Tool Support for Checking Railway Interlocking Designs

Transcription

1 Tool Support for Cheking Rilwy Interloking Designs K. Winter W. Johnston P. Roinson P. Strooper L. vn en Berg Shool of Informtion Tehnology n Eletril Engineering University of Queensln Emil: kirsten@itee.uq.eu.u Astrt The evelopment of rilwy interloking systems is urrently very lour-intensive. Speilists evelop the interloking esign for prtiulr re n mnully hek for ompleteness n onsisteny. The interloking is implemente in either softwre or using eletril relys. The interloking hs to e teste ginst the sfety requirements for signlling systems, i.e., the signlling priniples. The whole proess n e supporte y vrious tools, rnging from eitors to nimtors. In this pper we fous on exploiting moel heking to utomtilly hek the esign with respet to sfety. The min onerns of this tehnique re the prolem size n the effiieny of ville tools. We hve investigte oth of these prolems: seeking to work with miniml moel of the interloking esign n to improve effiieny of the moel-heking proess y exploiting omin knowlege of our prtiulr pplition. Keywors: Rilwy interlokings, utomte verifition, symoli moel heking, Binry Deision Digrms 1 Introution Moel heking (Clrke, Grumerg & Pele 2000) is n utomti tehnique use to support the vlition n verifition of system esigns. It is of prtiulr interest to inustry sine its pplition oes not rely on ny expertise in the unerlying verifition tehnique. A moel heker explores the full stte spe of given moel of the system. Similr to omplete test, every possile ehviour is investigte. The tool provies the user with n nswer initing whether the moel violtes given property or requirement. Most tools provie ounter-exmple tht shows possile senrio in the se when violtion ours, whih proves to e very useful when eugging the moel. The following tsks hve to e solve when setting up evelopment proess tht integrtes moel heking to support eugging n verifying system esign. 1. The system esign hs to e moelle formlly in the input lnguge of the tool. 2. Requirements or properties to e heke hve to e ientifie n lso formlise in the tool s input nottion for requirements. 3. Both moel n requirements hve to e refully vlite. Tht is, the user hs to mke sure Copyright 2005, Austrlin Computer Soiety, In. This pper ppere t the 10th Austrlin Workshop on Sfety Relte Progrmmle Systems (SCS 05), Syney. Conferenes in Reserh n Prtie in Informtion Tehnology, Vol. 55. Tony Cnt, E. Reproution for emi, not-for profit purposes permitte provie this text is inlue. tht oth formlistions orrespon with the tul system esign n requirements tht ought to e heke. 4. A thorough nlysis hs to lrify whih prolems in the system esign n e etete with moel heking n whih nnot e etete ue to the given formlistion of system esign n requirements. Within speifi pplition, tsks 1 n 2 of the list ove n often e utomte one the omin of interest is well enough unerstoo. This is possile, if () system esign is lwys provie in stnr formt n () the requirements n e erive in stnr fshion for eh prtiulr se. Rilwy signlling interlokings re sfety ritil systems. They re esigne to permit the sfe movement of trins long rilwy system. We re urrently investigting the use of moel heking for the verifition of rilwy interloking esigns within ollortive projet with Queensln Ril (QR). It is plnne tht the interfe to the moel heker will eome prt of Signlling Design Toolset (Roinson, Brney, Kerney, Niknros & Toms 2001), whih inlues lso trk-lyout eitor, ontrol-tle genertor, n ontrol-tle eitor (CTE). For this pplition, oth onitions ove re stisfie: the system esign (i.e., the interloking esign) is speifie y experts t QR s tles, lle ontrol tles. The trk lyout n route tle (Winter & Roinson 2003) provie itionl informtion out the position of signls, points, trks, n routes etween the signls. From these ouments, our tool support utomtilly genertes forml moel of the interloking esign. The properties we wnt to hek re the sfety requirements of n interloking system s speifie in the Signlling Priniples 1 (SAOS Stnrs 1999). They re generi for our prtiulr moel n n e summrise s () voine of trin ollision n () voine of trin erilment. We use the moel heker NuSMV (Cimtti, Clrke, Giunhigli & Roveri 1999) to hek the sfety properties for interloking esigns. NuSMV is softwre tool for the forml verifition of finite stte trnsition systems. It is reimplementtion n re-engineering of the Symoli Moel Verifier (SMV) evelope y MMilln t Crnegie Mellon University (MMilln 1993). The tool heks whether temporl logi properties re stisfie y given moel. Tht is, the moel hs to e speifie using (type) stte vriles to moel the stte spe n gure trnsitions tht pture the ehviour of the moel. The requirements hve to e speifie in Computtion Tree Logi (CTL), propositionl rnhing type 1 This is oument of the priniples to e pplie to ll signlling works in the Brisne suurn re.

