EP3395643A1 - Method for checking safety requirements of ssi-based data used in an interlocking control system - Google Patents
Method for checking safety requirements of ssi-based data used in an interlocking control systemDownload PDFInfo
- Publication number
- EP3395643A1 EP3395643A1EP17305477.6AEP17305477AEP3395643A1EP 3395643 A1EP3395643 A1EP 3395643A1EP 17305477 AEP17305477 AEP 17305477AEP 3395643 A1EP3395643 A1EP 3395643A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- unsafe
- data
- interlocking
- constraint violation
- application data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L19/00—Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06—Interlocking devices having electrical operation
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
- B61L21/04—Electrical locking and release of the route; Electrical repeat locks
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/60—Testing or simulation
Definitions
- the present inventionconcerns a method for checking safety requirements of SSI-based data (for Solid State Interlocking based date) used in an interlocking control system.
- An interlocking control systemis a computer based railroad signaling system whose purpose is to ensure the safe movements of railroad vehicles, in particular in order to prevent collisions and derailments.
- the present inventionrelates therefore to the domain of circulation management of vehicles using a transportation network, such as a railroad transportation network, a subway network, a tramway network, or the like.
- a transportation networksuch as a railroad transportation network, a subway network, a tramway network, or the like.
- the circulation managementis achieved through interlocking equipment of an interlocking system, often called “yard equipment” and/or “wayside equipment” and/or “trackside equipment”, which are designed to perform specific train circulation-related operations.
- This equipmentmay comprise signaling devices and/or railroad switches and/or track circuits, or the like.
- This field equipmentmay be controlled remotely by operators through an interlocking control system, in a semi-automatic or automatic manner, based on a software architecture executed by computing means of the control system.
- the interlocking control systemincludes a communication network through which the system is interfaced with the field equipment.
- An interlocking control systemis usually designed through known methods which design both the hardware and the software components of the system, as well as the communication network used for interfacing the transportation network wayside equipment with the developed hardware.
- the interlocking control systemcomprises hardware, including one or more control units, for controlling the interlocking equipment, each control unit comprising computing means intended for controlling the interlocking equipment remotely through the communication network.
- control unitsmay be station-based, the communication network being configured to link the units to the interlocking equipment arranged trackside.
- the communication networkusually comprises a network of cables connected to each element of the interlocking equipment and to one or several of the control units.
- the computing means of the control unitsexecute software, in other words a system of one or more computer programs.
- the interlocking control systemcomprises a plurality of interlocking applications, and the functioning of each interlocking application, also called the logic of each application, is configured using software tools.
- SML400GP SSI-based productwhich is part of a family of products known as Smartlock 400, which was designed as a successor to previous Solid State Interlocking (SSI) products.
- the logic for a specific SML400GP SSI-based interlocking applicationis expressed using an extension of the SSI language, known per se as the SML400 language.
- the SML400GP SSI-based productconsists of interlocking hardware, software, communications technology, as well as tools for the preparation and verification of data.
- the core of the productis the well-known Central Interlocking (CIXL) module, and it interprets, in a manner known per se, SSI data, which in the following of the description will be referred as application data.
- the application dataare prepared off-line in a manner known per se, preferably in an office environment using standard computers, and they are subsequently embedded in the CIXL.
- the application datais the data specific to the signaling area that the interlocking control system controls; the CIXL contains fixed software used to interpret these specific application data.
- the operation of the interlocking control systemis based, in a manner known per se, on exchange of data, in the form of signals, between the interlocking control system and the interlocking equipment.
- the application datadefine the interlocking equipment logic for a predetermined signaling application and are usually verified and validated before being supplied to the interlocking control system.
- This verificationincludes, in a manner known per se, a series of manual and automatic procedures aiming at checking that the data are suitable for being installed in the interlocking control system from a formal point of view, i.e. that they fulfill formal constraints.
- the application datamust satisfy the processing requirements of the CIXL in order to be sufficiently self-consistent and complete so as not to cause the CIXL interpreter software to malfunction.
- Tools exist to automatically verify the application databut they only perform checks to ensure that the application data meets run-time constraints of the CIXL. They do not check if certain logical conditions, in particular safety conditions, are satisfied, i.e. conditions that could lead to incidents that may cause harm to trains and their passengers.
- the technique usedinvolves checking the model against test scenarios that manifest different train movements that may be made in the interlocking application, so it is more a test via simulation approach than a proof approach.
