EP3395643B1 - Method for checking safety requirements of ssi-based data used in an interlocking control system - Google Patents

Method for checking safety requirements of ssi-based data used in an interlocking control system Download PDF

Info

Publication number
EP3395643B1
EP3395643B1 EP17305477.6A EP17305477A EP3395643B1 EP 3395643 B1 EP3395643 B1 EP 3395643B1 EP 17305477 A EP17305477 A EP 17305477A EP 3395643 B1 EP3395643 B1 EP 3395643B1
Authority
EP
European Patent Office
Prior art keywords
data
unsafe
interlocking
state
application data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP17305477.6A
Other languages
German (de)
French (fr)
Other versions
EP3395643A1 (en
Inventor
Cydney Minkowitz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alstom Transport Technologies SAS
Original Assignee
Alstom Transport Technologies SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alstom Transport Technologies SAS filed Critical Alstom Transport Technologies SAS
Priority to EP17305477.6A priority Critical patent/EP3395643B1/en
Priority to AU2018202873A priority patent/AU2018202873B2/en
Publication of EP3395643A1 publication Critical patent/EP3395643A1/en
Application granted granted Critical
Publication of EP3395643B1 publication Critical patent/EP3395643B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L19/00Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06Interlocking devices having electrical operation
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00Station blocking between signal boxes in one yard
    • B61L21/04Electrical locking and release of the route; Electrical repeat locks
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/60Testing or simulation

