IntroductionPart IPart II
Verification of Railway Interlockings in SCADE
Andy Lawrence∗ and Monika Seisenberger, Swansea University
22nd September 2010
∗Acknowledging the support of Invensys Rail UK.
Andy Lawrence Verification of Railway Interlockings in SCADE
An Overview of the Presentation
Aim: formal verification of railway interlockings. Various approaches exist; is SCADE useful for it?
Overview:
Part I: Verification of Railway Interlockings in Ladder Logic
Part II: Modelling Railways from Scratch.
Comparison.
In both parts of this talk the verification is performed via model checking.
Part I: Verification of Railway Interlockings in Ladder Logic
Railway Interlockings and Ladder Logic
Railway engineers use a programming language called Ladder Logic to describe interlockings:
A graphical language for programming logic controllers.
Part of the IEC 61131 standard.
Sequentially executed (rungs are evaluated top to bottom in every cycle).
The subset used here is similar to propositional logic.
SCADE Suite
Tool support for modelling and verification: SCADE Suite.
Developed by Esterel Technologies.
IDE for safety-critical embedded systems.
Compiler certified to EN 50128.
SCADE motto: Design, Verify, Generate.
We only use SCADE’s model checking component.
Methods included:
Stålmarck’s Saturation Algorithm
Reduced Ordered Binary Decision Diagrams
Translating Ladder Logic into SCADE
Building on work by Kanso and James (Swansea), we generated a tool (in Haskell) that translates Ladder Logic specifications into Scade.
Ladder logic ==(Tool)==> Scade language
We translated specifications of one toy example (pelican crossing) and two real-world examples (given by the company, but confidential).
Ladder Logic versus SCADE Language
Ladder Logic:
[Ladder rung figure: a contact on pressed in series with a normally-closed contact on req, driving the coil req.]
SCADE Language:
req = false -> pressed and (not pre req);
Here a -> b gives a in the first cycle and b in every later cycle, and pre x is the value x had in the previous cycle; so req is true exactly in the cycle in which pressed becomes true.
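The translation step in Python, as an added illustration (not the Swansea Haskell tool): a rung is a list of parallel branches (OR) of series contacts (AND); because rungs execute sequentially, a contact on a coil computed by an earlier rung reads the current value while a contact on its own coil or a later rung's coil reads the previous cycle and becomes pre in Scade. The first rung is the one on the slide; the other three rungs and the input set are assumed for illustration.

```python
"""Translate a propositional subset of ladder logic into Scade equations.

Added example in Python, not the Swansea Haskell tool. A rung is a list of
parallel branches (OR), each branch a series of contacts (AND); a
normally-closed contact reads the negation of its variable. Contacts on coils
already assigned earlier in this cycle read the current value; contacts on
the rung's own coil, or on a later rung's coil, read the previous cycle and
become `pre`. Every coil equation is initialised with `false ->`.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Contact:
    var: str
    normally_closed: bool = False   # --|/|-- reads `not var`


@dataclass(frozen=True)
class Rung:
    branches: List[List[Contact]]   # outer list: parallel branches; inner: series contacts
    coil: str


def branch_expr(branch: List[Contact], inputs: Set[str], done: Set[str]) -> str:
    terms = []
    for c in branch:
        current = c.var in inputs or c.var in done
        ref = c.var if current else f"pre {c.var}"
        terms.append(f"(not {ref})" if c.normally_closed else ref)
    return " and ".join(terms)


def translate(rungs: List[Rung], inputs: Set[str]) -> List[str]:
    """Return one Scade equation per rung, in rung (execution) order."""
    equations = []
    done: Set[str] = set()            # coils already assigned earlier in this cycle
    for r in rungs:
        exprs = []
        for b in r.branches:
            e = branch_expr(b, inputs, done)
            exprs.append(f"({e})" if len(r.branches) > 1 and len(b) > 1 else e)
        body = " or ".join(exprs)
        equations.append(f"{r.coil} = false -> {body};")
        done.add(r.coil)
    return equations


# Constructed pelican-crossing fragment: only the first rung is from the slide,
# the other three rungs and the input set are assumed for illustration.
PELICAN_INPUTS = {"pressed"}
PELICAN_RUNGS = [
    Rung([[Contact("pressed"), Contact("req", normally_closed=True)]], "req"),
    Rung([[Contact("req"), Contact("traff_green", normally_closed=True)]], "ped_green"),
    Rung([[Contact("ped_green", normally_closed=True)]], "traff_green"),
    Rung([[Contact("ped_green")], [Contact("traff_green")]], "any_green"),
]

if __name__ == "__main__":
    for eq in translate(PELICAN_RUNGS, PELICAN_INPUTS):
        print(eq)
```

Note how the second rung reads traff_green as pre traff_green (it is assigned only by the third rung) while the third rung reads ped_green directly: the translation makes the sequential scan order of the PLC explicit in the synchronous model.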
Safety Condition
A safety condition for the pelican crossing:
safelights = true -> (traff_green xor ped_green)
It should be the case that either a green light is showing for the traffic or for the pedestrians, but never both at the same time.
SCADE will check that the variable safelights always has the value true.
Verification of a Safety Condition for Interlocking A
Verified 2 real-world railway interlockings: approximately 600 variables and 350 rungs each.
We verified a variety of safety conditions:
“A point cannot be driven normal and reverse.”
“If the track is occupied then the signal will show a red aspect.”
“If a green light is set and a route is selected then the green bulb has not blown.”
Verification time: less than a second.
However, some false counterexamples were also produced.
Reason: the model was under-specified.
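The check behind the two previous slides, as an added example in Python rather than SCADE's Stålmarck/BDD engine: breadth-first search over every input valuation asks whether safelights holds in every reachable cycle. A constructed pelican model is checked twice, once complete and once with the traffic-light controller left out so that traff_green is an unconstrained input; the second run returns a trace the real crossing can never produce, which is the kind of false counterexample an under-specified model yields. The controller equations other than the req rung, and the timer_done input, are assumptions.

```python
"""Explicit-state check of the pelican-crossing safety condition.

Added example in Python, not SCADE's model checker. `check_invariant`
explores all reachable states of a boolean synchronous model by BFS over
input valuations. Two constructed models are checked: a complete one, and an
under-specified one in which the traffic-light controller is not modelled and
`traff_green` is a free input. `timer_done` is an assumed input marking the
end of the pedestrian phase.
"""
from collections import deque
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, bool]
Trace = List[Tuple[State, State]]   # (inputs, resulting state) per cycle


def check_invariant(init: State, inputs: List[str],
                    step: Callable[[State, State], State],
                    invariant: Callable[[State], bool]) -> Optional[Trace]:
    """Return None if `invariant` holds in every state reachable after the
    initial cycle (`true -> ...` makes cycle 0 trivially safe), otherwise the
    shortest input sequence that leads to a violation."""
    key = lambda s: tuple(sorted(s.items()))
    seen = {key(init)}
    frontier = deque([(init, [])])
    while frontier:
        state, trace = frontier.popleft()
        for values in product([False, True], repeat=len(inputs)):
            ins = dict(zip(inputs, values))
            nxt = step(state, ins)
            extended = trace + [(ins, nxt)]
            if not invariant(nxt):
                return extended                # counterexample
            if key(nxt) not in seen:
                seen.add(key(nxt))
                frontier.append((nxt, extended))
    return None


def safelights(s: State) -> bool:
    # safelights = true -> (traff_green xor ped_green)
    return s["traff_green"] != s["ped_green"]


def ped_controller(pre: State, ins: State) -> Tuple[bool, bool]:
    # req = false -> pressed and (not pre req)    (the rung from the slide)
    req = ins["pressed"] and not pre["req"]
    # Assumed: pedestrians get green one cycle after a request and keep it
    # until the timer expires.
    ped_green = (pre["req"] and not pre["ped_green"]) or \
                (pre["ped_green"] and not ins["timer_done"])
    return req, ped_green


def step_full(pre: State, ins: State) -> State:
    req, ped_green = ped_controller(pre, ins)
    # Traffic lights are the complement of the pedestrian lights.
    return {"req": req, "ped_green": ped_green, "traff_green": not ped_green}


def step_underspecified(pre: State, ins: State) -> State:
    req, ped_green = ped_controller(pre, ins)
    # Traffic-light controller not modelled: its output is a free input.
    return {"req": req, "ped_green": ped_green, "traff_green": ins["traff_green"]}


INIT = {"req": False, "ped_green": False, "traff_green": False}


def verify_pelican(underspecified: bool) -> Optional[Trace]:
    if underspecified:
        return check_invariant(INIT, ["pressed", "timer_done", "traff_green"],
                               step_underspecified, safelights)
    return check_invariant(INIT, ["pressed", "timer_done"], step_full, safelights)


if __name__ == "__main__":
    print("complete model:", verify_pelican(False))
    print("under-specified model:", verify_pelican(True))
```

The complete model proves safelights. The under-specified one reports a one-cycle counterexample in which the free traff_green input is simply left false while the pedestrians also have red, a state the unmodelled traffic controller would never reach; the fix is to model the missing component (or add an assumption that constrains the input), not to weaken the property.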
Comparison of Approaches
Comparison with previous projects in the Swansea Railway Verification Group.
SCADE managed to verify all case studies which had beenpreviously verified.
Advantages of SCADE :
Heavily used, well known tool
User interface
Disadvantage: no fine tuning of the verification possible.
Part II: Modelling the Railway from Scratch
Modelling The Railway From Scratch
The modelling process started by creating components from whicha railway could be built.
Our intent was to capture concrete behaviour with reusablecomponents.
The following components were specified:
Track Segments.
Lights.
Points.
Routes.
We modelled a segment of railway consisting of: 11 segments of track, 4 points, 6 routes, 9 lights and a route controller.
Partial Track Plan
This is part of a simplified version of a track plan controlled by one of the real-world interlockings verified in Part I.
[Track plan figure: Station; Trains In; Trains Out.]
This track is traversed in 4 different ways.
2 Incoming Routes
2 Outgoing Routes
Formalising Safety Conditions
1. Verified safety conditions which had also been verified in the first approach.
2. Since we have captured the topology of the railway in our model, further safety properties can be verified.
Example of an additional safety condition proven: if the point is set A→B and a train enters the junction at A, it should leave the junction at B.
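The component style of Part II and the topology property above, as an added example in Python rather than the authors' SCADE model: track segments, points and routes are reusable components, and a train is moved segment by segment through the layout. The layout (entry segment IN, point P with toe A, normal branch B and reverse branch C), the two routes, and the rule that a point is locked while any of its segments is occupied are all constructed for illustration.

```python
"""Component model of a junction for topology-aware safety conditions.

Added example in Python, not the authors' SCADE model. Segments, points and
routes are reusable components; a train is stepped through the topology and
the exit segment is compared with the point setting. The layout, the routes
and the point-locking rule are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TrackSegment:
    name: str
    next: Optional[str] = None       # successor on plain line; None = train leaves the model
    occupied: bool = False


@dataclass
class Point:
    name: str
    toe: str
    normal: str
    reverse: str
    position: str = "normal"         # "normal" or "reverse"


@dataclass
class Route:
    name: str
    entry: str
    segments: List[str]              # segments in running order
    points: Dict[str, str]           # required position of each point on the route


class Junction:
    def __init__(self, segments: List[TrackSegment], points: List[Point]):
        self.segments = {s.name: s for s in segments}
        self.points = {p.name: p for p in points}
        self.by_toe = {p.toe: p for p in points}

    def set_point(self, name: str, position: str) -> bool:
        p = self.points[name]
        # Assumed interlocking rule: a point cannot move while any of its
        # segments is occupied.
        if any(self.segments[s].occupied for s in (p.toe, p.normal, p.reverse)):
            return False
        p.position = position
        return True

    def successor(self, seg: str) -> Optional[str]:
        p = self.by_toe.get(seg)
        if p is not None:                # facing move: the point position decides
            return p.normal if p.position == "normal" else p.reverse
        return self.segments[seg].next

    def run_train(self, entry: str, max_steps: int = 20) -> List[str]:
        """Segments occupied, in order, by a train entering at `entry`."""
        trace, seg = [], entry
        while seg is not None and len(trace) < max_steps:
            trace.append(seg)
            self.segments[seg].occupied = True
            nxt = self.successor(seg)
            self.segments[seg].occupied = False
            seg = nxt
        return trace

    def set_route(self, route: Route) -> bool:
        return all(self.set_point(p, pos) for p, pos in route.points.items())


def build_junction() -> Junction:
    # Constructed layout: IN -> A (toe of P) -> B (normal) or C (reverse).
    return Junction(
        [TrackSegment("IN", next="A"), TrackSegment("A"), TrackSegment("B"), TrackSegment("C")],
        [Point("P", toe="A", normal="B", reverse="C")],
    )


ROUTES = [
    Route("R1", entry="IN", segments=["IN", "A", "B"], points={"P": "normal"}),
    Route("R2", entry="IN", segments=["IN", "A", "C"], points={"P": "reverse"}),
]


def exit_segment(position: str) -> str:
    """The slide's property: with P set A->B a train entering at A leaves at B,
    and with P reverse it leaves at C."""
    j = build_junction()
    assert j.set_point("P", position)
    return j.run_train("A")[-1]


def routes_followed() -> Dict[str, bool]:
    """Each route, once set, is traversed exactly along its segment list."""
    result = {}
    for r in ROUTES:
        j = build_junction()
        result[r.name] = j.set_route(r) and j.run_train(r.entry) == r.segments
    return result


def point_locked_under_train() -> bool:
    j = build_junction()
    j.segments["A"].occupied = True      # constructed: a train standing on the toe
    return not j.set_point("P", "reverse")
```

Because the topology is explicit, properties that relate where a train enters to where it leaves, or that a route's point settings actually produce the route's path, can be stated directly on the components; the ladder-logic models of Part I have no notion of a segment's neighbours, so such properties cannot be expressed there.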
Results and Comparison
1. First approach: we built an automatic translation tool.
Ladder logic specification given by industry.
Covered the larger model.
2. Second approach: we invented a new modelling approach which allowed us to specify and verify the topology.
Reusable components.
Industry wants to get away from ladder logic towards higher-level languages.
Further Work:
Investigate:
Limits of railway interlocking examples in SCADE: how many variables and rungs can SCADE handle?
How to exclude false negatives (the spurious counterexamples seen in Part I).
Explore:
Further safety conditions and liveness conditions.
Further functionality of SCADE: explore and control other capabilities (e.g. code generation).
Is a combination of first-order theorem proving and model checking applicable?