Applied Mathematical Sciences, Vol. 10, 2016, no.

49, 2429 - 2436

HIKARI Ltd, www.m-hikari.com
http://dx.doi.org/10.12988/ams.2016.65208

Modeling of Railway Networks

Using Timed Automata
Dieky Adzkiya

Department of Mathematics
Institut Teknologi Sepuluh Nopember, Surabaya 60111, Indonesia

Alessandro Abate

Department of Computer Science

University of Oxford, Wolfson Building, Parks Road, Oxford OX1 3QD, UK

Copyright c 2015 Dieky Adzkiya and Alessandro Abate. This article is distributed un-
der the Creative Commons Attribution License, which permits unrestricted use, distribution,
and reproduction in any medium, provided the original work is properly cited.

Abstract
We model a railway network with synchronization feature using
timed automata (TA). The procedure consists of two steps: first, each
train in the railway network is modeled as a TA; then, the final model
is obtained by taking the parallel composition of all TA obtained in the
first step.

Mathematics Subject Classification: 68Q60, 03B70

Keywords: railway networks, timed automata

1 Introduction
Timed automata (TA) [3] are a modeling framework for a wide range of real-
time systems, such as in web services [15], audio/video protocols [10], bounded
retransmission protocols [7], collision avoidance protocols [1, 13] and commer-
cial field bus protocols [8]. Originally, TA has been defined as a Büchi automa-
ton containing finitely many states extended with real-valued variables mod-
eling clocks. In order to restrict the behavior of the automaton, constraints
2430 Dieky Adzkiya and Alessandro Abate

on the clock variables are used. Furthermore Büchi accepting conditions are
used to enforce progress properties. A simplified version called timed safety
automata has been introduced in [12] to enforce progress properties using lo-
cal invariant conditions. In this work, we use timed safety automata and refer
them as TA for simplicity (cf. Definition 2.1).
Several modeling frameworks have been used to model railway networks,
e.g. Petri nets [9], cellular automata [14], TA [6] and max-plus-linear (MPL)
systems [4, 11]. The TA model developed in this work is different with [6]. The
authors of [6] discuss a TA model of a railway control system, which controls
access to a bridge for several trains. In this work, we develop a TA model
of a railway network with synchronization between several trains. This opens
up the application of techniques in TA for analyzing railway networks. Let us
remark that this work is related with [2], which proposes a formal approach to
analyze a railway network modeled as MPL systems.
As mentioned in the previous paragraph, we propose to model a railway
network with synchronization features using TA. The procedure to build the
TA consists of two steps. In the first step, each train in the railway network is
modeled as a TA. Then, the TA model of the entire railway network is obtained
by taking the parallel composition of all TA obtained in the first step.

2 Preliminaries
2.1 Timed Automata
As discussed in the Introduction, a TA can be used to model a wide range
of real-time systems. A TA is a directed graph extended with real-valued
variables (called clocks) that model the logical clocks.
Clock constraints (i.e. guards on edges and location invariants) are used
to restrict the behavior of the automaton. A clock constraint is a conjunctive
formula of atomic constraints of the form x ./ n or x − y ./ n for x, y ∈ C,
./∈ {≤, <, =, >, ≥} and n ∈ N. We use B(C) to denote the set of clock
constraints. Moreover we denote the power set of a set C by 2C .
Definition 2.1 A timed automaton TA is a sextuple (L, `0 , Act, C, E, Inv)
where L is a set of finitely many locations (or vertices); `0 ∈ L is the initial
location; Act is the set of actions; C is a set of finitely many real-valued clocks;
E ⊆ L × B(C) × Act × 2C × L is the set of edges; Inv : L → B(C) assigns
invariants to locations. The location invariants are restricted to constraints of
the form: c ≤ n or c < n where c is a clock and n is a natural number.
The semantics of a TA are defined as a transition system where a state
consists of the current location and the current value of clocks. There are two
types of transitions between states: delay for some time (delayed transition) or
Modeling of railway networks using timed automata 2431

take an enabled edge (discrete transition). Each edge is labeled with a guard,
an action and a reset. The guard is described as a clock constraint (∈ B(C)).
An edge can be taken when the value of clocks satisfies the guard associated
with the edge. A subset of all the clocks (∈ 2C ) may be reset to zero when
a discrete transition is taken. Finally each edge is associated with an action
(∈ Act). The set of actions is used for synchronous communication between a
pair of TA. It is done by hand-shake synchronization using input and output
actions [5]. The input and output actions are denoted by di ? and di ! for i ∈ N,
respectively. An action that can be taken independently of other actions is
called internal action, denoted by *. When there is a single TA, all actions are
internal because synchronous communication is not possible.