2 temporl logi (Emerson 1990). Both input nottions re well suite for our prolem. Aitionlly, NuSMV is symoli moel heker whih mens moel n requirements re internlly represente y grph strutures, lle Binry Deision Digrms (BDDs) (Brynt 1986). Generlly, BDD-se moel heking hs prove to e very effiient (see e.g., (Burh, Clrke, MMilln, Dill & Hwng 1992)). However, to mke our pproh of moel heking interloking esigns fesile for use in prtise, we hve to trget the issue of effiieny. Wheres smll esign n e utomtilly heke quite fst, s esign size inreses, the time tken to hek the esign inreses t rpi rte n my not return result t ll. This is often referre to s the stte explosion prolem. Run-time n memory usge of the proess hve to e improve. This n e one in two wys: () reuing the moels of esign n requirements y stripping informtion tht is not neessry for the moel heker n () y improving the moel heking proess itself for this prtiulr pplition. This pper resses oth issues. In Setion 2, we esrie our prtiulr moel of the system esign tht llows for generi requirements speifition n how this moel oul e optimise in terms of its size. Setion 3 shows how the hrteristis of the moel heker we use n e exploite to gin signifint spee-up in run-time y using omin knowlege. We report on relte work in Setion 4 n onlue the pper in Setion 5. 2 The Moel of the Interloking Design n its Requirements Run-time n memory-usge of the moel heking proess epen on the size of the moel n the omplexity of the requirements to e heke. Ftors tht etermine the moel s size re the numer of stte vriles, the size of their (enumerte) type, n the numer of trnsitions tht moel the ehviour. The omplexity of the requirements n e mesure in terms of the length of the CTL formul n the numer of neste temporl opertors. To optimise the omplexity of the moel-heking proess we hve to minimise these ftors. 2.1 The Moel Unlike other pprohes for verifying interlokings (see Setion 4), our moel not only inlues moel of the interloking esign ut lso of (one or two) trins moving long the trks (Winter & Roinson 2003). As onsequene, the sfety requirements eome generi n very esy to vlite euse they n e moelle in terms of trins. Trins must not ollie n they must not eril. The heking proess verifies tht trins, tht re moving oring to the onstrints permitte y the ontrol tles, o not violte these sfety requirements. The moel therefore onsists of moel of the ehviour of trins, in terms of how they move from one trk to the next n how they ret to signlling equipment, n moel of signlling equipment ehviour, instntite y the ehviour presrie in the ontrol tles. Our moel is instntite for speifi verifition re whih esries lol prt of the rilwy network. Figure 1 epits the trk lyout of smll verifition re showing the lotion of points, signls n trks within tht re. Eh verifition re shoul e lrge enough to inlue t lest one route n ll its opposing routes. Ielly, verifition re woul inlue ll the routes n opposing routes for prtiulr interloking. For eh verifition re, NG1C NG8D NG5 NG5A NG5A NG5A NG8C NG7 NG8B 511 NG8B NG8B NG8B NG8B NG8 Figure 1: Exmple of Verifition Are n extrt of the ontrol tle whih inlues t relevnt to the re is proue. Figure 1 is n exmple trk lyout. Signls, e.g. NG5, use olour initions (e.g. green for go), to give uthorities for trins to trvel prtiulr route through the lyout. The ifferene etween signls tht hve two irles (e.g. NG5) n those with three n sh (e.g. NG8) is not importnt in this ontext. Points, e.g. 511, re movle omponents in the trk tht permit trin to move from one trk to nother. The position of the points is referre to y the rilwy signlling inustry s points norml or points reverse. A route is pth etween two fing signls ( fing signl is signl tht is fing towrs n pprohing trin), route n e loke reverse mening it is reserve for use, or norml mening it is free. NG1C, NG5A, NG8D n NG8C re trks, while NG5A, NG5A n NG8B re trk-segments, the ltter re introue purely for the purpose of moelling n re not se on tul hrwre esign. Trin ehviour is suh tht trins only proee pst fing signl if tht signl is showing proee. The trins otherwise move from trk to trk oring to t extrte utomtilly from the trk lyout. Signl equipment ehviour is generilly esrie in the Signlling Priniples. For exmple, points n only hnge stte if the trks whih ontin the points re not oupie, n for every route rossing the points, the onitions for holing the points in their urrent lie o not