Title: Verification of Railway Interlocking Tables using Coloured Petri Nets*
1 Verification of Railway Interlocking Tables using Coloured Petri Nets
- Somsak Vanit-Anunchai
- somsav_at_sut.ac.th
- School of Telecommunication Engineering
- Suranaree University of Technology
- Nakhon Ratchasima 30000 Thailand
- Supported by National Research Council of Thailand
2 Introduction to railway signalling
[Figure: station track layout with numbered wayside equipment]
A railway signalling system divides the rail track into sections. Only one train is allowed in one section at a time. A section or route comprises wayside equipment: 1) track circuits, used to indicate the presence of trains; 2) signals, which allow the train to enter the route; 3) points (switches), which divert the train to another track. Each piece of wayside equipment has an identification number.
3 A typical (small) station
[Figure: station track layout with numbered wayside equipment]
Route Released → Normal
Route 3(2) locked
Require TC
Interlocking Tables, or Control Tables, are the tabular representation specifying how trains move, together with the states and actions of the related equipment.
4 Approach Lock
Cannot cancel
Signalman can cancel
[Figure: station track layout with numbered wayside equipment]
5 Motivation (Problems)
- Problems with manual inspection of railway interlocking tables → labour intensive, error prone
- State Railway of Thailand's projects involve 300-350 stations
- Existing track layout changed (added)
- → existing signalling changed.
- Other software tools are usually designed for a specific railway company, but SRT's operating rule is unique and sometimes changed.
- Need simple formal methods for signal engineers
6 Selected related work (quick look)
Logistic
7 Selected related work
8 Selected related work
9 Our CPN model of the Control Table of the small station comprises two parts
- Signalling Layout
- Interlocking
- The CPN model comprises
- 72 Places,
- 12 Fusion places,
- 21 Substitution Transitions,
- 33 Transitions and 12 ML functions.
10 CPN model of the Control Table
- Signalling Layout
- - The CPN model mimics the signalling plan
- - Provides geographic information on how each piece of wayside equipment connects to the others
- - Provides the ability to simulate the trains moving
- - Comprises lower CPN subpages which represent the train's movement when passing signals, passing points and moving between 2 consecutive track circuits
- → modelling wayside equipment
11 CPN model The southern part of the station
12 Modelling Approach
- The CPN model in the signalling layout part depends on the track layout.
- → It is inevitable.
- But the CPN diagram can be quickly, manually built when we have CPN patterns (library).
- The work on CPN patterns for this project is in progress.
13 CPN model of the Control Table
- 2. Interlocking part comprises 3 CPN subpages
- 2.1 UserCommand
- → sets and locks the points along the route
- 2.2 Routesetting
- → sets the required route
- 2.3 RouteReleased
- → using the passage of the train, restores the route to Normal state and unlocks the points
14 Modelling Approach
- The CPN model in the Interlocking part depends on the contents of the control table.
- Because there are 300 stations (to go), we attempt to make a generic net structure.
- The contents of the control table are coded in ML functions used in arc inscriptions.
- → Thus 300 stations can use the same net structure of the Interlocking part.
15 CPN Model Route Setting
require_point_normal(route)
require_point_reverse(route)
16 Excel → XML
XSLT script
It took me 2 man-months to complete the first model (including analysis). But the double track station? It took me only 8 man-hours to build the model (not including analysis).
→ ML functions are automatically created from the XML control table using XSLT.
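Added example (Python standing in for the XSLT script, which the slides do not show; not the author's code): it turns a constructed XML control table into the two ML functions named on the Route Setting slide and rejects a row that requires one point both normal and reverse. The XML element and attribute names, the equipment numbers and the integer argument type of the generated functions are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed control-table export; element/attribute names and IDs are assumptions.
CONTROL_TABLE_XML = """
<controltable station="example">
  <route id="1"><point id="103" position="normal"/><point id="105" position="reverse"/></route>
  <route id="3"><point id="103" position="reverse"/></route>
  <route id="15"/>
</controltable>
"""

def parse_table(xml_text):
    """Return {route_id: {"normal": [...], "reverse": [...]}}; reject contradictory rows."""
    table = {}
    for route in ET.fromstring(xml_text).iter("route"):
        rid = int(route.get("id"))
        if rid in table:
            raise ValueError(f"route {rid} listed twice")
        req = {"normal": [], "reverse": []}
        for point in route.iter("point"):
            req[point.get("position")].append(int(point.get("id")))
        both = set(req["normal"]) & set(req["reverse"])
        if both:
            raise ValueError(f"route {rid}: point(s) {sorted(both)} required normal and reverse")
        table[rid] = req
    return table

def ml_function(name, table, position):
    """Emit one ML function with a clause per route. No wildcard clause is
    generated, so a route missing from the table fails instead of defaulting."""
    clauses = [f"{name} {rid} = [{', '.join(map(str, req[position]))}]"
               for rid, req in sorted(table.items())]
    return "fun " + "\n  | ".join(clauses) + ";"

def generate(xml_text):
    """Generate require_point_normal and require_point_reverse as ML source text."""
    table = parse_table(xml_text)
    return "\n".join(ml_function(f"require_point_{p}", table, p)
                     for p in ("normal", "reverse"))

if __name__ == "__main__":
    print(generate(CONTROL_TABLE_XML))
```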
17 CPN Model Route Setting
This part is a great help regardless of assumptions.
require_point_normal(route)
require_point_reverse(route)
18 Assumptions and their effects on the correctness of the model
- To start building the model we have 10 assumptions.
- Q: The important question is how these assumptions affect the model.
- A: I consider that there are some differences between the real system and the model. However, the model in this paper can detect a large part of the errors which we always encounter.
- A larger part: something is missing or added (extra) in the Control Table.
19 Analysis
- The desired property is no collision.
- No two trains in two consecutive track circuits.
- Using ML query functions.
- To be convinced of the model's correctness
- After route(s) setting and train(s) movement,
- The terminal markings shall be as we expect.
- To debug the model using an incremental approach. Starting from one route setting - one train -
20 Terminal markings
Using ML queries and state space search.
No train collision is detected in cases A, B and C.
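Added example (Python, not the author's CPN ML model or queries): a breadth-first state space search over a constructed four-route control table, checking the no-collision property simplified to "no two trains in the same track circuit". The loop-station layout, route names R1-R4, points P1/P2 and the tuple encoding are assumptions; the faulty table drops two entries from one route, the kind of omission the Assumptions slide says the model detects.

```python
from collections import deque

# Constructed control table for a loop station A -(P1)- M|L -(P2)- B.
# route: (entry TC, exit TC, TCs required clear, points normal, points reverse, opposing routes)
CONTROL_TABLE = {
    "R1": ("A", "M", {"M"}, {"P1"}, set(), {"R3"}),
    "R2": ("A", "L", {"L"}, set(), {"P1"}, {"R4"}),
    "R3": ("B", "M", {"M"}, {"P2"}, set(), {"R1"}),
    "R4": ("B", "L", {"L"}, set(), {"P2"}, {"R2"}),
}

def can_set(table, r, locked, trains):
    """Route-setting guard: clear track, no opposing route, no point held the other way."""
    _, _, clear, normal, reverse, opposing = table[r]
    if r in locked or clear & set(trains) or opposing & locked:
        return False
    return all(not (normal & table[q][4]) and not (reverse & table[q][3]) for q in locked)

def successors(table, state):
    trains, locked = state
    for r in table:                                   # signalman sets a route
        if can_set(table, r, locked, trains):
            yield trains, locked | {r}
    for i, pos in enumerate(trains):                  # a train passes a cleared signal
        for r in locked:
            if table[r][0] == pos:
                moved = trains[:i] + (table[r][1],) + trains[i + 1:]
                yield moved, locked - {r}             # passage releases the route

def find_collision(table, start=("A", "B")):
    """Breadth-first state space search; returns train positions along a path to a collision, or None."""
    init = (start, frozenset())
    parent, queue = {init: None}, deque([init])
    while queue:
        state = queue.popleft()
        if len(set(state[0])) < len(state[0]):        # two trains in one track circuit
            path = []
            while state:
                path.append(state[0])
                state = parent[state]
            return path[::-1]
        for nxt in successors(table, state):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None

# Table with an omission: R3 lost its "M clear" and "opposing R1" entries.
FAULTY = dict(CONTROL_TABLE, R3=("B", "M", set(), {"P2"}, set(), set()))
```

`find_collision(CONTROL_TABLE)` finds no collision state, while `find_collision(FAULTY)` returns the sequence of train positions that ends with both trains in track circuit M.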
21 Conclusion
- A control table for the small and typical single line railway station is modelled and analysed.
- This CPN model can be adapted and re-used for SRT's double track projects (300-350 stations).
- We propose to convert Control tables to ML functions using XSLT.
- Thus the CPN models of other interlockings can be rapidly built.
- These models will help to detect errors in control tables in the early phase of system development.
22 Future work
- Relax modelling assumptions
- Revise the CPN subpages and arrange a library of CPN patterns
- Create CPN models directly from track layout drawings.
23 Thank You!
- Questions and comments?
25 Initial markings
- - noTrain at other places
- setting commands for all 8 routes
- - Both blocks in Coming states
- A Block request command for going toward Bangkok
26 Analysis results
State space sizes
More trains → smaller number of possible train movements
Fewer trains → larger number of possible train movements
Not true in general (e.g. double track and large stations)