Verification of a safety-critical railway interlocking system with real-time constraints  by Hartonas-Garmhausen, Vicky et al.
Science of Computer Programming 36 (2000) 53{64
www.elsevier.nl/locate/scico
Verication of a safety-critical railway interlocking system
with real-time constraints(
Vicky Hartonas-Garmhausena ; , Sergio Camposb, Alessandro Cimattic,
Edmund Clarked, Fausto Giunchigliac;e
aCarnegie Mellon University, Pittsburgh, PA 15213, USA
bFederal University of Minas Gerais, Brazil
cIstituto per la Ricerca Scientica e Tecnologica (IRST), Trento, Italy
dCarnegie Mellon University, Pittsburgh, PA 15213, USA
eDISA, University of Trento, Trento, Italy
Abstract
Ensuring the correctness of computer systems used in life-critical applications is very dicult.
The most commonly used verication methods, simulation and testing, are not exhaustive and can
miss errors. This work describes an alternative verication technique based on symbolic model
checking that can automatically and exhaustively search the state space of the system and verify if
properties are satised or not. The method also provides useful quantitative timing information
about the behavior of the system. We have applied this technique using the Verus tool to a
complex safety-critical system designed to control medium and large-size railway stations. We
have identied some anomalous behaviors in the model with serious potential consequences in
the actual implementation. The fact that errors can be identied before a safety-critical system
is deployed in the eld not only eliminates sources of very serious problems, but also makes it
signicantly less expensive to debug the system. c© 2000 Published by Elsevier Science B.V.
All rights reserved.
Keywords: Safety-critical systems; Railway systems; Formal verication; Symbolic model
checking; Quantitative analysis
( This research is sponsored by the Semiconductor Research Corporation (SRC) under Contract No.
97-DJ-294, the National Science Foundation (NSF) under Grant No. CCR-9505472, and the Defense
Advanced Research Projects Agency (DARPA) under Contract No. DABT63-96-C-0071. Any opinions,
ndings and conclusions or recommendations expressed in this material are those of the authors and do not
necessarily reect the views of SRC, NSF, DARPA, or the United States Government.
∗ Corresponding author.
E-mail addresses: hartonas@cs.cmu.edu (V. Hartonas-Garmhausen), scampos@dcc.umfg.br (S. Campos),
cimatti@irst.itc.it (A. Cimatti), emc@cs.cmu.edu (E. Clarke), fausto@irst.itc.it (F. Giunchiglia)
0167-6423/00/$ - see front matter c© 2000 Published by Elsevier Science B.V. All rights reserved.
PII: S 0167 -6423(99)00016 -7
54 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
1. Introduction
Ensuring the correctness of computer systems is a complex task of paramount im-
portance, especially when such systems control and monitor life-critical operations. The
verication of industrial computer systems is particularly dicult due to their size and
complexity. The most frequently used methods, simulation and testing, are not exhaus-
tive and can miss important errors. While the use of both methods can increase the
reliability of the application, they cannot fulll the verication needs of modern com-
plex safety-critical systems. Formal methods are an additional methodology to tackle
this problem. Formal verication tools allow an exhaustive search to be automatically
performed on the state space of the system, avoiding the shortcomings of both simu-
lation and testing.
In this paper we describe a case study in formal verication based on a real industrial
system. We veried the safety logic of ACC (\Apparato Centrale a Calcolatore") [26],
a complex real-world safety-critical system developed by Ansaldo Transporti for the
control of medium and large-size railway stations.
The verication was performed using Verus [7, 13], a formal verication tool, which
combines symbolic model checking and quantitative timing analysis. Verus allows for
the formalization of systems in an imperative language with a syntax similar to C. This
language includes special constructs for the straightforward expression of timing prop-
erties, simplifying the description of real-time and safety-critical systems. The language
is compiled into state-transition graphs, to which powerful symbolic model checking
and quantitative algorithms can be applied. Symbolic model checking algorithms search
the state space exhaustively to determine whether the model satises its specications.
The method has proven to be very successful in nding design errors in several in-
dustrial systems and protocols [6, 10, 12, 18]. Moreover, Verus extends the power of
model checking by allowing the determination of quantitative timing information such
as response time to events, schedulability of a set of tasks, and performance measures.
