Verification and Validation

Predictive Maintenance of Railway Point Machines

2012-01-21T19:53:00.000-08:00

From the desk of

Sandeep Patalay

PredictiveMaintenance of Railway
Point Machines

Sandeep Patalay

Senior SystemsEngineer, CMC Ltd

Abstract— The railway points(switches) are vital component of any Railway Interlocking system. Regularmaintenance of points is required to keep them in operating condition. Presentmaintenance of points involves frequent inspection by maintenance staff and isnot fool proof. Currently Electronic Monitoring systems are available whichonly logs the event and does not give any predictive analysis about the healthof the points subsystem. This paper discusses a new approach for maintenanceand diagnosis of railway points which is capable of remote monitoring and isintelligent enough to give predictive maintenance reports about the railwaypoint’s health. This reduces the effort and huge costs in reducing manualmonitoring and also it fool proof avoiding accidents. Distributed datagathering and centralized data processing methods have been discussed that notonly report the fault but also give predictive measures to be taken by thefield staff to avoid catastrophic failures.

Introduction

Railways traverse through the length andbreadth of our country covering 63,140 route kms, comprising broad gauge(45,099 kms), meter gauge (14,776 kms) and narrow gauge (3,265 kms). Themost important part of the railways to carry out operations like safe movementof trains and communications between different entities is Signalling. TheRailway signalling is governed by a concept called Interlocking. The maincomponent of the interlocking is the Railways Points consisting of DCelectrical motors to switch the rails to a different route. Thesevast and widespread assets to meet the growing traffic needs of developingeconomy is no easy task and makes Indian Railways a complex cybernetic system.The current mechanism in place to maintain the railway points are completelymanual and requires large pool of maintainers to check the validity of thepoint machine and the related point infrastructure regularly, this processemployed is neither cost effective nor fool proof. By employing the traditionalmethod of manual maintenance, the rail operators do not have any prior warningfor replacement or repair of points. The discussion in this paper mainlyfocuses on development of a system that not only monitors the points remotelywithout manual intervention, but also diagnosis the problem in the point thussaving human lives and huge manual maintenance costs. Themotivation for developing a predictive maintenance system for Railway Points isas follows:

To use an array of sensors to monitor all relevant parameters, in order to provide advanced warning of degradation prior to railways points failure.

To provide predictive maintenance reports about the point machines to the maintainers.

To provide continuous monitoring at both local and centralized locations.

To provide an automated archival record from which broad trends can be extracted from the entire railway asset base.

To provide, in the event of a catastrophic failure, the immediate past history to identify the cause.

Railway Points Structure

The following Figure 1 describesthe architecture of railway points in operation.

Figure 1

Points, or switches as they are known, allow arail vehicle to move from one set of rails to another. They are a ‘digitaloutput device’ in that there are only two acceptable states for the point to beset in, ‘normal’, and ‘reverse’. Movement is carried out by way of a gearedmotor, which actuates the stretcher bar. Location or state detection is made bya two-position, polarized, magnetic stickcontactor. A signal is fed back from these switches to the signal box where allpoint directions are controlled and monitored. The snap-action switches at theend of the stroke stop the machine and help brake the motor to help reduce anyimpact at the end of the travel. Two stretcher bars (Figure 1) make surethat the switch rails remain the correct distance apart – this can vary betweeninstallations depending on the curvature of the main rails, and the speed limitof that section of the track. There are usually two stretcher bars for eachpoint machine. Any fault in this mechanism like poorly securing of the bolts holdingthese stretcher bars, loose bolts etc. may lead to deadly accidents.

Proposed PredictiveMaintenance System Architecture

The proposed architecture of PredictiveMaintenance System (PMS) for Railways points is discussed below using the Figure2

Figure 2 Architecture of PMS

Sensors are used to measure Voltage, Current,load and temperature of Point Motor. The Throwing load sensor is used tomeasure the stress in the operating rod of the point machine. The sensor valuesare read on real time basis by the wayside device and sent to a centrallocation for analysis. The wayside device uses GSM/GRPS network to transmitthis data to a central location. The Central Station analyzes the data in realtime and makes predictions on the point machines and stores them in to adatabase. The status of any point machine can be viewed using any internetbrowser in the central station. The Local station maintainers can view the databy logging in to the web server using any internet browser. Basedon the Current consumption, the load sensor values and the point motortemperature, predictions are made for the maintenance or replacement of thePoint Motors. The central location is a Web server based architecture, whereanyone with a Web browser can login and see the details.

Data processing andanalytics

The system has a database of current and loadcharacteristics of good working railway points. This data is used as areference for processing real time data received from the wayside units. Thefollowing figures show the current (i) and load sensor values plotted againsttime during point machine operation.

Figure 3 Current Characteristics

Figure 4 Load Force Characteristics

Data ProcessingTechniques

Various Signal Processing Techniques areavailable for analysis of real time data described below:

1) DataCluster method – This involves recording the characteristics of a parameter ofa subsystem under different simulated conditions and then using this as areference to validate the real time data. This method is different fromtemplate matching, since it not entirely based on matching the plottedcharacteristics.

2) Templatematching – Entails comparing complete data sets with pre-recorded examples ofdata resulting from known fault conditions. The method can be used effectivelyin some circumstances, provided a representation of the data that produces gooddiscrimination between pattern classes can be made. However, this requires asubstantial amount of experimentation with different transformations of thedata sets to find such distinctions, and would be a computationally intensiveprocess.

3) Statisticaland decision theoretic methods – Matches are made based on statistical featuresof the signal. For example, the mean and peak-to-peak value are evaluated foreach vector, and plotted in feature space, whereby different patterns aredistinguishable because they form clusters for each class that are located apartfrom the fully functioning case.

4) Structuralor syntactic methods – Involves deconstructing a pattern or vector intostructural components, to enable comparisons to be made on more simple,sub-segments of data rather than a complete vector. Mathematically, thesemethods are similar to fractal-based compression routines.

The method that was of specific interest tothis project was to use a data clustering methodology where a database of goodmeasurements as well as load sensor data readings under various simulatedfaults in the laboratory on some specimen railway points is stored andthen the real time load sensor data is plotted against it. This generates veryunique clusters of data points which represent each type of fault.

By applying the above techniques, we getclusters of fault data. We have found that these data clusters are unique inthe sense that these represent different types of faults.

Figure 5 Force Data Clusters

Types of faults detectable

Tight lock on reverse side (sand on bearers both sides) – Refers to the lock which holds the point in position after it has changed direction. This lock prevents the point from moving out of position because of vibration.

A 12-mm obstruction at toe on normal side – Simulates a piece of ballast impeding point motion between the toe of the switch rail (the mobile section of rail), and the stock rail.

Back drive slackened off at toe end on LHS – The drive to the midpoint of the switch rail is only loosely connected to the stretcher bar. The stretcher bar holds the mobile rails a fixed distance apart.

Back drive slackened off at toe end on RHS – Similar to the above.

Back drive tightened at heel end on RHS – Similar to the above.

Back drive tightened at heel end on LHS – Similar to the above.

Diode snubbing block disconnected – An electrical fault.

Drive rod stretcher bar loose on RHS – Connecting bar between the switch rails is loose. A dangerous fault.
Operational contact slackened off by four holes – Applies to the contact for detecting when the point has completed motion.

Dynamic Analysis of Safety Critical Systems

2011-09-24T17:20:00.000-07:00

From the desk of
Sandeep Patalay

Background: The dynamic analysis of the safety critical software is an important phase of the Independent Verification and Validation of the system. The EN 50128 has detailed the methods that shall be used for this phase of the verification life cycle. This phase is so critical to the project output that it demands meticulous planning and organization. Here we discuss the dynamic analysis methods suggested by the CENELEC standards for SIL 4 software.

Boundary Value Analysis

The aim of this method is to remove software errors occurring at parameter limits or boundaries. The input domain of the program is divided into a number of input classes. The tests should cover the boundaries and extremes of the classes. The tests check that the boundaries in the input domain of the specification coincide with those in the program. The use of the value zero, in a direct as well as in an indirect translation, is often error-prone and demands special attention:

Zero divisor;
Blank ASCII characters;
Empty stack or list element;
Null matrix;
Zero table entry.

Normally the boundaries for input have a direct correspondence to the boundaries for the output range. Test cases should be written to force the output to its limited values. Consider also, if it is possible to specify a test case which causes output to exceed the specification boundary values. If output is a sequence of data, for example a printed table, special attention should be paid to the first and the last elements and to lists containing none, 1 and 2 elements.

