
Failsafe and Fault Tolerant Systems Application to RAILWAY SIGNALLING

SANDEEP PATALAY

Contents
1. Introduction ... 3
2. Requirements of Solid State Interlocking Systems ... 5
3. Types of Methods applied in software for Interlocking ... 11
4. Analysis of Failures of Solid State Interlocking Systems ... 11
5. Proposed Architecture of Interlocking Systems ... 13
6. Research done in this area ... 16
7. References ... 18

Prelude

Embedded System: An embedded system is a combination of hardware and software built to do a specific job. A general purpose computing system such as a PC, even though it has a good amount of hardware and software, is not an embedded system, because it does not perform one specific function. The hierarchical arrangement of embedded systems is shown below in FIG 0.

[FIG 0: Hierarchical arrangement of embedded systems]
Embedded Systems
  - Non-Real Time Systems
  - Real Time Systems
    - Hard Real Time Systems or Mission Critical Systems
      - Fail Safe Systems
      - Fault Tolerant Systems

[Figure: 3 Dimensional View of Embedded Systems plotted against Fail safety, Fault Tolerance and Response time. Axes: Fail Safety, Fault Tolerance, Response Time; regions labelled Fail Safe Systems, Fault Tolerant Systems and Non-Real Time Systems.]

Definitions

Real Time System: A real time system is an embedded system which operates on current data and not on saved data.

Hard Real Time System or Mission Critical System: A real-time computer system must react to inputs from the controlled object and from the operator. The instant at which a result must be produced is called a deadline. If missing a firm deadline could cause a catastrophe, the deadline is called hard. A real-time computer system that must meet at least one hard deadline is called a hard real-time computer system or a safety-critical real-time computer system.

Railway Interlocking System: A railway interlocking system controls the traffic in a railway station, and between adjacent stations. The control includes train routes, shunting moves and the movements of all other railway vehicles in accordance with railway rules, regulations and technological processes required for the operation of the railway station.

Interlocking Logic: A term used for the logical relationships between physical entities in the railway yard such as points, signals, track circuits, and so on. In SSI this is programmed in the software; in relay-based interlocking it is hardwired into the relay circuitry; and in ground-frame interlocking it is manifest in the mechanical linkages between physical components.

Ground-frame interlocking: An interlocking system built using mechanical linkages between levers (physical entities) is called a ground-frame interlocking system.

Route Relay Interlocking System (RRI): An interlocking system built completely using electromechanical relays is called a route relay interlocking system.

Solid State Interlocking System (SSI): An interlocking system built using electronics, replacing the traditional mechanical levers and electromechanical relays, is called a solid state interlocking system.

Reliability: The ability of an item to perform a required function under stated conditions for a stated period of time.

Redundancy: The existence of more than one means of accomplishing a given function. The means of accomplishing the function need not be identical.

Hardware (Software) Diversity: Two or more different versions of hardware (software) working in a system to achieve the same result.

Failure: The termination of the ability of an item to perform a required function.

Maintainability: The ability of an item, under stated conditions of use, to be retained in, or restored to, a state in which it can perform its required function, when maintenance is performed under stated conditions and using prescribed procedures and resources.

Availability: The ability of an item (under the combined aspects of its reliability, maintainability, and maintenance support) to perform its required function over a stated period of time.

Introduction
A railway interlocking system controls the traffic in a railway station, and between adjacent stations. The control includes train routes, shunting moves and the movements of all other railway vehicles in accordance with railway rules, regulations and technological processes required for the operation of the railway station.

Need for solid state Interlocking System: In traditional RRI (Route Relay Interlocking) systems the interlocking logic is implemented through electromechanical relays. In a typical four road station the number of relays used to implement this logic is in the order of 1000, and the wiring is so complex that the time taken to install and commission an RRI is very long. Testing the system requires the whole station to be set up, with testing done during normal train operation. The maintenance of RRI systems is costly and complex. So a better system, which would reduce the number of relays and the maintenance effort, was needed. In an SSI system the relays that implement the interlocking logic in RRI are simulated by software variables, and only the final output relays driving the field functions are needed, so the number of relays is reduced to a fraction of the total RRI relays. The installation time is also greatly reduced, to 1/5 of the RRI installation time, and the testing can be simulated and done even at the factory. Thus the need for an SSI system arose.

Electronic blocks are still not often used for the railway's interlocking equipment. The safety function in railway applications was always based on gravitational attraction (e.g. by relays or mechanical signals) for the stop signals, and on a mechanical pull or on a large electrical current for the permit signal. It is very difficult to prove that interlocking equipment built from electronic blocks can be safe, and railway operators are afraid of the unreliability and dangerousness of these blocks. Since electronic blocks were used successfully in the space program, railway operators have accepted their use in railway interlocking equipment, and newly designed systems usually apply microprocessors.

In the past mechanical interlockings were used, followed by electro-mechanical interlockings. In the second half of the last century mainly relay interlockings were installed, whereas in the last decade the computer based interlocking appeared. The development of different interlocking technologies over the years and the migration between them (from the mechanical up to the computer based interlockings) brought new opportunities as well as new demands regarding V&V (Verification and Validation). Over the last ten years, additional issues have influenced the approach towards the V&V work:
- The complexity of computer based interlockings demands rigid procedures and strict requirements for verification and validation.
- Computer based technologies allowed a new approach towards signalling rules.
- Computer technology allows much more functional flexibility through the software.
- CENELEC standards have been elaborated and introduced.
- The reorganization of the railway companies, among other things, caused V&V activities to be split up and assigned to independent organizations.

All these changes offer chances as well as threats for a professional verification and validation of interlockings. Rail signalling equipment is governed by the principles of safety, reliability and availability. Railway operators are not confident of the electronic blocks for various reasons. Confidence has to be built in the railway operators by employing methods that are user friendly and easy to validate, and for which total white box testing is possible.

1. Requirements of Solid State Interlocking Systems

The solid state interlocking systems for railways should ensure the following:
1. Fail safety
2. Availability
3. Reliability
4. Maintainability

To ensure the above points, the hardware and software are designed accordingly. There are various techniques to meet these requirements, as discussed below.

Table no-1: Redundancy Methods (columns: Sno, Type of Redundancy, Method of Implementation, Type of Errors Detected, Practical Problems with the Method)

1. Time Redundancy
   Method of Implementation: The same software is executed on the same hardware during two different time intervals (FIG 1).
   Type of Errors Detected: Errors caused by transients; they are avoided by reading at two different time intervals.
   Practical Problems: A single hardware fault leads to shut down of the system. This method is not used, since software faults are not completely found in validation, and the self-diagnostics employed for checking hardware faults are not complete.

2. Hardware Redundancy
   Method of Implementation: The same software is executed on two identical hardware channels (FIG 2).
   Type of Errors Detected: Hardware faults are detected, since the outputs from both hardware channels are compared, and a single hardware fault does not lead to shut down of the system.
   Practical Problems: Software faults are not detected, since the same software is running on the two identical channels. Software faults at the design stage are still not detected.

3. Diverse Hardware
   Method of Implementation: Identical software is executed on different hardware versions (FIG 3).
   Type of Errors Detected: Hardware design faults at the design stage are detected.
   Practical Problems: Software faults at the design stage are still not detected.

4. Diverse Software
   Method of Implementation: Two different software versions are executed on the same hardware during two different time intervals (FIG 4).
   Type of Errors Detected: Software faults at the design stage are detected, since the versions are diverse.
   Practical Problems: Even though the software is diverse, both versions are executed on a single hardware channel, so a single hardware fault leads to shut down of the system.

5. Diverse software on redundant hardware
   Method of Implementation: Two different software versions are executed on two identical hardware channels (FIG 5).
   Type of Errors Detected: Software faults at the design stage are detected, and a single hardware fault does not lead to system shut down.
   Practical Problems: Hardware faults at the design stage are not detected.

6. Diverse software on diverse hardware
   Method of Implementation: Two different software versions are executed on two different hardware channels (FIG 6).
   Type of Errors Detected: Software faults and hardware faults are detected at the design stage.
   Practical Problems: This method is rarely used; the complexity involved is high.

Fig No: 1 Time Redundancy. [Figure: Inputs are read by the processor at Time 1 and again at Time 2; the two readings produce the System Outputs.]

Fig No: 2 Hardware Redundancy. [Figure: Inputs feed Processor 1 to Processor n, each with identical software and hardware; the Processor 1 to Processor n Outputs go to a Voter, which produces the System Outputs.]

Fig No: 3 Hardware Diversity. [Figure: Inputs feed Processor 1 (Hardware 1) to Processor n (Hardware n), all running identical software; the processor outputs go to a Voter, which produces the System Outputs.]

Fig No: 4 Software Diversity. [Figure: Inputs are processed by Software 1 and Software 2 on one processor to produce the System Outputs.]

Fig No: 5 Diverse software on redundant hardware. [Figure: Inputs feed Processor 1 (Software 1) to Processor n (Software n) on identical hardware; the processor outputs go to a Voter, which produces the System Outputs.]

Fig No: 6 Diverse software on Diverse hardware. [Figure: Inputs feed Processor 1 (Hardware 1, Software 1) to Processor n (Hardware n, Software n); the processor outputs go to a Voter, which produces the System Outputs.]

2. Types of Methods applied in software for Interlocking

2.1 Geographical Method: In the geographical method the input to the SSI is given as the position of the signals, points, track circuits and slots. The interlocking is implemented from generic rules such as: no part of the track may be shared by two routes at a time, conflicting routes must not be set at the same time, and so on. This type of implementation requires great knowledge of the yard elements and of the interconnections between them. In this method the software has no one-to-one relationship to the relay circuits used for RRI and is very difficult to validate, so this method has failed to create the necessary confidence in the railway operators.

2.2 Boolean Equation Method: The Boolean equation method is an implementation of the traditional relay interlocking principles. In this method the relay circuits are implemented as Boolean equations, so there is a one-to-one relationship between the relay circuits and the software variables. Since the software corresponds one-to-one with the RRI relay circuits, the railway operator can easily validate the software entries made, and this method gives him sufficient confidence.
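As an added illustration of the Boolean equation method (example code, not from the paper): a generic evaluator whose only yard-specific input is a table of relay-style equations, so the one-to-one relation with the relay circuit is kept and the yard data can be read and validated on its own. The two-signal yard layout and the relay names are constructed assumptions for this example.

```python
import re

# Constructed yard data for a hypothetical two-signal layout, in relay
# nomenclature: T?_TPR track relay up = track clear; P1_NWKR/P1_RWKR points
# detected normal/reverse; S?_RT route set; S?_ASR route NOT set; S?_HR signal clear.
YARD_EQUATIONS = {
    "S1_ASR": "not S1_RT",
    "S3_ASR": "not S3_RT",
    # S1 runs over P1 normal, S3 over P1 reverse; both use T2, so each
    # requires the other's ASR, i.e. the conflicting route is not set.
    "S1_HR": "S1_RT and T1_TPR and T2_TPR and P1_NWKR and S3_ASR",
    "S3_HR": "S3_RT and T3_TPR and T2_TPR and P1_RWKR and S1_ASR",
    # Points may be moved only when no route is set over them and T2 is clear.
    "P1_FREE": "(S1_ASR and S3_ASR) and T2_TPR",
}

def compile_equation(expr):
    """Compile a relay-style expression (precedence: or < and < not < parentheses)
    into a function state -> bool.  No eval(): yard data stays data.  A relay
    name missing from the state reads False (relay down), so a typo in the
    yard data can only hold a signal at danger, never clear it."""
    tokens = re.findall(r"\(|\)|[A-Za-z_]\w*", expr)
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def binary(op, sub):               # chain of sub-expressions joined by `op`
        f = sub()
        while peek() == op:
            take()
            f = lambda s, a=f, b=sub(): (a(s) or b(s)) if op == "or" else (a(s) and b(s))
        return f
    parse_or = lambda: binary("or", parse_and)
    parse_and = lambda: binary("and", parse_not)
    def parse_not():
        tok = peek()
        if tok == "not":
            take()
            f = parse_not()
            return lambda s: not f(s)
        if tok == "(":
            take()
            f = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in: " + expr)
            return f
        if tok is None or tok in ("and", "or", "not", ")"):
            raise ValueError("unexpected token %r in: %s" % (tok, expr))
        take()
        return lambda s, n=tok: bool(s.get(n, False))
    f = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in: " + expr)
    return f

def evaluate(equations, field_inputs):
    """Evaluate every equation to a fixed point, starting from 'all relays down'.
    That is the least (fail-safe) fixed point when circuits have feedback, and
    for an acyclic yard it resolves the equation order automatically."""
    compiled = {n: compile_equation(e) for n, e in equations.items()}
    state = dict(field_inputs)
    for _ in range(len(compiled) + 1):
        new = {n: f(state) for n, f in compiled.items()}
        if all(state.get(n) == v for n, v in new.items()):
            return new
        state.update(new)
    raise RuntimeError("interlocking equations did not converge")
```

Because the equations are data, the yard-specific part can be unit tested and white-box checked on its own while the parser and evaluator stay unchanged from yard to yard.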

3. Analysis of Failures of Solid State Interlocking Systems

Even after employing one of the above methods to ensure fail safety, in practice the reliability and maintainability of these systems has not been proved in the interlocking systems installed worldwide. The reasons for the lack of reliability can be explained as follows:

1. Lack of domain knowledge in signalling and traditional route relay interlocking systems. This creates a technological gap between the software programmers and the domain consultants, which leads to errors in software that might cause unsafe failures of the system.
2. Increasing the complexity of the system by employing a distributed architecture, which is difficult to validate and verify and difficult to maintain, thus leading to a very high time to repair.
3. Extending the working scope of the interlocking system to monitoring and other non-interlocking functions, which leads to degraded performance of the system.
4. Employing non-formal interlocking principles instead of traditional RRI principles leads to software complexity. For example, with the geographical method every system installed for a new yard needs validation, which is not practicable.
5. Since the software and hardware are so complex, a complete test of the system is not possible, and most of the faults are revealed at the field installation stage or during normal working of the system in the field.
6. The software has to be changed for every yard, so the software structure should be in a generic form; but we seldom see a generic form, and this is the stage at which errors creep in.
7. Because of the lack of standardization in the railway working principles and the core interlocking principles, the software developers are forced to change the software for every yard in different railway zones, and this is when errors in the software creep in.

Because of the above reasons the interlocking systems have failed to create the necessary confidence in the railway operators, and for this reason solid state interlocking systems have become unpopular.

If we examine broadly the reasons for failure and lack of reliability and maintainability that are forced on the designers, they are as follows:
1. Lack of standardization of interlocking principles: every railway zone has its own set of rules and principles, which conflict with those of other railways. This makes the life of the developers difficult, because they have to change their system settings and software accordingly.
2. There is no standard book or reference available describing the core interlocking principles, since these rules are known only to the people working in this domain.
3. Increase in the complexity of the software leads to difficulty in testing; since most interlocking systems are sequential machines, they are error prone and very difficult to test.

4. Proposed Architecture of Interlocking Systems

The proposed solutions for the problems discussed above are as follows:

1. Work towards the standardization of interlocking principles and develop a generic set of equations.
2. Keep the hardware complexity to a bare minimum so that fool proof testing of the system is achieved.
3. Keep the system centralized so that the complexity involved is less; this automatically improves the maintainability.
4. Most of the solid state interlocking systems developed to date follow one of the methods described in Table no: 1, which is either software voting or hardware voting. A new method is proposed in which two different software versions are implemented on both processors of the system, and the processors have an identical design. This way the functionality of both the software voter and the hardware voter is met: the system gains additional reliability from the software voter, and availability is achieved by hardware redundancy.
5. To date, systems have been developed to detect a fault and isolate themselves; the system hardware must be developed in such a manner that it detects a fault and repairs itself, or has an alternate for the faulty portion.
6. Since each yard has its own specifics, the software must be developed in such a manner that only the yard-specific data is changed for every yard and the core software remains the same, so that for each system only the yard-specific part of the software needs to be validated. This should be done in a manner that is understood by the railway operators, so that it creates the necessary confidence in them and they are sure of the entries made.
7. Today most solid state interlocking systems use black box testing. This is full of flaws, because not all the conditions in interlocking can be tested with the test forms existing today, so a system must be developed in which white box testing can be carried out and the yard-specific data can be tested individually.
8. The software should be written in such a manner that a layman or the railway operator can enter his own relay logic, and this should be compiled and should generate an executable file.
9. The software should be written in a manner that is fool proof and crystal clear, so that total unit testing and validation is possible.
10. The use of FPGAs is suggested wherever necessary, in addition to the microprocessors used, to give additional functionality and scope.

By employing the above points the SSIs gain increased reliability, availability and maintainability. This also creates the necessary confidence in the railway operators that they can adopt new technologies. The block diagram of the proposed architecture for SSI is shown in Fig: 7.

Fig No: 7 Proposed Architecture. [Figure: Processor 1 to Processor n on identical hardware; each processor takes the Inputs, runs Software 1 and Software 2 and a Software Voter; the processor outputs feed a hardware Voter, which produces the System Outputs; a Supervisor and diagnostic Module oversees the channels.]
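The voting scheme of item 4 and the self-isolation of item 5, simulated as an added example (this is not the paper's design or code): each of n identical processors runs two diverse software versions behind a software voter, and a hardware voter compares the processors, exactly as the comparison in Table no-1 rows 2 and 5 describes. The relay names, the "at least two healthy channels must agree" rule, the 2-of-3 channel count and the injected faults are constructed assumptions; the fail-safe output is "signal at danger".

```python
from dataclasses import dataclass, field
DANGER, CLEAR = False, True   # the fail-safe state is "signal at danger"
FAULT = None                  # a channel that cannot vouch for its output

# Constructed field inputs for one signal (hypothetical relay names): route set,
# two track circuits clear, points detected normal, conflicting route not set.
GOOD = {"RT": True, "T1_TPR": True, "T2_TPR": True, "P1_NWKR": True, "CONFLICT_RT": False}

def sw_version_1(i):
    """Version 1: the relay circuit written as one Boolean equation."""
    return i["RT"] and i["T1_TPR"] and i["T2_TPR"] and i["P1_NWKR"] and not i["CONFLICT_RT"]

CHECKLIST = (("RT", True), ("T1_TPR", True), ("T2_TPR", True),
             ("P1_NWKR", True), ("CONFLICT_RT", False))
def sw_version_2(i, checklist=CHECKLIST):
    """Version 2: the same rule in a different style (a table of required states)."""
    return all(i[name] == wanted for name, wanted in checklist)

def buggy_version_2(i):
    """A hypothetical design fault in version 2: the conflicting-route check is missing."""
    return sw_version_2(i, CHECKLIST[:-1])

@dataclass
class Processor:
    """One hardware channel running both diverse versions and a software voter."""
    name: str
    versions: tuple = (sw_version_1, sw_version_2)
    failed: bool = False               # set by self-diagnostics: channel isolates itself
    log: list = field(default_factory=list)
    def run(self, inputs):
        if self.failed:
            self.log.append(f"{self.name}: self-diagnosed fault, output withheld")
            return FAULT
        results = [v(inputs) for v in self.versions]
        if len(set(results)) != 1:     # diverse versions disagree: design fault suspected
            self.log.append(f"{self.name}: software voter mismatch {results}")
            return FAULT
        return results[0]

def hardware_voter(outputs, diagnostics, min_agree=2):
    """Vote across channels.  Example assumption: at least `min_agree` healthy
    channels must agree and none may disagree, otherwise fail-safe DANGER."""
    healthy = [v for v in outputs.values() if v is not FAULT]
    if len(set(healthy)) > 1:
        diagnostics.append(f"hardware voter mismatch {outputs}")
    if len(healthy) < min_agree or len(set(healthy)) != 1:
        return DANGER
    return healthy[0]

def cycle(processors, inputs_per_channel):
    """One interlocking cycle; returns (system output, supervisor diagnostics)."""
    outputs = {p.name: p.run(inputs_per_channel[p.name]) for p in processors}
    diagnostics = [m for p in processors for m in p.log]
    return hardware_voter(outputs, diagnostics), diagnostics

def scenario(n=3, conflict=False, transient_on=None, failed=None, versions=None):
    """Build n identical channels, optionally inject one fault, run one cycle."""
    procs = [Processor(f"P{k}", versions or (sw_version_1, sw_version_2),
                       failed=(f"P{k}" == failed)) for k in range(1, n + 1)]
    inputs = {p.name: dict(GOOD, CONFLICT_RT=conflict) for p in procs}
    if transient_on:                   # a transient corrupts one channel's input copy
        inputs[transient_on]["T2_TPR"] = False
    return cycle(procs, inputs)

if __name__ == "__main__":
    print("normal      ", scenario())
    print("transient   ", scenario(transient_on="P2"))
    print("channel down", scenario(failed="P2"))
    print("design fault", scenario(conflict=True, versions=(sw_version_1, buggy_version_2)))
```

A transient on one channel is caught by the hardware voter and forces the safe side, a channel that isolates itself leaves the remaining two to carry the output, and a design fault in one software version is caught by the software voter on every processor, which is the combination of reliability and availability the text claims for the architecture.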

5. Research done in this area: Research in the field of solid state interlocking systems dates back to the 1970s; the first prototypes came into existence in Britain in the early 80s. In India the research in this area started in the mid 80s at IIT Delhi, in a project funded by RDSO, Lucknow. Prof. Vinod Chandra and Dr. M. Verma were involved in this project. They developed a prototype in which different Safety Integrity Levels were allocated to each module, so that the complexity of validating a whole system that has only one safety integrity level is avoided. The prototype was developed using the 2/2 hardware redundancy method. Union Switch and Signal Company developed a system with a single processor using the diverse software method; the total system had a hot standby that would take over if one system failed. Westrace Inc, Australia has implemented a distributed architecture of SSI, where the control is distributed over the entire yard as opposed to centralized systems. Michele Banci, ISTI - CNR, Formal Methods and Tools Group, Pisa, Italy has worked on statecharts and the geographical method to implement interlocking. Dejan Lutovac and Tatjana Lutovac of RMIT University, Melbourne, Australia have worked on generalizing the software, towards a universal interlocking system. Peter Wigger, Institute for Software, Electronics, Railroad Technology (ISEB), TÜV InterTraffic GmbH, Berlin-Brandenburg Group has worked on allocating Safety Integrity Levels (SIL) in railway applications. Radek Dobias and Hana Kubatova, Department of Computer Science and Engineering, Czech Technical University Prague have worked on the use of FPGAs in safety critical railway applications. Kotaro Shimamura and Shinichiro Yamaguchi of Hitachi Research Laboratory, Hitachi Ltd have worked on fail safe hardware using dual synthesizable processor cores, which gives redundancy at the component level itself.

Tomoji Kishi and Natsuko Noda of Software Design Laboratories, NEC Corporation have worked on software architecture, architecture conformance, non-functional properties, design methods and layered systems for interlocking software.

Conclusion: It is suggested that in the complex field of railway signalling, where safety, availability and maintainability are the prime issues, the railway operators must be taken into confidence, and the method applied to design these systems should be reliable, validatable and should create confidence in the railway operators. The method suggested in this paper describes the approach to be employed for the design and development of SSIs for safe and reliable operation.

References:
1. Towards an Universal Computer Interlocking System, Dejan Lutovac and Tatjana Lutovac, FACTA UNIVERSITATIS (Niš), Series: Electronics and Energetics, vol. 11, No. 1 (1998), 25-49.
2. Geographical vs. Functional modelling by statecharts of interlocking systems, Michele Banci, Formal Methods and Tools Group, ISTI CNR, Pisa, Italy, FMICS 2004, Preliminary Version.
3. Independent Verification and Validation of interlocking in the Netherlands, P. Musters and T. van de Ven, V&V-article (version 2.2).
4. The Safety Philosophy Behind the CENELEC Railway Standards, Dr. Hendrik Schäbe, TÜV InterTraffic GmbH, Institute for Software, Electronics, Railroad Technology, Am Grauen Stein, D-51105 Köln, Germany.
5. FPGA Based Design of the Railway's Interlocking Equipments, Radek Dobias and Hana Kubatova, Department of Computer Science and Engineering, Czech Technical University Prague.
6. A Fail-Safe Microprocessor Using Dual Synthesizable Processor Cores, Kotaro Shimamura and Shinichiro Yamaguchi.
7. Fault Tolerance in Railway Signalling System: A study of the Elektra Interlocking Systems, Alexandre Denault, McGill University, Quebec, Canada.
8. Software Design based on Architecture Conformance, Tomoji Kishi and Natsuko Noda, Software Design Laboratories, NEC Corporation.
9. Solid State Interlocking Systems, US & S Solutions.
10. A Fail Safe Interlocking System for Railways, V. Chandra and M. Verma.
