Formal validation method and tools for French computerized railway interlocking systems

Transcription

1 Formal validation method and tools for French computerized railway interlocking systems Abstract 1 M. Antoni, 2 N. Ammad SNCF, Infrastructure, Maintenance Engineering, Paris, France 1 SNCF, Engineering, Safety Management, St-Denis, France 2 The SNCF is responsible for the putting into service of all interlocking systems of the French railway network. This is why, especially for computerized SIL4 system, the SNCF wishes to check that new interlocking systems are always correct and safe in the context of the French network with its own approval process. Checks and tests before putting safety facilities into service as well as the results of these tests are essential, time consuming and may show great variations between each other. Economic constraints and the increasing complexity associated with the development of computerized tools tend to limit the capacity of the classic approval process (manual or automatic). A reduction of the cover rate could be stated in practice. This is not compatible with the French national plan to renew the interlocking systems of the national network. The method and the tool presented in this paper make it possible to validate formally new computerized systems or evolutions of existing French interlocking systems with real-time functional interpreted Petri nets. The aim of our project is to provide the SNCF with an operating method for the formal validation of French interlocking systems. A formal proof method by assertion, which is applicable to industrial automation equipment such as interlocking systems, and which covers equally the specification and its real software implementation, is presented in this paper. With the proposed method and its associated tools we completely verify that the system follows all safety properties at any time and does not show superfluous conditions: it replaces all the indoor checks (not the outdoor checks). It can easily be included in the existing SNCF testing procedures. The immediate advantages expected are a significant reduction of testing time and of the related costs, an increase of the test cover rate, an answer to the new demand of the railway infrastructure maintenance engineering in situation of modify and validate computerized interlocking systems. Formal methods mastery by infrastructure engineers are surely a key to prove that more safety is not necessary more expensive. INTRODUCTION One of the particularities of railway risk analysis is that the hazard events that we wish to detect and to analyze have a very low marginal probability (they correspond to abnormalities in comparison to the regular mode of the concerned system). Consequently, feedback data of these hazard events (failures, accidents) in the French railway system are very rare. We identify three types of problems, depending on what aspect one focuses: characterization of hazard events; in this case the exploitable data are enough: case of non-programmed systems; discrimination of the abnormalities from situations of normal working; in this case the strength of the available data will be strongly disproportionate: case of in long use programmed systems; in the extreme case where no feedback data of abnormalities are also available, it is no possible to use a statistical approach. One can construct a model of the regular mode of the system and this model can serve to detect the gaps corresponding to possible abnormalities: case of new programmed systems or systems after functional modifications. 1

2 In fact, statistical approaches are not pertinent and not acceptable for validation of the functionalities of computerized critical systems (SIL3 or SIL4 functions). For a real time system computerized it is for us necessary to differentiate two essentially different aspects: Input (TOR or communications in the railway context) Have to be 100% correct or they are not put into service Have to be sure: the unsafe execution rate is below a standardized fixed limit Functionalities of the interlocking system Hardware and software supporting the execution of the functionalities with the right safety level N of P architecture(s) of the real time computerized system validation in the railway context SIL4 development Output (TOR or communications in the railway context) Figure 1: Architecture principle of a real time computerized system Two cases have to be considered and were treated separately in the today French interlocking system: The functionalities that have to be fulfilled by the system and that have to be translated into the programming language of the computer system. In that case, the main problem is the following one: are the specifications and their transformations into the acquired final code, correct at 100%? It is clear that the putting into service of an installation of a high safety level (SIL4 for instance) involving a functional incorrectness that persists in the final code will necessarily lead to an accident after a certain time in a deterministic way. Experience shows us however that this scenario exists [1]; The architecture support (hard and software) that has to allow the realization of the system functionalities with a safety level (tolerable hazard risk fixed by safety norms). In that case the main question is the following one: What level of maximum residual error can be guaranteed by the architecture under real usage conditions? This concerns an unsafe failure rate per hour involving the possibility of an execution error of the system by including active modules and their real-time constraints, the data and control flow, synchronizations, connection with the material Concerning the first aspect, we have to consider that the quality development approach (cf. DO178B or EN50129,126,128) cannot be able alone to guarantee that the functionalities are correct. This point of view is confirmed by many experiences in Europe [1]. This is the reason why formal methods were introduced to optimize the life cycle cost of computerized critical railway systems. Their advantage is to propose, in reasonable delays, an exhaustive analysis of all possible behaviours of the programmed system and to assure the consistency between the proved behaviour of the model and the behaviour of the code embedded into the system. As we will see later, one of the characteristics of the method presented for the new French interlocking systems is to check "the" code embedded into the target system. In this case there is no difference between the model and the embedded code. 2