Error Guessing

The aim of this method is to remove common programming errors. Testing experience and intuition combined with knowledge and curiosity about the system under test may add some uncategorised test cases to the designed test case set. Special values or combinations of values may be error-prone. Some interesting test cases may be derived from inspection checklists. It may also be considered whether the system is robust enough. Can the buttons be pushed on the front-panel too fast or too often? What happens if two buttons are pushed simultaneously?

Error Seeding

The aim of this method is to ascertain whether a set of test cases is adequate. Some known error types are inserted in the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. The ratio of found seeded errors to the total number of seeded errors is an estimate of the ratio of found real errors to total number errors. This gives a possibility of estimating the number of remaining errors and thereby the remaining test effort.. The detection of all the seeded errors may indicate either that the test case set is adequate, or that the seeded errors were too easy to find. The limitations of the method are that in order, to obtain any usable results, the error types as well as the seeding positions must reflect the statistical distribution of real errors.

Performance Modelling

The aim of the method is to ensure that the working capacity of the system is sufficient to meet the specified requirements. The requirements specification includes throughput and response requirements for specific functions, perhaps combined with constraints on the use of total system resources. The proposed system design is compared against the stated requirements by:

Defining a model of the system processes, and their interactions,
Identifying the use of resources by each process, for example, processor time, communications bandwidth, storage devices etc),
Identifying the distribution of demands placed upon the system under average and worst-case conditions,
Computing the mean and worst-case throughput and response times for the individual system functions.

For simple systems, an analytic solution may be possible whilst for more complex systems, some form of simulation is required to obtain accurate results. Before detailed modelling, a simpler ’resource budget’ check can be used which sums the resources

requirements of all the processes. If the requirements exceed designed system capacity, the design is infeasible. Even if the design passes this check, performance modelling may show that excessive delays and response times occur due to resource starvation. To avoid this situation engineers often design systems to use some fraction (e.g. 50 %) of the total resources so that the probability of resource starvation is reduced

Equivalence Classes and Input Partition Testing

The aim of this method is to test the software adequately using a minimum of test data. The test data is obtained by selecting the partitions of the input domain required to exercise the software. This testing strategy is based on the equivalence relation of the inputs, which determines a partition of the input domain.

Test cases are selected with the aim of covering all subsets of this partition. At least one test case is taken from each equivalence class. There are two basic possibilities for input partitioning which are:

Equivalence classes may be defined on the specification. The interpretation of the specification may be either input oriented, for example the values selected are treated in the same way or output oriented, for example the set of values leading to the same functional result; and
Equivalence classes may be defined on the internal structure of the program. In this case the equivalence class results are determined from static analysis of the program, for example the set of values leading to the same path being executed

Structure Based Testing

The aim of this method to apply tests which exercise certain subsets of the program structure. Based on an analysis of the program a set of input data is chosen such that a large fraction of selected program elements are exercised. The program elements exercised can vary depending upon the level of rigour required.

Statements: This is the least rigorous test since it is possible to execute all code statements without exercising both branches of a conditional statement.
Branches: Both sides of every branch should be checked. This may be impractical for some types of defensive code.
Compound Conditions: Every condition in a compound conditional branch (i.e. linked by AND/OR is exercised).
LCSAJ: A linear code sequence and jump is any linear sequence of code statements including conditional jumps terminated by a jump. Many potential sub-paths will be infeasible due to constraints on the input data imposed by the execution of earlier code.
Data Flow: The execution paths are selected on the basis of data usage for example a path where the same variable is both written and wrote.
Call Graph: A program is composed of subroutines which may be invoked from other subroutines. The call graph is the tree of subroutine invocations in the program. Tests are designed to cover all invocations in the tree.
Entire Path: Execute all possible path through the code. Complete testing is normally infeasible due to the very large number of potential paths.

The Computer Based Interlocking Architecture

2011-09-17T10:00:00.000-07:00

From the desk of
Sandeep Patalay

The ComputerBased Interlocking Architecture

The Solid state Interlocking systems for Railways shouldensure the following:

Fail safety
Availability
Reliability
Maintainability

Architecture and methodology

Generally following three types ofredundancy techniques are used for achieving fail-safety in the design ofsignaling systems:

Hardware Redundancy –In this case, more than one hardware modules of identical design with commonsoftware are used to carry out the safety functions and their outputs arecontinuously compared. The hardware units operate in tightly syncronised modewith comparison of outputs in every clock cycle. Due to the tightsyncronisation, it is not possible to use diverse hardware or software. In thismethod, although random failures are taken care of, it is difficult to ensuredetection of systematic failures due to use of identical hardware and software.

Software Redundancy –This approach uses a single hardware unit with diverse software. The twosoftware modules are developed independently and generally utilize inverteddata structures to take care of common mode failures. However, rigorous selfcheck procedures are required to be adopted to compensate for use of a singleHardware unit.

Hybrid Model - Thehardware units have been loosely syncronised where the units operate inalternate cycle and the outputs are compared after full operation of the twomodules. Therefore, it is no more required to use identical hardware andsoftware. Although the systems installed in the field utilize identicalhardware and software, the architecture permits use of diverse hardware andsoftware. Moreover, operation of the two units in alternate cycles permits useof common system bus and interface circuitry.

To ensure theabove said points hardware and software is designed accordingly. There arevarious techniques to meet the above said requirements as discussed below:

Table1:Existing Failsafe Methods employed in Design of Computer Based InterlockingSystems

Method Name	Method of Implementation	Type of Errors Detected	Practical Problems with the Method
Time Redundancy	The same software is executed on the same hardware during two different time intervals (Refer: Figure 5: Time Redundancy)	Errors Caused by transients. They are avoided by reading at two different time Intervals	Single hardware Fault leads to Shut down of the System. This method is not used since software faults are not completely found in validation. And the Self diagnostics employed for checking of hardware faults is not complete.
Hardware Redundancy	The same software is executed on two identical hardware channels (Refer: Figure 6: Hardware Redundancy)	Hardware faults are detected since outputs from both the channels are compared. And single hardware fault does not lead to shut down of the system	Software faults are not detected since the same software is running on two identical hardware channels. Software Faults at design stage are still not detected.
Diverse Hardware	Identical Software is Executed on Different hardware Versions (Refer: Figure 7: Hardware Diversity)	Hardware Design faults at the Initial stage are Detected	Software Faults at the design stage are still not detected
Diverse software	The different software versions are executed on the same hardware during two different time intervals (Refer: Figure 8: Software Diversity)	Software Faults at design stage are detected	Even though the software is diverse, they are executed on the single hardware channel; single hardware fault leads to Shut down of the system.
Diverse software on redundant hardware	The different software versions are executed on two identical hardware channels (Refer: Figure 9: Diverse software on redundant hardware)	Software Faults at design stage are detected and single hardware faults does not lead to system shut down	Hardware faults at the design stage are not detected.
Diverse software on diverse hardware	The different software versions are executed on two different hardware channels (Refer: Figure 10: Diverse software on Diverse Hardware)	Software Faults and Hardware Faults are detected at the design stage.	This methods is rarely used, Since design complexity involved is high

CENELEC Standard: Faults and Effects

2011-09-11T09:35:00.000-07:00

From theDesk of

SandeepPatalay

CENELEC Standard: Faults and Effects

Effects of single faults

It is necessary to ensure that thesystem/sub-system/equipment meets its THR in the event of single random fault.It is necessary to ensure that SIL 3 and SIL 4 systems remain safe in the eventof any kind of single random hardware fault which is recognized as possible.Faults whose effects have been demonstrated to be negligible may be ignored.This principle, which is known as fail-safety, can be achieved in several differentways:

1) Composite fail-safety

With this technique, each safety-related function isperformed by at least two items. Each of these items shall be independent fromall others, to avoid common-cause failures. Non-restrictive activities areallowed to progress only if the necessary number of items agree. A hazardousfault in one item shall be detected and negated in sufficient time to avoid aco-incident fault in a second item.

2) Reactive fail-safety

This technique allows a safety-related function to beperformed by a single item, provided its safe operation is assured by rapiddetection and negation of any hazardous fault (for example, by encoding, bymultiple computation and comparison, or by continual testing). Although onlyone item performs the actual safety-related function, thechecking/testing/detection function shall be regarded as a second item, whichshall be independent to avoid common-cause failures.

3) Inherent fail-safety

This technique allows a safety-related function to beperformed by a single item, provided all the credible failure modes of the itemare non-hazardous. Any failure mode which is claimed to be incredible (forexample, because of inherent physical properties) shall be justified using theprocedure defined in Annex C. Inherent fail-safety may also be used for certainfunctions within Composite and Reactive fail-safe systems, for example toensure independence between items, or to enforce shut-down if a hazardous faultis detected.

