1
Satisfiability Testing in the Railway Industry
Simon Chadwick, Head of Research, Westinghouse Rail Systems Limited, Chippenham, UK
SAT2009
Twelfth International Conference on Theory and Applications of Satisfiability Testing
2
Contents
•Introduction
•Railways and Safety
•The Story of Signalling
•Where Signalling meets SAT
•Some final thoughts
3
Introduction: WRSL
•Westinghouse Rail Systems Limited
•Part of Invensys Rail Group
•Part of Invensys plc
4
Introduction
5
Introduction
6
Railways and Safety
•First railway?
Stockton & Darlington Railway
Opened 27th September 1825
7
Railways and Safety
•First railway accident?
William Huskisson (1770-1830)
Killed during the opening of the Liverpool and Manchester Railway, 15th September 1830.
8
Railways and Safety: Incremental rule building
Apply for 150 years:
Accident → Investigation → Changes → Improvement
9
Railways and Safety: Causes of Accidents
•Many causes:
– Civil engineering failure
– Failure of train
– Failure of operators
– Failure of signalling system
10
Railways and Safety: Railway signalling assumes…
•Rails intact
•Civil engineering intact
•Trains intact
11
Contents
•Introduction
•Railways and Safety
•The Story of Signalling
•Where Signalling meets SAT
•Some final thoughts
12
The Story of Signalling: What is signalling for?
To maintain the safety of trains by:
1. Maintaining a safe distance between following trains on the same track
2. Safeguarding the movement of trains at junctions and crossings
3. Regulating the passage of trains according to the service density and speed required
4. Ensuring the safety of trains in the event of equipment failure
13
The Story of Signalling: Early Signalling
[Figure: STOP / PROCEED]
14
The Story of Signalling: Time Interval Working
• Regulation of trains by time
• Controlled by policemen
• No standard time
• Electrical telegraph
• Block instrument
• Absolute Block Working
15
The Story of Signalling: Semaphore Signals
16
The Story of Signalling: Basic Signalling
[Diagram labels: Block Section, Station Limits, Signal Box, Distant Signal, Home Signal, Starter Signal, Direction of travel, Station, Block Section]
17
The Story of Signalling: Outer Home Signal
[Diagram labels: Block Section, Station Limits, Signal Box, Distant Signal, Home Signal, Starter Signal, Direction of travel, Station, Block Section, Outer Home Signal, Overlap]
18
The Story of Signalling: Four Aspect Signalling
36
The Story of Signalling: Interlocking and Control Centre
[Diagram: Control System ↔ Interlocking. Interlocking inputs: train detection, point detection, lamp proving. Interlocking outputs: point control, signal lamps]
37
The Story of Signalling: Interlocking Principles
• The interlocking is the safety device for the signalling equipment.
• It will not allow an unsafe condition to occur.
• It ensures that all train movements are protected.
• The design of the interlocking is the responsibility of principal design engineers, who must incorporate very strict rules.
• The design is independently checked and tested.
38
The Story of Signalling: Mechanical Interlocking
39
The Story of Signalling: Relay Interlocking
40
The Story of Signalling: Solid State Interlocking (SSI)
41
The Story of Signalling: Solid State Interlocking WESTLOCK
• Put WESTLOCK photo here
42
The Story of Signalling: Lever Frame Control System
43
The Story of Signalling: Control Panel
[Photo caption: Cowlairs]
44
The Story of Signalling: Large Control Panel
45
The Story of Signalling: Electronic Control Centres
46
Contents
•Introduction
•Railways and Safety
•The Story of Signalling
•Where Signalling meets SAT
•Some final thoughts
47
Where Signalling Meets SAT
•Signalling meets SAT at the interlocking
•The interlocking can be seen as a logic engine
48
Where Signalling Meets SAT: At the Interlocking
[Diagram: Control System ↔ Interlocking. Interlocking inputs: train detection, point detection, lamp proving. Interlocking outputs: point control, signal lamps]
49
Where Signalling Meets SAT
If N = number of inputs, then 2^N combinations of inputs are possible.
BUT… an interlocking can have internal stored states, so the order of the input combinations matters.
BUT… it can have timers, so the duration of the input combinations matters.
50
Where Signalling Meets SAT
• I can express the behaviour of an interlocking as a set of Boolean equations
• One of the interlocking products used by WRSL uses Ladder Logic
• I can express safety rules about my interlocking as generic rules
• I can use SAT theory to demonstrate that my interlocking logic meets the safety rules
51
Where Signalling Meets SAT: WESTRACE Ladder Logic
52
Where Signalling Meets SAT: At the Interlocking
[Layout diagram labels: points P123; tracks TA, TB, TC, TD, TE, TG, TH; signals S1, S2, S3]
Example rules - general
1. Points should not be moved if the track is occupied
2. Signals can only show a proceed aspect if the track is clear for the route set
Example rules - specific
1. Points P123 should not be moved if track TC is occupied
2. If the route is set from S1 to S3, the signal can only show proceed if tracks TC and TG are clear, plus TH if an overlap is required
53
Where Signalling Meets SAT
[Flow diagram labels: Generic Safety Rules + Specific Railway Layout → Instancing → Specific Safety Requirements; Signalling Designer → Specific Interlocking Logic; Specific Interlocking Logic + Specific Safety Requirements → Satisfiable?]
This is the hard bit! Are the safety properties complete?
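The flow on this slide, and the "2^N inputs plus stored state" point of slide 49, worked through as an added example. This is not WRSL's code and not WESTRACE ladder logic: the layout is the slide's P123 in track TC and route S1 to S3 over TC and TG with overlap TH (the other tracks are dropped), and the ladder equations, input names (P123_req, S1S3_set, S1S3_cancel, overlap_req) and the assumed fault are all constructed for illustration. The generic rules are written once over an abstract layout, instanced onto the specific layout, and then every reachable stored state and every input combination is searched for a scan on which the logic breaks a rule, which is the "satisfiable?" question answered by exhaustive enumeration rather than by a SAT solver.

```python
"""Added example: checking toy interlocking logic against instanced safety rules.

Everything here is constructed for illustration: the layout is the slide's
P123 / TC and route S1 -> S3 over TC, TG with overlap TH (other tracks dropped),
and the ladder equations are an assumed toy, not WRSL's WESTRACE logic.
"""
from collections import deque
from itertools import product

# Specific railway layout (assumed): which track each point lies in, and which
# tracks (plus overlap) each route needs clear.
LAYOUT = {
    "points": {"P123": "TC"},
    "routes": {("S1", "S3"): {"tracks": ("TC", "TG"), "overlap": "TH"}},
}
TRACKS = ("TC", "TG", "TH")
# Inputs read on every scan: track occupancy, a point-move request, route
# set/cancel commands, and whether the overlap must currently be held.
INPUTS = TRACKS + ("P123_req", "S1S3_set", "S1S3_cancel", "overlap_req")
INITIAL_STATE = {"route_S1S3": False}      # stored state: is route S1->S3 set?


def overlap_clear(inp):
    return not inp["overlap_req"] or not inp["TH"]


def route_latch(inp, state):
    """Stored state: the route latches when set with everything clear and
    drops on cancel (the 'internal stored state' of slide 49)."""
    set_ok = inp["S1S3_set"] and not inp["TC"] and not inp["TG"] and overlap_clear(inp)
    return (state["route_S1S3"] or set_ok) and not inp["S1S3_cancel"]


def ladder_faulty(inp, state):
    """One scan of a ladder whose overlap rung is only evaluated when the route
    is set, not on later scans while it stays set (assumed fault)."""
    route = route_latch(inp, state)
    out = {
        "P123_move": inp["P123_req"] and not inp["TC"],
        "S1_proceed": route and not inp["TC"] and not inp["TG"],
    }
    return out, {"route_S1S3": route}


def ladder_fixed(inp, state):
    """Same ladder with the overlap rung also on the proceed output."""
    route = route_latch(inp, state)
    out = {
        "P123_move": inp["P123_req"] and not inp["TC"],
        "S1_proceed": route and not inp["TC"] and not inp["TG"] and overlap_clear(inp),
    }
    return out, {"route_S1S3": route}


# Generic safety rules (slide 52), written once over an abstract layout.
def rule_points(layout, inp, out):
    """1. Points should not be moved if their track is occupied."""
    return all(not (out[p + "_move"] and inp[track])
               for p, track in layout["points"].items())


def rule_signals(layout, inp, out):
    """2. Proceed only if the route's tracks are clear, plus the overlap
    whenever an overlap is required."""
    for (entry, _exit), route in layout["routes"].items():
        clear = not any(inp[t] for t in route["tracks"])
        ovl_ok = not inp["overlap_req"] or not inp[route["overlap"]]
        if out[entry + "_proceed"] and not (clear and ovl_ok):
            return False
    return True


RULES = (rule_points, rule_signals)


def find_violation(ladder, layout=LAYOUT, rules=RULES):
    """Breadth-first search over reachable stored states, trying all 2^N input
    combinations in each; returns the input sequence reaching a scan on which
    the ladder's outputs break an instanced rule, or None if no such scan exists.
    (A production tool would pose the same question to a SAT solver as a CNF
    formula; exhaustive enumeration is only viable for this toy N.)"""
    start = frozenset(INITIAL_STATE.items())
    queue, seen = deque([(start, [])]), {start}
    while queue:
        key, trace = queue.popleft()
        state = dict(key)
        for bits in product((False, True), repeat=len(INPUTS)):
            inp = dict(zip(INPUTS, bits))
            out, new_state = ladder(inp, state)
            if not all(rule(layout, inp, out) for rule in rules):
                return trace + [inp]
            new_key = frozenset(new_state.items())
            if new_key not in seen:
                seen.add(new_key)
                queue.append((new_key, trace + [inp]))
    return None


if __name__ == "__main__":
    for name, ladder in (("faulty", ladder_faulty), ("fixed", ladder_fixed)):
        trace = find_violation(ladder)
        if trace is None:
            print(f"{name}: no violation over {2 ** len(INPUTS)} inputs per reachable state")
        else:
            print(f"{name}: rule broken after {len(trace)} scans; true inputs on each scan:")
            for step in trace:
                print("   ", sorted(k for k, v in step.items() if v))
```

The faulty ladder passes every single-scan check from the initial state, because the overlap is checked at the moment the route is set; the violation only appears on the second scan, after the route has latched and TH becomes occupied while the overlap is still required. That is exactly why stored state forces a search over input sequences rather than over the 2^N single combinations, and why the completeness of the property set (here, "re-check the overlap on every scan") is the hard part the slide points at.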
54
Where Signalling Meets SAT: WRSL and IRG research
[Layout diagram labels: points P123; tracks TA, TB, TC, TD, TE, TG, TH; signals S1, S2, S3]
WRSL is working with Swansea University to enhance our understanding of satisfiability testing, and to understand how it can be applied to railway interlocking systems.
WRSL is also working with Prover Technology to evaluate the use of their proof technology with Invensys Rail WESTRACE interlockings.
55
Contents
•Introduction
•Railways and Safety
•The Story of Signalling
•Where Signalling meets SAT
•Some final thoughts
56
Final thoughts: High Speed Trains
• European Rail Traffic Management System (ERTMS)
57
Final thoughts: High speed trains
If you are driving one of these… you need cab signalling!
58
Final thoughts: ERTMS
• ERTMS = European Rail Traffic Management System
• Interoperability across Europe
• Signalling and Automatic Train Protection on the train
• Interlocking is still required – but…
59
Final thoughts: Size and Complexity
Over time:
•Signalling systems have got more complex
•Scope of individual system components has got larger
•We have reached the limits of traditional approaches
Question:
Has size/complexity of modern safety systems exceeded ability of human understanding?
If the answer is “Yes” then we need practical applications of technologies such as SAT!
60
Thank you!