3 Formal proofs of functional software are currently receiving increasing attention in diverse areas such as industrial automation and railway systems. A formal proof is a set of processes that can be tackled other domains: socio-organizational, financial and economical, technical and human. In this paper, a special focus is brought on the original method developed and used by the SNCF for reducing delays and costs with, at least, the same safety level in the development and the validation of new interlocking systems. Our ultimate aim consists in defining a generic framework supporting a formal proof of SIL4 software. In the scope of this paper, we present the French interlocking system using functional Petri nets specification. The formal validation method is based on these Petri nets. RAILWAY SAFETY CONTEXT The railway system a global viewpoint The issue presented in this article is particularly adapted for a railway environment. As we will see later, the biggest difficulty is the writing of exhaustive safety properties, functionality properties and their postulates of validity. In order to make easier the comprehension of the following article, we will give some information about railway system in general and the French railways in particular. A system is a complex set of interconnected elements aiming to fulfil a function in a given environment. As any industrial process, a system includes three elements: operators - procedures - tools and can be simplified as follows: ERGONOMIC TOOLS OPERATORS ORGANIZATION PRODUCT EDUCATION PROCEDURE Figure 2: Organisation of a railway system The railway system consists of operators on the ground and aboard who act on an infrastructure and railway equipments in accordance with a procedure. The common parts of the infrastructure and the equipments allow the definitions of correlations. This system can be simplified as shown in Figure 3. The railway system consists of 4 sub-systems implicating 4 types of operators. Consistent procedures guarantee the perfect understanding of dialogues and the coherence of actions. They constitute the central point of the system safety. They are the result at the same time of an analysis, of technical compromises and of experience collected in 150 years of functioning. Note that the principles of French signalling did not change since 1935 and that they are until now unified on the whole national territory. This confers to our interlocking generics functions, arranged in layers, to signalling study methods and to SNCF testing procedures a very high level of reliability. The separation between infrastructure manager and railway undertaking can therefore only be considered under control of experts who will have acquired an important experience of functioning. It is wrong to think that procedures are applied only outside automatisms; the reality is more complex as: 3

4 the operator behaviour is always present at a degree or at another, moving borders between the operator behaviour and tools can collide, beyond a certain threshold, with problems of a considerable complexity, the good equilibrium is a permanent object of research, attentiveness. The technical characteristics of the railway (an unique dimension and steel on steel driving) seem to lead to an unstable system. In fact, they also allow to identify and to anticipate easily potential conflicts and they impose to put safety in the centre of the actions of all operators. On the whole, the combination of all the points has allowed constructing a very safe system based on simple and robust infrastructure installations (fixed installations). Including the technical characteristics and the possible scopes of action one differentiates traditionally: the traffic safety that concerns the interaction between running or the treatment of unexpected modifications of the environment interfering with the traffic. The safety is based on the circulation operators and the drivers who act on their respective tools by applying procedures, the technical safety, that aims allowing a train to circulate on the infrastructure by means of the dimensional and functional conservation of the characteristics. It is based on maintenance operators of the fixed installations and maintenance operators of the rolling stock. Their intervention with respect to the traffic operators and the drivers is defined by procedures. RAILWAY UNDERTAKING Engine drivers PROCEDURES AND NATIONAL LAWS Rolling stocks - Trains Rolling stock maintenance operators INFRASTRUCTURE MANAGER Railway operators Fixed Installations (signal boxes, interlocking) Signalling maintenance operators Set of possibilities to be taken into account for the safety validation before putting into service Prevention measures Figure 3: Position of the interlocking installation in the railway system The safety preoccupation is the consequence of both characteristics of the railway system (one only dimension and driving on steel). It requires the perfect coherence between the three elements of the system (operators - procedures - tools) where nothing must be left to chance or to improvisation. With this aim, the French railway system is designed to respect some practical rules: 1. one unique cause cannot lead to an accident, 2. the defects of the installations bring always towards safety state, 3. the actions of operators in the procedures are limited as much as possible, 4

