hold on every path of the transition diagram Consider for
instance the path
hi

read
hi
						 hi
send
hi
								 hi

   
In the valuation v as sent by sendhi is evaluateX v equal to  How
ever at state hi

one cannot refer to a send three steps back on the
path
But the proposition that is generated from the program and  is a tau
tology This proposition is
X
J
 X
JJ
X

JJ
  I
J
 
X

J
 I
J
 
X  X
J
X

J
  I 
X

 I
 X  I
J

Because of the J

operation on the program the resulting proposition cannot
refer to none existing states Consequently a generated proposition proves
only something about the states of a path at some distance of the start state

SFM van Vlijmen
<000>
read(<0>)
<00>
send(<000>)
read(<1>)
<001>
send(<011>)
<010>
read(<0>)
<01>
read(<1>)
<011>
send(<111>)
<11>
send(<111>)
<111>
read(<1>)
read(<0>)
<110>
send(<000>)
send(<000>)
<100>
send(<000>)
<10>
read(<0>)
read(<1>)
<101>
send(<111>)
Figure  The transition diagram of Example 	 completed for all proper valuations
This distance is minimally twice the time depth of the formula to be veried
Note that these complications do not occur when verifying modal formulas
from NEXT
MF
 Because a VPI never terminates the paths are innite
 there
is always a next state
Proposition.
Given a timer free and single assignment program P ∈ Program. Let
A(VPI(P, ids(P), v)) be the transition system generated by VPI(P, ids(P), v)
for some v ∈ Valuation. Let A be a boolean preserving and minimal algebra
for the μCRL specification in Appendix B. Let σ be a substitution. Let φ ∈
JUST_MF(P).
    ⊨ prop(J^{td(φ)}(P)) → prop(φ)
    ⇒ ∀ v ∈ PV(P) : A(VPI(P, ids(P), v)), A, σ, 2·td(φ) ⊨ φ
In verifications the offset 2·td(φ) will probably not form a severe handicap. In
case a criterion φ holds and one wants to prove it too for the initial 2·td(φ)
steps, the route may be to instantiate the start state with the actual start
state, which is known, and devise specific criteria φ_1, φ_2, … that should hold
during the first 2·td(φ) states.
Intuitively it is not difficult to convince oneself of the validity of the
aforementioned propositions. However, a complete, reasonably formal proof may
be tedious; this was not attempted.
Lemma. Let [a]φ, [a]ψ ∈ MF_{Sig,V} for some signature Sig and
some set of variables V; then
    ⊨ [a](φ ∧ ψ) ↔ [a]φ ∧ [a]ψ
Proof. With the semantics of the modal logic and
(p → (q ∧ r)) ↔ ((p → q) ∧ (p → r)). □
By Propositions …, … and Lemma … one can extend verification
to VPI_MF.
Corollary. Let P ∈ Program be a timer free and single assignment
program and let φ ∈ VPI_MF(P),
    φ ≡ ∀v:Valuation [send(v)] ( ψ →
          J^{i_1} ∀v_1:Valuation [send(v_1)] ( ψ_1 → … J^{i_n} ∀v_n:Valuation [send(v_n)] ψ_n … )
        ∧ N^{j_1} ∀w_1:Valuation [send(w_1)] ( χ_1 → … N^{j_m} ∀w_m:Valuation [send(w_m)] χ_m … ) )
Let A(VPI(P, ids(P), v)) be the transition system generated by VPI(P, ids(P), v)
for some v ∈ Valuation. Let A be a boolean preserving and minimal algebra
for the μCRL specification in Appendix B. Let σ be a substitution. Then the
following holds:
    ⊨ ( prop(J^0(P)) → prop(ψ) ) ∧
      ( prop(J^{td(φ_1)}(P)) → prop(φ_1) ) ∧ … ∧ ( prop(J^{td(φ_n)}(P)) → prop(φ_n) ) ∧
      ( prop(N^{td(φ_{n+1})}(P)) → prop(φ_{n+1}) ) ∧ … ∧ ( prop(N^{td(φ_{n+m})}(P)) → prop(φ_{n+m}) )
    ⇒ ∀ v ∈ PV(P) : A(VPI(P, ids(P), v)), A, σ, max{td(φ_1), …, td(φ_n)} ⊨ φ
where
    φ_1 ≡ ∀v:Valuation [send(v)] ( ψ → J^{i_1} ∀v_1:Valuation [send(v_1)] ψ_1 )
    …
    φ_n ≡ ∀v:Valuation [send(v)] ( ψ → J^{i_n} ∀v_n:Valuation [send(v_n)] ψ_n )
    φ_{n+1} ≡ ∀v:Valuation [send(v)] ( ψ → N^{j_1} ∀w_1:Valuation [send(w_1)] χ_1 )
    …
    φ_{n+m} ≡ ∀v:Valuation [send(v)] ( ψ → N^{j_m} ∀w_m:Valuation [send(w_m)] χ_m )
Tool support for VPI
Automated verification of properties of VPIs requires the construction of a
set of tools. Of main importance are a tool that transforms programs and
modal formulas into propositions, and a tool that proves whether these
propositions are tautologies. By means of the ASF+SDF Meta-environment […] a
number of prototype tools was constructed that implement the transformations
as presented in this chapter […]. These tools all operate on VLC programs,
whereas some operations in this chapter operate on μCRL terms representing
programs, but this is irrelevant. For the tautology checking various existing
tools were used: a binary decision diagram checker […] developed locally […],
the resolution theorem prover Otter […] and a commercial tool […].
Transformation tools
The following transformation tools were constructed:
- A tool for elimination of timer assignments.
- A tool for expansion of timer free programs.
- A tool that implements the n-copy just-transformation.
- A tool that implements the n-copy next-transformation.
- A tool that translates programs to propositions.
- A simulator for VLC programs.
- A tool that performs program slicing.
Most of the transformations are quite simple and will sound familiar now; only
program slicing and expansion were not addressed before. Program slicing will
be introduced shortly in a separate section below. Expansion is a process in
which all occurrences of variables in the right hand sides of assignments are
replaced by the right hand sides of their own assignment, provided that such
an assignment appears earlier in the program. This seemed to be a relevant
operation but turned out not to be used in verifications and will therefore
not be discussed further.
No tool was constructed for the translation of modal formulas. The reason
for this is that the modal formulas checked were small; the translation was
easily done by hand. However, we are convinced that this tool could have
been constructed easily using the ASF+SDF Meta-environment.
All tools except the simulator can be used stand alone and as part of
the ASF+SDF Meta-environment. The simulator only runs in the
Meta-environment. Stand alone, the tools have a very simple interface: read a
text file, process the contents, output a text file, terminate. Combinations of
tools are then easily constructed using pipes. Static semantical checks are not
performed, but could have been specified. Syntax checking is for free with the
ASF+SDF Meta-environment.
We tried to generate tools with the ASF+SDF Meta-environment; it is
possible to have the system output C code implementing the tool. But due
to the enormous memory consumption of this code this route turned out
not to be practical. Yet we didn't investigate what the result would be after
optimizing the specification for the sole purpose of generating efficient code. In
the end the tools were constructed by translating the ASF+SDF specifications
by hand, using C, Lex and Yacc.

Program slicing

Intuitively, a slice of P for x is the program one obtains from P by removing all assignments from P that do not contribute to the value of x upon evaluation of P. Slicing of code receives attention in the literature (see the cited overview). What is presented here is, in the terminology of that literature, backward static slicing: select in a backward manner a part of the program statements, without special assumptions on the input to the program.

Slicing is of practical importance to the verification of VPI programs. Suppose one plans to verify that program P obeys $\varphi \in VPI_{MF}$ with some time depth. After all transformations this gives an impressive proposition, and it may take a computer quite some time to find out whether this proposition is a tautology. Now it can be the case that $\varphi$ only refers to a small number of identifiers. The result below shows that one can remove that part of the proposition that does not influence the identifiers in $\varphi$. This means that the proposition will get smaller and tautology checking will speed up. Of course this will only pay off if slicing is cheap. The type of slicing considered here has a time complexity that is linear in the number of assignments.

The slicing tool takes as input a VLC program and a list of identifiers. The output, the sliced program, can then be translated to a proposition. Below, slicing will be defined more precisely, followed by a formal treatment in propositional logic.
Denition  Given a timer free and single assignment program P 
Program and an identier id  Identier This id is the slicing criterion see
		
SFM van Vlijmen
 Suppose
P  addaid

 e


addaid

 e


  
addaid
n
 e
n
 emptyprogram    
then sliceP id is the program which is an order preserving selection of
assignments in P that satises the following
aid
i
 e
i
   i  n is in sliceP id i

eqid id
i
  T  or

aid
j
 e
j
 is in sliceP id and i 
 j and inid
i
 idse
j
  T 

It is clear that we can easily extend the notion of a slice of a program for an identifier to a slice of a program for an expression, for a set of identifiers, and to non-timer-free programs. In order to exemplify slicing, suppose that P is the program of the figure referred to above, i.e.

  $P = add(ta(\ldots, Q, ex(I)), add(a(R, or(ex(Q), ex(V))), add(a(V, and(ex(Q), not(ex(R)))), add(a(U, ex(V)), emptyprogram))))$.

A slice of P for U is P itself. The same holds for, e.g., the slice of P for an expression such as $or(and(ex(R), ex(U)), ex(I))$. A slice of P for, e.g., R or for $or(ex(R), ex(Q))$ is

  $add(ta(\ldots, Q, ex(I)), add(a(R, or(ex(Q), ex(V))), emptyprogram))$.

And a slice of P for I is the empty program, because P does not contribute to the value of I at all (I is an input).
A function sliceids is dened that collects and then renames the identiers in
formulas in STATIC
MF
 JUST
MF
and NEXT
MF
 These renamed identiers
	
Chapter  The Vital Processor Interlocking
are needed to properly slice programs with respect to a modal formula
Denition  First a function ids
LP
is dened
ids
LP
evaluatee v  n n  f g is the set of identiers in e

ids
LP

def
 ids
LP


ids
LP
  
def

ids
LP
  
def

ids
LP
 
def

ids
LP
 
def
 ids
LP
  ids
LP

Now sliceids can be dened

If   
v Valuation




sendv   STATIC
MF

then sliceids
def
 ids
LP


If   
v Valuation




sendv  J
k

v

 Valuation




sendv

 
 JUST
MF
 then sliceids
def
 ids
LP
  fid
J
k j id  ids
LP
g

If   
v Valuation




sendv N
k

v

 Valuation




sendv

 
 NEXT
MF
 then sliceids
def
 ids
LP
  fid
N
k
j id  ids
LP
g

Armed with this machinery we can reformulate the propositions on verification by tautology checking. For example, the main part of the proposition on JUST formulas becomes
j propsliceJ

P  sliceids prop


v  PVP AVPIP idsP  v A    j 
This reformulation only makes sense when the following holds.

Proposition. Given a timer-free and single-assignment program $P \in Program$ and a modal formula $\varphi \in VPI_{MF}(P)$:

  $\models prop(slice(J^{\ldots}(P), sliceids(\varphi)), prop(\varphi))$ iff $\models prop(J^{\ldots}(P), prop(\varphi))$.

This will be investigated below. Before presenting the results on slicing, some notions will be introduced; for a complete and formal treatment of these notions the reader is referred to the literature on propositional logic in the references.
$PROP$ is the set of all propositional formulas. We define a subset of this: $PROP_a \subseteq PROP$ is the set of atomic propositions other than $\top$ and $\bot$. For all $\varphi \in PROP$, $at(\varphi)$ is the set of atomic propositions other than $\top$ and $\bot$ occurring in $\varphi$. A valuation is a mapping from $PROP_a$ to $\{0, 1\}$. Let $\sigma$ be a valuation; the interpretation of a formula $\varphi \in PROP$ in $\sigma$ is denoted by $[\![\varphi]\!]_\sigma$. This interpretation is defined in the usual way. Furthermore, $\sigma \models \varphi$ means that $[\![\varphi]\!]_\sigma = 1$ and $\sigma \not\models \varphi$ means that $[\![\varphi]\!]_\sigma = 0$.

Definition. The set of hierarchical propositional formulas $HP \subseteq PROP$ is defined as follows.

- If $x \in PROP_a$, $\varphi \in PROP$ and $x \notin at(\varphi)$ then $x \leftrightarrow \varphi \in HP$.
- If $x \leftrightarrow \varphi \in HP$, $x_1 \leftrightarrow \varphi_1 \land \cdots \land x_n \leftrightarrow \varphi_n \in HP$ ($n \ge 1$), $x \notin \{x_1, \ldots, x_n\}$ and $\{x_1, \ldots, x_n\} \cap at(\varphi) = \emptyset$, then $x \leftrightarrow \varphi \land x_1 \leftrightarrow \varphi_1 \land \cdots \land x_n \leftrightarrow \varphi_n \in HP$.

Definition. The set of VPI propositions $VPIP \subseteq PROP$ is defined as follows. If $\varphi \in HP$ and $\psi \in PROP$ such that $at(\psi) \subseteq at(\varphi)$ then $\varphi \Rightarrow \psi \in VPIP$.

It may be clear that propositions that are generated from programs and criteria are elements of $VPIP$.
Denition  Given   x

 

      x
n
 
n
    VPIP 
n   An atom x
i
   i  n is said to be unrelated to the consequent 
i x
i
 	 and for all j   j  n such that j  i if x
i
 	
j
 then
x
j
is unrelated to  We say that the atom x
i
is fully unrelated when it only
occurs once and only one in  namely in x
i
 
i
 Note that from Denition
 follows that x
i
 	
i
 
Lemma 	 Given   x

 

      x
n
 
n
    VPIP and
some x
i
unrelated to  then there is a x
j
that is fully unrelated
Proof Suppose there does not exist such a x
i
 This will lead to a contra
diction because the antecedent of  is then not a hierarchical proposition

Lemma 
 Given   x

 

      x
n
 
n
    VPIP If x
i

  i  n is fully unrelated related then j   j x

 

  x
i


i
  x
i
 
i
      x
n
 
n
 
Proof Given  and x
i
as specied above Let A  x

 

      x
n


n
 

 A

  and A

 x

 

      x
i
 
i
  x
i


i
      x
n
 
n

 With case distinction Suppose A   then    and A

  
hence A

   
	
Chapter  The Vital Processor Interlocking
Suppose A   and x
i
 
i
   Then there is a term x
j
 
j
in
A with i  j Thus A

   hence A

   
Suppose A   and x
i
 
i
   Then there are two cases to
consider A

   and A

   The former leads trivially to A


   For the latter we have to prove that    Because x
i
is fully
unrelated to everything else we can construct a valuation 

such that for all
x  	 n fx
i
g it holds that 

x  x but 

x
i
  x
i
 Then we have


x
i
 
i
   hence 

A    and thus 

    
 Trivially true 
With the above Lemma  Proposition 	 follows easily

Tautology checkers

It is well known that satisfiability of propositional formulas is NP-complete. Also, the question whether a formula is a tautology is coNP-complete, and as such it is not at all obvious whether it is possible to establish this for formulas expressing the correctness of VPIs.

We have initially attempted to establish the correctness of the following three static properties:

- Signal … cannot show both red and green.
- If signal … shows red then signal … does not show green. Signal … immediately precedes signal … and should therefore show yellow, flashing yellow or red.
- If signal … shows green and track … CT is occupied then the barriers of level crossing … are closed.

We have tried to prove or disprove these properties using three systems: a resolution-based system called Otter, an improved BDD-based theorem prover, and a commercially available prover. The problems turned out too large for Otter to handle. However, it should be noted that the structure of the formulas tends to transform into relatively small conjunctive normal forms; therefore other resolution-based theorem provers may turn out to do well on this problem. Plain BDD techniques did not get anywhere, but with the improvement described in the cited report, sliced formulas could be proven or disproven in times of up to a minute, whereas the unsliced formulas took approximately an hour to be proven or disproven. All these results have been obtained on a Sparc server with … MB of memory. The commercially available system seems to be able to handle the unsliced formulas in a few seconds.

The feasibility of the verification route was later shown with reasonably complete verifications; see the work of Fokkink and Mertens.
Evaluation

In this chapter a model has been presented in μCRL of a realistic system: an interlocking that is used, amongst others, at Dutch railway yards. Furthermore, a collection of correctness criteria was formulated in the modal logic for μCRL. It was shown how these correctness criteria can be verified automatically using propositional logic. For automated verification a number of tools was specified in ASF+SDF, and these specifications were implemented in C.

Technically speaking, the whole formalization appears rather long-winded; a critique often heard on this work is that the VPI is such a simple device that a translation into propositional logic is straightforward and does not need all this formal machinery. I agree to the extent that the presentation could be simplified by presenting the whole procedure informally using VLC and moving all the formal material to an appendix. I do not agree when the formalization itself is at stake. I consider it important to show that all aspects of a system (operational requirements and techniques such as tautology checking) can fit together in one unifying structure in a clear and rigid manner. The VPI is a nice example of this. Moreover, in the case of a safety-critical system such as the VPI, one needs to be precise. Finally, a next step may well be to model the cooperation of two or more VPIs; μCRL is then again needed.

The verification route is somewhat rough: all valuations for internal variables are considered to be valid starting points for execution. It is clear that the real state space is just a subset of this larger space, as the VPI starts in only one specific valuation. Therefore, if a proposition is not a tautology this does not always mean that the VPI code is faulty. However, it turned out in the case studies that followed that by adding some invariants this kind of suspect verification results do not form a problem.

As a final technical remark, ASF+SDF was a very helpful formalism to specify the transformations on programs. The generated tools, however, did not suffice for transformations on realistic programs. For that purpose Koorn coded some transformations in C. It is indeed the case that all tools constructed were specified and prototyped with ASF+SDF, and that these specifications served for the implementation. This is relevant from an engineering perspective on the case that covers reverse engineering and forward engineering.

With the ASF+SDF prototypes a VPI workbench was emerging. We had the intention to document the specification and implementation properly, and then to investigate whether the ToolBus could be used to construct the VPI workbench by integration of tools already developed by Holland Railconsult, tools discussed in this chapter, and projected tools. An example of the latter is generation of requirements from railway yard layout drawings. This follow-up to the project terminated after some months because the student assigned found a job. The project, however, did get follow-up. The work was published in various forms, and the verification route was put to work in the case studies that followed. Furthermore it necessitated the formulation of something already long envisioned, i.e. a modal logic for μCRL. Groote has set up various projects on propositional tautology checking and model checking by means of propositional encodings. Finally, the results achieved with the VPI led to contract research on the formalization of EURIS and on the definition of a symbolic superset of EURIS called LARIS.

In our view the techniques and tooling developed in the project could easily be integrated in the current VPI engineering process as an additional check, especially in the collation phase. A large set of requirements, once defined, can be verified in a couple of minutes. The engineers of Holland Railconsult that we collaborated with agreed with us that it could be a valuable additional means. Nevertheless, the work is not used at the time of writing. It appears that much more lobbying and additional investments are needed to push the application. This is something that my academic side does not excel in. Useful results do not necessarily sell themselves.
References

S. Anderson and G. Cleland. Formal approaches to safety in programmable electronic systems. Technical report, University of Edinburgh, LFCS.
J.C.M. Baeten and W.P. Weijland. Process algebra. Cambridge Tracts in Theoretical Computer Science, Cambridge University Press.
T. Basten, R. Bol and M. Voorhoeve. Simulating and analyzing railway interlockings in ExSpect. Technical report, Eindhoven University of Technology, Department of Mathematics and Computing Science.
J. Berger, P. Middelraad and A.J. Smith. EURIS, European Railway Interlocking Specification. Technical report, UIC Committee A.
J. Berger, P. Middelraad and A.J. Smith. The European Railway Interlocking Specification. In Proceedings RSE, January.
J.A. Bergstra, W.J. Fokkink, W.M.T. Mennen and S.F.M. van Vlijmen. Spoorweglogica via EURIS. Quaestiones infinitae, Universiteit Utrecht, Faculteit Wijsbegeerte. In Dutch.
J.A. Bergstra and P. Klint. The discrete time ToolBus. In M. Wirsing and M. Nivat, editors, Algebraic methodology and software technology (AMAST), LNCS. Springer-Verlag.
J.A. Bergstra and P. Klint. The ToolBus coordination architecture. In P. Ciancarini and C. Hankin, editors, Coordination Languages and Models (COORDINATION), LNCS. Springer-Verlag.
M.A. Bezem and J.F. Groote. A correctness proof of a one-bit sliding window protocol. British Computer Journal. Corrigendum in British Computer Journal.
M.A. Bezem and J.F. Groote. Invariants in process algebra with data. In B. Jonsson and J. Parrow, editors, CONCUR, Uppsala, LNCS. Springer-Verlag.
R.N. Bol, J.W.C. Koorn, L.H. Oei and S.F.M. van Vlijmen. Syntax and static semantics of the interlocking design and application language. Technical report P, University of Amsterdam, Programming Research Group.
M. Broy. Specification of a railway system. Technical report MIP, Universität Passau.
J.J. Brunekreef. Two simple protocols for local area networks. In Algebraic specification of communication protocols. Cambridge University Press.
J.J. Brunekreef. On modular algebraic protocol specification. PhD thesis, University of Amsterdam.
J.J. Brunekreef. Process specification in a UNITY format. In A. Ponse, C. Verhoef and S.F.M. van Vlijmen, editors, Algebra of communicating processes, Utrecht. Springer-Verlag, WICS.
R.E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C, August.
G.V. Conroy and C. Pulley. Logical methods in the formal verification of safety critical software. Technical report, UMIST.
D. Craigen, S. Gerhart and T. Ralston. An international survey of industrial applications of formal methods: case studies. NIST, National Institute of Standards and Technology.
D. van Dalen. Logic and structure. Springer-Verlag.
A. van Deursen, J. Heering and P. Klint, editors. Language prototyping: an algebraic approach. AMAST Series in Computing, World Scientific.
L.-H. Eriksson. Formal methods: formal verification of railway interlockings. Technical report, Swedish National Rail Administration (Banverket), Kopieringscentralen Banverket HK, Borlänge, Sweden.
L.-H. Eriksson. Formal methods: formalising railway interlocking requirements. Technical report, Swedish National Rail Administration (Banverket), Kopieringscentralen Banverket HK, Borlänge, Sweden.
M.S. Feather. Towards a derivational style of distributed system design: an example. Automated Software Engineering.
L.M.G. Feijs, H.B.M. Jonkers and C.A. Middelburg. Notations for software design. FACIT, Springer-Verlag.
S. Fischer, A. Scholz and D. Taubner. Verification in process algebra of the distributed control of track vehicles: a case study. In G. von Bochmann and D.K. Probst, editors, Computer aided verification, LNCS.
W.J. Fokkink. Safety criteria for the vital processor interlocking at Hoorn-Kersenboogerd. In Proceedings of the Conference on Computers in Railways (COMPRAIL), Part I: Railway Systems and Management, Berlin. Computational Mechanics Publications. Extended version available as technical report, Logic Group Preprint Series of the Department of Philosophy, Utrecht University.
J.F. Groote. Hiding propositional constants in BDDs. Technical report, Utrecht University, Logic Group Preprint Series of the Department of Philosophy.
J.F. Groote. The propositional theorem prover HeerHugo. Unpublished manuscript.
J.F. Groote, M. Hollenberg and S.F.M. van Vlijmen. LARIS: LAnguage for Railway Interlocking Specification. Publication in preparation.
J.F. Groote, J.W.C. Koorn and S.F.M. van Vlijmen. The safety guaranteeing system at station Hoorn-Kersenboogerd. Technical report, Utrecht University, Logic Group Preprint Series of the Department of Philosophy.
J.F. Groote, J.W.C. Koorn and S.F.M. van Vlijmen. Formele analyse van het veiligheidssysteem op het station van Hoorn-Kersenboogerd. Informatie, June. In Dutch.
J.F. Groote, J.W.C. Koorn and S.F.M. van Vlijmen. The safety guaranteeing system at station Hoorn-Kersenboogerd. In Proceedings of the Tenth Annual Conference on Computer Assurance (Compass). IEEE. IEEE catalog number CH.
J.F. Groote and H. van Maaren. Equivalence of the concave optimisation method and d'Agostino's tableaux for propositional logic. In V. Atalay, editor, Proceedings of the Eleventh International Symposium on Computer and Information Sciences (ISCIS XI).
J.F. Groote and A. Ponse. Proof theory for μCRL: a language for processes with data. In D.J. Andrews, J.F. Groote and C.A. Middelburg, editors, Proceedings of the International Workshop on Semantics of Specification Languages. Springer-Verlag, WICS.
J.F. Groote and A. Ponse. Syntax and semantics of μCRL. In A. Ponse, C. Verhoef and S.F.M. van Vlijmen, editors, Algebra of communicating processes, Utrecht. Springer-Verlag, WICS.
J.F. Groote and S.F.M. van Vlijmen. A modal logic for μCRL. In A. Ponse, M. de Rijke and Y. Venema, editors, Modal logic and process algebra: a bisimulation perspective, CSLI lecture notes. CSLI, Stanford, California.
K.M. Hansen. Modelling railway interlocking systems. Technical report ID-TR, Department of Computer Science, Technical University of Denmark.
K.M. Hansen. Linking safety analysis to safety requirements. PhD thesis, Institut for Informationsteknologi, Danmarks Tekniske Universitet.
Ingenieursbureau NS. Ontwerp Voorschrift Electronische Beveiligingssystemen VPI, OV, Deel II, aflevering B van Voorschriften Seintechnische Installaties. NV Nederlandse Spoorwegen. In Dutch.
M. Ingleby and I. Mitchell. Proving safety of a railway signalling system incorporating geographic data. In Heinz H. Frey, editor, Proceedings of SAFECOMP. Pergamon Press.
P. Klint. A meta-environment for generating programming environments. ACM Transactions on Software Engineering and Methodology.
M. Koutny. The Merlin-Randell problem of train journeys. Acta Informatica.
R. de Lemos, A. Saeed and T. Anderson. A train set as a case study for the requirements analysis of safety-critical systems. The Computer Journal.
W.W. McCune. OTTER Users Guide. Technical report ANL, Argonne National Laboratory, March.
W.W. McCune. What's new in OTTER. Technical report ANL/MCS-TM, Argonne National Laboratory, July.
J. Mertens. Verifying the safety guaranteeing system at railway station Heerhugowaard. Master's thesis, Utrecht University, Department of Philosophy, August.
M.J. Morley. Modelling British Rail's interlocking logic: geographic data correctness. Technical report ECS-LFCS, University of Edinburgh, LFCS, November.
M.J. Morley. Safety in railway signalling data: a behavioural analysis. In J. Joyce and C. Seger, editors, Higher order logic theorem proving and its applications, LNCS. Springer-Verlag.
P.J.Th. Musters. VPI: Beschrijving van volgordedwang. Technical report, Ingenieursbureau NS, TBS-Productie, Uitgave D. In Dutch.
L.H. Oei. Pruning the search tree of interlocking design and application language operational semantics. Technical report P, University of Amsterdam, Programming Research Group.
G. Stålmarck and M. Säflund. Modelling and verifying systems and software in propositional logic. In Proceedings of SAFECOMP. Pergamon Press.
F. Tip. Generation of program analysis tools. PhD thesis, University of Amsterdam.
S.F.M. van Vlijmen. Algebraic Specification in Action. PhD thesis, Universiteit Utrecht, Dept. of Philosophy. In Quaestiones infinitae.
S.F.M. van Vlijmen. Algebraic Specification in Action. Electronic Notes in Theoretical Computer Science (ENTCS), Elsevier Science. httpwwwelseviernllocateentcsvolumehtml
Wai Wong. A Formal Theory of Railway Track Networks in Higher-order Logic and its Applications in Interlocking Design. PhD thesis, University of Warwick, Dept. of Engineering.
L. Zigterman. A new approach to specification and design of a railway interlocking: the ROUTE approach. PhD thesis, Technische Hogeschool Delft.
A A verication example
In this appendix a small program and some modal formulas are presented
Then the program and the modal formulas are transformed to propositional
logic formulas which will then be investigated
A
B
C
P
Figure A	 The situation at Little Yard
Consider the railway yard in Figure A The following program controls
	
SFM van Vlijmen
this railway yard
DIRECT INPUT SECTION
I
OUTPUT SECTION
P
r
P
n
A B C
CODE SYSTEM SECTION
Cmd
A
Cmd
B
Cmd
C
Cmd
r
CURRENT RESULT SECTION
E
SELFLATCHED PARAMETER SECTION
TIMER EXPRESSION RESULT SECTION
P
BOOLEAN EQUATION SECTION
APPLICATION  LY
BOOL E  A B  C  A B  A  C B  C
TIME DELAY   SECONDS BOOL P  I
BOOL P
r
 NA  NB  NC Cmd
r
BOOL P
n
 NP
r
BOOL A  Cmd
A
 NCmd
B
 NCmd
C
 NE  P  P
n
BOOL B  Cmd
B
 NCmd
A
 NCmd
C
 NE  P  P
r
BOOL C  Cmd
C
 NCmd
A
 NCmd
B
 NE  P  P
n
END BOOLEAN EQUATION SECTION
The signals A B and C can only be green or red The variables A B and
C are outputs that control the signals with the same name If A is  then
A shows green otherwise A shows red
 in the same way the B and C are
interpreted Occupation of the track is measured with input I  if I is  the
corresponding track level device says the point is free But this will be believed
only by the VPI if this is measured twice therefore P is delayed P
r
and P
n
indicate whether the point is reverse or normal position E is a variable that
signals an erroneous situation Finally the variables Cmd
A
 Cmd
B
 Cmd
C
and Cmd
r
are inputs that correspond to commands issued to the VPI When
Cmd
A
is  this signals that A should turn green otherwise A should turn
red In the same way Cmd
B
and Cmd
C
are interpreted When Cmd
r
is 

Chapter  The Vital Processor Interlocking
this signals that the point should move to reverse position otherwise that
the point should move to normal position Consider the following four modal
formulas Note that in the modal formulas VLC

expressions are used instead
of the CRL representations The rst two formulas will turn out to hold the
last two will turn out not to hold

- At most one of the signals A, B and C is green:

  $\varphi_1 = \forall v{:}Valuation.\ [send(v)]\ evaluate(A\,B + A\,C + B\,C, v) = 0$

- If signal A, B or C shows green then I is 1, and also in the previous control cycle I was 1:

  $\varphi_2 = \forall v{:}Valuation.\ [send(v)]\ (evaluate(A + B + C, v) = 1 \Rightarrow (evaluate(I, v) = 1 \land J^{\ldots}(\forall v'{:}Valuation.\ [send(v')]\ evaluate(I, v') = 1)))$

- If A shows green then the point was already in the normal position:

  $\varphi_3 = \forall v{:}Valuation.\ [send(v)]\ (evaluate(A, v) = 1 \Rightarrow J^{\ldots}(\forall v'{:}Valuation.\ [send(v')]\ evaluate(P_n, v') = 1))$

- If a conflict is detected then the point should not move. An instance of this says: if a conflict is detected and the point is in normal position, then it will stay in normal position:

  $\varphi_4 = \forall v{:}Valuation.\ [send(v)]\ (evaluate(E\,P_n, v) = 1 \Rightarrow N^{\ldots}(\forall v'{:}Valuation.\ [send(v')]\ evaluate(P_n, v') = 1))$
The question is whether the propositions generated from LY and the formulas $\varphi_1$ to $\varphi_4$ are tautologies. In other words, do the following statements hold?

  $\models prop(slice(J^{\ldots}(LY), sliceids(\varphi_1)), prop(\varphi_1))$
  $\models prop(slice(J^{\ldots}(LY), sliceids(\varphi_2)), prop(\varphi_2))$
  $\models prop(slice(J^{\ldots}(LY), sliceids(\varphi_3)), prop(\varphi_3))$
  $\models prop(slice(N^{\ldots}(LY), sliceids(\varphi_4)), prop(\varphi_4))$

Not all transformation steps are given; only the resulting propositions are shown. These propositions, following the order of the statements above, are listed and commented on below.

It is not hard to convince oneself that the program obeys $\varphi_1$ and $\varphi_2$ (see the first two figures below). In accordance with the claims in the section on tautology checkers, the first two propositions listed below turn out to be tautologies.
propsliceJ

LY  sliceids

 prop



E  A
J
 B
J
 C
J
 A
J
 B
J
 A
J
 C
J
 B
J
 C
J
 
P  P
J
 P

J
  I  
P
r
 A
J
 B
J
 C
J
 Cmd
r
 
P
n
 P
r
 
A Cmd
A
 Cmd
B
 Cmd
C
 E  P  P
n
 
B  Cmd
B
 Cmd
A
 Cmd
C
 E  P  P
r
 
C  Cmd
C
 Cmd
A
 Cmd
B
 E  P  P
n


A B  A  C  B  C
Figure A
 The proposition for 


It is also not hard to convince oneself that $\varphi_3$ and $\varphi_4$ do not hold (see the last two figures). In accordance with the claims in the section on tautology checkers, the corresponding propositions are not tautologies. One can in both cases easily construct a valuation that renders the proposition false.
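The slicing definition of the slicing section and the Little Yard verification of this appendix, worked through in Python. This is an added example, not the thesis's tooling (which was specified in ASF+SDF and implemented in C): it implements the backward static slice (extended from one identifier to a set), unrolls a program over the time depth of a criterion so that the J and N superscripts become cycle-indexed atoms, and decides tautology by enumerating the free atoms. The encoding is mine: expressions are nested tuples, `x@k` is the value of `x` in cycle `k`, and the timer of LY is modelled, as a simplifying assumption, as "I measured in two consecutive cycles" via a helper assignment `I_last`; the delay value does not matter for the four criteria. The four-assignment program P of the slicing section is included as `P_EX`.

```python
# Added example (Python), not the thesis's ASF+SDF/C tooling: backward static
# slicing, unrolling over the time depth, and tautology checking of VPI propositions.
from itertools import product

def ids(expr):
    """Identifiers in an expression: a str, or a tuple ('and'|'or'|'not', sub, ...)."""
    if isinstance(expr, str):
        return {expr}
    return set().union(*(ids(sub) for sub in expr[1:]))

def evaluate(expr, valuation):
    """Value (0 or 1) of an expression under a valuation (identifier -> 0/1)."""
    if isinstance(expr, str):
        return valuation[expr]
    op, *args = expr
    vals = [evaluate(arg, valuation) for arg in args]
    if op == "not":
        return 1 - vals[0]
    return int(all(vals)) if op == "and" else int(any(vals))

def slice_program(program, criterion):
    """Backward static slice of a single-assignment program for a set of identifiers:
    one backward pass, an assignment is kept iff its target is in the criterion or is
    read by a later assignment that is kept (linear in the number of assignments)."""
    wanted = set(criterion)
    kept = []
    for target, expr in reversed(program):
        if target in wanted:
            kept.append((target, expr))
            wanted |= ids(expr)
    kept.reverse()
    return kept

def unroll(program, inputs, depth):
    """Unroll over depth+1 cycles; x in cycle k becomes x@k. A reference to x means
    x@k if x is an input or already assigned in cycle k, else the previous cycle's
    x@(k-1); x@-1 are the kept values (for depth 1: x@1 = x, x@0 = x^J, x@-1 = x^JJ)."""
    def rename(expr, k, assigned):
        if isinstance(expr, str):
            here = expr in inputs or expr in assigned
            return f"{expr}@{k if here else k - 1}"
        return (expr[0],) + tuple(rename(sub, k, assigned) for sub in expr[1:])
    unrolled = []
    for k in range(depth + 1):
        assigned = set()
        for target, expr in program:
            unrolled.append((f"{target}@{k}", rename(expr, k, assigned)))
            assigned.add(target)
    return unrolled

def is_tautology(program, formula):
    """Decide |= prop(program) => formula. The antecedent is a hierarchical conjunction
    of equivalences x <-> e, so each assignment of the free atoms (inputs, kept values)
    extends to exactly one satisfying valuation: enumerate them and test the formula."""
    outputs = {target for target, _ in program}
    free = sorted(set().union(ids(formula), *(ids(e) for _, e in program)) - outputs)
    for bits in product((0, 1), repeat=len(free)):
        val = dict(zip(free, bits))
        for target, expr in program:      # hierarchical order: every read is defined
            val[target] = evaluate(expr, val)
        if evaluate(formula, val) == 0:
            return False, val             # falsifying valuation
    return True, None

# Program P of the slicing section (its timer delay is irrelevant for slicing).
P_EX = [("Q", "I"), ("R", ("or", "Q", "V")),
        ("V", ("and", "Q", ("not", "R"))), ("U", "V")]

# Little Yard (LY) in single-assignment form. Assumption: the timer is modelled as
# "I in this and in the previous cycle" via I_last, assigned last so P reads the old I.
INPUTS = {"I", "Cmd_A", "Cmd_B", "Cmd_C", "Cmd_r"}
LY = [
    ("E", ("or", ("and", "A", "B", "C"), ("and", "A", "B"), ("and", "A", "C"), ("and", "B", "C"))),
    ("P", ("and", "I", "I_last")),
    ("P_r", ("and", ("not", "A"), ("not", "B"), ("not", "C"), "Cmd_r")),
    ("P_n", ("not", "P_r")),
    ("A", ("and", "Cmd_A", ("not", "Cmd_B"), ("not", "Cmd_C"), ("not", "E"), "P", "P_n")),
    ("B", ("and", "Cmd_B", ("not", "Cmd_A"), ("not", "Cmd_C"), ("not", "E"), "P", "P_r")),
    ("C", ("and", "Cmd_C", ("not", "Cmd_A"), ("not", "Cmd_B"), ("not", "E"), "P", "P_n")),
    ("I_last", "I"),
]

# (time depth, prop(formula)) for phi1..phi4 of this appendix; "=> " is ("or", ("not", a), b).
CRITERIA = {
    "phi1": (0, ("not", ("or", ("and", "A@0", "B@0"), ("and", "A@0", "C@0"), ("and", "B@0", "C@0")))),
    "phi2": (1, ("or", ("not", ("or", "A@1", "B@1", "C@1")), ("and", "I@1", "I@0"))),
    "phi3": (1, ("or", ("not", "A@1"), "P_n@0")),
    "phi4": (1, ("or", ("not", ("and", "E@0", "P_n@0")), "P_n@1")),
}

def check(name):
    """(verdict, assignments before slicing, assignments after slicing) for a criterion."""
    depth, formula = CRITERIA[name]
    full = unroll(LY, INPUTS, depth)
    sliced = slice_program(full, ids(formula))
    verdict, _ = is_tautology(full, formula)
    assert is_tautology(sliced, formula)[0] == verdict   # slicing preserves the verdict
    return verdict, len(full), len(sliced)

if __name__ == "__main__":
    print({name: check(name) for name in CRITERIA})   # phi1, phi2 hold; phi3, phi4 do not
```

The enumeration exploits the hierarchical shape of the antecedent: since every output is fixed by its equivalence once the inputs and kept values are chosen, checking the whole VPI proposition reduces to running the program on each choice of free atoms. The sliced counts illustrate the point of the slicing section: for $\varphi_4$ only 9 of the 16 unrolled assignments survive (the whole current cycle plus P_r and P_n of the next cycle, as in the last figure below), and the verdicts on sliced and unsliced programs coincide, as the lemma on fully unrelated atoms guarantees.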
propsliceJ

LY  sliceids

 prop



E
J
 A
JJ
 B
JJ
 C
JJ
 A
JJ
 B
JJ
 A
JJ
 C
JJ

B
JJ
 C
JJ
 
P
J
 P
JJ
 P

JJ
  I
J
 
P

J
 I
J
 
P
r
J
 A
JJ
 B
JJ
 C
JJ
 Cmd
r
J
 
P
n
J
 P
r
J
 
A
J
 Cmd
A
J
 Cmd
B
J
 Cmd
C
J
 E
J
 P
J
 P
n
J
 
B
J
 Cmd
B
J
 Cmd
A
J
 Cmd
C
J
 E
J
 P
J
 P
r
J
 
C
J
 Cmd
C
J
 Cmd
A
J
 Cmd
B
J
 E
J
 P
J
 P
n
J
 
E  A
J
 B
J
 C
J
 A
J
 B
J
 A
J
 C
J
 B
J
 C
J
 
P  P
J
 P

J
  I  
P
r
 A
J
 B
J
 C
J
 Cmd
r
 
P
n
 P
r
 
A Cmd
A
 Cmd
B
 Cmd
C
 E  P  P
n
 
B  Cmd
B
 Cmd
A
 Cmd
C
 E  P  P
r
 
C  Cmd
C
 Cmd
A
 Cmd
B
 E  P  P
n


A B  C I  I
J

Figure A The proposition for 



SFM van Vlijmen
propsliceJ

LY  sliceids

 prop



E
J
 A
JJ
 B
JJ
 C
JJ
 A
JJ
B
JJ
 A
JJ
 C
JJ

B
JJ
 C
JJ
 
P
J
 P
JJ
 P

JJ
  I
J
 
P

J
 I
J
 
P
r
J
 A
JJ
 B
JJ
 C
JJ
 Cmd
r
J
 
P
n
J
 P
r
J
 
A
J
 Cmd
A
J
 Cmd
B
J
 Cmd
C
J
 E
J
 P
J
 P
n
J
 
B
J
 Cmd
B
J
 Cmd
A
J
 Cmd
C
J
 E
J
 P
J
 P
r
J
 
C
J
 Cmd
C
J
 Cmd
A
J
 Cmd
B
J
 E
J
 P
J
 P
n
J
 
E  A
J
 B
J
 C
J
 A
J
 B
J
 A
J
 C
J
 B
J
 C
J
 
P  P
J
 P

J
  I  
P
r
 A
J
 B
J
 C
J
 Cmd
r
 
P
n
 P
r
 
A Cmd
A
 Cmd
B
 Cmd
C
 E  P  P
n


A P
n
J

Figure A The propostion for 



propsliceN

LY  sliceids

 prop



E  A
J
 B
J
 C
J
 A
J
 B
J
 A
J
 C
J
 B
J
 C
J
 
P  P
J
 P

J
  I  
P
r
 A
J
 B
J
 C
J
 Cmd
r
 
P
n
 P
r
 
A Cmd
A
 Cmd
B
 Cmd
C
 E  P  P
n
 
B  Cmd
B
 Cmd
A
 Cmd
C
 E  P  P
r
 
C  Cmd
C
 Cmd
A
 Cmd
B
 E  P  P
n
 
P
r
N
 A  B  C  Cmd
r
N
 
P
n
N
 P
r
N


P
n
 E  P
n
N

Figure A The proposition for 



SFM van Vlijmen
B CRL specication of the VPI
sort Bool
func T F  Bool
or and  Bool#Bool Bool
not  Bool Bool
if  Bool#Bool#Bool Bool
var x y z  Bool
rew notT   F
notF   T
orT x  T
orx T   T
orF x  x
orx F   x
andx y  notornotx noty
ifx y z  orandx y andnotx z
sort Natural
func nat  Natural
S  Natural Natural
eq  Natural#Natural Bool
var x y  Natural
rew eqnat nat  T
eqSx nat  F
eqnat Sx  F
eqSx Sy  eqx y
sort Integer
func   Integer
  Integer
int  Natural#Natural Integer
eq  Integer#Integer Bool
up  Integer Integer
BoolInt  Bool Integer
IntBool  Integer Bool
if  Bool#Integer#Integer Integer
var x y  Natural
i i  Integer
rew   intnat nat
  intSnat nat
intSx Sy  intx y
eqintnat x intnat y  eqx y
eqintx nat inty nat  eqx y
eqintnat Sx inty nat  F

Chapter  The Vital Processor Interlocking
eqintSx nat intnat y  F
upintx nat  intSnat nat
upintnat Sx  intnat x
BoolIntT   
BoolIntF   
IntBoolintSx nat  T
IntBoolintnat x  F
ifT i i  i
ifF i i  i
sort Identier
func id  Natural Identier
eq  Identier#Identier Bool
var n n  Natural
rew eqidn idn  eqn n
sort Identiers
func emptyids  Identiers
add  Identier#Identiers Identiers
in  Identier#Identiers Bool
in  Identiers#Identiers Bool
union  Identiers#Identiers Identiers
rem  Identier#Identiers Identiers
rem  Identiers#Identiers Identiers
isect  Identiers#Identiers Identiers
eq  Identiers#Identiers Bool
if  Bool#Identiers#Identiers Identiers
var id id id  Identier
ids ids ids  Identiers
rew addid addid ids  addid ids
addid addid ids  addid addid ids
inid emptyids  F
inid addid ids  oreqid id inid ids
inemptyids ids  T
inaddid ids ids  andinid ids inids ids
unionemptyids ids  ids
unionaddid ids ids  addid unionids ids
remid emptyids  emptyids
remid addid ids 
ifeqid id remid ids addid remid ids
rememptyids ids  ids
remaddid ids ids  remids remid ids
isectemptyids ids  emptyids
isectaddid ids ids 

SFM van Vlijmen
ifinid ids addid isectids ids isectids ids
eqids ids  andinids ids inids ids
ifT ids ids  ids
ifF ids ids  ids
sort Expression
func ex : Identifier -> Expression
     and, or : Expression # Expression -> Expression
     not : Expression -> Expression
     ids : Expression -> Identifiers
var id : Identifier
    e1, e2, e3, e4 : Expression
rew ids(ex(id)) = add(id, emptyids)
    ids(not(e1)) = ids(e1)
    ids(and(e1, e2)) = union(ids(e1), ids(e2))
    ids(or(e1, e2)) = union(ids(e1), ids(e2))
sort Assignment
func a : Identifier # Expression -> Assignment
     ta : Natural # Identifier # Expression -> Assignment
     ids : Assignment -> Identifiers
var n : Natural
    id1, id2, id3 : Identifier
    e1, e2, e3 : Expression
rew ids(a(id1, e1)) = add(id1, ids(e1))
    ids(ta(n, id1, e1)) = add(id1, ids(e1))
sort Program
func emptyprogram : -> Program
     add : Assignment # Program -> Program
     singleassignment : Program -> Bool
     outputs : Program -> Identifiers
     inputs : Program -> Identifiers
     keep : Program -> Identifiers
     ids : Program -> Identifiers
var p : Program
    id : Identifier
    n : Natural
    e : Expression
    a : Assignment
rew singleassignment(emptyprogram) = T
    singleassignment(add(a(id, e), p)) =
        and(not(in(id, outputs(p))), singleassignment(p))
    singleassignment(add(ta(n, id, e), p)) =
        and(not(in(id, outputs(p))), singleassignment(p))
    outputs(emptyprogram) = emptyids
    outputs(add(a(id, e), p)) = add(id, outputs(p))
    outputs(add(ta(n, id, e), p)) = add(id, outputs(p))
    inputs(p) = rem(outputs(p), ids(p))
    keep(emptyprogram) = emptyids
    keep(add(a(id, e), p)) = union(isect(ids(e), add(id, outputs(p))), keep(p))
    keep(add(ta(S(n), id, e), p)) =
        add(id, union(isect(ids(e), outputs(p)), keep(p)))
    ids(emptyprogram) = emptyids
    ids(add(a, p)) = union(ids(a), ids(p))
    ta(0nat, id, e) = a(id, e)
sort Valuation
func emptyvaluation : -> Valuation
     add : Identifier # Integer # Valuation -> Valuation
     add : Valuation # Valuation -> Valuation
     retrieve : Identifier # Valuation -> Integer
     select : Identifiers # Valuation -> Valuation
     evaluate : Program # Valuation -> Valuation
     evaluate : Assignment # Valuation -> Valuation
     evaluate : Expression # Valuation -> Integer
     normalize : Valuation -> Valuation
     ids : Valuation -> Identifiers
     if : Bool # Valuation # Valuation -> Valuation
var v1, v2, v3 : Valuation
    id1, id2, id3 : Identifier
    ids : Identifiers
    n : Natural
    i1, i2, i3 : Integer
    a : Assignment
    p : Program
    e1, e2, e3 : Expression
rew add(id1, i1, add(id2, i2, v1)) =
        if(eq(id1, id2), add(id1, i1, v1), add(id2, i2, add(id1, i1, v1)))
    add(emptyvaluation, v1) = v1
    add(add(id1, i1, v1), v2) = add(id1, i1, add(v1, v2))
    retrieve(id1, emptyvaluation) = 0
    retrieve(id1, add(id2, i1, v1)) = if(eq(id1, id2), i1, retrieve(id1, v1))
    select(ids, emptyvaluation) = emptyvaluation
    select(ids, add(id1, i1, v1)) =
        if(in(id1, ids), add(id1, i1, select(rem(id1, ids), v1)), select(ids, v1))
    evaluate(emptyprogram, v1) = v1
    evaluate(add(a, p), v1) = evaluate(p, evaluate(a, v1))
    evaluate(a(id1, e1), v1) = add(id1, evaluate(e1, v1), v1)
    evaluate(ta(n, id1, e1), v1) =
        if(eq(evaluate(e1, v1), 1),
           add(id1, up(retrieve(id1, v1)), v1), add(id1, int(0nat, n), v1))
    evaluate(ex(id1), v1) = retrieve(id1, v1)
    evaluate(not(e1), v1) = BoolInt(not(IntBool(evaluate(e1, v1))))
    evaluate(or(e1, e2), v1) =
        BoolInt(or(IntBool(evaluate(e1, v1)), IntBool(evaluate(e2, v1))))
    evaluate(and(e1, e2), v1) =
        BoolInt(and(IntBool(evaluate(e1, v1)), IntBool(evaluate(e2, v1))))
    normalize(emptyvaluation) = emptyvaluation
    normalize(add(id1, i1, v1)) = add(id1, BoolInt(IntBool(i1)), normalize(v1))
    ids(emptyvaluation) = emptyids
    ids(add(id1, i1, v1)) = add(id1, ids(v1))
    if(T, v1, v2) = v1
    if(F, v1, v2) = v2
act send : Valuation
    read : Valuation
proc VPI(p : Program, show : Identifiers, v : Valuation) =
    sum(inp : Valuation,
        read(inp) .
        send(normalize(select(show, evaluate(p, add(inp, v))))) .
        VPI(p, show, select(keep(p), evaluate(p, add(inp, v))))
        <| and(singleassignment(p),
               and(eq(inputs(p), ids(inp)), eq(keep(p), ids(v)))) |> delta)
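The Program, Valuation and VPI definitions above, rendered as an added Python example (not code from the thesis or its µCRL toolset). A program is a list of (n, id, e) triples where n == 0 stands for a(id, e), following ta(0nat, id, e) = a(id, e); the sample program and its identifier names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructors of sort Expression: ex(id), not(e), and(e1, e2), or(e1, e2).
@dataclass(frozen=True)
class Ex: name: str
@dataclass(frozen=True)
class Not: e: object
@dataclass(frozen=True)
class And: l: object; r: object
@dataclass(frozen=True)
class Or: l: object; r: object
def ids(e):  # ids(e): the identifiers an expression reads
    if isinstance(e, Ex): return {e.name}
    if isinstance(e, Not): return ids(e.e)
    return ids(e.l) | ids(e.r)
def int_bool(i): return i > 0              # IntBool: int(S(x), 0nat) is T, int(0nat, x) is F
def bool_int(b): return 1 if b else 0      # BoolInt(T) = 1, BoolInt(F) = 0
def up(i): return 1 if i >= 0 else i + 1   # up: a negative timer counts towards 0, then 1

def evaluate_expr(e, v):  # evaluate : Expression # Valuation -> Integer
    if isinstance(e, Ex): return v.get(e.name, 0)           # retrieve of an absent id is 0
    if isinstance(e, Not): return bool_int(not int_bool(evaluate_expr(e.e, v)))
    a, b = int_bool(evaluate_expr(e.l, v)), int_bool(evaluate_expr(e.r, v))
    return bool_int(a and b if isinstance(e, And) else a or b)

def evaluate_program(prog, v):  # prog: list of (n, id, e); n == 0 is a(id, e), n > 0 is ta(n, id, e)
    v = dict(v)
    for n, name, e in prog:                                  # assignments apply in program order
        if n == 0: v[name] = evaluate_expr(e, v)
        elif evaluate_expr(e, v) == 1: v[name] = up(v.get(name, 0))  # timer keeps running
        else: v[name] = -n                                   # timer reset to int(0nat, n)
    return v

def outputs(prog): return {name for _, name, _ in prog}
def inputs(prog): return set().union(*(ids(e) for _, _, e in prog)) - outputs(prog)
def single_assignment(prog): return len(prog) == len(outputs(prog))
def keep(prog):  # keep(p): timers, plus values read before this cycle (re)assigns them
    k = set()
    for i, (n, name, e) in enumerate(prog):
        later = outputs(prog[i + 1:])
        k |= ids(e) & (later | {name}) if n == 0 else {name} | (ids(e) & later)
    return k

def vpi_cycle(prog, show, v, inp):  # one step of proc VPI(p, show, v) on read(inp)
    if not (single_assignment(prog) and inputs(prog) == set(inp) and keep(prog) == set(v)):
        return None, v                                       # guard false: the process is delta
    full = evaluate_program(prog, {**v, **inp})              # evaluate(p, add(inp, v))
    sent = {k: bool_int(int_bool(i)) for k, i in full.items() if k in show}  # normalize(select(show, ..))
    return sent, {k: i for k, i in full.items() if k in keep(prog)}           # select(keep(p), ..)

# Constructed sample program: a route request is held through a 2-second timer before the signal clears.
SAMPLE = [(0, "ROUTE_SET", And(Ex("REQUEST"), Ex("TRACK_FREE"))), (2, "ROUTE_HELD", Ex("ROUTE_SET")),
          (0, "SIGNAL_GREEN", And(Ex("ROUTE_HELD"), Ex("TRACK_FREE")))]
```

Running vpi_cycle repeatedly with REQUEST and TRACK_FREE held at 1 shows the timer value stepping -2, -1, 0, 1 before SIGNAL_GREEN becomes 1, and dropping TRACK_FREE resets it to -2 in one cycle.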
 
C  SDF specification of VLC

Module Integers (which also specifies the natural numbers), module Booleans
and module Layout are not listed.
module Vpi
imports Integers
exports
  sorts
    Program Identifier Assignment Expr Inputsection
    Outputsection Codesection Resultsection Parametersection
    Timersection Equationsection Application
    Applications Applinote Assignments
  lexical syntax
    [\ \t\n]                                       -> LAYOUT
    "!" ~[\n]* "\n"                                -> LAYOUT
    [a-zA-Z0-9]+                                   -> Identifier
    ~[\n]* "\n"                                    -> Applinote
  context-free syntax
    Inputsection Outputsection Codesection
    Resultsection Parametersection Timersection
    Equationsection                                -> Program
    "DIRECT INPUT SECTION" Identifier*             -> Inputsection
    "OUTPUT SECTION" Identifier*                   -> Outputsection
    "CODE SYSTEM SECTION" Identifier*              -> Codesection
    "CURRENT RESULT SECTION" Identifier*           -> Resultsection
    "SELF-LATCHED PARAMETER SECTION" Identifier*   -> Parametersection
    "TIMER EXPRESSION RESULT SECTION" Identifier*  -> Timersection
    "BOOLEAN EQUATION SECTION" Applications
    "END-BOOLEAN-EQUATION-SECTION"                 -> Equationsection
    Assignment*                                    -> Assignments
    Application*                                   -> Applications
    "APPLICATION" Applinote Assignments            -> Application
    "BOOL" Identifier "=" Expr                     -> Assignment
    "TIME DELAY" "=" NAT "SECONDS"
    "BOOL" Identifier "=" Expr                     -> Assignment
    "TRUE"                                         -> Expr
    "FALSE"                                        -> Expr
    Identifier                                     -> Expr
    "N" Expr                                       -> Expr
    Expr "*" Expr                                  -> Expr {assoc}
    Expr "+" Expr                                  -> Expr {assoc}
    "(" Expr ")"                                   -> Expr {bracket}
  priorities
    "N" Expr -> Expr >
    Expr "*" Expr -> Expr >
    Expr "+" Expr -> Expr
