Software development-arkiv - Prover - Engineering a Safer World

Prover PSL 6.0 released – Reachability obligations along with HLL and sHLL simulations are new features

Nicolas Aucouturier — Sun, 30 Mar 2025 14:35:09 +0000

We are excited to announce the release of Prover PSL 6.0, bringing powerful new capabilities to streamline your verification workflow and enhance proof efficiency. This latest version introduces advanced debugging capabilities and new proof coverage features — designed to tackle even the most demanding verification challenges.

What is new in Prover PSL 6.0?

Reachability obligations – a new way to strengthen verification

Prover PSL 6.0 introduces reachability obligations, a new type of verification check that complements traditional proof obligations. This feature allows you to verify whether specific states can be reached in your model, helping to refine system validation and efficiently identify edge cases. (Requires an add-on)

HLL and sHLL simulation in Why tool

Now, you can simulate HLL and sHLL models directly in the Why Tool. This integration enables step-by-step execution, making it easier to debug, analyze counterexamples, and validate expected behaviors — all within a unified environment. (Requires an add-on)

Enhanced proof analysis with coverage and profiling

Prover PSL 6.0 introduces two new analysis options for greater proof transparency:

A proof coverage analysis to identify which parts of your model are covered during verification, allowing you to optimize proof efficiency.

A profiling and performance optimization feature to gain insights into computational bottlenecks by tracking solver workload distribution.

Greater flexibility with -move for softening constraints

A new command-line switch allows you to dynamically move constraints, proof obligations, and other model elements between different HLL sections. This flexibility helps refine proof strategies and understanding of your model without modifying the core model structure.

With Prover PSL 6.0, you gain enhanced debugging, deeper proof coverage insights, and improved solver performance—all designed to push your formal verification process to the next level.

Upgrade to Prover PSL 6.0 today and elevate your formal verification process!

Inlägget Prover PSL 6.0 released – Reachability obligations along with HLL and sHLL simulations are new features dök först upp på Prover - Engineering a Safer World.

Prover PSL 5.10 is here – faster than ever!

Jesper Carlström — Tue, 08 Oct 2024 07:15:57 +0000

Prover PSL, the leading model checker used for formal verification in the rail and metro signaling domain, is now even faster. The performance release Prover PSL 5.10 brings 28 % increased speed on average, measured on our test cases from the rail and metro domain. We know of no model checker that performs better!

We have also introduced a new kind of parallelization of the powerful model checking strategy IC3, leading to substantial reductions in proof times. We saw runtime reduction from 111 seconds to just 1 second in one case, and an average speedup factor of 3.2 on other cases we measured.

We are proud to provide you with the best tools possible. Please let us know what you think when you have tried Prover PSL 5.10.

Inlägget Prover PSL 5.10 is here – faster than ever! dök först upp på Prover - Engineering a Safer World.

Prover Certifier now EN 50716-compliant T2 tool for SIL4 applications

Jesper Carlström — Wed, 02 Oct 2024 06:48:09 +0000

Prover Certifier is the leading sign-off verification tool that allows you to automatically produce complete safety evidence for your signaling logic using formal verification.

We are proud to announce that Prover Certifier has now been certified by TÜV NORD as a CENELEC EN 50716-compliant T2 tool for SIL 4 applications. This means that it fulfills the toughest requirements for verification and validation tools for safety-critical systems with railway applications in the European Union. The rail and metro industry is moving to this new standard, which is replacing the way-side standard EN 50128 but also covering rolling stock applications.

EN 50716 is a clear improvement over EN 50128. Model-based development and verification is encouraged more than before: “Models can also reduce the need for certain activities, particularly when using formal proofs.”. Formal Methods are now highly recommended for all kinds of software.

With the release of version 1.4, we meet the complex requirements of the rail and metro domain. Besides introducing the new norm compliance, several improvements have been included in this release. Prover Certifier continues to be EN50128-compliant as well.

Inlägget Prover Certifier now EN 50716-compliant T2 tool for SIL4 applications dök först upp på Prover - Engineering a Safer World.

LCF – For data exchange between humans and machines

Jesper Carlström — Tue, 18 May 2021 14:42:20 +0000

Last week we gave away our innovation Layout Configuration Format (LCF), to help infrastructure managers transition from drawings to structured data. You will find the specification on HAL.

Rail and metro managers all over the world are currently struggling with the same challenge: to move from a drawing-oriented view of data to a modern approach of structured data in databases. Everyone is asking the same question: how can we ensure that the data we put in those databases is correct?