Whichever technique or combination of techniques is used,assurance that no single random hardware component failure mode is hazardousshall be demonstrated using appropriate structured analysis methods. Thecomponent failure modes to be considered in the analysis shall be identifiedusing the procedures defined in Annex C.

In systems containing more than one item whosesimultaneous malfunction could be hazardous, independence between items is amandatory precondition for safety concerning single faults. Appropriate rulesor guidelines shall be fulfilled to ensure this independence. The measurestaken shall be effective for the whole life-cycle of the system. In addition,the system/sub-system design shall be arranged to minimize potentiallyhazardous consequences of loss-of-independence caused by, for example, a

Systematic design fault, if it could exist.

Detection ofsingle faults

A first fault (single fault) which could be hazardous,either alone or if combined with a second fault, shall be detected and a safestate enforced (i.e.: negated) in a time sufficiently short to fulfill thespecified quantified safety target. Demonstration of this shall be achieved bya combination of Failure Modes and Effects Analysis (FMEA) and quantifiedassessment of Random Failure Integrity.

In the case of Composite fail-safety, this requirementmeans that a first fault shall be detected, and a safe state enforced, in atime sufficiently short to ensure that the risk of a second fault occurringduring the detection-plus-negation time is smaller than the specifiedprobabilistic target. In the case of Reactive fail-safety, this requirementmeans that the maximum total time taken for detection-plus-negation shall notexceed the specified limit for the duration of a transient, potentially hazardous,condition.

Effects of multiple faults

A multiple fault (for example, a double or triple fault)which could be hazardous, either directly or if combined with a further fault,shall be detected and a safe state enforced (i.e.: negated) in a time sufficientlyshort to fulfill the specified safety target. A suitable method, for exampleFault Tree Analysis (FTA), shall be used to demonstrate the effects of multiplefaults. The techniques used to achieve detection-plus-negation of multiplefaults within the permitted time shall be shown, including supportingcalculations.

ISSUES IN TPWS (ETCS-LEVEL 1) OPERATIONS ON SOUTHERN RAILWAY

2011-09-03T19:11:00.000-07:00

Back Ground: TPWS (Train Protection and Warning System), term used by Indian Railways, It applies to the ETCS Level 1 concepts and the UIC/UNISIG specifications. It does not, in Indian terms, apply to the UK implementation that is based on different technology.

The TPWS project on Southern Railway installed in the Chennai Central/ Chennai Beach – Gummidipundi section of Chennai division was commissioned on 2nd May 2008 on 4 EMU rakes to begin with. The works on the balance 37 rakes were progressively completed in the next few months. Presently all the 41 rakes proposed to be provided with TPWS on-board equipments are functional. The TPWS track side equipments in the section were fully provided, commissioned and made functional right from the date of commissioning.

Problems: This TPWS project based on the European Train Control System (ETCS) Level-I system faced many hurdles during the initial installation, proto-type testing, obtaining the required clearances from RDSO and CRS. The major problems noticed during initial revenue service included

1. On-Board system not booting.

2. On-Board system going into System failure (SF) during booting.

3. SDMI ( Simplified Driver Machine Interface) going blank.

4. Speed display bouncing on the SDMI leading to braking.

5. Brake application in the rear non-driving motor coach on run.

Corrective Actions Taken by Railways:

1. Intermittent BTM failure: - Analysis revealed that there was antenna impedance mismatch. The standing wave ratio (SWR) was found more than the tolerance limit of 1.2 to 1.4. Interference from EMI was also suspected. There was problem in communication between the onboard computer (OBC) and BTM. The corrective actions for these problems included modifying the existing antenna protection cover and providing copper braided shields for the Tx-Rx cable between antenna and BTM and for the COTDL and PROFIBUS cable between OBC and BTM. The BTM configuration files were also modified

based on some internal parameters.

2. Error in Train Interface Unit: - Analysis revealed that there was problem in communication between some modules of the OBC and now screened twisted pair cables have been introduced to protect the signals from external noise and EMI.

3. Error in Speed Sensor: - To improve the performance of the Odometric system, the signal cables between OBC and speed sensors have been provided with copper braided shield firmly connected to the coach body. To suppress the noise in the 110V DC voltage derived from the motor coach battery, a filter has been provided at the input point of the OBC. The traction control relay has been shifted outside the OBC cubicle to reduce EMI. To improve earthing of the motor coach body, a 50 sq mm copper cable is to be connected between the EMU body and its bogie.

4. Back EMF from the EB & EP relay coils: - To cover come this problem, the relay coils and EB valve solenoid coils to be terminated with 180/200V MOVRs and the body of EB & SB relays to be firmly connected to the coach body.

5. EB application in rear coach:- To overcome the problem of application of EB in the rear coach while running, the brake interface circuit has been modified to bypass the EB when the TPWS system in the sleeping mode (SM) i.e., when the cab is not the driving one.

6. SDMI Blanking:- To overcome the problem of SDMI blanking, its software has been upgraded. Apart from this, the OBC-SDMI communication cable connector cover which was earlier plastic has been changed to metallic. The OBC-SDMI communication cable and the SDMI power supply cable have been shielded with copper braids firmly connected to the coach body. A filter has been provided at the 110 VDC input point of the SDMI to suppress the ripples in the power supply.

(Source: IRSTE)

India advances high-speed studies

2011-09-01T19:24:00.000-07:00

Indian Railway Construction Company (Ircon) has appointed Mott MacDonald to carry out a pre-feasibility study on a 993km high-speed line from Delhi to Agra, Lucknow, Varanasi, and Patna.

Mott MacDonald will identify key issues for the development of the project including environmental impacts and assessment of viable technologies. It will also analyse operational and business requirements, including ridership, capital cost, cost-benefit analysis, and development of a planning and implementation schedule.

The project is part of the Indian Government's Vision 2020 long-term national development plan, which envisages four high-speed projects in separate areas of the country, all implemented as public-private partnerships.

A pre-feasibility study on the Ahmedabad - Mumbai - Pune route was recently presented to the Railways Board, and puts the cost of this 634km line at Rs 560bn ($US 12.7bn). Western Railway says trains will operate at up to 350km/h to provide an Ahmedabad - Mumbai journey time of around two hours, compared with 7h 5min by Shatabdi train at present.

Originally these proposals covered only the 555km Mumbai - Ahmedabad section, although the Maharashtra government has lobbied for Pune to be included.

Instresting Old Videos about Computer Based Interlocking

2011-08-30T19:05:00.000-07:00

Part1

Part2

CENELEC Safety Integrity Requirements

2011-08-21T14:02:00.000-07:00

FailSafe and Fault Tolerant Railway Systems

2011-08-06T14:49:00.001-07:00

(Click here to view this article in Fullscreen)

Vision and Potential for Future Signalling Stratergies

2011-08-06T12:48:00.000-07:00

(Click here to view this article in Fullscreen)

The Current Status of Signal Control Systems and Research and Development

2011-08-06T12:39:00.000-07:00

(Click here to view this article in Fullscreen)

Tool Support for Checking Railway Interlocking Designs

2011-08-06T12:37:00.000-07:00

(Click here to view this article in Fullscreen)

Software Safety:Where is the Evidence?

2011-08-06T12:07:00.000-07:00

(Click here to view this article in Fullscreen)

High Speed Rail in 2010-2 (Courtesy: UIC)

2011-07-30T20:14:00.000-07:00

High Speed Rail in 2010 (Courtesy: UIC)

2011-05-08T15:22:00.000-07:00

Courtesy: UIC

Predictive maintenance of Railway Point/Switch Machines

2011-05-07T11:52:00.000-07:00

Heavy Haul Braking using Electronically-Controlled Pneumatic (ECP) brakes

2010-11-25T13:34:00.001-08:00

GLOBAL demand for Australian coal and iron-ore is driving an expansion of heavy-haul railroading. Some of the heaviest trains in the world operate in extremely challenging conditions with consists of up to 240 wagons hauling iron-ore, magnetite and coal from the interior to ports on the coast. Australia's largest mining companies are equipping their new fleets with electronically-controlled pneumatic (ECP) brakes for increased safety and efficiency. The same is happening in Brazil and South Africa.

ECP braking requires a wire trainline to transmit electronic brake signals along the consist to apply brakes, rather than using air pressure changes in the brake pipe. Wagons receive the signal and brake simultaneously, rather than sequentially over a period of up to 2 minutes, as can be the case with pneumatically-controlled brakes. The result is more precise braking and train handling, reduced in-train forces, and shorter, faster stopping. Moreover, since the brake reservoirs are charged continually, the train can recover and get back to line speed very rapidly after a stop. Five heavy-haul railways - Fortescue Mining Group (FMG), BHP Billiton, Rio Tinto, Pacific National and Queensland Rail have adopted or are currently running ECP brakes in Australia.