pply. The preise t, giving whih routes n wht loking onitions re neee, is extrte (utomtilly) from the t for the verifition re tht is uner investigtion. Our moel omprises the following entities n entity vlues: trins n their positions, signls n their spets (either stop or proee), points n their lie (either norml or reverse), n routes n their loking n route-usge. These entities re moelle s stte vriles. Their vlues n e hnge t eh stte if the onitions (orresponing to the generl esription in the Signlling Priniples n oring to the ontrol tle entries for the speifi verifition re) re stisfie. We opt synhronous moel, i.e., t eh step ll possile hnges to the stte vriles re onute t the sme time. This moel of synhronous onitionl uptes reflets the ehviour of n interloking system of speifi verifition re s it is permitte y the orresponing ontrol tles. A position of trin is given in terms of segment. Eh trk omprises one or more segments, where eh segment represents unique wy of trversing the trk. For trks NG5A n NG8B figure 1 shows the orresponing segments, nmely NG5A n, n NG8B- re shown. Note tht for the trk

3 tht ontins point, NG8B, we n fin four unique wys to trverse it n therefore get four segments, NG8B-. A route my ross numer of trks. The numer of trks very muh epens on the opertionl requirements of the rilwy. A route is in use when one of its trk setions is oupie y trin. As the trin proees into the route, trks re progressively oupie n susequently unoupie, n in so oing progressively relese prts of the route ehin the trin for other trins to use. Thus route my hve vrious stges of usge epening on the numer of trks. This is moelle y n itionl stte vrile lle route usge. For the opertion of rel interloking, route n point settings re requeste y the signller. This is moelle y n input vrile request. When moel heking, the vlue of this input vrile is set ritrrily t eh step. Of ourse, this moel inlues quite unonventionl ehviour of signller, sine every possiility is investigte n no ssumptions hve een me on the ehviour of the signller. It is resonle to proee this wy sine the ontrol tle hs to gurntee sfe opertion in every senrio. We re le to show y exhustive testing tht ny element missing from the t in the route holing setion of the ontrol of the ontrol tles, les to violtion of the sfety requirements (tht is, ollision or erilment ours) A Miniml Moel For our purpose simple moel of trins n their movement is suffiient. We onsier trins to ehve well, i.e., they o not spee or overrun re signls. They move oring to the stte of points n signls. We strt from the spee n length of trin. A trin just oupies one segment t time n n stop instntly. The iretion of trin is etermine through its position, whih is prtiulr segment tht rries informtion out iretion. Signls n show only two spets, stop n proee. This reues the speifie spet type ut it oes prevent us from heking the spet sequening of the interloking esign. Aspet sequening ensures tht the trin river will see sfe sequene of signl spets, for exmple, yellow spet efore re one. This mehnism, however, n lso e heke sttilly within the Control Tle Eitor (CTE) (Roinson et l. 2001). One prt of the ontrol tle logi esries the funtionlity of pproh loking whih is the funtion tht prevents route tht hs een set for trin from hnging until it is eeme sfe to o so. We eie to restrit our heking to moel without pproh loking in orer to erese the moel s stte spe n ehviour. This lso llowe us to simplify the trin movement n signl moel s esrie ove. Approh loking is sfety onern, ut the orresponing entries in the tle n e heke sttilly y the CTE. Our moel oes not istinguish etween norml routes n shunt routes. Shunting is low spee opertion in whih trins re joine together. In terms of our moel, however, this esries trin ollision, i.e., hzr, sine we o not onsier the spee of trin. For simpliity, the shunting ehviour of trins is urrently ignore. This n e justifie in so fr tht shunting oes not provie high sfety onern ue to the low spee tht is involve. Shunting is ertinly hzrous opertion for those iretly involve in the oupling n unoupling of items of rolling stok i.e. signifint workple hzr. It is not however onsiere signifintly hzrous in the rilwy signlling ontext, s the low spees involve shoul llow trins to stop short of ny ostrution, thus using either none or miniml mge An improve Initilistion We lso improve the initilistion of our moel. When setting the route-usge initilly to the lowest vlues, the moel heking proess revels tht the first few itertions re use only to inrese the vlue of the route-usge. To voi these itertions, we initilly set route-usge of eh route to its mximl vlue. A less restritive initilistion tht leves vlues unspeifie where possile n lso help to reue the heking time ue to the ft tht the internl representtion of the initil sttes eomes smller (see lso (Huer & King 2002)). In our pplition we n leve out the initilistion of the points setting. 