When data checking consisted of carefully reviewing a drawing, it was obvious what had to be done: the drawing must agree with reality and be clear enough to avoid misunderstandings. When approved, the drawing would be the basis for construction. Everyone who needed the data would look at the same drawing and therefore have exactly the same view as the reviewer had when the drawing was approved.

With structured data it is a different story. The data is not represented as a drawing but stored in a database. Reviewing it requires some way to retrieve and visualize the data, and it cannot be ensured that all consumers of the data will have the same view as the reviewer. The process also raises important safety concerns: can we trust the tools that the reviewer uses to visualize and approve the data?

Formats such as RailML have been put forward as standards for data exchange between computer systems. RailML does its job, but being based on xml, RailML files are hopeless for humans to review.

We therefore designed LCF. It is a data exchange format that can be read by both humans and machines. It was designed to fulfill some important criteria:

Pure text – allows simple trusted software to be used for reading on screen or printing.
Well defined – enables computer interpretation without ambiguity.
No clutter – makes it easy for humans to read.
Compact – saves the reviewer from getting lost in thousands of lines.

So why are we giving this away? Well, the purpose of a data exchange format is to exchange data, and as such it needs to be available to everyone. We look forward to a world where lots of tools speak fluent LCF with each other. With trusted structured data, formal methods will thrive, and the benefits of formal methods to automate and digitize rail control systems are what we truly care about.

Inlägget LCF – For data exchange between humans and machines dök först upp på Prover - Engineering a Safer World.

Introducing Prover Studio

Jesper Carlström — Mon, 10 May 2021 09:48:41 +0000

I am proud to present Prover Studio, an integrated development environment for formal specifications. I must admit, we should have done this years ago. It’s astonishing really that we did not. Here is the story.

We established the concept of Prover Trident quite some time ago. The idea is simple: divide signaling software production in three phases.

Formal specification. Capture your signaling design principles in formal logic.
Formal development. Use your formal specification and your configuration data to build a model of a signaling system. Investigate it using simulation and verification and finally generate revenue-service ready code from the model.
Formal sign-off verification. Use an independent program to formally verify that all safety requirements are fulfilled and generate the safety evidence.

To aid the second phase we developed Prover iLock, and for the third phase we developed Prover Certifier. But we never offered any product for the first phase, until now, although we always stressed that the first phase is where you spend most of the time. Ironic, indeed. There is a simple explanation why it took so long for us to understand the importance of providing a good development environment. Formal specifications are written in plain text files, and there are lots of text editors out there already. Creating formal specifications requires a lot of thinking, but producing the file itself is easy, when you have decided what to write.

However, when we investigated more thoroughly how users spend their time, it was clear that the process of writing formal specifications could be simplified a lot. When a specification grows large, it becomes increasingly difficult to remember what is already in there. Therefore, it becomes increasingly important with good support for navigation, to find which functions have been implemented already for a particular object and how they are defined, to understand where a certain function is used, to find dead code, et cetera. Specification can consist of hundreds of files for complex applications, so all kinds of help in finding things and getting an overview of what you have is appreciated. We created Prover Studio to provide all this, as well as on-the-fly syntax checks of more advanced immediate semantic checks that help discovering errors early.

During formal specification writing, Prover iLock is repeatedly used to check the specification and to try it on concrete examples. It is quite common to find an error in the specification by using Prover iLock’s simulator or code viewer, for example. In such cases, it is convenient to be able to quickly open the relevant file and find the line that needs to be changed. To make it possible to open the relevant piece of specification from Prover iLock we need to provide our own editor and integrate the tools.

The first version of Prover Studio was realized as an extension to Visual Studio Code. Our users told us that Prover Studio makes a great difference already. We intend to keep Visual Studio Code as the framework for Prover Studio’s editing and navigation capabilities, but also expand Prover Studio beyond what Visual Studio Code can offer, with features such as graphical representation of logic.

Inlägget Introducing Prover Studio dök först upp på Prover - Engineering a Safer World.

New webinar on Signaling Design Automation

Gunnar Smith — Fri, 09 Apr 2021 13:12:30 +0000

Prover is strengthening its Signaling Design Automation solution with the introduction of the software Prover Studio. Prover Studio is a logic editor that increases the efficiency when formalizing specifications, the first step in our Prover Trident process. We have developed a new webinar series that will present the complete process from specification to revenue service signaling applications that are formally verified for safety.

With Prover Trident interlocking design can be done efficiently, with guaranteed safety. During this new webinar we will demonstrate how the signaling design will be developed step by step.

During the webinar you will learn:

How to write formal specifications with a modern and customized editing tool
How to create an interlocking application software using automatic generation of code
How to investigate the resulting logic using simulation tools
How to formally verify that the generated code meets the safety requirements

You can download the recorded webinar here.

