Simulating and analyzing railway interlockings in ExSpect

Abstract

This study evaluates the ability of ExSpect, a toolkit for simulating and analyzing complex distributed systems using colored Petri nets, to analyze ISL specifications for railway interlockings.A railway interlocking--which is designed to guarantee the safety of train movements--is an extremely complex distributed system. The behavior of such a system - and thus its correctness - is hard to understand and even more difficult to analyze. Recognizing that verification of safety requirements in such a system would not be possible without a way to formally describe system behavior, the Dutch railway company, Nederlandse Spoorwegen, designed a set of formal languages, called the Interlocking Specification Language, also known as Euris.Engineers at NS envisioned that ISL would let them describe and simulate interlocking behavior, verify safety requirements, and optimize interlocking behavior. This in turn could lead to the creation of an infrastructure that would allow more flexible train schedules.However, although ISL is an important step toward a more formal approach to building and maintaining interlockings, it is not suitable for verifying safety requirements because it lacks a firm mathematical basis. The study described here, conducted by the Eindhoven University of Technology in cooperation with NS, is a first step toward the simulation and verification of ISL specifications that is grounded in mathematical theory.As part of the study, we translated a small part of an ISL specification into the graphical and functional language used by the ExSpect toolkit. ExSpect, which is short for Executable Specification tool, is a graphical specification and simulation package developed at the university and commercially available from Bakkenist Management Consultants. It is a general-purpose tool, based on the theory of Petri nets, that combines a graphical user interface for specifying and simulating many types of distributed systems with analysis tools for verifying the properties of such systems.The goals of the study were to investigate to what extent NS engineers could use ExSpect to improve simulation and verification in ISL and to evaluate the strengths and weaknesses of ExSpect in an interesting real-world application. Many constructs in ISL map almost directly to ExSpect constructs. Thus, the study also laid the foundation for an ISL-to-ExSpect compiler.The study revealed that ExSpect has many advantages over ISL in simulation. It also revealed that we cannot yet verify any safety properties of an interlocking. First, it is not clear exactly what the safety requirements of an interlocking are, as they are described in ISL. Second, and more compelling, a railway interlocking specification is far too complex for formal verification with current technology.We did, however, learn some interesting things about ExSpect's abilities and gained much insight into possible extensions.