- the techniqueis also currently limited to checks on a single interlocking application, i.e. it has not been used to verify application data of communicating interlockings.
- the method according to the present inventionis arranged to validate the application data that the CIXL subsystem interprets against safety requirements.
- the method for checking safety requirements of SSI-based data used in an interlocking control systemuses the same data model in the same environment in which the existing tools of the SML400GP SSI-based toolset run.
- the method for checking safety requirements of SSI-based data used in an interlocking control systemis preferably executed by a computer-implemented software module, and it comprises the steps and sub-steps defined herein below and schematically illustrated in the block diagram of figure 1 .
- an application data fileis generated in a manner known per se.
- the application data filecomprises SML400 application data of the type which is usually installed on a CIXL.
- SML400 application datais a code that represents interlocking logic, i.e. an implementation of the signaling requirements that a CIXL must satisfy.
- the interlocking logicis applied to the interlocking equipment in zones corresponding to signaling areas of the transportation network that the CIXL controls.
- the application dataare created from code related to one or more virtual interlockings, referred to as VIXLs.
- each VIXL of a CIXLis defined using a procedural, object-centered language, which is designed to be backwards compatible with the language used for configuring SSI-based interlocking control systems.
- the application dataare interpreted on contents of memories representing states of signaling functions (e.g. signals, switches, track sections and routes) that the interlocking control system controls. Iterating in cycles, the CIXL receives indications of the current states of the signaling functions, updates the memories accordingly as the logic demands, sends commands to control the signaling functions to their new states, and processes requests from a signaler (or requests made within the application data).
- states of signaling functionse.g. signals, switches, track sections and routes
- a constraint violation fileis prepared, this file being preferably written in a manner known per se in SSI-like notation.
- the constraint violation filecontains data representative of constraint violations expressed in SML400-like syntax.
- the constraint violation filecomprises therefore a plurality of conditions that describe a plurality of unsafe scenarios of the interlocking equipment.
- a constraint violationmay be used to express conditions when it would be unsafe to move a particular switch, such as the following scenario. It is unsafe whenever the switch is in one position and at least one of the track sections on which it lies becomes occupied, in the case when the switch is moved to the other position and at least one of the track sections on which it lies is already occupied.
- a subsequent step 6data of the application data file are selected according to a first constraint violation condition of the plurality of violation constraint conditions of the constraint violation file.
- a first constraint violation conditionof the plurality of violation constraint conditions of the constraint violation file.
- only the data which correspond to an unsafe scenario defined in the first constraint violation conditionare selected from the whole data of the application data file. For example, with reference to the above-disclosed example related to the movement of a switch, all the data which refer to the unsafe movement of the switch are selected.
- a contextcomprises in a manner per se known a plurality of paths through the application data that process a specific signaling request. Taking the above example of the switch movement, one context may be for a request to move the switch, and another context may be for a request to set a route which in turn relies on the switch being moved.
- the paths in a contexttypically contain data that test and/or update relevant parts of the signaling function memories so that, when executed, enables the particular request to be fulfilled.
- each unsafe scenario of the plurality of unsafe scenarios contained in the constraint violation filecorresponds at least one context, preferably a plurality of contexts, each context comprising a plurality of paths in the application data. If a context comprises paths that could lead to an unsafe state, the method forces them to be executed.
- a scenariocorresponds to a set of variables disclosing the scenario from the point of view of the settings of the interlocking equipment, i.e. each variable discloses a predetermined setting of one of the interlocking equipment.
- predetermined initialized valuesare therefore assigned to said variables, thus obtaining an initial state for the unsafe scenario.
- the paths belonging to the at least one context identified at step 7are executed, in the application data context itself.
- the unsafe scenario identified at step 6starting from the initial state, all possible paths of the at least one context are followed. Therefore, for the given unsafe scenario, starting from a predetermined initial state, each path is executed in the application data and respective resulting states are obtained.
- step 12at the end of each path, a check is done to determine if an unsafe state has been reached, by comparing the respective resulting state with the data of the scenario (i.e. with the data of the constraint violation file).
- Steps 10 and 12are repeated, starting each time, for each path, with the corresponding resulting state reached at the previous step, until unsafe states or no new safe states are reached.
- each path that leads to an unsafe stateis displayed to a user in a manner per se known.
- the method for checking safety requirements of SSI-based data above disclosedoperates on the same data model on which the other SML400 application data tools operate.
