Interlockings, the systems which control railway signals, are modeled as situated automata holding in memory an image of their trackside environment. Interlocking functionality is generic, but each interlocking consults a geographic database which specifies the topography of its environment. A 'calculus of hazard', comprising a theory of trackside geography and of the generic state of trackside environments, is set up using a predicate calculus based on incidence relations. The calculus is sufficiently expressive for the articulation of hazard defence rules, which are obtained from a typical IEC fault modes and effects analysis (FMEA), free of area-specific reference. Safety of an interlocking is formulated as an NP-complete proof problem expressing the invariance of a set of hazard defence predicates of the calculus. A scalable approach to this proof problem is developed by representing a signalling area as a set of weakly interacting localities of low combinatorial complexity. The approach uses Galois connection tools borrowed from formal concept analysis.
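The following is an added illustration of the modelling idea in the abstract, not code from the paper: a generic interlocking automaton consults a small geographic database (incidence relations between routes, track sections and points), and four hazard defence predicates written only in terms of those relations are checked for invariance over every reachable state. The layout, route names, transition rules and the four predicates are hypothetical, and the check is a plain breadth-first state exploration rather than the paper's locality decomposition via Galois connections. A `check_conflicts` flag lets the same exploration show how a missing route-conflict check surfaces as a violated predicate.

```python
"""Toy geographic interlocking checked for invariance of generic
hazard-defence predicates.  Added illustration; layout, names and rules
are hypothetical and not taken from the paper."""
from collections import deque
from dataclasses import dataclass
from itertools import combinations

# Geographic database (constructed example): point P1 diverges from S1 to
# S2 (normal) or S3 (reverse); point P2 lets S4 converge into S2 (reverse).
# Each route records its entry signal, the sections it runs over in order,
# and the point positions it requires.  Nothing below names these entries.
ROUTES = {
    "A_N": {"signal": "A", "sections": ("S1", "S2"), "points": {"P1": "N", "P2": "N"}},
    "A_R": {"signal": "A", "sections": ("S1", "S3"), "points": {"P1": "R"}},
    "B":   {"signal": "B", "sections": ("S4", "S2"), "points": {"P2": "R"}},
}


@dataclass(frozen=True)
class State:
    set_routes: frozenset   # routes currently locked in
    points: tuple           # ((point, position), ...), sorted for hashing
    proceed: frozenset      # routes whose entry signal shows proceed
    occupied: frozenset     # track sections detected occupied


INITIAL = State(frozenset(), (("P1", "N"), ("P2", "N")), frozenset(), frozenset())


def sections(r):
    return set(ROUTES[r]["sections"])


# Generic hazard-defence predicates: each quantifies over the incidence
# relations of the database and mentions no particular route or section.
def hd_proceed_implies_set(s):
    return s.proceed <= s.set_routes


def hd_no_shared_sections(s):
    return all(sections(a).isdisjoint(sections(b))
               for a, b in combinations(s.set_routes, 2))


def hd_points_locked_correctly(s):
    pos = dict(s.points)
    return all(pos[p] == v for r in s.set_routes
               for p, v in ROUTES[r]["points"].items())


def hd_proceed_implies_clear(s):
    return all(sections(r).isdisjoint(s.occupied) for r in s.proceed)


HAZARD_DEFENCES = {
    "proceed_implies_set": hd_proceed_implies_set,
    "no_shared_sections": hd_no_shared_sections,
    "points_locked_correctly": hd_points_locked_correctly,
    "proceed_implies_clear": hd_proceed_implies_clear,
}


def successors(s, check_conflicts=True):
    """Generic interlocking behaviour plus free train movement."""
    pos = dict(s.points)
    # 1. Set a route, move its points and clear its signal.
    for r, spec in ROUTES.items():
        if r in s.set_routes or sections(r) & s.occupied:
            continue
        clash = any(not sections(r).isdisjoint(sections(o)) for o in s.set_routes)
        locked = {p for o in s.set_routes for p in ROUTES[o]["points"]}
        moved = {p for p, v in spec["points"].items() if pos[p] != v}
        if check_conflicts and (clash or moved & locked):
            continue  # the defence a correct interlocking applies
        newpos = dict(pos)
        newpos.update(spec["points"])
        yield State(s.set_routes | {r}, tuple(sorted(newpos.items())),
                    s.proceed | {r}, s.occupied)
    # 2. A train passes a proceed signal; the signal is replaced to danger.
    for r in s.proceed:
        yield State(s.set_routes, s.points, s.proceed - {r},
                    s.occupied | {ROUTES[r]["sections"][0]})
    # 3. A train advances to the next section of a set route.
    for r in s.set_routes:
        secs = ROUTES[r]["sections"]
        for a, b in zip(secs, secs[1:]):
            if a in s.occupied and b not in s.occupied:
                yield State(s.set_routes, s.points, s.proceed, s.occupied | {b})
    # 4. A section is vacated.
    for sec in s.occupied:
        yield State(s.set_routes, s.points, s.proceed, s.occupied - {sec})
    # 5. A route is released once its signal is at danger and it is clear.
    for r in s.set_routes - s.proceed:
        if sections(r).isdisjoint(s.occupied):
            yield State(s.set_routes - {r}, s.points, s.proceed, s.occupied)


def check_invariants(initial=INITIAL, check_conflicts=True):
    """Explore all reachable states.  Returns (None, state_count) when every
    predicate holds, else (name of the first violated predicate, state)."""
    seen, queue = {initial}, deque([initial])
    while queue:
        s = queue.popleft()
        for name, pred in HAZARD_DEFENCES.items():
            if not pred(s):
                return name, s
        for t in successors(s, check_conflicts):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return None, len(seen)


if __name__ == "__main__":
    print("with conflict check:", check_invariants())
    print("without conflict check:", check_invariants(check_conflicts=False))
```

Because the predicates only use `sections(r)` and `ROUTES[r]["points"]`, the same four functions apply unchanged to any other layout loaded into `ROUTES`; only the database is area-specific. Exhaustive exploration is what makes the problem blow up on a real area, which is the scalability concern the abstract addresses by splitting the area into weakly interacting localities.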
Published in:
Industrial-Strength Formal Specification Techniques, 1995. Proceedings., Workshop on
Date of Conference: 5-8 Apr 1995