Safety-Level Communication in Railway Interlockings

Abstract

This paper illustrates the formal analysis of a simple protocol used to convey critical data between the distributed solid-state control elements in the signalling systems operated by Railtrack (British Railways). The analysis concentrates on temporal properties of the protocol, and on one safety property in particular which informal analysis suggests can be violated in certain combinations of circumstances. A formal model is developed so that a rigorous, mathematically informed assessment can be made as to whether the perceived violation of safety presents a significant hazard to railway traffic. The model is then used to formulate possible strategies for overcoming the problem. While demonstrating the power of the modelling process, this paper also illustrates the importance of conducting formal proofs: the failed attempt to prove safety in a corrected version of the protocol reveals a second logical flaw. Both flaws admit simple solutions.
