JP5302874B2 - Interlocking chart verification device and interlocking chart verification method - Google Patents

Description

  TECHNICAL FIELD The present invention relates to a technology for verifying interlocking charts that define interlocking specifications of interlocking devices that are a type of railway security device, and more particularly, to a technique for verifying in advance the safety of trains when train control is performed according to the interlocking charts. .

  The interlocking device is a device having a railroad security function, and controls equipment such as traffic lights and switchboards while maintaining a predetermined relationship so that the train can operate safely. In this way, operating equipment while maintaining a predetermined relationship is called interlocking. In particular, the fact that one facility in an interlocking relationship restricts the operation of the other facility is called a lock. The simplest example of a lock is an example of a traffic light and a switch on its route. If the switch cannot be changed to the direction of the route, the signal display will be displayed as a progress indicator. Lock it out of control. If the traffic signal is displayed without showing the course, the train will derail or enter an unexpected location.

  The interlocking device is a device for maintaining such interlocking relationship, and an error in the specification of the interlocking device may lead to a serious accident. Therefore, conventionally, there are techniques for verifying in advance the interlocking specifications of the interlocking device and the behavior of the mounted interlocking device itself.

  The specification of the interlocking device is called the interlocking specification. The interlock specification is described in a format called an interlock chart. The interlocking chart is composed of a wiring schematic and an interlocking table.

  Patent Document 1 discloses a method for verifying the interlocking specification of the interlocking device using a formal verification technique that is a verification technique based on a mathematical theory. By using a formal verification method, it is possible to verify whether facilities such as traffic lights and switchboards meet predetermined requirements for railway security, regardless of any linkage specified in the linkage specification.

  Further, in Patent Document 2, the method of Patent Document 1 is expanded so that any equipment handling operation such as a traffic light or a switch is performed by any equipment that does not satisfy the requirements for railway security. A method of verifying whether it is satisfied is disclosed.

  Similarly, in Patent Document 3, the method of Patent Document 1 is expanded to verify whether facilities such as traffic lights and switchboards meet requirements related to railway security even when a train set in advance is operated. A method is disclosed.

JP-A-10-16776 JP 2000-127971 A JP 2000-137624 A

  The verification method disclosed in Patent Document 1, Patent Document 2, and Patent Document 3 is a method for verifying whether the facility satisfies the requirements of the facility for railway security when the facility operates according to the interlocking specification. Railway security refers to the prevention of train collision and derailment. In other words, the requirements for the facilities for railway security are requirements that the facilities must satisfy in order to satisfy the requirements for the trains for railway security, such as the prevention of train collision and derailment.

  The requirements for equipment for railroad security depend on a schematic wiring diagram describing the installation location of the equipment and the track configuration. However, since the wiring schematic differs from station to station, the equipment requirements for railway security are created manually for each station with reference to the wiring schematic. In more detail, a person determines with reference to the wiring schematics whether the equipment meets the requirements of the train for rail security (whether train collision or derailment will occur) It is necessary to derive equipment requirements for railway security.

  As described above, in the prior art, since the requirements for railway security are derived manually, it is necessary to prevent errors and omissions from occurring. In particular, in a station where there are multiple routes, the wiring schematic is complicated, so that attention is required to prevent errors and omissions. Therefore, there is a problem that a lot of time and labor costs are required for manual work. Therefore, it is an issue to prevent errors and omissions in the equipment requirements for railway security, and to reduce manual labor for creating railway security equipment requirements.

  In the prior art, as described above, equipment requirements are created and verified as requirements for railroad security. However, in this method, it is possible to verify train deadlock, which is one of railroad security requirements. Can not. Train deadlock means that two or more trains are forced to stop due to the influence of each other's existing track positions and become stuck. It can be said to be a dangerous phenomenon including the factor of a collision accident because it stops in order to avoid a collision of the train and enters a deadlock state. Also, in order to recover from a deadlock state, it is necessary to stop the train operation on the relevant line, check the safety by hand, and bring the train back, so the time required for recovery and the cost of stopping the train operation are not small .

  Thus, although it can be said that avoiding a deadlock of a train is an important requirement related to railway security, it cannot be expressed as a requirement of equipment. The reason will be described below.

  The deadlock state of the train is a state where the train cannot enter the inside of a certain traffic light set in the course of the train. Since the presence of the train can be detected by the track circuit, the requirement of the facility that “when a certain track circuit falls, the corresponding traffic signal will eventually be displayed” represents the requirement for avoiding deadlock. However, even if an interlocking specification that does not cause deadlock is given, if the train travels on a route in the opposite direction to the assumed route, the track circuit will fall, but the traffic light may not always show the progress. The requirements for the equipment as a deadlock avoidance requirement are not satisfied. In other words, the equipment requirements are only sufficient conditions for deadlock avoidance requirements.

  As described above, since the requirement for avoiding deadlock cannot be expressed as the requirement for equipment, there is a problem that the conventional technology cannot verify the avoidance of deadlock of a train. Then, it becomes a subject to be able to verify the deadlock avoidance of a train.

  In the prior art, the course of the train and the number of trains to be operated are set in advance from the train operation plan and verified within the set range. For this reason, there is a problem that there is no guarantee that the railway security requirements are met when the number of trains that exceed the set range is operated. In other words, in order to guarantee the correctness of the interlocking specification, it is assumed that the trains of all routes / numbers are operated (when the train schedule is disturbed, when it is recovered, the train operation plan is exceeded) It becomes a problem to be able to verify the case where the route / number of trains are operated within a range to be operated or more. In particular, the presence or absence of deadlocks depends on the number of trains to be operated, so it should be verified when the number of trains / routes with expanded settings is operated.

