In this, the third and final, blog post on Signal Design Automation we will look at how Formal Verification and automation are used at Stockholm Metro to increase railway safety. The rail-based public transport system in Stockholm, Sweden is relatively complex and diverse with a combination of subway, light rail and heavy rail. It also uses signaling systems from a wide range of suppliers with signaling principles from different parts of the world.
Maintaining and upgrading these systems to the standards of a modern mass transit facing ever increasing passenger numbers is challenging, from a cost and resource perspective as well as from a safety perspective. In order to address this, Stockholm Metro has deployed modern Signal Design Automation processes covering both railway safety verification and development of interlocking application software.
Formal Verification for Relay-Based Interlocking
Formal Verification is a method to prove with 100% certainty that a system fulfills a given set of safety requirements. In practice this verification is automated, using computer programs that implement mathematical algorithms performing the proofs. In Sweden the use of Formal Verification is encouraged by the National Transportation Agency and Stockholm Metro has been using it for over fifteen years, to catch errors early, reduce testing and increase trust in railway safety.
To enable efficient Formal Verification of relay-based designs, Stockholm Metro is using the Prover Extractor tool to check that the relay drawings follow their design standards and to extract the logic into a verification model for the Prover iLock Verifier. The safety requirements are captured in a Generic Safety Specification (GSS), formalized in the PiSPEC language.
One project where this process is currently applied is for the extension of one of the subway lines, the Blue Line. This extension is continuing the use of relay-based interlockings, from the existing part of the line. The relay drawings of each interlocking location are formally verified with Prover iLock Verifier against the GSS, any issues that are detected can easily be debugged and resolved prior to installation, reducing the effort required for testing and re-installations. The effort spent on safety reviews is also reduced, as the number of issues in the reviewed design drawings is much lower.
Design Automation for Computerized Interlocking
Encouraged by their successful experience of automated Formal Verification, Stockholm Metro has taken the natural step to also apply a full Signal Design Automation process, automating also functional testing and generation of revenue service interlocking software. To date they have done this in two different projects:
- The re-signaling and extension of the Tvärbanan light rail system
- The capacity increase and signaling modernization project of the Roslagsbanan commuter railway.
Here we will take a closer look at the latter project. Roslagsbanan is one of the oldest railways in Sweden, inaugurated in 1885, since then it has undergone many changes including the switch to a computerized Mircrolok II interlocking system supplied by Union Switch & Signal in the 1990’s.
Then, in 2007 the decision was taken to increase the system capacity by introducing double track and optimizing the signaling system. As Stockholm Metro was satisfied with the performance of the Microlok II system and its integration with other components of the signaling system it was their choice also for this modernization. However, they had concerns regarding the lack of resources and competence in Sweden for the labor-intensive application development and railway safety assessment, which further encouraged the move to automation and the choice of the Prover Trident process.
With the goal to generate the Specific Application (SA) software for each individual Microlok II interlocking installation from a set of general signaling requirements, Prover was given the task to develop this Generic Application (GA). The system supplier, Ansaldo STS Sweden, was tasked with the development of the SAs, using the Prover iLock automation tool suite and the GA.
Prover Certifier is used for final sign-off verification as part of the safety case for each installation. Using this approach, the first applications were successfully developed and commissioned in 2014. The project covers more than 30 applications.
It was originally planned that Stockholm Metro would supply documentation of the signaling requirements and principles to capture in the GA, but most of this documentation was missing and there were no resources available to produce it.
Instead it became part of Prover’s work to do this documentation as part of the GA definition task, using whatever documentation was available, complemented with interviewing the available signaling experts. Fortunately, the Prover iLock tool was a good help in this process, with its strong support for prototyping and evaluating requirements at an early project stage.
In addition to the savings from the reduced effort for development, testing and safety verification the project has identified a number of other benefits of automation:
- The design and functionality of different signal locations are more consistent.
- Maintenance is simplified, new features can efficiently be applied at all installed locations, with minimal effort.
- It is much easier to evaluate, and implement, different design choices and optimizations of the software.
Conclusions for increased railway safety
Starting from a rather limited application of automation for formal safety verification Stockholm Metro have taken a stepwise approach to introducing more and more automation into their signaling work and to achieve increased railway safety.
Today they are at a point where a full automation process, covering code generation, functional test and sign-off verification, have been applied in multiple production projects. Signal design automation, and Formal Verification, are now considered key factors for success when Stockholm Metro is planning the procurement of a new signaling system for the complete subway network.