The initial project, started in 1993, was a cooperative effort between NASA, US&S and Odyssey Research Associates. The result of this first years work was a formal mathematical model of a railway switching network, defined in two levels. The top most level of the model provides the mechanisms for defining the basic concepts; track, switches, trains and their positions and control liners of a train (i.e. how far down the track it has clearance to travel.) The second level is a formalization of the standard scheme used in railroad control, the block model control system. A proof that the fixed block control system is ``safe'' with respect to the top level model has been completed. Models of US&S proprietary control schemes were also formulated.
The European formal methods community has addressed safety properties of certain components of railroad control systems, but the work there has typically been at lower level. The cooperative work with US&S is unique in that a high level model of a railroad system has been described and used to analyze the safety of various control schemes.
The next phase of the collaborative effort will concentrate on formal modeling and analysis of the fault-tolerant core of US&S's next generation fail-stop control architecture.