Stalmarck's proof procedure is a method of tautology checkingthat has been used to verify railway interlocking software. Recently, it has been proposed [SS98] that the method has potential to increase the capacity of formal verification tools for hardware. In this paper, weexamine this potential in light of anexperiment in the opposite direction: the application of symbolic model checking to railway interlocking software previously verified with Stalmarck's method. We show that these railway systemsshare important characteristics which distinguish them from most hardware designs, and that these differences raise some doubts about the applicability of Stalmarck's method to hardware verification.

We formulate several classes of safety criteria for railway yards in terms of observable behaviour. These criteria are meant to protect trains from collisions and from derailments. We identify a number of safety criteria, and present instances of these classes for the case of the railway yard at station Hoorn–Kersenboogerd. These criteria have all been checked by means of the St˚almarck theorem prover, using a methodology from Groote, Koorn and Van Vlijmen.

We examine the application of symbolic CTL model checking to railway interlocking software. We show that the railway interlocking systems examined exhibit the characteristics of robustness and locality, and that these characteristics allow optimizations to the model checking algorithms not possible in the general case. In order to gain a better understanding of robustness and locality, we examine in detail a small railway interlocking.