The safety of railway networks is a very important issue. Roughly speaking, it can be split into safety along lines and safety of railway facilities such as stations, junctions, yards, etc. In modern networks the safety along lines is controlled by automatic block systems that do not give clearance to trains to enter a section (block) until the latter is detected to be unoccupied. Meanwhile, the safety within railway facilities is supervised by railway interlocking systems. Decision making in a railway interlocking is a very important issue which is considered to be very labour-intensive. Decision-making in both automatic block systems and railway interlocking systems, unlike road traffic light systems, is not based on time (they are not scheduling problems) but in space. Basically, two different trains should never be allowed to access the same section (whatever time has passed). There are many different approaches to automate decision-making in railway interlocking systems. The classic approaches are offline: only certain routes are allowed and their compatibility is decided in advance. Meanwhile, modern approaches make decisions in real time and are independent from the topology of the railway network, but can be applied only to small or medium size railway networks. Nevertheless, these last approaches have the following drawbacks: the performances are very dependent on the number of trains in the railway network; and are unsuitable to large networks since they take long time to be run. On the other hand, algebraic approaches based on computer algebra concepts have been used in artificial intelligence for implementing expert systems. In this paper we present a completely new algebraic model, based on these concepts of computer algebra that overcomes these drawbacks: the performance of our approach is independent of the number of trains in the railway network and also is suitable for large railway networks.
Government of SpainTIN2015-66471-PComunidad Autónoma de MadridCASI-CAM S2013/ICE-28451. Introduction
The safety of railway networks is a very important issue. Roughly speaking, it can be split in safety along lines and safety of railway facilities such as stations, junctions, yards, etc.
In modern networks the safety along lines is controlled by automatic block systems, that do not give clearance to trains to enter a section (block) until the latter is detected to be unoccupied.
Meanwhile, the safety within railway facilities is supervised by railway interlocking systems. Decision making in a railway interlocking is a very important issue which is considered very labour-intensive.
Railway interlocking systems are conceived so that different trains can be placed on different sections. Semaphores (mechanical devices) or light signals and turnouts must be stated so that two trains cannot collide when moving, if obeying the signalling. A railway interlocking system has the purpose of not allowing unsafe situations in the railway network. In fact the most sophisticated railway interlocking systems also forbid the switches under the train to be changed before the train has left that section, an issue that is not addressed in this article.
Let us underline that decision making in both automatic block systems and railway interlocking systems, unlike road traffic light systems, are not based on time (that is, they are not scheduling problems) but in space: basically, two different trains should never be allowed to access the same section (whatever time has passed since the first one entered the section). The reason is that trains need long distances to break and a train can be unexpectedly found stopped at a certain place due, for instance, to a breakdown. This approach has allowed to introduce semiautomatic train operation and even driverless train operation in some subways and airport shuttle services much earlier than autonomous cars were developed, although that is not the topic of this article.
The first railway interlocking systems were mechanical and were installed in the second half of the nineteenth century (Figure 1). In the mid twentieth century the control was relays-based (Figure 2). From the 1980s, most of the new railway interlocking systems are computer-controlled (electronic interlocking systems) [1–4]. Many of the interlocking systems are specifically designed for a particular railway network and they are not topology-independent. For instance, the first topology-independent railway interlocking system in Spain was installed only in 1993 [5]. Detecting if the situation of trains in a railway network is dangerous is an eye-catching problem. Traditionally, an offline approach is followed: only certain routes are considered and what is allowed by the interlocking is established in advance, usually by hand [6].
A mechanical railway interlocking system still in use at a junction in 2009. On the left a general view of the system is shown. The levers operated the semaphores (mechanical devices) and the switches of the turnouts. On the right a top view is shown. In the latter the bars that detect if a given lever conflicts with that controlled by another lever are clearly visible (it was common that the mechanical railway interlocking had glass tops so that the internal system could be appreciated).
One of the corridors full of relays of the relay interlocking system of a big railway station in the ‘90s.
Modern approaches use algorithms for checking in real time the safety of a railway network: any proposed change in the position of switches and the signals aspects is analyzed in real time before being authorized. Clearly, an exhaustive analysis of all the possible movements allowed to all trains according to the proposal has to be performed. Obviously, the performance of the algorithm is a crucial issue of these approaches. It is surprising that, in real railway interlocking systems, unacceptable errors can be found (this happened, for instance, in the railway interlocking system of a tiny subway station [7]).
There are many different papers regarding computer applications to railway interlocking systems in general [8] and decision making in particular. These latter works either create a formal specification for an existing railway system (in order to verify it or to create a new decision making tool) or describe a completely new model for railway interlocking systems. Some of these approaches depend strongly on the number of trains in the railway network and are not suitable for large railway networks.
This paper deals with a new algebraic method for detecting the safety in a railway network that overcomes these previous drawbacks. It uses computer algebra concepts (like Boolean polynomials, ideals, Groebner bases, or normal forms) to solve the problem of decision making in a railway interlocking system.
The paper is structured in the following way. In Section 2, we will discuss techniques related to ours. In Section 3, we will define formally concepts related to railway networks. In Section 4, we will describe our method (as a black box) for determining the safety of a railway network. In Section 5, we will explain the basis of our algebraic approach based on the calculations of Groebner bases and normal forms. In Section 6, we will show the advantages of our model. As said above in this section, there are very many different approaches to decision making in a railway interlocking (see, e.g., the survey [8]), but usually the code is not available. That is why different approaches are described in Section 6 but the new system proposed is just compared with four (but very different) approaches, for which the complete implementation was available. Finally, in Section 8, we will set our conclusions.
2. Related Works2.1. An Overview of Different Approaches
In this section, we will analyze different approaches for the problem of detecting the safety of a certain situation in a railway network.