  Furthermore, for the same reason, when there is a train route / number setting (hereinafter referred to as a train operation setting) that does not satisfy the railway safety requirements, the conventional technology cannot grasp the train operation setting. There is a problem. In particular, for deadlocks, rather than avoiding deadlocks in the interlocking device, train operation is set so that the train operation settings that cause deadlocks in this interlocking device are grasped and such train operations are not performed. Other railway security devices such as management systems may be designed. That is, in the interlocking specification, comprehensively grasping the train operation settings that do not satisfy the railway safety requirements is an issue in designing a railway safety device other than the interlocking device.

  In addition, in the conventional technology, exhaustive verification is performed within the set train operation setting range, but at that time, there is a problem that the verification is clear even if the result is clear or the result is unnecessary (the result is not used). . For example, when a deadlock occurs in a certain train operation setting, it is clear that a deadlock occurs even if a train operating on an arbitrary route of the train operation setting is added. Or, if it is found that a train collides in a certain train operation setting, it is known that the interlocking specification is incorrect and needs to be corrected, so other train operation settings and other requirements such as deadlock There is no need to verify the linked specifications.

  Although it depends on the interlocking specifications to be verified and the scale of train operation settings, the verification takes a certain amount of time, so the time loss due to these unnecessary verifications cannot be ignored.

  Therefore, it becomes a problem to discriminate verifications with clear results and verifications that do not require results before verification, and to avoid such unnecessary verification.

  The object of the present invention is to deal with these problems and reduce manual labor to comprehensively verify whether the interlocking specification satisfies the requirements of railway security, particularly the requirement of avoiding deadlock, without errors or omissions. Is to provide technology.

  Therefore, the present invention is an interlocking specification verification device that verifies the interlocking specification that represents the specification of the interlocking device installed on the railway line, and includes the interlocking specification and the train requirement type that is a requirement type related to the train for railway security. Stores and links the linked specification to the formal language specification in the form of a graph that represents the position of the train operating on the railway line, and the train operation setting that is the train information that operates on the railway line to the formal language specification A setting unit that obtains a train-set formal language specification by adding a train generation unit that generates a train requirement that represents a train requirement that operates on a railway line, corresponding to the train-configured formal language specification, based on the train requirement type And a verification unit that verifies whether the formal language specification with train setting satisfies the train requirement.

  According to one aspect of the present invention, it is possible to efficiently verify that the interlocking specifications satisfy the requirements of the train for rail security including avoiding the deadlock of the train for the setting of each train operation, Train operation settings that do not meet train requirements for railway security can be efficiently grasped.

It is a block diagram which shows the structural example of an interlocking specification verification apparatus. It is a figure which shows the hardware structural example of an interlocking specification verification apparatus. It is a figure which shows the example of the wiring schematic which is a component of the interlocking chart used as the input of the interlocking specification verification apparatus. It is a figure which shows the example of the interlocking | linkage table | surface which is a component of the interlocking | linkage chart used as the input of an interlocking specification verification apparatus. It is a figure which shows the example of the graph data of the train non-setting format specification which an interlocking chart conversion part produces. It is a figure which shows the example of the graph data of the train setting completed format specification which a format specification holding part hold | maintains. It is a figure which shows the example of the variable data of the train setting completed formal specification which the formal specification holding part of one Embodiment of this invention hold | maintains. It is a figure which shows the example of the data of a train requirement which a train requirement holding part hold | maintains. It is a figure which shows the example of the data of the interlocking chart conversion information which a conversion information holding part hold | maintains. It is a figure which shows the example of the data of a format verification result which a format verification result holding part hold | maintains. It is a flowchart which shows the example of a procedure of verification of a train setting completed format specification by a train operation setting part, a train requirement production | generation part, and a format verification part. It is a flowchart which shows the example of a procedure which sets train operation information to a train non-setting format specification by the train operation setting part of one Embodiment of this invention. It is a flowchart which shows the example of a procedure which produces | generates a train requirement by a train requirement production | generation part. It is a flowchart which shows the example of a procedure which carries out the screen output of a format verification result by a counterexample reverse conversion and display part.

  The interlocking specification verification device is a device that verifies whether the interlocking specification satisfies the requirements for railway security. The interlocking specification verification device of this embodiment describes the interlocking specification by the interlocking diagram composed of the wiring schematic diagram and the interlocking table, and the train is controlled using the interlocking device according to the interlocking specification. Is a device that verifies whether the train requirements for railway security such as collision avoidance, derailment avoidance, and deadlock avoidance are satisfied.

  The interlocking specification verification apparatus according to the present embodiment converts the interlocking specification into a formal language specification that represents the on-line position of the train. In this formal language specification, a train-configured formal language specification in which the train operation that is train information that operates on the railway line is set is output. The train-set formal language specification is a specification in which the train is placed on the specification that represents the position of the train. On the other hand, based on the train requirement type for railway security, generate train requirements that represent train requirements corresponding to train-set formal language specifications, and verify whether the train-configured formal language specifications satisfy the train requirements .