Definitions

  • the present invention concerns a method for checking safety requirements of SSI-based data (for Solid State Interlocking based date) used in an interlocking control system.
  • An interlocking control system is a computer based railroad signaling system whose purpose is to ensure the safe movements of railroad vehicles, in particular in order to prevent collisions and derailments.
  • the present invention relates therefore to the domain of circulation management of vehicles using a transportation network, such as a railroad transportation network, a subway network, a tramway network, or the like.
  • a transportation network such as a railroad transportation network, a subway network, a tramway network, or the like.
  • the circulation management is achieved through interlocking equipment of an interlocking system, often called “yard equipment” and/or “wayside equipment” and/or “trackside equipment”, which are designed to perform specific train circulation-related operations.
  • This equipment may comprise signaling devices and/or railroad switches and/or track circuits, or the like.
  • This field equipment may be controlled remotely by operators through an interlocking control system, in a semi-automatic or automatic manner, based on a software architecture executed by computing means of the control system.
  • the interlocking control system includes a communication network through which the system is interfaced with the field equipment.
  • An interlocking control system is usually designed through known methods which design both the hardware and the software components of the system, as well as the communication network used for interfacing the transportation network wayside equipment with the developed hardware.
  • the interlocking control system comprises hardware, including one or more control units, for controlling the interlocking equipment, each control unit comprising computing means intended for controlling the interlocking equipment remotely through the communication network.
  • control units may be station-based, the communication network being configured to link the units to the interlocking equipment arranged trackside.
  • the communication network usually comprises a network of cables connected to each element of the interlocking equipment and to one or several of the control units.
  • the computing means of the control units execute software, in other words a system of one or more computer programs.
  • the interlocking control system comprises a plurality of interlocking applications, and the functioning of each interlocking application, also called the logic of each application, is configured using software tools.
  • SML400GP SSI-based product which is part of a family of products known as Smartlock 400, which was designed as a successor to previous Solid State Interlocking (SSI) products.
  • the logic for a specific SML400GP SSI-based interlocking application is expressed using an extension of the SSI language, known per se as the SML400 language.
  • the SML400GP SSI-based product consists of interlocking hardware, software, communications technology, as well as tools for the preparation and verification of data.
  • the core of the product is the well-known Central Interlocking (CIXL) module, and it interprets, in a manner known per se, SSI data, which in the following of the description will be referred as application data.
  • the application data are prepared off-line in a manner known per se, preferably in an office environment using standard computers, and they are subsequently embedded in the CIXL.
  • the application data is the data specific to the signaling area that the interlocking control system controls; the CIXL contains fixed software used to interpret these specific application data.
  • the operation of the interlocking control system is based, in a manner known per se, on exchange of data, in the form of signals, between the interlocking control system and the interlocking equipment.
  • the application data define the interlocking equipment logic for a predetermined signaling application and are usually verified and validated before being supplied to the interlocking control system.
  • This verification includes, in a manner known per se, a series of manual and automatic procedures aiming at checking that the data are suitable for being installed in the interlocking control system from a formal point of view, i.e. that they fulfill formal constraints.
  • the application data must satisfy the processing requirements of the CIXL in order to be sufficiently self-consistent and complete so as not to cause the CIXL interpreter software to malfunction.
  • Tools exist to automatically verify the application data but they only perform checks to ensure that the application data meets run-time constraints of the CIXL. They do not check if certain logical conditions, in particular safety conditions, are satisfied, i.e. conditions that could lead to incidents that may cause harm to trains and their passengers.
  • the technique used involves checking the model against test scenarios that manifest different train movements that may be made in the interlocking application, so it is more a test via simulation approach than a proof approach.
  • the technique is also currently limited to checks on a single interlocking application, i.e. it has not been used to verify application data of communicating interlockings.
  • the method according to the present invention is arranged to validate the application data that the CIXL subsystem interprets against safety requirements.
  • the method for checking safety requirements of SSI-based data used in an interlocking control system uses the same data model in the same environment in which the existing tools of the SML400GP SSI-based toolset run.
  • the method for checking safety requirements of SSI-based data used in an interlocking control system is preferably executed by a computer-implemented software module, and it comprises the steps and sub-steps defined herein below and schematically illustrated in the block diagram of figure 1 .
  • an application data file is generated in a manner known per se.
  • the application data file comprises SML400 application data of the type which is usually installed on a CIXL.
