Verification of Railway Interlockings in SCADEcsfm/Rail/Pubs/LawrenceAVOCS10Slides.pdf · 2017. 5. 30. · Complier Certiﬁed EN 50128 SCADE moto: Design, Verify, Generate. We only

IntroductionPart IPart II

Verification of Railway Interlockings in SCADE

Andy Lawrence∗ and Monika SeisenbergerSwansea University

22nd September 2010

∗Acknowledging the support of Invensys Rail UK.

Andy Lawrence Verification of Railway Interlockings in SCADE


An Overview of the Presentation

Aim: Formal Verification of Railway Interlockings:Various approaches - Is Scade useful for it?

Overview:

Part I: Verification of Railway Interlockings in Ladder Logic

Part II: Modelling Railways from Scratch.

Comparison.

In both parts of this talk the verification is performed via modelchecking.



Part I: Verification of Railway Interlockings in Ladder Logic

Part I: Verification of Railway Interlockings inLadder Logic



Railway Interlockings and Ladder Logic

Railway engineers use a programming language called LadderLogic to describe interlockings:

A graphical language for programming logic controllers.

Part of the IEC 61131 standard.

Sequentially executed

The subset used here is similar to propositional logic.



SCADE Suite

Tool support for modelling and verification: SCADE Suite.

Developed by Esterel TechnologiesSafety critical embedded systems IDEComplier Certified EN 50128SCADE moto: Design, Verify, Generate.

We only use SCADE ’s model checking component.

Methods included:

St̊almarck’s Saturation AlgorithmReduced Ordered Binary Decision Diagrams



Translating Ladder Logic into SCADE

Building on work by Kanso and James, Swansea, we generated atool (in Haskell) that translates Ladder Logic specifications intoScade.

Ladder logicTool=⇒ Scade language

We translated specifications of one toy example (pelican crossing)and two real world example (given by the company, butconfidential).



Ladder Logic versus SCADE Language

Ladder Logic:

pressed req req

SCADE Language:

req = false -> pressed and (not pre req);



Safety Condition

A safety condition for the pelican crossing:

safelights = true -> (traff_green xor ped_green)

It should be the case that either a green light is showing for thetraffic or the pedestrians; but never both at the same time.

SCADE will check that the variable safelights always has valuetrue.



Verification of a Safety Condition for Interlocking A

Verified real-world 2 railway interlockings: Approximately 600variables, 350 rungs each.

We verified a variety of safety conditions:

“A point can not be driven normal and reverse”

“If the track is occupied then the signal will show a redaspect”

“if a green light is set and a route is selected then the greenbulb has not blown” .

Verification time: less than a second

However some false counter examples were also produced.

Reason: Model under-specifiedAndy Lawrence Verification of Railway Interlockings in SCADE


Comparison of Approaches

Comparison with previous projects in the Swansea RailwayVerification Group.

SCADE managed to verify all case studies which had beenpreviously verified.

Advantages of SCADE :

Heavily used, well known tool

User interface

Disadvantage: No fine tuning possible



Part II : Modelling The Railway From Scratch



Modelling The Railway From Scratch

The modelling process started by creating components from whicha railway could be built.

Our intent was to capture concrete behaviour with reusablecomponents.

The following components were specified:

Track Segments.

Lights.

Points.

Routes.

We modelled a segment of railway consisting of: 11 segments oftrack, 4 points, 6 routes, 9 lights and a route controller.



Partial Track Plan

This is part of a simplified version of a track plan controlled by oneof the real-world interlockings verified in Part I.

Station

Trains In

Trains Out

This track is traversed in 4 different ways.

2 Incoming Routes

2 Outgoing Routes



Formalising Safety Conditions

1 Verified safety conditions which also had been verified in firstapproach.

2 Since have captured the topology of the railway in our model,further safety properties can be verified.

Example of an additional safety condition proven:If the point is set A→ B and a train enters the junction at AIt should leave the junction at B



Results and Comparison

1 First Approach: We built an automatic translation tool.

Ladder logic spec given by industryCovered Larger Model

2 Second Approach: We have invented a new modellingapproach which allowed us to specify and verify the topology

reusable componentsIndustry wants to get away from ladder logic towards higherlevel languages.



Further Work:

Investigate:

Limits of Railway Interlocking examples in SCADE :How many variables and rungs can SCADE handle?

How to exclude false negatives.

Explore:

Further safety conditions and liveness conditions.

Further functionality of SCADE : explore and control othercapabilities (eg. code generation).

Is a combination of first order theorem proving and modelchecking applicable?


Verification of Railway Interlockings in SCADEcsfm/Rail/Pubs/LawrenceAVOCS10Slides.pdf · 2017. 5. 30. · Complier Certiﬁed EN 50128 SCADE moto: Design, Verify, Generate. We only

Documents