2.2 Consequenes for the Verifition Tsk Reuing the moel of the interloking esign omes t ost n rries two onsequenes. Firstly, the moel n its ehviour is less intuitive for rilwy signl interloking esigners. The ounter-exmples tht re output y the NuSMV tool, lthough reveling rel errors in the ontrol tle, show in some ses unexpete or unusul ehviour for the trins ue to our simplifie moel of trin movement. In tht sense, the moel heking pproh is very ifferent to testing using simultion tht ims t relisti senrios. Our pproh is not inline to o tht ut rther to hek tht the entries in the ontrol tles prevent trin ollision n erilment. This is prolem tht requires resolution in orer to hieve eptne of the tool support y interloking esigners. We propose to provie the user with n interprettion of the ounter-exmples proue. In most ses, the neessry informtion, on wht the use of the prolem n where the hzr is, n e utomtilly erive from the ounterexmple. This enles us to generte n interprettion tht points the user iretly to the right ple in the ontrol tle where n entry is missing or flwe, without inspetion of the ounter-exmple. We re urrently isussing n testing this pproh with prtitioners from QR. Seonly, the sope of the verifition tsk is reue. As lrey isusse in Setion 2.1.1, ertin prts of the ontrol tles nnot e heke using our simplifie moel. In some ses, e.g., pproh loking n spet sequening, it seems resonle n more effiient to hek those prts using other pprohes, e.g., oing stti heks using the CTE. In other ses, e.g., shunt routes, the enefit of inluing heks on those entries oes not outweigh the enefit of more effiient moel heking proess euse they o not rry signifint sfety onern. However, there re issues tht we wnt to inlue into our moel in the future, like the notion of overlps n level rossings. Overlps re trks eyon signl n re introue s sfety uffer for trins tht overrun re signl. Sine the trins in our moel lwys stop t re signl, missing overlps in the ontrol tle nnot e etete in our urrent pproh. Moreover, inluing the onept of overlps into our moel woul lso llow us to hek for ertin liveness onitions on setting signls n routes. Level rossings lso rry sfety onern. They re not present in every re ut when they re, the orresponing prt of the ontrol tle shoul e heke. Future work will e to inlue neessry onepts, suh s gtes n gte movement, into the moel.

4 All the hnges on our moel re thoroughly isusse with our inustry prtners from QR. The hnges n their impt re well oumente, espeilly the sope of the verifition tht is provie y the moel heking proess. 2.3 The Requirements Sine our moel omprises moel of moving trins, the requirements on n interloking esign re generi. Rther thn expressing, for exmple, possile trin ollision in terms of routes, signls n points, we n stte this in terms of trins tht use the trks oring to the ontrol tle entries. We hek the following sfety hzrs: ollisions etween trins trvelling on the sme trk n in the sme iretion ollisions etween trins trvelling on the sme trk ut in ifferent iretions erilments use y points moving unerneth trin erilments when trin rosses inorretly set triling points trins pssing signls with routes set in the opposite iretion. For heking ollisions on trins, we oviously nee moel with t lest two trins. However, reful nlysis of our pproh shows tht no more thn two trins re neessry to fin ll possile errors in the ontrol tles. Derilment n trins running into wrongly set routes, on the other hn, n e heke using one trin only. Hene, we run ifferent heks with ifferent moels: two-trin moels n one-trin moels, of whih the ltter run signifintly fster. We trnslte the sfety hzrs into requirements formlise in CTL, e.g., it is lwys the se tht the position of trin tr1, pos(tr1), is ifferent to the position of trin tr2, pos(tr2). In CTL syntx (note tht AG moels lwys, in every stte): AG (pos(tr1) pos(tr2)) To hek erilment use y points moving unerneth trin we wnt to hek