5 4. the role of each safety operators is well defined and they receive an adapted training, 5. there are as many as possible independent recovery circuits between the different operators, procedures and tools, 6. there is a control, if possible permanent, of operators, procedures and tools, 7. the system is constantly improved based on feedback analysis. Beyond this, the general reliability of functioning has a direct influence on the system safety. The more the number of delays and incidents is limited, the less operators and procedures will be demanded and risks will thus be weaker. So, in addition to be safe since the putting in service, fixed installations must also be reliable and fast repairable in order to guarantee the requested safety level: both paths to critical situation have to be equivalent. Out of service or/and under work In service / totally available Error of the specification and the execution of the installation functions Correct putting into service of the installation respecting procedures and context Functional error or failure detected on the installations => intervention delay In service / with a detected failure In service / in an unsafe situation Error of the traffic operators during procedure application Figure 4: Impact of low reliability of the global safety level of a computerized interlocking system Thus, the safety level of the railway system is as much depending on the safety level of the fixed installations (respect of the ownership of safety related to interlocking functions) as on the level of availability of functionalities (respect of the functional ownership). Moreover, generally speaking, the level of safety after a stage works would not know how to be less than that of a final stage even though interim situation is more dangerous potentially. Moreover, generally speaking, during and after each stage works, the safety level would not be less than the safety level before stage works. Identification of dangerous events Both specific characteristics of the railway lead to the definition of two fundamental rules: characteristics a one dimensional system restricted adhesion and friction fundamental rules two trains must not be in the same place at the same time a train must have a free distance at least equal to its braking distance These two items should be completed by situations where trains can cross themselves or complete or bifurcate: Sections with more than one dimension Safe states (technical point of view) a train can only occupy a rail section if the continuance of the train-path and the absence of another trains are assured 5

6 5 types of configuration and 7 types of dangerous events result from the application of these rules and the analysis of the different possible "intersection" of one-dimensional sections. They are presented in the following table: Configurations Dangerous event 1 collision * 1 head-on collision * Two running move towards each other 1 2 convergence * 3 cutting across * 2 counter collision * Two running move toward to the same track [1] Two running use crossing routes 4 divergence * 3 opening * Switch movement under the train [2] 5 succession * 4 overtaking * Two running with the same direction that approach each other 2 5 runaway * Running without breaking 6 derailment 7 collision Running that looses the guidance of the rail Running that collides with an obstruction 3 Interlocking functions Table 1: Configurations and dangerous events in the railway system So, for all configurations and dangerous events marked by an asterisk (*) interlocking functions were worked out and were validated in situ based on experience. Their principles are written in a quasi formal way 4 so that it is easy to establish the test sheet for every (new or modified) interlocking system. This specification sheet incorporates intrinsically the safety properties, the properties representing the expected functioning and the postulates of working. We have to notice that with failsafe relay technology, all this functionalities are tested with a cover rate of 100% before putting into service. Before allowing the passage of a train in a zone that includes turnouts, it is necessary to be sure that: 1. the route is free (trains in sense of permissive block, operators ), 2. switches are properly moved and locked, 3. the route is protected against any converging, cutting, or running in the opposite direction, 1 For example : Flaugeac derailment in France in 1985 : 40 deaths 2 For example : Gagny derailment in France in 1933 : 200 deaths 3 For example : level crossing obstruct by a stopped car or truck 4 In the general way with a «fail safe relay language» 6