2.2 Railway Networks

In this paper, we adopt the railway network and its synchronization mechanism
discussed in [11, Section 0.1]. The railway network consists of a number of
stations connected by several circuits. A circuit can be divided into one or
more tracks. Each track contains zero or more trains. Two circuits can be
synchronized in a station. In this case, we define the same departure time
from the station for all trains in those circuits.

2 1 2 3

Figure 1: A simple railway network [11, Figure 0.1].

In order to illustrate the railway networks considered in this paper, we use

the example in Figure 1. This railway network has two stations connected by
three circuits (left, middle and right). The left and right circuits consist of one
track, whereas the middle one consists of two tracks. There is one train placed
in each track. The number near each track represents the travel time of the
track. In this network, the left and middle circuits are synchronized in station
1, whereas the right and middle circuits are synchronized in station 2.
2432 Dieky Adzkiya and Alessandro Abate

3 Construction of the TA Model for the Rail-

way Network
In this section, we discuss a procedure to construct a TA model of a given
railway network. The procedure consists of two steps. In the first step, each
train in the railway network is modeled as a TA. Then, the TA model of
the railway network is obtained by taking the parallel composition of all TA
(obtained in the first step).
Let us discuss the procedure to construct a TA from a train. We denote
m as the number of trains. Furthermore in the railway network, there are n
stations that are denoted by s1 , . . . , sn . The time needed using a train to travel
from si to sj is denoted by ti,j for i, j ∈ {1, . . . , n}. Notice that each train is
assigned to a circuit. Each circuit is indexed with a unique natural number for
identification purposes. Furthermore every circuit is also denoted by a sequence
of stations connected by arrows, i.e. sc(1) → sc(2) → · · · → sc(n0 ) → sc(1) where
c(1), . . . , c(n0 ) ∈ {1, . . . , n}. The synchronization SyncC is formally defined as
an n-tuple (SyncC1 , . . . , SyncCn ) where SyncCi is a set containing two circuit
indexes for i ∈ {1, . . . , n}. As an example, the synchronization for the railway
network in Figure 1 is SyncC = ({1, 2}, {2, 3}).

Definition 3.1 The TA generated by a train assigned to j-th circuit sc(1) →

sc(2) → · · · → sc(n0 ) → sc(1) where the synchronization happens in stations
SyncS ⊆ {1, . . . , n0 } is given by (L, `0 , Act, C, E, Inv):
Sn0 Sn0 −1
• L= i=1 {sc(i) } ∪ i=1 {gc(i),c(i+1) } ∪ {gc(n0 ),c(1) };

• `0 = sc(1) ;
(
S {dc(i) !}, if j = max SyncCc(i)
• Act = {∗} ∪ i∈SyncS
{dc(i) ?}, if j = min SyncCc(i)

• C = {x};
(
Sn0 −1 (gc(i),c(i+1) , x = tc(i),c(i+1) , ∗, {x}, sc(i+1) ), if i ∈
/ SyncS
• E= i=1
(gc(i),c(i+1) , x = tc(i),c(i+1) , ∗, ∅, sc(i+1) ), if i ∈ SyncS
(
(gc(n0 ),c(1) , x = tc(n0 ),c(1) , ∗, {x}, sc(1) ), if i ∈
/ SyncS
∪
(gc(n0 ),c(1) , x = tc(n0 ),c(1) , ∗, ∅, sc(1) ), if i ∈ SyncS
(sc(i) , x = 0, ∗, ∅, gc(i),c(i+1) ), if i ∈
/ SyncS


