VDM-RT Interlocking Model Clause Samples
VDM-RT Interlocking Model. The VDM-RT interlocking controller is in essence a finite automaton whose state is determined by the configuration of five relays R1-R5, each corresponding to a particular route being activated (locked). A fundamental safety property is that two different routes can only be activated simultaneously if their paths do not intersect. Moreover, signals and point switches have to be set consistently with the activated routes at any given time. To capture the core algorithmic behaviour of the interlocking system, we introduce a variable Relay to record the state of relay switches as a boolean vector. The interlocking software controller is then modelled by virtue of a cyclic executive that periodically performs the following sequential tasks:
1. Activate (lock) routes requested by a telecommand.
2. Deactivate routes once a train has passed through them.
3. Adjust railway switches consistently with the enabled routes.
4. Set signals consistently with the enabled routes.

The sequential program logic that performs the locking of routes (task 1) is included in Fig. 6. We note that hwi is a VDM++ object that provides the hardware interface (inputs and outputs) of the controller. For locking (1) to occur, a telecommand must have been issued that requests the respective route; this is achieved by the condition on the bit vector TC that cumulatively records the telecommands recorded by all three telecommand stations. The constraints on Relay ensure that locked routes are non-intersecting, so that trains can pass without crossing each other's paths. Lastly, we have additional constraints on the CDV signal that ensure that the track segments of the route to be locked are not still occupied by a previous train. Where there is contention of two trains requesting intersecting routes, the sequential program logic ensures that one of them is given precedence to proceed, while the other has to wait.