In the classic approach, admissible train routes are predefined. A route denotes a path along the topology of the station or junction (for instance a path from an entrance of the station to a certain track where the train will stop). Establishing a route implies adequately setting the switches of the turnouts and light signals along the train route. Once an engine driver has been given a proceed signal concerning a route, the route is locked (that is, it cannot be changed before the train has completely cleared it). The standard approach to railway interlocking systems design is to predefine the admissible train routes and to manually study in advance their compatibility.
Many works have been proposed for railway interlocking systems (see, for instance, the survey [8]). These works either are specifically designed for an existing railway system or develop a generic new model. The Ph.D. thesis [9] uses a theorem prover implemented in higher-order logic to detect the safety of a certain situation in a railway interlocking. This work is revisited using an annotated logic program with temporal reasoning in [10]. The work [6] uses ordered binary decision diagrams to model railway interlocking systems. The work [11] uses Z notation for an example in the Slovak National Railways. In [12], a VDM model is presented for a case in the Danish State Railways. In [13–15] statecharts are used instead.
An early topology-independent formal model is [16]. It uses different layers of abstraction (called domains). Petri nets are used for the dynamic domains and double point graphs as well as logic invariants for the static domains. It is implemented in Objective-C and PROLOG. Let us underline that it does not follow the standard approach to railway interlocking systems; the concept of routes has been replaced with a context-free check of the permissibility for each controlling command.
A generic tool for verifying and validating railway interlocking systems is detailed in [17]. The track interlocking tables corresponding to an existing tramway network is represented using a domain-specific language (DSL) as illustration, and they are automatically transformed into an executable control system model expressed in SystemC.
In [18] DSL is also used to represent and analyze the track layout diagrams, interlocking tables, and circuit diagrams of existing relay interlockings of the DSB (Danish state Railways).
In [19] the size of the layouts that can be addressed using formal methods for checking interlocking tables described with control tables is explored. The symbolic model checker NuSMV and the verification system SPIN are used and the conclusion is that these methods cannot be used to address large layouts.
The model checker NuSMV is also used in [20], where a formal model is built from a high-level (logic) description. The interlocking system is interpreted as an Abstract State Machine (ASM). The approach is applied to certain railway interlocking systems of Queensland Rails (QR) network.
Duration calculus, a specific technique for real-time systems [21], has also been applied to decision making in a railway interlocking [22].
2.2. Some Approaches with Available Code
The following topologically independent approaches do not consider the direction of the trains (allowing to directly deal with special situations like reversing loops and reversing triangles).
Model Based on Graphs. In [23] the problem is translated into graph theory language and treated using a matrices-based approach. This approach cannot be used for large railways networks because the matrices involved are square and sparse but N×N (where N is the number of sections of the network).
Algebraic Model. In [24], the problem is directly translated into an algebraic problem. According to this model, the safety of a railway network may be detected by calculating the Groebner basis [25–27] of a polynomial ideal. This approach is not suitable for large stations since the calculation of the Groebner bases of these polynomial ideals usually take a long time. These Groebner bases depend not only on the position of the switches of the turnouts and the color of the light signals, but also on the position of the trains. Curiously, computing times decrease in this model when the number of trains increases, as variables (representing sections) are substituted by numbers (representing trains).
Model Based on Boolean Propositional Logic. In [28], the problem is directly translated into many SAT problems which can be solved using an algorithm based on the DPLL technique [29]. Indeed, the safety of a railway network may be detected by solving N SAT problems where N is the number of sections of the railway network. These SAT problems depend on the position of the switches of the turnouts and the color of the light signals, as well as on the position of the trains. Like the previous approaches, this approach is not suitable for large stations, since many SAT problems need to be solved for a particular configuration of the railway network.
Logic-Algebraic Model. According to the model [30], the safety of the railway network may be detected by calculating a Groebner basis of an ideal of Boolean polynomials, G (which usually takes considerable time), and the normal forms of N polynomials modulo G (which is usually very fast computed). Like in [24], only a Groebner bases calculation is required for a particular state of the railway network. However, this model is much faster than [24], since the Groebner basis of this model (unlike the model [24]) is calculated on Boolean polynomials. This model is also faster than the previous one [28]. Nevertheless, this approach depends on the position of the trains and the performing time for calculations strongly depends on the number of trains.
ASP Model. According to [31], the problem to check the safety of the railway network is directly translated in the answer set programming (ASP) paradigm, defining relations and derived relations and solving the problem with logic techniques from ASP. This approach is much faster and efficient than previous approaches and thus can be applied to larger railway stations. From an operational point of view, the response time of this model depends on the number of trains in the station; i.e., more trains means more time to check the safety.
However, all of the previous approaches (except ASP) are not suitable for very large railway networks with many trains, since they involve long time to detect dangerous situation. In this paper, we will propose a completely new approach based on the calculation of a Groebner basis. In this new algebraic approach, unlike the algebraic approach in [24], we deal with Boolean polynomials and we use specialized algorithms for calculating Groebner bases over Boolean polynomials [32]. The approach here presented is completely different from [30]. Indeed, the set of polynomials for which we calculate the Groebner basis does not depend on the trains in the railway network (unlike [30]). As we will see in Section 6, once a precomputation has been performed, our approach is much faster than the previous ones (see Section 6) and is suitable for very large stations.
3. Basic Concepts regarding a Railway Interlocking System
Let us consider the tiny station in Figure 3(Notice that the turnouts represented in the figures are really punctual elements that do not represent section themselves, they only represent the connectivity between sections.). As may be seen, the railway network represented is divided into sections, denoted in this case S1,…,S11 (there is a light signal between sections S1 and S2, a turnout D1 connecting sections S2,S3 and S9, and another light signal between sections S10 and S9, and so on).