The benefits of ECP brakes include reduced stopping time, shorter stopping distance, reduced wear on equipment, and quicker re-start after stopping. Results from real-world testing on both moderate and steep gradients, presented by Mr Jim Forrester of Norfolk Southern at the 2010 National Coal Transportation Operations and Maintenance Conference, showed significant improvements in all of these areas.

On moderate gradients, ECP-equipped trains ran at 10% higher speeds than non-ECP trains. Nonetheless, stopping distances were 404.8m on average, 36% less than a train equipped with conventional brakes. Stopping time was similarly shorter: 49 seconds versus 71 seconds. The trains resumed normal speed in 25% less time - a depleted tramline requires handbrakes to be set throughout the train while re-charging, and then released before the train is ready for movement.

Results were even better on steep gradients. From the same initial speed, the train stopped in 297.5m, 53% shorter than a conventional train. Stopping time was 46 seconds, versus 88 seconds for the conventionally-braked train. The ECP train resumed normal operating speeds much faster, in 2min 25s versus 1h 23min 33s for the conventional train, because the conventional train had to set its parking brakes while on a gradient.

A key benefit of the networking of the train is simplified diagnostics. The brakes on each wagon now report electronically to the locomotive, enabling in-cab reporting and troubleshooting rather than on-foot, wagon-by-wagon testing. NYAB has developed a Tramline Integrity Locomotive Test (Tilt) device which accesses the Tramline Communications Controller (TCC) diagnostics to make it easier to test trainline functions.

All of these elements are coming into play in Australia as more and more ECP-equipped trains come on line moving ore and coal from the mines to the ports, and out into the world market. South African and Brazilian railways are also taking part in the move to ECP braking. The early results reward the efforts to pioneer electronic braking to bring more and better information to the driver and more efficiency to the heavy-haul railway industry worldwide.

Rail Track Maintainance Prediction

2010-11-25T13:19:00.001-08:00

In general, rail life is analysed segment-by-segment with each based on the optimum length required for effective analysis and specific track and traffic conditions. The segments are assumed to be homogeneous in that the rail life and certain key parameters will be the same for the entire segment. The rail fatigue life forecasting algorithm uses Weibull analysis techniques to predict defect growth rates and future defect levels. Studies have shown that rail develops fatigue defects as a function of the cumulative traffic that passes over it, in addition to factors such as axleload, wheel-rail contact, and rail metallurgy and cleanliness. The rate of defect formation and accumulation with traffic has been shown to follow a Weibull distribution, which is in the form of a logarithmic relationship. Thus, as the rail ages, the expected rate of defect occurrence increases significantly, corresponding to the logarithmic nature of the Weibull equation. Since complete fatigue and tonnage data is not always available, effective models, such as RailLife, employ a hierarchy of analysis approaches, which are directly related to the actual amount of available data. The output of the algorithms is an annual forecast of defect rate (defects/km/year) and cumulative defects for each segment, together with the forecast life of the rail. Rail life forecasts are based on user defined rail replacement criteria which are usually characterised by the number of defects, particularly fatigue related defects, which occur within a defined period of time, usually a year. This is the point at which it is most appropriate to replace the rail.

Rail grinding management software is used to manage the removal or control of rail surface defects and to maintain the rail profile, which in turn affects both rail fatigue and wear rates. Research has shown that rail grinding is extremely effective in reducing the rate of fatigue defect development and extending the rail life. Control of the wheel-rail interface through grinding has also been shown to be effective at reducing the rate of rail wear. Software tools are used to manage, plan, and monitor rail grinding and management of the rail profile. This includes comparison of actual and desired rail profile or template (Figure 3) and the development of a curve-by-curve grinding plan, which defines the number of grinding passes, pattern, and grinding speed.

Rating system for Safety Critical Systems based on various attributes such as Reliability, Availability, Maintainability, Etc...

2010-09-30T19:52:00.001-07:00

We all know that Safety Critical systems are Categorized based on the Tolerable Hazard Rates (THR), which assigns them a safety integrity level (SIL). I think the next level of rating of these systems shall be based on the other attributes besides safety, since many products meet the SIL level but have different architectures and RAM data, this kind of rating will provide the vendors the comfort in choosing the right product for the environment they intend to deploy these systems. The main attributes that form as input to the rating criteria shall be:

1. System Architecture
2. Reliability
3. Availability
4. Maintainability
5. Historical Safety Record
6. System Complexity
7. Ease of Usage
8. Expandability of the system
9. Fault Tolerance
10. Cost
11. Cost of Maintenance Etc...

Railway Signalling using Wireless Sensor Networks

2010-07-10T18:56:00.001-07:00

Railway Signalling is safety critical domain, where still traditional technology is in use. There are many reasons for using traditional technology; one of the main reasons being the proven Safety performance of the older systems (Relay Based). As the rail traffic is increasing and with higher speed of trains there is an acute need for modernization of Railway Signalling Technology. Even with the advent of Microprocessor based technology, the problems have not been solved. The current railway signalling technology involves huge amount of physical wiring used to receive inputs and drive outputs to the field functions, which is very difficult to maintain and up-gradation of this infrastructure is every signal engineer's nightmare. This paper proposes the use of Wireless sensor networks in Railway Signalling domain which combines the Ground base signalling and the On–Board Signalling using customized routing algorithm, which is suitable for high Speed Railway Traffic which reduces the physical wiring to the bare minimum by applying distributed architecture to the field functions which are connected by Wireless Network.

The most important part of the railways is to carry out operations like safe movement of trains, this is achieved by Signalling. The Railway signalling is governed by a concept called Interlocking. Many interlocking system still in use follow either relay based technology or the Microprocessor based technology called Electronic Interlocking System (EIS). Relay based systems are very huge in size and have cumbersome wiring to perform operations. The advent of Electronic Interlocking systems reduced the relays and wiring to some extent, but still uses traditional copper cabling to be connected to the field functions such as signals, Track Detection equipment, points (Switches). In modern signalling systems, the signal and switch status needs to be sent to the On-Board Computers in the locomotives, this involves traditional radios connected to the wayside field functions that communicate this information to the OBC. This involves laying out track loops or balises that send this information to the OBC, these loops are venerable to climatic conditions such as ballast resistance, water flooding during rains, etc. Due to the failsafe nature of these systems the cabling has to be redundant, this results in large maze of complex wiring that is very difficult to maintain and upgrade. There is need to upgrade the existing Railway Signalling Infrastructure and addition of new technologies like failsafe wireless communications which shall combine both the ground based signalling (Interlocking Systems) and the Locomotives (On Board Computers of the train) which directly leads to simple distributed architecture which are highly maintainable and easy to upgrade in future.

Safety Integrity Levels

2010-07-03T20:23:00.000-07:00

Real Time Data Processing Techniques

2010-05-20T18:17:00.001-07:00

Various Signal Processing Techniques are available for analysis of real time data relative to reference data:

Data Cluster method – This involves recording the characteristics of a parameter of a subsystem under different simulated conditions and then using this as a reference to validate the real time data. This method is different from template matching, since it not entirely based on matching the plotted characteristics.

Template matching – Entails comparing complete data sets with pre-recorded examples of data resulting from known fault conditions. The method can be used effectively in some circumstances, provided a representation of the data that produces good discrimination between pattern classes can be made. However, this requires a substantial amount of experimentation with different transformations of the data sets to find such distinctions, and would be a computationally intensive process.

Statistical and decision theoretic methods – Matches are made based on statistical features of the signal. For example, the mean and peak-to-peak value are evaluated for each vector, and plotted in feature space, whereby different patterns are distinguishable because they form clusters for each class that are located apart from the fully functioning case.

Structural or syntactic methods – Involves deconstructing a pattern or vector into structural components, to enable comparisons to be made on more simple, sub-segments of data rather than a complete vector. Mathematically, these methods are similar to fractal-based compression routines.

Principles of Train working and need for Signalling

2010-05-19T20:19:00.000-07:00

All over the world Railway transportation is increasingly used, as this mode of transport is more energy efficient and environmentally friendly than road transportation. Trains move on steel rail tracks and wheels of the railway vehicle are also flanged Steel wheels. Hence least friction occurs at the point of contact between the track & wheels. Therefore trains carry more loads resulting in higher traffic capacity since trains move on specific tracks called rails, their path is to be fully guided and there is no arrangement of steering. Clear of obstruction as available with road transportation, so there is a need to provide control on the movement of trains in the form of Railway signals which indicate to the drivers to stop or move and also the speed at which they can pass a signal. Since the load carried by the trains and the speed which the trains can attain are high, they need more braking distance before coming to the stop from full speed. Without signal to be available on the route to constantly guide the driver accidents will take place due to collisions.

