# Design of railway signalling using SAT-based planning

#### Bjørnar Luteberget

Koen Claessen Christian Johansen

#### NWPT, Oct, 2018



UiO **Conversity of Oslo** 







UNIVERSITY OF GOTHENBURG

## Overview

- 1. Railway control system design and its challenges.
- 2. Specification language for design capacity.
- 3. Implementation of a tool for checking capacity.

Constructing a new railway line starts with a track plan:



Constructing a new railway line starts with a track plan:



By adding detectors, we can allocate smaller pieces of tracks to the train:



By adding detectors, we can allocate smaller pieces of tracks to the train:



Now, other trains can occupy different sections.



We add signals to indicate to drivers when they can proceed.



This situation is in principle safe, but is it a good design?



#### Requirements

# Will my station design handle the actual traffic?

Two methods used in practice:

- Whole-network time table analysis: a whole discipline in itself – complicated theory and software
- 2. Manual, ad-hoc analysis: varying quality, little documentation, low repeatability.







# Design-implementation-operation



- M. Abril, F. Barber, L. Ingolotti, M.A. Salido, P. Tormos, and A. Lova. An assessment of railway capacity. *Transportation Research*, 44(5):774 – 806, 2008.
- [2] Arne Borälv and Gunnar Stålmarck. Formal verification in railways. In Industrial-Strength Formal Methods in Practice, pages 329–350. Springer, 1999.
- [3] A. Fantechi, W. Fokkink, and A. Morzenti. Some trends in formal methods applications to railway signalling. In *Formal Methods for Industrial Crit Sys.*, 2012.
- [4] Alex Landex. *Methods to est. railway cap. and passenger delays*. PhD thesis, 2008.

# Design-implementation-operation



# Specification capture

Railway engineers gave us examples of performance properties that governed their designs.

Typical categories:

- 1. Running time (get from A to B)
  - Similar to a simulation test, but smaller specification.
- 2. Frequency (several consecutive trains)
  - Route trains into alternate tracks.
- 3. Overtaking
- 4. Crossing
  - Let one train wait on a side track while another train passes.

# Capacity specifications

Local requirements suitable for construction projects.

- Operational scenario S = (V, M, C):
- Vehicle types V = {(l<sub>i</sub>, v<sub>i</sub><sup>max</sup>, a<sub>i</sub>, b<sub>i</sub>)}, defined by length, max velocity, max accel, max braking.
- ► Movements M = {(v<sub>i</sub>, ⟨q<sub>i</sub>⟩)}, defined by vehicle type v and ordered sequence of visits ⟨q<sub>i</sub>⟩.

• Each visit  $q_i = (\{l_i\}, t_d)$  is a set of alternative locations  $l_i$  and an optional dwelling time  $t_d$ .

► Timing constraints C = {(q<sub>a</sub>, q<sub>b</sub>, t<sub>c</sub>)} which orders two visits and sets a maximum time from the first to the second t<sub>q<sub>a</sub></sub> < t<sub>q<sub>b</sub></sub> < t<sub>q<sub>a</sub></sub> + t<sub>c</sub>. The maximum time constraint can be omitted (t<sub>c</sub> = ∞).

#### Constraints

**Verification** of these specifications would involve finding satisfying train trajectories and control system state:

 $\exists p : \operatorname{spec}(p)$ 

Also, constrained by:

- 1 Physical infrastructure
- 2 Allocation of resources (collision safety)
- 3 Limited communication
- 4 Laws of motion

# Constraints (2) Allocation of resources

#### An elementary route is a set of resources allocated together.



Routes are conflicting if they use any of the same resources.



# Constraints (3) Limited communication

Signal information only carries across two signals ("pre-signalling").



## Constraints (4) Laws of motion

Trains move within the limits of given maximum acceleration and braking power. Train drivers need to plan ahead for braking so that the train respects its given movement authority and speed restrictions at all times.



$$v - v_0 \le a\Delta t, \qquad v^2 - v_i^2 \le 2bs_i.$$

# Automated verification

Design-time capacity verification amounts to planning in a mixed discrete/continuous space.

Some suggestions:

- PDDL+, planning domain description language for mixed discrete-continuous planning domains [1].
- SMT with non-linear real arithmetic [2, 4].
- dReal: δ-complete decision proc. for FOL with reals [3].

