Verification of railway interlocking - Compositional approach with OCRA
This work addresses the time-consuming and error-prone verification of application data in railway interlocking systems, offering a more efficient approach for railway safety engineers, though it appears incremental as it builds on existing compositional methods.
The authors tackled the state space explosion problem in verifying railway interlocking systems by applying compositional verification with the OCRA tool, enabling the verification of safety properties for a medium-sized station using contracts and new algorithms like k-liveness and IC3.
In the railway domain, an electronic interlocking is a computerised system that controls the railway signalling components (e.g. switches or signals) in order to allow a safe operation of the train traffic. Interlockings are controlled by a software logic that relies on a generic software and a set of application data particular to the station under control. The verification of the application data is time consuming and error prone as it is mostly performed by human testers. In the first stage of our research, we built a model of a small Belgian railway station and we performed the verification of the application data with the nusmv model checker. However, the verification of larger stations fails due to the state space explosion problem. The intuition is that large stations can be split into smaller components that can be verified separately. This concept is known as compositional verification. This article explains how we used the ocra tool in order to model a medium size station and how we verified safety properties by mean of contracts. We also took advantage of new algorithms (k-liveness and ic3) recently implemented in nuxmv in order to verify LTL properties on our model.