Hierarchical modelling of complex control systems: dependability analysis of a railway interlocking

This paper reports an experience made in building a model and analysing the dependability of an actual railway station interlocking control system. Despite our analysis has been restricted to the Safety Nucleus subsystem, mastering complexity and size required a considerable effort. We identified a modelling strategy, based on a modular, hierarchical decomposition allowing to use different methods and tools for modelling at the various level of the hierarchy. This multi-layered modelling methodology led to an accurate representation of the system behaviour and allowed us (i) to keep under control the size of the models within the different levels to be easily managed by the automatic tools, (ii) to make changes in the model in a very easy and cheap way. The paper contains also examples of the extensive analyses performed regarding the sensitivity of the dependability measures to variations of critical parameters and towards the validation of the assumptions made.