Modelling Safety Monitors of Safety-Critical Railway Systems by Formal Methods

Condition monitoring or safety monitor is a cost-effective safety protection technique which is widely used in safety-critical industries, such as nuclear plants and aerospace operation. The adoption of safety monitor offers continuous or real-time safety protection at a high level of diversity and its implementation is relatively simple and thus cost-effective for safety verification and validation. In practice, the safety monitors are practical to improve the overall system safety because: 1) Safety monitors are generally small and do not normally have complex algorithms; 2) Safety monitors normally involve checking the essential safety features/properties of the large safety-critical railway systems during their operations; 3) Safety monitors are often independent of existing systems. It can be taken as an add-on safety feature and it is physically and functionally separated from the existing systems, which boosts the reliability of the system. In general, the safety monitors of safety-critical railway systems must achieve the same level or higher level of the integrity and safety required by the monitored systems. Formal method approach provides a traceable and accountable approach to understand, plan and manage safety of safety-critical railway systems, and is an effective technique to improve the overall system safety and reliability. Safety monitors normally have many safety properties in logic condition forms need to be satisfied, and it is the domain that formal methods are good at and should be applied to. This paper discusses a development process to utilise the formal methods to improve the safety and quality of safety critical railway systems. A simple example on railway signalling is then given to demonstrate the application of formal methods in safety-critical transport system.