Using these tools/techinques and straight-forward modeling did not make our problem manageable on relevant scales.

- M. Fox and D. Long. Modelling mixed discrete-continuous domains for planning. J. Artif. Intell. Res., 27:235–297, 2006.
- [2] M. Franzle, C. Herde, T. Teige, S. Ratschan, and T. Schubert. Efficient solving of large non-linear arithmetic constraint systems with complex boolean structure. *J. SAT*, 1:209–236, 2007.
- [3] S. Gao, S. Kong, and E. M. Clarke. dReal: An SMT solver for nonlinear theories over the reals. CADE-24 vol. 7898 of *LNCS*, pages 208–214. Springer, 2013.
- [4] D. Jovanovic and L. de Moura. Solving non-linear arithmetic. ACM Comm. Computer Algebra, 46(3/4):104–105, 2012.

# Dispatch vs. driver

#### Split the planning work into two separate points of view:

#### Dispatcher



#### **Train driver**



# Dispatch vs. driver

#### Split the planning work into two separate points of view:

Dispatcher



**Train driver** 



# Dispatch vs. driver

#### Split the planning work into two separate points of view:

Dispatcher



**Train driver** 





Elementary routes and their conflicts



## Solver architecture



# SAT encoding of dispatch planning

General idea: represent which train occupies which elementary route in each of a sequence of steps.



# SAT encoding

Planning as bounded model checking (BMC). Build planning steps as needed using incremental SAT solver interface.

Movement correctness:

- ► Conflicting routes are not active simultaneously conflict $(r_1, r_2) \Rightarrow o_{r_1}^i = \text{Free} \lor o_{r_2}^i = \text{Free}.$
- ► Elementary route allocation is consistent with train movement:  $(o_r^i \neq t \land o_t^{i+1} = t) \Rightarrow$  $\bigvee \{ o_{r_x}^{i+1} = t \mid \text{route}(r_x), \text{entry}(r) = \text{exit}(r_x) \}$

Satisfy specification:

 Visits happen in order (timing requirement is measured on simulation).

# Freeing



If A holds a train t of length 200.0 m, freeing A is constrained by:

$$A^i \Rightarrow \left( A^{i+1} \lor \left( B^i \land C^i \right) \lor \left( D^i \land E^i \right) \right).$$

# Eliminate equivalent solutions

- ightarrow Can free  $\Rightarrow$  must free
- Can allocate  $\Rightarrow$  must allocate
- Exception to allocation: deferred progress

   a train may waiting for a conflict to be resolved, even if the
   conflict starts in the future.

Crossing example: exactly two solutions:



- Overlaps. Partial release.
- Loops in the infrastructure / loops in the dispatch.

## Solver architecture



#### Discrete event simulation

Initialize a world, and let processes mutate the world coordinated by a global scheduler.

- Scheduler: priority queue of events, ranked by time.
- enum PState { Finished, Wait([EventId]) }
  trait Process<T> {
  fn resume(&mut self, s:&mut Sim<T>) -> PState; }
- Observable values fire events when changed.

Railway simulation uses the following processes:

- Elementary route activation (subproc.: turn switch)
- Resource release (observe detectors)
- ► Train driver (observe signals, choose accel/brake).