7 4. these conditions will not be changed before the train exits the route. It is not possible, in complex zones used by several routes, to assign these missions to a movement operator only disposing of the assistance of procedures. There are therefore mechanical and/or electrical devices called interlocking that forbid the movement of signals and switches in conditions incompatible with the traffic safety. These devices can be classified in two categories: interlocking for the passage of trains (continuance of the turnout in the good position), interlocking between turnouts in order to assure that all turnouts rest in the good position. The functioning of a modern signal box implements a high number of interlocking; the most important are the following ones: Imperative control Approach interlocking Transit interlocking Sense interlocking Block interlocking Figure 5: Functioning of a modern signal box the imperative switch control assures that the turnouts are in good position, fixed and locked and acts on signals. It allows the opening of the entrance signal only if, for all turnouts of the route and for all protecting turnouts, the following conditions are complied: - concordance between the position on the ground and the position that was ordered by the signal box, - closing of the blade, - opening of the other blade, - locking of the blade (for facing turnouts used with a speed over 30 km/h), the approach interlocking forbids the modification of the route during the occupation of the approach zone by the trains by means of fixing the admission signal at the open position. The closing of the signal in front of the train would liberate the transit interlocking (see below), the transit interlocking fixes the all turnouts before and during the passage of the train. It is active until the release by the train of the conflict zone (in flexible transit) or up to the clearing of the entire route (rigid transit). It employs an orientated chaining (according to the movement direction) of the zones composing the route. It is deployed from the construction of the train-path on, the sense interlocking forbids the simultaneous opening of the signals of two routes of opposite sense. It aims at forbidding noses with nose. The capture of sense assumes: - the release of the last engagement of transit of sense reverses, - the release of the common zone, - the not catch of sense reverses, - the forming of the route 7

8 The line of a route implements some of these interlocking which act successively and are raised according to clearing by the circulation. In modern interlocking systems, interlocking are now accomplished by logical equations or Petri nets interpreted on high safety computers. In all cases if a sure failure (sensors, computer ) appear, the signaller will have to execute some procedures to assure the trains circulation. FRENCH INTERLOCKING SYSTEM On a PI 5 system tasks related to the functional safety properties are performed by the computerized interlocking module called Module d enclenchement Informatique (MI 6 ). Its architecture is designed in three levels, shown in Figure 6, allowing a minimization of the life cycle cost and guaranteeing a good interoperability between the functional Petri nets and the target machine. The three levels are: a hardware not specific to the railway domain: industrial conditioned personal computer, industrial power supply, and industrial input-output interfaces are used, a software independent from both hardware and functional properties which manages resources (input, output, and internal memory) and interprets the functional Petri nets using a panel of imposed rules. It has been developed in compliance with SIL4 EN 50129,126,128 standards, and its design is identical on operating French interlocking systems since 1995 (about 100 units in service today in France), functional Petri nets based on generic state graphs parameterized for each track description: the number of accessible states of the system is thus limited. MEI Control centre Functional Petri nets (the same nets of the to machines) Exchange channel between others interlocking systems Input (24VDC) Output (24VDC) SIL4 Interpreter a master and a slave machines 2/2 Hardware (different harwares) Figure 6 MI s architecture of the PI In the following, the term interpreter will be used to refer to the second level software, which interprets the functional Petri nets. The functional Petri nets are state graphs described by formal semantic rules and saved in an ASCII file. They are interpreted in real time by the interpreter of the target machine. The formal semantic rules result in: a deterministic behavior of the interpreter, a non-ambiguous comprehension (writing, reading, modifying ) of the functional Petri nets by railway engineers and railway maintainers. 5 PI = Poste Informatique : French computerized interlocking 6 MI = computerized interlocking module: the hardware and the low software (resources manager, interpreter and safety mechanisms) are the same for all modules each one used its own Petri nets file, which defines all the functionalities. 8

9 Thus, the SNCF designed the MI in order to integrate constraints necessary for the validity of the method and the tools. The MI module integrates the fundamental properties that allow applying our proposed method, i.e.: the chronology of all external events is recorded, whatever their duration is, only one event at a time is processed (hardware limit about 100 events each 50ms), the graphs (functional Petri nets) are directly interpreted, without being rewritten, the interpretation rules are defined at once. Because of these specific properties and the conception properties, the MI module is a pure deterministic machine. The first two levels fulfil tasks with a very high safety level (SIL4), thus, it is not necessary to consider these elements during the check. The MI architecture gives satisfaction so that the next interlocking system of the French railway network will use the same principle and properties. FORMAL VALIDATION METHOD OF THE FRENCH INTERLOCKING Problem definition The aims of the project for a formal validation of the functionalities of French interlocking systems are: the reduction of the life cycle costs of interlocking systems (development, functional evolution and replacement of the target system ) : a real interest for railway infrastructure maintenance engineering, the maintain of the direct safety level of non-computerized interlocking system against the background of the increasing functional complexity and the today s limits of qualification processes : safety based on the quality of the development level, on test scripts with limited cover rate, the maintain of the reliability level of our non-computerized interlocking against the background of technology changes, of the increasing of the functional complexity and of specification of the news computerized systems, the equipment of the SNCF with an operating method for a formal validation used by the railway test engineers without the help of persons highly educated in mathematics [3]. This method helps them and increases their efficiency by using tools that implement the boring part of the testing process, the promotion of formalization in order to preserve the railway safety knowledge. With this approach the following direct advantages are expected: a significant reduction of the testing time and the testing costs, the opportunity to obtain quickly a no regression test after a modification of the design and to increase of the test cover rate especially for ensuring that the system will work in the appropriate way when put into service, Our proposed method relies on a mathematical formal proof of the specifications described by functional Petri nets and interpreted in real time by the French interlocking system. We do not execute test scripts but we completely verify that the system does follow the safety properties and the expected functional properties at any time and does not show superfluous conditions. To reach this goal, we use, on the one hand, the mathematical properties of Petri nets, written with particular rules, and, on the other hand, the fact that our interlocking target machine is strictly deterministic and based on a real-time interpretation of the functional Petri nets: for these reasons, the number of system states is finite. The difficulty of our study was to find a solution for potential blocking situations during a practical implementation of the formal method on the real interlocking system, especially concerning: 9