There are basically two purposes achieved by railway signalling.

1. To safety receive and dispatch trains at a station.

2. To control the movements of trains from one station to another after ensuring that the track on which this train will move to reach the next station is free from movement of another train either in the same or opposite direction. This Control is called block working. Preventing the movement from opposite direction is necessary in single line track as movements in both directions will be on the same track.

Apart from meeting the basic requirement of necessary safety in train operation, modern railway signalling plays an important role in determining the capacity of a section .The capacity decides the number of trains that can run on a single day. By proper signalling the capacity can be increased to a considerable extent without resorting to costlier alternatives.

THE COMPUTER BASED INTERLOCKING SYSTEM ARCHITECTURE

2010-04-18T11:05:00.001-07:00

Generally following two types of redundancy techniques are used for achieving fail-safety

in the design of signaling systems:

Hardware Redundancy – In this case, more than one hardware modules of identical design with common software are used to carry out the safety functions and their outputs are continuously compared. The hardware units operate in tightly syncronised mode with comparison of outputs in every clock cycle. Due to the tight syncronisation, it is not possible to use diverse hardware or software. In this method, although random failures are taken care of, it is difficult to ensure detection of systematic failures due to use of identical hardware and software.

Software Redundancy – This approach uses a single hardware unit with diverse software. The two software modules are developed independently and generally utilize inverted data structures to take care of common mode failures. However, rigorous self check procedures are required to be adopted to compensate for use of a single Hardware unit.

Hybrid Model - The hardware units have been loosely synchronized where the units operate in alternate cycle and the outputs are compared after full operation of the two modules. Therefore, it is no more required to use identical hardware and software. Although the systems installed in the field utilize identical hardware and software, the architecture permits use of diverse hardware and software. Moreover, operation of the two units in alternate cycles permits use of common system bus and interface circuitry.

There are two methods of programming the SSI for a particular station, namely – Geographical Programming & Free-wire Programming. Most of the SSI systems adopt geographical programming where Control Table of the station is fed to the SSI system. This gives great relief to the user as he is not required to make the circuit diagram, data for any station can be programmed very easily. However, this method does not provide flexibility in terms of change of interlocking practice or interlocking rules. Adoption of change in interlocking practice of a particular railway requires changes to be made in the executive software and entails revalidation of the software. On the other hand, Free-wire programming, which requires circuit diagram to be prepared for each station and programmed into the EPROM as Boolean expressions, provides total flexibility as any given circuit can be programmed without touching the executive software. The price, however, is to be paid in terms of preparation of circuit diagram for each station.

Need of Electronic Interlocking System (EIS) for Indian Railways

2009-07-19T14:41:00.001-07:00

Indian Railway is in acute need of Electronic Interlocking System for many reasons. The design and the verification process of these signalling systems needs to be inline with the (European Standards) CENELEC standards, which over the time have proven their usefulness in dealing with vital equipment. Apart from all these, the Indian railway has its own needs, which are quite different from other countries. There has to be indigenous solution to these problems. The below points try to describe the attributes of an indigenous developed EIS

To improve the safety standards and increase the revenue by increased line speeds.
To invest less in maintenance of signalling infrastructure and thereby increase the profits.
To decrease the installation and commissioning time compared to RRI.
To give the flexibility in changing the software, whenever there is change in the yard layout.
To give flexibility of centralized control from operations control centre , instead of localized control panels
To decrease the burden on operators and maintenance staff by giving warnings about the signalling equipment due for replacement.
To give more flexibility for the maintainer to sit at his desk and monitor the yard.
To eventually move from localized operations to Computer aided dispatch systems (CAD)
To support a supervisory control centre, to look at movement of trains.
To support coded track circuits in future for ATP operations in locomotive.
To eliminate the use of separate data and event loggers.
To support the interface to web browsers to supervisory activities.
To eventually support CAB signalling to communicate with trains.
To support delivery of automated messages to control centers in case of device malfunctions.

What is ERTMS - Introduction

2009-05-16T16:41:00.000-07:00

The European Railway Traffic Management System (ERTMS) is a major industrial project developed by six UNIFE members – Alstom Transport, Ansaldo STS, Bombardier Transportation, Invensys Rail Group, Siemens Mobility and Thales – in close cooperation with the European Union, railway stakeholders and the GSM-R industry.

ERTMS has two basic components:

ETCS, the European Train Control System, is an automatic train protection system (ATP) to replace the existing national ATP-systems;
GSM-R, a radio system for providing voicGSM-R, a radio system for providing voice and data communication between the track and the train, based on standard GSM using frequencies specifically reserved for rail application with certain specific and advanced functions.

ERTMS aims at replacing the different national train control and command systems in Europe. The deployment of ERTMS will enable the creation of a seamless European railway system and increase European railway's competitiveness.

Why does Europe need ERTMS?

Currently there are more than 20 train control systems across the European Union. Each train used by a national rail company has to be equipped with at least one system but sometimes more, just to be able to run safely within that one country.

Each system is stand-alone and non-interoperable, and therefore requires extensive integration, engineering effort, raising total delivery costs for cross-border traffic. This restricts competition and hampers the competitiveness of the European rail sector vis-à-vis road transport by creating technical barriers to international journeys. For instance, the Thalys train sets running between Paris-Brussels-Cologne and Amsterdam have to be equipped with 7 different types of train control systems, which brings considerable costs.

A unique train control system for Europe and beyond

As a unique European train control system, ERTMS is designed to gradually replace the existing incompatible systems throughout Europe. This will bring considerable benefits to the railway sector as it will boost international freight and passenger transport.

In addition, ERTMS is arguably the most performant train control system in the world and brings significant advantages in terms of maintenance costs savings, safety, reliability, punctuality and traffic capacity. This explains why ERTMS is increasingly successful outside Europe, and is becoming the train control system of choice for countries such as China, India, Taiwan, South Korea and Saudi Arabia.

By making the rail sector more competitive, ERTMS helps to level the playing field with road transport and ultimately provides significant environmental gains.

Bombardier Unveils First Contactless Tram

2009-01-28T12:18:00.001-08:00

In a bid to improve energy use and create a more aesthetically pleasing railway, Bombardier has introduced its first completely contactless and catenary-free operating tram. The new train, which uses a contactless power supply and no overhead power lines, incorporates Bombardier's PRIMOVE inductive power transfer technology as well as the integrated MITRAC Energy Saver, which provides cost reductions by recharging energy. Director of advanced technology development at Bombardier, Dr Carsten Struve, said that unique technology used in the tram would provide energy savings and eradicate ugly overhead power lines. "The catenary-free operation offers an entirely new prospect, particularly for trams operating in historic city centres where impressive cityscapes can now exist unencumbered by visual pollution from overhead lines," Struve said. "Combined with the new Bombardier MITRAC Energy Saver technology, the PRIMOVE system can also save additional energy." The PRIMOVE technology system uses principles found in transformer technology with electric power components hidden under the vehicle and beneath the tracks to produce energy for the tram's operation. This makes the system easier to install, eliminates the effect of weather conditions, reduces wear on component parts, and allows the tram to operate with lower noise levels and fewer emissions. The vehicle is equipped with pick-up coils underneath the vehicle, which are connected to the tram's traction system through a cable. The vehicle is only energised when the connected ground segments are fully covered by the vehicle, ensuring safe operation in areas such as pedestrian zones. The MITRAC energy saver uses a pair of innovative capacitors, which store the energy released each time the vehicle brakes and reuse it during acceleration or operation. The system, which attaches to the tram's roof, been proven to save up to 30% of energy, reducing emissions as well as costs. The PRIMOVE technology system is part of the BOMBARDIER ECO4 portfolio of technologies launched by the company last year.

Challenges in using Wireless Sensor Networks in Railway Signalling

2009-01-24T11:39:00.000-08:00

The use of Wireless Sensor Networks in a safety critical Domain like Railways signalling poses challenges in implementation and Operation. Some of the issues and challenges are discussed in this chapter.

Sensor network communications must prevent disclosure and undetected modification of exchanged messages. Due to the fact that individual sensor nodes are anonymous and that communication among sensors is via wireless links, sensor networks are highly vulnerable to security attacks.

The gateway nodes are prone to failures just like any sensor node, and they consume significantly more energy since they transmit over longer distances compared with sensor-to-sensor links. Failure of a Gateway node results to catastrophic results because, there not information regarding the yard status to the base station

Sensor nodes have limited computing power and memory sizes. This restricts the amount of intermediate result a node can hold, also the type of data processing algorithm on a Sensor node.

