Requirements-arkiv - Prover - Engineering a Safer World

How to establish quality specifications in the tender phase of your rail control project

Anders Linden — Fri, 24 Mar 2023 13:09:42 +0000

Of all the steps involved in the tendering process for railway signaling systems, writing the specifications that you will later hand over to suppliers is one of the most consequential when it comes to determining how smooth and successful the rest of your project will be.

Here, we will explain how you can succeed in establishing quality specifications at the start of your rail control project by developing a digital twin using formal methods.

Why having quality specifications in the tender phase matters

Clearly specifying your needs, requirements, and expectations is a critical first step in the tendering process. Any errors or omissions in your specifications will have an impact on the later steps in the tendering and development process. And since they were introduced early and discovered late, such errors will be costly to correct.

Common specification issues:

Incomplete: Specified requirements fail to mention necessary parts of the system or lack sufficient details
Inconsistent: Specified requirements are contradicting, making realization impossible
Incorrect: Specified requirements are simply wrong

Taking the time to ensure your specifications are as complete, consistent and correct as possible—not to mention easy to read and understand by suppliers—will help you avoid these issues and prevent the delays and increased costs associated with fixing them later on.

A digital twin makes it possible to validate requirements and spot specification issues upfront

Taking the initiative to create a digital twin at the start of your rail control project before tendering begins enables you to formulate and evaluate more clear and precise requirements for your rail control system. It will also help you ensure that these requirements can be realized in an actual system, and that they are verifiable.

Beyond the tendering process, a digital twin can advantageously be used throughout the lifecycle of your rail control system to reduce costs related to upgrades or the addition of new features during the maintenance phase.

Benefits of using a digital twin during tendering:

Simplified procurement processes
More efficient validation and verification process
Reduced risk of misunderstandings and project delays
More predictable delivery schedules and costs
Less time needed for costly on-site tests
Minimizes the risk of error discovery late in the procurement process
Easier to accurately gauge whether systems comply with requirements

How to develop the digital twin using formal methods

The digital twin is best developed in an iterative, test-driven, and agile process consisting of three basic steps. Using formal methods enables the development of specifications, digital twins, and actual systems, through the use of a set of automation tools and processes called Signaling Design Automation (SDA). Being formal, such methods offer enough detail in order to be analyzed for completeness, consistency, and correctness.

1. Gather and analyze input
The process starts with an analysis of the needs and information available, which helps define the test and safety requirements on a high level. Tender requirements, use cases, legacy systems, applicable standards, interfaces, rules, regulations, and project scope all provide input to this task.

2. Formulate requirements and define the object model
Formulate the test and safety requirements in natural language using an Object Model that defines the objects in the system and how they interact. The test and safety specifications are then used to define the design specification, for the implementation of the system. The specifications are formalized so that they can be interpreted by automation tools for configuration, design, implementation, testing, and verification.

3. Configure your applications and validate the requirements
Specify the configuration data that will be used to create instances, or Specific Applications, of the Object Model. The formalized requirement specifications are then validated with formal verification and simulation using the Specific Applications. Specifications are then updated based on these results, in an iterative and agile process.

Questions? Book a meeting with us to learn more about how to secure high quality specifications for your rail control project.

How safe and efficient are your rail control systems? Let’s find out!

Inlägget How to establish quality specifications in the tender phase of your rail control project dök först upp på Prover - Engineering a Safer World.

Developing specifications with digital twins

Gunnar Smith — Mon, 30 May 2022 13:37:36 +0000

Requirements

Requirements in rail control projects are essential for ensuring safety and reliability. These requirements define what the system must do and how it must behave. To ensure high-quality requirements, we use formal methods and simulation to validate them. This involves creating a digital twin of the existing and future system, which is used for formal verification and testing.

In this guide you will learn:

A simplified procurement processes
Reducing the risk of misunderstandings and project delays
More predictably delivery schedules and costs
An efficient validation and verification process

Yes please, send me the guide!

Table of Content

Introduction
The importance of quality specifications
Using digital twins in the tender process
How to develop specifications using digital twins and formal methods
Case study

Introduction

How to get your rail control project off to a better start

Advancing the digital transformation is the key to meeting demands for efficient rail transportation, and one important enabler of this is the uptake of new fundamental technologies such as digital twins. In this guide, we focus on how the specification phase of rail control projects can be improved by using formal methods and digital twins. Getting the specifications right from the start, already at the tendering phase, will help you avoid costly specification missteps and, ultimately, carry out a more successful rail control project.

What’s a digital twin and how does it benefit the rail sector?