A very simple station.
Taking D1 on Figure 3 as example, the position of the switches can hold two states:
Direct track position: the switch of turnout T1 connects sections S2 and S3.
Diverted track position: the switch of D1 connects sections S2 and S9.
The position of the switches of the turnouts in Figure 3 is as follows: D1 is in the direct track position (connecting S2 and S3) and D2 in the diverted track position (connecting S11 and S6). Note the symbols under the turnouts.
In this paper only nontrailable turnouts will be considered. However, it will be easy to extend this approach in order to model trailable turnouts just adding more polynomials. Let us underline that a trailable turnout is a turnout that allows to be passed even when the switch is not in the correct position.
A light signal can hold two states:
Proceed, represented by or in the figures. For instance, in Figure 3, indicates “proceed", thus it is possible to pass from S1 to S2,
Stop, represented by or in the figures. For instance, in Figure 3, indicates “stop", thus it is not possible to pass from S4 to S5.
If, for instance, three trains are placed on S1,S10, and S8 (respectively), and the switch of D1 is in the direct track position, and the switch of D2 is in the diverted track position; , , indicate “proceed" and , , , indicate “stop" (see Figure 4); the proposed situation is dangerous because section S7 and S8 are reachable by the trains placed in S10 and S8.
Example of dangerous situation.
If, for instance, two trains are placed on S1 and S10 (respectively), and the switch of D1 is in the direct track position, and the switch of D2 is in the diverted track position; , , indicate “proceed" and , , , indicate “stop" (see Figure 5); the proposed situation is safe.
Example of safe situation.
More formally, let us consider a railway network with M sections and N trains placed in it. A section is a connected (single piece) part of the network, separated from the adjacent (neighbour) sections by a light signal or a turnout.
It is possible to pass from section Si to the adjacent section Sj if and only if
there is a turnout between sections Si and section Sj, and its switch directs trains from Si to section Sj and conversely (like S2 and S3 in Figure 3),
there is a light signal controlling the pass from Si to Sj, and it indicates “proceed” (for instance, the light signal controlling the movement from S1 to S2 in Figure 3, indicates “proceed”),
there is no light signal controlling the pass from Si to Sj, and they are not connected by a turnout, but there is a light signal controlling the pass from Sj to Si (like S2 and S1 in Figure 3).
We provide afterwards a recursive definition illustrating the idea that a train may reach a given section.
Definition 1.
The notion “a train ti can reach section Sj” is recursively defined as
if train ti is in section Sj then it can reach section Sj,
if train ti is in section Sl and it can reach section Sk and it is possible to pass from section Sk to section Sj according to the position of the switches and the color of the light signals, then train ti can reach section Sj.
Definition 2.
Let M be a positive integer, M≤N, and let {w1,w2,…,wM}⊆{1,2,…,N}. The position of M trains in sections Sw1,…,SwM (one in each section) is dangerous if and only if there is a section Si reachable from two sections Sj and Sk (j≠k) where two different trains are placed.
4. Overview of Our Approach4.1. Description
In this section we will describe the approach proposed for determining the safety of a railway network composed of N sections, denoted as S1,…,SN.
Our approach is based on defining a set of Boolean polynomials (that is to say, polynomials whose coefficients are in {0,1}) in variables s1,…,sN,t1,…,tN. A variable si and a variable ti are considered for each section Si in the railway network. More precisely,
a polynomial variable, si, is assigned to each section Si;
another polynomial variable, ti, is considered for each section Si. Let us underline that variables ti represent neither a section nor a train. The polynomial variables ti will be used to introduce both the allowed connectivity between sections (see the paragraphs immediately below and Section 5) and the sections occupancy (through the membership of some of these polynomial variables to a certain polynomial monomial that introduces the positions of the trains).
For a configuration of the railway network (defining the position of the switch of each turnout and the color of each light signal), we will consider the following steps.
Step 1.
Obtain a set K of polynomials according to the connectivity of the railway network: if it is possible to pass from section Si to section Sj, we will consider the polynomial ti+sitj. That is to say, we have that (1)K=ti+sitj∣itispossibletopassfromsectionSitosectionSj
Step 2.
Calculate the Groebner basis, G, of the following ideal: (2)I=K+s12+s1,…,sN2+sN,t12+t1,…,tN2+tN
(with respect to a certain order for the monomials and a certain order for the polynomial variables). Although Groebner bases [25–27] is a complicated concept of algebra to be completely detailed here, in Section 5.1, we will describe those properties of this concept which are relevant for our purpose.
Once these two steps are calculated, we can determine whether the position of a set of trains is dangerous or not. In this approach, a train only can be placed in one section at the same time, however, as we will see later in Section 7, we can extend the proposed model to take into account when a train occupies several sections at the same time.
Step 3.
Let M be a positive integer, M≤N, and let {w1,w2,…,wM}⊆{1,2,…,N}. For determining if the position of M trains in sections Sw1,Sw2,…,SwM (one in each section) is dangerous, we calculate the normal form of the monomial tw1tw2…twM modulo I (I can be given through the Groebner basis G previously calculated): (3)NFtw1tw2…twM,I
Like Groebner bases, the concept of normal form is also enough complicated to be completely described here. Nevertheless, in Section 5.1, we will describe those properties relevant for our purpose.
In this step we can detect if the position of the trains is dangerous. Indeed, as we will see in Theorem 9, we have that the position of the trains is dangerous if and only if NF(tw1tw2…twM,I) contains a number of tα variables lower than M.