  In this way, the conventional interlocking specification verification device verifies the facility specification obtained from the interlocking specification and the facility requirement manually generated based on the train requirement, whereas the interlocking specification of the present embodiment. The verification device obtains a train specification (train-set formal language specification) from the interlock specification and train operation, and verifies the train specification against the train requirements.

  Hereinafter, it will be described in detail with reference to the drawings. FIG. 1 is a block diagram illustrating a configuration example of the interlocking specification verification apparatus 201 of the present embodiment. The interlocking specification verification apparatus 201 includes an input unit 101, an interlocking chart holding unit 102, an interlocking chart conversion unit 103, a conversion information holding unit 104, an inference rule holding unit 114, a train operation setting unit 105, a train requirement generation unit 106, and a formal specification holding. Unit 107, train requirement holding unit 108, train requirement type holding unit 109, format verification unit 110, format verification result holding unit 111, counterexample reverse conversion / display unit 112, and output unit 113.

  The input unit 101 receives an input of the interlocking chart to be verified, and registers the input interlocking chart in the interlocking chart holding unit 102.

  The interlocking chart conversion unit 103 acquires the interlocking chart from the interlocking chart holding unit 102, converts the acquired interlocking chart into a train unset format specification, and creates interlocking chart conversion information. The converted train unset format specification is output to the train operation setting unit 105, and the created linked chart conversion information is registered in the conversion information holding unit 104.

  The train operation setting unit 105 acquires the train non-setting format specification from the interlocking chart conversion unit 103. For the acquired train unset format specification, unverified train operation (train route and number of trains to be operated) is set, and a train set format specification is created. The created train-set format specification is registered in the format specification holding unit 107. The registered train format specification is verified by the format verification unit 110, and the format verification result is registered in the format verification result holding unit 111. Thereafter, the train operation setting unit 105 acquires the format verification result from the format verification result holding unit 111 and the inference rule for inferring the verification result from the inference rule holding unit 114, and based on the acquired format verification result and the inference rule Inferring the format verification result of the train-set formal specification in which unverified train operation is set in the train-unset formal specification. The obtained format verification result is registered in the format verification result holding unit 111. Furthermore, if there is an unverified train operation, an unverified train operation is set in the train unset format specification, a train set format specification is created, and registered in the format specification holding unit 107.

  The train requirement generation unit 106 receives the train requirement type from the train requirement type holding unit 109, the train specification type specification from the format specification holding unit 107, the linkage diagram conversion information from the conversion information holding unit 104, and the format verification result holding unit 111. Get the format verification result from each. The train requirement type is a train requirement type for railway security, such as “avoidance of train collision”, “avoidance of train derailment”, and “avoidance of train deadlock”. Furthermore, the train requirement generation unit 106 creates an unverified train requirement with the type indicated by the train requirement type corresponding to the acquired train-set format specification. When the train requirement type is specified as a train requirement corresponding to the train-set format specification, the linked chart conversion information is used. Similarly, when the unverified train requirements are selected, the obtained form verification result is used. The created train requirement is registered in the train requirement holding unit 108 in association with the identifier of the train-set format specification.

  The format verification unit 110 acquires the train-set format specification from the format specification holding unit 107 and the train requirement corresponding to the train-set format specification from the train requirement holding unit 108. Then, it verifies whether the train-set format specification satisfies the train requirement, and registers the verification result in the format verification result holding unit 111.

  Detailed procedures of the train operation setting unit 105, the train requirement generation unit 106, and the format verification unit 110 will be described later with reference to FIGS. 11, 12, and 13.

  The counterexample reverse conversion / display unit 112 acquires the format verification result from the format verification result holding unit 111, the linked chart from the linked chart holding unit 102, and the linked chart conversion information from the conversion information holding unit 104. Further, the counterexample reverse conversion / display unit 112 converts the counterexample (specific example of denial of railway security) included in the format verification result based on the interlocking chart conversion information into an operation sequence (operation time series or operation) on the interlocking chart. State transition series). Then, the operation sequence obtained by the conversion is executed on the interlocking chart, and the train operation and facility display switching are displayed on the screen via the output unit 113. The detailed procedure of the counterexample inverse transform / display unit 112 will be described later with reference to FIG.

  The output unit 113 acquires screen output information from the counterexample inverse transform unit / display unit and performs screen display.

  FIG. 2 is a diagram illustrating a hardware configuration example of the interlocking specification verification apparatus 201.

  The interlocking specification verification apparatus 201 includes a CPU 202, a memory 203, an external storage device 204, a display device 205, an input device 206, and an external medium input / output device 207.

  The CPU 202 executes various processes by executing programs stored in the memory 203. A part of the memory 203 functions as a work area for the CPU 202 and stores a program and data necessary for executing the program. Specifically, the programs constituting the interlocking chart conversion unit 103, the train operation setting part 105, the train requirement generation part 106, the format verification part 110, and the counterexample reverse conversion / display part 112 are stored and the interlocking chart holding part 102 The conversion information holding unit 104, the inference rule holding unit 114, the format specification holding unit 107, the train requirement holding unit 108, and the data held by the format verification result holding unit 111 are stored.

  The external storage device 204 stores various data. The external storage device 204 is, for example, a hard disk device. Specifically, a train requirement type holding unit 109 is stored.