Inlägget New webinar on Signaling Design Automation dök först upp på Prover - Engineering a Safer World.

Time to start offering AI-tuned proof tactics to the world!

Amanda Öberg — Thu, 03 Dec 2020 13:18:42 +0000

The time is ripe for “productifying” our work on AI-tuned proof tactics. A few weeks ago we made the first release of our AI-guided fine-tuning toolset, also known as PSL fine-tuner, for broader internal use. Our ambition is that fine-tuning of PSL proof tactics could be offered as part of Prover Cloud Apps in the near future. In fact, we have already contacted some customers to establish collaborations in order to shape this potential new service.

AI-tuned proof tactics are part of the R&D project on AI-powered formal verification that we started back in Spring 2019, and that is being generously partially funded by Vinnova (Sweden’s Innovation Agency). Make sure you read the first and second blog posts of these series.

Up to 100x faster induction proofs

Back in March we reported astonishing speed ups of up to 60x, but in the meantime we have found cases where induction proofs become even 100x faster after fine-tuning! An otherwise 4-day run becomes a 1-hour run using the right proof tactic.

We obtain such specialized proof tactics by learning from smaller versions of properties, and we then expect the tactics to generalize to the actual (larger) properties of interest. We have observed that these “smaller versions” can be obtained in different ways. In particular, for CBTC systems that are divided into multiple zone controllers (ZC), it is possible to train on the smaller ZC and the obtained proof tactics typically work well for the larger ones. We have also confirmed experimentally that proof tactics continue to work after successive iterations of the same system.

This may be of special interest to those of you developing CBTC systems. If you use our AI-tuning technology early in the development phase, you could benefit from significantly faster proving times for the years to come.

On-the-fly fine-tuning of BMC

For bounded model checking (BMC) we have managed to take this a step further, and we don’t require offline training on smaller versions of properties. We are able to fine-tune the BMC of a property on-the-fly. The BMC completes faster (up to 10x faster in our experience so far), and you also get the tuned proof tactic to use for subsequent regression runs.

Let us know if you have a hard verification problem that you would like us to try this technology on!

Inlägget Time to start offering AI-tuned proof tactics to the world! dök först upp på Prover - Engineering a Safer World.

Automated signaling systems design using Prover Trident

Gunnar Smith — Thu, 30 Apr 2020 09:16:49 +0000

In our previous blog post, we looked at some of the challenges commonly faced in delivery of rail control projects and proposed a remedy: the use of detailed and clear requirement specifications that enables automated development and more efficient safety verification. We will now take a closer look at this process for signaling systems design and how it is implemented with Prover Trident for automation. Our vision is that delivery of rail control systems shall be standardized, with:

Clearly defined requirements as generic principles, used with automation tools
Efficient management of new/changed requirements during life cycle
Automated development gives efficient, safe and predictable results
Safety acceptance based on sign-off verification against the Infrastructure Managers safety requirements
Computing components (hardware) that easily can be replaced with other brands (future proof); open interfaces enable product replacements

We recommend that the Infrastructure Managers provide tender specifications that separate life cycles of the hardware and software and encourage the use of automated development processes and formal safety verification. The suppliers are then well equipped to apply a signal systems design process, to meet the expectations of the Infrastructure Managers, and to maximize business benefits:

Speed: Increase delivery capacity, and ensure that delivery schedules are met
Safety: Provide safety verification with 100% coverage, that is easy to repeat
Savings: Reduce dependency on labor-intense, error-prone, manual development processes

A signaling systems design solution

Prover’s implementation of the signaling system design process is called Prover Trident. A three-pronged process that automates development, test and safety verification:

Formal specification, defining a generic application (GA) for the signaling principles, as formalized requirement specifications in the PiSPEC language.

Automated development, using Prover iLock to configure, generate, simulate and formally verify the application software for specific applications (SAs).

Sign-off verification, using Prover Certifier to create CENELEC EN50128 SIL 4-compliant safety evidence for the application software based on formal verification.

Prover Trident is a complete development process for generation, test and verification of revenue service signaling software, but it can also be used for prototyping in the requirement capturing phase, to simulate and test different requirements both at component and system levels.

Benefits of a solution for signaling systems design

The main benefits of using Prover Trident for automated development and safety assessment of interlocking application software are:

Significantly reduced engineering effort and time to market.
Significantly reduced life cycle costs, with efficient management of requirement changes during the life cycle of the system (maintenance).
Efficient CENELEC EN50128 SIL 4 compliance in safety assessment.
Predictable project schedules, with high quality deliveries.
An efficient, automated process for producing SA safety case, based on formal verification.
Reduced dependency on a single supplier; it is easy to use the same design solution and process for multiple interlocking platforms. Avoids vendor lock-in and increases competition.