Signals detected at physical sensors might have errors. Malfunction sensors might repeatedly generate false signals, also there could be bias caused by the placement of the sensor.

Sensor Nodes, Driver Node and Gate Way node have to work in High EMI Environment. Since sensor networks can be deployed in different situations, wireless medium can be greatly affected by noisy environments, and thus the signal attenuates in regard to the noise. Note that an adversary can intentionally interfere and cause enough noise to affect the communication. It is vital to ensure that communication is on time to respond to emergencies.

Wireless sensor networks at times may add delay in sending data to the base station due to the routing algorithms, etc, but Railway Signalling is very time critical job, any delay in receiving the data leads to Catastrophic results.

If a sensor node fails due to a technical problem or consumption of its battery, the rest of the network must continue its operation without a problem. Researchers must design adaptable protocols so that new links are established in case of node failure or link congestion. Furthermore, appropriate mechanisms should be designed to update topology information immediately after the environment changes so as to minimize unnecessary power consumption.

The network should be scalable and flexible to the enlargement of the network's size. The communication protocols must be designed in such a way that deploying more nodes in the network does not affect routing and clustering. Rather, the protocols must be adapted to the new topology and behave as expected. In other words, the network must preserve its stability. Furthermore, introducing more nodes into the network means that additional communication messages will be exchanged, so that these nodes are integrated into the existing network. This must be done in a way that a minimum number of messages need to be exchanged among the sensor nodes, and thus battery is not wasted unreasonably.

As in Wireless Sensor Networks Both Ground based signalling (Way Side Signalling) and On-Board Signalling (Cab Signalling) get merged, so there is the complexity of linking the ground based control laws to the inputs received from the On-Board Sensors in the train

Design and development of failsafe, fault tolerant and energy saving network routing algorithms is a complex design

State Machine Basics

2009-01-11T15:20:00.000-08:00

Automatic Train Protection (ATP)

2008-11-22T19:32:00.001-08:00

Signalling used on high density metro (or subway) routes is based on the same principles as main line signalling. The line is divided into blocks and each block is protected by a signal but, for metros, the blocks are shorter so that the number of trains using the line can be increased. Originally, metro signalling was based on the simple 2-aspect (red/green) system as shown above (click for full size view). Speeds are not high so three-aspect signals were not necessary and yellow signals were only put in as repeaters where sighting was restricted.

Many metro routes are in tunnels and it has long been the practice of some operators to provide a form of enforcement of signal observation by installing additional equipment. This became known as automatic train protection (ATP). It can be either mechanical or electronic.

The London Underground, for example, uses both types on its lines, depending on the age of the installation. The older, mechanical version is the train stop, the electronic version depends on the manufacturer. The trainstop consists of a steel arm mounted alongside the track and which is linked to the signal. If the signal shows a green or proceed aspect, the trainstop is lowered and the train can pass freely. If the signal is red the trainstop is raised and, if the train attempts to pass it, the arm strikes a "tripcock" on the train, applying the brakes and preventing motoring.

Electronic ATP involves track to train transmission of signal aspects and (sometimes) their associated speed limits. On-board equipment will check the train's actual speed against the allowed speed and will slow or stop the train if any section is entered at more than the allowed speed.

The Overlap

If a line is equipped with a simple ATP which automatically stops a train if it passes a red signal, it will not prevent a collision with a train in front if this train is standing immediately beyond the signal. There must be room for the train to brake to a stop. This is known as a "safe braking distance" and space is provided beyond each signal to accommodate it. In reality, the signal is placed in rear of the entrance to the block and the distance between it and the block is called the "overlap". Signal overlaps are calculated to allow for the safe braking distance of the trains using this route. Of course, lengths vary according to the site; gradient, maximum train speed and train brake capacity are all used in the calculation.

This diagram (left, click to enlarge) shows the arrangement of signals on a metro where signals are equipped with trainstops (mechanical ATP) and each signal has an overlap whose length is calculated on the safe braking distance for that location. Signals are placed a safe braking distance in advance of the entrances to blocks. Signal A2 shows the condition of Block A2, which is occupied by Train 1. If Train 2 was to overrun Signal A2, the raised trainstop (shown here as a "T" at the base of the signal) would trip its emergency brake and bring it to a stand within the overlap of Signal A2.

Overlaps are often provided on main line railways too. In the UK, it is the practice to provide a 200 yard (185 m) overlap beyond each main line signal in a colour light installation. In the US, the overlap is considered so important that a whole block is provided as the overlap. We will see more about this in Automatic Train Protection below.

Track-Circuited Overlaps

Nothing in life is as simple as it seems and so it is with overlaps. A line which uses overlaps and has close headways could have a situation as shown here (click for full size view) where the train in the overlap of Signal A1 has a green signal showing behind it. Although it is protected by Signal A2 showing red, the driver of Train 2 may see the green signal A1 behind Train 1 and could "read through" or be confused under the "stop and proceed" rule.

So, where there is a possibility of a green signal being visible behind a train, overlaps are track circuited as shown left. Although there is no train occupying the block protected by Signal A1, the signal is showing a red aspect because the train is occupying the overlap track circuit. This will give rise to two red signals showing behind a train whilst the train is in the overlap.

Automatic Train Protection

To adapt metro signalling to modern, electronic ATP, the overlaps are incorporated into the block system. This is done by counting the block behind an occupied block as the overlap. Thus, in a full, fixed block ATP system, there will be two red signals and an unoccupied, or overlap block between trains to provide the full safe braking distance, as shown here (click for full size view). As an aside, remember that, although I have shown signals here, many ATP equipped systems do not have visible lineside signals because the signal indications are transmitted directly to the driver's cab console (cab signalling).

On a line equipped with ATP as shown above, each block carries an electronic speed code on top of its track circuit. If the train tries to enter a zero speed block or an occupied block, or if it enters a section at a speed higher than that authorised by the code, the on-board electronics will cause an emergency brake application. This is the system used by London Underground for the Victoria Line from 1968 - the first fully automatic, passenger carrying railway ( more information here). It was a simple system with only three speed codes - normal, caution and stop. Many systems built since are based on it but improvements have been added.

ATP Speed Codes

A train on a line with a modern version of ATP needs two pieces of information about the state of the line ahead - what speed can it do in this block and what speed must it be doing by the time it enters the next block. This speed data is picked up by antennae on the train. The data is coded by the electronic equipment controlling the track circuitry and transmitted from the rails. The code data consists of two parts, the authorised speed code for this block and the target speed code for the next block. The diagram below shows how this works.

In this example (left), a train in Block A5 approaching Signal A4 will receive a 40 over 40 code (40/40) to indicate a permitted speed of 40 km/h in this block and a target speed of 40 km/h for the next. This is the normal speed data. However, when it enters Block A4, the code will change to 40/25 because the target speed must be 25 km/h when the train enters the next Block A3. When the train enters Block A3, the code changes again to 25/0 because the next block (A2) is the overlap block and is forbidden territory, so the speed must be zero by the time train reaches the end of Block A3. If the train attempts to enter Block A2, the on-board equipment will detect the zero speed code (0/0) and will cause an emergency brake application. As mentioned above, Block A2 is acting as the overlap or safe braking distance behind the train occupying Block A1.

Operating with ATP

Trains operating over a line equipped with ATP can be manually or automatically driven. To allow manual driving, the ATP codes are displayed to the driver on a panel in his cab. In our example below, he would begin braking somewhere around the brake initiation point because he would see the 40/25 code on his display and would know, from his knowledge of the line, where he will have to stop. If signals are not provided, the signal positions will normally be indicated by trackside block marker boards to show drivers the entrances to blocks.

If the train is installed with automatic driving (ATO - Automatic Train Operation), brake initiation for the reduced target speed can be by either a track mounted electronic "patch" or "beacon" placed at the brake initiation point or, more simply, by the change in the coded track circuit. Both systems are used by different manufacturers but, in both, the train passes through a series of "speed steps" to the signalled stop.

When the first train clears Block A1, the codes in Blocks A2, A3 and A4 will change to the next speed up and any train passing through them will receive immediately a new permitted speed and a new target speed for the next block. This allows an instant response to changing conditions and helps to keep trains moving.

Distance-to-Go

The next stage of ATP development was an attempt to eliminate the space lost by the empty overlap block behind each train. If this could be eliminated, line capacity could be increased by up to 20%, depending on block lengths and line speed. In this diagram, the train in Block A1 causes a series of speed reduction steps behind it so that, if a following train enters Block A6, it will get a reduced target speed. As it continues towards the zero speed block A2, it gets a further target speed reduction at each new block until it stops at the end of Block A3. It will stop before entering Block A2, the overlap block. The braking curve is shown here in brown as the "standard" braking curve.

