A Formal Specification and Validation of a Safety Critical Railway Control System

This paper describes an important experiment in formal specification and validation, both performed in the context of an industrial project carried out jointly by Ansaldobreda Segnalamento Ferroviario and the CNR Institutes IEI and CNUCE of Pisa. Within this project we developed two formal models of a control system that is part of a wider safety-critical system for the management of medium-to-large railway networks. Each model describes different aspects of the system at a different level of abstraction. On these models we verified both safety properties (under the hypothesis of Byzantine errors, or in the presence of certain defined hardware faults) and liveness properties of a dependable communication protocol. The properties were specified by means of assertions and temporal logic formulae. Promela was used as the specification language, while the verification was performed with the model checker Spin.