tht whenever trin tr is on trk setion with point p (i.e., pos(tr) = homet rk(p)) it shoul not e possile to move point p, i.e., to hnge its setting pointset(p). Using CTL this n e formlise s follows: p P oints, vl om(pointset) : AG (pos(tr) = homet rk(p) pointset(p) = vl AX (pointset(p) = vl)) The quntifition on points p n vlues vl hve to e unfole: vl rnges over {setn, setr} n the set of points P oints is speifi for the verifition re uner investigtion. (Note tht AX moels lwys in the next stte). All other requirements n e formlise in CTL in similr fshion. However, lose inspetion revels tht ll CTL requirements in our moel n lso e speifie s simple invrints. NuSMV not only supports moel heking for CTL formuls ut lso for simple invrint heking. Sine the lgorithms for the ltter re muh more effiient, the use of invrints over temporl logi where possile is preferle. If CTL formul ontins only the temporl opertors AG then this formul is equivlent to n invrint (leving out the temporl opertors). In our se the formul on heking erilment ue to moving points (s shown ove) n lso e stte s Figure 2: OBDD for f = ( ) ( ) with orering < < < invrint if we exploit the knowlege from our interloking moel: A point only moves if ertin onitions re stisfie, i.e., if the gur pointn Gur, for setting point norml (to vlue setn), or the gur pointrgur, for setting point reverse (to vlue setr), is true. The following invrint is equivlent to the CTL formul ove: p P oints : pos(tr) homet rk(p) ((pointset(p) = setn pointrgur(p)) (pointset(p) = setr pointn Gur(p))) Agin, the quntifition on point p hs to e unfole n the prmeters pointrgur(p) n pointn Gur(p) reple oring to the verifition re uner investigtion. This n e one utomtilly. 3 The Moel Cheking Proess Our moel heking proess is se on tehnique lle symoli moel heking. Symoli moel heking uses orere inry eision igrms (OB- DDs) s t struture for the internl representtion of the moel n the temporl logi formul to e heke. OBDDs re noni representtion for oolen formuls. They n e reue into reue OBDDs (ROBDDS). ROBDDs provie for most funtions more onise representtion thn other norml forms (e.g., KNF n DNF) (Brynt 1986). Very effiient lgorithms for uiling n omining ROBDDs re ville (Somenzi 1998). 3.1 Vrile Orering of ROBDDs The possiilities for reuing n OBDD epen on the hosen orering of vriles. Figure 2 shows the OBDD for the oolen funtion f = ( ) ( ). 2 Noes of the grph re lelle with the vrile nmes ourring in f. Noes on eh level re lelle with the sme vrile, i.e. the grph is orere. A otte ege from noe mrks the evlution to 0 (or flse) of the vrile the noe is lelle with. A soli ege mrks its evlution to 1 (or true). The leves of the grph re lelle with 0s n 1s initing the evlution of the formul f epening on the evlution of the vriles s represente y the pth in the grph tht les to the lef. In the OBDD shown in Figure 2 the vriles re orere oring to their pperne in the formul, nmely < < <. This orering is reflete in the grph through the levels on whih vrile ppers s noe lel. The reution lgorithm for OBDDs llows us to eliminte reunnt tests on vrile, isomorphi sugrphs, n lef noes with 2 Note the the symols in the formul re s if n only if ( ), n or ( ).

5 the sme lel (n reireting remining eges oringly). The mount of reution tht n e pplie is oviously essentil for the resulting size of the ROBDD: the more we n reue the etter. In our exmple in the figure, we n fin two isomorphi sugrphs s well s severl reunnt tests on vriles. For instne, if vrile n vrile evlutes to 0, then we know tht f evlutes to 1; if oth vriles evlute to 1, f evlutes to 1 too. In these two ses we o not hve to test the evlutions of vriles n. The OBDD in Figure 3 shows ifferent vrile orering: we evlute vrile efore. This grph shows ifferent pttern of sugrphs n lef noes. It llows for less reution. In Figure 4 we show the reue OBDDs for oth orerings. As n e seen the resulting ROBDD for orering < < < is signifintly smller (given the ft tht we re looking t very smll exmple). It hs six (non-lef) noes inste of nine. This numer of noes etermines the omplexity of the lgorithms use when moel heking. 