Generic and specific applications

In the context of Prover Trident, a Generic Application (GA) refers to a set of general signaling principles and requirements, formalized in the PiSPEC language. The GA is structured the following way:

Object Model (OM), the specification of the objects, including their parameters and interfaces.
Generic Application Configuration (GAC), generic definition of configuration formats.
Generic Design Specification (GDS), the design requirements to implement.
Generic Safety Specification (GSS), the safety requirements to verify.
Generic Test Specification (GTS), the test cases to simulate for testing the functionality (positive behavior) of the specific applications.

These specifications are developed in natural language versions (typically English) and formal versions. The formalization is done in the PiSPEC language, with additional configuration scripts implemented in the Python scripting language.

The GA is used to automatically develop specific applications (SAs), for instance an interlocking system for a given signal location. With the GA in place the effort to develop an SA is reduced to a simple configuration task, either directly using the GUI of Prover iLock or by importing the configuration from an existing database.

Functional testing, safety verification and code generation is then fully automated, and the full process, including configuration, doesn’t have to take more than a few hours. During the GA development, Prover iLock is used to validate the requirements on a set of typical SAs, in an iterative and test-driven approach.

Demonstration of application engineering with Prover iLock

Interested in learning more about Prover Trident, and how Prover iLock is used to develop revenue service interlocking software? Sign up for our webinar ‘Demonstration of an Interlocking Design Automation Solution’, or watch a shorter recorded product demonstration here.

Inlägget Automated signaling systems design using Prover Trident dök först upp på Prover - Engineering a Safer World.

More efficient rail control projects using signaling design automation (SDA)

Gunnar Smith — Tue, 28 Apr 2020 06:00:08 +0000

The delivery of rail control projects often suffers from high costs, unpredictable schedules and delays. Moreover, the life cycle of modern, computerized, signaling systems is often shorter than those of traditional relay-based systems, with higher maintenance costs. At the same time the need for new, more advanced rail control systems is growing, to optimize the use of existing, congested, infrastructure and to meet the demands from an increasing number of passengers. This situation drives the need for more efficient ways to deliver and ensure safety in Rail Control Projects.

In this series of three blog posts on the subject we call Signal Design Automation, we will take a look at the reasons for this situation, present a solution and finally look at a case study where a Signal Design Automation process has been successfully applied in a real-life project.

Expectations and challenges in rail control projects

The successful delivery of a rail control system should meet the following typical expectations from the Infrastructure Manager:

Improved interoperability and reliability, supporting system upgrades
1st delivery of the system shall be on time and have the correct functionality
Efficient safety assessment for guaranteed safety
Reduced life-cycle cost
- Individual sub-systems should be separated with clear interfaces, providing flexibility in extending the overall life cycle
- Support for change of requirements and functionality over time

Unfortunately, this is often quite far from the reality, and Infrastructure Managers (IM) are instead faced with signal modernization projects that:

Requires multiple deliveries before the correct functionality can be demonstrated
Safety Assessment is time consuming and largely done at late, critical stage in the rail control project
Exceeds budgets and are delayed
Locks the Infrastructure Manager to the same vendor for a long time, making maintenance and upgrades costly

In our experience, there is a number of root causes to this situation, both at the Infrastructure Manager side and on the supplier side. Naturally, suppliers may not benefit from delivering systems with open interfaces between sub-components and, if they are not required to do otherwise, they will happily stick to proprietary systems, enabling the supplier to dictate the conditions when the Infrastructure Manager is looking for an upgrade or component replacement. Here the Infrastructure Managers must drive the shift to industry standards and open interfaces and indeed there are initiatives in this direction, such as EULYNX, in which thirteen European Infrastructure Managers are working together to define standard interfaces for interlocking systems.

Meeting the expectations in rail control project delivery

A key factor to success in any project is that the stakeholders can agree on the requirements, i.e. what is to be delivered, and that it is easy to validate that a delivery meets the requirements. In many tender specifications, the technical requirements formulated by the Infrastructure Manager are kept vague. Either as a deliberate strategy to give the supplier freedom to bid with the most cost-efficient solution, or since the requirements, and their importance, are not fully understood by the procuring organization.