- the data modelis accessed and interpreted in a way that is equivalent to the way the CIXL interprets the application data. This means that the method according to the present invention is run on data that are semantically correct and that manifest similar behavior as the target data.
- the method according to the present inventionallows to validate CIXL application data against specified safety constraints, or rather to prove that there is no execution path in the application data that would result in a state that violates the constraints.
- the methodperforms an exhaustive search on parts of the application data that could lead to an unsafe state, by executing those parts on that state and all new safe states that result from the execution, until an unsafe state is reached or all states have been searched.
- the SML400GP SSI-based application data toolsoperate on a model of the data rather than on the target data, unlike other solutions, all of the target data are represented in the model.
- all dataare considered in the proofs, excluding parts of the data that are evaluated to be irrelevant to the safety condition currently being proved, rather than ignoring certain parts of the data a priori.
- the inventionconcerns also a computer program product comprising programming code instructions adapted for running a method as described here-above when executing by a calculation unit, such as a processor.
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Train Traffic Observation, Control, And Security (AREA)
Abstract
Description
- The present invention concerns a method for checking safety requirements of SSI-based data (for Solid State Interlocking based date) used in an interlocking control system.
- An interlocking control system is a computer based railroad signaling system whose purpose is to ensure the safe movements of railroad vehicles, in particular in order to prevent collisions and derailments.
- The present invention relates therefore to the domain of circulation management of vehicles using a transportation network, such as a railroad transportation network, a subway network, a tramway network, or the like. In a manner known per se, the circulation management is achieved through interlocking equipment of an interlocking system, often called "yard equipment" and/or "wayside equipment" and/or "trackside equipment", which are designed to perform specific train circulation-related operations. This equipment may comprise signaling devices and/or railroad switches and/or track circuits, or the like.
- This field equipment may be controlled remotely by operators through an interlocking control system, in a semi-automatic or automatic manner, based on a software architecture executed by computing means of the control system. The interlocking control system includes a communication network through which the system is interfaced with the field equipment.
- An interlocking control system is usually designed through known methods which design both the hardware and the software components of the system, as well as the communication network used for interfacing the transportation network wayside equipment with the developed hardware.
- The interlocking control system comprises hardware, including one or more control units, for controlling the interlocking equipment, each control unit comprising computing means intended for controlling the interlocking equipment remotely through the communication network.
- Practically, the control units may be station-based, the communication network being configured to link the units to the interlocking equipment arranged trackside. For this purpose, the communication network usually comprises a network of cables connected to each element of the interlocking equipment and to one or several of the control units.
- For controlling the interlocking equipment, the computing means of the control units execute software, in other words a system of one or more computer programs.
- In particular, the interlocking control system comprises a plurality of interlocking applications, and the functioning of each interlocking application, also called the logic of each application, is configured using software tools.
- A particular product is nowadays used, the so-called SML400GP SSI-based product, which is part of a family of products known as Smartlock 400, which was designed as a successor to previous Solid State Interlocking (SSI) products.
- In particular, the logic for a specific SML400GP SSI-based interlocking application is expressed using an extension of the SSI language, known per se as the SML400 language. The SML400GP SSI-based product consists of interlocking hardware, software, communications technology, as well as tools for the preparation and verification of data.
- The core of the product is the well-known Central Interlocking (CIXL) module, and it interprets, in a manner known per se, SSI data, which in the following of the description will be referred as application data. The application data are prepared off-line in a manner known per se, preferably in an office environment using standard computers, and they are subsequently embedded in the CIXL.
- The application data is the data specific to the signaling area that the interlocking control system controls; the CIXL contains fixed software used to interpret these specific application data.
- As above disclosed, the operation of the interlocking control system is based, in a manner known per se, on exchange of data, in the form of signals, between the interlocking control system and the interlocking equipment.
- The application data define the interlocking equipment logic for a predetermined signaling application and are usually verified and validated before being supplied to the interlocking control system. This verification includes, in a manner known per se, a series of manual and automatic procedures aiming at checking that the data are suitable for being installed in the interlocking control system from a formal point of view, i.e. that they fulfill formal constraints.
- In particular, the application data must satisfy the processing requirements of the CIXL in order to be sufficiently self-consistent and complete so as not to cause the CIXL interpreter software to malfunction. Tools exist to automatically verify the application data, but they only perform checks to ensure that the application data meets run-time constraints of the CIXL. They do not check if certain logical conditions, in particular safety conditions, are satisfied, i.e. conditions that could lead to incidents that may cause harm to trains and their passengers.