  Or the program which comprises the interlocking chart conversion part 103, the train operation setting part 105, the train requirement production | generation part 106, the format verification part 110, and the counterexample reverse conversion and display part 112, the interlocking chart holding part 102, and the conversion information holding part 104 At least part of the data held by the inference rule holding unit 114, the format specification holding unit 107, the train requirement holding unit 108, and the format verification result holding unit 111 is also stored in the external storage device 204, and various processes are executed. Alternatively, the CPU 202 may read the data into the memory 203 and execute the program. Each program may be stored in the memory 203 or the external storage device 204 in advance, or may be introduced from another device into the memory 203 or the external storage device 204 via an available medium as necessary. Also good. The medium refers to, for example, a storage medium that can be attached to and detached from the external medium input / output device 207, or a communication medium such as a network, a carrier wave that propagates through the network, and a digital signal.

  The display device 205 displays the processing result of the program. The display device 205 is, for example, a display. The input device 206 receives a process execution instruction, input of information necessary for the process, and the like from the user of the interlocked specification verification apparatus 201. The input device 206 is, for example, a keyboard and a mouse.

  The external medium input / output device 207 performs input / output of data stored in the external storage device 204 with the external medium. The external medium is a portable storage medium that can be attached to and detached from the external medium input / output device 207, and the external medium output device 207 is a drive device that can read from and write to the external medium.

  FIG. 3 is a diagram showing an example of a schematic wiring diagram, which is a component of the interlocking diagram that is input to the interlocking specification verification device 201.

  The wiring schematic shows the arrangement of the traffic light, track circuit, and switch. Traffic lights 301, 302, 305, 309, 313, 318, 320, and 321 represent installed traffic lights. Similarly, track circuits 308, 303, 304, 306, 307, 310, 312, 311, 317, 314, 319, 315, and 316 represent track circuits installed on the track. In addition, track circuits 303 and 310 indicate that a switch is installed on both track circuits. Similarly, a switch is installed on the track circuit 306 and the track circuit 311, on the track circuit 314, and on the track circuit 315. Details on how to read the wiring diagrams are described in Yoshiaki Hishinuma, “Introduction to Signal Security and Railway Communications”, Chuo Shoin, March 1988, p.65-66.

  FIG. 4 is a diagram illustrating an example of an interlocking table that is a component of the interlocking chart that is input to the interlocking specification verification apparatus 201.

  The linkage table 401 includes an equipment name 402, an equipment number 403, a lock 404, a signal control or check lock 405, a path lock 406, and an approach or hold lock 407.

  The equipment name 402 is the type of equipment and its name. The facility number 403 is an identification number for uniquely identifying the facility. The lock 404 indicates the opening direction of the traffic light. Specifically, the lock 404 indicates the turning device constituting the course indicated by the traffic light and its direction. The signal control or lock 405 indicates that when the target is a traffic signal, if the train is on the track circuit on which the signal is entered, the traffic signal is stopped. When the object is a switch, if a train is on the track circuit, it indicates that the switch cannot be converted. The route lock 406 indicates that the route indicated by the traffic light continues to be guaranteed while the train is on the track circuit. If the approach or hold lock 407 is once displayed on the traffic light and then changed to a stop display when the train is on the track circuit, the safety of the approaching train is It indicates that the route indicated by the traffic light will continue to be guaranteed until the entered time has elapsed. The detailed reading of the interlocking table is explained in Yoshiaki Hishinuma, “Introduction to Signal Security and Railway Communications” mentioned above.

  FIG. 5 is a diagram illustrating an example of graph data of the train non-setting format specification created by the interlocking chart conversion unit 103.

  The train non-setting format specification is composed of graph data and variable data representing the state and setting of equipment such as a track circuit and a switch.

  The graph data shown in FIG. 5 includes nodes 501, 502, 507, 509, 511, 512, 516, 518, 523, 526, 540, 532, 534, 536, and 539, and edges 503, 504, 505, 506, 508, 510, 513, 514, 515, 517, 519, 520, 521, 522, 524, 525, 527, 528, 529, 530, 531, 533, 535, 537, and 538.

  Each node represents a position where the train can be located. For example, when the current node where a certain train is currently located is the node 502, this indicates that the train is located on the track circuit 308. A standing line position represented by one node is unique, but a plurality of nodes may represent the same standing line position. For example, like the node 502, the node 501 is a node indicating that the train is on the track circuit 308.

  Each edge represents a transition from node to node, and has a transition condition for the transition and an update process performed at the time of transition as additional information. This transition condition and the update process to be performed at the time of transition are a condition for variable data that is a component of the train non-setting format specification, and an update process. Also, these conditions and update processing are derived from the linkage table 401.

  For example, in order for a train to enter the track circuit 303 that is the inward track circuit of the traffic light 301 from the track circuit 308, the train switches over the track circuit 303 and the track circuit 310 from the lock 404 of the interlocking table 401. The vessel must be in the orientation direction. Therefore, the transition condition of the edge 505 representing the transition from the node 502 representing the standing line on the track circuit 308 to the node 507 representing the standing line on the inward track circuit 303 of the traffic light 301 is set on the track circuit 303 and the track circuit 310. The condition is that the directional variables of the switch are fixed, or the lock variables of those switches are unlocked.

  In addition, the lock 404 of the interlocking table 401 is a chain so that the switch on the track circuit 303 and the track circuit 310 cannot be changed at the same time when the train enters the track circuit 303 which is the inner track circuit of the traffic light 301. It also means locking. Therefore, the update processing of the edge 505 representing the transition from the node 502 representing the standing line on the track circuit 308 to the node 507 representing the standing line on the inner track circuit 303 of the traffic light 301 is performed on the track circuit 303 and the track circuit 310. This is a process of setting the direction variable of the switch to a fixed position and setting the lock variable of the switch to the lock.

