Abstract

Solid State Interlocking (SSI), a computer-based railway signalling system, is used extensively by British Rail and also by other railway administrations. An interlocking is implemented as a generic program, the same for all areas, together with a geographic database which serves as a detailed map of the track and signalling equipment in a specific area of control. We formally model SSI behaviour as that of a finite state automaton with next-state and output functions defined by geographic data. Safety of interlocking is modelled as a family of predicates of state, and a proof strategy based on mathematical induction is designed for showing that safety predicates remain invariant over an indefinite number of cycles. The strategy allows for a mixed approach to proof: high-level hand proof of lemmas relating to the transitivity of safety, and lower-level mechanized proof of detailed steps. The formal model also lends itself to investigation of the safety of behaviour patterns in the environment controlled by an interlocking. A pattern of behaviour is a subset of input sequences, and the automaton connects this to a set of states which remain invariant under such input. This connection is shown to induce topologies into state-space and into the environment.
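The automaton-plus-induction approach the abstract describes, as an added Python example that is not part of the paper: a constructed toy layout of two routes over three track sections stands in for the geographic data, safety is a small family of state predicates, and the inductive step is discharged by exhaustive enumeration of the finite state space (a hypothetical miniature, not SSI's own data format or logic).

```python
from itertools import product
# Constructed toy "geographic data" (hypothetical, not real SSI data): each route
# lists the track sections it requires; routes sharing a section conflict.
ROUTES = {"R1": ("T1", "T2"), "R2": ("T2", "T3")}
TRACKS = ("T1", "T2", "T3")
def conflicts(a, b):
    return a != b and bool(set(ROUTES[a]) & set(ROUTES[b]))
# State = (set routes, routes whose signal shows PROCEED, occupied sections), frozensets.
INITIAL = (frozenset(), frozenset(), frozenset())
INPUTS = ([(k, r) for k in ("set", "release") for r in ROUTES]
          + [(k, t) for k in ("occupy", "clear") for t in TRACKS])

def next_state(state, inp):
    # One interlocking cycle: the next-state function, driven by the geographic data.
    routes, proceed, occupied = state
    kind, arg = inp
    if kind == "set":  # grant only if its sections are clear and no set route conflicts
        if not (set(ROUTES[arg]) & occupied) and not any(conflicts(arg, r) for r in routes):
            routes, proceed = routes | {arg}, proceed | {arg}
    elif kind == "release":
        routes, proceed = routes - {arg}, proceed - {arg}
    elif kind == "occupy":  # a train enters a section: signals over it return to STOP
        occupied = occupied | {arg}
        proceed = frozenset(r for r in proceed if arg not in ROUTES[r])
    elif kind == "clear":
        occupied = occupied - {arg}
    return (routes, proceed, occupied)

# The family of safety predicates of state.
def no_conflicting_routes(state):
    return not any(conflicts(a, b) for a in state[0] for b in state[0])
def proceed_only_on_locked_clear_route(state):
    routes, proceed, occupied = state
    return all(r in routes and not (set(ROUTES[r]) & occupied) for r in proceed)
def safe(state):
    return no_conflicting_routes(state) and proceed_only_on_locked_clear_route(state)

def subsets(xs):
    return [frozenset(x for x, on in zip(xs, bits) if on)
            for bits in product((0, 1), repeat=len(xs))]

def inductive_check():
    # Base case: INITIAL is safe. Step: every safe state stays safe under every
    # input, checked exhaustively. Returns (base_ok, first counterexample or None).
    for s in product(subsets(ROUTES), subsets(ROUTES), subsets(TRACKS)):
        for i in INPUTS:
            if safe(s) and not safe(next_state(s, i)):
                return safe(INITIAL), (s, i)
    return safe(INITIAL), None
```

Because the step is checked over every safe state rather than only reachable ones, the result is a genuine invariant of the automaton; dropping the signal-to-STOP handling in the "release" or "occupy" branch makes the check return a concrete counterexample state and input.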
