Geographical Versus Functional Modelling by Statecharts of Interlocking Systems

The development of computer controlled Railway Interlocking Systems (RIS) has seen an increasing interest in the use of Formal Methods, due to their ability to precisely specify the logical rules that guarantee the safe establishment of routes for trains through a railway yard. Recently, a trend has emerged about the use of statecharts as a standard formalism to produce precise specifications of RIS. This paper describes an experience in modelling a railway interlocking system using statecharts. Our study has addressed the problem from a "geographical", distributed, point of view: that is, our model is composed by models of single physical entities (points, signals, etc..) that collectively implement the interlocking rules, without any centralized database of rules, which is on the other hand a typical way of implementing such a system (what we call "functional" approach). One of the main aims of our approach, is to verify its ability to reduce revalidation efforts in the case of physical modifications to the yard; we show how the geographical approach may reduce this effort by requiring only the revalidation of those software modules that are actually affected by the changes.