  FIG. 6 is a diagram showing an example of the train-set format specifications graph data held by the format specification holding unit 107.

  The example shown in FIG. 6 is an example in which the operation of train A and train B is set for the graph data of the train non-setting format specification in FIG. Train A is a train that operates from the track circuit 308 in the downward direction, and train B is a train that operates from the track circuit 316 in the upward direction.

  The graph 603 and the graph 604 coincide with the example of the graph data of the train non-setting format specification shown in FIG. Nodes 601 and 606 represent the initial nodes of the graph. An edge 602 and an edge 605 represent transitions from the initial node 601 or the initial node 606, respectively.

  A graph including the graph 603, the initial node 601, and the edge 602 is a graph representing the operation of the train A. The current node representing the current position of the train A starts from the initial node 601 and transitions to the node 502 by the edge 602. This indicates that the train A is arranged on the track circuit 308 corresponding to the node 502 and has started operation.

  Similarly, a graph including the graph 604, the initial node 606, and the edge 605 is a graph representing the operation of the train B. The current node representing the current position of the train B starts from the initial node 606 and transitions to the node 539 by the edge 605. This indicates that the train B is arranged on the track circuit 316 corresponding to the node 539 and has started operation.

  FIG. 7 is a diagram illustrating an example of variable data of the train-set format specification held by the format specification holding unit 107.

  The variable data of the train specification format specification includes global variable data 701 that is common data for train A and train B, and local variable data 704 for train A and local data for train B that are local data for train A and train B, respectively. Includes local variable data 705.

  The global variable data 701 includes a switch state data 702 and a track circuit state data 703. The state data of the switch is a structure having a state related to its direction and lock.

  The local variable data 704 for train A includes a time variable 706 for train A and a position variable 707 representing the current node and the previous node of train A. The time variable 706 is a variable used for the transition condition based on the approach or the reserved lock 407. If the time variable is within a predetermined time, the time variable 706 is used so that transition is possible. The position variable 707 includes a previous node variable 708 representing the previous node and a current node variable 709 representing the current node. These variables are used when describing the current node of train A and the requirements for the previous node.

  Similarly, the local variable data 705 for train B includes a time variable 710 for train B, a current variable for train A, and a position variable 711 representing the previous node. Further, the position variable 711 includes a previous node variable 712 representing the previous node and a current node variable 713 representing the current node.

  FIG. 8 is a diagram illustrating an example of train requirement data held by the train requirement holding unit 108.

  The train requirement data 801 includes a derailment avoidance requirement 802, a collision avoidance requirement 803, and a deadlock avoidance requirement 804.

  The derailment avoidance requirement 802 is a requirement for the train A and the train B to avoid derailment. If the train A and the train B are on the track circuit with the switch, the switch The vessel represents the requirement that it be locked.

  The collision avoidance requirement 803 is a requirement for avoiding a collision between the train A and the train B, and represents a requirement that the on-line positions of the train A and the train B are not equal.

  The deadlock avoidance requirement 804 is a requirement for avoiding that the train A and the train B fall into a deadlock state, and the on-line positions of the train A and the train B are fixed and cannot be further advanced. Represents. The fixed train position of the train (that is, deadlock) means a situation in which it is not possible to make a transition from the current node to any other adjacent node in a graph composed of nodes representing the train track position. By the way, because train A is node 512 and train B is node 540, train B is not considered a deadlock even if the current node is node 512 or node 540, respectively, even if it cannot transition to another adjacent node. .

  FIG. 9 is a diagram illustrating an example of the linked chart conversion information data held by the conversion information holding unit 104.

  The linked chart conversion information 901 includes a linked chart identifier 902, an equipment type 903, a name 904 on the linked chart, and a name 905 on the formal specification.

  The interlocking chart identifier 902 is an identifier for uniquely identifying the interlocking chart. The equipment type 903 represents the equipment type of the equipment included in the interlocking chart. A name 904 on the interlocking chart represents a name in the interlocking chart of the facility. A name 905 on the formal specification represents a name on the formal specification of the facility. The name 905 on the formal specification includes a node name 906 and a variable name 907. The node name 906 is a node name representing the installation position of the equipment in the graph data of the format specification. The variable name 907 is a variable name representing the state of the equipment in the variable data of the format specification. For example, in the case of the track circuit 308, the name 904 on the interlocking chart is lower 1T, and the node name 906 is also lower 1T. Furthermore, the variable name 907 representing the state of the track circuit is TrackD1T. Further, for example, in the case of the switch on the starting circuit 303 and the track circuit 310, the name 904 on the interlocking chart is 51. The node name 906 is 51 iT and 51 bT, and the variable name 907 is Point51.

  FIG. 10 is a diagram illustrating an example of format verification result data held by the format verification result holding unit 111.

  The format verification result 1001 includes an interlocking chart identifier 1002, a train-set format specification identifier 1003, a train requirement type 1004, a train operation setting 1005, a verification result 1006, and a counter example 1007.