A digital twin is essentially a virtual, interactive replica of a real physical system, asset or process, including its real-time characteristics and behaviors. Applied to the railway sector, a digital twin encompasses the entire infrastructure – from stations, rolling stock, and signals, to the coordinating IT systems.

Infrastructure managers as well as remote repair crews and station staff stand to benefit from having a digital twin of a railway. With access to a real-time 3D representation of the entire railway infrastructure, maintenance and repairs can be performed faster, and more proactive decisions can be made to prevent safety hazards and costly mistakes, while improving overall efficiency.

But the digital twin is also immensely beneficial when put to use early on – before a railway’s system has even been specified – to ensure the right system is built in the first place.

Using digital twins to develop better rail control systems

Creating a digital twin at the start of a rail control project, before tendering begins, enables infrastructure managers to formulate and evaluate more precise system requirements and, ultimately, procure better systems at a more reasonable price.

At Prover we recommend developing a digital twin by using a process based on formal methods and design automation. This approach minimizes the effort required for development, and provides efficient tools for the simulation, validation and verification of requirement specifications.

Suppliers can use the digital twin as input for the detailed design, using automation tools for code generation, testing, and verification, and further shortening project schedules and reducing costs. The digital twin can then be used throughout the lifecycle of the rail control system, reducing costs related to upgrades and adding new features during the maintenance phase.

What to expect from this guide

In this guide, we will run through the basics of how you, as an infrastructure manager or system buyer, can use formal methods and digital twins to simplify the requirement specification phase and generate the high-quality specifications you need to accomplish your system goals and get your rail control project off to a better start. Finally, we will put all our learnings in perspective with a real-life example. Let’s begin!

Fill out the form to read the full guide.

Inlägget Developing specifications with digital twins dök först upp på Prover - Engineering a Safer World.

Demonstration of Prover Studio

Fei Niu — Mon, 07 Jun 2021 14:15:32 +0000

DEMO VIDEO

Requirements

A quick look into our integrated development environment

This short video introduces Prover Studio, an integrated development environment for formal specifications. With support for the HLL, LCF and PiSPEC languages, it helps you manage complex specifications in a more productive way, keeping track of all your files and requirements. Used together with Prover iLock, it gives you an agile and test-driven process for developing and maintaining Generic Applications.

Agenda:

Syntax highlighting
Identification of syntax and semantic errors
Quick navigation with ‘go to definition’ and ‘find references’

Yes please, send me the recording!

Hosts

Fei Niu
Senior Developer, Prover

Inlägget Demonstration of Prover Studio dök först upp på Prover - Engineering a Safer World.

New concepts and competencies needed to meet future demand in the railway industry

Anders Linden — Tue, 04 Dec 2018 12:30:54 +0000

It is clear that there is a trend in the railway industry towards using modern tools and concepts for developing signaling solutions.

Most interlocking system projects today are developed with the following characteristics:

Errors are found late
Late changes are costly
Schedules to deliver interlocking software are long and unpredictable

There is a need to start preparing the organization and build new competencies.

Formal methods is gaining more and more momentum as a way of designing and verifying interlocking systems. The language HLL has become a de-facto standard for formal verification. The configuration data language LCF has entered as a way to store configuration data in a formal way that is reviewable as well as machine-readable.

A different approach

The process for developing new modern solutions using design automation is different from the traditional approach. The following steps is what Prover and others recommend:

Generate the generic specification
Build the specific application
Do the sign off verification

Prover has therefore set up a specific training program that is a good starting point for signaling engineers that wants to take a first step in building new modern skills. You can find more information about the training program here.

Engineers that has taken this training program can then in a next step more easily participate in new projects or help the organisation in implementing a more modern and effective process for the development and maintenance of signaling solutions.

This process normally starts with deciding to start to use formal methods as a basic foundation and then agree on a new process and decide on automation tools to support the application development.

Prover has developed other types of training programs that will be relevant during the next steps in moving the organization in to a more modern approach. You can find more information regarding other trainings that we offer here.

Inlägget New concepts and competencies needed to meet future demand in the railway industry dök först upp på Prover - Engineering a Safer World.

The structure of specifications

Daniel Fredholm — Wed, 11 Apr 2018 08:18:31 +0000

In my last post I wrote about how to write a decent specification on a quite general level. This time, I like to return to the topic, trying to be a bit more specific and tell you something about how we at Prover like to do things. In the Prover Trident Process, the specification of an interlocking is done in four parts: the object model, the generic design specification, the generic safety specification and the generic test specification.

Specifying interlocking software

What is it one needs to specify when specifying interlocking software? Basically, a specification should answer two questions: what and how. The ‘what’ part should tell you what the interlocking should do. In order words, it should specify expected behaviour. The ‘how’ part should tell how this expected behaviour is to be accomplished.