As we will see, Step 1 and Step 2 are only needed to be performed again if the configuration of the railway network changes. Only Step 3 must be performed (which is very fast done, around 0.0001 seconds) for different placement of the trains. As we have previously stated, this is an important advantage of the present approach over the previous approaches, which require to completely run the algorithm for different positions of the trains.
4.2. Example of the Approach
Let us consider the example of the railway network depicted in Figure 3. Since this railway network contains 11 sections, we will make use of polynomials in variables s1,…,s11,t1,…,t11.
Step 1.
We calculate the set K of ti+sitj polynomials related to the connectivity of the railway network (defined in Step 1 of Section 4.1):(4)K=t1+s1t2,t2+s2t1,t2+s2t3,t3+s3t2,t3+s3t4,t5+s5t4,t9+s9t10,t10+s10t11,t11+s11t10,t6+s6t11,t6+s6t7,t7+s7t8,t8+s8t7
(for instance, t1+s1t2 is included in K because it is possible to pass from section S1 to section S2). Observe that trailing through a switch set against is not allowed. Then it is as if the turnout was guarded by (possibly) nonexistent light signals. For instance, it is considered that moving from s9 to s2 and from s5 to s6 is forbidden.
Step 2.
We calculate the Groebner basis of the ideal:(5)I=K+s12+s1,…,s112+s11,t12+t1,…,t112+t11:and(6)G=t1+s1t2,t2+s2t1,t2+s2t3,t3+s3t2,t3+s3t4,t5+s5t4,t9+s9t10,t10+s10t11,t11+s11t10,t6+s6t11,t6+s6t7,t7+s7t8,t8+s8t7is obtained.
Step 3.
Once the Groebner basis is calculated, we can immediately determine if the position of a set of trains is dangerous for this configuration of the railway network.
As example, if there are three trains respectively placed in sections S1S10S8, in order to determine if the position of the trains is dangerous, we just simply need to calculate: (7)NFt1t10t8,I=t4t11
As may be seen, there are only two variables tα in NF(t1t10t8,I)=t4t11, which is lower than the number of trains. Therefore, we determine that the position of the trains in {S1,S10,S8} is dangerous (as may be seen, section S7 is reachable from sections S8 and section S11, where trains are placed).
As example, if there are now two trains respectively placed in sections S1,S10, in order to determine if the the position of the trains is dangerous we just simply need to calculate: (8)NFt1t10,G=t1t11
As may be seen, there are two variables tα in NF(t1t10,I)=t1t10, which is equal to the number of trains in the railway network. Therefore, we determine that the position of the trains in {S1,S10} is not dangerous.
5. Theoretical Foundations of Our Approach
In this section we will detail the theoretical foundations of our algebraic approach for the problem of detecting dangerous situation in a railway network. In Section 5.1, we will give some outlines about concepts of computer algebra (like Boolean polynomials, ideals, Groebner bases, normal forms) which are relevant for this paper. In Section 5.2 we will describe the problem of detecting dangerous situation in an interlocking system by means of states and transformation of the states by means of operations. As we will see in Section 5.3, these states may be represented in algebraic terms (by means of Boolean monomials) which will allow us to determine whether the position of the trains is dangerous or not.
5.1. Some Introductory Notes about Boolean Polynomials and Ideals
In this section we will describe some outlines about Boolean polynomial. A polynomial p∈Z2[x1,…,xN] is a polynomial in the variables x1,…,xN whose coefficients lie in the field Z2={0,1}. An example of this kind of polynomials is (9)p=x1x27+x3+x2x3x4
We must take into account the fact that the coefficients lie in Z2, and therefore, we have that (since 1+1=0 in Z2), for example, (10)x1x2+x3x4+x3x4=x1x2+1+1x3x4=x1x2
As we have previously seen, the concept of ideal will play an important role in our approach. An ideal is a special kind of subset of a ring: it is also a ring and has the curious property that the product of an element of the subring by an element of the ring (and vice versa, if the ring is not a commutative one) always belongs to the subring. For instance, the set of even numbers is an ideal of the integers. In our case, the ideal J, generated by p1,…,pm, denoted J=〈p1,…,pm〉, turns out to be the set of polynomials of the following form: (11)β1p1+…+βmpmwhere β1,…,βN are polynomials in Z2[x1,…,xN], that is, J is the set of algebraic combinations of p1,…,pm.
Given a polynomial p, we define p+J as the set of polynomials of the form p+q where q∈J. It is possible that p+J=q+J although p≠q.
Example 3.
Let us consider the ideal J=x1+x2x3,x2+x3x4 and the polynomial p=x1x4+x2. We have that (12)p+J=x1x4+x2+J=x2x3x4+x2+Jx1=x2x3becausex1+x2x3∈J=x32x42+x2+J1stocurrenceofx2=x3x4becausex2+x3x4∈J=x32x42+x3x4+J2ndocurrenceofx2=x3x4becausex2+x3x4∈J
In this paper, we will consider polynomials in Z2[s1,…,sN,t1,…,tN]. The ideal I defined in Section 4 is generated by the following polynomials:
The polynomials si2+si, ti2+ti∈I,i=1,…n,. This involves that, for every polynomial p, we can get a polynomial q such that p+I=q+I and the exponents of all the variables in q is 1.
Example 4.
Let us consider, for example, the ideal I and the polynomial p=s12t23+s1t2+s13. We have that (13)p+I=s12t23+s1t2+s13+I=s1t22t2+s1t2+s12s1+Is12=s1,t23=t22t2ands13=s12s1=s1t2t2+s1t2+s1s1+It22=t2ands12=s1=s1t22+s1t2+s12+It2t2=t2ands1s1=s12=s1t2+s1t2+s1+It22=t2ands12=s1=s1+I2s1t2=0
Remember that (as we have seen before) (14)K=ti+sitj∣itispossibletopassfromsectionSitosectionSjand (15)I=K+s12+s1,…,sN2+sN,t12+t1,…,tN2+tN
The polynomial ti+sitj∈I if it is possible to pass from section Si to section Sj. This involves that for every monomial t1·…·tn we can obtain other monomials in variables t and s.