  • SML400 application data is a code that represents interlocking logic, i.e. an implementation of the signaling requirements that a CIXL must satisfy.
  • the interlocking logic is applied to the interlocking equipment in zones corresponding to signaling areas of the transportation network that the CIXL controls.
  • the application data are created from code related to one or more virtual interlockings, referred to as VIXLs.
  • each VIXL of a CIXL is defined using a procedural, object-centered language, which is designed to be backwards compatible with the language used for configuring SSI-based interlocking control systems.
  • the application data are interpreted on contents of memories representing states of signaling functions (e.g. signals, switches, track sections and routes) that the interlocking control system controls. Iterating in cycles, the CIXL receives indications of the current states of the signaling functions, updates the memories accordingly as the logic demands, sends commands to control the signaling functions to their new states, and processes requests from a signaler (or requests made within the application data).
  • states of signaling functions e.g. signals, switches, track sections and routes
  • a constraint violation file is prepared, this file being preferably written in a manner known per se in SSI-like notation.
  • the constraint violation file contains data representative of constraint violations expressed in SML400-like syntax.
  • the constraint violation file comprises therefore a plurality of conditions that describe a plurality of unsafe scenarios of the interlocking equipment.
  • a constraint violation may be used to express conditions when it would be unsafe to move a particular switch, such as the following scenario. It is unsafe whenever the switch is in one position and at least one of the track sections on which it lies becomes occupied, in the case when the switch is moved to the other position and at least one of the track sections on which it lies is already occupied.
  • a subsequent step 6 data of the application data file are selected according to a first constraint violation condition of the plurality of violation constraint conditions of the constraint violation file.
  • a first constraint violation condition of the plurality of violation constraint conditions of the constraint violation file.
  • only the data which correspond to an unsafe scenario defined in the first constraint violation condition are selected from the whole data of the application data file. For example, with reference to the above-disclosed example related to the movement of a switch, all the data which refer to the unsafe movement of the switch are selected.
  • a context comprises in a manner per se known a plurality of paths through the application data that process a specific signaling request. Taking the above example of the switch movement, one context may be for a request to move the switch, and another context may be for a request to set a route which in turn relies on the switch being moved.
  • the paths in a context typically contain data that test and/or update relevant parts of the signaling function memories so that, when executed, enables the particular request to be fulfilled.
  • each unsafe scenario of the plurality of unsafe scenarios contained in the constraint violation file corresponds at least one context, preferably a plurality of contexts, each context comprising a plurality of paths in the application data. If a context comprises paths that could lead to an unsafe state, the method forces them to be executed.
  • a scenario corresponds to a set of variables disclosing the scenario from the point of view of the settings of the interlocking equipment, i.e. each variable discloses a predetermined setting of one of the interlocking equipment.
  • predetermined initialized values are therefore assigned to said variables, thus obtaining an initial state for the unsafe scenario.
  • the paths belonging to the at least one context identified at step 7 are executed, in the application data context itself.
  • the unsafe scenario identified at step 6 starting from the initial state, all possible paths of the at least one context are followed. Therefore, for the given unsafe scenario, starting from a predetermined initial state, each path is executed in the application data and respective resulting states are obtained.
  • step 12 at the end of each path, a check is done to determine if an unsafe state has been reached, by comparing the respective resulting state with the data of the scenario (i.e. with the data of the constraint violation file).
  • Steps 10 and 12 are repeated, starting each time, for each path, with the corresponding resulting state reached at the previous step, until unsafe states or no new safe states are reached.
  • each path that leads to an unsafe state is displayed to a user in a manner per se known.
  • the method for checking safety requirements of SSI-based data above disclosed operates on the same data model on which the other SML400 application data tools operate.
  • the data model is accessed and interpreted in a way that is equivalent to the way the CIXL interprets the application data. This means that the method according to the present invention is run on data that are semantically correct and that manifest similar behavior as the target data.
  • the method according to the present invention allows to validate CIXL application data against specified safety constraints, or rather to prove that there is no execution path in the application data that would result in a state that violates the constraints.
  • the method performs an exhaustive search on parts of the application data that could lead to an unsafe state, by executing those parts on that state and all new safe states that result from the execution, until an unsafe state is reached or all states have been searched.
  • the SML400GP SSI-based application data tools operate on a model of the data rather than on the target data, unlike other solutions, all of the target data are represented in the model.
  • all data are considered in the proofs, excluding parts of the data that are evaluated to be irrelevant to the safety condition currently being proved, rather than ignoring certain parts of the data a priori.