- Other tools are used to execute the application data in a laboratory test environment to provide confidence that the data are compliant to the signaling principles and the interlocking logistical requirements, however, the setting-up and running of the tests is a time consuming process, and it is almost impossible to create test scenarios that would take into account every possible circumstance that could lead to a violation of a safety condition.
- In order to solve the problem of safety validation, some methods for checking safety requirements of application data used in an SSI interlocking control system have been proposed.
- Document"Towards an Integrated Model Checker for Railway Signalling Data", Michael Huber and Steve King, Springer-Verlag Berlin Heidelberg 2002, p. 20, discloses the use of model checking techniques, known per se, for automatically checking safety conditions of application data used in an SSI interlocking control system. The technique disclosed involves the automatic translation of a subset of the whole application data into a predetermined model expressed using a formalism different from the one with which the application data have been created, so that they can be checked by using a pre-existing general purpose model checking software. The behavior of the predetermined model is a close approximation of the behavior of an interlocking control system employing the application data, but the use of the general purpose model checking software is inefficient and requires expert skills. The document concludes that a purpose-build SSI data checker would be more optimal and usable.
- Document"Verification of railway interlocking systems", Simon Busard, Quentin Cappart, Christophe Limbrèe, Charles Pecheur, Pierre Schaus, in Proceedings ESSS 2015discloses a more recent experiment of using a general purpose model checker software, known per se, on application data of SSI interlocking systems, which shows better performance results. Like the previous solution, this solution involves the automatic translation of the application data into the formalism required by the model checker software, and the behavior of the model is an approximation of the behavior of the interlocking control system employing the application data. However, only certain types of data are included in the model, based on the assumption that only those types of data are safety related, ignoring the possibility that the misuse of other types of data could lead to an unsafe state. The technique used involves checking the model against test scenarios that manifest different train movements that may be made in the interlocking application, so it is more a test via simulation approach than a proof approach. The technique is also currently limited to checks on a single interlocking application, i.e. it has not been used to verify application data of communicating interlockings.
- In view of the above, there is therefore the need to provide a method for checking safety requirements of SSI-based data used in an interlocking control system which checks automatically all possible scenarios, which does not employ a general purpose model checking software and/or which does not requires expert skills, thus overcoming the limitations of the prior art solutions.
- This and other objects are fully achieved by virtue of a method for checking safety requirements of SSI-based data used in an interlocking control system having the characteristics defined in independent claim 1.
- Preferred embodiments of the invention are specified in the dependent claims, whose subject-matter is to be understood as forming an integral part of the present description.
- Further characteristics and advantages of the present invention will become apparent from the following description, provided merely by way of a non-limiting example, with reference to the enclosed drawings, in which:
Figure 1 shows a block diagram of the steps of a method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention.- The method according to the present invention is arranged to validate the application data that the CIXL subsystem interprets against safety requirements.
- The method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention uses the same data model in the same environment in which the existing tools of the SML400GP SSI-based toolset run.
- The method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention is preferably executed by a computer-implemented software module, and it comprises the steps and sub-steps defined herein below and schematically illustrated in the block diagram of
figure 1 . - In a
first step 2, an application data file is generated in a manner known per se. The application data file comprises SML400 application data of the type which is usually installed on a CIXL. SML400 application data is a code that represents interlocking logic, i.e. an implementation of the signaling requirements that a CIXL must satisfy. - The interlocking logic is applied to the interlocking equipment in zones corresponding to signaling areas of the transportation network that the CIXL controls. In other words, the application data are created from code related to one or more virtual interlockings, referred to as VIXLs.
- The logic for each VIXL of a CIXL is defined using a procedural, object-centered language, which is designed to be backwards compatible with the language used for configuring SSI-based interlocking control systems.
- The application data are interpreted on contents of memories representing states of signaling functions (e.g. signals, switches, track sections and routes) that the interlocking control system controls. Iterating in cycles, the CIXL receives indications of the current states of the signaling functions, updates the memories accordingly as the logic demands, sends commands to control the signaling functions to their new states, and processes requests from a signaler (or requests made within the application data).