  The interlocking chart identifier 1002 is an identifier for uniquely specifying the interlocking chart and the train non-set format specification. The train-set format specification identifier 1003 is an identifier for uniquely identifying the train-set format specification. Since a plurality of different train-set format specifications can be created from one train-unset format specification, a train-set format specification identifier 1003 is required separately from the interlocking chart identifier 1002. The train requirement type 1004 is the same as the train requirement type held by the train requirement type holding unit 109. For example, “train avoidance”, “train derailment”, “train deadlock avoidance”, etc. This is a type of train requirement. The train operation setting 1005 is train operation setting information such as the train operation start position and the number of trains starting operation from that position. When the train operation setting 1005 is set for the train non-set format specification indicated by the interlocking chart identifier 1002, the train-set format specification indicated by the train-set format specification identifier 1003 is obtained. The verification result 1006 indicates a result of verifying the train-set format specification indicated by the train-set format specification identifier 1003 with the requirements indicated by the train requirement type 1004. A counter example 1007 shows a counter example when the verification result 1006 does not satisfy the requirement (an example of a graph node transition sequence when the requirement is not satisfied).

  FIG. 11 is a flowchart illustrating an example of a procedure for verifying a train-set format specification by the train operation setting unit 105, the train requirement generation unit 106, and the format verification unit 110. The processing shown below is realized by a program executed by the memory 203 by the CPU 202 included in the interlocking specification verification device 201. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  CPU202 acquires the train non-setting format specification from the interlocking chart conversion part 103 by performing the train operation setting part 105 (step 1101).

  The train operation setting unit 105 acquires all format verification results for the acquired train unset format specification from the format verification result holding unit 111 (step 1102).

  The train operation setting unit 105 refers to the acquired format verification result and checks whether there is an unverified train operation setting. For example, in the case of the train operation setting as shown in FIG. 10, any track circuit is designated as the train operation start position, and it is confirmed whether the verification result is obtained for every train number. If there is a train operation setting for which a verification result is not obtained, step 1104 is executed. If verification results have been obtained for all operation settings, the execution is terminated (step 1103).

  The train operation setting unit 105 acquires an inference rule for inferring the verification result from the inference rule 114 holding unit, and infers a formal verification result for an unverified train operation setting using the obtained formal verification result (step) 1104). There are various inference rules. For example, in the case of a train operation setting as shown in FIG. 10, when a deadlock occurs in a certain train operation setting, a deadlock occurs even in an operation setting in which the train operation start position and the number of trains are added to the operation setting. I can reason. Moreover, when it turns out that there is no possibility that a train will derail in a certain train operation setting, it can be inferred that there is no possibility of derailment in an operation setting in which the number of trains is added to the operation setting. If a train with the number of tracks equal to the total number of track circuits shown in the linkage diagram is operated from a certain train operation start position, and there is no deadlock, more trains can be operated from the same train operation start position. It can be inferred that deadlock does not occur. Since these inferences are performed based on the format verification results acquired in step 1102, depending on the format verification results, it may not be possible to infer verification results for unverified train operation settings.

  In step 1104, the train operation setting unit 105 executes step 1106 if the format verification result for the unverified train operation setting can be inferred, and executes step 1107 if it cannot be inferred (step 1105).

  The train operation setting unit 105 registers the format verification result obtained by the inference in step 1104 in the format verification result holding unit 111. Then, it returns to step 1102 and performs (step 1106).

  The train operation setting unit 105 sets the unverified train operation setting with respect to the train unset format specification acquired in step 1101, and creates the train set format specification. The created train-set format specification is registered in the format specification holding unit 107 (step 1107).

  The procedure from Step 1101 to Step 1107 by the train operation setting unit 105 will be described in detail with reference to FIG.

  The CPU 202 executes the train requirement generation unit 106 to create an unverified train requirement with the train requirement for the train-set formal specification created in step 1107 (step 1108).

  The procedure of step 1108 by the train requirement generation unit 106 will be described in detail with reference to FIG.

  The CPU 202 executes the format verification unit 110 to verify whether the train-set format specification created in step 1107 satisfies the train requirement created in step 1108 (step 1109).

  The format verification unit 110 registers the format verification result obtained in the verification in step 1107 in the format verification result holding unit 111. Then, it returns to step 1102 and performs (step 1110).

  FIG. 12 is a flowchart showing an example of a procedure for setting the train operation information in the train non-setting format specification by the train operation setting unit 105. The processing shown below is realized by a program executed by the memory 203 by the CPU 202 included in the interlocking specification verification device 201. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  CPU202 acquires the train non-setting format specification from the interlocking chart conversion part 103 by performing the train operation setting part 105 (step 1201).

  The train operation setting unit 105 acquires train operation conditions via the input unit 101 (step 1202). The operation condition is a condition for train operation and gives a restriction on the train operation setting. For example, there are conditions such that a train starts operation only from a specific position, and that the number of trains starting operation from the same position is at most one.

  The train operation setting unit 105 acquires, from the format verification result holding unit 111, all format verification results of the train-set format specifications obtained by setting the train operation to the train non-set format specifications acquired in Step 1201 (Step 1203).

  The train operation setting unit 105 confirms whether the acquired format verification result includes a verification result in which the derailment avoidance or collision avoidance requirement is an error (does not satisfy the requirement). If a verification result that includes an error in the derailment avoidance or collision avoidance requirement is included, the execution is terminated. If not included, step 1205 is executed (step 1204).

  The train operation setting unit 105 refers to the obtained formal specification verification result and checks whether there is an unverified train operation setting. If there is a train operation setting for which no verification result has been obtained, step 1206 is executed. If verification results have been obtained for all operation settings, the execution is terminated (step 1205).

