Compositional Verification of Railway Interlockings: Comparison of Two Methods

Fantechi, Alessandro; Gori, Gloria; Haxthausen, Anne Elisabeth; Limbrée, Christophe

doi:10.1007/978-3-031-05814-1_1

Cited by 9 publications

(9 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For each case, the statistics are shown first for each sub-network, then the global consumption of time and memory of the compositional approach and its reduction are shown in comparison with that of a monolithic verification for the full network. The first three examples have been presented at international conferences [1,2,16]; in particular the first one is the already mentioned EDL line, which has been decomposed in sub-networks related to each station of the line, among which the Køge station maintains its own high complexity. The second example is a single cut of a large network whose layout has been extracted from a portion of the main Florence station, while the third is a Belgian station on which a cluster cut has been applied, with the aim to compare the method with the decompositional approach of [14].…”

Section: Case Studiesmentioning

confidence: 99%

“…It has also been suggested to use bounded model checking to perform kinduction proofs of safety properties expressed as state invariants to avoid exploring the whole state space. In the RobustRailS verification tools [25] for interlocking systems this technique was implemented using the powerful SMT-based bounded model checker of Jan Peleska's RT-Tester tool 1 ; this made it possible to considerably push the bounds of the size of networks that can be verified without state space explosion [25].…”

Section: Introductionmentioning

confidence: 99%

“…This approach that is based on the criteria of functional decomposition of interlocking systems defined by the Belgian railways in order to deal with the control of large networks by dividing the network into subnetworks, each possibly controlled by separate interlocking systems. A comparison of this approach with ours is presented in [1]. Indeed, it appears that decomposition of a network in this approach is grounded on pragmatic domain-related criteria, while our approach is more general.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Decomposing the Verification of Interlocking Systems

Haxthausen

Fantechi

Gori

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper considers model checking the safety for members of a product line of railway interlocking systems, where an actual interlocking system is modelled as an instance of a generic model configured over the network under its control. For models over large networks it is a well-known problem that model checking may fail due to state space explosion. The RobustRailS tools that combine inductive reasoning with SMT solving using Jan Peleska's powerful RT-Tester tool suite have pushed considerably the limits of the size of networks that can be handled. To further push these limits, we have proposed a compositional method that can be combined with RobustRailS to reduce the size of networks to be model checked: the idea is to divide the network of the system to be verified into two sub-networks and then model check the model instances for these sub-networks instead of that for the full network. In this paper we propose a strategy for applying such network divisions repeatedly to achieve a fine granularity decomposition of a given network into a number of small sub-networks. Under certain conditions, these sub-networks all belong to a library of pre-verified elementary networks, so model checking of the sub-networks is no longer needed.

show abstract

Section: Case Studiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Decomposing the Verification of Interlocking Systems

Haxthausen

Fantechi

Gori

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…A similar approach in [23] uses the specification in UML that is converted to B. In [24], two compositional approaches using RT-Tester and NuSMV are proposed. Checking the violation of safety rules expressed as invariants, performed in SMT solver, is described in [25].…”

Section: Related Workmentioning

confidence: 99%

Temporal Verification of Relay-Based Railway Traffic Control Systems Using the Integrated Model of Distributed Systems

et al. 2022

View full text Add to dashboard Cite

Relay-based traffic control systems are still used in railway control systems. Their correctness is most often verified by manual analysis, which does not guarantee correctness in all conditions. Passenger safety, control reliability, and failure-free operation of all components require formal proof of the control system’s correctness. Formal evidence allows certification of control systems, ensuring that safety will be maintained in correct conditions and the in event of failure. The operational safety of systems in the event of component failure cannot be manually checked practically in the event of various types of damage to one component, pairs of components, etc. In the article, we describe the methodology of automated system verification using the IMDS (integrated model of distributed systems) temporal formalism and the Dedan tool. The novelty of the presented verification methodology lays in graphical design of the circuit elements, automated verification liberating the designer from using temporal logic, checking partial properties related to fragments of the circuit, and fair verification preventing the discovering of false deadlocks. The article presents the verification of an exemplary relay traffic control system in the correct case, in the case of damage to elements, and the case of an incorrect sequence of signals from the environment. The verification results are shown in the form of sequence diagrams leading to the correct/incorrect final state.

show abstract

“…We have based our compositional approach on the RobustRailS verication framework [20], that exploits the powerful SMT-based RT-Tester bounded model checker 3 , although it can be adapted to other verication frameworks: the idea of compositional verication is also shared by the approach described in [1012]. The two approaches are compared in [1], where it turns out that the latter is grounded on pragmatic domain-related criteria for the denition of how and where to perform the cut into two sub-networks.…”

Section: Introductionmentioning

confidence: 99%

Automated Compositional Verification of Interlocking Systems

Haxthausen,

Fantechi,

Gori

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Model checking techniques have often been applied to the verication of railway interlocking systems. However, these techniques may fail to scale to interlockings controlling large railway networks, composed by hundreds of controlled entities, due to the state space explosion problem. We have previously proposed a compositional method to reduce the size of networks to be model checked: the idea is to divide the network of the system to be veried into two sub-networks and then model check the model instances for these sub-networks instead of that for the full network. If given well-formedness conditions are satised by the network and the kind of division performed, it is proved that model checking safety properties of all such sub-networks guarantees safety properties of the full network. In this paper we observe that such a network division can be repeated, so that in the end, the full network has been divided into a number of sub-networks of minimal size, each being an instance of one of a limited set of "elementary networks", for which safety proofs have easily been given by model checking once for all. The paper denes a division algorithm, and shows how, applying it to some examples of dierent complexity, a network can be automatically decomposed into a set of elementary networks, hence proving its safety. The execution time for such a verication turns out to be a very small fraction of the time needed for a model checker to verify safety of the full network.

show abstract

Compositional Verification of Railway Interlockings: Comparison of Two Methods

Cited by 9 publications

References 19 publications

Decomposing the Verification of Interlocking Systems

Decomposing the Verification of Interlocking Systems

Temporal Verification of Relay-Based Railway Traffic Control Systems Using the Integrated Model of Distributed Systems

Automated Compositional Verification of Interlocking Systems

Contact Info

Product

Resources

About