The model of a Verus program is a nite state-transition graph, where each state is
one possible assignment of values to all variables in the model. Verus uses a discrete
notion of time. Each transition in the graph corresponds to one time unit. The simplicity
of this representation makes it amenable to a symbolic implementation using binary
decision diagrams. This representation is very ecient, as attested by the complex
systems veried. One example has 15 concurrent processes and counterexamples that
have thousands of states produced in seconds. Perhaps more indicative of the usefulness
of the method than the size of the counterexamples are the types of systems veried.
We have applied this method to the verication of several real systems, such as an
aircraft controller [9], a robotics controller [11] and a distributed heterogeneous real-
time system [14]. In all cases, the examples veried are either actual existing systems
or use components and protocols employed in current industrial products.
We use a discrete notion of time. In recent years, there has been considerable research
on algorithms that use continuous time [1, 2, 21, 22]. Most of these techniques use a
transition relation with a nite set of real-valued clocks and constraints on times when
V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64 55
transitions may occur. It can be argued that such algorithms lead to more accurate
results than discrete time algorithms. However, an uncountable innite state space is
required to handle continuous time, because the time component in the states can take
arbitrary real values. Most verication procedures based on this paradigm depend on
constructing a nite quotient space called a region graph out of the innite state space.
Unfortunately, the region graph construction is very expensive in practice and current
implementations of the algorithms can only handle quotient spaces with at most a
few thousand states. This makes it impossible to verify large complex systems using
continuous time tools.
In this work a formal model of the interlocking system has been produced in the
input language of Verus. A set of qualitative (e.g. safety, liveness) and quantitative (e.g.
response times) properties have been automatically analyzed. Despite the complexity of
the system (the model has about 1027 states) the analysis has been performed within
minutes. A subtle and anomalous behavior leading to a deadlock of the system has
been discovered by Verus. The anomalous behavior was pinpointed by an automatically
generated counterexample trace, showing precisely the behavior leading to the violating
state. The same behavior had blocked the entire operation during a eld test of an earlier
design of the system.
Related work.
A large part of literature on the application of formal methods to railway systems
(e.g. [24, 27]) addresses the proof of requirements with theorem proving tools. These
tools are often dicult to apply at design time because they require an intense and
specialized user-intervention.
The formal verication of the application discussed in this paper has also been tack-
led in an independent project by Bernardeschi et al. [3]. There are however signicant
dierences: the model focuses on the modeling of the operations in process algebra
and does not take into account the structure of the Scheduler. This approach generates
complex models and abstraction techniques, unless strongly automatized (see [25]), are
hard to apply within the development cycle as they often require human intervention
of specialized users.
The same system of specications has been analyzed [15, 16] using the SPIN [23]
tool. SPIN is mainly designed for the analysis of asynchronous systems and protocols.
The input language is an imperative style programming language, extended with con-
structs for specifying nondeterministic computations and communication. The analysis
of temporal and real-time properties is based on explicit state space search. For this
particular application, the compression techniques implemented in SPIN allow the user
to limit the amount of memory required for the search, usually the main bottleneck
in explicit-state verication, and thus scale up the analysis to complex interlocking
congurations.
An interesting class of applications in the verication of railway interlocking systems
is the one based on automated procedures for propositional logic and linear arithmetic
[4, 20]. These applications are based on the Stalmarck procedure, a patented method
for propositional satisability [28]. The idea is to model the dynamics of the system in
56 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
propositional logic by imposing a time bound on the temporal interval to be analyzed.
The applications validated automatically with this approach appear to be of very high
complexity, which is dealt with very eciently by the automated procedures. The major
dierence with the work presented here is that the safety logic has a highly recursive
behavior, more than the programs in VPIs [20], which seems dicult to handle by
provers based on the Stalmarck method.
Outline. This paper is structured as follows. In Section 2 we present the Inter-
locking system. In Section 3 we describe the formal model and in Section 4
we describe the formal verication of the safety logic. In Section 5 we draw some
conclusions.
2. The application
We focused on a complex real-world safety critical application developed by Ansaldo
Transporti, called ACC (\Apparato Centrale a Calcolatore"), a highly programmable
and scalable computer interlocking system for the control of railway stations, imple-
mented as a vital architecture based on redundancy. The system is composed of a
central nucleus connected to peripheral posts for the control of physical devices (e.g.
level crossings, track circuits, signals and switches). The nucleus of the system is based
on three independent computers, connected in parallel to create a \2-out-of-3" major-
ity logic. Each of these sections runs (independently developed versions of) the same
application program. When one of the sections disagrees, it is automatically excluded
by vital hardware. The peripheral posts are also based on a redundancy architecture,
with a \2-out-of-2" conguration of processors.