Description

  • The present invention concerns a method for checking safety requirements of SSI-based data (for Solid State Interlocking based date) used in an interlocking control system.
  • An interlocking control system is a computer based railroad signaling system whose purpose is to ensure the safe movements of railroad vehicles, in particular in order to prevent collisions and derailments.
  • The present invention relates therefore to the domain of circulation management of vehicles using a transportation network, such as a railroad transportation network, a subway network, a tramway network, or the like. In a manner known per se, the circulation management is achieved through interlocking equipment of an interlocking system, often called "yard equipment" and/or "wayside equipment" and/or "trackside equipment", which are designed to perform specific train circulation-related operations. This equipment may comprise signaling devices and/or railroad switches and/or track circuits, or the like.
  • This field equipment may be controlled remotely by operators through an interlocking control system, in a semi-automatic or automatic manner, based on a software architecture executed by computing means of the control system. The interlocking control system includes a communication network through which the system is interfaced with the field equipment.
  • An interlocking control system is usually designed through known methods which design both the hardware and the software components of the system, as well as the communication network used for interfacing the transportation network wayside equipment with the developed hardware.
  • The interlocking control system comprises hardware, including one or more control units, for controlling the interlocking equipment, each control unit comprising computing means intended for controlling the interlocking equipment remotely through the communication network.
  • Practically, the control units may be station-based, the communication network being configured to link the units to the interlocking equipment arranged trackside. For this purpose, the communication network usually comprises a network of cables connected to each element of the interlocking equipment and to one or several of the control units.
  • For controlling the interlocking equipment, the computing means of the control units execute software, in other words a system of one or more computer programs.
  • In particular, the interlocking control system comprises a plurality of interlocking applications, and the functioning of each interlocking application, also called the logic of each application, is configured using software tools.
  • A particular product is nowadays used, the so-called SML400GP SSI-based product, which is part of a family of products known as Smartlock 400, which was designed as a successor to previous Solid State Interlocking (SSI) products.
  • In particular, the logic for a specific SML400GP SSI-based interlocking application is expressed using an extension of the SSI language, known per se as the SML400 language. The SML400GP SSI-based product consists of interlocking hardware, software, communications technology, as well as tools for the preparation and verification of data.
  • The core of the product is the well-known Central Interlocking (CIXL) module, and it interprets, in a manner known per se, SSI data, which in the following of the description will be referred as application data. The application data are prepared off-line in a manner known per se, preferably in an office environment using standard computers, and they are subsequently embedded in the CIXL.
  • The application data is the data specific to the signaling area that the interlocking control system controls; the CIXL contains fixed software used to interpret these specific application data.
  • As above disclosed, the operation of the interlocking control system is based, in a manner known per se, on exchange of data, in the form of signals, between the interlocking control system and the interlocking equipment.
  • The application data define the interlocking equipment logic for a predetermined signaling application and are usually verified and validated before being supplied to the interlocking control system. This verification includes, in a manner known per se, a series of manual and automatic procedures aiming at checking that the data are suitable for being installed in the interlocking control system from a formal point of view, i.e. that they fulfill formal constraints.
  • In particular, the application data must satisfy the processing requirements of the CIXL in order to be sufficiently self-consistent and complete so as not to cause the CIXL interpreter software to malfunction. Tools exist to automatically verify the application data, but they only perform checks to ensure that the application data meets run-time constraints of the CIXL. They do not check if certain logical conditions, in particular safety conditions, are satisfied, i.e. conditions that could lead to incidents that may cause harm to trains and their passengers.
  • Other tools are used to execute the application data in a laboratory test environment to provide confidence that the data are compliant to the signaling principles and the interlocking logistical requirements, however, the setting-up and running of the tests is a time consuming process, and it is almost impossible to create test scenarios that would take into account every possible circumstance that could lead to a violation of a safety condition.
  • In order to solve the problem of safety validation, some methods for checking safety requirements of application data used in an SSI interlocking control system have been proposed.
  • Document " Towards an Integrated Model Checker for Railway Signalling Data", Michael Huber and Steve King, Springer-Verlag Berlin Heidelberg 2002, p. 20, discloses the use of model checking techniques, known per se, for automatically checking safety conditions of application data used in an SSI interlocking control system. The technique disclosed involves the automatic translation of a subset of the whole application data into a predetermined model expressed using a formalism different from the one with which the application data have been created, so that they can be checked by using a pre-existing general purpose model checking software. The behavior of the predetermined model is a close approximation of the behavior of an interlocking control system employing the application data, but the use of the general purpose model checking software is inefficient and requires expert skills. The document concludes that a purpose-build SSI data checker would be more optimal and usable.
  • Document " Verification of railway interlocking systems", Simon Busard, Quentin Cappart, Christophe Limbree, Charles Pecheur, Pierre Schaus, in Proceedings ESSS 2015 discloses a more recent experiment of using a general purpose model checker software, known per se, on application data of SSI interlocking systems, which shows better performance results. Like the previous solution, this solution involves the automatic translation of the application data into the formalism required by the model checker software, and the behavior of the model is an approximation of the behavior of the interlocking control system employing the application data. However, only certain types of data are included in the model, based on the assumption that only those types of data are safety related, ignoring the possibility that the misuse of other types of data could lead to an unsafe state. The technique used involves checking the model against test scenarios that manifest different train movements that may be made in the interlocking application, so it is more a test via simulation approach than a proof approach. The technique is also currently limited to checks on a single interlocking application, i.e. it has not been used to verify application data of communicating interlockings.
  • In view of the above, there is therefore the need to provide a method for checking safety requirements of SSI-based data used in an interlocking control system which checks automatically all possible scenarios, which does not employ a general purpose model checking software and/or which does not requires expert skills, thus overcoming the limitations of the prior art solutions.
  • This and other objects are fully achieved by virtue of a method for checking safety requirements of SSI-based data used in an interlocking control system having the characteristics defined in independent claim 1.
  • Preferred embodiments of the invention are specified in the dependent claims, whose subject-matter is to be understood as forming an integral part of the present description.
  • Further characteristics and advantages of the present invention will become apparent from the following description, provided merely by way of a non-limiting example, with reference to the enclosed drawings, in which:
    • Figure 1 shows a block diagram of the steps of a method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention.
  • The method according to the present invention is arranged to validate the application data that the CIXL subsystem interprets against safety requirements.
  • The method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention uses the same data model in the same environment in which the existing tools of the SML400GP SSI-based toolset run.