- In a
subsequent step 4, a constraint violation file is prepared, this file being preferably written in a manner known per se in SSI-like notation. The constraint violation file contains data representative of constraint violations expressed in SML400-like syntax. The constraint violation file comprises therefore a plurality of conditions that describe a plurality of unsafe scenarios of the interlocking equipment. - For example, a constraint violation may be used to express conditions when it would be unsafe to move a particular switch, such as the following scenario. It is unsafe whenever the switch is in one position and at least one of the track sections on which it lies becomes occupied, in the case when the switch is moved to the other position and at least one of the track sections on which it lies is already occupied.
- In a
subsequent step 6 data of the application data file are selected according to a first constraint violation condition of the plurality of violation constraint conditions of the constraint violation file. In particular, only the data which correspond to an unsafe scenario defined in the first constraint violation condition are selected from the whole data of the application data file. For example, with reference to the above-disclosed example related to the movement of a switch, all the data which refer to the unsafe movement of the switch are selected. - At this point, in a
subsequent step 7, at least one application data context is determined, for the unsafe scenario of the first constraint violation condition, in a manner per se known. A context comprises in a manner per se known a plurality of paths through the application data that process a specific signaling request. Taking the above example of the switch movement, one context may be for a request to move the switch, and another context may be for a request to set a route which in turn relies on the switch being moved. The paths in a context typically contain data that test and/or update relevant parts of the signaling function memories so that, when executed, enables the particular request to be fulfilled. As a consequence, to each unsafe scenario of the plurality of unsafe scenarios contained in the constraint violation file corresponds at least one context, preferably a plurality of contexts, each context comprising a plurality of paths in the application data. If a context comprises paths that could lead to an unsafe state, the method forces them to be executed. - Returning now to
figure 1 , atstep 8, for the unsafe scenario identified atstep 6, all the variables that define all possible states of the scenario are initialized, thus setting an initial state for said variables. In particular, it is known that a scenario corresponds to a set of variables disclosing the scenario from the point of view of the settings of the interlocking equipment, i.e. each variable discloses a predetermined setting of one of the interlocking equipment. Atstep 8, predetermined initialized values are therefore assigned to said variables, thus obtaining an initial state for the unsafe scenario. - Subsequently, at
step 10, the paths belonging to the at least one context identified atstep 7 are executed, in the application data context itself. In particular, for the unsafe scenario identified atstep 6, starting from the initial state, all possible paths of the at least one context are followed. Therefore, for the given unsafe scenario, starting from a predetermined initial state, each path is executed in the application data and respective resulting states are obtained. - A this point, at
step 12, at the end of each path, a check is done to determine if an unsafe state has been reached, by comparing the respective resulting state with the data of the scenario (i.e. with the data of the constraint violation file). - If no unsafe state has been detected, it is further determined if the resulting state (which should therefore be a safe state) has not been reached.
Steps - At the end of the loop, at step 14 each path that leads to an unsafe state is displayed to a user in a manner per se known.
- The above disclosed
steps 6 to 12 are repeated for any constraint violation condition of the plurality of violation constraint conditions of the constraint violation file. - The method for checking safety requirements of SSI-based data above disclosed operates on the same data model on which the other SML400 application data tools operate. The data model is accessed and interpreted in a way that is equivalent to the way the CIXL interprets the application data. This means that the method according to the present invention is run on data that are semantically correct and that manifest similar behavior as the target data.
- As clearly detailed in the above, the method according to the present invention allows to validate CIXL application data against specified safety constraints, or rather to prove that there is no execution path in the application data that would result in a state that violates the constraints.
- To this end, starting from an initial state, the method performs an exhaustive search on parts of the application data that could lead to an unsafe state, by executing those parts on that state and all new safe states that result from the execution, until an unsafe state is reached or all states have been searched.
- The main advantages of the method according to the present invention are the followings:
- limited informatics skills are required to perform the method;
- the validation method is performed by a user-friendly software system that provides support for the interlocking configuration process: it is enough to create a text file with the constraint violations expressed in a few lines using SSI-like notation and to select a menu command of the interlocking configuration system;
- the method is applied to application data of single VIXLs or on data that relate to multiple VIXLs of the same interlocking or different interlockings, thus enabling safety requirements of data related to communicating interlockings to be checked.
- the method can be performed in phases, by running separate proofs to validate safety requirements related to different signaling functions of different VIXLs, to enable the validation activity to be performed in parallel;
- the method splits the application data into manageable partitions and it uses bespoke algorithms to search them efficiently;
- the method applies domain-specific heuristics (knowledge about signaling applications in general and SSI-based applications in particular) that are derivable automatically from the types of constraint violations. These techniques serve to limit the search space for each proof, thus making the solution feasible for complex data.