Sn0 −1 
∪ i=1 (sc(i) , x ≥ 0, dc(i) !, {x}, gc(i),c(i+1) ), if i ∈ SyncS and j = max SyncCc(i)

(sc(i) , x ≥ 0, dc(i) ?, {x}, gc(i),c(i+1) ), if i ∈ SyncS and j = min SyncCc(i)

Modeling of railway networks using timed automata 2433

(sc(n0 ) , x = 0, ∗, ∅, gc(n0 ),c(1) ), if n0 ∈

/ SyncS



∪ (sc(n0 ) , x ≥ 0, dc(n0 ) !, {x}, gc(n0 ),c(1) ), if n0 ∈ SyncS and j = max SyncCc(n0 )

(sc(n0 ) , x ≥ 0, dc(n0 ) ?, {x}, gc(n0 ),c(1) ), if n0 ∈ SyncS and j = min SyncCc(n0 )


• Inv(sc(i) ) = {x = 0}, if i ∈
/ SyncS

Let us describe the TA generated by Definition 3.1 in more detail. Location

sc(i) is active when the train stops at c(i)-th station. Location gc(i),c(i+1) is
active when the train is on the way from c(i)-th station to c(i + 1)-th station.
Initially, the train stops in c(1)-th station. The action di corresponds to the
departure synchronization in the i-th station, for all i. All actions are defined
as urgent, i.e. it will be taken as soon as it is enabled. The clock variable x
represents the time elapsed since the last departure. The core of the definition
is the construction of the set of edges E. The construction of E can be divided
into two parts: with and without synchronization.
First we focus on the edges with synchronization. In this case, the clock
variable is reset to zero when the train departs from a station. The output
actions are associated with the train assigned to higher circuit index, whereas
the input actions are associated with the train assigned to lower circuit index.
Notice that both trains depart as soon as those two trains have arrived in the
station. Finally when the value of the clock variable equals the travel time of
the corresponding track, the train enters the destination.
Next we focus on the edges without synchronization. In this case, the clock
variable is reset to zero when the train enters a station. After that, the train
departs immediately.
Let us construct the TA associated with the railway network in Figure 1.
First we associate a unique number to each circuit: the left, middle and right
circuits correspond to 1, 2 and 3, respectively. Then we associate a unique
number to each train: the left, bottom, top and right trains correspond to 1,
2, 3 and 4, respectively.
The TA generated by each train is depicted in Figure 2. The locations and
edges are represented by circles and arrows, respectively. The initial location
is represented by double circles. The name and invariant of each location is
located above and below the circle, respectively. The guard, action and reset
are located near the corresponding arrow. Notice that initially, the first and
third trains depart from station 1, whereas the second and fourth trains depart
from station 2.

4 Conclusions and Future Work

In this paper, we have modeled a railway network as a TA. The TA model
can be used to verify some properties of the railway network. For example, we
2434 Dieky Adzkiya and Alessandro Abate

g1,1 x == 2 s1 g2,2 x == 3 s2

x≤2 d1 ? x≤3 d2 !
s2 s2

d2 ? d2 ?
x == 3 x=0 x == 3 x=0
g1,2 g2,1 g1,2 g2,1

x≤3 x≤5 x≤3 x≤5

d1 ! s1 x == 5 d1 ! s1 x == 5
x=0 x=0

Figure 2: The TA in the top-left and top-right parts is associated with the first
and fourth trains, respectively. The TA in the bottom-left and bottom-right
parts is associated with the second and third trains, respectively.

can check whether the delay between two consecutive departures of a train is
upper bounded by a given constant. We leave it as a future work.

