A REFINEMENT BASED APPROACH TO CALCULATING A FAULT-TOLERANT RAILWAY SIGNAL DEVICE

Alistair A. McEwan & J. C. P. Woodcock
Computing Laboratory, University of Kent at Canterbury, UK
A.A.McEwan@kent.ac.uk, J.C.P.Woodcock@kent.ac.uk

Abstract

In this extended abstract, we present a technique whereby a new, fail-safe and fault-tolerant architecture for an existing device is calculated, and verified, from an existing abstract specification. The inspiration for the architecture draws from the Byzantine Generals problem. The model is presented in Hoare’s CSP, safety properties are proved using the model checker FDR, and development is guided by the laws of Circus. The case study is Montigel’s Dwarf Signal.

Keywords: Safety, fault-tolerance, verification, CSP, Circus, Montigel’s Dwarf Signal

1. Introduction

In this extended abstract, we show how safety-critical devices employing distributed consensus approaches to compositional safety can be designed and calculated from an abstract specification, using Communicating Sequential Processes (CSP) [3, 9] and Circus [12]. A new implementation of an existing device is calculated from an existing abstract specification, appealing to a well-known distributed consensus algorithm. The result is an architecture that can be shown to preserve all the safety properties of the original and to offer more fault-tolerance. Proofs are conducted using a model-checking tool. The case study used is Montigel’s Dwarf Signal [7], a track-side railway signalling device in use in the Austrian railway system.

We begin by presenting relevant background. Section 2 presents a CSP model of a simple distributed consensus algorithm, followed by a description in section 3 of how a new architecture can be calculated, developed, and verified, appealing to the distributed consensus algorithm. Finally, in section 4 we suggest where further improvements to the architecture may be possible, and analyse the success of the development strategy.