3.2 Applition speifi Vrile Orering The size of the OBDDs influenes the time tken for moel heking n the memory usge. In generl, fining n optiml orering for the vriles is infesile (Clrke et l. 2000). The insight into the issue of vrile orerings n e exploite for generting vrile orerings utomtilly. Aoring to the rules for uiling n reuing n OBDD s esrie ove, the following priniples n e oserve: When orering the vriles tht our in formul, it is enefiil to group vriles together tht re losely interrelte; often the lolity within the formul is hrteristi for lose interreltion etween vriles; ple groups of vriles, tht etermine the overll vlue of the formul, t the top of the orering. As efult, the NuSMV tool genertes vrile orering oring to the orer of pperne of vriles within the SMV oe. We ll this the efult orering. The NuSMV tool lso hs user input option to generte n orering n optimise it uring the run of moel heking proess, referre to s ynmi re-orering (Cv, Cimtti, Olivetti, Pistore & Roveri 2001). However, those utomte orerings i not prove to e suessful for our pplition (see results elow). Therefore, we itionlly use knowlege from our pplition omin, nmely interloking esign, to propose lterntive orering strtegies. These strtegies re not se on the orer of pperne of the vriles in the SMV oe ut rther on the informtion provie through the trk lyout n the ontrol tles Figure 3: OBDD for f with orering < < < 1 0 Figure 4: Two ROBDDs for ( ) ( ) with ifferent orerings. Left: < < <, Right: < < <.) Geogrphil orering: For moel of speifi verifition re we group vriles oring to the lolity within the trk lyout. Signlling equipment, whih etermines the vriles of the OBDDs, is ple together in the orering if it is geogrphilly lose. Tht is, we ollet the signlling equipment ourring in the trk lyout from left to right n ple them in the orer of their position. We ll this orering geogrphil orering..) Cusl orering: We group the vriles for speifi verifition re oring to usl epenenies etween the vriles. More speifilly, we group eh point with those routes tht ross the point in fing iretion n with the signls from whih those routes re entere. Routes tht o not ross points in fing iretion re groupe with routes tht oppose them. This results in groups of vriles, in whih ll memers etermine the stte of ll other memers. The position of group of entities within the overll orering is geogrphilly. We ll this orering the usl orering. Interestingly, this strtegy orrespons with the wy mehnil interloking esign use to e one, s QR rilwy engineers pointe out. To them, our usl orering strtegy seem to e the nturl strtegy to hoose. The position of the trin is relte to the ehviour of ll signlling entities. In oth pplitionspeifi orerings we therefore ple vriles on the trin position n trin movement t the eginning of the orering. Input vriles to the moel, like the request of route or point, re ple in the mile of the vrile orering, preferly etween two neighouring groups of entities. This oinies with the suggestions in (Moon, Hhtel & Somenzi 2000). We hve teste the ifferent strtegies for vrile orerings on vrious verifition res using n Ultr- SPARC II 450 MHz proessor with 2GByte of RAM uner the operting system Solris version 8. For exmple, on meium-size verifition re (29 routes, 13 signls, 22 trks, n 9 points) we get results s shown in Tle 1. orering strtegy run-time (in hours) 1 0 memory usge (in MByte) efult geogrphil usl Tle 1: Sttistis for meium-size prolem The ynmi re-orering ws teste on smll

6 verifition re only (24 routes, 16 signls, 18 trks, n 4 points) 3 n the results were isourging: the moel heking proess with ynmi re-orering runs for 31.9 hours wheres using the usl orering on the sme exmple reues the run-time to 40 min. These results illustrte tht the strtegy of hoosing vrile orering hs signifint impt on the ppliility of moel heking to lrger prolems. 3.3 Setting the Mximum Che Size Limit The NuSMV tool integrtes the Coloro University Deision Digrm (CUDD) pkge (Somenzi 1998) whih provies lirry of effiient lgorithms for ll BDD opertions. The effiient reursive mnipultion of BDDs uses he to store ompute results. This he provies fst ess to BDDs, enles re-usility of grphs n supports n effiient grge olletion if grphs re not use ny more. The CUDD pkge strts y efult with smll he, n inreses its size until either no further enefit is hieve, or limit size is rehe. The user n set the initil n the limit vlue for the he size. The impt of these figures is twofol. Too smll he size will le to frequent overwriting of useful results. Too lrge he size will le to igger overhe use for grge olletion. The CUDD mnul reommens the following: The optiml prmeters epen on the speifi pplition. The efult vlues work resonly well for wie