- In experiments done, the method has found known data errors, related to a certain type of safety condition, in reasonable time.
- Although the SML400GP SSI-based application data tools operate on a model of the data rather than on the target data, unlike other solutions, all of the target data are represented in the model. In particular, according to the method of the present invention, all data are considered in the proofs, excluding parts of the data that are evaluated to be irrelevant to the safety condition currently being proved, rather than ignoring certain parts of the data a priori.
- Advantageously the invention concerns also a computer program product comprising programming code instructions adapted for running a method as described here-above when executing by a calculation unit, such as a processor.
- Clearly, the principle of the invention remaining the same, the embodiments and the details of production can be varied considerably from what has been described and illustrated purely by way of non-limiting example, without departing from the scope of protection of the present invention as defined by the attached claims.
Claims (4)
- Method for checking safety requirements of SSI-based data used in an interlocking control system for controlling an interlocking equipment, the method comprising the steps of:a) obtaining (2) application data representative of interlocking logic operations of the interlocking equipment;b) preparing (4) a constraint violation file containing data representative of a plurality of constraint violation conditions, said data describing a plurality of unsafe scenarios of the interlocking equipment;for each constraint violation condition of the plurality of constraint violation conditions:c) selecting (6) data of the application data according to the constraint violation condition, said selected data corresponding to a predetermined unsafe scenario of the plurality of unsafe scenarios defined in the constraint violation file;d) determining (7) at least one predetermined context associated to said unsafe scenario, said context comprising a plurality of paths through the application data;e) initializing (8) variables that define all possible states of said unsafe scenario, thus obtaining a predetermined initial state, said variables being representative of the scenario from the point of view of settings of the interlocking equipment;f) executing (10), starting from said initial state, all possible paths of the context in the application data, thus obtaining respective resulting states;g) at an end of each path, determining (12) if an unsafe state has been reached by comparing a respective resulting state with the data of the constraint violation file;h) if no unsafe state has been detected, determining (12) if the resulting state has not been reached;-i) repeating steps f), g) and h), starting, for each path, from the respective resulting state, until unsafe states or no new states are reached.
- Method according to claim 1, further comprising, after step i), the step of displaying (14) each path that leads to an unsafe state.
- Method according to claim 1 or 2, wherein the application data comprise SML400 application data of the type installed on a central interlocking.
- Method according to any of the preceding claims, wherein the constraint violation file contains data representative of constraint violations expressed in SML400-like syntax.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP17305477.6AEP3395643B1 (en) | 2017-04-28 | 2017-04-28 | Method for checking safety requirements of ssi-based data used in an interlocking control system |
| AU2018202873AAU2018202873B2 (en) | 2017-04-28 | 2018-04-26 | Method for checking safety requirements of SSI-based data used in an interlocking control system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP17305477.6AEP3395643B1 (en) | 2017-04-28 | 2017-04-28 | Method for checking safety requirements of ssi-based data used in an interlocking control system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| EP3395643A1true EP3395643A1 (en) | 2018-10-31 |
| EP3395643B1 EP3395643B1 (en) | 2020-03-11 |
Family
ID=58701568
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| EP17305477.6AActiveEP3395643B1 (en) | 2017-04-28 | 2017-04-28 | Method for checking safety requirements of ssi-based data used in an interlocking control system |
Country Status (2)
| Country | Link |
|---|---|
| EP (1) | EP3395643B1 (en) |
| AU (1) | AU2018202873B2 (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116187104A (en)* | 2023-04-27 | 2023-05-30 | 华侨大学 | Method and device for safety analysis and development of rail transit interlocking system |
| CN117670630A (en)* | 2024-02-02 | 2024-03-08 | 华侨大学 | A safety analysis method, system, equipment and medium for high-speed railway interlocking system |
| WO2024060377A1 (en)* | 2022-09-19 | 2024-03-28 | 卡斯柯信号有限公司 | Formal verification method and system for interlocking data security |
| CN118363368A (en)* | 2024-06-20 | 2024-07-19 | 华侨大学 | A modeling method and system for safety-oriented railway interlocking system |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006111469A2 (en)* | 2005-04-21 | 2006-10-26 | Alstom Ferroviaria S.P.A. | Control system for railway signalling network |
- 2017
- 2017-04-28EPEP17305477.6Apatent/EP3395643B1/enactiveActive
- 2018