Example 5.
In the example of the railway network described in Figure 3, we have that p=t1t10t8: (16)p+I=t1t10t8+I=t1t10s8t7+It8=s8t7becauset8+s8t7∈I=t1s10t11s8t7+It10=s10t11becauset10+s10t11∈I=t1s10s11t6s8t7+It11=s11t6becauset11+s11t6∈I=t1s10s11s6t7s8t7+It6=s6t7becauset6+s6t7∈I=t1s10s11s6t72s8+It7t7=t72=t1s10s11s6t7s8+It72=t7=t1s10s11s6t8+Is8t7=t8becauset8+s8t7∈I
By means of these substitutions induced by the ideal I, we can obtain, for every monomial p, another monomial q whose variables are to power 1 and such that p+I=q+I.
An important solved issue in computer algebra is to find the “simplest” monomial q such that q+I=p+I. In a formal way, we pose the problem of finding the minimal polynomial q (where a total order between monomials, ⪯, must be defined) such that p+I=q+I. This polynomial q is what is called normal form of p modulo the ideal I (under the order ⪯), NF(p,I), which can be calculated by performing pseudodivisions of the polynomial p by a Groebner basis of the ideal I (which are required to be previously calculated). In this way, the concept of normal form requires defining a monomial order.
For the purpose of this paper, we will define the following order between monomials:
If p contains a lower number of tα variables than q, we have that p⪯q.
If p contains exactly the same number of tα variables as q, we have that p⪯q⇔p⪯Lexq, where ⪯Lex is the typical lexicographical order used in computer algebra.
By means of this order ⪯, the normal form of p modulo I, NF(p,I), returns the monomial q with minimal number of variables in t such that p+I=q+I. Next equations are examples of ⪯ order used in this approach: (17)s3⪯t1=Truet1⪯s3=Falset2⪯t1=Truet1⪯t2=Falses1⪯s2=False
5.2. An Approach to the Railway Interlocking Problem Based on States
Here we will see how the interlocking problem can be described by means of states which are transformed by means of operations. On the one hand a state describes the sections where the trains are presently placed in the railway network at a given moment; on the other one, past states describe the sections where the trains were placed in the railway network in the past. Operations of the states (i.e., transitions between states) represent possible movements of the trains in the railway network.
For our purpose, each state is described by a subset of variables s1,…,sN, t1,…,tN.
The following are examples of possible states of the railway network in Figure 3: E0=t1t10t8,E1=t1t10s8t7,E2=t1s10t11s8t7,E3={t1s10s11t6s8t7},E4={t1s10s11s6t7s8t7},E5={t1s10s11s6t8}.
We can transform a state Ei into another one Ej by means of one of these operations (we will denote Ei→Ej):
When it is possible, substitute all ti in Ei by the monomial sitj∈I if it is possible to pass from Si to Sj. For example, we have that E0→E1 (E0={t1t10t8} and E1={t1t10s8t7}) by substituting t8 by s8t7, because t8+s8t7∈I.
When it is possible, substitute all sitj in Ei by the variable ti∈I if it is possible to pass from Si to Sj. For example, we have that E4→E5 (E4={t1s10s11s6t7s8t7} and E5={t1s10s11s6t8}) by substituting s8t7 by t8, because t8+s8t7∈I.
Variables t and s in these states inform about possible movements of the trains. Variables t indicate the present position of the trains, and variables s the sections through which these trains have gone. Indeed,
the state E0={t1t10t8} represents that there are trains in the sections S1,S10, S8 (variables t1,t10,t8 appear in E0);
the state E1={t1t10s8t7} represents that there are trains in the sections S1,S7,S10 (variables t1,t7,t10 appear in E1) and that (at least) one of these trains has passed through the section S8 (variable s8 appears in E1);
the state E2={t1s10t11s8t7} represents that there are trains in the sections S1,S7,S11 (variables t1,t7,t11 appear in E2) and that (at least) one of these trains has passed through the sections S8,S10 (variables s10,s8 appear in E2);
the state E3={t1s10s11t6s8t7} represents that there are trains in the sections S1,S6,S7 (variables t1,t6,t7 appear in E3) and that (at least) one of these trains has passed through the sections S8,S10,S11 (variables s8,s10,s11 appear in E3).
As may be seen, states E0,E1,E2, E3 contain the same number of variables t representing the position of the trains in different times. However, we can transform the state E3={t1s10s11t6s8t7} into the state E4={t1s10s11s6t7s8t7}={t1s10s11s6t7s8} by substituting t6 with s6t7 (the train which was in section S6 moves to section S7). In this case, the number of “t” variables is lower than the cardinal of E3, since the variable t7 (that we add with the operation) indeed belongs to the previous state E3. The operation means that the train which was in section S6 moves to section S7, and, since section S7 was occupied by another train, a possible collision may happen.
Following this reasoning, we have the following.
Proposition 6.
Let M be a positive integer, M≤N, and let {w1,w2,…,wM}⊆{1,2,…,N}. The position of M trains in sections Sw1,Sw2,…,SwM (one in each section) is dangerous ⇔ the state E0={t1…tM} can be transformed into a state Ez with a number of tα variables lower than M.
In the previous example we had {t1t10t8}=E0→E1→E3→E4={t1s10s11s6t7s8}. According to the previous proposition, the position of the trains in sections S1, S10, S8 (related to the state E0={t1t10t8}) is dangerous in the railway network (as we saw in Section 3).