Two intrinsic sources of complexity make the verication of this system an impor-
tant work. The rst is the large size of the controlled physical plants. Large railway
stations may include as many as 2000 physical devices. The second source of complex-
ity is due to nondeterminism. Although the software is completely deterministic, and
the possible external events (e.g. task requests, response and even faults of peripheral
devices) have been exhaustively classied, the system does not know when the next
resource will be requested, or when a peripheral device may fail. Furthermore, the
system is subject to timing constraints, as it is important to ensure bounds to response
time.
The \safety logic" of the ACC is a software subsystem that implements the logical
functions requested by the external operator. A high-level picture of the Safety Logic
of the ACC, together with its environment, is shown in Fig. 1. The Safety Logic (SL),
which is connected to the peripheral devices of the station and to an external operator,
can be thought of as a deterministic reactive controller embedded in a nondeterministic
environment. The inputs to the system include manual commands from the external
operator and sensor readings from the peripheral devices. The external operator may
issue the following commands: \Open level crossing 1", or \Set route from track 2 to
track 5". Physical device sensors may report \Level crossing 1 is open", or \Switch 2
V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64 57
Fig. 1. The ACC safety logic.
is in normal position". The outputs of the Safety Logic are the controls of the physical
devices, such as \ Move switch 12 to normal position", \Close level crossing 3".
This is achieved by means of a logical architecture based on a Scheduler controlling
the activation of application-dependent processes. The Scheduler is a cyclic program,
which activates, suspends, and terminates processes according to the process execution
status. One Scheduler is used across all congurations.
The specications dene the behavior of processes, i.e. how the process communi-
cates with other processes, accesses and modies variables, reacts to exceptions, and
so on. Each process is associated with a set of state variables, which depend on the
particular physical conguration. State variables are distinguished into logical variables,
which represent the status of the process computation, and control variables, which rep-
resent the status of the peripheral devices as they are read by the sensors. A process
can modify the value of a logical variable during the execution of the corresponding
operations, but it can not modify the value of a control variable. The control vari-
ables are set at the beginning of each cycle and do not change until the next cycle.
Processes may issue physical device commands and automatic commands, which are
commands from one process to another. Processes are often organized in a hierarchical
fashion: a process, which sets routes, may control a lower process, which controls a
physical device. The Safety Logic performs a single-thread computation, i.e. at most
one process is active at any one instant. Processes are activated in a master-slave way:
the Scheduler passes control to the process and suspends its own execution until the
process returns control. Global variables keep track of the status of the computation
and control the execution of the processes.
The system behavior is dened by operations, i.e. collections of basic actions to be
performed by the process. Operations include testing the value of variables, assigning
values to logical variables, sending commands to the peripheral devices, and sending
58 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
automatic commands to other processes. An activation table associates an operation to
each event determining the activation of the process. Operations are characterized by the
event that causes their activation: manual operations correspond to manual commands,
state operations to process states, and automatic operations to automatic commands.
The actions above are conditioned to tests. Operations consist of statements, which are
interpreted sequentially following the schema shown in Fig. 2. The VERIFY tests are
executed rst. If one of the tests fails, the corresponding EXCEPTION action is executed,
and the operation ends. If the preliminary tests are satised, commands are issued
during the SEND part and variables are set during the ASSIGN part.
The Scheduler executes operations of dierent types (e.g. manual, automatic, state) in
dierent phases of the cycle. The specications also determine what the process should
do after the execution of an operation. A process can terminate the activation and go
in a resting state, continue the current activity by executing another operation, and
suspend its execution to the next cycle. In the last case, the Scheduler will reactivate
the process at next cycle. Two queues are used by the Scheduler to store the processes
to be reactivated at current and next cycle.
3. A formal model of the safety logic
We veried a two process conguration of the Safety Logic. The system, which
controls the safe operation of a level crossing, is composed of the Scheduler and
two processes, LC and SHUNT, with over 17 operations and 18 dierent congurations
of the physical level crossing. The specications, which were dened in a condential
technical report during a technology transfer project involving IRST and Ansaldo, were
considered to be of signicant complexity due to the intrinsic complexity of the actual
Scheduler software design, which we modeled, and the large state space of the system.