10 the control of the number of states that can be reached by the system and that have to be checked, the capacity to express the safety rules to be checked (safety properties and superfluous conditions), the realization of algorithms and tools allowing to accomplish the proof, the aspects related to socio-economic issues. Principles of the formal validation method In a general way, a target machine of interlocking system (functions and parameters) has to accomplish all necessary functions to guarantee the rail traffic safety: no accident. An error of specification, comprehension or of design will provoke a non reliable functioning and an accident, sooner or later (these systems work twenty-four-seven for several dozens of years) [1]. It will provoke a brutal transition by functional error to a malfunction system state. The formal validation has to guarantee that the interlocking system will always be sure for all functionally reachable system states, in nominal or in degraded modes (cf. figure 7). Function (normal and degraded modes) Success => Accident free Verboten by a formal validation (impossibility of this transition) Brutal transition due to a functional error (specification or execution error) Mal-function Failure => Accident Figure 7 Illustration of the formal validation of the functionalities of computerized interlocking Our method is a formal validation method of safety properties (direct and indirect through procedures and operators) derived from university works [4]. Used with the PI, it covers all fields from the specification up to the execution (SNCF approval for being suitable for work). In comparison to other validation and proof of the conformity methods (model-checking, languages B, SDL...) our method has the following specific characteristics: The method is not based on the "modeling" of the expected functionality (with an unknown offset between the models and the real execution context, the gap between the modeling of the application code execution and the real time execution) but it works directly on the executable specifications implemented (after a simple file copy) in the target machine. It covers all steps from specification up to realization. Its application is possible without the need of high knowledge in mathematics. The writing of the safety properties is straightforward; it can be done for example by SNCF railway engineers. It is automatized and the application does not require manual interventions. The principles of the method are particularly simple. The fundamental idea is: "If a property is true in an occupied (marked) state and if the conservation of this property during the transition that follows this state is ensured the property will be true in the new occupied state. The demonstration can be continued as long as the property is preserved". This principle is used for safety properties and waited functional properties. 10

11 T3i End of the exploration thus the reached state is known T2i T3j Initial system state T1i First system transition after an external event T2j System states T=T1i T3k T4j Proved transition The initial system state is sure All transitions are generated All transitions are proved All states are sure Figure 8 Principle of the formal proof The industrial application of our method required the development of appropriated tools: to define the safety (and functional) properties, to define the manner of evaluating the conservation of the safety (and functional) properties for each transition between system states, to define an initial state before the proof application; in this initial state the safety properties are true, to evaluate the safety properties by recurrence for each transition between system states; the safety properties are evaluated until all safety properties are true; otherwise the proof is stopped. We directed our work into the following directions: reduction of the combinative explosion (control of the number of states reached by the system), identification and formalization of the safety properties, methods for the exploration of accessible system states before the proof, development of a tool allowing to carry out the proof, development of upstream and downstream tools allowing to apply the proof in an industrial way, application of the method on a small but real functional interlocking system, inclusion of our method in the current validation process. Developed tools for our formal validation method - Upstream tools: general way for the definition of safety properties The safety properties are written in an unambiguous and real-time exploitable way by the proving tool. For each signaling function we use Petri nets to write down the associated safety properties. We carry out this work directly together with railway engineers. All safety properties are grouped together in a special database, which has to be completed for every existing signaling function (Figure 9). 11

