Modeling a Safe Interlocking Using the Event-B Theory Plug-in

Interlocking (IXL) is a railway signaling sub-system. Its principal role is controlling the movement of points, the change of signal aspect and setting up tra c directions on a railway network. These controls are performed via commands on signaling system devices. The main issue of IXL concerns the safety of commands, or more precisely, properties preventing risks of train collision and derailment. This paper presents an Event-B model of a safe IXL in which IXL commands are filtered to ensure safety properties. In the model, railway terms are expressed with the Theory plug-in datatypes and operators. This approach has a two-fold advantage. Firstly, the model is lighter. In fact, complex mathematical expressions are held separately in Theory plug-in operators. Moreover, proof rules defined in Theories reduce the e↵ort of proving activities. Secondly, domain specific terms are defined and reusable. The model is illustrated by an animation using the ProB plug-in.