Formal proofs for the NYCT line 7 (Flushing) modernization project


Short Description

The New York City subway Line 7 (Flushing) modernization project consists of installing a Communication-Based Train Control (CBTC) system and updating the existing interlocking system. The CBTC system is designed and installed by THALES Toronto. The main benefits of this modernization are a reduced headway, simpler signalling and track circuits, and extended routing possibilities, for instance in case of track failures.

The New York City Transit authority (NYCT) decided to include formal proofs at system level as part of the safety assessment for this project. The French SME ClearSy is responsible for these proofs, using the Event-B method. In this success story, we summarise the methodology applied to obtain these formal proofs and the conclusions so far.

Benefits

 * The process of building the models helps in managing the large number of project documents and drives the discussion with the designers about WHY the system is safe.
 * More specifically, the assumptions, rules and properties that matter for demonstrating safety are made explicit, precisely formulated and structured.
 * It produces strong evidence, and a deep understanding, that the system is safe: systems can operate without safety evidence (and without proofs), but then the risks are not known until an accident occurs.

Limitations

 * Large effort required: the total workload is 4 experts (B method + railways/CBTC) and sums up to more than two person-years up to October 2012.

Elaboration
The full story will be available in this paper

As a result of the formalisation and proof process, "no collision" and "no overspeed" proofs could be produced with the following key characteristics:

 * anybody can read the proof;
 * a reader may question the validity of some assumption in the actual system;
 * but nobody can doubt that the properties are logically deduced from these assumptions.

From the customer's point of view, the project produced evidence that the system is safe:

 * not only because of the good reputation of the system's supplier,
 * not only because independent experts say it is safe,
 * but through a reasoning that can be re-checked at any time.

The logical evidence was validated by a formal tool (B proof).
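To make concrete what such a proof obligation looks like, here is an added illustration in Python; it is not ClearSy's Event-B model nor any Thales artefact. It is a toy two-train, single-line model with a movement-authority guard and the two invariants named above. The check enumerates every state that satisfies the invariants and verifies that every enabled event leads back into them, which is what the Event-B invariant-preservation (INV) obligation asks, here by exhaustion over a small bounded state space rather than by deductive proof. The track length, speed limit, block-based movement-authority rule and event set are assumptions of the example.

```python
"""Bounded check of Event-B style invariant-preservation obligations.

Added illustration, not the Line 7 model: two trains on one line of
discrete blocks, a movement-authority guard, and the two safety
invariants the page names ("no collision", "no overspeed").
"""
from itertools import product
from typing import Callable, List, NamedTuple, Tuple

TRACK_END = 5   # assumed: blocks are numbered 0..TRACK_END
V_MAX = 2       # assumed: speed limit, in blocks per step


class State(NamedTuple):
    pos: Tuple[int, int]   # block of train 0 (rear) and train 1 (front)
    spd: Tuple[int, int]   # current speed of each train


# An event is (name, guard, action), as in an Event-B machine.
Event = Tuple[str, Callable[[State], bool], Callable[[State], State]]


def inv_no_collision(s: State) -> bool:
    """Rear train strictly behind the front train."""
    return s.pos[0] < s.pos[1]


def inv_no_overspeed(s: State) -> bool:
    return all(0 <= v <= V_MAX for v in s.spd)


def invariant(s: State) -> bool:
    return inv_no_collision(s) and inv_no_overspeed(s)


def limit_of_authority(s: State, i: int, ignore_train_ahead: bool = False) -> int:
    """Last block train i may occupy after its next move (assumed rule:
    the block before the train ahead, or the end of the track).  Setting
    ignore_train_ahead models a wrong assumption about the authority."""
    if i == 1 or ignore_train_ahead:
        return TRACK_END
    return s.pos[1] - 1


def make_events(ignore_train_ahead: bool = False) -> List[Event]:
    events: List[Event] = []
    for i in (0, 1):
        def move_guard(s: State, i=i) -> bool:
            return s.pos[i] + s.spd[i] <= limit_of_authority(s, i, ignore_train_ahead)

        def move_action(s: State, i=i) -> State:
            pos = list(s.pos)
            pos[i] += s.spd[i]
            return State((pos[0], pos[1]), s.spd)

        def accel_guard(s: State, i=i) -> bool:
            return s.spd[i] < V_MAX

        def accel_action(s: State, i=i) -> State:
            spd = list(s.spd)
            spd[i] += 1
            return State(s.pos, (spd[0], spd[1]))

        def brake_guard(s: State, i=i) -> bool:
            return s.spd[i] > 0

        def brake_action(s: State, i=i) -> State:
            spd = list(s.spd)
            spd[i] -= 1
            return State(s.pos, (spd[0], spd[1]))

        events += [(f"move({i})", move_guard, move_action),
                   (f"accelerate({i})", accel_guard, accel_action),
                   (f"brake({i})", brake_guard, brake_action)]
    return events


def all_states() -> List[State]:
    blocks, speeds = range(TRACK_END + 1), range(V_MAX + 1)
    return [State((p0, p1), (v0, v1))
            for p0, p1, v0, v1 in product(blocks, blocks, speeds, speeds)]


def check_inv_preservation(events: List[Event]) -> List[Tuple[str, State, State]]:
    """One obligation per (event, state): inv(s) and guard(s) => inv(action(s)).
    Returns every (event, pre-state, post-state) for which it fails."""
    violations = []
    for s in all_states():
        if not invariant(s):
            continue                      # hypothesis of the obligation not met
        for name, guard, action in events:
            if guard(s):
                t = action(s)
                if not invariant(t):
                    violations.append((name, s, t))
    return violations


if __name__ == "__main__":
    print("correct authority:", check_inv_preservation(make_events()))
    bad = check_inv_preservation(make_events(ignore_train_ahead=True))
    print("authority ignoring the train ahead:", len(bad), "failed obligations")
    print("first counterexample:", bad[0])
```

With the assumed movement-authority rule, `check_inv_preservation(make_events())` returns no counterexample. Dropping the train-ahead term from the authority (`ignore_train_ahead=True`) makes the same check return the `move(0)` steps that drive the rear train into the front one. That separation is the point the page makes: whether the movement-authority assumption holds in the real system is open to discussion with the designers, while the deduction from it to "no collision" is mechanical and can be re-run at any time.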

Specific DEPLOY Contributions
N/A

Further work
The work is expected to finish in October 2012.