In this section we describe how the SL together with its environment were modeled in
Verus. In the next section we show how the properties and timing requirements were
modeled and veried in Verus avoiding a state explosion.
A formal model of the actual SL was produced in the Verus language. The impera-
tive C-like language provided by Verus made it straightforward to express the Safety
Logic of the ACC. The Verus model preserves the cyclic structure of the SL, which
repeatedly acquires inputs from the external environments, evaluates the logic, and ac-
tivates processes. The main loop of the SL is implemented by means of a never-ending
while construct. Fig. 3 shows a segment of the Verus program that implements the
manual operation in SL corresponding to the manual command CLOSE GATE.
Language constructs have been kept simple in order to make the compilation into a
state-transition graph as ecient as possible. Simple constructs allow the precise ex-
pression of the desired features, since complex constructs sometimes force unnecessary
details into the specication. Time passes only on wait statements. This feature allows
a more accurate control of time, generates smaller models, since contiguous state-
ments are collapsed into one transition, and eliminates the possibility of implicit delays
V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64 59
Fig. 2. The schema of operations.
inuencing verication results. Smaller representations can then be generated, which is
critical to the eciency of the verication and permits larger examples to be handled.
Details about the Verus language can be found in [7, 8].
Verus supports nondeterminism, which allows partial specications to be described.
For example, we have used this feature, which is implemented with the select state-
ment, to assign the manual command at the start of each cycle:
MAN cmd= selectf NO CMD, CLOSE GATE, OPEN GATE;
RESTORE AUTO, ACTIVATE SHUNT, KILL SHUNTg;
60 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
Fig. 3. Example of verus code.
The activation of processes is dened by means of queues and the priority mechanism.
Verus allows an elegant formalization of queues based on dynamic scheduling. We
created the request variables req1 and req2 (for the current-cycle-processes) and nreq1
and nreq2 (for the next-cycle-processes) to be integers with values corresponding to
the priority level at which each process is requesting execution. The Scheduler chooses
the process with the highest requested priority. At the beginning of each cycle we
copy the list of next-cycle-processes to the current-cycle-processes and re-initialize the
next-cycle-process list to the empty list:
req1= nreq1; nreq1=0;
req2= nreq2; nreq2=0;
The request variables are updated depending on the type of transition (manual, state, or
automatic) and whether the process terminates or continues its execution. For example
in the manual phase, if process SHUNT does not terminate and does not continue, we
schedule its execution for the next cycle with priority higher than the priority of process
LC:
if (nreq2==0 && req2==0) nreq2= nreq1+1;
The Scheduler checks whether there are state processes to run in the current cycle
while(req1 ! = 0 j j req2 ! = 0)
and then activates process LC if req1> req2 and process SHUNT if req2> req1.
The Verus exception handling mechanism provides a general way to signal that a
certain condition is not veried. This feature has been exploited to gain condence in
the model by expressing a number of simple properties. For instance, we checked the
valid range of variables and the reachability of certain control points.
Process instantiation in Verus follows a synchronous model. All processes execute
in lock step, with one step in any process corresponding to one step in the other
processes. Asynchronous behavior can be modeled by using stuttering, which introduces
nondeterministic transitions and eectively models the desired behavior. This technique
is described in detail in [7].
V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64 61
4. Formal verication of the safety logic
The ACC SL has been veried using algorithms derived from symbolic model check-
ing because these algorithms are amenable to ecient implementations using symbolic
techniques [6]. The transition relation is represented by boolean formulas, and im-
plemented by binary decision diagrams [5]. This usually results in a much smaller
representation for the transition relation, allowing the verication of models several
orders of magnitude larger than those veried using traditional implementations. We
have used the Verus verication tool, which implements these techniques.
Verus allows the verication of untimed properties expressed as CTL formulas [16]
and timed properties expressed as real-time CTL, RTCTL, formulas [19]. CTL formulas
allow the verication of properties such \p will eventually occur", or \p" will never
be asserted". However, it is not possible to express bounded properties such as \p will
occur in less than 10 ms" directly. RTCTL model checking overcomes this restriction
by introducing time bounds on all CTL operators. For example, the formula AG(req
! AF0::10 ack) species that requests will always be acknowledged in 10 time units
or less. We represented the following safety properties as invariants in CTL:
1. The process SHUNT does not issue CLEAR-SIGNAL if the Level Crossing is not closed.
2. If the low signal was issued CLEAR-SIGNAL, the loss of the closed control of the
Level Crossing implies the stop of issue of CLEAR-SIGNAL.