To remove the overlap section, it is simply a question of moving the braking curve forward by one block. The train will now be able to proceed a block closer (A5 instead of A6) to the occupied block, before it gets a target speed reduction. However, to get this close to the occupied block requires accurate and constant checking of the braking by the train, so an on-board computer calculates the braking curve required, based on the distance to go to the stopping point and using a line map contained in the computer's memory. The new curve is shown in blue in the diagram. A safety margin of 25 metres or so is allowed for error so that the train will always stop before it reaches the critical boundary between Blocks A2 and A1. Note that the braking curve should reduce (or "flare out") at the final stopping point in order to give the passengers a comfortable stop.

Speed Monitoring

Both the older, speed step method of electronic ATP and "distance-to-go" require the train speed to be monitored. In Fig 8 above, we can see the standard braking curve of the speed step system always remains inside the profile of the speed steps. The train's ATP equipment only monitors the train's speed against the permitted speed limit within that block. If the train goes above that speed, an emergency brake application will be invoked. The standard braking curve made by the train is not monitored.

For the distance-to-go system, the development of modern electronics has allowed the brake curve to be monitored continuously so that the speed steps become unnecessary. When it enters the first block with a speed restriction in the code, the train is also told how far ahead the stopping point is. The on-board computer knows where the train is now, using the line "map" embedded in its memory, and it calculates the required braking curve accordingly. As the train brakes, the computer checks the progress down the curve to check the train never goes outside it. To ensure that the wheel revolutions used to count the train's progression along the line have not drifted due to wear, skidding or sliding, the on-board map of the line is updated regularly during the trip by fixed, track-mounted beacons laid between the rails.

Operation with Distance-to-Go

Distance-to-go ATP has a number of advantages over the speed step system. As we have seen, it can increase line capacity but also it can reduce the number of track circuits required, since you don't need frequent changes of steps to keep adjusting the braking distance. The blocks are now just the spaces to be occupied by trains and are not used as overlaps as well. Distance-to-go can be used for manual driving or automatic operation.

Systems vary but often, several curves are provided for the train braking profile. This example shows three: One is the normal curve within which the train should brake, the second is a warning curve, which provides a warning to the driver (an audio-visual alarm or a service brake application depending on the system) and the third is the emergency curve which will force an emergency brake if the driver does not reduce speed to within the normal curve.

Why doesn't everyone use distance-to-go? Partly because the systems used by many operators were installed before distance-to-go became available. Also, some operators require the safety margin, particularly in the US where they insist on an extra margin, known as the "lurch" factor, to allow for a train which decides to "motor" instead of "brake", as once happened in San Francisco.

Computer Based Interlocking Systems

2008-01-18T04:02:00.000-08:00

Challenges faced by Computer based Interlocking Systems

The wiring from the field object such as Signals, Points and tracks to the SSI Rack is still done using Copper cables which amounts to huge costs
The hardware reliability and availability factor is low compared to the system availability given by RRI
The fail safe mechanisms employed in processor based equipment is not standard and often get untested during V&V activities
Lack of formal methods in developing the control algorithms (Interlocking Logic)
Lack of domain Knowledge in Signalling and Traditional Route Relay Interlocking Systems, This creates a technological gap between the software programmers and the Domain consultants. This leads to Errors in software, which might lead to unsafe failures of the system
Extending the working scope of the Interlocking systems for monitoring and other non-Interlocking functions, which leads to degraded performance of the system
Employing Non-Formal Interlocking principles instead of traditional RRI Principles leads to software complexity. For Ex: The Geographical method needs every system that is installed for new Yard needs validation, which is not practicable.
Since the software and hardware is so complex, complete test of the system is not possible and most of the faults are revealed at the field Installation stage or during normal working of the system in field.
The software is to be changed for every yard, the software structure should be in a generic form, but we seldom see a generic form and at this stage errors creep in.
The lack of standardization in the railway working principles and the core Interlocking principles, the software developers are forced to do changes in the software for every yard in Different railway zones.
Increase in the complexity of the software leads to difficulty in testing, since most of the Interlocking systems are sequential machines they are error prone and are very difficult to test.

With Increasing speed of trains, there needs to be a direct communication with the on board computer of the train (Engine), so that there is less human involvement and thus less human errors. But Interlocking systems are mostly not capable of sending commands to the on board computer of the train (Engine).

Any queries mail me at sandeep.patalay@cmcltd.com

DISCLAIMER "The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you"

Relay Interlocking

2008-01-03T03:15:00.000-08:00

Historical Overview of V&V of Relay Interlockings:

In the past relay interlockings were designed, installed and tested not only under the responsibility of a railway company but were actually carried out by the staff of this railway company. The people involved were educated and trained within the company, often by a training institute which also belonged to this same company. There was on the job training with a strong ‘father to son’ relationship and it took many years before an engineer was given the final responsibility of testing an installation. Common practice was that people required at least 7 to 10 years experience before they were allowed to take this responsibility. There was no official certification of engineers; it was well known who had the capability and experience to be responsible for such a job.

The design of a relay interlocking was carried out by a group of engineers and under the responsibility of an independent senior engineer a complete verification of the design took place. For these activities a set of design rules was available, which hardly changed for decades. After the approval of this design the installation was built on site, after which all wires and components were checked. After the completion of the installation, a test was carried out where not only the behaviour of the installation itself was tested, but also the correspondence with the outside elements (signals, point machines, track circuits, ATP-code, level crossings, bridges etc.) was checked.

This testing was the validation of the design; it was proven that the behaviour of the installations was in accordance to the (often implicitly) defined requirements for that location. The basis of these tests were not standardised; it was the experience and the knowledge of the senior tester in charge that assured the completeness and correctness of the test and therefore the quality of the final result.

Any queries mail me at sandeep.patalay@cmcltd.com

Design principles in Safety Technology

2007-12-30T23:17:00.000-08:00

Design principles in Safety Technology

In safety technology, several basic design principles are applied. Two of them are briefly described in the following.

Fail safe

The fail safe principle requires that upon failure of a safety relevant system or component, it enters a safe state. A main precondition for the application of this principle is the existence of a safe state. For the railway this is a state, where all trains are at standstill in a certain track. If such a state exists, technical systems can be designed to enter it when they fail. A typical example is the train protection system.. However, the fail safe principle cannot always be applied.

Safe life

A system that does not have a safe state is e.g. the airplane. Then, the safe life principle has to be applied. It requires application of redundant and high reliable components to make sure, that the system always functions.

HALT and HASS Testing: Learning to Handle the Big Guns

2007-12-28T04:46:00.000-08:00

A lack of standards for the correct implementation of the stress test techniques known as HALT and HASS has resulted in widespread confusion. When implemented correctly, HALT and HASS provide a fast, cost-effective path to greater product reliability and customer satisfaction, as well as reduced warranty costs.

Since they were first introduced in the early 1980s, Highly Accelerated Life Testing (HALT) and Highly Accelerated Stress Screening (HASS) have been successfully adopted for a host of high-performance applications, such as mission-critical avionics equipment. With their promise of quickly providing valuable information about the reliability of a new or modified design, and the ability to monitor production and prevent component variations from causing latent field reliability issues, HALT and HASS techniques are ideal for designing and manufacturing with commercial-grade components.

Both test methods use direct inject, high flow rate liquid nitrogen cooling, tens of kilowatts of heating and powerful, multi-axis broad-spectrum vibration. Although these aggressive test methods are very different from standard life testing, design verification testing (DVT) and end-of-production testing, there are no published industry standards that define these powerful test methods. Since they deploy extreme stresses designed to rapidly precipitate flaws and force them to failure, misapplications or misinterpretations of these tests can easily result in damaged products, wasted money and frustrated engineers.

HALT is used as part of the new product design process and is typically performed on pilot or pre-production units. During HALT testing, the product is subjected to increasing stresses until weak points in the design emerge. Failure modes are identified and analyzed, and the product design is modified based on the results of that analysis. A typical HALT test will take three to five days. HASS, on the other hand, is a production screen, and typically tests 100% of production units. HASS uses similar stresses to those used in HALT, but at lower levels based on the limits identified in HALT. HALT must be completed before HASS can be implemented, and HALT is the most widely used of the two tests.

HALT and DVT

Although HALT may appear similar to DVT, it has different goals, uses different stresses and provides different results. The goal of DVT is to demonstrate whether a product will function in its intended environment and meet its specifications. The purpose of HALT, however, is to subject the product to environmental overstress, effectively forcing failure modes to emerge by accelerating mechanical fatigue. HALT quickly identifies a particular product's set of failure modes by applying the same environmental stresses that occur in the field, but at much higher levels. DVT and life testing can sometimes identify those failures, but this rarely occurs because the required time and number of units in test would be extreme.