## Solver architecture



















## **Case studies**



| Infrastructure | Property     | Result | $n_{\text{DES}}$ | $t_{SAT}$ | $t_{\text{DES}}$ | $t_{\text{total}}$ |
|----------------|--------------|--------|------------------|-----------|------------------|--------------------|
| Simple         | Run.time     | Sat.   | 1                | 0.00      | 0.00             | 0.00               |
| (3 elem.)      | Crossing     | Unsat. | 0                | 0.00      | 0.00             | 0.00               |
|                | Run.time     | Sat.   | 1                | 0.01      | 0.00             | 0.01               |
| Two track      | Frequency    | Sat.   | 1                | 0.01      | 0.00             | 0.01               |
| (14 elem.)     | Overtaking 2 | Sat.   | 1                | 0.00      | 0.00             | 0.01               |
| (14 cicili.)   | Overtaking 3 |        | 0                | 0.01      | 0.00             | 0.01               |
|                | Crossing 3   | Unsat. | 0                | 0.01      | 0.00             | 0.01               |
| Kolbotn (BN)   | Run. time    | Sat.   | 2                | 0.01      | 0.00             | 0.02               |
|                | Overtake 4   | Sat.   | 1                | 0.05      | 0.00             | 0.06               |
| (56 elem.)     | Overtake 3   | Unsat. | 0                | 0.05      | 0.00             | 0.06               |
|                | Run. time    | Sat.   | 2                | 0.01      | 0.00             | 0.02               |
| Eidsvoll (BN)  | Overtake 2   | Sat.   | 1                | 0.08      | 0.00             | 0.08               |
| (64 elem.)     | Crossing 3   | Sat.   | 1                | 0.04      | 0.00             | 0.04               |
|                | Crossing 4   | Unsat. | 0                | 0.21      | 0.00             | 0.21               |
| Asker (BN)     | Overtaking 2 | Sat.   | 1                | 0.20      | 0.00             | 0.21               |
| (170 elem.)    | Overtaking 3 | Unsat. | 1                | 0.73      | 0.00             | 0.74               |
| (170 eleni.)   | Crossing 4   | Sat.   | 0                | 0.75      | 0.00             | 0.77               |
|                | Run. time    | Sat.   | 1                | 0.02      | 0.00             | 0.04               |
| Arna (CAD)     | Overtaking 2 | Sat.   | 1                | 0.50      | 0.00             | 0.51               |
| (258 elem.)    | Overtaking 3 | Sat.   | 1                | 1.43      | 0.00             | 1.45               |
|                | Crossing 4   | Sat.   | 1                | 1.73      | 0.00             | 1.74               |
| Gen. 3x3       | High time    | Sat.   | 1                | 0.01      | 0.00             | 0.01               |
| (74 elem.)     | Low time     | Unsat. | 27               | 0.18      | 0.01             | 0.19               |
| Gen. 4x4       | High time    | Sat.   | 1                | 0.01      | 0.00             | 0.03               |
| (196 elem.)    | Low time     | Unsat. | 256              | 2.08      | 0.26             | 2.34               |
| Gen. 5x5       | High time    | Sat.   | 1                | 0.06      | 0.00             | 0.09               |
| (437 elem.)    | Low time     | Unsat. | 3125             | 38.89     | 4.35             | 43.24              |

TABLE I: Verification performance on test cases, including Bane NOR (BN) and RailCOMPLETE (CAD) infrastructure models. The number of elementary routes (*elem*.) is shown for each infrastructure to indicate the model's size.  $n_{\text{DES}}$  is the number simulator runs,  $t_{\text{SAT}}$  the time in seconds spent in SAT solver,  $t_{\text{DES}}$  the time in seconds spent in DES, and  $t_{\text{total}}$ the total calculation time in seconds.

## Future work

- Improved abstraction refinement? Would need more difficult cases to solve.
- ► Support for turning trains and loops in the infrastructure.
- Interface to more comprehensive simulation software?
- Depends on feedback from engineers.

## Future work

- Improved abstraction refinement? Would need more difficult cases to solve.
- Support for turning trains and loops in the infrastructure.
- Interface to more comprehensive simulation software?
- Depends on feedback from engineers.
- Fast and fully automatic verification could be a basis for design synthesis.

## Thanks for listening!

## **Design synthesis**

Create signal and detector placement for a given track plan.

- Schedulability: is the dispatch possible (add more signals and detectors)
- Timing: running time can become worse with more signals. Signal information only carries across two signals ("pre-signalling").



## Idea for approach to synthesis/optimization

1. Maximal schedulability design.



- 2. Run dispatch planner to see which signals are not needed (optimization).
- 3. Add/remove signals on non-branching sections to improve timing.
- 4. Move signals locally to improve timing (local search).

## Solver architecture



## RailCons project: automated verification

Project objectives:

- Verify that railway signalling and interlocking designs comply with regulations.
- Provide tools which allow railway engineers to perform such verification as part of their daily routine ("lightweight verification").

"Formal methods will never have a significant impact until they can be used by people that don't understand them."

