Stepwise development and model checking of a distributed interlocking system using RAISE

This paper considers the challenge of designing and verifying control protocols for geographically distributed railway interlocking systems. It describes how this challenge can be tackled by stepwise development and model checking of state transition system models in a new extension of the RAISE Specification Language. Railway interlocking systems are reconfigurable systems which can be configured by supplying data describing the network to be controlled and other details. Therefore, such systems are natural candidates for being modelled by generic state transition systems, which abstract away from the concrete configuration at the time of modelling, and can later be instantiated with concrete data. For a real-world case study, a generic state transition system is developed in steps, starting with an abstract model of the essential system behaviour and incrementally adding details and restrictions. The stepwise development method allows different variants of the control protocol to be explored. The generic models are instantiated with concrete configuration data, after which desired properties, in particular safety properties, of the system models are verified using model checking.
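To make the approach concrete, here is an added example (not the paper's RAISE specification, and Python rather than RSL): a generic state transition system for a small interlocking, parameterised by configuration data, instantiated with a constructed two-route station, and exhaustively explored to check a safety property for two protocol variants (whole-route locking with sequential release, and a deliberately weaker entry-section-only variant).

```python
from collections import deque
# Generic model (an added illustration, not the paper's RAISE model): the
# configuration supplies routes (sections in travel order) and a train count.
def initial_state(config):
    # Each train is (route index, position in route), or None when idle.
    return (tuple([None] * config["trains"]), frozenset())

def successors(state, config, lock_whole_route):
    """Enabled transitions. Variant: lock the whole route at allocation
    (sequentially released as the train advances) or only its entry section."""
    trains, locked = state
    routes = config["routes"]
    for t, tr in enumerate(trains):
        nt = list(trains)
        if tr is None:
            for ri, route in enumerate(routes):
                need = set(route) if lock_whole_route else {route[0]}
                if need.isdisjoint(locked):
                    nt[t] = (ri, 0)
                    yield tuple(nt), locked | need
        else:
            ri, pos = tr
            route = routes[ri]
            if pos + 1 < len(route):
                nt[t] = (ri, pos + 1)  # advance; release the section left
                yield tuple(nt), (locked - {route[pos]}) | {route[pos + 1]}
            else:
                nt[t] = None  # leave the controlled area
                yield tuple(nt), locked - {route[pos]}

def safe(state, config):
    # Safety property: no two trains occupy the same track section.
    secs = [config["routes"][ri][pos] for ri, pos in filter(None, state[0])]
    return len(secs) == len(set(secs))

def check(config, lock_whole_route):
    """Explicit-state model check (BFS over reachable states); returns
    (states explored, first unsafe state or None as counterexample)."""
    start = initial_state(config)
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if not safe(s, config):
            return len(seen), s
        for n in successors(s, config, lock_whole_route):
            if n not in seen:
                seen.add(n); queue.append(n)
    return len(seen), None
# Constructed instantiation: two routes crossing at section "X", two trains.
STATION = {"routes": [("A", "X", "B"), ("C", "X", "D")], "trains": 2}
```

Running `check(STATION, True)` reports no violation, while `check(STATION, False)` returns a reachable state with both trains on "X", which is the kind of counterexample that distinguishes protocol variants during stepwise development.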