  • The method for checking safety requirements of SSI-based data used in an interlocking control system according to the present invention is preferably executed by a computer-implemented software module, and it comprises the steps and sub-steps defined herein below and schematically illustrated in the block diagram of figure 1.
  • In a first step 2, an application data file is generated in a manner known per se. The application data file comprises SML400 application data of the type which is usually installed on a CIXL. SML400 application data is a code that represents interlocking logic, i.e. an implementation of the signaling requirements that a CIXL must satisfy.
  • The interlocking logic is applied to the interlocking equipment in zones corresponding to signaling areas of the transportation network that the CIXL controls. In other words, the application data are created from code related to one or more virtual interlockings, referred to as VIXLs.
  • The logic for each VIXL of a CIXL is defined using a procedural, object-centered language, which is designed to be backwards compatible with the language used for configuring SSI-based interlocking control systems.
  • The application data are interpreted on contents of memories representing states of signaling functions (e.g. signals, switches, track sections and routes) that the interlocking control system controls. Iterating in cycles, the CIXL receives indications of the current states of the signaling functions, updates the memories accordingly as the logic demands, sends commands to control the signaling functions to their new states, and processes requests from a signaler (or requests made within the application data).
  • In a subsequent step 4, a constraint violation file is prepared, this file being preferably written in a manner known per se in SSI-like notation. The constraint violation file contains data representative of constraint violations expressed in SML400-like syntax. The constraint violation file comprises therefore a plurality of conditions that describe a plurality of unsafe scenarios of the interlocking equipment.
  • For example, a constraint violation may be used to express conditions when it would be unsafe to move a particular switch, such as the following scenario. It is unsafe whenever the switch is in one position and at least one of the track sections on which it lies becomes occupied, in the case when the switch is moved to the other position and at least one of the track sections on which it lies is already occupied.
  • In a subsequent step 6 data of the application data file are selected according to a first constraint violation condition of the plurality of violation constraint conditions of the constraint violation file. In particular, only the data which correspond to an unsafe scenario defined in the first constraint violation condition are selected from the whole data of the application data file. For example, with reference to the above-disclosed example related to the movement of a switch, all the data which refer to the unsafe movement of the switch are selected.
  • At this point, in a subsequent step 7, at least one application data context is determined, for the unsafe scenario of the first constraint violation condition, in a manner per se known. A context comprises in a manner per se known a plurality of paths through the application data that process a specific signaling request. Taking the above example of the switch movement, one context may be for a request to move the switch, and another context may be for a request to set a route which in turn relies on the switch being moved. The paths in a context typically contain data that test and/or update relevant parts of the signaling function memories so that, when executed, enables the particular request to be fulfilled. As a consequence, to each unsafe scenario of the plurality of unsafe scenarios contained in the constraint violation file corresponds at least one context, preferably a plurality of contexts, each context comprising a plurality of paths in the application data. If a context comprises paths that could lead to an unsafe state, the method forces them to be executed.
  • Returning now to figure 1, at step 8, for the unsafe scenario identified at step 6, all the variables that define all possible states of the scenario are initialized, thus setting an initial state for said variables. In particular, it is known that a scenario corresponds to a set of variables disclosing the scenario from the point of view of the settings of the interlocking equipment, i.e. each variable discloses a predetermined setting of one of the interlocking equipment. At step 8, predetermined initialized values are therefore assigned to said variables, thus obtaining an initial state for the unsafe scenario.
  • Subsequently, at step 10, the paths belonging to the at least one context identified at step 7 are executed, in the application data context itself. In particular, for the unsafe scenario identified at step 6, starting from the initial state, all possible paths of the at least one context are followed. Therefore, for the given unsafe scenario, starting from a predetermined initial state, each path is executed in the application data and respective resulting states are obtained.
  • A this point, at step 12, at the end of each path, a check is done to determine if an unsafe state has been reached, by comparing the respective resulting state with the data of the scenario (i.e. with the data of the constraint violation file).
  • If no unsafe state has been detected, it is further determined if the resulting state (which should therefore be a safe state) has not been reached.
  • Steps 10 and 12 are repeated, starting each time, for each path, with the corresponding resulting state reached at the previous step, until unsafe states or no new safe states are reached.
  • At the end of the loop, at step 14 each path that leads to an unsafe state is displayed to a user in a manner per se known.
  • The above disclosed steps 6 to 12 are repeated for any constraint violation condition of the plurality of violation constraint conditions of the constraint violation file.
  • The method for checking safety requirements of SSI-based data above disclosed operates on the same data model on which the other SML400 application data tools operate. The data model is accessed and interpreted in a way that is equivalent to the way the CIXL interprets the application data. This means that the method according to the present invention is run on data that are semantically correct and that manifest similar behavior as the target data.
  • As clearly detailed in the above, the method according to the present invention allows to validate CIXL application data against specified safety constraints, or rather to prove that there is no execution path in the application data that would result in a state that violates the constraints.
  • To this end, starting from an initial state, the method performs an exhaustive search on parts of the application data that could lead to an unsafe state, by executing those parts on that state and all new safe states that result from the execution, until an unsafe state is reached or all states have been searched.
  • The main advantages of the method according to the present invention are the followings:
    • limited informatics skills are required to perform the method;
    • the validation method is performed by a user-friendly software system that provides support for the interlocking configuration process: it is enough to create a text file with the constraint violations expressed in a few lines using SSI-like notation and to select a menu command of the interlocking configuration system;
    • the method is applied to application data of single VIXLs or on data that relate to multiple VIXLs of the same interlocking or different interlockings, thus enabling safety requirements of data related to communicating interlockings to be checked.
    • the method can be performed in phases, by running separate proofs to validate safety requirements related to different signaling functions of different VIXLs, to enable the validation activity to be performed in parallel;
    • the method splits the application data into manageable partitions and it uses bespoke algorithms to search them efficiently;
    • the method applies domain-specific heuristics (knowledge about signaling applications in general and SSI-based applications in particular) that are derivable automatically from the types of constraint violations. These techniques serve to limit the search space for each proof, thus making the solution feasible for complex data.
  • In experiments done, the method has found known data errors, related to a certain type of safety condition, in reasonable time.
  • Although the SML400GP SSI-based application data tools operate on a model of the data rather than on the target data, unlike other solutions, all of the target data are represented in the model. In particular, according to the method of the present invention, all data are considered in the proofs, excluding parts of the data that are evaluated to be irrelevant to the safety condition currently being proved, rather than ignoring certain parts of the data a priori.

