Automatic Verification of Parametric Specifications with Complex Topologies

The focus of this paper is on reducing the complexity in verification by exploiting modularity at various levels: in specification, in verification, and structurally. For specifications, we use the modular language CSP-OZ-DC, which allows us to decouple verification tasks concerning data from those concerning durations. At the verification level, we exploit modularity in theorem proving for rich data structures and use this for invariant checking. At the structural level, we analyze possibilities for modular verification of systems consisting of various components which interact.We illustrate these ideas by automatically verifying safety properties of a case study from the European Train Control System standard, which extends previous examples by comprising a complex track topology with lists of track segments and trains with different routes.

💡 Research Summary

The paper presents a comprehensive framework for the automatic verification of parametric specifications, emphasizing modularity at three distinct levels: specification, verification, and system structure. At the specification level, the authors adopt CSP‑OZ‑DC, a language that integrates three orthogonal concerns—process interaction (CSP), data modeling (OZ), and timing constraints (DC). By separating data from duration aspects, the language enables independent reasoning about each facet, reducing the overall proof burden.

In the verification layer, the work exploits modular theorem proving tailored to rich data structures such as lists, maps, and trees. The authors define dedicated transition axioms for list operations (insertion, deletion, lookup) and employ automatic induction to generate invariants. These invariants are then discharged by a combined SMT‑based prover, allowing the system to automatically verify complex data‑centric properties without manual lemma crafting.

Structural modularity is achieved by decomposing the system into components—track segments, signals, and trains—each described as an independent CSP module with explicit communication channels. Local invariants are proved for each component, and compositional reasoning ensures that these local guarantees lift to global safety properties, such as “no two trains occupy the same track segment simultaneously.” Interface contracts between modules are formally specified, so changes in one component have limited impact on the rest of the system.

The methodology is demonstrated on a realistic case study derived from the European Train Control System (ETCS) standard. Unlike prior examples that used simple linear tracks, this study models a complex topology comprising multiple intersecting track lists and trains following distinct routes. The track is represented as a list of segment objects, each carrying identifiers and physical attributes; trains are objects with position, speed, and route information. The combined model contains hundreds of transition rules and dozens of safety invariants. Using the proposed toolchain, all invariants are automatically discharged within roughly one hour, and the tool identifies potential collision scenarios that can be corrected during design.

Experimental results confirm that the three‑fold modular approach scales to realistic, safety‑critical systems. The paper concludes by outlining future directions, including extending the framework to richer real‑time logics, handling dynamic topology changes, and integrating probabilistic reasoning for fault tolerance. Overall, the work advances the state of the art in automated verification by showing that careful modularization across specification, proof, and architecture can make the verification of complex parametric systems both feasible and efficient.