SAT 2009, Twelfth International Conference on Theory and Applications of Satisfiability Testing
Satisfiability Testing in the Railway Industry
Simon Chadwick, Head of Research, Westinghouse Rail Systems Limited, Chippenham, UK
1. Contents
• Introduction
• Railways and Safety
• The Story of Signalling
• Where Signalling meets SAT
• Some final thoughts
2. Introduction: WRSL
• Westinghouse Rail Systems Limited
• Part of Invensys Rail Group
• Part of Invensys plc
3. Introduction
4. Introduction
5. Railways and Safety
• First railway?
Stockton & Darlington Railway, opened 27th September 1825
6. Railways and Safety
• First railway accident?
William Huskisson (1770-1830), killed during the opening of the Liverpool and Manchester Railway, 15th September 1830.
7. Railways and Safety: Incremental rule building
Applied for 150 years, as a cycle: Accident → Investigation → Changes → Improvement → (next accident)
8. Railways and Safety: Causes of Accidents
• Many causes:
  – Civil engineering failure
  – Failure of train
  – Failure of operators
  – Failure of signalling system
9. Railways and Safety: Railway Signalling assumes…
• Rails intact
• Civil engineering intact
• Trains intact
10. Contents (section divider, repeats slide 1)
11. The Story of Signalling: What is signalling for?
To maintain the safety of trains by:
1. Maintaining a safe distance between following trains on the same track
2. Safeguarding the movement of trains at junctions and crossings
3. Regulating the passage of trains according to the service density and speed required
4. Ensuring the safety of trains in the event of equipment failure
12. The Story of Signalling: Early Signalling
[Figure: hand signals, labelled PROCEED and STOP]
13. The Story of Signalling: Time Interval Working
• Regulation of trains by time
• Controlled by policemen
• No standard time
• Electrical telegraph
• Block instrument
• Absolute Block Working
14. The Story of Signalling: Semaphore Signals
15. The Story of Signalling: Basic Signalling
[Diagram: Block Section, Station Limits, Block Section; Distant Signal, Home Signal, Starter Signal; Station; Signal Box; Direction of travel]
16. The Story of Signalling: Outer Home Signal
[Diagram: Block Section, Station Limits, Block Section; Distant Signal, Outer Home Signal, Home Signal, Starter Signal; Station; Signal Box; Overlap; Direction of travel]
17-34. The Story of Signalling: Four Aspect Signalling (animated sequence over slides 17 to 34)
35. The Story of Signalling: Interlocking and Control Centre
[Diagram: Control System connected to Interlocking; Interlocking interfaces: train detection inputs, point control outputs, point detection inputs, signal lamp outputs, lamp proving inputs]
36. The Story of Signalling: Interlocking Principles
• The interlocking is the safety device for the signalling equipment.
• It will not allow an unsafe condition to occur.
• It ensures that all train movements are protected.
• The design of the interlocking is the responsibility of principal design engineers, who must incorporate very strict rules.
• The design is independently checked and tested.
37. The Story of Signalling: Mechanical Interlocking
38. The Story of Signalling: Relay Interlocking
39. The Story of Signalling: Solid State Interlocking (SSI)
40. The Story of Signalling: Solid State Interlocking, WESTLOCK
• Put WESTLOCK photo here
41. The Story of Signalling: Lever Frame Control System
42. The Story of Signalling: Control Panel
Cowlairs
43. The Story of Signalling: Large Control Panel
44. The Story of Signalling: Electronic Control Centres
45. Contents (section divider, repeats slide 1)
46. Where Signalling Meets SAT
• Signalling meets SAT at the interlocking
• The interlocking can be seen as a logic engine
47. Where Signalling Meets SAT: At the Interlocking
[Diagram, as on slide 35: Control System connected to Interlocking; Interlocking interfaces: train detection inputs, point control outputs, point detection inputs, signal lamp outputs, lamp proving inputs]
48. Where Signalling Meets SAT
If N = number of inputs, then 2^N combinations of inputs are possible.
BUT… an interlocking can have internal stored states, so the order of the input combinations matters.
BUT… an interlocking can have timers, so the duration of the input combinations matters.
49. Where Signalling Meets SAT
• I can express the behaviour of an interlocking as a set of Boolean equations
• One of the interlocking products used by WRSL uses Ladder Logic
• I can express safety rules about my interlocking as generic rules
• I can use SAT theory to demonstrate that my interlocking logic meets the safety rules
50. Where Signalling Meets SAT: WESTRACE Ladder Logic
51. Where Signalling Meets SAT: At the Interlocking
Example rules, general:
1. Points should not be moved if the track is occupied
2. Signals can only show a proceed aspect if the track is clear for the route set
Example rules, specific:
1. Points P123 should not be moved if track TC is occupied
2. If the route is set S1 to S3, the signal can only show proceed if tracks TC, TG are clear, plus TH if overlap
[Layout diagram: signals S1, S2, S3; tracks TA, TB, TC, TD, TE, TG, TH; points P123]
52. Where Signalling Meets SAT
[Flow diagram: Signalling Designer + Specific Railway → Interlocking Logic; Specific Layout + Generic Safety Rules → Instancing → Specific Safety Requirements; Interlocking Logic checked against Specific Safety Requirements → Satisfiable?]
This is the hard bit! Are the safety properties complete?
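A worked version of the check on slides 49 to 52, as an added example that is not from the talk or from WRSL: the layout names P123, TC, TG, TH, S1 and S3 come from the slides, while the ladder-style equations, the input names and the deliberately weakened variant are assumptions made here to show what a satisfying assignment of (logic AND NOT rules) looks like.

```python
"""Added example (not WRSL code): check a small interlocking against
instanced safety rules by asking whether (logic AND NOT rules) is
satisfiable. Layout names P123, TC, TG, TH, S1, S3 come from the slides;
the ladder-style equations and input names are constructed here."""
from itertools import product

# Interlocking inputs (Boolean variables). Constructed names.
INPUTS = ["tc_occ", "tg_occ", "th_occ", "route_s1_s3", "overlap", "p123_req"]

def interlocking(inp, guard_overlap=True):
    """Ladder-logic style equations: each output is a Boolean function
    of the inputs. guard_overlap=False models a missing rung."""
    clear = lambda track: not inp[track]
    # Rung 1: P123 may move only on request and while TC is clear
    p123_move = inp["p123_req"] and clear("tc_occ")
    # Rung 2: S1 shows proceed only if route S1-S3 is set and TC, TG clear
    s1_proceed = inp["route_s1_s3"] and clear("tc_occ") and clear("tg_occ")
    if guard_overlap:  # Rung 3: with an overlap, TH must be clear as well
        s1_proceed = s1_proceed and (not inp["overlap"] or clear("th_occ"))
    return {"p123_move": p123_move, "s1_proceed": s1_proceed}

# Generic rules (slide 51) instanced onto this layout (slide 52)
def rule_points(inp, out):
    """Points are not moved while the track over them is occupied."""
    return not (out["p123_move"] and inp["tc_occ"])

def rule_signal(inp, out):
    """Proceed only if the route's tracks are clear (plus TH if overlap)."""
    needed = ["tc_occ", "tg_occ"] + (["th_occ"] if inp["overlap"] else [])
    return not out["s1_proceed"] or not any(inp[t] for t in needed)

def find_violation(logic):
    """Return an input assignment that satisfies logic AND NOT rules,
    or None if that formula is unsatisfiable (logic meets the rules).
    With N inputs there are 2**N assignments (slide 48), so for this
    toy size plain enumeration stands in for a SAT solver."""
    for bits in product([False, True], repeat=len(INPUTS)):
        inp = dict(zip(INPUTS, bits))
        out = logic(inp)
        if not (rule_points(inp, out) and rule_signal(inp, out)):
            return inp   # satisfying assignment = safety counterexample
    return None          # UNSAT

if __name__ == "__main__":
    print("full logic:", find_violation(interlocking))
    weak = lambda inp: interlocking(inp, guard_overlap=False)
    print("without overlap rung:", find_violation(weak))
```

This covers only the combinational case; the stored states and timers of slide 48 would need the same check run over sequences of input combinations rather than single assignments.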
53. Where Signalling Meets SAT: WRSL and IRG research
WRSL is working with Swansea University to enhance our understanding of satisfiability testing, and to understand how it can be applied to railway interlocking systems.
WRSL is also working with Prover Technology to evaluate the use of their proof technology with Invensys Rail WESTRACE interlockings.
[Layout diagram, as on slide 51: signals S1, S2, S3; tracks TA, TB, TC, TD, TE, TG, TH; points P123]
54. Contents (section divider, repeats slide 1)
55. Final thoughts: High Speed Trains
• European Rail Traffic Management System (ERTMS)
56. Final thoughts: High speed trains
If you are driving one of these… you need cab signalling!
57. Final thoughts: ERTMS
• ERTMS = European Rail Traffic Management System
• Interoperability across Europe
• Signalling and Automatic Train Protection on the train
• Interlocking is still required – but…
58. Final thoughts: Size and Complexity
Over time:
• Signalling systems have got more complex
• The scope of individual system components has got larger
• We have reached the limits of traditional approaches
Question: Has the size/complexity of modern safety systems exceeded the ability of human understanding? If the answer is “Yes” then we need practical applications of technologies such as SAT!
59. Thank you!