- (attributed to) Tom Melham

## Models: railway signalling and interlocking designs



(a) Track and signalling component layout

| Route | Start | End | Sw. pos | Detection sections | Conflicts |
|-------|-------|-----|---------|--------------------|-----------|
| AC    | А     | С   | X right | 1, 2, 4            | AE, BF    |
| AE    | А     | E   | X left  | 1, 2, 3            | AC, BD    |
| BF    | В     | F   | Y left  | 4, 5, 6            | AC, BD    |
| BD    | В     | D   | Y right | 3, 5, 6            | AE, BF    |

(b) Tabular interlocking specification

## Properties: technical regulations

- In our case study: Norwegian regulations from national railways (Bane NOR)
- Static kind of properties, often related to object properties, topology and geometry (example on next slide)



## Properties: technical regulations

Example from regulations:

A home main signal shall be placed at least 200 m in front of the first controlled, facing switch in the entry train path.



- Can be classified as follows:
  - Object properties
  - Topological layout properties
  - Geometrical layout properties
  - Interlocking properties

## Datalog verification tool

- Prototype using XSB Prolog tabled predicates, front-end is the RailCOMPLETE tool based on Autodesk AutoCAD
- Rule base in Prolog syntax with structured comments giving information about rules

```
%| rule: Home signal too close to first facing switch.
%| type: technical
%| severity: error
homeSignalBeforeFacingSwitchError(S,SW) :-
    firstFacingSwitch(B,SW,DIR),
    homeSignalBetween(S,B,SW),
    distance(S,SW,DIR,L), L < 200.</pre>
```



## Challenge: participatory verification

Challenge: Users (railway engineers) are not experts in verification techniques, so how can they

- build models of the systems to be verified?
- write properties in the verifier's input language?
- interpret the output of the verifier when violated properties are found?

Input to verification:

- Models: CAD extended with structured railway data (familiar to engineers, user-friendly)
- Properties: Datalog (unfamiliar to engineers, not user-friendly enough)

... consider another verification property input language?

# REMU project – Chalmers/GU Gothenburg

REMU project: Reliable Multilingual Digital Communication -

- Goals (among others): grammar development, testing, analysis.
- Tools: Grammatical Framework Programming language for multilingual grammar applications.

#### Controlled natural language

Controlled natural languages (CNLs) are subsets of natural languages that are obtained by restricting the grammar and vocabulary in order to reduce or eliminate ambiguity and complexity.

## **Grammatical Framework**

Define domain model in an abstract syntax, define one or more mappings to text in a concrete syntax. Abstract syntax:

 Domain-specific tree data structure for representing the desired content.

```
abstract ToyRailway = {
  cat Subject; Length; Restriction; Statement;
  fun Signal, Switch, Detector : Subject;
   LengthMeters : Int -> Length;
   GreaterThan, LessThan : Length -> Restriction;
   ObjectSpacing : Subject -> Subject -> Restriction
                         -> Statement; }
```

Example phrase in abstract syntax:

ObjectSpacing Signal Switch (GreaterThan (LengthMeters 20))

## **Grammatical Framework**

Concrete syntax:

- A mapping from the abstract syntax to text.
- Invertible, so a GF concrete syntax gives you a parser and a linearization (generator).

```
concrete ToyRailwayEng of ToyRailway = {
  lincat Subject = Str; Length = Str; (...)
  lin Signal = "signal"; (...)
   LengthMeters i = i ++ "m"
   GreaterThan l = "more than" ++ l
   ObjectSpacing o1 o2 r =
        "a" ++ o1 ++ "must be" ++ r
        ++ "from a" ++ o2; }
```

Parse: "a signal must be more than 20 m from a switch" ObjectSpacing Signal Switch (GreaterThan (LengthMeters 20))

 Complexity and constraints of natural language quickly becomes infeasible to handle when the language grows...

## Grammatical Framework's Resource Grammars

Comprehensive linguistic model of natural languages with a unified API for forming sentences.

- Parse/generate in 31 languages using a unified API.
- Ensures grammatical correctness of phrases using the type system.



API usage example: OrientationAngleTo vec = mkCN (mkCN angle\_N) (mkAdv to\_Prep (mkNP the\_Det vec));

## Related work

Domain-specific languages for railway verification:

- Verification of implementation of railway control systems (Vu, Haxthausen, Peleska, 2014). Concise verification properties.
- Verification of railway layouts (James, Roggenbach, 2014).
   Focus on integrating domain modeling (UML) with verification, focus on control systems and fixed designs.