- 2018-04-26AUAU2018202873Apatent/AU2018202873B2/enactiveActive
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006111469A2 (en)* | 2005-04-21 | 2006-10-26 | Alstom Ferroviaria S.P.A. | Control system for railway signalling network |
Non-Patent Citations (4)
| Title |
|---|
| MICHAEL HUBER; STEVE KING: "Towards an Integrated Model Checker for Railway Signalling Data", 2002, SPRINGER-VERLAG BERLIN, pages: 20 |
| N N: "signalling solutions -Smartlock 400", SIGNALLING SOLUTIONS LTD., 31 August 2010 (2010-08-31), Hertfordshire, pages 1 - 16, XP055419677, Retrieved from the Internet <URL:https://signallingsolutions.com/wp-content/uploads/SSL-A4-SL400-Bro.pdf> [retrieved on 20171027]* |
| SIMON BUSARD ET AL: "Verification of railway interlocking systems", ELECTRONIC PROCEEDINGS IN THEORETICAL COMPUTER SCIENCE, vol. 184, 1 January 2015 (2015-01-01), pages 19 - 31, XP055419704, DOI: 10.4204/EPTCS.184.2* |
| SIMON BUSARD; QUENTIN CAPPART; CHRISTOPHE LIMBREE; CHARLES PECHEUR; PIERRE SCHAUS: "Verification of railway interlocking systems", PROCEEDINGS ESSS, 2015 |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024060377A1 (en)* | 2022-09-19 | 2024-03-28 | 卡斯柯信号有限公司 | Formal verification method and system for interlocking data security |
| CN116187104A (en)* | 2023-04-27 | 2023-05-30 | 华侨大学 | Method and device for safety analysis and development of rail transit interlocking system |
| CN117670630A (en)* | 2024-02-02 | 2024-03-08 | 华侨大学 | A safety analysis method, system, equipment and medium for high-speed railway interlocking system |
| CN117670630B (en)* | 2024-02-02 | 2024-04-30 | 华侨大学 | Safety analysis method, system, equipment and medium for high-speed railway interlocking system |
| CN118363368A (en)* | 2024-06-20 | 2024-07-19 | 华侨大学 | A modeling method and system for safety-oriented railway interlocking system |
Also Published As
| Publication number | Publication date |
|---|---|
| EP3395643B1 (en) | 2020-03-11 |
| AU2018202873A1 (en) | 2018-11-15 |
| AU2018202873B2 (en) | 2022-05-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2018202873B2 (en) | Method for checking safety requirements of SSI-based data used in an interlocking control system | |
| Könighofer et al. | Shield synthesis | |
| ES2307954T3 (en) | METHOD AND DEVICE FOR GENERATING LOGIC CONTROL UNITS FOR ESSENTIAL COMPUTER APPLIANCES BASED ON RAILWAY STATIONS. | |
| Comptier et al. | Safety analysis of a CBTC system: a rigorous approach with Event-B | |
| Song et al. | Validation, verification and evaluation of a train to train distance measurement system by means of colored petri nets | |
| Comptier et al. | Property-based modelling and validation of a CBTC zone controller in Event-B | |
| US20170132054A1 (en) | Method and apparatus for generating a fault tree | |
| Cuer et al. | A formal framework for the safe design of the autonomous driving supervision | |
| James et al. | On modelling and verifying railway interlockings: Tracking train lengths | |
| Mitsch et al. | Formal verification of train control with air pressure brakes | |
| Macedo et al. | Compositional model checking of interlocking systems for lines with multiple stations | |
| JP6773782B2 (en) | Control device | |
| Khan et al. | On the real time modeling of interlocking system of passenger lines of Rawalpindi Cantt train station | |
| Xie et al. | Safety and reliability estimation of automatic train protection and block system | |
| Ortmeier et al. | Formal failure models | |
| Ferrari et al. | Product line engineering applied to CBTC systems development | |
| Xu et al. | Safety requirement verification of train-centric CBTC by integrating STPA with coloured Petri net | |
| RU2470339C2 (en) | Method for certification of monitoring/control system and monitoring/control system certified using said method | |
| Hudon et al. | Development of control systems guided by models of their environment | |
| Schaber et al. | Towards a Novel Approach to Railway Safety Using STPA and Promise Theory | |
| Issad et al. | A model-based methodology to formalize specifications of railway systems | |
| Tarasyuk et al. | Quantitative verification of system safety in Event-B | |
| Ito | Method of evaluating the influence factor of safety in the automated driving system: the chasm between SAE level 2 and level 3 | |
| WO2021038826A1 (en) | State transition model constructing device and autonomous system | |
| Raghavan et al. | Property-driven runtime resolution of feature interactions |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text:ORIGINAL CODE: 0009012 | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text:STATUS: THE APPLICATION HAS BEEN PUBLISHED | |
| AK | Designated contracting states | Kind code of ref document:A1 Designated state(s):AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | |
| AX | Request for extension of the european patent | Extension state:BA ME | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text:STATUS: REQUEST FOR EXAMINATION WAS MADE | |
| 17P | Request for examination filed | Effective date:20190401 | |
| RBV | Designated contracting states (corrected) | Designated state(s):AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | |
| GRAP | Despatch of communication of intention to grant a patent | Free format text:ORIGINAL CODE: EPIDOSNIGR1 | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text:STATUS: GRANT OF PATENT IS INTENDED | |