3. The Safety Logic never issues contradictory commands during a cycle or the same
command twice in a cycle.
These properties, which were veried within seconds, are true. Next, we checked for
the absence of deadlocks and the termination of cycles. We had to ensure that the
recursion, which may happen when a process nishes executing an operation and con-
tinues with another operation during the same cycle, must terminate. This requirement
was modelled as a property of the form AF(end of cycle). During this analysis a
deadlock was found. Verus produced a counterexample, pointing to the loop which
happens when the RESTING state of a process is activated while that process is running
in the state phase. The specications did not include state operations corresponding
to the RESTING state. The loop occurred after a long execution sequence of events.
The counterexample is 58-steps deep pointing to complex interactions among various
elements of the system. It is unlikely that simulation or other verication methods can
generate similar information. A similar problem, which blocked the operation of the
system, was reported during a eld test on an early version of the Safety Logic. The
problem was xed by dening a null operation associated with the resting state, which
simply terminates.
Verus implements algorithms that determine the minimum and maximum length of
all paths leading from a set of starting states to a set of nal states. It also has
algorithms that calculate the minimum and the maximum number of times a specied
condition can hold on a path from a set of starting states to a set of nal states. For
example, by choosing as starting states those in which a process requests execution,
62 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
and as nal states those in which the process completes execution we can compute the
response time for that process. If we specify as third condition for the same intervals the
execution of lower-priority processes we can compute the amount of priority inversion
time that can aect the process.
Several types of information can be produced by this method. Response time to
events is computed by making the set of starting states correspond to the event, and
the set of nal states correspond to the response:
MIN(init cycle, end of cycle);
MAX(init cycle, end of cycle);
Schedulability analysis can be done by computing the response time of each process in
the system and comparing it to the process deadline. A performance analysis was carried
out by exploiting the timing primitives and the quantitative algorithms of Verus. We
modeled performance of operations by generating dierent models of the SL. We rst
used a unit weight for each operation, and then we specied dierent weights taking
into account the number of basic actions (e.g. tests, assignments). The quantitative
analysis provided detailed insight into the system behavior, which can be used to
optimize the performance and improve the reliability of the system.
5. Conclusions
In this paper we have described the verication of a safety critical railway interlock-
ing system called ACC. The system has been modeled and analyzed with the Verus
tool, which uses ecient symbolic algorithms for the verication of complex systems.
Verus uses a language especially designed to allow a natural representation of real-time
software systems. It also combines symbolic model checking and quantitative analysis
techniques to determine system correctness and to provide useful information about its
behavior.
The ACC is a very complex system designed to control medium to large railway
stations. Because of this it has been necessary to take advantage of several features of
Verus in order to complete the verication. The use of a procedural ‘C-like’ language
has made it possible to model the system in a straightforward manner. The eciency
of BDD-based algorithms has been vital to verify a model that has more than 1027
states. Two other features have been very important in understanding how the model
behaves: quantitative analysis has determined the performance of the system and the
counterexamples generated have assisted in understanding what the results mean.
This case study shows how formal methods can be used to ensure the correctness of
safety-critical systems of industrial complexity. It also shows that the Verus tool is a
viable alternative in the verication of such systems. Based on these results we believe
that not only can formal methods be used in current industrial systems but also that
they can provide results that cannot be obtained by other means.
V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64 63
References
[1] R. Alur, C. Courcourbetis, D. Dill, Model-checking for real-time systems, Proceedings of the fth
Symposium on Logics in Computer Science, 1990, pp. 414{425.
[2] R. Alur, D. Dill, Automata for modeling real-time systems, Lecture Notes in Computer Science, 17th
ICALP, Springer, Berlin, 1990.
[3] C. Bernardeschi, A. Fantechi, S. Gnesi, S. Larosa, G. Mongardi, D. Romano, A formal verication
environment for railway signaling system design, Formal Methods System Des. 12(2) (1998) 139{161.
[4] Boralv, A fully automated approach for proving safety properties in interlocking software using
automatic theorem-proving, in: S. Gnesi, D. Latella (Eds.), Proceedings of the Second International
ERCIM Workshop on Formal Methods for Industrial Critical Systems, Pisa, Italy, July 1997.
