Validation of Interlocking Systems by Testing their Models

An interlocking system monitors the status of the objects in a railway yard, allowing or denying the movement of trains, in accordance with safety rules. These rules depend on the topology of the station and hence every single delivered system obeys a particular set of rules. On the other hand, being safety critical systems, interlockings are subject to expensive certification processes. Part of these costs are due to the fact that testing has to be repeated for each delivered product; moreover, due to the complexity of such topologies, the test suites may be very large, and different for each product. In this paper we show how the problem has been addressed at the final validation stage of production interlocking systems, by extracting a model of the implemented interlocking logic from the on-target description of the topology. This model is exercised with the planned test suite. Since simulation appears to be more than an order of magnitude faster than testing the target, early discovery of bugs in the description of rules or of inaccuracies in the test suite can spare hours of rework on the target.