Applied Bounded Model Checking for Interlocking System Designs

Haxthausen, Anne Elisabeth; Peleskã, Jan; Pinger, Ralf

doi:10.1007/978-3-319-05032-4_16

Cited by 28 publications

(27 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The cases in Table 2 are listed in the approximate order of increasing network complexity. The first seven cases are made-up networks inspired by the typical examples used in other studies about formal verification of railway interlocking systems [20,38,25,24]. For instance, the example network shown in Figure 1 is case Mini in Table 2.…”

Section: Experiments With Our Toolchainmentioning

confidence: 99%

“…SAT-based model checking and slicing technique are used in [26]. In order to remedy the problem with state space explosion in the global model checking approach, we have recently used BMC for the work described here and for some other applications [23,24]. In the current work, a combination of SMT-based BMC with inductive reasoning allowed us to verify safety properties without having to explore the whole state space, hence we were able to push the bounds even further to handle larger networks of industrial size.…”

Section: Related Workmentioning

confidence: 99%

“…Conventionally, the development and verification process of interlocking systems is informal and mostly manual, and hence time-consuming, costly, and error-prone. Automated verification of interlocking systems is therefore an active research topic, investigated by several research groups, see e.g., [20,17,38,25,19,24]. As part of the RobustRailS research project, 3 our work aims at establishing a holistic method supporting the verification of such systems.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Formal modelling and verification of interlocking systems featuring sequential release

Haxthausen

Peleskã

2017

Science of Computer Programming

Self Cite

View full text Add to dashboard Cite

In this article, we present a method and an associated toolchain for the formal verification of the new Danish railway interlocking systems that are compatible with the European Train Control System (ETCS) Level 2. We have made a generic and reconfigurable model of the system behaviour and generic safety properties. This model accommodates sequential release -a feature in the new Danish interlocking systems. To verify the safety of an interlocking system, first a domain-specific description of interlocking configuration data is constructed and validated. Then the generic model and safety properties are automatically instantiated with the well-formed description of interlocking configuration data. This instantiation produces a model instance in the form of a Kripke structure, and concrete safety properties expressed as invariants. Finally, using a combination of SMT based bounded model checking (BMC) and inductive reasoning, it is verified that the generated model instance satisfies the generated safety properties. Using this method, we are able to verify the safety properties for model instances corresponding to railway networks of industrial size. Experiments show that BMC is also efficient for finding bugs in the railway interlocking designs. Additionally, benchmarking results comparing the performance of our approach with alternative verification techniques on the interlocking models are presented.

show abstract

Section: Experiments With Our Toolchainmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Formal modelling and verification of interlocking systems featuring sequential release

Haxthausen

Peleskã

2017

Science of Computer Programming

Self Cite

View full text Add to dashboard Cite

show abstract

“…The research shows that interlocking systems of realistic size are currently out of reach for both flavors of general purpose model checkers. To mitigate the state-space explosion problem, [21] uses bounded model checking [8] for interlockings. Instead of attempting an exhaustive coverage of the state-space, symbolically or explicitly, bounded model checking analyses (the behavior of) a given system only up to a given bound (which is raised incrementally in case analyzing a problem instance is inconclusive).…”

Section: Related Workmentioning

confidence: 99%

Efficient verification of railway infrastructure designs against standard regulations

Luteberget

Johansen

2017

Form Methods Syst Des

View full text Add to dashboard Cite

In designing safety-critical infrastructures s.a. railway systems, engineers often have to deal with complex and large-scale designs. Formal methods can play an important role in helping automate various tasks. For railway designs formal methods have mainly been used to verify the safety of so-called interlockings through model checking, which deals with state change and rather complex properties, usually incurring considerable computational burden (e.g., the state-space explosion problem). In contrast, we focus on static infrastructure models, and are interested in checking requirements coming from design guidelines and regulations, as usually given by railway authorities or safety certification bodies. Our goal is to automate the tedious manual work that railway engineers do when ensuring compliance with regulations, through using software that is fast enough to do verification on-the-fly, thus being able to be included in the railway design tools, much like a compiler in an IDE. In consequence, this paper describes the integration into the railway design process of formal methods for automatically extracting railway models from the CAD railway designs and for describing relevant technical regulations and expert knowledge as properties to be checked on the models. We employ a variant of Datalog and use the standardized "railway markup language" railML as basis and exchange format for the formalization. We developed a prototype tool and integrated it in industrial railway CAD software, developed under the name RailCOMPLETE . This on-the-fly verification tool is a help for the engineer while doing the designs, and is not a replacement to other more heavy-weight software like for doing interlocking verification or capacity analysis. Our tool, through the export into railML, can be easily integrated with these other tools. We apply our tool chain in a Norwegian railway project, the upgrade of the Arna railway station.

show abstract

“…For example, abstraction techniques can be applied at the domain modelling level before the model checking is performed [9]. Other very efficient techniques applied for real world railways are bounded model checking [8] and k-induction [19]. The state explosion problem can also be tamed using techniques that allow a compositional approach to the model checking task [10]: the model checker must prove that assumptions imply the guarantees of each 1 For instance the July 2016 rural Southern-Italy head-on train collision would have been prevented if automated train detection equipment had been in place.…”

Section: Introductionmentioning

confidence: 99%

Compositional Model Checking of Interlocking Systems for Lines with Multiple Stations

Macedo

Fantechi

Haxthausen

2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In the railway domain safety is guaranteed by an interlocking system which translates operational decisions into commands leading to field operations. Such a system is safety critical and demands thorough formal verification during its development process. Within this context, our work has focused on the extension of a compositional model checking approach to formally verify interlocking system models for lines with multiple stations. The idea of the approach is to decompose a model of the interlocking system by applying cuts at the network modelling level. The paper introduces an alternative cut (the linear cut) to a previously proposed cut (border cut). Powered with the linear cut, the model checking approach is then applied to the verification of an interlocking system controlling a real-world multiple station line.

show abstract

Applied Bounded Model Checking for Interlocking System Designs

Cited by 28 publications

References 19 publications

Formal modelling and verification of interlocking systems featuring sequential release

Formal modelling and verification of interlocking systems featuring sequential release

Efficient verification of railway infrastructure designs against standard regulations

Compositional Model Checking of Interlocking Systems for Lines with Multiple Stations

Contact Info

Product

Resources

About