| INTG | Intention to grant announced | Effective date:20191023 | |
| RIN1 | Information on inventor provided before grant (corrected) | Inventor name:MINKOWITZ, CYDNEY | |
| GRAS | Grant fee paid | Free format text:ORIGINAL CODE: EPIDOSNIGR3 | |
| GRAA | (expected) grant | Free format text:ORIGINAL CODE: 0009210 | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text:STATUS: THE PATENT HAS BEEN GRANTED | |
| AK | Designated contracting states | Kind code of ref document:B1 Designated state(s):AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | |
| REG | Reference to a national code | Ref country code:GB Ref legal event code:FG4D | |
| REG | Reference to a national code | Ref country code:CH Ref legal event code:EP | |
| REG | Reference to a national code | Ref country code:AT Ref legal event code:REF Ref document number:1242798 Country of ref document:AT Kind code of ref document:T Effective date:20200315 | |
| REG | Reference to a national code | Ref country code:IE Ref legal event code:FG4D | |
| REG | Reference to a national code | Ref country code:DE Ref legal event code:R096 Ref document number:602017012894 Country of ref document:DE | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:FI Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:NO Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200611 Ref country code:RS Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| REG | Reference to a national code | Ref country code:NL Ref legal event code:MP Effective date:20200311 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:BG Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200611 Ref country code:GR Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200612 Ref country code:HR Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:LV Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:SE Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| REG | Reference to a national code | Ref country code:LT Ref legal event code:MG4D | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:NL Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:PT Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200805 Ref country code:LT Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:SK Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:RO Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:IS Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200711 Ref country code:CZ Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:EE Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:SM Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| REG | Reference to a national code | Ref country code:DE Ref legal event code:R119 Ref document number:602017012894 Country of ref document:DE | |
| REG | Reference to a national code | Ref country code:AT Ref legal event code:MK05 Ref document number:1242798 Country of ref document:AT Kind code of ref document:T Effective date:20200311 | |
| REG | Reference to a national code | Ref country code:CH Ref legal event code:PL | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:MC Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| PLBE | No opposition filed within time limit | Free format text:ORIGINAL CODE: 0009261 | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text:STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:LU Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date:20200428 Ref country code:ES Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:LI Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date:20200430 Ref country code:CH Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date:20200430 Ref country code:DK Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:IT Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:DE Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date:20201103 Ref country code:AT Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| 26N | No opposition filed | Effective date:20201214 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:PL Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:SI Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:IE Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date:20200428 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:TR Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:MT Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:CY Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code:MK Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 Ref country code:AL Free format text:LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date:20200311 | |
| P01 | Opt-out of the competence of the unified patent court (upc) registered | Effective date:20230823 | |
| REG | Reference to a national code | Ref country code:GB Ref legal event code:732E Free format text:REGISTERED BETWEEN 20250213 AND 20250219 | |
| REG | Reference to a national code | Ref country code:BE Ref legal event code:PD Owner name:ALSTOM HOLDINGS; FR Free format text:DETAILS ASSIGNMENT: CHANGE OF OWNER(S), ASSIGNMENT; FORMER OWNER NAME: ALSTOM TRANSPORT TECHNOLOGIES Effective date:20241025 | |
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code:GB Payment date:20250423 Year of fee payment:9 | |
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code:BE Payment date:20250418 Year of fee payment:9 | |
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code:FR Payment date:20250425 Year of fee payment:9 |