Automatically Verifying Railway Interlockings using SAT-based Model Checking by James, Phillip & Roggenbach, Markus
Electronic Communications of the EASST
Volume 35 (2010)
Proceedings of the
10th International Workshop on
Automated Verification of Critical Systems
(AVoCS 2010)
Automatically Verifying Railway Interlockings using SAT-based Model Checking
Phillip James and Markus Roggenbach
17 pages
Guest Editors: Jens Bendisposto, Michael Leuschel, Markus Roggenbach
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122
ECEASST
Automatically Verifying Railway Interlockings using SAT-based Model Checking
Phillip James∗ and Markus Roggenbach
Swansea University, Wales, UK
Abstract: In this paper, we demonstrate the successful application of various SAT-based model checking techniques to verify train control systems. Starting with a
propositional model for a control system, we show how execution of the system
can be modelled via a finite automaton. We give algorithms to perform SAT-based
model checking over such an automaton. In order to tackle state-space explosion we
propose slicing. Finally we comment on results obtained by applying these methods
to verify two real-world railway interlocking systems.
Keywords: Model Checking, Interlocking, Ladder Logic, Railway, SAT, Slicing.
1 Introduction
Formal verification of railway control software has been identified to be one of the “grand challenges” [Jac04] of Computer Science. Various formal methods have been applied to this area, including algebraic specification, e.g., [Bjø09], process-algebraic modelling and verification, e.g., [Win02], and also model-oriented specification, where e.g., the B method has been used in order to verify part of the Paris Metro railway [BG00]. In partnership with Invensys, an internationally established company specialising in railway control systems, we explore various verification approaches based on SAT solving [BHMW09]. The aim is to explore and develop technologies that, at a later date, might be integrated into Invensys’ design process.
Continuing work by Kanso et al. [KMS08] we verify interlockings of real-world train stations with respect to safety conditions. Our modelling language is propositional logic, see Figure 1: The physical layout of the train station together with an abstract safety condition, e.g., ‘trains are separated by at least one empty track segment’, yields a concrete safety condition ϕ. The initial configuration of a train station is characterised by some initialisation formula I. The control program (in ladder logic, an IEC standard [IEC03]) of the interlocking system is translated into a transition formula T. All the above translations have been automated in [KMS08]. Using an inductive approach, namely I(Z) ⇒ ϕ(Z) and T(Z, Z′) ∧ ϕ(Z) ⇒ ϕ(Z′), Kanso et al. [KMS08] successfully verify a medium sized real-world interlocking. Some of the required safety properties are automatically proven using a SAT solver [Kul08]; however, in some cases the SAT solver produces counterexamples. These take the form of a pair of states, namely interpretations of Z and Z′, which violate the safety property. In the context of the interlocking under discussion, these counterexamples were excluded via manual analysis: it was claimed that they concern unreachable states. For inclusion into the standard development process of interlockings, Invensys requires further automation of the verification, namely the exclusion of the supposedly unreachable states and the production of error traces if a safety property does not hold.
∗ Acknowledging the support of Invensys Rail.
1 / 17 Volume 35 (2010)
[Figure 1: The basic verification setting. Left: the railway topology (track segments T101, T102, T103, T104 and elements labelled a to e) together with an informal safety condition (“for all track points ...”) yields the safety condition ϕ(Z). Right: the interlocking ladder logic yields the initial condition I(Z) and the transition formula T(Z, Z′), where Z, Z′ represent system states. Both feed the automated verification.]
In order to accommodate these requirements, we develop and experiment with verification
approaches based on ideas used in bounded model checking. Here, we deliberately stay within
Boolean modelling: first, it is natural in the given context – the ladder logic program contains
only Boolean variables; second, it allows the direct use of SAT solvers for verification.
In order to deal with real-world interlockings, we develop a slicing technique. To this end
we re-use an algorithm first stated by [GKV95, FH98] and prove that it is correct w.r.t. our
specific setting. In practice, slicing reduces the problem size by approximately a factor of five.
This reduction has proven to be enough to automatically verify, using various techniques, two
interlockings of medium complexity: either the safety condition could be proven, or an error
trace was produced.
In [ZRK03, FH98] alternative approaches for the verification of ladder logic programs are
provided. In [ZRK03] a translation from ladder logic into timed automata is defined, before
using the Uppaal model checker [upp10] for verification. Due to state-space explosion their
approach is limited to “small” programs. Secondly, in [FH98] an inductive verification approach
is taken to verify ladder logic interlockings.
This paper is organised as follows: In Section 2, we introduce the basics of railway interlockings. Section 3 introduces a pelican crossing as a small example system. In Sections 4 and 5 we give a modelling of interlockings through propositional logic and automata. Section 6 introduces the model checking approaches we apply, with Section 7 giving a method to tackle state-space explosion. Finally, Section 8 shows the results gained from verifying two real-world interlockings. The results given in this paper are based on [Jam10] and have already been presented at CALCO-Jnr [JR10], a workshop for young researchers which encourages re-submission of papers to proper scientific events.
2 Interlockings
An interlocking provides a safety layer for a railway. It interfaces with both the physical track layout and the human (or computerised) controller. The controller issues requests, such as to move a point. On such a request the interlocking determines whether it is safe for the operation to be permitted. If it is safe, the interlocking issues requests to change the physical track layout and informs the controller of the change. If it is unsafe to perform the operation, the interlocking does not allow the physical track layout to be changed and reports back to the controller that the operation has not taken place, as it would yield an unsafe situation.
Here, we consider Westrace [wes10] interlockings. A Westrace interlocking has the following
typical control flow:
initialise
while True do
read (Input) %% read
(*) State’ <- Program(Input, State) %% process
write (Output) & State <- State’ %% update
After initialisation, there is a non-terminating loop consisting of three steps: (1) Reading of
Input, where Input includes requests from signallers and data from physical track sensors.
(2) Internal processing: this depends on the Input as well as on the current State of the
controller. Using these the next state State’ is computed. (3) Committing of Output, which
includes passing information back to the signaller, commands to change the physical track layout,
as well as an update of the State of the controller.
In the context of Westrace interlockings, Input, Output, State, and State’ are sets
of Boolean variables, where Output is a subset of State’. The current configuration of the
controller is given by the values of all variables in the sets Input and State. The process
step then depends on the current configuration. The Westrace interlocking realises this controller
in hardware (cycle time of approximately 1 sec), where the steps initialise and process
depend on the installed control software written in ladder logic – see Section 4.
The initialise step performs the following:
set_to_false (Input)
State’ <- Program(Input, State)
State <- State’
First, all Input variables are set to false, then the process step is executed once, finally
State is updated.
3 Pelican crossing example
As a running example we study a pelican crossing. Such a system is found on many road networks throughout the world. The basic idea is that a pelican crossing allows pedestrians to safely cross a flow of traffic. To this end, a pelican crossing consists of the following components: four traffic lights, two for pedestrians and two for the traffic, where for simplicity we assume that all these traffic lights can only show red or green. The pedestrian traffic lights emit an audio signal when they show green and have an input button which a pedestrian can press in order to request the green signal.
In order to program our system, we use the following Boolean variables, distinguished into input, output, and state variables. There is only one input variable, namely pressed. This variable becomes true if a pedestrian presses the button at either pedestrian light. We use the suffix _g to indicate that a traffic light shows green, and the suffix _r to indicate that a traffic light shows red. There are four traffic lights, namely pla and plb for pedestrians, and tla and tlb for traffic. Thus, overall there are eight output variables for lights, namely pla_g, pla_r, plb_g, plb_r, tla_g, tla_r, tlb_g, and tlb_r. When one of these variables is true, the corresponding light is on. There is also one output variable audio. When audio is true then the audio signal is sounding. Finally there are two state variables, req which “remembers” the value of pressed, and crossing which indicates that pedestrians may cross the road.
[ crossing′ ⇔ (req ∧ ¬crossing),
  req′ ⇔ (pressed ∧ ¬req),
  tla_g′ ⇔ (¬crossing′ ∧ (¬pressed ∨ req′)),
  tlb_g′ ⇔ (¬crossing′ ∧ (¬pressed ∨ req′)),
  tla_r′ ⇔ crossing′,
  tlb_r′ ⇔ crossing′,
  pla_g′ ⇔ crossing′,
  plb_g′ ⇔ crossing′,
  pla_r′ ⇔ ¬crossing′,
  plb_r′ ⇔ ¬crossing′,
  audio′ ⇔ crossing′ ]
Figure 2: A ladder logic formula for the control program of a pelican crossing.
Figure 2 presents the control program of our pelican crossing. It uses unprimed variables to
store the configuration of the controller before the process step. Primed variables store the
values of state variables after the process step. We can also say: if the unprimed variables
represent the configuration at (*), then the primed variables represent the configuration at (*)
in the next cycle of the control loop.
As an example of how to interpret the control program, consider the first line of Figure 2,
namely “crossing′ ⇐⇒ (req∧¬crossing)”. This can be read as: if there was a request req in the
last control cycle, and pedestrians were not able to cross the road, then at the end of the current
cycle pedestrians will be able to cross the road. Its second line says: In the next cycle req will be
true if a pedestrian pressed the button before starting this cycle (indicated by pressed) and in the
previous cycle there was no request. The remainder of the program can be read similarly.
4 Ladder logic formulae
Ladder logic is a graphical programming language specified in the IEC standard 61131 [IEC03]. Westrace interlockings are programmed with ladder logic. A ladder logic program can be equivalently translated into a subset of propositional logic. We call this subset ladder logic formulae (see below for its definition). This translation is straightforward: it replaces graphical symbols by logical operators, a process which has been automated in [Kan08]¹. For the rest of the paper we only deal with this representation in propositional logic. Figure 2 gives a concrete instance using a practical shorthand notation.
Ladder logic formulae have several underlying syntactical restrictions. These restrictions become important later for slicing. In order to describe their syntax we use the following notations: The function vars returns for a given propositional formula ϕ the set of propositional variables appearing in ϕ. We use “prime” to generate a fresh variable. V′ = {v′ | v ∈ V} denotes the set of all fresh variables obtained from a set of variables V.
A ladder logic program is formulated relatively to a finite set of input variables I and a finite
set of state variables C, such that I∩C = /0. It may also refer to primed state variables C′, which
represent the newly computed values within a control cycle.
Definition 1 (Ladder logic formulae) A ladder logic formula ψ (relative to a set of input variables I and a set of state variables C) is a propositional formula
ψ ≡ ((c′_1 ⇔ ψ_1) ∧ (c′_2 ⇔ ψ_2) ∧ ··· ∧ (c′_n ⇔ ψ_n))
where n ≥ 0 and the ψ_i, 1 ≤ i ≤ n, are propositional formulae, such that the following conditions hold:
• for all 1 ≤ i ≤ n: c′_i ∈ C′.
• for all 1 ≤ i, j ≤ n: if i ≠ j then c′_i ≠ c′_j.
• for all 1 ≤ i ≤ n: vars(ψ_i) ⊆ I ∪ {c′_1, ..., c′_{i−1}} ∪ {c_i, ..., c_n}.
If n = 0, as usual ψ ≡ True. Such an empty program proves useful in the context of slicing.
A ladder logic program prescribes the computation that takes place in the process step of
the control loop. The equivalence (⇔) can be interpreted as assignment. The above conditions
ensure that only primed state variables can be assigned to; a primed state variable is assigned to
at most once; a primed state variable can only depend on input variables, primed state variables,
or state variables. Here either the unprimed or the primed version of a state variable can be used,
depending on the index i.
For a ladder logic formula we often write ψ ≡ [R1,R2, . . . ,Rn] where Ri ≡ c′i⇔ ψi, for 1≤ i≤
n, for some n≥ 0. The subformulae Ri are called rungs.
5 Representation of an interlocking as an automaton
We capture the dynamics of a Westrace interlocking by defining an automaton relative to a given
ladder logic formula. Consider the control loop in Section 2: a state in the automaton represents
a configuration of the controller and a transition p→ q represents one execution of the loop. That
is, if p represents the configuration of the controller at (*), then q represents the configuration
of the controller at (*) one cycle later.
1 A similar modelling approach has been taken in [FH98].
In order to define the transition relation via ladder logic formulae, we define paired valuations.
In the definition we use I′ to represent new inputs to the controller and the function unprime to
remove the prime from a variable.
Definition 2 (Paired valuations) Given a finite set of input variables I, a finite set of state variables C, and valuations µ, µ′ : (I ∪ C) → {0,1} we define the paired valuation µ ; µ′ : (I ∪ C ∪ I′ ∪ C′) → {0,1} where
\[
(\mu ; \mu')(x) = \begin{cases} \mu(x) & \text{if } x \in I \cup C \\ \mu'(\mathit{unprime}(x)) & \text{if } x \in I' \cup C'. \end{cases}
\]
We now define an automaton for a ladder logic formula:
Definition 3 (Automaton) Given a ladder logic formula ψ over I ∪ C, we define the automaton
A(ψ) = (S, S_0, →)
where
• S = {µ | µ : I ∪ C → {0,1}} is the set of states,
• µ → µ′ if µ ; µ′ |= ψ defines the transitions, and
• S_0 = {µ′ | ∃µ : µ |= ¬I, µ ; µ′ |= ψ} gives the set of initial states.
Here, ¬I expands to \(\bigwedge_{i \in I} \neg i\).
Remark 1 The automaton A(ψ) is non-deterministic as ψ does not impose any conditions on the variables in I′: the controller is not allowed to refuse any input. The automaton might have more than one start state as the computation of the set of initial states only fixes the input variables I; the state variables C can take any value. Finally, the automaton A(ψ) is finite; it has 2^{|I∪C|} states.
This automaton faithfully models the behaviour of the interlocking. The set of initial states S0
of the automaton represents all possible configurations of the interlocking when reaching point
(*) for the first time. As one transition corresponds to one execution of the loop, the traces of
configurations observed at (*) directly correspond to the state sequences of the automaton.
Naturally, such a controller should never stop. In our formalisation of a Westrace interlocking
we can prove this:
Theorem 1 Let ψ be a ladder logic formula. Let µ be a state in A(ψ). Then there exists a state µ′ such that µ ; µ′ |= ψ, i.e. it holds that µ → µ′.
Proof. (Sketch) By induction on the size n of a ladder logic formula. Assume the claim holds for length i. Given an evaluation µ_i for V_i = I ∪ {c′_1, ..., c′_{i−1}} ∪ {c_i, ..., c_n} we set µ_{i+1}(x) = µ_i(x) for x ∈ V_i, µ_{i+1}(c′_i) = 1 if µ_i |= ψ_i and µ_{i+1}(c′_i) = 0 if µ_i ⊭ ψ_i. Finally set µ′(c) = µ_{n+1}(c′) for all c ∈ C.
A paired valuation µ ; µ ′ is reachable with respect to an automaton A(ψ) = (S,S0,→), if there
exists a series of transitions µ0→ µ1→ ··· → µ → µ ′ with µ0 ∈ S0.
Figure 3: An automaton modelling of the ladder logic program for a pelican crossing.
Figure 3 illustrates the reachable states of the automaton constructed from the pelican crossing
ladder logic formula in Figure 2. Here, initial states are represented via double circles, and some
variable values have been excluded for ease of reading.
5.1 Safety conditions
A typical safety property in our pelican crossing example would be: “A traffic light always shows
a single aspect”. Using the vocabulary for the control program, we capture this property by the
following propositional formula:
SingleAspect ≡ (tla_g ∨ tla_r) ∧ ¬(tla_g ∧ tla_r) ∧ (tlb_g ∨ tlb_r) ∧ ¬(tlb_g ∧ tlb_r).
I.e., “For both traffic lights, namely tla and tlb, it holds that they always show a signal, however,
they never show green and red at the same time.”
Experience with Westrace interlockings has shown that the safety properties arising in practice
speak about at most two consecutive configurations at (*) of the control program depicted
in Section 2 (here the above example speaks only about one configuration). This justifies the
following definition:
Definition 4 (Safety condition) A safety condition ϕ for a ladder logic formula ψ over variables
I∪C is a propositional formula over variables I∪C∪C′.
In this definition we exclude variables from the set I′ as the controller has no influence over
any input values.
5.2 The verification problem
With these notions at hand we can state our verification problem: Given a ladder logic formula
ψ and a safety condition ϕ , we say that ψ is safe w.r.t. ϕ ,
A(ψ) |= ϕ,
iff µ ; µ ′ |= ϕ for all reachable paired valuations µ ; µ ′ in A(ψ).
The exclusion of non-reachable states from the verification problem is motivated by the verification results in [KMS08] – see Section 1 – and comes as a direct request from Invensys. Our pelican crossing program is safe w.r.t. SingleAspect only thanks to the exclusion of non-reachable states. For example, let µ, µ′ and µ′′ be states with µ = {crossing = 1, req = 1, pressed = 1, tla_g = 1, tlb_g = 1, tla_r = 0, tlb_r = 0, pla_g = 0, plb_g = 0, pla_r = 1, plb_r = 1, audio = 0}, µ′ = {crossing = 0, req = 0, pressed = 0, tla_g = 0, tlb_g = 0, tla_r = 0, tlb_r = 0, pla_g = 0, plb_g = 0, pla_r = 1, plb_r = 1, audio = 0} and µ′′ any arbitrary successor of µ′ (its existence is guaranteed by Theorem 1). µ ; µ′ is safe, i.e. µ ; µ′ |= SingleAspect, and there is a transition from µ′ to µ′′; however, µ′ ; µ′′ is not safe, i.e. µ′ ; µ′′ ⊭ SingleAspect, as in µ′ both traffic lights are dark. But µ ; µ′ is not reachable to begin with, see Figure 3: crossing′ requires req while req′ requires ¬req, so no state reached via ψ has crossing and req true at the same time.
It is obvious how to extend our setting to safety properties that involve k > 2 configurations
of the interlocking: instead of paired valuations one has to define k-tuples of valuations; a safety
property ϕ can speak about k different copies of each variable in I ∪C; and ψ is safe if all
reachable k-tuples of consecutive states satisfy the safety condition ϕ.
6 Applying model checking to ladder logic
In this section we discuss two verification techniques based on SAT solving: bounded model
checking [BCCZ99] and temporal induction [SSS00]. To allow us to apply these techniques, we
firstly have to give a representation of the state sequences of the automaton under consideration.
6.1 Representing state sequences
Given a set I of input variables and a set C of state variables, we define variable sets W_i = C^(i) ∪ I^(i) with C^(i) = {c^(i) | c ∈ C} and I^(i) = {x^(i) | x ∈ I} for i ∈ ℤ. Here we use the superscript (i) to produce fresh variables. We write [W_i/(I ∪ C)] to denote the substitution that replaces every variable of I ∪ C by its copy in W_i, and [W_{i+1}/(I′ ∪ C′)] for the substitution that replaces every primed variable by its copy in W_{i+1}. A sequence W_0, W_1, W_2, ... of these variable sets can “store” a state sequence of an automaton A(ψ):
Definition 5 (Series of transitions) Let ψ be a ladder logic formula. We define the propositional formulae
\[
\mathit{Init} \equiv \Big(\bigwedge_{i \in I^{(-1)}} \neg i\Big) \wedge T(W_{-1}, W_0), \qquad T_n \equiv \bigwedge_{0 \le i \le n-1} T(W_i, W_{i+1})
\]
where n ≥ 0 and T(W_i, W_{i+1}) ≡ ψ[W_i/(I ∪ C)][W_{i+1}/(I′ ∪ C′)].
Given a ladder logic formula ψ, the formula Init ∧ T_n is “satisfied” exactly by all state sequences s_0, s_1, ..., s_n of A(ψ). More formally: Given a state sequence s_0, s_1, ..., s_n we construct a valuation µ : W_{−1} ∪ W_0 ∪ ··· ∪ W_n → {1,0}, where state s_j gives the interpretation of W_j for 0 ≤ j ≤ n, i.e. µ(i^(j)) = s_j(i), i ∈ I, and µ(c^(j)) = s_j(c), c ∈ C; µ(i^(−1)) = 0, i ∈ I, and µ(c^(−1)) is chosen such that we reach s_0 via ψ. For this µ it holds that µ |= Init ∧ T_n. Conversely, given a µ with µ |= Init ∧ T_n one can decompose it into a state sequence s_0, s_1, ..., s_n of A(ψ). With these notations in place, we can define safety at a specific point in a sequence W_0, W_1, W_2, ....
Definition 6 (Safety at step n) Let ϕ be a safety condition for a ladder logic formula ψ. We define the propositional formula
ϕ_n ≡ ϕ[W_{n−1}/(I ∪ C)][W_n/(I′ ∪ C′)],
where n > 0.
6.2 Bounded model checking
Widely used within industrial applications [CESS08, ADK+05], bounded model checking restricts the search space by a bound which states how many transitions of the automaton should maximally be considered for the verification process. Using the formulae
Initial ≡ Init ∧ T_1 ⇒ ϕ_1      Transition_n ≡ Init ∧ T_n ⇒ ϕ_n, for n > 0
the algorithm shown in Figure 4 performs a forwards iteration of the state-space. Given an automaton A(ψ) and safety condition ϕ, the algorithm will check: (1) that ϕ holds on all transitions leaving the initial states of the automaton, and (2) that ϕ holds for up to K transitions from an initial state of the automaton.
if ¬Initial is satisfiable return error trace
j ← 2
while j ≤ K do
    if ¬Transition_j is satisfiable return error trace
    j ← j + 1
return “K-Safe”
Figure 4: K-step forwards iteration algorithm.
The algorithm in Figure 4 calls a SAT solver once in every iteration. In practice, the algorithm performs better when multiple calls to the SAT solver are combined into one call: for l ≥ 1, the checks “¬Transition_j satisfiable”, ..., “¬Transition_{j+l} satisfiable” are combined into the single check “¬(Transition_j ∧ ··· ∧ Transition_{j+l}) satisfiable”.
Practical results from the pelican crossing example show that verification times are less than one second². With inductive verification, see [Kan08], verification of the safety condition given in Section 5.1 fails for the induction step. With the proposed bounded model checking approach we were able to show that this was in fact due to unreachable states: a bound of K = 6 is required when using the given algorithm, and by inspecting the state space given in Figure 3 we see that a bound of 6 covers all reachable states, so the “K-Safe” verdict for K = 6 covers the whole reachable state space rather than a bounded prefix of it.
6.3 Unbounded model checking
Temporal induction [SSS00] is a method that is based on strengthening the inductive approach as, e.g., given by Kanso [Kan08]. As the name suggests, the verification method still consists of two proof steps, namely a base case and an inductive step. These proof steps are however used differently: the (negation of the) base case is checked for satisfiability, and the (negation of the) inductive step is checked for unsatisfiability. Our presentation follows [ES03].
² All results presented in this paper are based on tests carried out using a 64-bit computer, with a 3GHz quad-core processor and 8 GBytes of memory.
We define properties of a state sequence encoded by W_0, W_1, ..., W_n:
\[
\mathit{LF}_n \equiv \bigwedge_{0 \le k < l \le n} \neg (W_k \Leftrightarrow W_l), \qquad \mathit{safe}_n \equiv \bigwedge_{1 \le j \le n} \varphi_j
\]
where \((W_k \Leftrightarrow W_l) \equiv \bigwedge_{i \in I} (i^{(k)} \Leftrightarrow i^{(l)}) \wedge \bigwedge_{c \in C} (c^{(k)} \Leftrightarrow c^{(l)})\); k, l, n ≥ 0. LF_n describes the state sequences of length n of an automaton which are “loop free”, i.e. the states appearing in the sequence are pairwise different. The formula safe_n encodes that all transitions between two consecutive states are safe. Using these formulae, we define the base case and induction step of temporal induction:
Base_n ≡ Init ∧ T_n ⇒ ϕ_n      Step_n ≡ T_{n+1} ∧ LF_{n+1} ∧ safe_n ⇒ ϕ_{n+1}, for n ≥ 1.
Figure 5 gives the temporal induction algorithm, similar to [SSS00, CESS08].
n← 1
while true do
if ¬Basen is satisfiable return trace
if ¬Stepn is unsatisfiable return “Safe”
n← n+1
Figure 5: Temporal induction algorithm.
Theorem 2 For all ladder logic formulae and safety conditions, temporal induction terminates, is sound, and is complete.
Proof. (Only termination) Let ψ be a ladder logic formula. Let ϕ be a safety condition. Given that the automaton A(ψ) is finite, we know that for some k all state sequences longer than k include a state twice. Thus, the formula T_{k+1} ∧ LF_{k+1} is unsatisfiable. This implies that Step_k ≡ T_{k+1} ∧ LF_{k+1} ∧ safe_k ⇒ ϕ_{k+1} is a tautology. Hence ¬Step_k is unsatisfiable.
This temporal induction algorithm verifies our pelican crossing example completely automatically. Once again, the verification time was less than one second.
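As an added example (not code from the paper, nor from the Swansea/Invensys tool it describes), the following Python models the pelican crossing program of Figure 2 as the automaton A(ψ) of Definition 3 and evaluates the checks of Sections 5.2 and 6 on it. Because the pelican crossing has only 2^12 states, the formulas Init ∧ T_n ⇒ ϕ_n, Step_n and the plain inductive step of [KMS08] are decided here by explicit enumeration over the automaton rather than by handing them to a SAT solver; the verdicts are the same, only the engine differs. Variable names with underscores (tla_g for tla g) and the function names are this example's own convention.

```python
from collections import deque
from itertools import product

# Pelican crossing ladder logic formula of Figure 2, rung by rung and in rung order.
INPUTS = ("pressed",)
STATE = ("crossing", "req", "tla_g", "tlb_g", "tla_r", "tlb_r",
         "pla_g", "plb_g", "pla_r", "plb_r", "audio")
VARS = INPUTS + STATE          # a state of A(psi): a tuple of booleans in this order

# Rung i reads the unprimed configuration s and the primed variables n already
# computed by rungs 1..i-1, exactly what Definition 1 allows.
RUNGS = [
    ("crossing", lambda s, n: s["req"] and not s["crossing"]),
    ("req",      lambda s, n: s["pressed"] and not s["req"]),
    ("tla_g",    lambda s, n: not n["crossing"] and (not s["pressed"] or n["req"])),
    ("tlb_g",    lambda s, n: not n["crossing"] and (not s["pressed"] or n["req"])),
    ("tla_r",    lambda s, n: n["crossing"]),
    ("tlb_r",    lambda s, n: n["crossing"]),
    ("pla_g",    lambda s, n: n["crossing"]),
    ("plb_g",    lambda s, n: n["crossing"]),
    ("pla_r",    lambda s, n: not n["crossing"]),
    ("plb_r",    lambda s, n: not n["crossing"]),
    ("audio",    lambda s, n: n["crossing"]),
]

def successors(mu):
    """Transitions mu -> mu': one process step, then every possible fresh input,
    since the controller may not refuse any input (Remark 1)."""
    s, n = dict(zip(VARS, mu)), {}
    for c, rung in RUNGS:
        n[c] = bool(rung(s, n))
    return [inp + tuple(n[c] for c in STATE)
            for inp in product((False, True), repeat=len(INPUTS))]

def initial_states():
    """S0 of Definition 3: inputs false, state variables arbitrary, one process step."""
    s0 = set()
    for vals in product((False, True), repeat=len(STATE)):
        s0.update(successors((False,) * len(INPUTS) + vals))
    return s0

def single_aspect(mu, mu_next):
    """SingleAspect of Section 5.1; it reads the unprimed copy mu only."""
    s = dict(zip(VARS, mu))
    return all((s[g] or s[r]) and not (s[g] and s[r])
               for g, r in (("tla_g", "tla_r"), ("tlb_g", "tlb_r")))

def reachable_check(phi):
    """A(psi) |= phi (Section 5.2): phi on every reachable paired valuation mu ; mu'.
    Returns (verdict, reachable states, violating pair or None)."""
    init = initial_states()
    seen, todo = set(init), deque(init)
    while todo:
        mu = todo.popleft()
        for nxt in successors(mu):
            if not phi(mu, nxt):
                return False, seen, (mu, nxt)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True, seen, None

def plain_induction_counterexample(phi):
    """Inductive step of [KMS08] over all states (phi over I u C only): a transition
    mu -> mu' with phi(mu) but not phi(mu'). The pair found may be unreachable."""
    for mu in product((False, True), repeat=len(VARS)):
        if phi(mu, None):
            for nxt in successors(mu):
                if not phi(nxt, None):
                    return mu, nxt
    return None

def find_path(starts, length, phi, safe_prefix, loop_free):
    """A sequence s_0 -> ... -> s_length, s_0 in starts, whose last transition violates
    phi; safe_prefix enforces safe_n on earlier transitions, loop_free enforces LF_n."""
    def extend(path):
        if len(path) == length + 1:
            return path
        final = len(path) == length
        for nxt in successors(path[-1]):
            if loop_free and nxt in path:
                continue
            ok = phi(path[-1], nxt)
            if (final and ok) or (not final and safe_prefix and not ok):
                continue
            found = extend(path + [nxt])
            if found:
                return found
        return None
    for s in starts:
        found = extend([s])
        if found:
            return found
    return None

def bounded_model_check(phi, K):
    """Figure 4: paths of j = 1..K transitions from an initial state must end safely."""
    init = initial_states()
    for j in range(1, K + 1):
        trace = find_path(init, j, phi, safe_prefix=False, loop_free=False)
        if trace:
            return "error trace", trace
    return "K-Safe", None

def temporal_induction(phi):
    """Figure 5. Base_n: no unsafe path of n transitions from S0. Step_n: no loop-free
    path of n+1 transitions from any state, safe for n transitions, unsafe on the last."""
    init = initial_states()
    every_state = list(product((False, True), repeat=len(VARS)))
    n = 1
    while True:
        trace = find_path(init, n, phi, safe_prefix=False, loop_free=False)
        if trace:
            return "unsafe", n, trace
        if find_path(every_state, n + 1, phi, safe_prefix=True, loop_free=True) is None:
            return "Safe", n, None
        n += 1
```

`reachable_check(single_aspect)` finds six reachable states, all safe, while `plain_induction_counterexample(single_aspect)` still returns a pair whose first state has req and crossing both true and is therefore outside that reachable set: this is the unreachable counterexample of Section 5.2. `temporal_induction(single_aspect)` fails Step_1 (an arbitrary start state may carry that unreachable combination) and succeeds at n = 2, because no successor state can have both variables true.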
7 Program slicing
The proposed approaches for the verification of ladder logic programs quickly give rise to large
formulae to be verified. As the formula size increases, both the space and time requirements
increase. This increase leads to a rather small bound3 on the number of iterations of a ladder logic
program we can verify in a feasible amount of time. Following approaches in [GKV95, FH98],
we introduce slicing.
3 I.e., with 361 variables, approximately 2000 iterations were possible.
Here, the novelty of our approach is that we prove slicing to be correct w.r.t. reachable states. Let Ψ be a program and ϕ be a property. Now consider two semantical approaches: |=_all considers all states as in [GKV95, FH98], while |=_reach – our approach – considers the reachable states only. Clearly, Ψ |=_all ϕ implies Ψ |=_reach ϕ. However, as our pelican crossing example demonstrates, the converse does not hold. Now consider a program Ψ_ϕ, which is a program Ψ sliced for ϕ. Slicing is considered correct if Ψ satisfies ϕ iff Ψ_ϕ satisfies ϕ. This results in two different correctness conditions, as illustrated by the following diagram (the downward implications hold; the upward one on the left does not):
Ψ |=_all ϕ  ⇔  Ψ_ϕ |=_all ϕ
    ⇓ (⇑ fails)        ⇓
Ψ |=_reach ϕ  ⇔  Ψ_ϕ |=_reach ϕ
Note that we use the same slicing as [GKV95, FH98].
The intuition behind slicing is that the variables occurring in a safety condition often depend only on some part of the ladder logic program. Hence parts that have no effect on the safety condition can be removed.
7.1 Algorithm for slicing ladder logic
We begin by defining the dependence between rungs in a ladder logic formula.
Definition 7 (Dependency relation) Let ψ = [R_1, R_2, ..., R_n] be a ladder logic formula for some n ≥ 0. We define the relation dependant ⊆ {1, ..., n} × {1, ..., n} between rungs of the ladder logic program as the transitive closure of
{(i, j) | j < i and c′_j ∈ vars(ψ_i)}
where rung k has the form R_k ≡ c′_k ⇔ ψ_k for 1 ≤ k ≤ n.
Using this notion of dependence, we define the slice of a ladder logic formula w.r.t. a safety
condition as:
Definition 8 (Slice) Given a ladder logic formula ψ = [R_1, R_2, ..., R_n], and a safety condition ϕ, a slice ψ_ϕ of ψ is an order preserving selection of rungs such that the following two conditions hold:
• for all 1 ≤ j ≤ n: R_j ∈ ψ_ϕ if c_j ∈ vars(ϕ) ∨ c′_j ∈ vars(ϕ).
• for all 1 ≤ i, j ≤ n: R_j ∈ ψ_ϕ if R_i ∈ ψ_ϕ and (i, j) ∈ dependant.
Given a slice ψ_ϕ we define the sets
Î = vars(ψ_ϕ) ∩ I      Ĉ = {c ∈ C | c′ ∈ vars(ψ_ϕ) ∩ C′}
of those input variables (resp. state variables) that appear in the slice.
Note that this definition does not include a notion of minimality. Consequently, a ladder logic formula ψ is always a slice of itself. If the safety condition is ϕ ≡ True, then for every ladder
logic formula ψ we have that the empty program ψϕ ≡ true is a slice. To ensure that rung
order is maintained, we compute a slice in a backward fashion. The algorithm we present is due
to [GKV95, FH98].
Step 1 – Extract variables from safety condition. Given a safety condition ϕ of the form described in Section 5.1, we extract its variables: U = vars(ϕ).
Step 2 – Calculate dependent variables. Calculate all the variables of the ladder logic formula that affect the variables in U. This step is repeated for each rung until a fixed point within the variable set is reached. Figure 6 illustrates the code that could be used to perform this step.
Step 3 – Extract dependent rungs. Finally, using the variable set U computed in step two, we remove all rungs that do not affect the safety condition. To do this, we construct the set
index = {i ∈ {1, ..., n} | c_i ∈ U or c′_i ∈ U}.
Now, we remove from the original program all rungs R_i whose indices do not appear in index. The result ψ_ϕ is the sliced version of program ψ.
repeat
    U_old ← U
    U_{n+1} ← U
    for i = n down to 1 do
        if c_i ∈ U_{i+1} or c′_i ∈ U_{i+1} then U_i ← U_{i+1} ∪ vars(ψ_i) else U_i ← U_{i+1}
    U ← U_1
until U ⊆ U_old
return U
Figure 6: Algorithm to compute step two. The membership test covers c_i and c′_i alike, as Definition 8 and step three do; for a safety condition over unprimed variables such as SingleAspect a test on c′_i alone would never add a rung.
Figure 7 illustrates the effect of slicing the ladder logic formula of Figure 2 w.r.t. the safety condition presented in Section 5.1: The safety condition has four variables, six out of the original eleven rungs remain.
[ crossing′ ⇔ (req ∧ ¬crossing),
  req′ ⇔ (pressed ∧ ¬req),
  tla_g′ ⇔ (¬crossing′ ∧ (¬pressed ∨ req′)),
  tlb_g′ ⇔ (¬crossing′ ∧ (¬pressed ∨ req′)),
  tla_r′ ⇔ crossing′,
  tlb_r′ ⇔ crossing′ ]
Figure 7: A sliced version of our pelican crossing ladder logic formula.
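As an added example (not code from the paper or its tool), the following Python checks the syntactic restrictions of Definition 1 (Section 4) and runs the three slicing ste ps of Section 7.1 on the pelican crossing program. Rungs are represented by their target and vars(ψ_i) only, with a trailing apostrophe marking a primed variable; this representation and the function names are the example's own. The membership test of the Figure 6 fixpoint is applied to c_i and c′_i alike, as step three and Definition 8 do: with a safety condition over unprimed variables such as SingleAspect, a test on c′_i alone would never fire and the six rungs of Figure 7 could not be obtained.

```python
# Pelican crossing program of Figure 2 as (c_i, vars(psi_i)); "x'" is the primed x.
INPUTS = {"pressed"}
STATE = {"crossing", "req", "tla_g", "tlb_g", "tla_r", "tlb_r",
         "pla_g", "plb_g", "pla_r", "plb_r", "audio"}
PELICAN = [
    ("crossing", {"req", "crossing"}),
    ("req",      {"pressed", "req"}),
    ("tla_g",    {"crossing'", "pressed", "req'"}),
    ("tlb_g",    {"crossing'", "pressed", "req'"}),
    ("tla_r",    {"crossing'"}),
    ("tlb_r",    {"crossing'"}),
    ("pla_g",    {"crossing'"}),
    ("plb_g",    {"crossing'"}),
    ("pla_r",    {"crossing'"}),
    ("plb_r",    {"crossing'"}),
    ("audio",    {"crossing'"}),
]
SINGLE_ASPECT_VARS = {"tla_g", "tla_r", "tlb_g", "tlb_r"}   # vars(SingleAspect), Section 5.1

def prime(v):
    return v + "'"

def check_ladder_logic(rungs, inputs, state):
    """Definition 1: every rung assigns a primed state variable, no variable is assigned
    twice, and rung i reads only inputs, c'_1..c'_{i-1} and c_i..c_n. Raises ValueError
    otherwise; these are the restrictions Theorem 1 (a run never gets stuck) relies on."""
    targets = [c for c, _ in rungs]
    if not set(targets) <= state:
        raise ValueError(f"rungs assign non-state variables {sorted(set(targets) - state)}")
    if len(set(targets)) != len(targets):
        raise ValueError("a primed state variable is assigned more than once")
    for i, (c, vs) in enumerate(rungs):
        allowed = inputs | {prime(t) for t in targets[:i]} | set(targets[i:])
        if not vs <= allowed:
            raise ValueError(f"rung {i + 1} ({prime(c)}) reads {sorted(vs - allowed)}")
    return True

def is_ladder_logic(rungs, inputs, state):
    try:
        return check_ladder_logic(rungs, inputs, state)
    except ValueError:
        return False

def dependent_variables(rungs, phi_vars):
    """Step 2 (Figure 6): backward passes over the rungs until U is stable. A rung adds its
    variables when its target occurs in U primed or unprimed."""
    U = set(phi_vars)
    while True:
        previous = set(U)
        for c, vs in reversed(rungs):          # i = n down to 1
            if c in U or prime(c) in U:
                U = U | vs
        if U <= previous:
            return U

def slice_program(rungs, inputs, phi_vars):
    """Step 3: keep, in rung order, the rungs whose target occurs in U. Returns the slice
    together with the sets I-hat and C-hat of Definition 8."""
    U = dependent_variables(rungs, phi_vars)
    sliced = [(c, vs) for c, vs in rungs if c in U or prime(c) in U]
    used = set().union(*(vs for _, vs in sliced)) if sliced else set()
    return sliced, used & inputs, {c for c, _ in sliced}

if __name__ == "__main__":
    check_ladder_logic(PELICAN, INPUTS, STATE)
    sliced, i_hat, c_hat = slice_program(PELICAN, INPUTS, SINGLE_ASPECT_VARS)
    print([c for c, _ in sliced], sorted(i_hat), sorted(c_hat))
```

For SingleAspect the slice keeps the rungs for crossing, req, tla_g, tlb_g, tla_r and tlb_r, i.e. Figure 7, with Î = {pressed}; for ϕ ≡ True (no variables) the slice is the empty program of Definition 1. A program in which rung 2 reads the unprimed value of the variable rung 1 has just assigned is rejected by the Definition 1 check, since the old value of c_1 is no longer addressable in rung 2.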
7.2 Correctness of slicing
Given that slicing changes the ladder logic formulae under consideration, we need to ensure that
the validity of safety conditions is still upheld.
Throughout this Section we assume that ψϕ is the computed slice of a ladder logic formula
ψ = [R1,R2, . . .Rn] w.r.t. a safety condition ϕ, where Î is the set of inputs of ψ which appear in
ψϕ and Ĉ is the set of state variables of ψ required by ψϕ – see Definition 8.
In order to compare the two automata A(ψ) and A(ψϕ) we first need to relate their states.
A(ψ) has maps µ : (I∪C)→{0,1} as its states, while the states of A(ψϕ) take the form of maps
ν : (Î ∪ Ĉ)→ {0,1}. To this end, we define two functions: |Î∪Ĉ mapping states from A(ψ)
to states from A(ψϕ), and :: f mapping a state from A(ψϕ) to a state of A(ψ), where f is a
valuation that describes how we interpret the variables in (I∪C)− (Î∪Ĉ).
Definition 9 (Reducing/Extending a valuation) Let µ be a state of A(ψ). Its reduction µ|_{Î∪Ĉ} : Î ∪ Ĉ → {0,1} w.r.t. Î ∪ Ĉ is defined as µ|_{Î∪Ĉ}(x) = µ(x) for all x ∈ Î ∪ Ĉ.
Let ν be a state of A(ψ_ϕ). Let f : (I ∪ C) − (Î ∪ Ĉ) → {0,1} be an evaluation. We define the extension of ν by f as (ν :: f) : C ∪ I → {0,1} where
\[
(\nu :: f)(x) = \begin{cases} \nu(x) & \text{if } x \in \hat I \cup \hat C \\ f(x) & \text{otherwise} \end{cases}
\]
for all x ∈ C ∪ I.
Remark 2 We also apply reduction and extension to paired valuations. That is, (µ ; µ′)|Î∪Ĉ =
(µ|Î∪Ĉ) ; (µ′|Î∪Ĉ) is the paired evaluation obtained from individually reducing µ and µ′. Similarly
ν :: f ; ν′ :: f′ = (ν :: f) ; (ν′ :: f′) is the evaluation obtained by individually extending ν by f and
ν′ by f′ and then pairing the results.
We now study how to relate transitions of A(ψ) to transitions of A(ψϕ): A step in A(ψ)
corresponds to a step in A(ψϕ); consequently, reachability in A(ψ) implies reachability in A(ψϕ).
Lemma 1 (A(ψ) transitions correspond to A(ψϕ) transitions) Let µ and µ′ be states of A(ψ).
1. µ ; µ′ |= ψ ⇒ (µ ; µ′)|Î∪Ĉ |= ψϕ
2. If µ ; µ′ is reachable with respect to A(ψ) then (µ ; µ′)|Î∪Ĉ is reachable with respect to A(ψϕ).
Proof. (Sketch) (1) follows as ψϕ does not depend on removed variables. (2) is shown by induc-
tion on path length using point (1).
Corresponding results hold for the reverse direction:
Lemma 2 (A(ψϕ) transitions can be extended to A(ψ) transitions) Let ν and ν′ be states of
A(ψϕ).
1. Let ν ; ν′ |= ψϕ. Then for all f there exists an f′ such that ν :: f ; ν′ :: f′ |= ψ.
2. Let ν ; ν′ be reachable with respect to A(ψϕ). Then there exist f, f′ such that ν :: f ; ν′ :: f′
is reachable with respect to A(ψ).
Proof. (Sketch)
1. Choose f arbitrarily and define
$$f'(x) = \begin{cases} 0 & \text{if } x = c_i \text{ and } \nu :: f \not\models \psi_i \\ 1 & \text{if } x = c_i \text{ and } \nu :: f \models \psi_i \end{cases}$$
With these choices of f and f′, ψ is satisfied.
2. By induction on path length and given point 1.
Using these lemmas we can prove that slicing is correct:
Theorem 3 Let ϕ be a safety condition over a ladder logic formula ψ . Then
A(ψ) |= ϕ ⇐⇒ A(ψϕ) |= ϕ.
Proof. By Lemma 1 and Lemma 2.
Full proofs of Lemma 1, Lemma 2 and Theorem 3 are given in [Jam10].
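The slicing of Figure 7 and the reduction/extension of valuations from Definition 9, together with Lemmas 1 and 2 and Theorem 3, can be exercised directly on the pelican crossing. The Python program below is an added example and is not code from the paper or from the authors' verification tool. It encodes the six rungs of Figure 7, slices them w.r.t. a constructed safety condition (traffic light A is never green and red at the same time, over tlag and tlar; the paper's own condition from Section 5.1 is not reproduced on this page), and then checks Lemma 1(1), Lemma 2(1) and the equivalence of Theorem 3 by exhaustive enumeration of valuations rather than by SAT solving. The slicing routine uses a dependency-closure reading of slicing (keep every rung whose coil the condition depends on, transitively); Definition 8 is not on this page, so that reading, the all-false initial state, and the names `step`, `slice_rungs`, `restrict`, `extend` and `verify` are assumptions of this example.

```python
"""Slicing the pelican crossing ladder logic of Figure 7 and checking the
slice against the full automaton by exhaustive enumeration (added example:
the rungs are those of Figure 7, everything else is constructed)."""
from itertools import product

# A rung is (coil, reads, body): `coil` is the state variable the rung sets
# (its primed value), `reads` the names its body mentions (a primed name is
# a coil updated earlier in the same cycle), `body` evaluates the rung over
# a valuation that holds both kinds of name.
RUNGS = [
    ("crossing", {"req", "crossing"},
     lambda v: v["req"] and not v["crossing"]),
    ("req", {"pressed", "req"},
     lambda v: v["pressed"] and not v["req"]),
    ("tlag", {"crossing'", "pressed", "req'"},
     lambda v: not v["crossing'"] and (not v["pressed"] or v["req'"])),
    ("tlbg", {"crossing'", "pressed", "req'"},
     lambda v: not v["crossing'"] and (not v["pressed"] or v["req'"])),
    ("tlar", {"crossing'"}, lambda v: v["crossing'"]),
    ("tlbr", {"crossing'"}, lambda v: v["crossing'"]),
]
INPUTS = ["pressed"]                       # I
STATES = [coil for coil, _, _ in RUNGS]    # C

def step(rungs, mu):
    """One cycle mu ; mu' of A(psi): rungs fire in order, each seeing the
    inputs, the old state and the coils already updated in this cycle."""
    v = dict(mu)
    for coil, _, body in rungs:
        v[coil + "'"] = body(v)
    return {coil: v[coil + "'"] for coil, _, _ in rungs}

def slice_rungs(rungs, cond_vars):
    """Dependency-closure slicing (assumed reading of Definition 8): keep every
    rung whose coil the condition depends on, transitively.
    Returns (kept rungs, inputs I-hat, state variables C-hat)."""
    reads_of = {coil: reads for coil, reads, _ in rungs}
    required, todo = set(cond_vars), list(cond_vars)
    while todo:
        for y in reads_of.get(todo.pop(), ()):
            y = y.rstrip("'")              # a primed read depends on that coil
            if y not in required:
                required.add(y)
                todo.append(y)
    kept = [r for r in rungs if r[0] in required]
    inputs = sorted(x for x in required if x not in reads_of)
    return kept, inputs, [coil for coil, _, _ in kept]

def restrict(mu, keep):
    """Definition 9: the reduction mu|_(I-hat u C-hat)."""
    return {x: mu[x] for x in keep}

def extend(nu, f):
    """Definition 9: the extension nu :: f, f fixing the removed variables."""
    return {**nu, **f}

def lemma1_holds(sliced, inputs, state):
    """Lemma 1(1): every transition of A(psi), reduced, is one of A(psi_phi)."""
    for bits in product([False, True], repeat=len(INPUTS) + len(STATES)):
        mu = dict(zip(INPUTS + STATES, bits))
        if restrict(step(RUNGS, mu), state) != step(sliced, restrict(mu, inputs + state)):
            return False
    return True

def lemma2_holds(sliced, inputs, state):
    """Lemma 2(1): for each slice transition nu ; nu' and each f on the removed
    variables some f' makes nu::f ; nu'::f' a transition of A(psi).  Rungs are
    deterministic, so f' is simply read off the full step."""
    removed = [x for x in INPUTS + STATES if x not in inputs + state]
    for bits in product([False, True], repeat=len(inputs) + len(state)):
        nu = dict(zip(inputs + state, bits))
        for fbits in product([False, True], repeat=len(removed)):
            full_next = step(RUNGS, extend(nu, dict(zip(removed, fbits))))
            if restrict(full_next, state) != step(sliced, nu):
                return False
    return True

def reachable(rungs, inputs, state, init):
    """All states reachable from `init` under every input sequence (BFS)."""
    seen, frontier = {tuple(init[x] for x in state)}, [init]
    while frontier:
        s = frontier.pop()
        for bits in product([False, True], repeat=len(inputs)):
            nxt = step(rungs, extend(s, dict(zip(inputs, bits))))
            key = tuple(nxt[x] for x in state)
            if key not in seen:
                seen.add(key)
                frontier.append(nxt)
    return seen

def verify(cond, cond_vars):
    """Theorem 3 in miniature: evaluate the condition on the reachable states of
    A(psi) and of A(psi_phi), both started from the all-false state (assumed)."""
    sliced, inputs, state = slice_rungs(RUNGS, cond_vars)
    full = reachable(RUNGS, INPUTS, STATES, {x: False for x in STATES})
    part = reachable(sliced, inputs, state, {x: False for x in state})
    idx = [STATES.index(x) for x in state]
    return {
        "rungs": len(sliced),
        "safe_full": all(cond(dict(zip(STATES, s))) for s in full),
        "safe_slice": all(cond(dict(zip(state, s))) for s in part),
        "reduced_reach_match": {tuple(s[i] for i in idx) for s in full} == part,
        "lemma1": lemma1_holds(sliced, inputs, state),
        "lemma2": lemma2_holds(sliced, inputs, state),
    }

# Constructed safety condition: light A is never green and red together.
NEVER_GREEN_AND_RED = (lambda s: not (s["tlag"] and s["tlar"]), ["tlag", "tlar"])

if __name__ == "__main__":
    print(verify(*NEVER_GREEN_AND_RED))
```

With this condition the slice keeps four of the six rungs (crossing, req, tlag, tlar); slicing w.r.t. all four light variables keeps all six, matching Figure 7. Enumeration is only feasible because the example has seven Boolean variables; for the interlockings of Section 8 the same checks are what the SAT-based procedures of the paper carry out symbolically.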
8 Application and results
We summarise some results that have been obtained via a verification tool based on the discussed
methods. A detailed discussion of the implementation of the tool and of the results is available
in [Jam10]. In total, two railway interlocking ladder logic programs (one containing 331 rungs
with 599 variables, the other 238 rungs with 361 variables) were verified against a set of
approximately ten safety conditions.
Overall, the results we have gained have been positive. For every safety condition the tool has
either given a successful verification, or a counter example trace. All results have been obtained
within the region of seconds.
With respect to the safety of the systems under consideration, all counter example traces could
then be excluded manually as system runs by considering invariants. Such invariants have not
been included in our automaton model: in industry they are soft constraints used by the engi-
neers and are not part of the documentation for the interlocking control programs.
In this sense, our change of the semantic model, namely to consider reachable states only,
turned out to be superfluous for the interlockings studied. It gave, however, an insight into the
very nature of these interlockings and helped to understand the reasons why they are safe: not
– as originally expected – due to unreachability, but thanks to states excluded by construction.
Note that the inclusion of such invariants into our model will give rise to new proof obligations,
namely counterparts for Theorem 1 will have to be established. As our Pelican crossing example
demonstrates, the verification of technical systems can require our more sophisticated semantics,
see Section 5.2.
8.1 Results of bounded model checking
The main success of the bounded model checking approach proved to be the generation of
counter example traces. In all the verification results where inductive verification via Kanso’s
method [Kan08] gave a counter example, our forward iteration approach constructed a counter
example trace.
Results obtained show that bounded model checking was possible for up to two thousand itera-
tions before memory issues occurred. With the application of our slicing algorithm, the number
of iterations possible increased to twenty thousand. This is a large number of iterations; however,
it remains unknown how many iterations would be required to verify all reachable states.
8.2 Results of temporal induction
The results obtained from the temporal induction approach are as expected:
Whenever inductive verification via Kanso’s method [Kan08] succeeded, i.e., the safety prop-
erty held, the safety property was also provable via temporal induction. In this special case,
namely, that safety can be established via inductive verification, temporal induction is of equal
complexity as Kanso’s method: only its first iteration is executed, which requires the same re-
sources as inductive verification.
Furthermore, whenever a counter example was generated using bounded model checking, a
counter example would be generated by temporal induction. These two results show that tempo-
ral induction works correctly. The full power of temporal induction, however, is demonstrated
by our Pelican crossing example: only temporal induction is capable of verifying it fully auto-
matically.
8.3 Results of slicing
All results obtained show that applying slicing to the formulae to be verified resulted in large
efficiency gains. The results are based on a set of approximately ten safety conditions which
Invensys considered to be vital. Analysis of the application of the slicing algorithm has
shown that the following reductions were possible:
• For interlocking one, the number of rungs contained in the ladder logic formula was
reduced, on average, from 331 rungs to around 60 rungs.
• For interlocking two, the number of rungs contained in the ladder logic formula was
reduced, on average, from 238 rungs to around 25 rungs.
Obviously, the resultant formula size is dependent on the safety condition being verified. Hence
it would be interesting to see the effect slicing has on more complicated, larger interlockings.
9 Conclusion
We have completed a feasibility study into various techniques for SAT-based model checking of
Westrace interlockings. We have provided a formal model for Westrace interlockings via propo-
sitional logic and given an automaton theoretic semantics for this propositional model. We have
studied in some depth the verification processes of bounded model checking and unbounded
model checking via temporal induction. As a natural continuation from this, we have reviewed
how a slicing algorithm can be applied to reduce the complexity of the verification problem,
showing the correctness of its application. The overall outcome is the development of a ver-
ification tool with varied verification techniques on offer. This tool has been applied to verify
real-world interlockings, with the main results being:
• The approaches we propose work. That is, an interlocking can successfully be verified
with respect to some safety condition; the result is either that the interlocking is safe,
or that a counter example trace is generated.
• The approaches we propose scale up to real-world systems.
• SAT-based verification is a successful method of verifying large systems.
Future work will include the removal of functional dependencies [JB04] and the verification of
further interlockings.
Acknowledgements: We wish to thank Invensys for support and good cooperation; the Swansea
Railway Verification Group, especially Faron G Moller, Anton G Setzer, and Monika Seisen-
berger for many helpful discussions; the reviewers for their helpful suggestions; and, finally,
Erwin R. Catesbeiana (Jr) for guiding us along the correct route.
Bibliography
[ADK+05] N. Amla, X. Du, A. Kuehlmann, R. P. Kurshan, K. L. McMillan. An Analysis of SAT-Based Model Checking Techniques in an Industrial Environment. In Borrione and Paul (eds.), CHARME. Springer, 2005.
[BCCZ99] A. Biere, A. Cimatti, E. M. Clarke, Y. Zhu. Symbolic Model Checking without BDDs. In Cleaveland (ed.), TACAS '99. Springer-Verlag, 1999.
[BG00] J. Boulanger, M. Gallardo. Validation and verification of METEOR safety software. In Advances in Transport Vol 7. WIT Press, 2000.
[BHMW09] A. Biere, M. J. H. Heule, H. van Maaren, T. Walsh (eds.). Handbook of Satisfiability. IOS Press, 2009.
[Bjø09] D. Bjørner. Towards a Domain Model of Transportation. In Domain Engineering – Technology Management, Research and Engineering. JAIST Press, 2009.
[CESS08] K. Claessen, N. Een, M. Sheeran, N. Sörensson. SAT-solving in practice. In Lennartson et al. (eds.), Proceedings of Workshop on Discrete Event Systems. IEEE, May 2008.
[ES03] N. Een, N. Sörensson. Temporal Induction by Incremental SAT Solving. Electronic Notes in Theoretical Computer Science 89(4), 2003. BMC'2003.
[FH98] W. Fokkink, P. Hollingshead. Verification of Interlockings: from Control Tables to Ladder Logic Diagrams. In Groote et al. (eds.), FMICS'98. CWI, 1998.
[GKV95] J. Groote, J. Koorn, S. van Vlijmen. The safety guaranteeing system at station Hoorn-Kersenboogerd. In Danner et al. (eds.), Compass'95, Computer Assurance. IEEE, 1995.
[IEC03] Programmable Controllers - Part 3: Programming languages. IEC Standard 61131-3, 2003.
[Jac04] R. Jacquart (ed.). IFIP 18th World Computer Congress, Topical Sessions. Chapter TRain: The Railway Domain - A Grand Challenge. Kluwer, 2004.
[Jam10] P. James. SAT-based Model Checking and its applications to Train Control Software. Master's thesis, Swansea University, 2010.
[JB04] J.-H. R. Jiang, R. K. Brayton. Functional Dependency for Verification Reduction. In Alur and Peled (eds.), CAV. Springer, 2004.
[JR10] P. James, M. Roggenbach. SAT-based Model Checking of Train Control Systems. In Calco-Jnr 2009. March 2010.
[Kan08] K. Kanso. Formal Verification of Ladder Logic. Master's thesis, Swansea University, 2008.
[KMS08] K. Kanso, F. Moller, A. Setzer. Verification of Safety Properties in Railway Interlocking Systems Defined with Ladder Logic. In Calder and Miller (eds.), AVOCS08. Glasgow, 2008.
[Kul08] O. Kullmann. The OKlibrary: A generative research platform for (generalised) SAT solving. Technical report CSR 1-2008, Swansea University, 2008.
[SSS00] M. Sheeran, S. Singh, G. Stålmarck. Checking safety properties using induction and a SAT-solver. Lecture Notes in Computer Science, 2000.
[upp10] Uppaal Tool. Webpage, last accessed July 2010. http://www.uppaal.com/.
[wes10] Westrace. Webpage, last accessed July 2010. http://www.wrsl.com/assets/files/Interlocking/westrace/WESTRACE%20Intorduction.pdf.
[Win02] K. Winter. Model checking railway interlocking systems. Australian Computer Science Communications 24(1), 2002.
[ZRK03] B. Zoubek, J.-M. Roussel, M. Kwiatkowska. Towards Automatic Verification of Ladder Logic Programs. In Proceedings of IMACS-IEEE (CESA'03). 2003.