spetrum of pplitions (Somenzi 1998). Although this prmeter nnot e set s user option to the NuSMV tool we hnge its vlue within the NuSMV oe. Inste of using the efult limit for the he size (104 MByte), we hnge this vlue to 512 MByte. These experiments were one on new mhine with two Intel 3192 MHz proessors, n 4GByte RAM, running Re Ht Enterprise Linux AS relese 3. On the meium size verifition re, using the usl orering n he size of 104 MByte, the sttistis re 2.1 hours run-time n 578 MByte memory usge. Inresing the size of the he to 512MByte, the run-time reue to 1.2 hours n the memory usge inrese mrginlly to 596 MByte. Although the memory usge is slightly inrese we gin signifint spee-up in proessor run-time. We re urrently nlysing the optimistion of this vlue in more etil. 4 Relte Work Moel heking hs een pplie efore to the nlysis of interloking systems: Gnesi et. l (Gnesi, Lenzini, Ltell, Aneo, Amenol & Mrmo 2000), Bernreshi et. l (Bernreshi, Fntehi, Gnesi & Mongri 1996), n Cleveln et. l (Cleveln, Luettgen & Ntrjn 1996), for instne, hve resse the prolem of fult-tolerne in interloking systems. In their work, the heking tsk is fouse on ommunition issues etween omponents of the system rther thn the ontrol logi of the interloking. The preferre moelling lnguge for formlising the systems re se on proess lgers (e.g., Communiting Sequentil Proess (CSP), Clulus of Communition Systems (CCS), Proess Met Lnguge (PROMELA)). These lnguges provie suitle fetures for moelling ommunition etween omponents. 3 Although the numers of routes, signls, trks n points in our smll n meium-size moels o not iffer muh, the numer of resulting stte vriles n vlues in the SMV moel re signifintly igger in the meium-size moel. The work of Simpson, Woook n Dvies (Simpson, Woook & Dvies 1997) esries nother pproh tht uses proess lger for moelling. The pper esries how the ontrol logi of n interloking system is moelle using CSP. The refinement heker Filure Divergene Refinement (FDR) (For 1996) is use to hek the sfety properties. However, their moel is t lower level of strtion thn ours. The sfety invrints, nmely no ollision of trins n no erilment, re moelle in terms of the signlling entities suh s points, signls, routes, n segments. This formlistion of sfety invrints hs to e mnully erive from the trk-lyout (in the pper it is not expline how) n, therefore, it is not ovious if given set of invrints is omplete n overs ll eventulities. Closer to our pproh re the ontriutions y Eisner (Eisner 1999) n Huer et. l (Huer & King 2002). Both use symoli moel heker to nlyse the interloking logi of given trk lyout n isuss strtegies for optimistion. In oth works, however, the moel is signifintly ifferent from our moel. Eisner strts her nlysis with moel given s Vitl Logi Coe (VLC) (essentilly of set of Boolen expressions), to speify rilwy interloking softwre whih is then trnslte into ilet of the SMV input nottion. Therefore, optimising the moel is not n issue isusse in the pper. Her optimistions relte to the wy in whih the sfety requirements re formlise in su-lnguge of CTL, lle AGAX formuls. She shows tht the moel use hs ertin generl hrteristis (lle roustness n lolity) tht rener the pplition prtiulrly suitle to symoli moel heking of AGAX formuls. Although this is generlly very interesting oservtion, sine it llows preitions for other pplitions too, in our se the requirements re even simpler thn AGAX formuls. For our moel the requirements n e stte s invrints. Huer et. l moel n hek the Geogrphil Dt of Soli Stte Interloking progrm using NuSMV. Tht is, their pproh for verifition is ple t progrm level rther thn esign level. Moreover, their moel oes not ontin moel for trin position n movement. Consequently, the requirements hve to e formlise se on the signlling entities. The pper suggests n utomte pproh for generting the CTL formuls from the given priniples. In this pproh the numer of requirements to e heke is rther lrge. The generl templte for the formuls hs to e instntite for ll trks, n ll points, n ll routes. To optimise the vrile orering, the pper suggests using the ynmi re-orering of the NuSMV tool. In our se, however, we were le to signifintly improve on this option y using n pplition speifi orering. This work is of prtiulr interest euse it suggests numer of wys to optimise the moelheking proess. In ontrst to our work, the input t is not trnslte into SMV oe ut rther into BDD strutures (irumventing the ompiltion of the NuSMV tool). This provies more iret ess to the BDD strutures. Some of the suggestions n e pplie to our pproh too. For exmple, the optimistion of initilistion of the moel (see Setion 2). Other suggestions will e further investigte in our future work (e.g., the potentil of splitting the trnsition reltion). 5 Conlusion This work esries n pproh to heking the sfety requirements of interloking esigns using