  The train operation setting unit 105 acquires an inference rule for verification result inference from the inference rule 114 holding unit, and infers a format verification result for an unverified train operation setting using the format verification result (step 1206). Since this inference is performed based on the format verification result acquired in step 1203, the verification result for the unverified train operation setting may not be inferred depending on the format verification result.

  In step 1206, the train operation setting unit 105 executes step 1208 if the result of format verification for the unverified train operation setting can be inferred, and executes step 1209 if not inferred (step 1207).

  The train operation setting unit 105 registers the format verification result obtained by the inference in step 1206 in the format verification result holding unit 111. Then, it returns to step 1203 and performs (step 1208).

  The train operation setting unit 105 sets the unverified train operation with respect to the train unset format specification acquired in step 1201, and creates a train set format specification (step 1209).

  The train operation setting unit 105 registers the created train-set format specification in the format specification holding unit 107 (step 1210).

  FIG. 13 is a flowchart illustrating an example of a procedure for generating a train requirement by the train requirement generation unit 106. The processing shown below is realized by a program executed by the memory 203 by the CPU 202 included in the interlocking specification verification device 201. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  The CPU 202 acquires the train-set format specification from the format specification holding unit 107 by executing the train requirement generation unit 106 (step 1301).

  The train requirement generation unit 106 acquires the conversion information when the train-set format specification is created from the interlocking chart from the conversion information holding unit 104 (step 1302).

  The train requirement generation unit 106 acquires, from the format verification result holding unit 111, all format verification results of the train-set format specifications acquired in step 1301 (step 1303).

  The train requirement generation unit 106 acquires the train requirement type from the train requirement type holding unit 109 (step 1304).

  The train requirement generation unit 106 compares the verification result acquired in step 1303 with the train requirement type acquired in step 1304, and extracts an unverified train requirement type. The extracted unverified train requirement type is materialized as a train requirement for the train-set format specification based on the conversion information acquired in step 1302 (step 1305).

  FIG. 14 is a flowchart illustrating an example of a procedure for outputting the format verification result on the screen by the counterexample inverse transform / display unit 112. The processing shown below is realized by a program executed by the memory 203 by the CPU 202 included in the interlocking specification verification device 201. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  The CPU 202 acquires the verification result to be displayed from the format verification result holding unit 111 by the counterexample inverse transform / display unit 112 (step 1401).

  The counterexample inverse transformation / display unit 112 acquires a linked chart, which is the target specification of the verification result acquired in Step 1401, from the linked chart holding unit 102 (Step 1402).

The counterexample reverse conversion / display unit 112 acquires the conversion information of the linked chart acquired in step 1402 from the conversion information holding unit 104 (step 1403).
The counterexample reverse conversion / display unit 112 performs reverse conversion on the counterexample included in the verification result acquired in step 1401 to the motion sequence on the interlocking chart acquired in step 1403 based on the conversion information acquired in step 1403 (step 1404). ).

  The counterexample inverse conversion / display unit 112 displays the wiring schematic diagram of the interlocking chart on the screen via the output unit 113 (step 1405).

  The counter-example reverse conversion / display unit 112 switches the train operation display and the display of the wiring schematic equipment on the wiring schematic displayed in step 1405 based on the operation sequence on the interlocking chart created in step 1404 (step 405). 1406).

  As described above, a means for efficiently verifying all train operation settings that the interlocking specifications provided in the interlocking charts and the like satisfy the train requirements for railway security including deadlock avoidance, Conversely, the means to efficiently detect train operation settings that do not meet the train requirements for railway security, and the detected counterexamples (operation sequence when the requirements are not met) are visually displayed on the linkage chart. It is possible to provide a dynamic specification verification apparatus having a display means. Linked specification designers can use these means to verify the linked specification to ensure that the linked specification meets the requirements for railway security, or the linked specification does not meet the requirements for railway security. Can be detected without omission and the situation can be confirmed. Therefore, it becomes possible to easily create interlocking specifications that satisfy the train requirements for railway security.

  According to this embodiment, since it is possible to directly verify whether the interlocking specification satisfies the train requirements for railway security, it is necessary to create the requirements for the railway security equipment from the train requirements for railway security. Disappear. As a result, it is possible to verify the railway security requirements without errors or omissions, and it is possible to reduce the trouble of creating the requirements for the railway security equipment.

  Moreover, according to this embodiment, since it becomes possible to verify deadlock avoidance, which is one of the train requirements for railway security, it is possible to create an interlocking specification that can avoid deadlock. Or for the same reason, it becomes possible to grasp the train operation setting in which deadlock occurs in the target interlocking specification.

  In addition, according to the present embodiment, when more than a certain number of formal verification results are obtained, it becomes possible to infer the results of any other unexecuted formal verification based on the obtained formal verification results. It will be possible to prove for all train operation settings that the subject interlocking specification satisfies the requirements for railway security, especially deadlock avoidance. Alternatively, for the same reason, it becomes possible to comprehensively grasp the train operation settings that do not satisfy the railway safety requirements, particularly the deadlock avoidance, in the target interlocking specification.

  Further, according to the present embodiment, it is possible to select verifications that need to be performed from the unexecuted verifications based on the performed format verification results, and to infer the results of the unexecuted format verifications. . Moreover, the train operation setting contrary to the train operation conditions received from the designer can be excluded from the verification target. Therefore, it is possible to avoid performing unnecessary verification such as verification with clear results and verification without results. In particular, verification of deadlock avoidance can be avoided for interlocking specifications that do not satisfy train collision avoidance and train derailment avoidance.