5.3. Interpretation of States in Algebraic Terms
In this section, we will represent each of the states described in the previous section by means of a Boolean monomial. As we will see, this representation will be useful for determining whether the position of the trains is dangerous or not.
We represent each state E, a set consisting in one monomial, by means of precisely such monomial, so φ(E)∈Z2[s1…,sN,t1…,tN], and can be expressed as follows: (18)φE=∏i∈S^si∏j∈T^tjwhere S^,T^⊆{1,…,N}∧T^≠∅. In this way, we have the following:
φ(E0)=φ({t1t10t8})=t1t10t8
φ(E1)=φ({t1t10s8t7})=t1t10s8t7
φ(E2)=φ({t1s10t11s8t7})=t1s10t11s8t7
φ(E3)=φ({t1s10s11t6s8t7})=t1s10s11t6s8t7
φ(E4)=φ({t1s10s11s6t7s8})=t1s10s11s6t7s8
As we saw in Section 5.1, the operations previously defined for transforming a state E1 into E2 are completely related to the fact that φ(E1)+I=φ(E2)+I. Therefore, we have the following.
Proposition 7.
Let Ea,Eb be two states. We have that (19)Ea→Eb⇔φEa+I=φEb+I
Let us clarify this proposition with the example of Figure 6. In this case we have that K={t1+s1t2} because the light signal represented by indicates “proceed", thus I=K+{t1+t12,t2+t22,s1+s12}.
Two sections connected.
We can define as possible states Ea,Eb,Ec where (20)φEa=t1+Itraint1isplacedins1φEb=t2+Itraint2isplacedins2φEc=s1t2+It1=s1t2becauset1+s1t2∈IState Ec is equivalent to state Ea and different from state Eb (Ea→Ec and Ec→Ea). Calculating NF(φ(Ea)·φ(Eb)) that represents two trains placed in sections s1 and s2 respectively, we have that (21)NFφEa·φEb=t1t2+I=s1t2t2+It1=s1+t2becauset1+s1t2∈I=s1t2+It22=t2
Consequently, Proposition 6 can be stated in the following way.
Proposition 8.
Let us consider a railway network composed of N sections, let M be a positive integer, M≤N and let {w1,w2,…,wM}⊆{1,2,…,N}. The position of M trains in sections Sw1,Sw2,…,SwM (one in each section) is dangerous ⇔ there is a monomial p with a number of tα variables lower than M, such that p+I=tw1tw2…twM+I.
In order to find this polynomial p, we make use of NF(tw1tw2…twM,I), the normal form of the monomial modulo the ideal I. According to Section 5.1, NF(tw1tw2…twM,I), returns the monomial p with minimal number of tα variables such that p+I=tw1tw2…twM+I. Consequently, we have the following result.
Theorem 9.
Let us consider a railway network composed of N sections and let M be a positive integer, M≤N. The position of M trains located in sections Sw1,Sw2,…,SwM is dangerous ⇔NF(tw1tw2…twM,I) contains a number of tα variables lower than M.
6. Evaluation and Discussion
In this section, we will analyze the performance of the approach presented here, comparing it with other techniques with available implementations. Indeed, we have made a comparison between the times required to calculate the safety of the railway network with different N sections and M trains. All experiments have been carried out on the same computer.
6.1. Comparing the Performances of the Logic, Algebraic, and Logic-Algebraic Models
In Table 1, a comparison between the times required to calculate the safety of certain railway networks in different situations using different models is shown. The Logic [28], Algebraic [24], and Logic-Algebraic [30] models were implemented in the computer algebra system Maple.
Time comparative of methods implemented in for detecting the safety in a railway interlocking system with N sections and M trains.
M=15N=32
M=15N=64
M=45N=93
M=60N=127
M=65N=160
M=105N=224
Logic
10.23 s
250.250 s
>1 h
>1h
>1h
>1h
Algebraic
15.356 s
380.368 s
>1 h
>1h
>1h
>1h
Logic-Algebraic
0.005 s
0.060 s
1.1 s
3.348 s
10.323 s
38.392 s
We can state that these three models are strongly dependent on the number of sections and trains. From the experiments carried out (and as can be seen in the first two columns of Table 1), we can affirm that timings grow very quickly with the number of sections. The timings obtained make it clear that these models are not appropriate for middle size or large size railway networks.
Regarding the influence of the number of trains on timings, they grow quickly both in the Logic and Logic-Algebraic models. In the Algebraic Model, the polynomial variable corresponding to the section is substituted by an integer number when a train is declared to be in a certain section. Therefore more trains mean less variables in the Groebner basis. So, curiously, if the number of sections is fixed, timings decrease if the number of trains increases. In the degenerated case of one different train in each section, we would have time to be equal to 0 in the Groebner basis computation, as there is no variable left.
6.2. Comparing the Performances of the ASP and the New Model
Meanwhile, the ASP model [31] and the new proposed model can be applied to large railway networks. We have used as example for the benchmarks Madrid Chamartin station in its state prior to the transformation of some of its tracks into international gauge [33], with 300 sections and more than 200 turnouts and light signals.
The ASP model was implemented in Smodels. Finally, the model introduced in this article has been implemented in PolyBoRi [32], an specialized software to calculate Groebner bases and normal forms on Boolean rings. Table 2 shows the times obtained considering different numbers of trains (Times in Smodels are calculated taking into account the lparse and smodels executions. We apply the same rule in PolyBoRi.).
Time comparative between the ASP model and the new model, with 300 sections and M=5,15,30 trains.
