Safety assurance in interlocking design

This thesis takes a pedagogical stance in demonstrating how results from theoretical computer science may be applied to yield significant insight into the behaviour of the devices computer systems engineering practice seeks to put in place, and that this is immediately attainable with the present state of the art. The focus for this detailed study is provided by the type of solid state signalling systems currently being deployed throughout mainline British railways. Safety and system reliability concerns dominate in this domain. With such motivation, two issues are tackled: the special problem of software quality assurance in these data-driven control systems, and the broader problem of design dependability. In the former case, the analysis is directed towards proving safety properties of the geographic data which encode the control logic for the railway interlocking; the latter examines the fidelity of the communication protocols upon which the distributed control system depends. The starting point for both avenues of attack is a mathematical model of the interlocking logic that is derived by interpreting the geographic data in process algebra. Thus, the emphasis is on the semantics of the programming language in question, and the kinds of safety properties which can be expressed as invariants of the system’s ongoing behaviour. Although the model so derived turns out to be too concrete to be effectual in program verification in general, a careful analysis of the safety proof reveals a simple co-induction argument that leads to a highly efficient proof methodology. From this understanding it is straightforward to mechanise the safety arguments, and a prototype verification system is realised in higher-order logic which uses the proof tactics of the theorem prover to achieve full automation. The other line of inquiry considers whether the integrity of the overall design that coordinates the activities of many concurrent control elements can be compromised. Therefore, the formal model is developed to specifically answer safety-related concerns about the protocol employed to achieve distributed control in the management of larger railway networks. The exercise reveals that moderately serious design flaws do exist, but the real value of the mathematical model is twofold: it makes explicit one’s assumptions about the conditions under which the faults can and cannot be activated, and it provides a framework in which to prove a simple modification to the design recovers complete security at negligible cost to performance.
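The abstract's central move is to read the control data as a transition system, state safety as an invariant of that system's behaviour, and then discharge the safety proof by a co-induction argument: show the invariant holds initially and is preserved by every single step, without ever enumerating the reachable states. The Python below is an added illustration of that argument and is not code from the thesis or from any SSI product. Its junction layout, its "sections + points" rule format, and the route names R1 to R3 are all constructed for the example and are a simplification of real geographic data.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Iterator, NamedTuple, Optional, Tuple

# Constructed layout for a junction with one set of points (P1) and three routes.
# Each route physically traverses some track sections and needs P1 in a position;
# this simplified "sections + points" form is not real SSI geographic data.
LAYOUT = {
    "R1": {"sections": frozenset({"T1", "T2"}), "points": {"P1": "N"}},
    "R2": {"sections": frozenset({"T2", "T3"}), "points": {"P1": "R"}},
    "R3": {"sections": frozenset({"T3"}),       "points": {}},
}
POINTS = ("P1",)

# Control data = the locking that each route's request rule actually performs.
# Correct data locks exactly what the layout requires.
GOOD_DATA = LAYOUT
# Defective variant (constructed): R3's rule forgets to lock section T3.
BAD_DATA = dict(LAYOUT, R3={"sections": frozenset(), "points": {}})

class State(NamedTuple):
    set_routes: FrozenSet[str]   # routes currently set (and hence locked)
    reverse: FrozenSet[str]      # points lying reverse; all others lie normal

def demanded(state: State, data: Dict, point: str) -> set:
    """Positions that the routes currently set demand of `point` (its lock)."""
    return {data[r]["points"][point] for r in state.set_routes
            if point in data[r]["points"]}

def successors(state: State, data: Dict) -> Iterator[Tuple[str, State]]:
    """Interpret the control data as the interlocking's one-step behaviour."""
    locked = frozenset().union(*(data[r]["sections"] for r in state.set_routes))
    for r, rule in data.items():
        if r in state.set_routes:            # simplification: cancel at any time
            yield ("cancel " + r, State(state.set_routes - {r}, state.reverse))
            continue
        if rule["sections"] & locked:        # sub-route locking test fails
            continue
        # each point must be free to move, or already held in the needed position
        if any(demanded(state, data, p) - {pos} for p, pos in rule["points"].items()):
            continue
        rev = set(state.reverse)
        for p, pos in rule["points"].items():
            rev.discard(p) if pos == "N" else rev.add(p)
        yield ("set " + r, State(state.set_routes | {r}, frozenset(rev)))

def safe(state: State) -> bool:
    """Safety invariant, stated against the physical layout, not the data:
    no two set routes share a section, and every set route's points lie right."""
    for a, b in combinations(sorted(state.set_routes), 2):
        if LAYOUT[a]["sections"] & LAYOUT[b]["sections"]:
            return False
    return all(("R" if p in state.reverse else "N") == pos
               for r in state.set_routes for p, pos in LAYOUT[r]["points"].items())

def powerset(items) -> Iterator[FrozenSet[str]]:
    items = tuple(items)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)

def all_states() -> Iterator[State]:
    """Every syntactically possible state, reachable or not."""
    for routes in powerset(LAYOUT):
        for rev in powerset(POINTS):
            yield State(routes, rev)

INITIAL = State(frozenset(), frozenset())

def check_inductive(data: Dict) -> Optional[Tuple[str, State, State]]:
    """Co-inductive safety argument: `safe` holds initially, and one step from
    any safe state lands in a safe state. Nothing is said about reachability and
    no state graph is stored, so the cost is linear in (states x rules).
    Returns None when the argument goes through, else the offending step."""
    if not safe(INITIAL):
        return ("initial", INITIAL, INITIAL)
    for s in all_states():
        if not safe(s):
            continue                     # hypothesis of the co-induction
        for label, t in successors(s, data):
            if not safe(t):
                return (label, s, t)
    return None

if __name__ == "__main__":
    print("good data:", check_inductive(GOOD_DATA))   # None: invariant preserved
    print("bad data: ", check_inductive(BAD_DATA))    # the step that breaks it
```

Two design points carry over from the thesis's approach. The invariant `safe` is written against the physical layout, never against the control data, because the data is the thing under test; and the check quantifies over all states that satisfy the invariant rather than over reachable states, which is exactly why it needs no model of train movement or of the environment and stays cheap as the network grows. With the defective data the check returns the single step (setting R3 while R2 is set) that escapes the invariant, which is the kind of localised counterexample a data engineer can act on.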
