Automated Verification of Executable UML Models

Science of Computer Programming

Peleskã

2017

In this article, we present a method and an associated toolchain for the formal verification of the new Danish railway interlocking systems that are compatible with the European Train Control System (ETCS) Level 2. We have made a generic and reconfigurable model of the system behaviour and generic safety properties. This model accommodates sequential release -a feature in the new Danish interlocking systems. To verify the safety of an interlocking system, first a domain-specific description of interlocking configuration data is constructed and validated. Then the generic model and safety properties are automatically instantiated with the well-formed description of interlocking configuration data. This instantiation produces a model instance in the form of a Kripke structure, and concrete safety properties expressed as invariants. Finally, using a combination of SMT based bounded model checking (BMC) and inductive reasoning, it is verified that the generated model instance satisfies the generated safety properties. Using this method, we are able to verify the safety properties for model instances corresponding to railway networks of industrial size. Experiments show that BMC is also efficient for finding bugs in the railway interlocking designs. Additionally, benchmarking results comparing the performance of our approach with alternative verification techniques on the interlocking models are presented.

Section: Train Movements Transitionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Formal modelling and verification of interlocking systems featuring sequential release

Science of Computer Programming

Peleskã

2017

“…However, full formal verification of interlocking systems demands heavy if not infeasible computational resources 2 , a phenomenon known as the state explosion problem. The pioneering research in model checking and in applying model checking to the domain of railways [3][4][5]7,9,20] has developed techniques allowing the verification of models of the interlocking systems controlling larger and highly-complex networks. For example, abstraction techniques can be applied at the domain modelling level before the model checking is performed [9].…”

Section: Introductionmentioning

confidence: 99%

Compositional Model Checking of Interlocking Systems for Lines with Multiple Stations

Macedo

Fantechi

Lecture Notes in Computer Science

2017

Abstract. In the railway domain safety is guaranteed by an interlocking system which translates operational decisions into commands leading to field operations. Such a system is safety critical and demands thorough formal verification during its development process. Within this context, our work has focused on the extension of a compositional model checking approach to formally verify interlocking system models for lines with multiple stations. The idea of the approach is to decompose a model of the interlocking system by applying cuts at the network modelling level. The paper introduces an alternative cut (the linear cut) to a previously proposed cut (border cut). Powered with the linear cut, the model checking approach is then applied to the verification of an interlocking system controlling a real-world multiple station line.

“…It is a vital part of any railway signalling system and has the highest safety integrity level (SIL4) according to the CENELEC 50128 standard [1]. Automated safety verification of interlocking systems is hence an important issue and an active research topic, investigated by several research groups, see e.g., [3,4,5,9,21]. Model-checking techniques are considered for this purpose, but, notwithstanding the important advancements witnessed for these techniques, they fail to give results on large interlocking systems due to the state space explosion problem.…”

Section: Introductionmentioning

confidence: 99%

Compositional Verification of Multi-station Interlocking Systems

Macedo

Fantechi

Leveraging Applications of Formal Methods, Verification and Validation: Discussion, Dissemination, Applications

2016

Abstract. Because interlocking systems are highly safety-critical complex systems, their automated safety verification is an active research topic investigated by several groups, employing verification techniques to produce important cost and time savings in their certification. However, such systems also pose a big challenge to current verification methodologies, due to the explosion of state space size as soon as large, if not medium sized, multi-station systems have to be controlled. For these reasons, verification techniques that exploit locality principles related to the topological layout of the controlled system to split in different ways the state space have been investigated. In particular, compositional approaches divide the controlled track network in regions that can be verified separately, once proper assumptions are considered on the way the pieces are glued together. Basing on a successful method to verify the size of rather large networks, we propose a compositional approach that is particularly suitable to address multi-station interlocking systems which control a whole line composed of stations linked by mainline tracks. Indeed, it turns out that for such networks, and for the adopted verification approach, the verification effort amounts just to the sum of the verification efforts for each intermediate station and for each connecting line.