The ‘what’ part – What the interlocking should do

Let’s begin by looking at the ‘what’ part. As we already noted, this is to tell us something about the expected behaviour of the interlocking. To put it simply, the interlocking is expected to allow trains to run in a safe way. If we look closer on this simple statement, we see that it actually contains two parts. The interlocking should allow some things (‘trains to run’) while prohibiting other things (‘in a safe way’). In terms of functionality, it thus makes sense to talk about positive functionality, the things allowed, and negative functionality, the things prohibited.

How does one specify positive functionality? This is nothing else than test cases. For example, if a route fulfills all the requirements for locking and clearing the signal at the beginning of the route, then a request of the route should result in the locking of the route and clearing of the signal. All these test cases are collected in the generic test specification.

What about negative functionality, the things prohibited? Since this is supposed to describe things that are never to happen, it is not practically possible to specify these as test cases. Instead, they are to be thought of as requirements. And since they are to ensure safety, they are actually safety requirements. A typical example could be the following: ‘If a route is locked, then all track circuits that are part of the route should be free of obstacles’. The safety requirements are written down in the generic safety specification.

The ‘how’ part – How the interlocking is to function

With the generic test specification and the generic safety specification, we now have a complete answer to the ‘what’ part of the interlocking specification. What remains is the ‘how’ part. This is done in the generic design specification. It should tell us how the interlocking is to function; how are routes to be locked, signals cleared, switches thrown and the like. In other words, the generic design specification is an implementation of all the functions that are to be present in the interlocking.

So are we done now? Well, not quite. The generic test and safety specifications tells us the expected behaviour of the interlocking, whereas the generic design specification gives an implementation of the interlocking. Hence, they all are supposed to refer to the same thing. The question that remains to be answered is how do we ensure that they do that. Consider route locking, for instance. How do we make sure that the route locking in the generic test specification, the generic safety specification and the generic design specification are all the same? This is where the object model comes into play.

The object model

The object model specifies the types of objects that are present in the interlocking. These can be concrete, representing real railyard objects like track circuits, signals, and switches. They can also be abstract, like routes and local release areas. For each object type, the object model specifies a number of things. The exact list may vary, but it typically includes inputs (which may be categorized into physical inputs and inputs from office system); important states, like ‘locked’ for routes; and outputs, including physical outputs. The main thing is that the object model provides sufficiently rich points of reference to the interlocking so that the other specifications can be written without any further data. It specifies the common concepts of the other specifications.

Although I mentioned the object model last, it is actually the part that should be developed first. Then the generic design, test and safety specifications can be developed independently and in parallel.

How safe and efficient are your rail control systems? Let’s find out!

Inlägget The structure of specifications dök först upp på Prover - Engineering a Safer World.

Modernizing the signaling system of New York City Subway

Gunnar Smith — Wed, 24 May 2017 13:14:57 +0000

The subway of New York is one of the busiest in the world, with close to six million riders on an average weekday, but it is also one of the oldest, and in large its signaling system is way past its normally expected life time. An outdated signaling systems brings delays to the traffic since it will fail more frequently, but it also adds to the overcrowding of the subway by not making the most efficient use of the existing infrastructure. With a modern signaling system, you are able to run the trains closer together, thus increasing the potential traffic volume.

The Metropolitan Transportation Authority (MTA), is well aware of this, and have begun to replace this signaling system with a state of the art Communications Based Train Control (CBTC) system. However, the challenges faced when making upgrades to a subway network that is operating 24/7 with millions of riders depending on its availability are immense, and it is difficult to move quickly enough with this urgently needed signal upgrade. The New York times recently posted a very insightful article on this matter: Key to Improving Subway Service in New York? Modern Signals.

Another concern when modernizing any signaling system, and in particular one as complex and high profile as this, is of course to maintain the highest level of safety, or in some cases to even improve it. For MTA one part of this is related to adopting state of the art developing methodologies for software controlling the signals, including the use of formal verification techniques to prove the absence of logical errors in the system. This is not only necessary to guarantee the safety, but also to speed up the safety assessment process which often is a major bottleneck in the commissioning of a new signaling system.

Prover has been working with the team responsible for the vital safety assurance for the subway signaling systems at MTA for a number of years, to define a precise set of safety principles that all new computer-based interlocking systems shall meet. These requirements have been formalized in the PiSPEC language, and the software of each commissioned system is verified against these requirements using Prover iLock Verifier, as part of the independent safety assessment.

Inlägget Modernizing the signaling system of New York City Subway dök först upp på Prover - Engineering a Safer World.