12 The evaluation of the safety properties generates one of the three possible results: Safety property violation stop the proof - give the sequence of external events that presents an unsure system state; Function property violation the system state reached is out of the boundary, the system state is proofed but it will not be reintroduced - give the sequence of external events that presents an unexpected system state; Superfluous property violation the system prohibits a transition allowed by the safety properties. Signalling expertise Signalling study process Data base of signalling functions Data base of safety properties Functional Petri nets MEI: Interlocking module Figure 9 Safety properties database - Upstream tools: generation of the safety properties file The railway employee in charge of the interlocking validation has at his disposal the complete description of the tracks and the signaling system via a specific graphical interface. All the information is combined in a local base (technical report which describes the signaling functions, the interlocking ) and used to automatically build the graphical check-board. The safety properties are automatically generated using the local data from the previous database. Thus, they are written, for each proof, in a safety properties file. A consistency check is made between the safety property file and the functional Petri net file (Figure 10). Functional Petri nets file Signalling program for a local site Coherence check Safety properties file Safety property data base - Proving tool: Formal validation tool Figure 10 Safety properties file generation The proving tool interprets the functional Petri nets exactly like the final interlocking module. It respects all the rules mentioned earlier. 12

13 The explorer identifies the totality of system states departing from a safe initial state. The proving tool uses the explorer: to take into account the task limitations of the interlocking system; to evaluate step by step (state by state during the exploration) the safety properties. The combinative reduction is based a partition of the routes to be checked, on a limitation of the functions and a specific description of the environment (railway culture). We have developed two algorithms (vertical or horizontal scanning) performing this operation and we compare both results. The proving tool evaluates the safety properties step by step during the automatic and complete exploration (after each system transition). Thus, the transitions between system states are automatically proved. The method stops when a safety property violation is detected (Figure 11). The exploration breaks off and no new system state can be reached. Functional Petri nets file Safety properties file Interpreter and exploration Proof tool (properties evaluations for each new state) Proved system states Figure 11 Proof realization - Reached system state tree and execution certificate At the end of the exploration and of the check, a certificate (report) is produced which gives information: about unsure state; about the sequence of external events that presents an unsure system state. A tool was developed to simplify the data processing in the case of unsure system states. It provides the railway engineer in charge of the validation of the interlocking system with: a tree containing all system state transitions found during the exploration; a precise description of each system state reached; an evaluation of each safety property and the superfluous condition for each reached system state. The tool generates the tracing of the occupied states and the used transitions of the functional Petri nets. The results are saved after the end of the check and are given to the railway engineers in order to to help them to detect the reason of a problem (specification mistake or lack of specification, safety property mistake, bad defined operating rules ). In a general way, the railway engineer has to certify that there are no superfluous conditions or any safety property violations. He also has to identify the shortest way to reach the unsure system state. 13

14 Identified system states Downstream tools (analysis) Certificate (if all the properties are ever verified) System state tree (unsafe examples ) Tracing of states and transitions (vivacity ) Figure 12 Downstream tool This tool allows the railway engineer also to check every intermediate data, and this for each system state reached. APPLICATIONS TO REAL INTERLOCKING PI of Noisy le Roy We applied our method to the real interlocking system of "Noisy le Roy" that is currently in use and situated next to Paris (cf. Figure 12). The results were obtained under reasonable delays, directly proportional to the number of tested train routes. For each route checked, we found about 1,500 different system states and around 1 hour calculation time of a normal laptop. We chose some potential dangerous situations from the experience of railway engineers and we were able to verify that the tools detect them easily. Figure 13 PI example used 14