7 symoli moel heker. In orer to minimise the stte explosion prolem n to improve the performne of the moel heker for lrger exmples, we suggest numer of optimistions. We reue the moel to e heke, where this is possile, without loss of reiility regring sfety issues. We esrie strtegy for fining very goo vrile orering se on omin knowlege n we suggest on n improvement of prmeter settings of the NuSMV tool n the CUDD pkge for our speifi pplition. In future work we will ontinue to investigte further improvements to the moel s well s further optimistions to the settings of the tool s prmeters. To utomte the overll proess, we re iming to evelop n utomte genertor for vrile orerings for speifi verifition res, n to provie the user with support for omprehensive ounter-exmple interprettion. Aknowlegements: This work hs een supporte y the ARC Linkge Grnt LP This work enefite gretly from the knowlege n insight into rilwy interloking systems provie y George Niknros, Dvi Brney n Dvi Toms from QR. We lso wish to thnk the reviewers for their helpful omments. Referenes Bernreshi, C., Fntehi, A., Gnesi, S. & Mongri, G. (1996), Proving sfety properties for emee ontrol systems, in Pros. of Conferene on Depenle Computing (EDCC-2), Vol. xvi+440, Springer-Verlg, pp Brynt, R. E. (1986), Grph-se lgorithms for oolen funtion mnipultion, IEEE Trnstions On Computers C-35(8). Burh, J., Clrke, E., MMilln, K., Dill, D. & Hwng, L. (1992), Symoli moel heking sttes n eyon, Informtion n Computtion 98(2), Cv, R., Cimtti, A., Olivetti, E., Pistore, M. & Roveri, M. (2001), NuSMV 2.0 User Mnul, IRST Trento, Cimtti, A., Clrke, E., Giunhigli, F. & Roveri, M. (1999), NuSMV: A new symoli moel verifier, in Pro. of Int. Conf. on Computer Aie Verfition, CAV 99, Vol of LNCS, Springer- Verlg, pp Clrke, E., Grumerg, O. & Pele, D. (2000), Moel Cheking, MIT Press. Cleveln, R., Luettgen, G. & Ntrjn, V. (1996), Moeling n verifying istriute systems using priorities: A se stuy, in Pros. of Int. Workshop on Tools n Algorithms for the Constrution n Anlysis of Systems (TACAS 96), Vol of LNCS, Springer-Verlg, pp Eisner, C. (1999), Using symoli moel heking to verify the rilwy sttions of Hoorn- Kersenooger n Heerhugowr, in Pro. of Conf. on Corret Hrwre Design n Verifition Methos (CHARME 99), Vol of LNCS, Springer-Verlg. Emerson, E. A. (1990), Temporl n mol logi, in J. vn Leeuwen, e., Hnook of Theoretil Computer Siene, Vol. B, Elsevier Siene Pulishers. For (1996), Filure Divergene Refinement, FDR 2.0, User Mnul. Gnesi, S., Lenzini, G., Ltell, D., Aneo, C., Amenol, A. & Mrmo, P. (2000), An utomti SPIN vlition of sfety ritil rilwy ontrol system, in Pros. of IEEE Conferene on Depenle Systems n Networks, IEEE Computer Soiety Press, pp Huer, M. & King, S. (2002), Towrs n integrte moel heker for rilwy signlling t, in L.- H. Eriksson & P. Linsy, es, Pro. on Forml Methos Europe (FME 2002), Vol. 2391, Springer-Verlg, pp MMilln, K. (1993), Symoli Moel Cheking, Kluwer Aemi Pulishers. Moon, I.-H., Hhtel, G. & Somenzi, F. (2000), Borer-lok tringulr form n onjuntion sheule in imge omputtion, in W. A. Hunt & S. D. Johnson, es, Int. Conferene on Forml Methos in Computer Aie Design (FMCAD 2000), Vol of LNCS, Springer-Verlg, pp Roinson, N., Brney, D., Kerney, P., Niknros, G. & Toms, D. (2001), Automti genertion n verifition of esign speifition, in Pro. of Int. Symp. of the Interntionl Counil On Systems Engineering (INCOSE). SAOS Stnrs, (1999), Signlling priniples - Brisne suurn re. Simpson, A., Woook, J. & Dvies, J. (1997), The mehnil verifition of soli stte interloking geogrphi t, in L. Groves & S. Reeves, es, Pro. of Forml Methos Pifi (FMP 97), Disrete Mthemtis n Theoretil Computer Siene Series, Springer-Verlg, pp Somenzi, F. (1998), CU Deision Digrm Pkge: Relese 2.3.0, Deprtment of Eletril n Computer Engineering, University of Coloro t Bouler, Winter, K. & Roinson, N. J. (2003), Moelling lrge rilwy interlokings n moel heking smll ones, in M. Oushoorn, e., Pro. of Austrlsin Computer Siene Conferene (ACSC2003).