Controlled natural languages – formally defined restricted subsets of natural language – used for:

- Object Constraint Langauge, KeY reasoning about Java programs (Johannisson, 2007).
- Contract language CL (Prisacariu, Schneider, 2012) mapped into natural language and also diagrams (Camilleri, Paganelli, Schneider, 2014).
- Database queries for tax fraud detection (Calafato, Colombo, Pace, 2016).

## Overview of approach

- Define a Controlled Natural Language as a high-level domain-specific language to write properties.
- Represent properties as rephrasing of natural language specifications (adds tracability of requirements)



## RailCNL: Language design

Top-level statements:

- Constraint: logical constraints, typically used by a Datalog reasoner to infer new facts.
- Obligation: design requirement, CAD model is checked for compliance.
- Recommendation: design heuristics, CAD model checked, but violations are shown as warnings, can be dismissed.

#### Modules:



## RailCNL language design: ontology module

Statements about classes of objects and their properties and relations form a basis for for knowledge representation.

- Class names: "signal", "switch", ...
- Properties and values: "color", "red", "200.0m", ...
- ▶ Restrictions: Equality: "A signal must have height 4.5m".
- Relations name and multiplicity. "A distant signal should have <u>one or more</u> associated signals."

**Example 1** (Parse tree for an obligation statement.)

```
CNL: A vertical segment must have length greater than 20.0m.
AST: OntologyRestriction Obligation
    (SubjectClass (StringClassAdjective "vertical"
        (StringClass "segment")))
    (ConditionPropertyRestriction (MkPropertyRestriction
        (StringProperty "length")
        (Gt (MkValue (StringTerm "20.0m")))))
```

## RailCNL language design: graph module

For writing statements about the topology and geometry of objects' placement wrt. to railway tracks.

- Goal object: modifies a subject to optionally add orientation, direction, etc.
- Path restriction: combine subject, goal, and path condition. "All paths from a station border to the first facing switch must pass an entry signal".
- Distance restriction, see example:

Example 2 (Parse tree for a railway layout statement.)

**CNL:** Distance from an entry signal to first facing switch must be greater than 200.0 m.

```
AST: DistanceRestriction Obligation
   (SubjectClass (StringClassAdjective "entry"
        (StringClass "signal")))
   (FirstFound FacingSwitch)
   (Gt (MkValue (StringTerm "200.0m")))
```

## Tooling

- The quality of the tool support influences the success of a domain-specific language for non-IT-experts. Textual input is a part of the overall user interface design.
- Tool support for RailCNL:
  - Paraphrasing view present originals and CNL paraphrases side-by-side.
  - Issues view present verification errors in the CAD tool with links to the paraphrasing view.
  - Editor Text editor with support for writing (correct) CNL phrases.

## Side-by-side CNL/original (paraphrasing view)

#### Requirements tracing



Uriktig behandling, både under transport og oppsetting, kan føre til skader som nedsetter

## Issues view

## Backwards tracing – explanation of non-compliance

CAD program showing issues in layout plan

CNL debug view paraphrased text and translations

# ¢

Original text highlighting source of paraphrased text



#### ID: detector\_1

RailCNL: The distance from an axle counter to another must be larger than 21.0m.

AST: DistanceRestriction Obligation (SubjectClass (StringClassNoAdjective (String "axle\_counter"))) (AnyFound (AnyDirectionObject SubjectOtherImplied)) (Gt (MkVal Datalog: detector\_1\_start(Subj0, End, Dist) :- trainDetector(Subj0), next(Subj0, End

#### Placement and length

This section gives generalized rules for placement and length for train detection systems and its relationship to other infrastructure components. Detailed requirements are given in appendices.

#### General

a) No detection sections shall be shorter than 21 meters.

b) No dead zone shall be longer than 3 meters.

## Text editor CNL support

 Rule authoring tool – syntax checks, predictive parsing, chunked parsing, language exploration



## Advantages

RailCNL as a front-end for property input for verification:

- RailCNL is domain-specific: tailored to Datalog logic and regulations terminology. Gives readability and maintainability.
- Resembles natural language improves readability and engineer participation.
- Separate textual explanation (such as comments used in programming) are typically not needed.
- RailCNL statements are linked the original text. so that reading them side by side reveals to domain experts whether the CNL paraphrasing of the natural text is valid. If not, they can edit the CNL text.