Claims (2)

  1. Method for checking safety requirements of Solid State Interlocking based data used in an interlocking control system for controlling an interlocking equipment, the method comprising the steps of:
    a) obtaining (2) application data representative of interlocking logic operations of the interlocking equipment;
    b) preparing (4) a constraint violation file containing data representative of a plurality of constraint violation conditions, said data describing a plurality of unsafe scenarios of the interlocking equipment;
    for each constraint violation condition of the plurality of constraint violation conditions:
    c) selecting (6) data of the application data according to the constraint violation condition, said selected data corresponding to a predetermined unsafe scenario of the plurality of unsafe scenarios defined in the constraint violation file;
    d) determining (7) at least one predetermined context associated to said unsafe scenario, said context comprising a plurality of paths through the application data;
    e) initializing (8) variables that define all possible states of said unsafe scenario, thus obtaining a predetermined initial state, said variables being representative of the scenario from the point of view of settings of the interlocking equipment;
    f) executing (10), starting from said initial state, all possible paths of the context in the application data, thus obtaining respective resulting states;
    g) at an end of each path, determining (12) if an unsafe state has been reached by comparing a respective resulting state with the data of the constraint violation file;
    h) if no unsafe state has been detected, determining (12) if the resulting state has not been reached;
    i) repeating steps f), g) and h), starting, for each path, from the respective resulting state, until unsafe states or no new states are reached.
  2. Method according to claim 1, further comprising, after step i), the step of displaying (14) each path that leads to an unsafe state.
EP17305477.6A 2017-04-28 2017-04-28 Method for checking safety requirements of ssi-based data used in an interlocking control system Active EP3395643B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP17305477.6A EP3395643B1 (en) 2017-04-28 2017-04-28 Method for checking safety requirements of ssi-based data used in an interlocking control system
AU2018202873A AU2018202873B2 (en) 2017-04-28 2018-04-26 Method for checking safety requirements of SSI-based data used in an interlocking control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP17305477.6A EP3395643B1 (en) 2017-04-28 2017-04-28 Method for checking safety requirements of ssi-based data used in an interlocking control system