  101: Input part 102: Interlocking chart holding part 103: Interlocking chart conversion part 104: Conversion information holding part 105: Train operation setting part 106: Train requirement generating part 107: Formal specification holding part 108: Train Requirement holding unit, 109: Train requirement type holding unit, 110: Format verification unit, 111: Format verification result holding unit, 112: Counterexample inverse conversion / display unit, 113: Output unit.

Claims (7)

An interlocking specification verification device for verifying interlocking specifications representing the specifications of interlocking devices installed on railway lines,
The interlocking specification, train train requirements type is a requirement type on for railway security, verification results of validated train configured formal language specification, and, seen from the verification result of the verified the train already set formal language specification of A storage unit that stores an inference rule for inferring a verification result of the train-set formal language specification for verification ;
A conversion unit that converts the interlock specification into a formal language specification in a graph format that represents the position of a train operating on the railway line;
Wherein the formal language specification, the outputs the train configured formal language specification that sets the train service is a train information that runs on railway lines, the storage unit the verification result of the verified the train configured format Language Specification Inferring the verification result of the train-set formal language specification from the verification result of the train-set formal language specification that has been verified, and inferring the inferred verification result from the verification unit according to the inference rule A setting part to be registered in
Based on the train requirement type stored in the storage unit, a generation unit that generates a train requirement that represents the requirement of a train that operates on the railway line, corresponding to the train-set formal language specification,
An interlocking specification verification apparatus, comprising: a verification unit that verifies whether the train-set formal language specification satisfies the train requirement. An interlocking specification verification device for verifying interlocking specifications representing the specifications of interlocking devices installed on railway lines,
A storage unit that stores the interlock specification, a train requirement type that is a requirement type related to a train for railroad security, and a verification result of the verified formal language specification that has been verified,
A conversion unit that converts the interlock specification into a formal language specification in a graph format that represents the position of a train operating on the railway line;
A setting unit that outputs a train-set formal language specification that sets a train operation that is train information that operates on the railway line in the formal language specification,
Based on the verified result of the train-set formal language specification stored in the storage unit, the requirement type to be verified is selected from the train requirement type, and based on the selected train requirement type, the A generation unit that generates a train requirement that represents a train requirement that operates on the railway line, corresponding to a train-set formal language specification,
A verification unit that verifies whether the train-set formal language specifications satisfy the train requirements;
Communicating dynamic specification verification device further comprising a. The interlock specification verification apparatus according to claim 1 , wherein the train requirement type includes at least a requirement type for avoiding a deadlock of a train . The setting unit receives a train operation condition that is a condition related to the train operation, and outputs the train-set formal language specification that sets the train operation when the train operation satisfies the received train operation condition. The interlocking specification verification apparatus according to any one of claims 1 to 3, wherein: The storage unit stores conversion information between the interlocking chart and the formal language specification,
Among the verification results of the verified train-set formal language specification, the verification result that does not satisfy the train requirement is a counterexample that represents an operation sequence of the train-configured formal language specification until reaching the situation that does not satisfy the train requirement. Including
From the verification result of the validated train-set formal language specification, the counterexample is obtained, and based on the conversion information stored in the storage unit, the counterexample is converted into an operation sequence of the interlocking chart, the operation based on the operation sequence, linkage specification verification apparatus according to any one of claims 1 to 4, characterized in that to have a counterexample inverse conversion display unit for outputting the result of execution on the interlocking chart. An interlocking specification verification method in an interlocking specification verification device for verifying interlocking specifications representing specifications of interlocking devices installed on railway lines, wherein the interlocking specification verification device is a requirement type related to the interlocking specification and a train for railway security. Inferring the verification result of the train-set formal language specification that has not been verified from the verification result of the train-set formal language specification that has been verified, the verification result of the train-set formal language specification that has been verified A storage unit for storing inference rules for
The interlock specification is converted into a formal language specification in the form of a graph representing the position of a train operating on the railway line,
To the formal language specification, output a train-configured formal language specification that sets train operation that is train information that operates on the railway line,
The verification result of the verified formal language specification that has been verified is acquired from the storage unit, and the verification result of the formal language specification that has not been verified from the verification result of the formal language specification that has been verified according to the inference rule Inferring the verification result, and registering the inferred verification result in the storage unit,
Based on the train requirement type stored in the storage unit, corresponding to the train-set formal language specification, generating a train requirement representing a requirement of a train operating on the railway line,
The train configured formal language specification, continuous dynamic specification verification how to said verifying meets the train requirements. An interlocking specification verification method in an interlocking specification verification device for verifying interlocking specifications representing specifications of interlocking devices installed on a railway line, wherein the interlocking specification verification device includes requirements for the interlocking specifications and a train for railway security. A storage unit for storing a train requirement type that is a type , and a verification result of the verified formal language specification that has been verified ,
The interlock specification is converted into a formal language specification in the form of a graph representing the position of a train operating on the railway line,
To the formal language specification, output a train-configured formal language specification that sets train operation that is train information that operates on the railway line,
Based on the verified result of the train-set formal language specification stored in the storage unit, the requirement type to be verified is selected from the train requirement type, and based on the selected train requirement type, the Generate train requirements representing train requirements on the railway line corresponding to the train-set formal language specification,
The interlock specification verification method characterized by verifying whether the train-set formal language specification satisfies the train requirement.

Images