Compositional Verification of Interlocking Systems for Large Stations

Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification

Gori²,

Haxthausen³

et al. 2022

Self Cite

Formal verification of safety of interlocking systems and of their configuration on a specific track layout is conceptually an easy task for model checking. Systems that control large railway networks, however, are challenging due to state space explosion problems. A possible way out is to adopt a compositional approach that allows safety of a large system to be deduced from the formal verification of parts in which the system has been properly decomposed. Two different approaches have been proposed in this regard, differing for the decomposition assumptions and for the adopted compositional verification techniques. In this paper we compare the two approaches, discussing the differences, but also showing how the different concepts behind them are essentially equivalent, hence producing comparable benefits.

Section: The Robustrails Compositional Methodsmentioning

confidence: 99%

“…In [10,18,19,8] a compositional verification approach based on dividing the network layout into two (or more) portions has been proposed. Extra track sections and signals are added at the border between two portions in order to abstract in one portion the behaviour of the other one.…”

Section: Introductionmentioning

confidence: 99%

Compositional Verification of Railway Interlockings: Comparison of Two Methods

Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification

Gori²,

Haxthausen³

et al. 2022

Self Cite

“…However, networks of very large stations still exceed the model checking capacity. Therefore, to be able to perform verification for any size of networks, we have previously [2,8,15,16] suggested to use a compositional verification method on top of the RobustRailS verification method.…”

Section: Compositional Verificationmentioning

confidence: 99%

“…Locality has also enabled our proposal of a compositional approach for addressing verification for very large networks: the idea is to divide the network to be verified into two (or more) sub-networks and then model check the model instances for these sub-networks instead of model checking the model instance of the full network [2,8,15,16]. For model checking, we use the RobustRailS verification tools.…”

Section: Introductionmentioning

confidence: 99%

Decomposing the Verification of Interlocking Systems

Haxthausen

Lecture Notes in Computer Science

Gori

2023

Self Cite

This paper considers model checking the safety for members of a product line of railway interlocking systems, where an actual interlocking system is modelled as an instance of a generic model configured over the network under its control. For models over large networks it is a well-known problem that model checking may fail due to state space explosion. The RobustRailS tools that combine inductive reasoning with SMT solving using Jan Peleska's powerful RT-Tester tool suite have pushed considerably the limits of the size of networks that can be handled. To further push these limits, we have proposed a compositional method that can be combined with RobustRailS to reduce the size of networks to be model checked: the idea is to divide the network of the system to be verified into two sub-networks and then model check the model instances for these sub-networks instead of that for the full network. In this paper we propose a strategy for applying such network divisions repeatedly to achieve a fine granularity decomposition of a given network into a number of small sub-networks. Under certain conditions, these sub-networks all belong to a library of pre-verified elementary networks, so model checking of the sub-networks is no longer needed.

“…However, the experience with railway interlocking systems says that when several trains (processes) may require tens of track circuits and points, out of a pool of some hundreds, the combinatorial combination of the possibilities produces a state space explosion problem. This problem asks for suitable abstraction or compositional techniques, and for the power of recently available SAT and SMT-solvers to verify safety of the largest systems of realistic size [28,9].…”

Section: Introductionmentioning

confidence: 99%

Safety Interlocking as a Distributed Mutual Exclusion Problem

Formal Methods for Industrial Critical Systems

Haxthausen

2018

Self Cite

 Users may download and print one copy of any publication from the public portal for the purpose of private study or research.  You may not further distribute the material or use it for any profit-making activity or commercial gain  You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.