The role of formal methods in developing a distribuited railwai interlocking system

The development of computer controlled Railway Interlocking Systems (RIS) has seen an increasing interest in the use of Formal Methods, due to their ability to precisely specify the logical rules that guarantee the safe establishment of routes for trains through a railway yard. Recently, a trend has emerged about the use of statecharts as a standard formalism to produce precise specifications of RIS. This paper describes an experience in modelling a railway interlocking system using statecharts. Our study has addressed the problem from a 'geographic', distributed, point of view: that is, our model is composed by models of single physical entities (points, signals, etc..) that collectively implement the interlocking rules, without any centralized database of rules, which is on the other hand a typical way of implementing such a system (what we call 'functional' approach). We show how a distributed model of this kind may be used to develop a distributed implementation, that employs physically distributed controllers communicating through a 'safe' field bus. Ensuring safety of this kind of RIS is entirely based on formal verification.