Methods, notation and tools for modeling Command and Control Systems

Signaling is the keystone of the railway transportation system and besides it, the interlocking system acts a central role granting the key issues such safety of the overall system. In order to develop a new Interlocking System, in addition to study the interlocking principles and to have a reasonable background in computer based architecture we have to learn from the state-of-the-art of the existent railways vendor’s proposal. To cover the topic, this report brings together all the main aspects which relate to a choice of ones of the most used Interlocking Systems in Europe. This include the overall architecture, fault resilience policy, software used to implement the main functions and to interact with railway By the time, computer science and technologies, lie at the heart of our economy, our daily lives, and scientific enterprise. The railway’s domain, being one of the backbone of the world economy, has benefited from this revolution by giving in turn to the academic and to the enterprise research, a wide set of problems to deal with. One of them is the signaling systems which control and preserve the safety of the transportation. The introduction of the EN50128 guidelines , issued by the European Committee for Electro-technical Standardization (CENELEC), address the development of "Software for Railway Control and Protection Systems", and constitute the main reference for railway signaling equipment manufacturers in Europe and in future it will be also embraced by other countries. Formal methods are rated as highly recommended for the specification of systems/components with the higher levels of SIL. Contextually some European railway companies have constituted a consortium to define a standard interlocking system at a European level: the Euro interlocking project. Inside this project a trend has developed towards the use of specific formal method such statecharts for modeling interlocking rules because the above cited formalism have been considered suitable to express the sequences of checks and actions typical of an interlocking system. This report analyze the methods and tools present in the relative literature with the main scope to define the main concerns and past, present and possibly future best practice in developing, verify and validate interlocking software. The document is structured in the following thematic sections that evolve starting by the domain problem landing to the main objective: ? Introduction ? Domain Problem ? System architecture ? System failure resilience policy ? System software ? Method, notation and tools ? Conclusion o Bombardier Transportation Ebi-lock ? Final consideratio