Publications (2)

Publication Number Publication Date
EP3395643A1 EP3395643A1 (en) 2018-10-31
EP3395643B1 true EP3395643B1 (en) 2020-03-11

Family

ID=58701568

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17305477.6A Active EP3395643B1 (en) 2017-04-28 2017-04-28 Method for checking safety requirements of ssi-based data used in an interlocking control system

Country Status (2)

Country Link
EP (1) EP3395643B1 (en)
AU (1) AU2018202873B2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115525929A (en) * 2022-09-19 2022-12-27 卡斯柯信号有限公司 Formal verification method and system for interlocking data security
CN116187104B (en) * 2023-04-27 2023-08-01 华侨大学 Safety analysis and development method and device for rail transit interlocking system
CN117670630B (en) * 2024-02-02 2024-04-30 华侨大学 Safety analysis method, system, equipment and medium for high-speed railway interlocking system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101167050A (en) * 2005-04-21 2008-04-23 阿尔斯通铁路公开有限公司 Control system for railway signalling network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
AU2018202873A1 (en) 2018-11-15
EP3395643A1 (en) 2018-10-31
AU2018202873B2 (en) 2022-05-19

Similar Documents

Publication Publication Date Title
Könighofer et al. Shield synthesis
ES2307954T3 (en) METHOD AND DEVICE FOR GENERATING LOGIC CONTROL UNITS FOR ESSENTIAL COMPUTER APPLIANCES BASED ON RAILWAY STATIONS.
AU2018202873B2 (en) Method for checking safety requirements of SSI-based data used in an interlocking control system
Boulanger CENELEC 50128 and IEC 62279 standards
Comptier et al. Safety analysis of a CBTC system: a rigorous approach with Event-B
Song et al. Validation, verification and evaluation of a train to train distance measurement system by means of colored petri nets
Vu et al. Formal modeling and verification of interlocking systems featuring sequential release
Li et al. HAZOP study on the CTCS-3 onboard system
Comptier et al. Property-based modelling and validation of a CBTC zone controller in Event-B
James et al. On modelling and verifying railway interlockings: Tracking train lengths
Mitsch et al. Formal verification of train control with air pressure brakes
Vanit-Anunchai Modelling and simulating a Thai railway signalling system using Coloured Petri Nets
Xie et al. Safety and reliability estimation of automatic train protection and block system
Khan et al. On the real time modeling of interlocking system of passenger lines of Rawalpindi Cantt train station
Luo et al. Applying sofl to a railway interlocking system in industry
Ferrari et al. Product line engineering applied to CBTC systems development
Banci et al. Some experiences on formal specification of railway interlocking systems using statecharts
Zhang Aspect-oriented approach to modeling railway cyber physical systems
RU2470339C2 (en) Method for certification of monitoring/control system and monitoring/control system certified using said method
Issad et al. A model-based methodology to formalize specifications of railway systems
Tarasyuk et al. Quantitative verification of system safety in Event-B
Cappart et al. A dedicated algorithm for verification of interlocking systems
Ito Method of evaluating the influence factor of safety in the automated driving system: the chasm between SAE level 2 and level 3
CN117670630B (en) Safety analysis method, system, equipment and medium for high-speed railway interlocking system
Minkowitz Rule-Directed Safety Validation of SSI-Based Interlocking Application Data Models

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190401

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20191023

RIN1 Information on inventor provided before grant (corrected)

Inventor name: MINKOWITZ, CYDNEY

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1242798

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200315

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602017012894

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200611

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20200311

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200611

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200612

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200805

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200711

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602017012894

Country of ref document: DE

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1242798

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200311

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200428

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200430

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200430

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201103

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

26N No opposition filed

Effective date: 20201214

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200428

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200311

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230424

Year of fee payment: 7

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230823

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: BE

Payment date: 20230419

Year of fee payment: 7

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230419

Year of fee payment: 7