M=5N=300
M=15N=300
M=30N=300
ASP
0.646s
0.716s
0.799s
New model (GB preprocess)
2.3s
2.3s
2.3s
New model (NF)
0.0001s
0.00039s
0.0054s
The main results from Table 2 are, one the one hand, that the efficiency of our method is always high superior to the other approaches tested when the GB is previously calculated; on the other hand, the time to calculate the GB is reasonably fast (e.g., ~2.3s for Chamartin Station), providing very competitive times for large networks. Moreover, the Groebner bases computed in the preprocess step can be stored and used in case the same situation is proposed again. Let us observe that our two steps method connects somehow with the traditional methods that check the compatible routes in advance.
In our approach, computation timings for the Groebner bases preprocess grow when the number of sections increases (as happens in all the other models).
But, unlike the other approaches, ours does not need to perform all the calculations for the different positions of the trains for a given specific particular state of the turnouts and light signals. Indeed, we only need to calculate the normal form of one monomial (once the Groebner basis is calculated for this particular state of turnouts and light signals), as detailed in Theorem 9. The time for calculating this normal form grows with the number of trains, as can be seen in Table 2. Nevertheless, these timings of this second step have always been negligible (lower than 0.01s in all the experiments carried out, regardless of the size of the railway network or the number of trains).
On the contrary, the other approaches require to recalculate all the computations.
6.3. Comparison: Final Remarks
The approach presented in this paper only focuses on the safeness of the proposed situation; meanwhile other approaches like [23, 34] also consider other properties such as reachability of sections or the situation of the switches of the turnouts under a train (that shouldn’t be changed under any circumstance to avoid derailments due to a premature change of the switch during the transit of the train). Another issue not treated in our model is the confirmation that the switches of the turnouts and the light signals have really been set to the ordered situation (something considered, for instance, in [34]; this latter approach uses a real-time system, a flexible approach with a wide variety of applications [21]).
On the other hand, our new approach can handle really big layouts (like the one in the example of Table 1, with, as said above, 300 sections and more than 200 turnouts and light signals, what is a far bigger layout than any one that we have found treated in real time). For instance, the authors of [34] mention that “our study is unique in the fact that modeling and verification of mid to large size railway yard is being undertaken in UPPAAL model checker (…)” and the example presented (Rawalpindi Cantt station) has 25 semaphores and 27 mechanically operated points.
7. Model Extension for Trains Occupying Several Sections at the Same Time
Two trains are represented in Figure 7, one placed on section S10 and another one placed on sections S1,S2 at the same time. It is common to find these situations in a real railway when several trains can occupied several sections at the same time.
Possible situation of trains occupy several sections at the same time. The situation is safe.
In order to check the safety of a railway network with M trains that can occupy several sections at the same time, we will redefine Step 3 of Section 4 as follows.
Step 3.1. As long as E represents the sections occupied by a given train T, we calculate NF(φ(E),I)=E′. E′ is a reduced initial state representing the sections occupied by a train.
Step 3.2. Once M initial states E1′,…,EM′ have been calculated, we calculate the joint state E′′ which φ(E′′)=NF(φ(E1′)·…·φ(EM′),I) of all initial states.
Step 3.3. For determining if the position of M trains with initial states E1′,…,EM′ is dangerous, we need to check if (22)∑i=1MηEi′>ηE′′
where η(E)→N is a function that returns the number of tα variables in the monomial φ(E).
Example 10.
As example, the safety of the railway network on Figure 7 will be checked.
Step 3.1. The first train is represented by E1={t1t2} and the second one is represented by E2={t11}. Therefore, the initial train states will be (23)E1′=NFt1t2,I=t4s3E2′=NFt10,I=t11
Step 3.2. Joint calculations of all initial states are (24)E′′=NFφE1′·φE2′,I=t4t11
Step 3.3. Check the number of variables t in both monomials: (25)ηE1′+ηE2′=ηE′′=2so we have that the proposed situation of the trains on Figure 7 is safe.
Example 11.
Let us propose another example where the situation in the railway network is dangerous. Figure 8 represents two trains, one located in S10 and another one located on S6,S7,S8. In order to check if exists a dangerous situation, we will calculate the following.
Step 3.1. The first train is represented by E1={t10} and the second one is represented by E2={t6t7t8}. Therefore, the initial train states will be as follows: (26)E1′=NFt10,I=t11E2′=NFt6t7t8,I=t11
Step 3.2. Joint calculations of all initial states are(27)E′′=NFφE1′·φE2′,I=t11,
Step 3.3. Check the number of variables t in both monomials: (28)ηE1′+ηE2′>ηE′′So we have that the proposed situation of the trains on Figure 8 is dangerous.
Possible situation of trains occupying several sections at the same time. The situation is dangerous.
8. Conclusions
In this paper we have presented a new algebraic model for railway interlocking systems. According to this new model, the position of the trains in a railway network is dangerous if and only if the normal form of a certain monomial (representing the present position of the trains) contains a lower number of tα variables than the number of trains in the railway network. We have implemented this model on the computer algebra system PolyBoRi resulting in a very short program code. Moreover, we have compared the execution times with other very fast models implemented previously.
AppendixSmodels Code
As said above, the code has been developed in Smodels. The maximum number of trains and sections has been set to 300 in the ring definition (function __init__(self)) in order to book memory space, but these values can be increased. The whole code is included afterwards, except
the body of the definition of Buchberger function (that computes Groebner bases), taken from http://polybori.sourceforge.net/doc/tutorial/tutorialse3.html has been substituted by “...”,
the input corresponding to the connectivity between sections, included in function define_ideals(self) has been shortened (substituting all the polynomials but three by “…”).
