
MASA-Method: CPN for Safety Verification

Updated 14 November 2025
  • MASA-Method is a systematic CPN-based modeling approach for safety-critical railway interlocking verification, integrating automated route setting and fail-safe flank protection.
  • It employs advanced CPN features such as transition priorities, inhibitor arcs, and reset arcs to reduce state-space size and prevent deadlocks.
  • Empirical evaluations demonstrate scalability improvements, with significant state-space reductions when applying automated route canceling and flank protection measures.

The MASA-Method is not itself directly named or defined in the listed research papers, but it is clear from the paper (Vanit-Anunchai, 2014) that the approach embodies a set of modeling and analysis best practices implemented via Coloured Petri Nets (CPNs), augmented by specific automatism and formal constructs to facilitate large-scale, safety-critical system verification—specifically of railway interlocking tables. The methodology systematically translates complex tabular specifications (logical interlocking rules) into executable Petri net models, incorporates operational automatism to minimize analysis artifacts, and exploits advanced tool features to control state-space growth and semantic precision.

1. Architectural Structure of the CPN-Based Model

The MASA-Method organizes the system model in a hierarchical CPN structure, centering on two pivotal pages:

  • UserCommand: Encodes the logic for route set/cancel operations in response to controller commands; principal places are TrackPool, SignalPool, PointPool, RouteNormal, and auxiliary configuration and locking places.
  • Move_Track_to_Track: Models all legitimate train movement patterns, including straight progression, signal passage, and turnout traversal.

Model places are typed with the following color sets:

  • Tracks: $\mathtt{TrackPool} = \langle tid: \mathtt{TrackID},\ pos: \mathtt{TRSTATE} \rangle$.
  • Signals: $\mathtt{SignalPool} = \langle sid,\ aspect \rangle$.
  • Points: $\mathtt{PointPool} = \langle pid: \mathtt{STRING},\ pos: \mathtt{POINTPOS},\ lock: \mathtt{BOOL} \rangle$.
  • Routes/free/conflict: $\mathtt{RouteNormal}$, $\mathtt{Config}$, intermediate and auxiliary locking places.

Transitions implement all key route and movement operations—route initialization, setting, locking, resetting for deadlock, track movements, and point crossings.

Color set and binding definitions are written in CPN ML, the Standard ML dialect used by CPN Tools; for example:

    colset TrackID  = STRING;
    colset TRSTATE  = union noTrain | TrainUP | TrainDOWN;
    colset POINTPOS = union normal | reverse;
    colset BOOL     = bool;
    colset ROUTEID  = STRING;

Arcs use standard multiset expressions and may employ ML functions for conditions—e.g., require_track_clear(r), which returns the multiset of unoccupied tracks for a route.

2. Advanced CPN Constructs: Priorities, Inhibitors, Reset Arcs

The MASA-Method leverages three constructs in CPN Tools v4+ to ensure precise orchestration and reduction of state space interleaving:

  • Transition Priorities: Numeric labels prio T = n enforce a deterministic firing regime so that, for example, all point-locking transitions execute to completion before any cancellation or new route setting is initiated. Only transitions of maximal priority among all enabled may fire.

    Example:

    prio SetNormalLock       = 8;
    prio RouteSetting        = 5;
    prio CancelRouteSetting  = 0;
  • Inhibitor Arcs: Used to prevent concurrent route settings. For instance, the presence of a token in RouteSuccess? inhibits firing of SetRoute until the route-setting sequence concludes.
  • Reset Arcs: Enable transitions (e.g., CancelRouteSetting) to clear all lock-tokens in intermediate places atomically, eliminating partial or failed route settings that could cause unproductive deadlock.

Each construct is natively supported and visually represented in CPN Tools, facilitating execution and verification control.

3. Embedded Automatic Route Setting and Cancelling Logic

To further minimize operational artifacts (spurious deadlocks), the MASA-Method embeds procedural automatism:

  • Automatic Route Setting: A function approach_set(r) detects train presence at the approach track of a route, triggering a set command only when a train justifies the route's activation. This behavior matches real-world operational protocols, where route setting is event-driven rather than manually commanded in arbitrary state.
  • Automatic Route Cancelling: If route setting cannot complete due to failure conditions (locked points or occupied flank tracks), the lowest-priority CancelRouteSetting fires, resetting lock tokens and freeing the system for alternate routing attempts. This abides by the controller's intent to withdraw impossible commands automatically.

This mechanism substantially reduces the incidence of "safe deadlocks"—states with no collision risk but halted progress—by only pursuing routing that is operationally warranted.

4. Capturing Fail-Safe Flank Protection Semantics

The MASA-Method explicitly models fail-safe constraints (flank protection), which ensure that adjacent tracks/points not involved in the primary route are themselves locked in a safe configuration, precluding the possibility of an off-route incursion (e.g., due to a signal overrun).

Constraint expressions added to the route-setting operation, $\mathit{require\_flank\_track\_clear}(r)$ and $\mathit{require\_flank\_point\_normal}(r)$, acquire all relevant flank tracks and enforce point positions and locking via predicates. Flank protection is implemented as additional preconditions on transitions, not as independent error-handling transitions, maintaining compositional and operational clarity.

Verification scans for reachable markings where multiple trains occupy conflicting tracks—if none are reachable, safety is established.
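Added example (not from the paper or from CPN Tools): a Python reachability check over a constructed two-train toy layout that combines the maximal-priority firing rule of Section 2, the approach-triggered setting and lowest-priority cancel of Section 3, and flank protection as an extra transition precondition as in Section 4. The A/B/C/D tracks, the point pt, the transition names and the priority values are all assumptions made for this illustration.

```python
from collections import deque

# Constructed toy layout (an assumption, not the paper's case study): route r1 runs
# A -> B; track C joins B when point pt is reverse and leads to D when pt is normal,
# so pt is r1's flank point. Marking = (trains, pt_pos, pt_lock, route_state, signal).
INIT = (("A", "C"), "reverse", False, "idle", "red")

def enabled(m, flank):
    """Enabled transitions of m as (prio, name, successor); only those of maximal priority."""
    trains, pos, lock, route, sig = m
    n = trains.count                      # occupancy of a track; 2 means a collision
    def moved(src, dst):
        t = list(trains); t.remove(src)
        return tuple(sorted(t + ([dst] if dst else [])))
    out = []
    if n("A") and route == "idle":        # approach_set(r1): a waiting train justifies r1
        out.append((5, "RequestRoute", (trains, pos, lock, "requested", sig)))
    if route == "requested":
        if not n("B") and (not flank or not lock):
            # require_flank_point_normal(r1): set and lock pt normal when modelled
            pp, pl = ("normal", True) if flank else (pos, lock)
            out.append((8, "SetRoute", (trains, pp, pl, "set", "green")))
        out.append((0, "CancelRouteSetting", (trains, pos, False, "idle", "red")))
    if n("A") and sig == "green":
        out.append((1, "Move_A_B", (moved("A", "B"), pos, lock, "set", "red")))
    if n("B"):                            # train clears B, releasing r1 if it was set
        done = route == "set"
        out.append((1, "Leave_B", (moved("B", None), pos, lock and not done,
                                   "idle" if done else route, "red")))
    if n("C"):                            # signal overrun: no check that B is free
        out.append((1, "Move_C", (moved("C", "B" if pos == "reverse" else "D"),
                                  pos, lock, route, sig)))
    if n("D"):
        out.append((1, "Leave_D", (moved("D", None), pos, lock, route, sig)))
    top = max((p for p, _, _ in out), default=None)
    return [t for t in out if t[0] == top]

def explore(flank):
    """Exhaustive state space from INIT: (nodes, collision markings, terminal markings)."""
    seen, queue, collisions, terminals = {INIT}, deque([INIT]), 0, 0
    while queue:
        m = queue.popleft()
        if any(m[0].count(t) > 1 for t in set(m[0])):
            collisions += 1; continue     # accident marking: counted, not expanded
        succ = enabled(m, flank)
        terminals += not succ             # no enabled transition: a terminal marking
        for _, _, m2 in succ:
            if m2 not in seen: seen.add(m2); queue.append(m2)
    return len(seen), collisions, terminals
```

explore(False) reaches a marking with both trains on B (the signal-overrun incursion from the unlocked flank), while explore(True) reaches none, which is the check described above for establishing safety.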

5. State-Space Analysis and Experimental Results

The workflow undergoes exhaustive state-space generation in CPN Tools. Key metrics from analysis include:

  • Reduction in state-space size with MASA constructs and automatism:
    • Without flank protection: 187,016 nodes, 288,549 arcs, 12 seconds runtime, 43 terminals.
    • With flank protection: 71,469 nodes, 73,655 arcs, 8 seconds, 17 terminals.
    • Previous models for similar cases ran for nearly ten hours and generated an order of magnitude more states.
  • Deadlock suppression: The number of terminal markings with no accessible accident is vastly lower after introducing automatic functions; all collision-prone markings remain unreachable in all tested scenarios.
  • Scalability: State spaces for case studies (platforms, alternate configurations) scale from ~2,000 to ~76,000 nodes and were analyzed within five hours on modest hardware (2.3 GHz CPU, 3.5 GB RAM).

6. Modeling Practices and Methodological Lessons

Empirical evaluation led to formalized best practices defining the MASA-Method, applicable to CPN modeling of large, safety-critical logical systems:

  • Embed standard operational procedures (e.g., automatic setting/cancelling) to eliminate artifacts, ease formal analysis, and reflect physical operation.
  • Exploit advanced CPN features (priorities, inhibitor/reset arcs) to prune non-safety-relevant concurrency, further mitigating combinatorial growth.
  • Implement fail-safe requirements as constraint predicates rather than extending transition sets, simplifying the error-domain's proof structure.
  • Adopt a two-phase verification protocol: first, analyze without flank protection to uncover logical errors; second, re-add flank protection for full safety closure.
  • Instrument hypothetical collisions (e.g., signal overruns) by temporary removal of safety tokens in the configuration, prompting the tool to expose deficiencies in flank constraint coverage.

7. Significance, Context, and Impact

The MASA-Method, as exemplified by Vanit-Anunchai et al. (Vanit-Anunchai, 2014), demonstrates that complex, operationally rich interlocking specifications can be translated into faithfully executable formal models. The approach leverages the algorithmic and semantic power of Coloured Petri Nets while containing state explosion and irrelevant deadlocks by fusing process automatism, formal tool constructs, and rigorous safety logic. The method is generalizable to other safety-critical domains requiring rigorous process and configuration interaction modeling, scalable verification, and fail-safe guarantees. This framework supports both rapid prototyping (design phase) and exhaustive verification (acceptance phase) and is adaptable to new operational constraints via incremental ML routines without perturbing the core net structure.