A big risk with this approach is that there are a lot of implicit expectations and requirements that are not communicated with the supplier, and in the end the users may not get the system they wanted, even though it fulfills all the specified requirements. Without clear requirements it can also be difficult to understand the impact of different design solutions until the system is close to completion, at which time changes can be very costly. On the other hand, if the supplier can present the Infrastructure Manager with a clear specification, where functionality can be demonstrated with early prototyping at the start of the project, the chances of agreeing on the requirements and succeeding with the project are greatly improved.

The other option is for the Infrastructure Manager to take control of the requirements and clearly specify, already at the tender stage, exactly what is expected of the system. Then it also becomes natural to require that the systems make use of open interfaces, addressing the issues of vendor-lock in and high cost of upgrades during the life cycle. And it works the other way around too; if you already have clear definitions of the system interfaces, then it becomes natural to provide clear requirement specifications for the overall system as well.

Clearly defined requirement specifications also pave the way for automation, as the step to formalize, or implement, them in a way that can be interpreted by automation tools will be small. The coding, functional testing and safety verification that turns the specifications into revenue services software can then be done automatically from simple application configurations.

A high level of automation means that it will be less costly to implement and evaluate the impact of changed requirements and increases the chances of getting the functionality right at the first installation. The use of automated, formal, safety verification, addresses many of the issues around the safety assessment in traditional development processes and can be applied throughout the development. Finally, a Signal Design Automation solution need not be vendor specific, and thus can further help avoiding vendor lock-in, especially if it is combined with the use of standardized components and interfaces.

Formal Verification, a key to success in your rail control project

Formal Verification is a method to prove with 100% certainty that a system fulfills a given set of safety requirements. In practice this verification is automated, using computer programs that implement mathematical algorithms performing the proofs. Formal Verification is a key component to maximize the level of automation in the delivery of rail control software, as it can remove many of the manual safety review tasks typically used in traditional safety assessment processes. It is also the only manageable way to deal with the safety verification of more and more complex systems, without risk of losing the confidence in the system safety, or accelerating the verification costs and delivery times.

If you want to know more about Formal Verification you can study our recorded webinar here.

Inlägget More efficient rail control projects using signaling design automation (SDA) dök först upp på Prover - Engineering a Safer World.

Major releases of PSL and Prover iLock

Jesper Carlström — Tue, 05 Nov 2019 08:03:35 +0000

We are proud to present new major versions of two of our most important products! Thanks to all of you who provided us with feedback about your project needs. We are determined to always improve our solutions and to be the obvious choice for everyone who wants to automate their processes.

PSL 4 – model checking with floating point numbers

PSL is the fastest and most powerful model checker on the market. PSL is the core of Prover Certifier and included in Prover iLock.

Version 4 comes with support for floating point numbers, requested especially by customers who want to verify onboard systems. We also improved performance, included some new proof strategies, and provided more detailed error messages to make debugging work more effective.

Floating point numbers can surprise. Rounding errors are very difficult to discover and understand the impact of. With PSL 4 you can check that your implementation follows the IEEE 754 standard and, for example, that numbers stay within intended limits. Check out the technical blog post that our developer Lars Helander wrote. It is about a toy example but demonstrates the idea nicely.

Floating point numbers are becoming more and more important. We see them in onboard signaling systems for trains, but also in many automotive applications. It is notoriously difficult to verify correctness of floating point algorithms in general, but for several industrial applications it works just fine. We are excited to pioneer the area of floating point verification!

Prover iLock 5 – with a new layout editor and improved formal verification

Prover iLock is a complete signaling design automation solution, including code generation, simulation and formal verification. Configure it with your own formal specification of signaling principles and you are ready to produce interlocking systems by simply adding track layouts and configuration tables for the interlocking you want to produce.

Version 5 comes with a new track layout editor, which is more flexible, effective and precise. By working with track layouts for many years we have learned what really matters for efficiency and reliability. With the new layout editor, you can more easily add, remove or move tracks, signals and switches (points).

If you prefer, you can import the layout from a database and visualize it in Prover iLock. You can edit or add symbols with a vector graphics program of your choice, because symbols are now standard svg. The layout is saved in the LCF format, another Prover innovation, which allows for easy inspection of logical differences between versions, as well as for efficient data validation necessary to meet CENELEC EN50128 T3 requirements. In fact, we are excited to support the LCF format in Prover iLock, as it provides a way to store configuration data in a machine-readable form which is also easy to understand by human reviewers.

We also upgraded the model checker in Prover iLock Verifier to the fastest one on the market, our PSL 4. Prover iLock Verifier continues to provide the well-received graphical user interface for formal verification work, but you will experience a speed-up and have access to more proof strategies than before.

How safe and efficient are your rail control systems? Let’s find out!

Inlägget Major releases of PSL and Prover iLock dök först upp på Prover - Engineering a Safer World.