Satisfiability Testing in the Railway Industry

SAT 2009, Twelfth International Conference on Theory and Applications of Satisfiability Testing

Simon Chadwick, Head of Research, Westinghouse Rail Systems Limited, Chippenham, UK

Contents
• Introduction
• Railways and Safety
• The Story of Signalling
• Where Signalling meets SAT
• Some final thoughts

Introduction: WRSL
• Westinghouse Rail Systems Limited
• Part of Invensys Rail Group
• Part of Invensys plc

Railways and Safety
• First railway? The Stockton & Darlington Railway, opened 27th September 1825.
• First railway accident? William Huskisson (1770-1830), killed during the opening of the Liverpool and Manchester Railway, 15th September 1830.
• Incremental rule building, applied for 150 years: a cycle of accident, investigation, changes and improvement.
• Causes of accidents are many: civil engineering failure, failure of the train, failure of operators, failure of the signalling system.
• Railway signalling assumes that the rails are intact, the civil engineering is intact and the trains are intact.

The Story of Signalling
What is signalling for? To maintain the safety of trains by:
1. Maintaining a safe distance between following trains on the same track
2. Safeguarding the movement of trains at junctions and crossings
3. Regulating the passage of trains according to the service density and speed required
4. Ensuring the safety of trains in the event of equipment failure

• Early signalling: PROCEED / STOP.
• Time interval working: regulation of trains by time, controlled by policemen, with no standard time. Then the electrical telegraph, the block instrument and absolute block working.
• Semaphore signals.
• Basic signalling (diagram): block section and station limits; distant signal, home signal and starter signal; station and signal box; direction of travel.
• Outer home signal (diagram): as above, plus outer distant and outer home signals and the overlap beyond the home signal.
• Four aspect signalling (an animated sequence of diagrams over eighteen slides).
• Interlocking and control centre (diagram): the control system sits above the interlocking; train detection inputs, point detection inputs and lamp proving inputs feed the interlocking, which drives point control outputs and signal lamp outputs.

Interlocking principles
• The interlocking is the safety device for the signalling equipment.
• It will not allow an unsafe condition to occur.
• It ensures that all train movements are protected.
• The design of the interlocking is the responsibility of principal design engineers, who must incorporate very strict rules.
• The design is independently checked and tested.

Interlocking technologies: mechanical interlocking, relay interlocking, Solid State Interlocking (SSI), and WESTLOCK (photo placeholder in the original slides).
Control systems: lever frame, control panel (Cowlairs), large control panel, electronic control centres.

Where Signalling Meets SAT
• Signalling meets SAT at the interlocking.
• The interlocking can be seen as a logic engine.
• At the interlocking (diagram): train detection, point detection and lamp proving inputs in; point control and signal lamp outputs out; control system above.
• If N is the number of inputs, then 2^N combinations of inputs are possible. BUT the interlocking can have internal stored states, so the order of combinations of inputs matters. BUT it can also have timers, so the duration of combinations of inputs matters.
• I can express the behaviour of an interlocking as a set of Boolean equations.
• One of the interlocking products used by WRSL, WESTRACE, uses Ladder Logic.
• I can express safety rules about my interlocking as generic rules.
• I can use SAT theory to demonstrate that my interlocking logic meets the safety rules.

Example rules, general:
1. Points should not be moved if the track is occupied.
2. Signals can only show a proceed aspect if the track is clear for the route set.

Example rules, specific (for the slide's layout: signals S1, S2, S3; points P123; track circuits TA, TB, TC, TD, TE, TG, TH):
1. Points P123 should not be moved if track TC is occupied.
2. If the route is set from S1 to S3, signal S1 can only show proceed if tracks TC and TG are clear, plus TH if the overlap is required.

The verification flow (diagram):
• Specific railway layout, via the signalling designer, gives the specific interlocking logic.
• Generic safety rules, via instancing, give the specific safety requirements.
• Interlocking logic plus safety requirements: Satisfiable?
• This is the hard bit! Are the safety properties complete?

WRSL and IRG research
WRSL is working with Swansea University to enhance our understanding of satisfiability testing, and to understand how it can be applied to railway interlocking systems. WRSL is also working with Prover Technology to evaluate the use of their proof technology with Invensys Rail WESTRACE interlockings.

Final thoughts
• High speed trains: the European Rail Traffic Management System (ERTMS). If you are driving one of these, you need cab signalling!
• ERTMS = European Rail Traffic Management System: interoperability across Europe; signalling and Automatic Train Protection on the train. An interlocking is still required, but...
• Size and complexity, over time: signalling systems have got more complex; the scope of individual system components has got larger; we have reached the limits of traditional approaches.
• Question: has the size and complexity of modern safety systems exceeded the ability of human understanding? If the answer is "Yes", then we need practical applications of technologies such as SAT!

Thank you!
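The SAT check sketched on the "Where Signalling Meets SAT" slides, as an added example that is not from the original slides, from WESTRACE or from Prover Technology's tooling. It encodes two assumed ladder "rungs" for the slide's layout (P123 movement and the S1 proceed aspect) as Tseitin CNF, conjoins the negation of each specific safety rule, and asks a small hand-written DPLL solver whether that hazard is satisfiable: UNSAT proves the rule over all 2^N input combinations; SAT yields a counterexample assignment. The variable names, the rung equations and the solver are constructed for this page; stored state (the route being set) is modelled as a free Boolean input and timers are not modelled, which is the simplification the slides warn about. A `drop_tg_check` flag injects a design error (TG omitted from the S1 rung) to show what a failed proof looks like.

```python
"""SAT check of a toy interlocking against the two specific safety rules on the slide.
Constructed example: rung equations, names and the DPLL solver are assumptions,
not WESTRACE ladder logic or Prover Technology's tooling."""


def T(name):
    """Positive literal for variable `name`."""
    return (name, True)


def NOT(lit):
    """Negate a literal."""
    return (lit[0], not lit[1])


class Cnf:
    """Clause collector; gates are Tseitin-encoded with fresh output variables."""

    def __init__(self):
        self.clauses = []
        self._n = 0

    def _new(self, kind):
        self._n += 1
        return (f"_{kind}{self._n}", True)          # '_' marks an internal variable

    def AND(self, *ins):
        out = self._new("and")
        for i in ins:
            self.clauses.append([NOT(out), i])      # out -> every input
        self.clauses.append([out] + [NOT(i) for i in ins])  # all inputs -> out
        return out

    def OR(self, *ins):
        out = self._new("or")
        for i in ins:
            self.clauses.append([out, NOT(i)])      # any input -> out
        self.clauses.append([NOT(out)] + list(ins))  # out -> some input
        return out

    def assert_true(self, lit):
        self.clauses.append([lit])


def dpll(clauses, assign=None):
    """Return a satisfying assignment, or None if the clauses are unsatisfiable."""
    assign = dict(assign or {})
    changed = True
    while changed:                                   # unit propagation to a fixpoint
        changed = False
        for clause in clauses:
            if any(assign.get(n) == p for n, p in clause):
                continue                             # clause already satisfied
            free = [(n, p) for n, p in clause if n not in assign]
            if not free:
                return None                          # clause falsified: conflict
            if len(free) == 1:
                assign[free[0][0]] = free[0][1]
                changed = True
    unassigned = sorted({n for c in clauses for n, _ in c} - assign.keys())
    if not unassigned:
        return assign
    for value in (True, False):                      # branch on the first free variable
        model = dpll(clauses, {**assign, unassigned[0]: value})
        if model is not None:
            return model
    return None


def build_hazards(cnf, drop_tg_check=False):
    """Two assumed ladder rungs for the slide's layout, plus the negation of each rule.
    drop_tg_check=True injects a design error (TG omitted from the S1 rung)."""
    tc, tg, th = T("TC_occupied"), T("TG_occupied"), T("TH_occupied")
    route = T("route_S1_S3_set")        # stored state, modelled as a free Boolean
    overlap = T("overlap_TH_required")
    request = T("P123_move_requested")
    # Rung 1: P123 moves only when requested and TC is clear
    p123_move = cnf.AND(request, NOT(tc))
    # Rung 2: S1 proceeds only with route set, TC and TG clear, TH clear if overlap needed
    th_ok = cnf.OR(NOT(overlap), NOT(th))
    terms = [route, NOT(tc), th_ok] if drop_tg_check else [route, NOT(tc), NOT(tg), th_ok]
    s1_proceed = cnf.AND(*terms)
    return {
        # Rule 1 violated: points moved while TC is occupied
        "P123_moved_with_TC_occupied": cnf.AND(p123_move, tc),
        # Rule 2 violated: proceed shown although TC, TG, or TH (with overlap) is occupied
        "S1_proceed_with_route_not_clear": cnf.AND(
            s1_proceed, route, cnf.OR(tc, tg, cnf.AND(overlap, th))),
    }


def check_rules(drop_tg_check=False):
    """Per rule: None if the hazard is UNSAT (rule holds for all 2^N inputs),
    otherwise a counterexample assignment of the interlocking's inputs."""
    results = {}
    for rule in ("P123_moved_with_TC_occupied", "S1_proceed_with_route_not_clear"):
        cnf = Cnf()
        cnf.assert_true(build_hazards(cnf, drop_tg_check)[rule])
        model = dpll(cnf.clauses)
        results[rule] = None if model is None else {
            k: v for k, v in model.items() if not k.startswith("_")}
    return results


if __name__ == "__main__":
    for label, err in (("correct logic", False), ("TG check dropped", True)):
        for rule, cex in check_rules(err).items():
            print(f"{label:16} {rule}: {'PROVEN' if cex is None else cex}")
```

With the correct rungs both hazards are unsatisfiable, so both rules are proven without enumerating the 2^N inputs. With the TG check dropped, rule 1 still holds but rule 2 returns an assignment with the route set, TC clear and TG occupied: exactly the hazard a design reviewer would want handed to them rather than found in service. A real interlocking model also needs the stored states and timers unrolled over time (bounded model checking), which this example deliberately leaves out.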
