A Train Protection Logic Based on Topological Manifolds for Virtual Coupling

Virtual coupling is a promising innovation aimed at increasing railway capacity. Compared to current railway signaling systems, it allows two or more trains to run with reduced headway between them. However, such reduced headways are a challenge to safety. In this work we consider this challenge by formally describing and verifying an approach to virtual coupling. We propose a general modeling method based on topological manifolds to describe the protection logic for virtual coupling train control systems. We also describe the basic train control elements in topological terms and analyze the line condition of our virtual coupling logic. We establish that the line condition safety requirements and its representation as a manifold are equivalent and further provide a formal definition of the concept of a movement authority with manifold notations. This allows us to consider the dynamic behavior of trains and a series of theorems that establish the correctness of our protection logic for virtual coupling. Finally, we apply the presented methods to a case study. The results show that the proposed method provides a suitable way to realize a virtual coupling logic safely

Test Case Generation for a Level Crossing Controller

Formal methods (FM) can be used for the precise specification, property-ensuring development and exhaustive property verification of systems. Thus they are especially suited for highly safety or mission critical applications. Railway signaling systems clearly belong to these applications, and there are indeed several industrial projects where FM have been successfully applied; especially to core interlocking and communication-based train control (CBTC) systems. But despite their potential, FM are not very wide-spread in the sector. Work Package 5 of the X2Rail-2 project seeks to foster the use of FM in railway signaling by providing an introduction and overview of formal methods and demonstrating their use and benefit. For the latter, four different formal and one classical development methods are applied by different project partners to a level crossing (LX) controller specified by the Swedish railway infrastructure manager Trafikverket. For all of these developments, the safety properties from the LX specification are planned to be formally verified afterwards using the High Level Language (HLL). Since that means proving them exhaustively, they are of less interest for testing. However, there are further non-safety functional requirements in the specification which remain for testing. The extended abstract at hand reports on an automatic test case generation (TCG) approach of a test suite testing these requirements. In fact, this approach is based on formal methods as well, since the test case generator applies symbolic execution and theorem solving techniques: given a behavioral model of the system under test (SUT), the former method finds feasible paths through the model, while the latter completes the test case by determining suitable test data. This way, the test design task is partly automated, ensures a structural coverage of the model and the modeling process usually leads to a high test suite quality. The different LX controller implementations are tested as black box systems, each one with the same generated test cases. In order to simplify the integration of the different implementations with the test environment, a common test interface has been drawn up

A formal theory of railway track networks in higher-order logic and its applications in interlocking design

The research described in this dissertation centres on the application of a discipline of formal methods in railway signalling system design. A generic abstract model of railway track networks and signals has been developed in Higher-Order Logic(HOL). It consists of several theories arranged in a hierarchy. Railway track networks are modelled by a class of constraint labelled directed graphs. HOL theories of graphs and paths have been developed for representing track networks. HOL theories modelling individual track components and signals have also been developed. These theories are then combined to create a theory of track network. Three applications of this model are described. The first is a network verifier which verifies a formal specification of track layout against its abstract model by proving theorems automatically. The second application is to extract information from the specifications and to create control tables automatically. Lastly, a method of modelling the interlocking processor using finite state machines is described. Although this research has centred on railway signalling, it can be viewed as a case study of how to apply formal methods in the analysis and design of safety- critical systems. The approach and methods used can be generalized in order to be useful in other industries

Automatic instantiation of abstract tests on specific configurations for large critical control systems

Computer-based control systems have grown in size, complexity, distribution and criticality. In this paper a methodology is presented to perform an abstract testing of such large control systems in an efficient way: an abstract test is specified directly from system functional requirements and has to be instantiated in more test runs to cover a specific configuration, comprising any number of control entities (sensors, actuators and logic processes). Such a process is usually performed by hand for each installation of the control system, requiring a considerable time effort and being an error prone verification activity. To automate a safe passage from abstract tests, related to the so called generic software application, to any specific installation, an algorithm is provided, starting from a reference architecture and a state-based behavioural model of the control software. The presented approach has been applied to a railway interlocking system, demonstrating its feasibility and effectiveness in several years of testing experience

Verification of interlocking systems using statistical model checking

In the railway domain, an interlocking is the system ensuring safe train traffic inside a station by controlling its active elements such as the signals or points. Modern interlockings are configured using particular data, called application data, reflecting the track layout and defining the actions that the interlocking can take. The safety of the train traffic relies thereby on application data correctness, errors inside them can cause safety issues such as derailments or collisions. Given the high level of safety required by such a system, its verification is a critical concern. In addition to the safety, an interlocking must also ensure that availability properties, stating that no train would be stopped forever in a station, are satisfied. Most of the research dealing with this verification relies on model checking. However, due to the state space explosion problem, this approach does not scale for large stations. More recently, a discrete event simulation approach limiting the verification to a set of likely scenarios, was proposed. The simulation enables the verification of larger stations, but with no proof that all the interesting scenarios are covered by the simulation. In this paper, we apply an intermediate statistical model checking approach, offering both the advantages of model checking and simulation. Even if exhaustiveness is not obtained, statistical model checking evaluates with a parametrizable confidence the reliability and the availability of the entire system.Comment: 12 pages, 3 figures, 2 table

Developing a distributed electronic health-record store for India

The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India

Formalization and Validation of Safety-Critical Requirements

The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design, many formal techniques have been conceived and applied, the research on formal methods for requirements validation is not yet mature. The main obstacles are that, on the one hand, the correctness of requirements is not formally defined; on the other hand that the formalization and the validation of the requirements usually demands a strong involvement of domain experts. We report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The main ingredients are a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements

A software architecture for autonomous maintenance scheduling: Scenarios for UK and European Rail

A new era of automation in rail has begun offering developments in the operation and maintenance of industry standard systems. This article documents the development of an architecture and range of scenarios for an autonomous system for rail maintenance planning and scheduling. The Unified Modelling Language (UML) has been utilized to visualize and validate the design of the prototype. A model for information exchange between prototype components and related maintenance planning systems is proposed in this article. Putting forward an architecture and set of usage mode scenarios for the proposed system, this article outlines and validates a viable platform for autonomous planning and scheduling in rail