Towards a Formal Methods Body of Knowledge for Railway Control and Safety Systems

Railway signaling is now since more than 25 years the subject of successful industrial application of formal methods in the development and verification of its computerized equipment. However the evolution of the technology of railways signaling systems in this long term has had a strong influence on the way formal methods can be applied in their design and implementation. At the same time important advances had been also achieved in the formal methods area. The evolution of railways signaling systems has seen railways moving from a protected market based on national railway companies and national manufacturers to an open market based on international standards for interoperability, in which systems of systems are providing more and more complex automated operation, but maintaining, and even improving, demanding safety standards. The scope of the formal methods discipline has enlarged from the methodological provably correct software construction of the beginnings to the analysis and modelling of increasingly complex systems, always on the edge of the ever improving capacity of the analysis tools, thanks to the technological advances in formal verification of both qualitative and quantitative properties of such complex systems. In spite of these advances, the verification of complex railway signalling systems is still a main challenge and an important percentage of the cost in the development of these systems. We will discuss a few examples of such systems that witness these difficulties. The thesis we will put forward in this talk is that the complexity of future railway systems of systems can be addressed with advantage only by a higher degree of distribution of functions on local interoperable computers communicating by means of standard protocols and by adopting a multi-level formal modelling suitable to support the verification at design time and at different abstraction levels of the safe interaction among the distributed functions.