The code used in the tests is as follows:
import time
from polybori.PyPolyBoRi import *
from polybori.gbcore import *
from polybori import *
from polybori.interred import *
from polybori.nf import *
from polybori.gbrefs import *
class Safety:
def __init__(self):
""" Variables ring declaration in Z2 by default in
PolyBoRi
"""
r = declare_ring([Block("t", 300), Block ("s", 300)],
globals());
def _buchberger(self, l):
⋯
⋯
return g
def define_ideals(self):
""" Define the main Ideal
"""
# Init timer to calculate elapsed time
t_start = time()
# Ideal definition
self.K = [t(2) + s(2) * t(1),
t(3) + s(3) * t(2),
⋯
⋯
(t(275) + s(275) * t(265))]
def calculate_gb(self):
""" Computes the Groebner Basis of a given Ideal K
"""
# Calculate Groebner basis
self.gb = self._buchberger(self.K)
def get_gb_polys(self, gb):
""" Returns the polynomials of a computed Groebner Basis
"""
return [poly for poly in gb]
def calculate_nf(self, poly):
""" Computes and returns the normal form of a polynomial
"""
return self.gb.nf(poly)
if __name__ == ‘ __main__’:
t_start = time()
# Create object
safety = Safety()
# Define main ideal
safety.define_ideals()
# Calculate Groebner Basis
safety.calculate_gb()
print("Elapsed time: %f" % (time() - t_start))
# Get polynomials from the Groebner basis
print(safety.get_gb_polys(safety.gb))
# Calculate Normal Form of a given polynomial
t_start = time()
print(safety.calculate_nf(t(0) * t(1) * t(4)))
print("Elapsed time: %f" % (time() - t_start))
(In the last procedure that there are trains in sections 0, 1, and 4 introduced as data.)
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work was partially supported by the research projects TIN2015-66471-P (Government of Spain) and CASI-CAM S2013/ICE-2845 (Comunidad Autónoma de Madrid).
AnonymousProyecto y obra del enclavamiento electrónico de la estación de Madrid-Atocha. Proyecto TécnicoSiemens, Madrid, 1988AnonymousMicrocomputer Interlocking HilversumSiemens, Munich, 1986AnonymousMicrocomputer Interlocking RotterdamSiemens, Munich, 1989AnonymousPuesto de enclavamiento con microcomputadoras de la estación de Chiasso de los SBBSiemens, Munich, 1989VillamandosL.WinterK.JohnstonW.RobinsonP.StrooperP.van den BergL.CantT.Tool Support for Checking Railway Interlocking DesignsProceedings of the 10th Australian Workshop on Safety Related Programmable Systems2006Sydney, AustraliaAustralian Computer Society, Inc.101107BorälvA.Case Study: Formal Verification of a Computerized Railway InterlockingBjørnerD.The FMERail/TRain Annotated Rail Bibliographyhttp://www2.imm.dtu.dk/db/fmerail/fmerail/, 2005MorleyM. J.NakamatsuK.KiuchiY.SuzukiA.NegoitaM. G.EVALPSN Based Railway Interlocking SimulatorJanotaA.Using Z specification for railway interlocking safetyHansenK. M.Formalising Railway Interlocking SystemsChenX.HuangH.HeY.Automatic Generation of Relay Logic for Interlocking System Based on Statecharts2Proceedings of the 2010 Second WRI World Congress on Software Engineering WCSE2010Los Alamitos, CA, USAIEEE18318810.1109/WCSE.2010.31ChenX.HeY.HuangH.An approach to automatic development of interlocking logic based on statechartChenX.HeY.HuangH.A component–based topology model for railway interlocking systemsMontigelM.HaxthausenA. E.PeleskaJ.KinderS.A formal approach for the construction and verification of railway control systemsHaxthausenA. E.MargariaT.SteffenB.Automated generation of safety requirements from railway interlocking tablesFerrariA.MagnaniG.GrassoD.FantechiA.SchniederE.TarnaiG.Model checking interlocking control tablesProceedings of the Formal Methods for Automation and Safety in Railway and Automotive Systems FORMS/FORMAT 20102011Berlin, GermanySpringer1071152-s2.0-84868270514WinterK.RobinsonN. J.OudshoornM.Modelling large interlocking systems and model checking small ones16Proceedings of the 26th Australasian Computer Science Conference (ACSC’2003)2003Australian Computer Science Communications309316ZhouC.HansenM. R.VeloudisS.NissankeN.RavnA. P.RischelH.Duration Calculus in the specification of safety requirementsRoanes-LozanoE.LaitaL. M.An applicable topology-independent model for railway interlocking systemsRoanes-LozanoE.Roanes-MacíasE.LaitaL. M.Railway interlocking systems and Gröbner basesAkritasA. G.BuchbergerB.An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial idealCoxD.LittleJ.O'SheaD.Roanes-LozanoE.HernandoA.AlonsoJ. A.LaitaL. M.A logic approach to decision taking in a railway interlocking system using MapleDavisM.LogemannG.LovelandD.A machine program for theorem-provingHernandoA.Roanes-LozanoE.Maestre-MartínezR.TejedorJ.A logic-algebraic approach to decision taking in a railway interlocking systemRoanes-LozanoE.AlonsoJ. A.HernandoA.An approach from answer set programming to decision making in a railway interlocking systemBrickensteinM.DreyerA.A framework for Groebner-basis computations with Boolean polynomialsAnonymousAtlas of High Speed Rail in SpainFundación de los Ferrocarriles Españoles, Madrid, http://www.ave-altavelocidad.es/AtlasAV.pdf, 2017KhanU.AhmadJ.SaeedT.MirzaS. H.On the real time modeling of interlocking system of passenger lines of Rawalpindi Cantt train station