[5] R.E. Bryant, Graph-based algorithms for boolean function manipulation, IEEE Trans. Comput. C-35(8)
(1986).
[6] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang, Symbolic model checking: 1020 States
and Beyond, Inform. Comput. 98 (2) (1992).
[7] S. Campos, A quantitative approach to the formal verication of real-time systems, Ph.D. Thesis, SCS,
Carnegie Mellon University, 1996.
[8] S. Campos, E. Clarke, The Verus language: representing time eciently with BDDs, in Fourth AMAST
Workshop on Real-Time Systems, Concurrent and Distributed Software, 1997.
[9] S.V. Campos, E.M. Clarke, W. Marrero, M. Minea, H. Hiraishi, Computing quantitative characteristics
of nite-state real-time systems, in: IEEE Real-Time Systems Symposium, 1994.
[10] S. Campos, E. Clarke, W. Marrero, M. Minea, Verifying the performance of the PCI local bus using
symbolic techniques, in International Conference on Computer Design, 1995.
[11] S.V. Campos, E.M. Clarke, W. Marrero, M. Minea, Timing analysis of industrial real-time systems, in
Workshop on Industrial-strength Formal specication Techniques, 1995.
[12] S. Campos, E. Clarke, W. Marrero, M. Minea, Verus: a tool for quantitative analysis of nite-state
real-time systems, in ACM SIGPLAN 30 (11) (1995).
[13] S. Campos, E. Clarke, M. Minea, The Verus tool: a quantitative approach to the formal verication of
real-time systems, in Conference on Computer Aided Verication, 1997.
[14] S.V. Campos, O. Grumberg, Selective quantitative analysis and interval model checking: verifying
dierent facets of a system, Comput. Aided Verif. (1996).
[15] A. Cimatti, F. Giunchiglia, G. Mongardi, D. Romano, F. Torielli, P. Traverso, Model checking safety
critical software with SPIN: an application to a railway interlocking system, in Proceedings of the Third
SPIN Workshop, Twente University, Enschede, The Netherlands, April 1997.
[16] A. Cimatti, F. Giunchiglia, G. Mongardi, D. Romano, F. Torielli, P. Traverso, Formal verication of a
railway interlocking system using model checking, Formal Aspects Comput. 10 (1998) 361{380.
[17] E.M. Clarke, E.A. Emerson, A.P. Sistla, Automatic verication of nite-state concurrent systems using
temporal logic specications, ACM TOPLAS 8(2) (1986) 244{263.
[18] E. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D. Long, K. McMillan, L. Ness, Verication of the
Futurebus+ cache coherence protocol, in Proceedings of the 11th CHDL, 1993.
[19] E. Emerson, A. Mok, A. Sistla, J. Srinivasan, Quantitative temporal reasoning, in: Lecture Notes in
Computer Science, Computer Aided Verication, Springer, Berlin, 1990.
[20] J.F. Groote, S.F.M. van Vlijmen, J.W.C. Koorn, The safety guaranteeing system at station Hoorn-
Kersenboogerd, in Proceedings of the COMPASS’95, 1995.
[21] T. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, in
Proceedings of the 7th Symposium on Logic in Computer Science, 1992.
[22] T. Henzinger, P. Ho, H. Wong-Toi, HyTech: the next generation, in IEEE Real-Time Systems
Symposium, 1995.
[23] G.J. Holzmann, Design and Validation of Computer Protocols, Prentice-Hall, Englewood Clis, NJ,
1991.
[24] D.N. Hoover, A mathematical model for railway control systems, Technical Report, Odyssey Research
Associates, Ithaca, NY 14850 USA, June 1995.
[25] R.P. Kurshan, Computer-Aided Verication of Coordinating Processes, Princeton University Press,
Princeton, 1994.
64 V. Hartonas-Garmhausen et al. / Science of Computer Programming 36 (2000) 53{64
[26] G. Mongardi, Dependable computing for railway control systems, in Proceedings of the Working
Conference on Dependable Computing for Critical Applications, IFIP Working Group, 1992,
pp. 255{273.
[27] M.J. Morley, Safety-level communication in railway interlockings, Sci. Comput. Programm. 29 (1997)
147{170.
[28] G. Stalmarck, M. Sa, Modelling and verifying systems and software in propositional logic, in Ifac
SAFECOMP’90, 1990.
