Experience using Coloured Petri Nets to Model Railway Interlocking Tables
S.-W. Lin and L. Petrucci (Eds.): 2nd French Singaporean Workshop on Formal Methods and Applications, EPTCS 156, 2014, pp. 17–28, doi:10.4204/EPTCS.156.6
© S. Vanit-Anunchai. This work is licensed under the Creative Commons Attribution License.

Somsak Vanit-Anunchai ∗
School of Telecommunication Engineering, Institute of Engineering, Suranaree University of Technology, Muang, Nakhon Ratchasima, Thailand
[email protected]
Abstract

Interlocking tables are the functional specification defining the routes on which the passage of a train is allowed. Associated with each route, the states and actions of all related signalling equipment are also specified. It is well known that designing and verifying interlocking tables is labour intensive, tedious and prone to errors. To assist the verification process and detect errors rapidly, we formally model and analyse interlocking tables using Coloured Petri Nets (CPNs). Although a large interlocking table can easily be modelled, analysing the model is rather difficult because of the state explosion problem and undesired safe deadlocks, i.e. markings in which no train collides but the train traffic cannot proceed any further. For ease of analysis we incorporate automatic route setting and automatic route cancelling functions into the model; these reduce the number of deadlocks. We also exploit the new features of CPN Tools, namely prioritized transitions, inhibitor arcs and reset arcs, which reduce the size of the state spaces. Finally, we include a fail-safe requirement called flank protection in the interlocking model.
1 Introduction

In the railway signalling domain, an interlocking table is a tabular representation comprising the sections or routes that a train is allowed to enter, together with the required states and actions of all related equipment along those routes. The interlocking table plays such an important role that operating procedures and train movements must comply with it. The document also acts as a legal agreement between the railway administrator and the contractor. Railway signalling contractors usually have software tools that generate the interlocking table from the track layout and the track-side equipment. However, the generated table is not unique: it depends on the signalling principles or regulations of each railway administrator. After the interlocking tables have been designed and checked by the contractor, they need to be rechecked by the administrator's signal engineers. In the past we inspected the submitted interlocking tables manually, without any software tools, so the checking process was very slow, labour intensive and prone to errors. To reduce the manpower and time consumed by the checking process, we have been introducing the State Railway of Thailand to formal methods and CPN Tools since 2009.
Previously, in [11], we modelled and analysed a single track railway station using Coloured Petri Nets (CPNs). We created a static model in which the CPN structure was used to mimic the signalling layout and the tokens with a complex data structure. When the signalling layout was modified or rebuilt, we simply changed the initial marking. To solve the second problem, this paper introduces the automatic route setting and automatic route cancelling functions into the CPN model. Although these two procedures are not specified in the interlocking tables, both are standard operating procedures normally conducted by signalmen. After applying these two procedures, the sequences of route setting commands that lead to traffic deadlocks can be avoided.

∗ Supported by National Research Council of Thailand Grant no. PorKor/2551-153.
The contribution of this paper is threefold. Firstly, to ease the analysis and get rid of the undesired safe terminal markings, the automatic route setting and automatic route cancelling functions are included in the model. Secondly, when we analysed the double track station in [12], we encountered state explosion. To alleviate the state explosion problem, we revise the CPN model by exploiting the recently introduced features of CPN Tools version 4.0.0 [13]: prioritized transitions, inhibitor arcs and reset arcs. Thirdly, designing a large interlocking table is a difficult task partly because the railway signalling system is required to be fail safe. Fail safe means that, in the event of a failure, the system shall respond in a way that is not harmful and poses no danger to persons. In the railway signalling domain an important failure event is a train overrunning a stop signal. To prevent an accident when a train overruns a stop signal, a fail-safe condition called "flank protection" is required. This condition was not included in [11] and [12] because it does not affect the normal functional behaviour as long as no fault occurs in the braking system and the train driver obeys the signals. This paper includes flank protection in the model.

The rest of this paper is organised as follows. Section 2 briefly explains the concepts of railway signalling systems and interlocking tables. Section 3 reviews related work. The CPN model is discussed in Section 4. Analysis results are reported in Section 5. Section 6 presents conclusions and outlines suggested future work.
2 Railway Signalling and Interlocking Tables

In general the railway lines are divided into sections. To avoid collisions, only one train is allowed in a section at a time. A train may enter or leave a section only when the driver receives authorization from a signalman via a signal indicator. Before the signalman issues the authorization, he needs to ensure that no object blocks the passage of the train. The section between two railway stations, which involves two signalmen, is called a "block section". To prevent human errors that may lead to collisions, the strict operation of a block section is controlled by equipment called "block instruments". Figure 1 shows the signalling layout of a double track station named "Panthong". The signalling layout comprises a collection of railway tracks and signalling equipment such as track circuits, points and signals (e.g. signal no. 1-3 and signal no. 2-4). Each piece of signalling equipment has an identification number and holds a certain state, as follows.

Figure 1: Signalling layout of the Panthong Station (double track).

Track circuits

A track circuit is an electrical device used to detect the presence of a train. A track circuit (e.g. 61T, 1-3T) is either clear, indicating no train on the track, or occupied, indicating the possible presence of a train. When a track circuit fails, its state is occupied even if there is no train.

Warner signals

A warner signal (e.g. 1-1, 2-2, 3-1, 4-2) has two aspects: yellow or green. It informs drivers about the status of the next signal.

Home signals

A home signal (e.g. 1-3, 2-4, 3-3, 4-4) has three aspects: red, yellow or green. It displays red when the train is forbidden to enter the station area. It displays yellow to give the driver authority to move the train into the station area and prepare to stop at the next signal. It displays green to give the driver authority to move the train through the station and enter the next block section.

Starter signals

A starter (e.g. 15, 16, 17, 18, 31, 32) has two aspects: red or green. It displays red when forbidding the train to enter the block section. It displays green when giving the driver authority to move the train into the block section.

Point

A point (e.g. 101A, 101B, 111, 112, 102A, 102B), also called a railway switch or turnout, is a mechanical installation used to guide a train from one track to another. A point usually has a straight-through track called the "main line" and a diverging track called the loop line. A point is right-hand when a train moving from the joint track diverges to the right of the straight track; a left-hand point has the diverging track on the opposite side. When a point diverts the train, it is in the reverse position. When a point lets the train move straight through, it is in the normal position.

Derailer

A derailer (e.g. 201, 202) is a mechanical installation used to prevent unauthorized movements of trains or unattended rolling stock. A vehicle is derailed when it rolls over the derailer. The normal position is the derailing position.

A collection of track circuits along a reserved section is called a "route". The entry signal shall be cleared to let the train enter the route. Although the request to clear the entry signal is issued by the signalman,
Route locking

Route setting involves a collection of adjacent track circuits, points and signals. A route can be set and reserved for the passage of a train along it. To assure safety, firstly, the interlocking system verifies that the route does not conflict with any route previously set. Secondly, the points along the route are locked in the correct positions; if the relevant points are not in the correct positions, the controller attempts to set and lock them. Thirdly, the track circuits along the required route must all be clear (unoccupied), so that nothing obstructs the passage of the train. Only then can the entry signal be cleared (showing yellow or green).

Approach locking

After a route has been set, the points locked and the entry signal cleared, if the track circuit in front of (approaching) the entry signal is occupied, then the signalman cannot cancel the route and the entry signal by the normal procedure. Approach locking protects the train driver from a sudden change of signal aspect from green or yellow to red. Column 3 of Table 2, "APPROACH LOCKED WHEN SIGNAL CLEARED & TC OCC", lists the locking that applies when a route is set and the approach track circuit is occupied. For example, route 3-3(3) is approach locked if the route is set and track 3-1T is occupied.

Route release

After the passage of the train, the reserved route is released automatically. The column "ROUTE RELEASED BY" in Table 2 gives the release mechanism for the signalling layout in Fig. 1. Route 3-3(3) is released when the track circuits 3-3T, 3-71AT, 3-71BT, 3-71CT and 101AT are clear; track circuit 18T has been occupied and then cleared; and track circuit 63T is occupied. A reserved route can also be emergency released, but the release action is delayed for 4 minutes (240 s) after the signalman issues the "emergency route release" command.

Table 1: An Interlocking Table for Panthong station (part 1: Route locking). (Entries not reproduced.)

Table 2: An Interlocking Table for Panthong station (part 2: Approach locking). Columns: ROUTE (From, To); APPROACH LOCKED WHEN SIGNAL CLEARED & TC OCC; ROUTE RELEASED BY (TC CLEAR; TC OCC & CLEAR; TC OCC); OR EMERGENCY RELEASE AFTER 240 sec. (Row entries not reproduced; the entries for route 3-3(3) are given in the text above.)

Table 3: An Interlocking Table for Panthong station (part 3: Flank Protection). Columns: ROUTE (From, To); SET & LOCKS POINTS (NORMAL, REVERSE); CONTROLS REQUIRE TRACK CLEAR; INTERLOCKING AT TIME OF CLEARING ONLY. Rows for routes 3-3(1), 3-3(2), 3-3(3) and 15(2). Recoverable entries: point 102 for routes 3-3(1), 3-3(2) and 3-3(3); derailers 201 and 202 for 3-3(2); derailer 202 for 15(2); track circuits 62T and 63T in the CONTROLS REQUIRE TRACK CLEAR column.
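The approach-locking and route-release rules above for route 3-3(3) can be expressed as a small state machine driven by track-circuit events. The following Python is an added example written for this page, not part of the paper's CPN model: the release rule is the one stated in the text, the order in which the train occupies the track circuits is assumed, the 240 s emergency delay is taken from Table 2, and dropping the entry signal to red once the train enters the first track of the route is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReleaseRule:
    """One route's entries from Table 2 (approach locking and 'route released by')."""
    route: str
    approach_track: str        # approach locked when signal cleared and this TC occupied
    clear: tuple               # track circuits that must all be clear
    occupied_then_clear: str   # track circuit the train must have passed over
    occupied: str              # track circuit the train must now be standing on

# Route 3-3(3) as described in the text.
RULE_333 = ReleaseRule("3-3(3)", "3-1T",
                       ("3-3T", "3-71AT", "3-71BT", "3-71CT", "101AT"), "18T", "63T")
EMERGENCY_DELAY_S = 240   # emergency release delay from Table 2

class RouteState:
    """Tracks one set route from signal clearance to release."""
    def __init__(self, rule):
        self.rule = rule
        self.tc = {}                 # track circuit -> "clear" | "occupied"
        self.set = False
        self.signal_cleared = False
        self.passage = 0             # 0: not yet on 18T, 1: on 18T, 2: passed 18T
        self.pending = None          # seconds left on an emergency release timer

    def occ(self, track):
        return self.tc.get(track, "clear") == "occupied"

    def set_route(self):
        self.set, self.signal_cleared, self.passage, self.pending = True, True, 0, None

    def approach_locked(self):
        return self.set and self.signal_cleared and self.occ(self.rule.approach_track)

    def on_event(self, track, state):
        """Feed a track-circuit state change; returns True if the route released."""
        self.tc[track] = state
        if not self.set:
            return False
        r = self.rule
        if track == r.occupied_then_clear:
            if state == "occupied" and self.passage == 0:
                self.passage = 1
            elif state == "clear" and self.passage == 1:
                self.passage = 2
        # Assumption: the entry signal returns to red once the train is on the route.
        if track == r.clear[0] and state == "occupied":
            self.signal_cleared = False
        released = (all(not self.occ(t) for t in r.clear)
                    and self.passage == 2 and self.occ(r.occupied))
        if released:
            self._release()
        return released

    def cancel(self, emergency=False):
        """Signalman's cancel request. Returns the delay in seconds before the
        route is released, or None if the request is refused."""
        if not self.set:
            return None
        if not self.approach_locked():
            self._release()
            return 0
        if not emergency:
            return None              # approach locked: normal cancel refused
        self.pending = EMERGENCY_DELAY_S
        return self.pending

    def elapse(self, seconds):
        if self.pending is not None:
            self.pending -= seconds
            if self.pending <= 0:
                self._release()

    def _release(self):
        self.set, self.signal_cleared, self.passage, self.pending = False, False, 0, None

# Constructed event sequence: a length-less train occupies one TC at a time
# (assumed track order along the route).
PASSAGE = [(t, s) for t in ("3-1T", "3-3T", "3-71AT", "3-71BT", "3-71CT", "101AT", "18T")
           for s in ("occupied", "clear")] + [("63T", "occupied")]

def release_index(events=PASSAGE, rule=RULE_333):
    """Index of the event at which the route is released, or None."""
    rs = RouteState(rule)
    rs.set_route()
    for i, (track, state) in enumerate(events):
        if rs.on_event(track, state):
            return i
    return None

def approach_lock_demo():
    """Train on 3-1T with signal 3-3 cleared: normal cancel refused,
    emergency cancel delayed, route still set until the timer expires."""
    rs = RouteState(RULE_333)
    rs.set_route()
    rs.on_event("3-1T", "occupied")
    normal, emergency = rs.cancel(), rs.cancel(emergency=True)
    still_set = rs.set
    rs.elapse(EMERGENCY_DELAY_S)
    return normal, emergency, still_set, rs.set

if __name__ == "__main__":
    i = release_index()
    print("route 3-3(3) released at event", i, PASSAGE[i])
    print("approach lock demo:", approach_lock_demo())
```

The release condition is evaluated after every event rather than at a fixed step, so it does not matter whether 63T becomes occupied before or after 18T clears; only the "occupied then clear" history of 18T is order-sensitive, which is why it is kept as a small counter instead of a snapshot of the track-circuit states.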
Flank protection

This is an important class of fail-safe requirement. Equipment in the surrounding area of a reserved route that could cause an accident shall be protected even if no train is expected to pass the corresponding signal or points. Points should be in such positions that they do not give immediate access to the route. Even though those flank points and derailers are not located on the required route, they shall be locked in the safe position when the route is set and remain locked until the route is released. Table 3 shows the flank protection requirements for routes 3-3(1), 3-3(2), 3-3(3) and 15(2) of Panthong's interlocking table. For example, route 3-3(3) requires points 102 (both 102A and 102B), which are not on the route, to be locked in the normal position. Route 15(2) requires track circuit 63T, which is not on route 15(2), to be unoccupied, and derailer 202, which is also not on route 15(2), to be locked in the derailing position. Because routes 3-3(3) and 15(2) are not in conflict, trains may enter these two routes at the same time. However, on arriving at 63T, the train on route 3-3(3) could overrun the red signal no. 17 and collide with the train on route 15(2) at point 102. To prevent this accident, route 3-3(3) requires flank protection: point 102 must be locked in the normal position. Consequently, route 15(2) cannot be set while point 102 is in the normal position.
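To make the interaction between route locking (Table 1) and flank protection (Table 3) concrete, here is an added Python example written for this page, not code from the paper's CPN model. The table fragment embeds the constraints the text states for routes 3-3(3) and 15(2) (point 102 locked normal as flank protection for 3-3(3); point 102 reverse, 63T clear and derailer 202 in its normal, derailing position for 15(2)); the track-circuit lists of each route, the conflicting-route entries and route 3-3(1) are assumptions made for the example, not Panthong's real table.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RouteRow:
    """One route's entries from Table 1 (route locking) and Table 3 (flank protection)."""
    route: str
    tracks_clear: tuple                  # track circuits on the route that must be clear
    routes_normal: tuple = ()            # conflicting routes that must not be set
    points_normal: tuple = ()            # points on the route, set and locked Normal
    points_reverse: tuple = ()           # points on the route, set and locked Reverse
    flank_points_normal: tuple = ()      # off-route points/derailers locked Normal
    flank_points_reverse: tuple = ()     # off-route points locked Reverse
    flank_tracks_clear: tuple = ()       # off-route track circuits that must be clear

# Constructed table fragment.  The 102 / 63T / 202 entries follow the text; the
# track lists, route 3-3(1) and the conflicting-route entries are assumed.
# Derailer 202 is treated like a point whose Normal position is the derailing one.
TABLE = {
    "3-3(1)": RouteRow("3-3(1)", ("3-3T", "3-71AT", "61T"),
                       routes_normal=("3-3(2)", "3-3(3)")),
    "3-3(3)": RouteRow("3-3(3)", ("3-3T", "3-71AT", "3-71BT", "3-71CT", "101AT", "63T"),
                       routes_normal=("3-3(1)", "3-3(2)"),
                       flank_points_normal=("102A", "102B")),
    "15(2)":  RouteRow("15(2)", ("15T", "102AT", "102BT"),
                       points_reverse=("102A", "102B"),
                       flank_points_normal=("202",),
                       flank_tracks_clear=("63T",)),
}

@dataclass
class Yard:
    occupied: set = field(default_factory=set)      # occupied track circuits
    point_pos: dict = field(default_factory=dict)   # point/derailer -> "Normal" | "Reverse"
    point_lock: dict = field(default_factory=dict)  # point/derailer -> routes holding the lock
    routes_set: set = field(default_factory=set)

    def holders(self, pid):
        return self.point_lock.setdefault(pid, set())

def required_positions(row, flank):
    req = {p: "Normal" for p in row.points_normal}
    req.update({p: "Reverse" for p in row.points_reverse})
    if flank:
        req.update({p: "Normal" for p in row.flank_points_normal})
        req.update({p: "Reverse" for p in row.flank_points_reverse})
    return req

def try_set_route(yard, table, route, flank=True):
    """Route locking as in Section 2: conflict check, track check, then set and
    lock points.  Returns (True, "") or (False, reason); the yard is left
    unchanged on failure."""
    row = table[route]
    for other in yard.routes_set:                                  # 1. conflicting routes
        if other in row.routes_normal or route in table[other].routes_normal:
            return False, f"{route} conflicts with set route {other}"
    tracks = set(row.tracks_clear) | (set(row.flank_tracks_clear) if flank else set())
    busy = sorted(tracks & yard.occupied)                          # 2. track circuits
    if busy:
        return False, f"track circuit(s) occupied: {busy}"
    req = required_positions(row, flank)                           # 3. points
    for pid, pos in req.items():
        cur = yard.point_pos.get(pid, "Normal")
        if cur != pos and yard.holders(pid):
            return False, f"point {pid} locked {cur} by {sorted(yard.holders(pid))}"
    for pid, pos in req.items():                                   # commit
        yard.point_pos[pid] = pos
        yard.holders(pid).add(route)
    yard.routes_set.add(route)
    return True, ""

def release_route(yard, route):
    yard.routes_set.discard(route)
    for held in yard.point_lock.values():
        held.discard(route)

def scenario(flank):
    """Set 3-3(3) and then 15(2) on an empty yard; returns each request's outcome."""
    yard = Yard()
    return [(r,) + try_set_route(yard, TABLE, r, flank) for r in ("3-3(3)", "15(2)")]

if __name__ == "__main__":
    for flank in (False, True):
        print("flank protection", "on: " if flank else "off:", scenario(flank))
```

Without the Table 3 entries the two routes share no track circuit and no point, so both requests succeed; with them, setting 3-3(3) locks 102A and 102B normal and the request for 15(2) is refused because it needs the same points reverse. This is exactly the "non-conflicting routes become conflicting" effect that the analysis in Section 5 reports as a drastic reduction of the state space.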
3 Related Work

In [6], Fokkink and Hollingshead divide the railway signalling system into three layers: the infrastructure, interlocking and logistics layers. The infrastructure layer involves the objects or equipment used in the yard; work in this category, for instance [1, 4], is tied closely to the manufacturer's products. The logistics layer involves human operation and train scheduling, which aim at efficiency and the absence of deadlocks. It involves the operation of the whole railway network (e.g. [7, 9]), so the state space explosion problem is often encountered. The interlocking layer provides the interface between the logistics and infrastructure layers. It protects us from accidents caused by human errors or equipment failures. Work in this category models the interlocking tables and verifies them against the signalling principles. For example, [6, 15] use a theorem prover and [16] uses NuSMV. Hansen [8] presented a VDM model of a railway interlocking system and validated it through simulation using Meta Language (ML). The work focuses on the principles and concepts of Danish systems rather than a particular interlocking system. He also pointed out that interlocking systems from other countries may differ from the interlocking described in [8]. Winter [14] proposed creating two formal models during the design process of interlockings: a formal model of the signalling principles, called the principle model, and a formal model of the functional specification for a specific track layout, called the interlocking model. The control tables are translated into an interlocking model and then checked against the principle model. At first Winter used CSP (Communicating Sequential Processes) as the modelling language but later found that the CSP models of the interlocking system and the signalling principles were difficult to understand and validate. Thus [16] used ASM (Abstract State Machine) notation to model the semantics of control tables. The ASM model is then automatically transformed into NuSMV code [5] while the safety properties are expressed in CTL (Computation Tree Logic). Basten [2] simulated and analysed railway interlocking specifications using ExSpect, a software tool based on high-level Petri nets. However, formal verification of railway interlockings was not possible because they were too complex for the technology of the time. Hagalisletto et al. [7] modelled signalling equipment such as track circuits and turnouts using Coloured Petri Nets, but their aim was to simulate the train schedule rather than to verify the interlocking.
4 The CPN Model

Coloured Petri Nets (CPNs) [10] are a graphical modelling language for the design, verification and analysis of distributed, concurrent and complex systems. CPNs include hierarchical constructs that allow modular specifications to be created. CPN Tools [10] is a software tool used to create, maintain, simulate and analyse CPNs. We use CPN Tools version 4 [13] to create our railway signalling model and analyse it using reachability analysis.

To reduce the complexity of the model as well as to avoid the state explosion problem encountered when analysing railway networks [7, 16], we make the following assumptions regarding train movement and signalling operations:

1. A train has no length and occupies one track circuit at a time. A train moves in only one direction. Train shunting is not considered.
2. Our model does not include auxiliary signals such as call-on, shunting and junction indicators.
3. Our model does not include level crossings.
4. Our model includes a high-level abstraction of the block systems but does not model their operation in detail.
5. Our model does not include timers.
6. A train must not move through a track circuit so fast that the interlocking cannot detect its presence. We use prioritized transitions to model this condition.
7. Unlike [12], our CPN model includes flank protection.
This section presents two example CPN pages. Owing to space limitations we explain only the UserCommand and Move Track to Track pages, because these pages play central roles in the model. For the global declarations and other details of our CPN model of the interlocking table, see [11] and [12].

The UserCommand page shown in Fig. 2 models the actions that follow a route request command (e.g. 3-3(3)). Transition SetRoute checks whether it is plausible to set the requested route. Taking tokens from the fusion places RouteNormal and TrackPool, transition SetRoute checks that:

1. no conflicting route is being set (modelled by the function require_route_normal);
2. the relevant tracks are unoccupied (modelled by the functions require_track_clear and require_flank_track_clear).

If all conditions are met, transitions SetNormalLock and SetReverseLock attempt to set and lock the points in the correct positions. The two conditions and the states of the relevant point machines and derailers are rechecked by the substitution transition RouteSetting.

The model description above is already enough to satisfy the specification. However, when the CPN model was analysed, we found many deadlocks which were safe terminal states. It is inconvenient to investigate all of these deadlocks, so we attempt to reduce their number by introducing automatic route setting and automatic route cancelling. These two functions are not specified in the interlocking table because they are normally carried out by the signalman. The automatic route setting condition is that the preselected route setting command can be issued only when the track in front of the entry signal is occupied. This is modelled by the ML function approach_set. After transition SetRoute fires, it is disabled by the inhibitor arc from place RouteSuccess?: while the route setting process is not complete, no other route can be set. Transitions SetNormalLock and SetReverseLock attempt to set and lock the points in the positions specified in the interlocking table. Because transition SetNormalLock has the higher priority, its actions do not interleave with those of transition SetReverseLock. When the route setting cannot be completed and no other action can occur in the model, the incomplete route setting is cancelled by transition CancelRouteSetting (lowest priority). This transition clears all tokens in the places SetPointReverseLock and SetPointNormalLock through reset arcs (drawn as double-headed arcs) in a single step. Using prioritized transitions, inhibitor arcs and reset arcs alleviates the state explosion problem, and the automatic route setting and automatic route cancellation eliminate deadlocks caused by the wrong sequence of route setting commands given by the signalman.

Figure 2: CPN model: UserCommand page. (Recoverable from the page: places SetPointReverseLock and SetPointNormalLock (colour set INT), RouteSuccess? (ROUTE), SetRouteCommand (In/Out, ROUTE), TrackPool (fusion set 2, TRACK), POINT_POOL (fusion set 3, POINT) and RouteNormal (fusion set 6, ROUTE); substitution transition RouteSetting; transition SetRoute with priority P_HIGH; transitions SetReverseLock and SetNormalLock with priorities P_SetPointR and P_SetPointN and guard [p_id = Int.toString(i) andalso From = (Int.toString(i)^"T")]; transition CancelRouteSetting with priority P_LOWEST. Arc inscriptions include require_track_clear(route) ++ require_flank_track_clear(route) ++ list_to_ms(approach_set(route)); require_route_normal(route); list_to_ms(rpoint_normal(route) ^^ r_flank_point_normal(route)); list_to_ms(rpoint_reverse(route) ^^ r_flank_point_reverse(route)); require_point_normal(route) ++ require_point_reverse(route) ++ require_flank_point_normal(route) ++ require_flank_point_reverse(route); unlock_point_normal(route) ++ unlock_point_reverse(route) ++ unlock_flank_point_normal(route) ++ unlock_flank_point_reverse(route); 1`{pid=p_id, pos=Normal, lock=true}; 1`{pid=p_id, pos=Reverse, lock=true}; 1`{pid=p_id, pos=pos1, lock=false}; 1`{tid=From, pos=noTrain}.)
Figure 3 shows the CPN diagram modelling the simple train movements between two adjacent tracks. Place Config stores tokens representing the signalling layout, as discussed in [12]. In addition to the layout, the train movement requires information about the status of the signalling equipment, stored in places TrackPools, SignalPool and PointPool1. Transition MoveT2T represents movement across adjacent plain tracks. Transition MoveTST behaves like transition MoveT2T except that there is an entry signal post between the adjacent tracks; in this case the train moves towards the back of the signal. Train movement facing the front of an entry signal is modelled on another CPN page, illustrated in [12]. Movement across points is captured by transition MoveTPT. For ease of analysis we also add two places, AccidentH2T H2H and AccidentHead2Side, for detecting train collisions.

Figure 3: CPN model: Move Track to Track page.
5 Analysis Results

A basic safety property that railway signalling shall provide is the prevention of train collisions and derailments. Places AccidentH2T H2H and AccidentHead2Side shall be empty when no collision occurs. Derailment is checked on other CPN pages that we do not discuss in this paper. To convince ourselves of the correctness of our CPN model and of the interlocking table, the CPN model is analysed using reachability analysis in CPN Tools version 4.0.0. The investigation of the generated reachability graphs was conducted on Windows XP on an AMD 9650 computer at 2.30 GHz with 3.5 GB of RAM. After generating each full graph, we use ML query functions to search for markings that have tokens in places AccidentH2T H2H or AccidentHead2Side. Of course we also need to check the other accident places on the CPN pages that are not discussed in this paper. For ease of investigating the terminal markings, we attempt to execute the model until there is no train left in the model. This can be done using automatic route setting and automatic route cancellation. However, there are still possible deadlocks left, as shown in Section 5.3.

Although we can analyse various scenarios by changing the initial marking, owing to space limitations we discuss only six cases, with the initial configurations shown in Table 4:

1. Case A: three trains are on the platform tracks.
2. Case B: two trains are on the platform tracks 62T and 63T.
3. Cases C1, C2 and C3: one train is on platform track 61T, 62T or 63T respectively.
4. Case D: no train is on the platform tracks.

In all initial markings, four trains are approaching from the north and south directions and the other track circuits are unoccupied; all points are in the Normal position and unlocked; all derailers are Normal and locked; all signals are in their normal states.
Table 4: Initial configurations of track circuits.

Case   1-1T      3-1T      61T       62T        63T       4-2BT      2-2BT
A      TrainUP   TrainUP   TrainUP   TrainDOWN  TrainUP   TrainDOWN  TrainDOWN
B      TrainUP   TrainUP   noTrain   TrainDOWN  TrainUP   TrainDOWN  TrainDOWN
C1     TrainUP   TrainUP   TrainUP   noTrain    noTrain   TrainDOWN  TrainDOWN
C2     TrainUP   TrainUP   noTrain   TrainUP    noTrain   TrainDOWN  TrainDOWN
C3     TrainUP   TrainUP   noTrain   noTrain    TrainUP   TrainDOWN  TrainDOWN
D      TrainUP   TrainUP   noTrain   noTrain    noTrain   TrainDOWN  TrainDOWN
Tables 5 and 6 show the analysis results: state space sizes, execution times and the number of deadlocks. All markings are safe (no train collision). In particular, Table 5 illustrates that our approach reduces the state space sizes:

1. B[Coor2010] is the old analysis result for Case B (from [12]).
2. B[no Flank Protection] is the new result for Case B when the CPN model is revised not only with prioritized transitions, inhibitor arcs and reset arcs but also with the automatic route setting and automatic route cancelling functions, while flank protection is still not included. This result shows that our proposal reduces the number of states to about 70% of the previous figure. The number of terminal markings is also reduced significantly.
3. B[with Flank Protection] is the result for Case B when flank protection is added to the model. Because of this restriction, the routes that were non-conflicting in [12] because they share no section now conflict, so the state space size is reduced drastically.

Having revised the model structure with the flank protection requirement, we are able to analyse scenarios that we could not reach before (Cases C1, C2, C3 and D). The details of the terminal markings are listed in Table 7. They show the occupancy of the tracks in front of the entry signals; in all terminal markings the other tracks are unoccupied and all signals are in their normal states. Terminal marking no. 5 of Case C1 and no. 7 of Case D suggest that the signalman can manage the traffic such that no deadlock occurs. For the traffic of Cases C2 and C3 there is always a deadlock, so the emergency procedure has to be conducted carefully to resolve it.

Table 5: Comparison of the state space sizes (with [12]). Columns: Case; Nodes; Arcs; Time (hh:mm:ss); No. of terminal markings. Rows: A[Coor2010], A[no Flank Protection], A[with Flank Protection], B[Coor2010], B[no Flank Protection], B[with Flank Protection]. (Values not reproduced.)

Table 6: Summary of state space results.

Case   Nodes    Arcs      Time (hh:mm:ss)   No. of deadlocks
C1     24,133    45,704   00:55:03          5
C2        196       348   00:01:11          2
C3      2,004     4,788   00:05:35          3
D      76,257   137,398   04:07:27          7
Table 7: Terminal markings.

Case  No.  1-1T     3-1T     61T      62T        63T        4-2BT      2-2BT
C1    1    noTrain  noTrain  TrainUP  TrainUP    TrainUP    TrainDOWN  TrainDOWN
C1    2    TrainUP  TrainUP  TrainUP  TrainDOWN  TrainDOWN  noTrain    noTrain
C1    3    noTrain  TrainUP  TrainUP  TrainUP    TrainDOWN  noTrain    TrainDOWN
C1    4    TrainUP  noTrain  TrainUP  TrainDOWN  TrainUP    TrainDOWN  noTrain
C1    5    noTrain  noTrain  noTrain  noTrain    noTrain    noTrain    noTrain
C2    1    TrainUP  TrainUP  noTrain  TrainUP    TrainDOWN  noTrain    TrainDOWN
C2    2    TrainUP  noTrain  noTrain  TrainUP    TrainUP    TrainDOWN  TrainDOWN
C3    1    noTrain  TrainUP  noTrain  noTrain    TrainUP    TrainDOWN  noTrain
C3    2    noTrain  TrainUP  noTrain  TrainUP    TrainUP    TrainDOWN  TrainDOWN
C3    3    TrainUP  TrainUP  noTrain  TrainDOWN  TrainUP    TrainDOWN  noTrain
D     1    TrainUP  noTrain  noTrain  TrainDOWN  TrainUP    TrainDOWN  noTrain
D     2    noTrain  TrainUP  noTrain  TrainUP    TrainDOWN  noTrain    TrainDOWN
D     3    noTrain  noTrain  noTrain  TrainUP    TrainUP    TrainDOWN  TrainDOWN
D     4    TrainUP  TrainUP  noTrain  TrainDOWN  TrainDOWN  noTrain    noTrain
D     5    noTrain  noTrain  noTrain  noTrain    TrainUP    TrainDOWN  noTrain
D     6    noTrain  TrainUP  noTrain  noTrain    TrainDOWN  noTrain    noTrain
D     7    noTrain  noTrain  noTrain  noTrain    noTrain    noTrain    noTrain

6 Conclusions and Future Work

This paper restructures our previous CPN model [12] to make the analysis process easier and to alleviate the state explosion problem. Our study shows that adding the automatic route setting and automatic route cancelling functions to the CPN model reduces the number of undesired deadlocks. These two functions are not specified in the interlocking table, but they are normally carried out by the signalmen. Our study also shows that using prioritized transitions, inhibitor arcs and reset arcs reduces the state space sizes. Although flank protection significantly reduces the state space size, we discovered that it masks errors in the route locking part of the interlocking table (Table 1). It therefore seems inevitable that the interlocking table must be verified without flank protection before the flank protection functions are verified.

From a modelling perspective it is easy to add the flank protection requirement, but from an analysis perspective it is not so easy to verify. Flank protection is a fail-safe requirement that prevents an accident when equipment fails or a train passes a signal at danger. This dangerous scenario normally cannot be reached in our regular CPN model. To verify flank protection and reach the states that are normally unreachable, the CPN model needs to allow a train to pass a signal at danger. Thus we suggest conducting experiments in which the signal is deleted from the signalling layout so that the train can pass over it. This can easily be done by modifying the configuration tokens that represent the geographic information. The modified CPN models are then used to generate the reachability graphs, and when we search the entire graphs we expect no train collision. However, if the flank points are not related to the required route at all, accidents certainly do not occur regardless of whether the points are normal or reverse. Thus, to prove the safety of the flank protection requirement we need to prove two properties. Firstly, if flank protection works correctly, no train collision occurs. Secondly, if the CPN model does not include flank protection, trains do collide.

When verifying the flank protection in the interlocking table, we always assume that the flank points are known. However, for a large and complex station layout, it is difficult to identify the flank points without errors. To facilitate the design and verification tasks, we suggest using the modified CPN model to generate train collision scenarios. Tracing the markings before the trains collide should help us identify the flank points and their correct positions.
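The two-property check proposed above (no collision with flank protection, a collision without it) and the automatic route setting condition of Section 4 can be tried out on a toy model with a breadth-first reachability search. The following Python is an added example for this page, not the paper's CPN model: the layout (approach track appA, platform platA, a point P beyond the platform's stop signal, and a second route RB through the junction that needs P reverse) is a constructed abstraction, not the Panthong yard, and the "signal deleted" experiment is modelled by letting the train on platA move past its signal regardless of its aspect.

```python
from collections import deque

GONE = "gone"   # a train that has left the modelled area

# Constructed toy layout (not the Panthong yard).  Route RA brings train A from
#  approach track 'appA' onto platform 'platA', whose exit signal is at danger;
# beyond it lies point P.  Route RB takes train B from 'in' through 'junc' to
# 'out' and needs P Reverse.  Flank protection for RA locks P Normal; flank
# protection for RB requires 'platA' to be clear.
ROUTES = {
    "RA": dict(train="A", approach="appA", tracks=("platA",),
               point=None, flank_point="Normal", flank_track=None),
    "RB": dict(train="B", approach="in", tracks=("junc", "out"),
               point="Reverse", flank_point=None, flank_track="platA"),
}
NEXT = {"A": {"appA": "platA", "str": GONE, "junc": GONE},
        "B": {"in": "junc", "junc": "out", "out": GONE}}

def point_needed(route, flank):
    r = ROUTES[route]
    return r["point"] or (r["flank_point"] if flank else None)

def set_route(state, route, flank):
    """Route locking with automatic route setting: the request is only issued
    when the route's train stands on the approach track.  Returns the successor
    marking or None if the route cannot be set."""
    pos_a, pos_b, p_pos, routes = state
    r = ROUTES[route]
    pos = {"A": pos_a, "B": pos_b}
    if route in routes or pos[r["train"]] != r["approach"]:
        return None
    occupied = {pos_a, pos_b}
    if occupied & set(r["tracks"]) or (flank and r["flank_track"] in occupied):
        return None
    need = point_needed(route, flank)
    if need and need != p_pos:
        if any(point_needed(o, flank) for o in routes):   # P locked by a set route
            return None
        p_pos = need                                       # move and lock P
    return (pos_a, pos_b, p_pos, routes | {route})

def move(state, train):
    """Train movement; the train on 'platA' passes its signal at danger."""
    pos_a, pos_b, p_pos, routes = state
    pos = pos_a if train == "A" else pos_b
    own = "RA" if train == "A" else "RB"
    if pos == GONE or (pos == ROUTES[own]["approach"] and own not in routes):
        return None
    if train == "A" and pos == "platA":
        nxt = "str" if p_pos == "Normal" else "junc"
    else:
        nxt = NEXT[train][pos]
    if nxt == ROUTES[own]["tracks"][-1]:     # route released by passage of the train
        routes = routes - {own}
    return (nxt, pos_b, p_pos, routes) if train == "A" else (pos_a, nxt, p_pos, routes)

def explore(flank):
    """Breadth-first reachability search.  Returns (number of markings,
    trace of markings leading to the first collision, or None)."""
    init = ("appA", "in", "Normal", frozenset())
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if s[0] == s[1] and s[0] != GONE:           # two trains on one track circuit
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return len(parent), trace[::-1]
        succ = [set_route(s, r, flank) for r in ROUTES] + [move(s, t) for t in ("A", "B")]
        for n in succ:
            if n is not None and n not in parent:
                parent[n] = s
                queue.append(n)
    return len(parent), None

if __name__ == "__main__":
    for flank in (False, True):
        n, trace = explore(flank)
        print(f"flank protection {'on' if flank else 'off'}: {n} markings,",
              "no collision" if trace is None else f"collision after {len(trace) - 1} steps")
        for m in trace or []:
            print("   ", m)
```

With flank protection off the search returns a trace ending with both trains on junc, and the marking just before the collision shows P in Reverse: this is the kind of back-tracing from a collision marking that the text proposes for identifying a flank point and its safe position. With flank protection on, the same search exhausts the reachable markings without finding a collision.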
Acknowledgments

The author is thankful to the anonymous reviewers, whose constructive feedback has helped improve the quality of this paper.
References

[1] A. Svendsen et al. (2008): The Future of Train Signaling. In: Proceedings of MoDELS 2008, Lecture Notes in Computer Science 5301, Springer Verlag, pp. 128–142.
[2] T. Basten, R. Bol & M. Voorhoeve (1995): Simulating and Analyzing Railway Interlockings in ExSpect. IEEE Parallel & Distributed Technology, Systems & Applications 3(3), pp. 50–62.
[3] J. Bjørk, A. M. Hagalisletto & P. Enger (June 2006): Large Scale Simulations of Railroad Nets. In: Proceedings of the Fourth International Workshop on Modelling of Objects, Components and Agents, MOCA'06, Bericht 272, FBI-HH-B-272/06, pp. 45–101.
[4] C. Chevillat, D. Carrington, P. Strooper, J. G. Süß & L. Wildman (2008): Model-Based Generation of Interlocking Controller Software from Control Tables. In: Proceedings of ECMDA-FA 2008, Lecture Notes in Computer Science 5095, Springer, Heidelberg, pp. 349–360.
[5] A. Cimatti, E. Clarke, F. Giunchiglia & M. Roveri (1999): NuSMV: A New Symbolic Model Verifier. In: Proceedings of the International Conference on Computer Aided Verification, CAV'99, Lecture Notes in Computer Science 1633, Springer Verlag, pp. 495–499.
[6] W. J. Fokkink & P. R. Hollingshead (May 1998): Verification of Interlockings: from Control Tables to Ladder Logic Diagrams. In: Proceedings of the 3rd Workshop on Formal Methods for Industrial Critical Systems (FMICS'98), Stichting Mathematisch Centrum, Amsterdam, pp. 171–185.
[7] A. M. Hagalisletto, J. Bjørk, I. C. Yu & P. Enger (2007): Constructing and Refining Large-Scale Railway Models Represented by Petri Nets. IEEE Transactions on Systems, Man, and Cybernetics, Part C 37(4), pp. 444–460.
[8] K. M. Hansen (1994): Formalizing Railway Interlocking Systems. In: Nordic Seminar on Dependable Computing Systems, Department of Computer Science, Technical University of Denmark, pp. 83–94.
[9] C. W. Janczura (1998): Modelling and Analysis of Railway Network Control Logic using Coloured Petri Nets. Ph.D. thesis, School of Mathematics and Institute for Telecommunications Research, University of South Australia, Adelaide, Australia.
[10] K. Jensen & L. M. Kristensen (2009): Coloured Petri Nets: Modelling and Validation of Concurrent Systems. Springer, Heidelberg.
[11] S. Vanit-Anunchai (2009): Verification of Railway Interlocking Tables using Coloured Petri Nets. In: The Tenth Workshop and Tutorial on Practical Use of Coloured Petri Nets and the CPN Tools, DAIMI PB 590, Department of Computer Science, University of Aarhus, pp. 139–158.
[12] S. Vanit-Anunchai (2010): Modelling Railway Interlocking Table Using Coloured Petri Nets. In D. Clarke & G. Agha, editors: Proceedings of the 12th International Conference on Coordination Models and Languages (Coordination 2010), Lecture Notes in Computer Science 6116, Springer, Heidelberg, Amsterdam, Netherlands, pp. 137–151.
[13] M. Westergaard (2013): CPN Tools 4: Multi-formalism and Extensibility. In José Manuel Colom & Jörg Desel, editors: Petri Nets, Lecture Notes in Computer Science 7927, Springer, pp. 400–409.
[14] K. Winter (2002): Model Checking Railway Interlocking Systems. In: Proceedings of the 25th Australian Computer Science Conference (ACSC 2002).
[15] K. Winter, W. Johnston, P. Robinson, P. Strooper & L. van den Berg (2005): Tool Support for Checking Railway Interlocking Designs. In: Proceedings of the 10th Australian Workshop on Safety Related Programmable Systems (SCS'05), Australian Computer Science Communications, pp. 101–107.
[16] K. Winter & N. Robinson (2003):