Digital Computer Applications to Process Control, Van Nauta Lemke, ed. © IFAC and North-Holland Publishing Company (1977)
A5-3
COMPUTERS REPLACING SAFETY RELAYS IN RAILWAY SIGNALLING
Analysis of different methods, description of and experience from two applications: LME's first interlocking and ATC systems containing computers.
Robert Mathson, Signalling Systems Department, Telefonaktiebolaget LM Ericsson, Stockholm, Sweden
During 40 years safety relays have been the predominant technology in practical use for railway signalling systems with fail-safe demands. During the last two to three years computers have been introduced for vital functions. To fulfil fail-safe requirements, different methods have been used to overcome the non-asymmetric failure modes of electronic components and systems. This paper covers some of these methods and evaluates them. As a result, an approach to achieve a fail-safe computer system is suggested: in a computer system for vital functions the information is processed twice, by two independently designed and executed program versions in the same computer, resulting in a safe and economic solution. The first LME computer-based interlocking plant is now being delivered and the experience of the development work is covered. A modern Automatic Train Control (ATC) system is now equipped with microcomputers; experience from development and field tests of an intermittent ATC system is summarized. The two projects make it evident that general, standard computers can be used for fail-safe systems, if careful adaptation of fail-safe design philosophy is maintained.

BACKGROUND

Process control in railway signalling applications has during 40 years employed electromechanical safety relays. The fundamental reason for this is that very rigorous fail-safe requirements are formulated for railway signalling control systems. The definition of a fail-safe system is that the system can detect faults in itself and, when this happens, transfers itself to a more restrictive state so as not to cause any dangerous situation.

This way of thinking has always been an integral part of the design work for all safety signalling systems. As an easily demonstrable example of the fail-safe principle one can look at purely mechanical interlocking systems, which are still in use. In such a system the semaphores are controlled by wires. If a wire is cut, the semaphore falls by gravity to the stop aspect. The detection and the transfer to a more restrictive state are built into the system by applying generally adopted fail-safe design methods. When designing electromechanical interlocking systems, so-called safety relays are used in the fail-safe circuitry. Here the fail-safe requirement is fulfilled with mechanical and/or energy redundancy, i.e. the construction of the relays is very robust and they are used in the circuitry such that the idle (de-energized) position of the relay is interpreted as the restrictive state.

When looking into the hierarchical structure of a railway signalling system, not all sub-systems are subject to fail-safe requirements. Modern signalling systems are now being built up by using one control centre for a whole area including one or several lines with many remotely controlled stations or line sections. This control centre is called a CTC-centre, Centralized Traffic Control centre. See figure 1.

All the safety requirements are fulfilled by the local interlocking and block systems. For the CTC systems and support systems such as the Train Describer System (TDS) and the Program Controlled Train Leading System (PTLS) there are no fail-safe requirements, and consequently those systems can be designed without any special problems using electronics or computers. This has also been the case during the last decade.

FIGURE 1
But why have electronics or computers not until recently been used for safety system applications? The reason is that electronic components like transistors and diodes have no asymmetric failure mode. When a failure occurs in a transistor it can either be short-circuited or interrupted or only degraded, i.e. out of control. So for a complex system with many integrated circuits, including a huge number of transistor functions, it is totally impossible to analyze all possible failures and their consequences, detect them and take such measures that the system will always be transferred to a restrictive state. When studying the literature on electronic and computer systems used in other applications, such as the aircraft industry, process control, nuclear power control systems etc., most systems are qualified as very reliable systems, sometimes with a high degree of redundancy in order to achieve a high rate of system uptime (availability). Very few articles touch upon the fail-safe philosophy which is so predominant in railway signalling applications.

With careful adaptation of conventional fail-safe design principles it is, however, possible to employ computers for vital functions such as interlocking systems and Automatic Train Control (ATC). These two applications will be discussed in this paper, as well as methods and experiences from the design work at LM Ericsson.

DIFFERENT METHODS TO ACHIEVE A FAIL-SAFE COMPUTER SYSTEM
As said above, standard integrated circuits, like TTL, CMOS or other circuit technologies, cannot be used as the only type of component when designing a fail-safe system. Special fail-safe electronics have been developed where each circuit element is fail-safe, mainly based upon the closed circuit principle: an active signal, such as a pulse train through the whole system, has to be alive, otherwise the whole system is transferred to a more restrictive state. For economic reasons very few systems have been developed based upon this technology. It turns out to be expensive compared with conventional relay systems, and for more complex tasks the system becomes too unreliable because of the amount of circuitry involved. Perhaps a modernized type with a high degree of integration can be adapted to specific, simple tasks. A modified approach, with a reduced amount of circuitry, would be to design a special fail-safe computer where both the CPU and the memory are designed in a fail-safe manner, using for instance the above described technology. This solution has to our knowledge not been practically tested, except for some laboratory experiments at the University of Technology in Warsaw.
Another and more practical solution is to use standard general computers, fulfilling the fail-safe requirements partly by a system-based approach and partly by adding fail-safe conventional components for external comparison circuitry. Special system solutions and conventional fail-safe practice must be adapted to the system. The benefits are high reliability with a good price/performance ratio, since standard computers are manufactured in long series and have well tested hardware and software.

A computer system is, when considering fail-safe aspects and compared to a hardware electronic system, more or less based in its way of operation upon the so-called closed circuit principle. The most critical and complex subsystem in a computer, the CPU, is involved in many calculations of different tasks; it is, so to say, time-shared by many calculation functions. I.e. nearly the same set of instructions is activated when calculating all the conditions necessary for sending out vital information as is activated for calculating the conditions for a background real-time watchdog. A fault occurring in many of the main parts of a computer consequently has an impact not only on the vital output information, such as giving a full speed aspect to the optical signals. Such a fault will, in the majority of cases, have a very destructive impact on many other calculations and will "wildly" announce its existence. This is a fundamental difference compared with hardware solutions, where a defective component has a more isolated effect.

The above described positive characteristic of a computer is not enough to obtain a fail-safe system. Special arrangements must be made. I.e. a disturbance or a defective component in a critical part of the memory can cause restrictive output information to be turned into non-restrictive output information. This change of information cannot be filtered by any supervision circuitry as long as the faulty output information is formally correct.

Redundancy must be adopted to counter hardware faults and disturbances. One way of achieving fail-safe redundancy is to double the computers and add an external fail-safe comparator logic. See figure 2.

To achieve a high availability for a vital system, the system has to be doubled again with a back-up system. To avoid four computers, the total system is reduced to a three-computer system with majority voting by external circuitry.
FIGURE 2: Computer 1 and Computer 2 (hot stand-by) receive the input from the process; an external comparator produces the restrictive or non-restrictive output.
For such a TMR system (Triple Modular Redundancy) the total system reliability (availability) will not be improved, because the voter system (external comparators) may contribute heavily to the system unreliability. This is especially the case for smaller computer systems, such as systems with microcomputers. Only special techniques can reduce the unreliability of the voter /1/. Such a system also has other disadvantages when considering systematic hardware and software errors. Even if three computers are used, software errors can cause a lot of trouble. The software is normally duplicated in three separate packages, one for each computer, but all packages are established from the same source and with the same procedure, with all the possibilities of creating errors. Another way to achieve fail-safe redundancy is to run two totally different program versions in one computer. See figure 3.
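To put a number on the voter's share, the following is an added worked example (not from the paper or from reference /1/). It treats module and voter reliabilities as independent probabilities of surviving one mission interval, which ignores the common-mode and systematic faults the text warns about; the figures 0.99, 0.999 and 0.98 are constructed.

```python
# Added example (not from the paper or from reference /1/): how much the voter's own
# unreliability is allowed to cost before TMR stops paying off. Reliabilities are treated
# as independent probabilities of surviving one mission interval; all figures are constructed.


def tmr_reliability(r_module, r_voter):
    """Three identical modules, 2-of-3 majority vote, voter in series with the vote."""
    return r_voter * (3 * r_module**2 - 2 * r_module**3)


def voter_break_even(r_module):
    """Voter reliability at which TMR exactly equals a single (simplex) module:
    r_v * (3 r^2 - 2 r^3) = r   =>   r_v = 1 / (3 r - 2 r^2)."""
    return 1.0 / (3 * r_module - 2 * r_module**2)


def compare(r_module, r_voter):
    """Simplex versus TMR for one module/voter pair."""
    tmr = tmr_reliability(r_module, r_voter)
    return {
        "simplex": r_module,
        "tmr": tmr,
        "tmr_better": tmr > r_module,
        "voter_break_even": voter_break_even(r_module),
    }


if __name__ == "__main__":
    for r_v in (0.999, 0.99, 0.98):          # constructed voter reliabilities
        print(f"module 0.99, voter {r_v}: {compare(0.99, r_v)}")
```

For a module reliability of 0.99 the break-even voter reliability is about 0.9903, i.e. the voter must be more reliable than one whole module before TMR is worth anything. That is easy for a large computer and a small voter, and hard for a microcomputer whose voter is of comparable complexity to the microcomputer itself, which is the paper's point.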
FIGURE 3

The two different program versions are developed by two different programming teams. The B program will execute reversed and inverted data and will use registers, files, output and input ports with addresses in inverted order. This method of arranging registers and files for vital parameters and variables, as well as the internal representation of each information element, ensures a safe protection against hardware and software errors as well as all possible disturbances.
An electrical disturbance which interferes with a two-computer system can cause the same change of critical information in the two identical systems, and the fault will not be detected. When all information is represented and executed in a totally different way by programs A and B in a one-computer concept, the dangerous influence of such a disturbance is also eliminated.

When using computers in fail-safe systems, software reliability questions come to light. For hardware electronic systems well developed reliability calculation and prediction models are available. Refined test procedures and fault detection methods also exist. Software reliability calculations and prediction models, as well as methods for the design and testing of software, seem to need further development compared with the corresponding techniques for purely hardware systems. In Sweden a survey study concerning software quality has been performed /2/ which states the need for further scientific research in this field and gives advice for the design of software, adopting all modern methods such as modular design, structuring techniques, control of software quality etc. All these methods ought to be used when designing reliable software. It is very important that a complex software system can be divided into smaller modules, which can be separately and carefully tested with an intelligent choice of test cases. During the design and test period software failure events must be collected, classified into different failure modes and used for software reliability prediction purposes /3/ /4/.

To achieve a fail-safe software system other means must be used. The above mentioned method of structuring the whole computer system, with an A and a B program and with an external comparison, makes the system insensitive to software errors in an effective way if the program versions are independently and separately programmed. The probability of getting the same output failure from both program versions is regarded as negligible. Such a situation requires firstly that two errors have been built into the same module of the two different program versions and secondly that these two errors cause the same output information. The basic common specification must, however, be carefully examined, because mistakes in this common source can influence both program versions. The specification is therefore written so that it can be easily understood by different categories of people, especially those who have a good knowledge of all traffic and safety requirements. This last described method of structuring a fail-safe computer system has been adopted in two different railway signalling applications in Sweden: a computerized interlocking system for large railway stations and a microcomputer-based Automatic Train Control system.

COMPUTER BASED INTERLOCKING SYSTEM

The basic objectives of an interlocking system are to facilitate and protect train movements between signals within a station area. Up to now modern interlocking systems have been designed based on safety relays. As the requirements imposed on relay interlocking systems became more sophisticated, and the logic thus became more and more complex, problems arose in connection with the design and alteration of these systems. At large stations the amount of equipment (relays) will become more expensive in the future as compared with semiconductor electronics, which permit substantial cost reductions. When using computers together with a transmission system, the logic circuitry can be centralized at large stations and on sections of the line. This results in further cost reductions. Such a computer-based interlocking system could easily be expanded for use with automatic train dispatching systems, train number systems and centralized traffic control systems if these systems already incorporate computers. LM Ericsson has now, in cooperation with the Swedish State Railways, developed such a computer-based interlocking system, designated JZS 750. The hardware configuration of JZS 750 is shown schematically in figure 4.
FIGURE 4: Computer based interlocking system JZS 750. Central equipment: interlocking computer, interlocking computer (hot stand-by), control and indication system; concentrators in the station area.
The basis of the system is made up of the two interlocking systems, A and B. They control the interlocking of the station independently of each other. The results of the calculations of the A and B systems are compared in external comparators, one for each object such as signals, point machines etc. in the station area. The comparators are built up of safety relays (type JRF) and located in so-called concentrators.

The information about the situation in the station area required by the A and B systems in order to make their calculations is received as A and B information from the concentrators. The interlocking systems work cyclically with a cycle time of one second, i.e. the information is collected and processed and the results compared every second.

EXTERNAL EQUIPMENT

The objects in the station area are connected with the concentrators by multi-wire cables. Data coded with high redundancy are transmitted between the central computer equipment and the concentrators via a transmission system. The information is transmitted serially at a speed of 2400 baud. The concentrators are spread out in the station area and a large amount of cable can be saved.

The operation of the station is carried out from keyboards and the status of the station is indicated to the operators on colour video screens. This control and indication system is controlled by another two (mini) computers. The control system includes certain automatic functions in order to relieve the operator of routine duties.

The computers used for the interlocking calculations are LM Ericsson CAC 1610 computers. The CAC 1610 is a powerful real-time computer specially designed for data communication, production and traffic control, and telephone networks. It is a 16-bit word machine and the cycle time of the processor is 2.2 µs. The CAC 1610 has 256 true priority levels in hardware, which means that the programmer has 256 virtual computers at his disposal. It also has storage protection in hardware, which fully protects each program from using areas not assigned to it. For this application a 160 k-word memory in each computer is needed for a railway station with 800 objects. The control and indication system is housed in two separate PDP 11/05 computers. Each PDP 11/05 has a memory of 28 k words (16 bit).

Figure 5 shows the computer configuration of JZS 750. The two central processing units are provided with direct computer-to-computer communication and can thus check each other. Both of the CPUs can be connected to the redundant I/O bus system, to which the peripherals are also connected.

Due to the requirement that the installation must always function without interruptions, there is a second interlocking computer. This stand-by computer takes over the work within one second if necessary, without interruption of the traffic, whenever the first computer fails. The stand-by computer can also be employed for tests, especially when connecting new objects.

FIGURE 5: Computer configuration of JZS 750 (two interlocking CPUs with direct computer-to-computer link, redundant I/O bus system, control and indication system, display system).
Each object in the station area has two areas in the computer memory (one in each of the two interlocking sections), where all information referring to the object is stored. The logic used for interlocking, i.e. the formal calculation process according to the interlocking rules and regulations, is arranged in a number of logic blocks, one for each type of object. That is, a common program module is shared by all objects of a given type. The only items provided individually for each object are dedicated data areas in the computer memory. Mostly the logic block design is based on Boolean equations. The equations are written in a subset of FORTRAN. All other programs are written in 1610 assembler, with adoption of structured programming techniques. Each logic block is designed to handle all situations which can be encountered for the type of object in question.

The control and indication system for JZS 750 is built with video screens displaying the station area in the form of a schematic track network, where the status of the various objects, i.e. signals, points etc., is indicated by symbols and colours.
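The following is an added toy model of the one-computer A/B scheme described above (two data areas per object, the B version working on inverted data at addresses in inverted order, and an external comparator that is permissive only when A and B agree). It is example code, not JZS 750's logic blocks or LME's comparator; the interlocking rule for one signal, the 0xFF/0x00 word encodings, the memory layout and the "all words forced high" disturbance are constructed assumptions. It also shows the case the text argues: the same disturbance hitting two identical copies of one program passes the comparator, while the A/B pair turns it into a disagreement and therefore a stop.

```python
# Added example (not the paper's or LM Ericsson's code): one memory image, two diversely
# represented program versions A and B, and an external comparator. The rule, field names,
# word encodings, memory layout and disturbance model are constructed for illustration.

TRUE_WORD, FALSE_WORD = 0xFF, 0x00   # one whole 8-bit word per Boolean condition

# Conditions a signal needs before it may show a proceed aspect (constructed rule).
FIELDS = ("route_set", "track_1_clear", "track_2_clear", "points_locked", "opposing_at_stop")


class Layout:
    """Where and how one program version keeps its copy of the vital data."""

    def __init__(self, base, step, inverted):
        self.base, self.step, self.inverted = base, step, inverted   # step -1: descending addresses

    def addr(self, index):
        return self.base + self.step * index

    def encode(self, flag):
        word = TRUE_WORD if flag else FALSE_WORD
        return word ^ 0xFF if self.inverted else word                # B stores every word inverted


def load(mem, layout, values):
    """Write the field values into memory in this layout's own representation."""
    for i, name in enumerate(FIELDS):
        mem[layout.addr(i)] = layout.encode(values[name])


def program_a(mem, layout):
    """Version A: proceed only if every word is exactly the TRUE pattern (anything else is restrictive)."""
    ok = all(mem[layout.addr(i)] == TRUE_WORD for i in range(len(FIELDS)))
    return TRUE_WORD if ok else FALSE_WORD          # A signals "proceed" with 0xFF


def program_b(mem, layout):
    """Version B: walks the fields in reverse on inverted data and asserts a STOP demand.
    Any word that is not the inverted-TRUE pattern (0x00) is a reason to stop."""
    stop = any(mem[layout.addr(i)] != FALSE_WORD for i in reversed(range(len(FIELDS))))
    return TRUE_WORD if stop else FALSE_WORD        # B signals "proceed" with 0x00


def comparator_ab(out_a, out_b):
    """External comparator (relays in JZS 750): permissive only when A says proceed AND
    B raises no stop demand, i.e. the two outputs are exact complements."""
    return "PROCEED" if (out_a == TRUE_WORD and out_b == FALSE_WORD) else "STOP"


def comparator_identical(out_1, out_2):
    """Comparator for two identical copies of program A: permissive when both say proceed."""
    return "PROCEED" if (out_1 == TRUE_WORD and out_2 == TRUE_WORD) else "STOP"


def disturb(mem, lo, hi, pattern=TRUE_WORD):
    """Constructed disturbance: an address range is overwritten with one pattern
    (think of a bus driver fault forcing every data line high)."""
    for a in range(lo, hi):
        mem[a] = pattern


MEM_SIZE = 64
LAYOUT_A = Layout(base=0, step=+1, inverted=False)             # A: ascending addresses, true data
LAYOUT_B = Layout(base=MEM_SIZE - 1, step=-1, inverted=True)    # B: descending addresses, inverted data
LAYOUT_A2 = Layout(base=32, step=+1, inverted=False)            # a second identical copy of A


def decide_ab(values, fault=None):
    mem = [0] * MEM_SIZE
    load(mem, LAYOUT_A, values)
    load(mem, LAYOUT_B, values)
    if fault:
        disturb(mem, *fault)
    return comparator_ab(program_a(mem, LAYOUT_A), program_b(mem, LAYOUT_B))


def decide_identical(values, fault=None):
    mem = [0] * MEM_SIZE
    load(mem, LAYOUT_A, values)
    load(mem, LAYOUT_A2, values)
    if fault:
        disturb(mem, *fault)
    return comparator_identical(program_a(mem, LAYOUT_A), program_a(mem, LAYOUT_A2))


# Constructed situation: track 1 is occupied, so the only correct aspect is STOP.
ALL_CLEAR = dict.fromkeys(FIELDS, True)
OCCUPIED = {**ALL_CLEAR, "track_1_clear": False}
WHOLE_MEMORY_HIGH = (0, MEM_SIZE)   # every word forced to 0xFF

if __name__ == "__main__":
    print("A/B, all clear:             ", decide_ab(ALL_CLEAR))
    print("A/B, track occupied:        ", decide_ab(OCCUPIED))
    print("identical, occupied + fault:", decide_identical(OCCUPIED, WHOLE_MEMORY_HIGH))
    print("A/B, occupied + fault:      ", decide_ab(OCCUPIED, WHOLE_MEMORY_HIGH))
```

The essential property is that a single physical event cannot look "formally correct" to both versions: a pattern that A reads as TRUE is, by construction, what B reads as FALSE, so the comparator's permissive condition (A proceed and B no-stop) can only be met by data that both independently computed. The safe default is the idle state of the comparator, exactly as with the de-energized relay.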
Each operator desk is equipped with two video screens and keyboards. One video screen presents a picture of the entire station area; the other displays partial areas. See figure 6.

FIGURE 6

The overall picture shows the general layout of the station area and the current traffic situation. The information displayed here consists of established train routes, occupied track circuits, train arrivals etc. The correct time and any alarms that have been issued are also shown. The partial picture displays detailed information about part of the station, selected by the operator. This information includes the status of all objects in that area as well as the designation of certain objects. By issuing a special command, the operator can obtain alphanumerical information about the status of the system. The operator controls the system via [...]

The development project has been followed by an installation period for the Göteborg interlocking plant. This can be regarded as a pilot project because it is, as far as we know, the very first all-computerized interlocking. Different simulation methods have been used to fully test the very complex Boolean logic which is necessary in an interlocking system for large railway stations. On a CDC 6600 a simulation system has been implemented, where the conversion of the interlocking calculations has been tested as well as the correctness of the Boolean logic. For the system test, all field units and train movements have been simulated in a third CAC 1610.

The control and indication system has been used to automatically generate conflicting train route commands, and the behaviour of the interlocking computers has been logged and analysed in such situations. As a part of the fail-safe analysis of the system, new software failure prediction models have been developed with the help of external experts /4/. To be able to use these models, software failure events have been collected during the whole design and test period for later statistical analysis.

AUTOMATIC TRAIN CONTROL APPLICATION

An Automatic Train Control system (ATC) can be defined as a system that enables information vital for the running of a train to be tr[...]. A modern ATC system [...]

Modern transmission technology based upon higher carrier frequencies implies high information capacity even for intermittent (discontinuous) train control systems. This information is processed and stored on the train and displayed in the driver's cab as long as it remains valid. If the driver fails to respond to a command issued by the system to slow down or stop, an automatic brake application will be initiated. The information is transferred from the wayside to the train when the train passes over a pair of beacons located between the rails at the information transfer points. Pairs are used for maximum security, increased information capacity and automatic selection of traffic direction. Antennas on the engine underframe pick up the beacon information, which is evaluated in a micro-computer aboard the train. See figure 7.
FIGURE 7: Safety signalling installation
FIGURE 8
The signal received by the trainborne equipment from the beacon constitutes one of the parameters processed by a trainborne micro-computer. Signals from tachometers and manual switches registering such things as the length of the train and the highest permitted speed constitute other parameters, on the basis of which the computer outputs visual cab signal displays, audible alarms and brake commands as required. See figure 8.

The message transmitted by a beacon consists of five eight-bit words. The first and the last words serve only to identify the beginning and the end of the message, while the three words in between carry the intelligence. The total information capacity of the system depends on the user's security requirements. The less information that is carried by the 8-bit words, the more is left for redundancy and thus security, and vice versa. Normally a special Hamming code is used with a Hamming distance of four /6/. Other security features are included, such as programmed monitoring of the trainborne transmitter, receiver and tachometers.

The trainborne computer is based upon a bus-oriented micro-computer with a CPU of type Intel 8080. With a bus-oriented structure the system is more versatile to changes and extensions than when built with a dedicated hardware-oriented solution. The system is built upon the previously described concept of having two programs in the same computer, and with another computer system as back-up to increase total system availability.
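The following is an added example of the telegram protection described above: an (8,4) extended Hamming code with minimum distance four applied to the three payload words of a five-word beacon message. It is not SJ's or LME's code (reference /6/ is not reproduced here); the bit layout, the start and end marker words and the 12-bit payload are constructed. It contrasts the two ways a distance-4 code can be used: detect-only, which rejects every error pattern of up to three bits, and single-error-correction with double-error detection (SEC-DED), which keeps more telegrams but silently miscorrects a three-bit error, a hazard that matters for a vital message.

```python
# Added example (not the paper's, SJ's or LME's code): (8,4) extended Hamming code with
# minimum distance four, protecting the three payload words of a five-word beacon telegram.
# Bit layout, marker words and payload values are constructed assumptions.

DATA_POS = (3, 5, 6, 7)     # positions of the four data bits inside the 7-bit Hamming part
PARITY_POS = (1, 2, 4)      # Hamming parity bits; bit 0 is the overall (even) parity bit


def encode84(nibble):
    """4 data bits -> 8-bit codeword: Hamming (7,4) plus one overall even-parity bit."""
    bits = [0] * 8
    for k, pos in enumerate(DATA_POS):
        bits[pos] = (nibble >> k) & 1
    for p in PARITY_POS:                     # parity p covers every position whose index has bit p set
        for pos in range(1, 8):
            if pos != p and pos & p:
                bits[p] ^= bits[pos]
    bits[0] = sum(bits[1:]) & 1              # make the whole word even weight
    return sum(b << i for i, b in enumerate(bits))


def _nibble(bits):
    return sum(bits[pos] << k for k, pos in enumerate(DATA_POS))


def decode84(word, correct_single=False):
    """Return (nibble, status) with status 'ok', 'corrected' or 'rejected'.
    correct_single=False: detect-only policy, any 1..3-bit error is rejected.
    correct_single=True:  SEC-DED policy, 1-bit errors corrected, 2-bit errors rejected."""
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = 0
    for p in PARITY_POS:
        acc = 0
        for pos in range(1, 8):
            if pos & p:
                acc ^= bits[pos]
        if acc:
            syndrome |= p                    # syndrome == position of a single flipped bit
    overall = sum(bits) & 1                  # 1 means odd weight
    if syndrome == 0 and overall == 0:
        return _nibble(bits), "ok"
    if not correct_single:
        return None, "rejected"
    if overall == 1:                         # odd weight: one bit flipped (bit 0 itself if syndrome == 0)
        bits[syndrome] ^= 1
        return _nibble(bits), "corrected"
    return None, "rejected"                  # even weight with non-zero syndrome: two flipped bits


def min_distance():
    """Minimum Hamming distance over all 16 codewords (4 for this code)."""
    words = [encode84(n) for n in range(16)]
    return min(bin(a ^ b).count("1") for a in words for b in words if a != b)


START, END = encode84(0b1010), encode84(0b0101)   # constructed start/end marker words


def encode_telegram(payload12):
    """12-bit payload -> five words: start, three payload words, end."""
    return [START] + [encode84((payload12 >> (4 * k)) & 0xF) for k in range(3)] + [END]


def decode_telegram(words, correct_single=False):
    """Return the 12-bit payload, or None when the telegram must be discarded (restrictive)."""
    if len(words) != 5 or words[0] != START or words[4] != END:
        return None
    payload = 0
    for k, w in enumerate(words[1:4]):
        nibble, status = decode84(w, correct_single)
        if status == "rejected":
            return None
        payload |= nibble << (4 * k)
    return payload


if __name__ == "__main__":
    telegram = encode_telegram(0x7A3)                # constructed payload
    damaged = list(telegram)
    damaged[2] ^= 0x10                               # one bit flipped in the second payload word
    print("min distance:", min_distance())
    print("clean:", hex(decode_telegram(telegram)))
    print("1-bit error, detect-only:", decode_telegram(damaged))
    print("1-bit error, SEC-DED:", hex(decode_telegram(damaged, correct_single=True)))
    print("3-bit error 0x0E, SEC-DED:", decode84(0x0E, correct_single=True))   # miscorrected
```

Three 4-bit payload words give 12 information bits per telegram, which is the trade-off the text describes: half of every word is spent on the code. The last line of the demonstration is the reason the detect-only policy is the conservative one: 0x0E is codeword 0x00 with three bits flipped, but it lies at distance one from codeword 0x0F, so SEC-DED confidently "corrects" it to the wrong data.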
The two programs, A and B, every 100 ms "pump" out information to the train: "inhibit alarm" or "inhibit emergency brake of the train". If one program fails, the alarm or the brake will be activated. The same will happen when the frequently performed comparison between the processing of the two programs, A and B, fails. With the use of the fail-safe concept of having two independent programs in one computer, and furthermore making frequent comparisons between calculated sub-results, the influence of disturbances, hardware faults, driver input mistakes etc. can be avoided. The total volume of the program, including the A and B programs, comparison programs etc., is about [...] 8-bit words. Vital parts of the system have been extensively tested for several years.
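The pumping just described is the closed circuit principle applied in time: the permissive state (brake inhibited) exists only while both programs keep proving they are alive and in agreement, and silence is restrictive. The following is an added model of that supervision, not LME's ATC code; the 100 ms period, the complementary token patterns 0x55/0xAA and the event trace are constructed assumptions.

```python
# Added example (not LM Ericsson's ATC code): the "pump" principle as a small model. A
# permissive output (brake inhibited) exists only while BOTH program versions keep
# delivering fresh, mutually consistent tokens; silence or disagreement is restrictive.
# The period, the token patterns and the event trace are constructed assumptions.

PERIOD_MS = 100                      # each program must pump at least this often
A_INHIBIT, B_INHIBIT = 0x55, 0xAA    # complementary "inhibit brake" patterns of A and B


class BrakeGuard:
    """External supervision of the two pumped outputs (a relay/timer circuit in practice)."""

    def __init__(self, period_ms=PERIOD_MS):
        self.period_ms = period_ms
        self.last = {"A": None, "B": None}      # program -> (time_ms, pumped value)

    def pump(self, program, now_ms, value):
        self.last[program] = (now_ms, value)

    def brake_demanded(self, now_ms):
        """True whenever the guard cannot prove that both programs are alive and agree."""
        a, b = self.last["A"], self.last["B"]
        if a is None or b is None:
            return True                           # never pumped: restrictive by default
        if any(now_ms - t > self.period_ms for t, _ in (a, b)):
            return True                           # a stale token: that program has stalled
        return not (a[1] == A_INHIBIT and b[1] == B_INHIBIT)   # both must say "inhibit"


def simulate():
    """Constructed trace: both healthy, then B stalls, then B recovers but disagrees."""
    guard = BrakeGuard()
    for t in range(0, 400, 100):                  # t = 0, 100, 200, 300: both pump in time
        guard.pump("A", t, A_INHIBIT)
        guard.pump("B", t, B_INHIBIT)
    results = {350: guard.brake_demanded(350)}    # tokens 50 ms old: brake inhibited

    guard.pump("A", 400, A_INHIBIT)               # B misses its 400 ms pump
    results[450] = guard.brake_demanded(450)      # B's token is 150 ms old: brake applied

    guard.pump("A", 500, A_INHIBIT)
    guard.pump("B", 500, 0x00)                    # B is back, but computes "do not inhibit"
    results[520] = guard.brake_demanded(520)      # fresh but inconsistent: brake applied
    return results


if __name__ == "__main__":
    for t, brake in sorted(simulate().items()):
        print(f"t={t:4d} ms  brake {'APPLIED' if brake else 'inhibited'}")
```

What the timer catches is a program that stops running; a program that keeps pumping a stale value without recomputing it is caught by the other half of the scheme, the comparison of A's and B's sub-results, which the earlier A/B example covers. The guard's own failure mode is chosen so that it lands on the restrictive side: an empty or expired token can only ever demand the brake.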
The transmission system has been tested under severe environmental conditions, including snow, water, ice, iron ore in the track and on the trainborne antenna, as well as under severe electrical disturbance conditions such as a nearly continuous arc on the pantograph. Such a long test period is needed for a system in this tough environment. The micro-computer has successfully been exposed to the same electrical environmental conditions. To withstand the influence of disturbances many measures have been taken; the computer system has, for instance, been galvanically isolated by opto-couplers. The whole system has now been tested for a long period in trains running under normal traffic operation conditions on a commuter line south of Stockholm.

CONCLUSION

The suggested fail-safe computer configuration, with two totally different program versions in one computer, is an effective way to fulfil the fail-safe requirements by a system-based approach. It is our experience that when designing a fail-safe computer system, it must not only be safe, it must also be so designed that the safety is easy to demonstrate and prove. With the introduction of computers in fail-safe systems it has been possible, within reasonable cost margins, to increase the system availability by using a back-up computer system, enabling full performance to be maintained even when a fault occurs. This will have a positive impact on railway transportation capacity.

REFERENCES

/1/ Wakerly, John F., Department of Electrical Engineering and Computer Science, Stanford University, California, "Reliability of microcomputer systems using triple modular redundancy", 1976.
/2/ [authors and title partly illegible], Technical University, "... (Software Quality)", 1976 (in Swedish).
/3/ Andersson, H., Peira, L., Strandberg, L., LM Ericsson Telephone Company, Stockholm, Sweden, "A study of software reliability", 8th International Teletraffic Congress, Melbourne, 1976.
/4/ Hallendal, G., Hedin, A., Ostrand, A., Department of Telecommunication Networks and Systems, The Royal Institute of Technology, Stockholm, Sweden, "A model for software reliability prediction for control computers", Sep. 1975.
/5/ Berg von Linde, O., LM Ericsson Telephone Company, Stockholm, Sweden, "Fail safe computer system", internal LME report, 1976 (not yet published).
/6/ Sterner, Bengt J., Swedish State Railways, Stockholm, Sweden, "Hammingkoden (8,4) - en gudagåva åt den moderna signalsäkerhetstekniken" (The Hamming code (8,4) - a godsend for modern signalling safety technology), Järnvägsteknik, 197[...] (in Swedish).