using a domain theory
(revised extended abstract)
Lars-Henrik Eriksson
lhe@it.uu.se
Department of Information Technology*
Uppsala University
Box 337
SE-751 05 UPPSALA, Sweden
Abstract. Verification and generation of interlocking geographical data using a domain theory for railway signalling is described. Examples are taken from the methodology used industrially by Industrilogik L4i AB.
Railway interlockings form a family of systems where the individual systems have identical functions on an abstract level, as they implement general signalling principles. On the concrete level, differences in function between different interlockings are determined by the particular physical layout and other properties, both abstract and concrete (such as the maximum speed permitted through particular points), of the track system controlled by the interlocking. A formal description of these properties is called the geographical data of the particular interlocking. (This sense of geographical data is similar, but not identical, to the one used in work on formal verification of geographical data of the British SSI interlockings [4][5].)
Using geographical data, generic requirements specifications that describe general signalling principles can be specialised to give a requirements specification for a particular interlocking installation. Similarly, interlockings can be implemented using generic modules (either in software or hardware) which are configured using geographical data to give a specialised implementation for a particular site. An example of interlockings working using this principle is the Bombardier Transportation EBILOCK family of interlockings.
Given that the precise requirements of a generic specification, as well as the precise behaviour of a generic interlocking, are critically dependent on the geographical data, the correctness of the geographical data is of primary importance. Some kinds of geographical data, let us call them "primary" geographical data, are direct descriptions of the physical track structure and its concrete properties. Clearly, this data cannot be formally verified, but its internal consistency
a domain theory for rail systems.
* The work presented herein was done while the author was employed by Industrilogik L4i AB, Box 3470, SE-103 69 STOCKHOLM, Sweden. I wish to thank my former
Other kinds of geographical data, let us call them "secondary" geographical data, are data that are wholly or in part determined by the primary geographical data. One example is the description of all possible routes through the track system, a route typically being defined as a path through the track system on which a train could run, beginning and ending at a signal. Another example is the various kinds of protection areas required around a route to prevent possible collision with trains or vehicles close to the route. The construction and verification of secondary geographical data is of critical importance to the safety of the interlocking, while being one of the most time-consuming and error-prone tasks in the interlocking design process.
Given a sufficiently complete domain theory and generic requirements specification, secondary geographical data can be formally verified or automatically generated given a set of primary geographical data. In this presentation, I will illustrate how this is done in the formal specification and verification methodology used for industrial projects by Industrilogik L4i AB (e.g. [1][2][3]). The sample domain theory axioms are adapted from generic formal specifications developed by Industrilogik for Swedish and Norwegian railway signalling.
The track system is represented as a set of "units", a unit being a set of points, a linear piece of track, a buffer stop, crossing, etc. A relation connectsTo describes which units are adjacent to each other. The predicate points is true of units that are points. For every set of points, the relations leftBranch and rightBranch describe what units are reached from the facing points, taking the left or right direction, respectively. There is also a set of signals. Every signal is assumed to be located at the boundary between two units. Relations ahead and inRear describe the location and direction of a signal by giving the unit ahead of the signal (the unit the signal is facing) and the unit in rear of the signal. Fragments of a domain theory for the track system are given by the following predicate logic formulae:
(1) $\forall u_1, u_2 \in \mathit{UNITS}\ (\mathit{connectsTo}(u_1, u_2) \rightarrow \mathit{connectsTo}(u_2, u_1))$
(2) $\forall u \in \mathit{UNITS}\ \neg\mathit{connectsTo}(u, u)$
(3) $\forall w, u \in \mathit{UNITS}\ (\mathit{points}(w) \wedge \mathit{rightBranch}(u, w) \rightarrow \mathit{connectsTo}(u, w))$
(4) $\forall w \in \mathit{UNITS}\ (\mathit{points}(w) \rightarrow \exists u_1, u_2, u_3 \in \mathit{UNITS}\ (\mathit{connectsTo}(w, u_1) \wedge \mathit{connectsTo}(w, u_2) \wedge \mathit{connectsTo}(w, u_3) \wedge u_1 \neq u_2 \wedge u_1 \neq u_3 \wedge u_2 \neq u_3 \wedge \forall u_4 \in \mathit{UNITS}\ (\mathit{connectsTo}(w, u_4) \rightarrow u_1 = u_4 \vee u_2 = u_4 \vee u_3 = u_4)))$
(5) $\forall s \in \mathit{SIGNALS}\ \exists u \in \mathit{UNITS}\ (\mathit{ahead}(s, u) \wedge \forall u_1 \in \mathit{UNITS}\ (\mathit{ahead}(s, u_1) \rightarrow u = u_1))$
Formulae (1) and (2) state that the connectsTo relation is symmetric and irreflexive. Formula (3) states that the unit reached by going right through facing points must be adjacent to the points. Formula (4) states that a set of points is adjacent to exactly three different units. Formula (5) states that there is exactly one unit ahead of each signal.
A particular set of primary geographical data determines a logical interpretation
the interpretation will be a model, i.e. every axiom will compute to true.
Now, consider routes as pieces of secondary geographical data. Routes are principally sets of units. To avoid having to quantify over sets, every route is represented by an identifier in the set ROUTES, while the relation partOf relates each unit to identifiers of any routes it is part of. The direction of a route is determined using the relation before, which relates a route identifier to the unit immediately preceding the route. The defined predicate first characterises the first unit of a route. Fragments of the theory for routes are given by the formulae:
(6) $\forall r \in \mathit{ROUTES}\ \exists u \in \mathit{UNITS}\ (\mathit{before}(r, u) \wedge \forall u_1 \in \mathit{UNITS}\ (\mathit{before}(r, u_1) \rightarrow u = u_1))$
(7) $\forall r \in \mathit{ROUTES}\ \forall u \in \mathit{UNITS}\ (\mathit{before}(r, u) \rightarrow \neg\mathit{partOf}(r, u) \wedge \exists u_1 \in \mathit{UNITS}\ (\mathit{partOf}(r, u_1) \wedge \mathit{connectsTo}(u, u_1)))$
(8) $\mathit{first}(r, u) \equiv \mathit{partOf}(r, u) \wedge \forall u_1 \in \mathit{UNITS}\ (\mathit{before}(r, u_1) \rightarrow \mathit{connectsTo}(u, u_1))$
(9) $\forall r \in \mathit{ROUTES}\ \exists s \in \mathit{SIGNALS}\ (\forall u \in \mathit{UNITS}\ (\mathit{ahead}(s, u) \rightarrow \mathit{before}(r, u)) \wedge \forall u \in \mathit{UNITS}\ (\mathit{inRear}(s, u) \rightarrow \mathit{first}(r, u)))$
(10) $\forall r_1, r_2 \in \mathit{ROUTES}\ (\mathit{conflict}(r_1, r_2) \leftrightarrow r_1 \neq r_2 \wedge \exists u \in \mathit{UNITS}\ (\mathit{partOf}(r_1, u) \wedge \mathit{partOf}(r_2, u)))$
Formula (6) states that there is exactly one unit located before each route, while (7) states that this unit is in fact adjacent to the first unit of the route while not being part of the route itself. Formula (8) defines the auxiliary predicate first. Formula (9) states that there must be a signal at the beginning of the route, facing the unit before the route. Formula (10) states that two routes are in conflict if they have some unit in common.
The secondary data can be verified in the same manner as the primary data. However, it is also possible to automatically generate the secondary data. Primary data gives a "partial interpretation" of the domain axioms where secondary data predicates are undetermined. Since the sets are finite, this essentially creates a propositional satisfiability problem which can be solved using a SAT solver. The SAT solver would generate truth assignments to the secondary data predicates, effectively creating correct secondary geographical data.
A problem is that the number of routes is not known in advance, while the number of elements of the set ROUTES must be known in order to create a SAT problem. One possibility is making a conservative estimate of the maximum number of possible routes. Another one is to include only one route, but generate the complete set of routes by finding successive solutions to the SAT problem. The latter approach is implemented in the SST/SVT formal methods toolset used by Bombardier Transportation for interlocking software development.
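The verification and generation steps described above, as an added example in Python that is not part of the original abstract or of Industrilogik's tooling. Primary geographical data for a constructed five-unit layout is checked against formulae (1)-(5) by evaluating each formula over the finite interpretation; a second, deliberately faulty data set shows what such a check reports. Routes are then generated by a path search from each signal rather than by a SAT solver, which also sidesteps the question of how many elements ROUTES must have; the generated routes are checked against (6), (7) and (9) using the defined predicate of (8), and the conflict relation of (10) is computed. The layout, the signal placement, the rule that a route ends where a train would face the next signal or where the track ends, and the argument order partOf(r, u) are assumptions of the example.

```python
"""Added example (not the author's or Industrilogik's tooling): finite-model
checking of formulae (1)-(10) over a constructed layout, and route generation
by path search in place of the SAT-based generation the abstract describes.
Layout, signals and the route-termination rule are constructed assumptions."""
from collections import namedtuple

# Relations are sets of tuples: connectsTo(u1,u2) with both directions stored,
# leftBranch/rightBranch(unit, points) as in formula (3), ahead/inRear(signal, unit).
Model = namedtuple("Model", "units points connects left right ahead in_rear")
signals = lambda m: {s for (s, _) in m.ahead | m.in_rear}
sym = lambda pairs: frozenset(pairs) | frozenset((v, u) for (u, v) in pairs)

# Constructed layout:   A --- P ==< B --- D     P: toe A, left branch B,
#                                 \ C           right branch C.
LAYOUT = Model(
    units=frozenset("APBCD"), points=frozenset("P"),
    connects=sym({("A", "P"), ("P", "B"), ("P", "C"), ("B", "D")}),
    left=frozenset({("B", "P")}), right=frozenset({("C", "P")}),
    ahead=frozenset({("S1", "A"), ("S2", "B"), ("S3", "D"), ("S4", "C")}),
    in_rear=frozenset({("S1", "P"), ("S2", "D"), ("S3", "B"), ("S4", "P")}))
# Constructed faulty data: P-B stored one way only, P has two neighbours, C unlinked.
BROKEN = Model(
    units=frozenset("APBC"), points=frozenset("P"),
    connects=frozenset({("A", "P"), ("P", "A"), ("P", "B")}),
    left=frozenset({("B", "P")}), right=frozenset({("C", "P")}),
    ahead=frozenset({("S1", "A")}), in_rear=frozenset({("S1", "P")}))

def check_primary(m):
    """Numbers of formulae (1)-(5) falsified by the primary data."""
    c = lambda u, v: (u, v) in m.connects
    bad = set()
    if any(c(a, b) and not c(b, a) for a in m.units for b in m.units): bad.add(1)
    if any(c(u, u) for u in m.units): bad.add(2)
    if any(not c(u, w) for (u, w) in m.right if w in m.points): bad.add(3)
    if any(sum(c(w, u) for u in m.units) != 3 for w in m.points): bad.add(4)
    if any(sum((s, u) in m.ahead for u in m.units) != 1 for s in signals(m)): bad.add(5)
    return bad

def generate_routes(m):
    """Secondary data by path search (assumes (1)-(5) hold): from each signal, start
    on the unit in rear of it, move away from the unit ahead of it, and stop where a
    train would face another signal or where the track ends."""
    c = lambda u, v: (u, v) in m.connects
    ahead, in_rear = dict(m.ahead), dict(m.in_rear)

    def next_units(prev, cur):
        if cur in m.points:
            branches = {u for (u, w) in m.left | m.right if w == cur}
            if prev in branches:                       # trailing move: toe only
                return {u for u in m.units if c(cur, u)} - branches
            return branches                            # facing move: either branch
        return {u for u in m.units if c(cur, u)} - {prev}

    def extend(path, prev, cur):
        nxt = sorted(next_units(prev, cur) - set(path))          # never loop
        stop = {y for y in nxt if any(ahead[s] == cur and in_rear[s] == y for s in signals(m))}
        if not nxt or stop:    # a signal is faced, or the track ends (assumed buffer stop)
            yield tuple(path)
        for y in nxt:
            if y not in stop:
                yield from extend(path + [y], cur, y)

    routes = {}
    for s in sorted(signals(m)):
        for path in extend([in_rear[s]], ahead[s], in_rear[s]):
            routes[f"R{len(routes) + 1}"] = (ahead[s], path)     # (before unit, units)
    return routes

def relations(routes):
    """before(r, u) and partOf(r, u) as relations, from the route table."""
    return ({(r, b) for r, (b, _) in routes.items()},
            {(r, u) for r, (_, path) in routes.items() for u in path})

def first(m, before, part_of, r, u):
    """The defined predicate of formula (8)."""
    return (r, u) in part_of and all((u, u1) in m.connects for (r1, u1) in before if r1 == r)

def check_secondary(m, routes):
    """Numbers of formulae (6), (7), (9) falsified by the route data."""
    before, part_of = relations(routes)
    bad = set()
    for r in routes:
        bef = {u for (r1, u) in before if r1 == r}
        if len(bef) != 1:
            bad.add(6)
        if any((r, u) in part_of or not any((r, u1) in part_of and (u, u1) in m.connects
                                              for u1 in m.units) for u in bef):
            bad.add(7)
        if not any(all((r, u) in before for (s1, u) in m.ahead if s1 == s) and
                   all(first(m, before, part_of, r, u) for (s1, u) in m.in_rear if s1 == s)
                   for s in signals(m)):
            bad.add(9)
    return bad

def conflicts(routes):
    """The conflict relation of formula (10), as ordered pairs of route identifiers."""
    _, part_of = relations(routes)
    units = {r: {u for (r1, u) in part_of if r1 == r} for r in routes}
    return {(r1, r2) for r1 in routes for r2 in routes if r1 != r2 and units[r1] & units[r2]}
```

On BROKEN, check_primary reports formulae (1), (3) and (4) falsified; on LAYOUT nothing is falsified, generate_routes produces five routes (two from S1, one through each branch of P, and one from each of S2, S3 and S4), check_secondary reports nothing, and conflicts contains six unordered pairs, exactly the route pairs that share the points P. The search terminates because a unit is never revisited within a route; a real theory would add the further axioms (route ends, protection areas) that the abstract mentions but does not list.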
These techniques presuppose the existence of a complete domain theory for railway track systems and signalling, which shows that such a theory has a
1. Eriksson, L-H.: Using Formal Methods in a Retrospective Safety Case. In Heisel, M., Liggesmeyer, P., Wittmann, S. (eds.): Computer Safety, Reliability, and Security, 23rd International Conference, SAFECOMP 2004, Springer Lecture Notes in Computer Science 3219, Springer-Verlag (2004)
2. Eriksson, L-H.: Specifying Railway Interlocking Requirements for Practical Use. In Schoitsch, E. (ed.): Proceedings of the 15th International Conference on Computer Safety, Reliability and Security (SAFECOMP'96), Springer-Verlag (1996)
3. Eriksson, L-H. and Johansson, K.: Using formal methods for quality assurance of interlocking systems. In Mellit, B. et al. (eds.): Computers in Railways IV, Computational Mechanics Publications (1998)
4. Morley, M.J.: Safety Assurance in Interlocking Design. Ph.D. thesis, University of Edinburgh (1996)
5. Simpson, A.C., Woodcock, J.C.P., and Davies, J.W.: The mechanical verification of Solid State Interlocking geographic data. In Groves, L. and Reeves, S. (eds.), Proceedings of Formal Methods Pacific, Wellington, New Zealand, 9-11 July, pages