Formal validation of an interlocking system for large railway stations: A case study. utes (as reported in gure 7), while the non-progress cycles check required less than 6 minutes. Some remarks about the experimental results. Of all the reduction mechanisms provided by spin, d_step was the most eeective to reduce the storage of irrelevant states. Without it, it would not have been possible to complete the above analysis. Notice also that the optimization of the model was never a major concern, given the requirement of scalability for the model. A number of redundancies in the used representation have been identiied which seem to allow for optimization, and for the veriication of even more complex conngurations. During the analysis, spin was able to detect an anomalous behaviour. One of the processes was activated while being in a resting state, i.e. a state having no associated operations in the activation table. The signiicance of this behaviour is that it was present in a prototype version of the Safety Logic. This was solved by associating by default every resting state with a ctitious operation which simply returns control to the Scheduler. Pinning out this behaviour was very valuable to highlight the power of exhaustive veriication. Such a behaviour is extremely hard to point out via testing. After the anomalous behaviour was found, the spin mechanism for nding the shortest counterexample was very useful to reduce the length of the trace. The \short-est" trace we could come up with is generated by a particular sequence of four manual commands issued during seven cycles of the Safety Logic, and amounts to several hundred steps of simulation. In gure 8 part of the trace shown by the spin interface is reported, covering just a little more than one cycle of the SL. The vertical traces represent (from left to right), OP, Sched, LC, Shunt, the two Liberations and PD. This project has been a successful experience in formal methods applied to the design of safety-critical systems. The conngurations analyzed in this project are much simpler than the ones needed to control a railway station. However, it seems possible to deal with conngurations of signiicant size and complexity, which can help the designer to gain conndence in the system being speciied. This is a great advantage with respect to testing, as very often the exhaustive analysis of a scaled down connguration can reveal problems which are present …