Practical formal validation method for interlocking systems

Today, the main issue is to answer the following question: have we finally recognized that, when it comes to software, delivering absolute numerical safety targets is considered impossible, and that the methods in the CENELEC standard yield a “probability” that certain unsafe failure rates will be achieved, rather than an absolute assurance? We know that the checks undertaken (and their results) before safety signalling facilities are put into service are essential, but they are time consuming. And there is no guarantee that these tests are exhaustive, particularly for computerised equipment. Under greater economic constraints and the increasing complexity of computerised tools, the classic approval process has today reached the limits of its capacity. In practice the validation coverage rate is falling, which results in an increasing number of unsafe failures. This paper assumes that it is possible in practice to give an exhaustive formal proof that the “functional” part of the signalling application (the functional “white box”) is safe in its context of use (the over-system). The presented method makes it possible, after a rigorous and cost-effective design, to formally validate the “functional” software of critical computerised systems. The aim of our project was to provide the SNCF (today for the delegated infrastructure manager, and tomorrow for the rolling stock departments of railway subcontractors) with an operating method for the formal validation of critical computerised systems, especially interlocking and ETCS/ERTMS systems. A formal proof method by assertion is presented in this paper; it covers the specification and its software implementation. With the proposed method and its associated tools we verified that the system satisfies all safety properties at all times and contains no superfluous conditions: it replaces the platform checks and is in accordance with the existing SNCF testing procedures. 
The advantages are a significant reduction in testing time and the related costs, and an increase in test coverage (deterministic safety rather than probabilistic safety). The paper argues that mastery of formal methods by infrastructure engineers is a key to showing that, over the life of the system, an increase in safety need not be more expensive.
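As an added illustration, not taken from the paper or from the SNCF method, the following Python toy models a two-route interlocking, exhaustively enumerates every reachable state to check that the safety properties hold at all times, and then drops each guard term in turn to identify conditions that are superfluous for safety. The route, point and guard names are constructed assumptions chosen for the example.

```python
from collections import deque

# Constructed toy interlocking: route A crosses the points in the normal
# position, route B crosses them in the reverse position, so the two routes
# conflict. State = (route_a_set, route_b_set, point_reverse).
INITIAL = (False, False, False)

# Each guard term is named so that it can be disabled individually below.
GUARDS = {
    "set_A": {"b_clear": lambda a, b, p: not b,
              "point_normal": lambda a, b, p: not p},
    "set_B": {"a_clear": lambda a, b, p: not a,
              "point_reverse": lambda a, b, p: p},
    "move_point": {"no_route": lambda a, b, p: not a and not b},
}

TRANSITIONS = {
    "set_A": lambda a, b, p: (True, b, p),
    "set_B": lambda a, b, p: (a, True, p),
    "cancel_A": lambda a, b, p: (False, b, p),
    "cancel_B": lambda a, b, p: (a, False, p),
    "move_point": lambda a, b, p: (a, b, not p),
}

def safe(state):
    """Safety properties: no conflicting routes set together, and a set
    route always holds the points in the position it requires."""
    a, b, p = state
    return not (a and b) and (not a or not p) and (not b or p)

def reachable(disabled=frozenset()):
    """Breadth-first enumeration of every state reachable from INITIAL,
    ignoring the guard terms listed in `disabled` as (command, term)."""
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        for cmd, step in TRANSITIONS.items():
            terms = GUARDS.get(cmd, {})
            if all(g(*s) for name, g in terms.items() if (cmd, name) not in disabled):
                nxt = step(*s)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def verify():
    """Exhaustive check: every reachable state satisfies the safety properties."""
    return all(safe(s) for s in reachable())

def superfluous_terms():
    """Guard terms whose removal still leaves every reachable state safe."""
    return [(cmd, name) for cmd, terms in GUARDS.items() for name in terms
            if all(safe(s) for s in reachable(frozenset({(cmd, name)})))]
```

Here the "route clear" terms turn out to be redundant because the point interlock already blocks the conflicting route, while removing any point-related term produces an unsafe reachable state.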