Abstract

In this paper, an efficient approach to data validation of distributed geographical interlocking systems (IXLs) is presented. In the distributed IXL paradigm, track elements are controlled by local computers communicating with other control components over local and wide area networks. The overall control logic is distributed over these track-side computers and remote server computers that may even reside in one or more cloud server farms. Redundancy is introduced to ensure fail-safe behaviour, fault-tolerance, and to increase the availability of the overall system. To cope with the configuration-related complexity of such distributed IXLs, the software is designed according to the digital twin paradigm: physical track elements are associated with software objects implementing supervision and control for the element. The objects communicate with each other and with high-level IXL control components in the cloud over logical channels realised by distributed communication mechanisms. The objective of this article is to explain how configuration rules for this type of IXLs can be specified by temporal logic formulae interpreted on Kripke Structure representations of the IXL configuration. Violations of configuration rules can be specified using formulae from a well-defined subset of LTL. By decomposing the complete configuration model into sub-models corresponding to routes through the model, the LTL model checking problem can be transformed into a CTL checking problem for which highly efficient algorithms exist. Specialised rule violation queries that are hard to express in LTL can be simplified and checked faster by performing sub-model transformations adding auxiliary variables to the states of the underlying Kripke Structures. Further performance enhancements are achieved by checking each sub-model concurrently. The approach presented here has been implemented in a model checking tool which is applied by Siemens Mobility for data validation of geographical IXLs.

Highlights

  • Background: Railway interlocking systems (IXLs) are designed according to different paradigms [Pac02, Chapter 4]

  • We have presented an efficient model checking approach and associated tool support for data validation of geographical interlocking systems

  • The tool is fast enough to uncover violations of configuration rules or prove the absence of rule violations interactively, while working on a configuration: all checking results for IXL configurations provided by Siemens Mobility were calculated within a few seconds


Summary

Introduction

Background: Railway interlocking systems (IXLs) are designed according to different paradigms [Pac02, Chapter 4]. Two of the most widely used are (a) route-based interlocking systems and (b) geographical interlocking systems. The former are based on predefined routes through the rail network and use interlocking tables specifying safety conflicts between different routes and the point positions and signal states to be enforced before a route may be entered by a train. In today’s software-controlled electronic interlocking systems, instances of software components “mimic” the elements of the electric circuit, acting as digital twins of the associated physical track elements. Following the object-oriented paradigm, different components are developed, each corresponding to a specific type of physical track element, such as points, track sections associated with signals, and others with axle counters or similar devices detecting trains passing along the track. The software components are developed for re-use, so that novel interlocking software designs can be realised by means of configuration data, specifying which instances of software components are required, their attribute values, and how their communication channels shall be connected.
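The abstract's core idea, checking a rule-violation formula on a Kripke structure built from configuration data, can be shown on a toy layout. This is an added example, not code from the paper or from the Siemens Mobility tool; the element names, the element types and the rule itself are constructed assumptions, and the CTL operators are evaluated with the standard fixpoint characterisation.

```python
# Constructed toy configuration: element -> (type, successors in travel direction).
# Each element is a state of the Kripke structure; its type is its label.
CONFIG = {
    "s1": ("signal", ["t1"]),
    "t1": ("tds", ["p1"]),        # tds = train detection section (assumed name)
    "p1": ("point", ["t2", "s2"]),
    "t2": ("tds", ["end"]),
    "s2": ("signal", ["p2"]),     # defect: no detection section between s2 and p2
    "p2": ("point", ["end"]),
    "end": ("border", ["end"]),   # self-loop keeps the transition relation total
}

def label(config, kind):
    """States whose label contains the atomic proposition `kind`."""
    return {s for s, (t, _) in config.items() if t == kind}

def ex(config, target):
    """EX target: states with at least one successor in `target`."""
    return {s for s, (_, succ) in config.items() if any(n in target for n in succ)}

def eu(config, hold, goal):
    """E[hold U goal] as the least fixpoint of Z = goal | (hold & EX Z)."""
    z = set(goal)
    while True:
        nxt = z | (hold & ex(config, z))
        if nxt == z:
            return z
        z = nxt

def violations(config):
    """Hypothetical rule: after a signal, a detection section precedes the next point.
    Violation formula (CTL): signal AND EX E[not tds U point]."""
    not_tds = set(config) - label(config, "tds")
    reach_point_undetected = eu(config, not_tds, label(config, "point"))
    return label(config, "signal") & ex(config, reach_point_undetected)

if __name__ == "__main__":
    print(sorted(violations(CONFIG)))
```

The returned set contains the states that witness the violation, which is what a data validation tool would report back to the engineer editing the configuration.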