15 Double track level crossing We applied our method to a future level crossing system developed as a little PI. The level crossing was designed for a double track with, for each track, two sense of circulation, with the possibility to control manual the running of the level crossing in case of sensors failure (detectors, track circuit ). The results were obtained under one hour for all the proofs. New applications We will apply our method and tools to an interlocking system that has to be put into service before the end of In collaboration with the TUBS 7, we will try to link the university and the railway worlds and to apply the method of German level crossing or interlocking system. Feedback For us the method is industrially applicable. At the end of 2008, it will be fully usable by signal engineers. The automatic and systematic exploration allows checking event sequences that the testers would not normally test (economic constraints, limited test time ) or not practically practicable scenarios (occurrence of several events during a small reaction delay is present ). The main difficulty in these news studies was to write and validate by the experts all the safety properties and the functional properties. Our method needs a rigorous formalization of the functionality of an industrial application based on Petri nets. This generates benefits like: a readable application, a fast and simplified maintenance, an easy comprehension for railway engineers and maintainers. It is generally admitted that formal methods solve problems related to the safety check of long living computerized applications. However, the main critics of these methods are: They need a good traceability of the system properties and the formal specification. They require a detailed knowledge of mathematical techniques. They increase production costs. They are usually not delivered including specified tools. They remain hermetic for the users (customers and non specialists). They are not recognized by the standardization organizations. They are not practicable for large-size or complex systems. We showed in this article that our method allows refuting almost all above mentioned critics: The traceability of the safety properties of the system and the formal specifications are identical, The users do not need mathematical knowledge, The formalism of the Petri nets allows reducing production and maintenance costs of the critical software and makes a formal language accessible, Tools were developed to support the methods, European standards recommend the use of formal method, It is applicable to large-size systems, the only limit is the calculation time, which is shorter than the manual tests at an identical safety level. 7 TUBS = Technische Universität Braunschweig (Technical University of Braunschweig Institute for Traffic Safety and Automation Engineering, Germany) 15

16 CONCLUSION Safety and real-time computerized applications are more and more complex, so that the limits of the classical validation methods are now reached. Formal methods can validate this kind of systems and are mean for finding the best compromise between costs and safety level. Our method is applicable practically and will permit to answer future tasks: the large renewing plan of interlocking systems, the demography of testers and their training. Our prover tool formally verifies that the application code, i.e. the functional Petri nets, meets all applicable safety requirements and all functional requirements. Our methods use the knowledge of the real-time software, it use the properties of the SIL4 interpreter. The tool applies automated mathematical proof search on the functional Petri nets. There is not need to write a single test. If there is an unsafe scenario violating a requirement exists, the proving tool will find it, generate the corresponding test, and display it in the tool. The engineer then identifies and fixes the unsafe logic and re-runs the tool. This approach is fundamentally different from testing, simulation and review. The test or the simulation of all possible scenarios and combinations of events would take billions of years even for very basic real time application code. All test methods rely on picking a few scenarios (typically less then 1 % of all, but the most important based on experience and functional knowledge) and testing them. Whether the operation of the application code is safe also for the remaining scenarios is unknown. With the introduction of our proving tool, we no longer have to limit ourselves to check a few scenarios. Our proving tool checks if the final application code is safe for all scenarios. Although, new to some persons, formal verification will be shortly mature and proven verification approach that has been used extensively within the computerized railway signalling. Our method could be used for the validation of functional specifications (interlocking system or other automation equipment for example) before call for tending. By this way, it could be possible to prove that the specifications fulfil all the requirements and that the product is correctly designed. We hope have reply to the main question: how can we in the computerized future maintain the safety level of actual failsafe relays interlocking and, in the same time, decrease the costs of engineering? The way shown in this paper could be used in a common way for all railway engineers to formalize new specifications or functional modifications for interlocking systems. Compared to the current method, this could have the following benefits: The elaboration of safety properties and functional properties will be made by railway engineers and not by mathematicians who do not necessarily have a deep knowledge of signalling systems, The possibility for each railway network to modify its signaling principles and safety properties in the best economic conditions, The possibility for manufacturers, if they wish, to interpret directly the functional Petri nets with their own interlocking machine, reducing thus their own validation effort References [1] ETCS software error led to derailment, Railway Gazette International (January 2008). [2] British track faces scruting after 152 km/h derailment, IRJ (April 2007). [3] M. Antoni, N. Ammad, Feasibility study for the implementation of a formal proof of interpretable specification (for an interlocking system), FORMS/FORMAT 2007 Proceedings of Formal Methods for Automation and Safety in Railway and Automotive Systems (G. Tarnai and E. Schnieder Eds.), Braunschweig (2007). [4] P. Bielinski, Implantation VLSI d un algorithme de code correcteur d erreur et validation formelle de la réalisation, Thesis, Université Paris 6 (1993). 16