Formal Modeling and Verification of Interlocking Systems Featuring Sequential Release

In this paper, we present a method and an associated tool suite for formal verification of the new ETCS Level 2-based Danish railway interlocking systems. We have made a generic and reconfigurable model of the system behavior and generic high-level safety properties. This model accommodates sequential release – a feature in the new Danish interlocking systems. The generic model and safety properties can be instantiated with interlocking configuration data, resulting in a concrete model in the form of a Kripke structure, and in high-level safety properties expressed as state invariants. Using SMT-based bounded model checking (BMC) and inductive reasoning, we are able to verify the properties for model instances corresponding to railway networks of industrial size. Experiments also show that BMC is efficient for finding bugs in the railway interlocking designs.
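The following Python script is an added illustration of the verification scheme the abstract describes; it is not the authors' tool suite or model. It builds a Kripke structure for a constructed three-element network with two routes that share an element, implements sequential release (an element is freed as soon as the train leaves it), and checks a state invariant by BMC (bug finding on a deliberately weakened route-allocation check) plus a 1-inductive step (verification). The paper's method discharges both checks with an SMT solver over a symbolic encoding; here the state space is small enough to enumerate explicitly, which is an assumption made only so the example runs stand-alone. The element names, route tables, and the `strict_allocation` flag are constructed for the example.

```python
"""Toy interlocking with sequential release, checked by BMC and 1-induction
over an explicitly enumerated Kripke structure (illustration, not the paper's tool)."""
from itertools import product

# Constructed configuration data: three track elements, two routes conflicting on e2.
ELEMENTS = ("e1", "e2", "e3")
ROUTES = {"R1": ("e1", "e2"), "R2": ("e2", "e3")}
FREE = None

# A state is (locks, trains): locks[e] is the route owning element e (or FREE),
# trains[r] is the index of the element currently occupied by the train on route r (or None).
def freeze(locks, trains):
    return (tuple(locks[e] for e in ELEMENTS), tuple(trains[r] for r in ROUTES))

def thaw(state):
    return dict(zip(ELEMENTS, state[0])), dict(zip(ROUTES, state[1]))

def initial_state():
    return freeze({e: FREE for e in ELEMENTS}, {r: None for r in ROUTES})

def successors(state, strict_allocation=True):
    """Transition relation. strict_allocation=False models a hypothetical design bug:
    route setting checks only occupancy instead of locks, so locks can be overwritten."""
    locks, trains = thaw(state)
    occupied = {ROUTES[r][i] for r, i in trains.items() if i is not None}
    out = []
    for r, path in ROUTES.items():
        if trains[r] is None:
            # Route setting: every element of the path is locked and a train is admitted at entry.
            if strict_allocation:
                ok = all(locks[e] is FREE for e in path)
            else:
                ok = all(e not in occupied for e in path)
            if ok:
                l2, t2 = dict(locks), dict(trains)
                for e in path:
                    l2[e] = r
                t2[r] = 0
                out.append(freeze(l2, t2))
        else:
            # Train advances one element; sequential release frees the element just left.
            i = trains[r]
            l2, t2 = dict(locks), dict(trains)
            l2[path[i]] = FREE
            t2[r] = i + 1 if i + 1 < len(path) else None
            out.append(freeze(l2, t2))
    return out

def no_collision(state):
    """High-level safety property: no element is occupied by two trains."""
    _, trains = thaw(state)
    occ = [ROUTES[r][i] for r, i in trains.items() if i is not None]
    return len(occ) == len(set(occ))

def path_locked(state):
    """Strengthening: every element a train still has to traverse is locked by its route."""
    locks, trains = thaw(state)
    return all(locks[e] == r for r, i in trains.items() if i is not None for e in ROUTES[r][i:])

def safe(state):
    return no_collision(state) and path_locked(state)

def bmc(prop, k, **kw):
    """Bounded model checking: explore all paths of length <= k from the initial state.
    Returns the first counterexample trace (a tuple of states), or None."""
    frontier = [(initial_state(),)]
    for _ in range(k + 1):
        nxt = []
        for trace in frontier:
            if not prop(trace[-1]):
                return trace
            nxt.extend(trace + (s,) for s in successors(trace[-1], **kw))
        frontier = nxt
    return None

def all_states():
    for lk in product((FREE, *ROUTES), repeat=len(ELEMENTS)):
        for tr in product(*[(None, *range(len(p))) for p in ROUTES.values()]):
            yield (lk, tr)

def inductive(prop, **kw):
    """Inductive step: every transition out of a prop-state lands in a prop-state.
    Returns None on success, otherwise an offending (s, s') pair."""
    for s in all_states():
        if prop(s):
            for s2 in successors(s, **kw):
                if not prop(s2):
                    return s, s2
    return None

def verify(prop, k, **kw):
    """Base case by BMC plus the inductive step: True means prop holds in all reachable states."""
    return bmc(prop, k, **kw) is None and inductive(prop, **kw) is None

if __name__ == "__main__":
    print("buggy design, BMC counterexample:", bmc(no_collision, 4, strict_allocation=False))
    print("correct design, no_collision inductive?", inductive(no_collision) is None)
    print("correct design, strengthened invariant verified?", verify(safe, 3))
```

Two points the run makes concrete: on the weakened design BMC refutes the property with a three-step trace (set R1, set R2 over the still-locked e2, advance R1 into e2), and on the correct design the plain collision-freedom property is not inductive by itself, because the step case ranges over unreachable states where a train's remaining path is unlocked; adding the route-locking invariant makes it 1-inductive, which mirrors the role of strengthened state invariants in the paper's inductive reasoning.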