## Further challenges and future work

#### Participatory verification:

- RailCNL is a common language shared between programmers and railway engineers for verification work.
- ► CNLs are not a magical solution to end-user programming.
- ► DSLs evolve along-side the application.

Language:

- Structures in regulations that span several phrases/rules (scopes, exceptions) – represent on textual or GUI level?
- Macros can users extend the language within the scope of their texts?

## Tool support:

- Can railway engineers from other disciplines create their properties themselves, from scratch, with editor support?
- Is example-based and editor-supported language learning good enough?

## Coverage

Classification for coverage analysis:

Not relevant for verification, examples:

Non-normative: the technical qualities of the track construction ensure safe and efficient traffic, with the least possible environmental impact.

Non-checkable: the tracks' construction must take into account the topography, soil, hydrology, climate, etc. of the location.

 Out of scope for static analysis, examples: Construction: Signs must have their original wrapping during transportation.
 Operation: A signal which cannot signal "stop" because

of fault must be unlit.

## Coverage

- Not covered:
  - exceptions (awkward to write out all premises)
  - linguistically complex: The safety zone (overlap) can be reduced to 200 m if the speed control system is designed such that the velocity at balise group (x) is not higher than 40 km/h when the signal (y) shows a "stop" aspect, and rolling stock will stop before the fouling point even when speed control communcation has failed in both the balise group and in the main signal.



- Covered:
  - ontology, graph, areas, interlocking (targets), ...

## **Coverage statistics**

| Eng. discipline | Chapter title               | Phrases | Normative | Relevant | Covered | Coverage |
|-----------------|-----------------------------|---------|-----------|----------|---------|----------|
| Track           | Planning: general technical | 140     | 74        | 74       | 70      | 95%      |
| Track           | Planning: geometry          | 278     | 157       | 152      | 119     | 78%      |
| Signalling      | Planning: detectors         | 144     | 106       | 35       | 21      | 60%      |
| Signalling      | Planning: interlocking      | 376     | 265       | 130      | 81      | 62%      |
| Total           |                             | 938     | 602       | 391      | 291     | 74%      |

Table 1: Coverage evaluation for a subset of Norwegian regulations. *Phrases* of the original text which could be classified as *normative* (i.e. applying some restriction on design) were evaluated for *relevance* to static infrastructure verification. The *coverage* is the percentage of relevant phrases expressible in RailCNL.

# Participatory verification: experience from meetings between programmers and railway engineers

#### Positive:

- invites engineers to splitting hairs
  - discuss semantics of natural language
  - leads to discussion of interpretation of regulations
- example-based learning
  - explain and explore language with the editor
  - change names and values / copy-paste coding

Negative:

- total understanding of language is infeasible
  - extend language: ask for examples, not grammar

## **Datalog verification**

- Datalog with negation (n.-as-failure) and arithmetic, implemented in e.g. XSB Prolog, RDFox, Soufflé.
- Prefer very fast (< 100 msec) re-evaluation integrated into CAD tool.
- Incremental Datalog approaches can exploit locality.

## Railway construction process

- 1. Politicians allocate funds for new railways, upgrades or maintenance.
- 2. National railway administration define high level requirements, such as passenger/freight capacities, travel times, maintainability, etc.
- 3. Engineering companies work out the detailed plans and specifications of the upcoming construction project.
- 4. Construction/implementation companies build the railway and implement control systems.
- 5. Finally, train companies can transport passengers and goods.

## CAD programs in railway signalling

 Overview of a station, typically showing tracks and signalling system components (signals, signs, balises)



## The railML XML standard data exchange format

- Thoroughly modelled infrastructure schema
- XML schema development by international standard committee



## Datalog

- Basic Datalog: conjunctive queries with fixed-point operators ("SQL with recursion")
  - Guaranteed termination
  - Polynomial running time (in the number of facts)
- Expressed as logic programs in a Prolog-like syntax:

$$a(X,Y) := b(X,Z), c(Z,Y)$$
$$(\exists x, y : ((\exists z : (b(x,z) \land c(z,y))) \to a(x,y))$$

- We also use:
  - Stratified negation (negation-as-failure semantics)
  - Arithmetic (which is "unsafe")