References
[1] L. Aceto, A. Burgueño and K.G. Larsen, Model checking via reachability
testing for timed automata, Chapter in Tools and Algorithms for the
Construction and Analysis of Systems (TACAS’98), B. Steffen, editor,
volume 1384 of Lecture Notes in Computer Science, Springer, Heidelberg,
1998, 263–280. http://dx.doi.org/10.1007/bfb0054177

[2] D. Adzkiya, B. De Schutter and A. Abate, Finite abstractions of max-

plus-linear systems, IEEE Transactions on Automatic Control, 58 (2013),
no. 12, 3039–3053. http://dx.doi.org/10.1109/tac.2013.2273299

[3] R. Alur and D.L. Dill, A theory of timed automata, Theoretical Computer
Science, 126 (1994), no. 2, 183–235.
http://dx.doi.org/10.1016/0304-3975(94)90010-8
Modeling of railway networks using timed automata 2435

[4] F. Baccelli, G. Cohen, G.J. Olsder and J.-P. Quadrat, Synchronization

and Linearity: An Algebra for Discrete Event Systems, John Wiley and
Sons, 1992.
[5] C. Baier and J.-P. Katoen, Principles of Model Checking, The MIT Press,
2008.
[6] G. Behrmann, A. David and K.G. Larsen, A tutorial on uppaal, Chapter
in Formal Methods for the Design of Real-Time Systems (SFM-RT’04),
M. Bernardo and F. Corradini, editors, volume 3185 of Lecture Notes in
Computer Science, Springer, Heidelberg, 2004, 200–236.
http://dx.doi.org/10.1007/978-3-540-30080-9 7
[7] P.R. D’Argenio, J.-P. Katoen, T.C. Ruys and J. Tretmans, The bounded
retransmission protocol must be on time!, Chapter in Tools and Al-
gorithms for the Construction and Analysis of Systems (TACAS’97),
E. Brinksma, editor, volume 1217 of Lecture Notes in Computer Sci-
ence, Springer, Heidelberg, 1997, 416–431.
http://dx.doi.org/10.1007/bfb0035403
[8] A. David and W. Yi, Modelling and analysis of a commercial field bus
protocol, In 12th Euromicro Conference on Real-Time Systems, (2000),
165–172. http://dx.doi.org/10.1109/emrts.2000.854004
[9] A. Giua and C. Seatzu, Modeling and supervisory control of railway net-
works using Petri nets, IEEE Transactions on Automation Science and
Engineering, 5 (2008), no. 3, 431–445.
http://dx.doi.org/10.1109/tase.2008.916925
[10] K. Havelund, A. Skou, K.G. Larsen and K. Lund, Formal modeling
and analysis of an audio/video protocol: an industrial case study using
UPPAAL, Proceedings of the 18th IEEE Real-Time Systems Symposium
(RTSS’97), (1997), 2–13. http://dx.doi.org/10.1109/real.1997.641264
[11] B. Heidergott, G.J. Olsder and J.W. van der Woude, Max Plus at Work–
Modeling and Analysis of Synchronized Systems: A Course on Max-Plus
Algebra and Its Applications, Princeton University Press, 2006.
http://dx.doi.org/10.1515/9781400865239
[12] T.A. Henzinger, X. Nicollin, J. Sifakis and S. Yovine, Symbolic model
checking for real-time systems, Information and Computation, 111 (1994),
no. 2, 193–244. http://dx.doi.org/10.1006/inco.1994.1045
[13] H.E. Jensen, K.G. Larsen and A. Skou, Modelling and analysis of a
collision avoidance protocol using SPIN and UPPAAL, BRICS Report
Series, 3 (1996), no. 24. http://dx.doi.org/10.7146/brics.v3i24.20005
2436 Dieky Adzkiya and Alessandro Abate

[14] K.-P. Li, Z.-Y. Gao and B. Ning, Modeling the railway traffic using cellular
automata model, International Journal of Modern Physics C, 16 (2005),
no. 06, 921–932. http://dx.doi.org/10.1142/s0129183105007613

[15] A.P. Ravn, J. Srba, and S. Vighio, Modelling and verification of web
services business activity protocol, Chapter in Tools and Algorithms for
the Construction and Analysis of Systems (TACAS’11), P.A. Abdulla and
K.R.M. Leino, editors, volume 6605 of Lecture Notes in Computer Science,
Springer, Heidelberg, 2011, 357–371.
http://dx.doi.org/10.1007/978-3-642-19835-9 32

Received: November 15, 2015; Published: July 25, 2016