One of the most significant characteristics of HALT is that it is not a pass/fail test. There are no pre-established limits. The test concludes when product destruct limits have been reached or the engineers determine that no more useful information can be gained. A final HALT test report includes detailed data on the product's operating margin, destruct margin and design flaws, along with what the new margins will be if each of the design flaws is eliminated.

When HALT is used, it is performed before DVT, so failure modes are exposed quickly and inexpensively before DVT begins. At that point, they can be analyzed and corrected without the pressure of a looming release date. If this is not done, many products will exhibit multiple failures during DVT. This can initiate costly and time-consuming redesign/retest cycles. But as a product nears its scheduled release date, the pressure to pass DVT can be intense. Too often, dealing with these critical failures may be postponed until after product launch, resulting in even greater losses and customer dissatisfaction.

The HALT Test Method

The stresses used in HALT are applied beginning with the least destructive and ending with the most destructive. A test sequence starts with cold step stressing and proceeds to hot step, rapid thermal ramps and vibration. It ends with a combined environment of vibration and rapid thermal ramps, dwelling at both temperature extremes. Other stresses include input voltage variations, loading, clock frequency variations and mechanical loading, if appropriate. Combining stresses will often reveal failure modes that individual stresses cannot.

Each time a failure occurs it is carefully documented and, if possible, a quick work-around is identified. Testing concludes when multiple failures occur simultaneously or fundamental design or technology limits have been reached for individual and combined stresses.

The potential benefits from HALT are significant. A single failure mode, caught before it becomes an issue that requires field rework, can save millions of dollars and help maintain a company's reputation and likelihood of getting future contracts. In addition, using HALT helps DVT go smoothly, so products are more likely to be released on time.

HALT may be considered successful when DVT and product launch proceed without last-minute design changes caused by late detection of failures. Success is further characterized by a lack of field issues in the weeks and months following launch. But a successful HALT also requires other conditions. The development team must accept ownership of the process from the beginning. HALT must be applied as early as practical in the design process, and failure analysis must be fast and accurate. It is imperative that failures are not overlooked or explained away, and the product development team must apply solid judgment when deciding which failure modes to eliminate.

The vibration stress used in HALT can be another source of confusion, since it deploys a type of shaker system different from that used in DVT. The Electro-Dynamic (ED) shakers deployed in DVT can be carefully controlled to provide exactly the stimulus needed for an analysis of the product's vibration response. They provide this stimulation in only one axis at a time. In HALT, rapid fatigue, not analysis, is the goal, and Repetitive Shock (RS) systems are used. These systems (Figure 1) can stimulate a product with a much wider range of frequencies, in all three axes and the rotations about these axes simultaneously. This stimulation will rapidly drive a poor solder joint or weak mechanical connection to failure.

HASS Production Screening

Once a product has been ruggedized with HALT, the question of production testing arises. Manufacturing variations and vendor changes can mean disaster, whether in a high-dollar, low-volume product, or one to be used in critical applications where failure can be very expensive or dangerous. Companies often use long burn-in tests to reduce these risks, only to discover that burn-in failures are rare, yet warranty issues are still a problem.

This is where the HASS production screen comes in. It applies stresses similar to those used in HALT, but at substantially reduced levels, based on the limits identified in HALT for each of the applied stresses. HASS provides continuous verification that additional failure modes, resulting from manufacturing or component variations, have not crept into the product.

Unlike HALT, HASS is a pass/fail test. A HASS screen consists of a “precipitation” phase that may exceed operating limits. This is followed by a detection phase in which the stresses are reduced to within operating limits and the product is monitored for failures. The test usually requires from 30 minutes to two hours, and in many cases eliminates the need for 24 or 48 hours of largely ineffective burn-in. The potential lot-to-lot variations that have been introduced with commercial-grade components mean the risk of a component change, which could introduce a new field failure mode that would be undetected by functional testing or a few days of burn-in. HASS applies combined stresses to precipitate these failure modes and then detect them via a change in the operating margins or a hard failure.

Many engineers have expressed the concern that HASS can damage products and may actually cause field failures. However, proper implementation of the HASS Proof of Screen provides a clear understanding of screen effectiveness and ensures that there is no effect on product life or performance. Proof of Screen includes repetitive application of the HASS stress profile to a small population of production samples. HASS is only implemented after it has been proven that all “good” samples can withstand from 20 to 50 repeated HASS cycles without damage or wear.

Conclusion:

HALT and HASS chambers are expensive, but the cost is minimal compared to what many companies pay in direct costs and lost business if failures occur in the field. Furthermore, most companies approach HALT and HASS carefully, in stages. The first stage might consist of using HALT on a single new product and conducting the tests in an established commercial test lab. As more products follow and confidence increases, it may become cost-effective to purchase a chamber. After additional time and solid experience with HALT, many companies are making the move to HASS.

When designing with commercial-grade components, there is always a valid concern about potential degradation of product life and performance. With adequate training, the right equipment and a clear commitment from the organization, the powerful tools of HALT and HASS can very effectively reduce those risks.

Analysis of Failures of Solid State Interlocking Systems

2007-12-27T03:47:00.000-08:00

Lack of domain Knowledge in Signalling and Traditional Route Relay interlocking Systems, This creates a technological gap between the software programmers and the Domain consultants. This leads to Errors in software, which might lead to unsafe failures of the system
Increasing the complexity of the System by Employing distributed architecture, which is difficult to validate and verify and difficult to maintain, thus leading to very high time repair
Extending the working scope of the Interlocking systems for monitoring and other non-Interlocking functions, which leads to degraded performance of the system
Employing Non-Formal Interlocking principles instead of traditional RRI Principles leads to software complexity. For Ex: The Geographical method needs every system that is installed for new Yard needs validation, which is not practicable.
Since the software and hardware is so complex, complete test of the system is not possible and most of the faults are revealed at the field Installation stage or during normal working of the system in field.
The software is to be changed for every yard , the software structure should be in a generic form, but we seldom see a generic form and this the stage errors creep in.
The lack of standardization in the railway working principles and the core Interlocking principles, the software developers are forced to do changes in the software for every yard in Different railway zones, this is the time that errors in the software creep in.

Because of the above said reasons the Interlocking systems have failed to create the necessary confidence in the railway operators. Because of this reason the Solid state Interlocking systems have become unpopular.

If we examine broadly the reasons for failure and lack of reliability and maintainability that are forced by the designers are as follows:

Lack of standardization of interlocking principles, every railway zone has its own set of rules and principles which are conflicting with other railways, this makes the life of the developers difficult because they have change their systems settings and software accordingly.
There is no standard book or reference available describing the core interlocking principles, since these rules are only known by the people working in this domain.
Increase in the complexity of the software leads to difficulty in testing, since most of the Interlocking systems are sequential machines they are error prone are very difficult to test.

ALARP and software

2007-12-20T06:35:00.000-08:00

At one level the ALARP principle seems like common sense, and would be expected to be broadly applicable. However people have found difficulty in applying it to software (and in some other circumstances, e.g. ordnance and explosives). Why should this be?
There seem to be three related issues which make it difficult to apply the ALARP principle to software:
1. Most of the techniques we are interested in, e.g. rigorous testing, provide information about risk, they do not reduce risk (in this sense ALARP simply doesn’t apply);
2. Even if we assume we will remove faults we find by carrying out some analysis we cannot predict what these faults will be in advance – so we cannot know the benefit of applying the technique in advance so there is no prior basis to make the judgement whether or not application of the technique complies with ALARP;
3. Less obviously, there is an implicit assumption behind the ALARP principle that determining risk is cheap, but that reducing risk is expensive. This is not the case for software – finding the problems through testing, etc. is the expensive part of the process, and writing the code is only 5-10% of the cost.

Research Work in Solid state Interlocking

2007-12-20T06:29:00.000-08:00

The research in the field of solid state interlocking systems data back to 1970s, the first prototypes came in to existence in Britain in the early 80s. In India the research in this area started in the mid 80s by IIT Delhi, the project was funded by RDSO, Lucknow. Prof. Vinod Chandra and Dr. M. Verma were involved in this project. They developed a prototype in which they allocated different Safey Integrity Levels to each module so that the complexity involved in validating the whole system which has only one safety integrity level is solved. The Prototype was developed by 2/2 hardware redundancy Method.

Union switch and Signal Company developed a System with single processor with diverse software method. The Total system had a hot stand by system that would take over if one system failed. Westrace Inc, Australia has implemented the Distributed architecture of SSI where the control is distributed in the Entire Yard as apposed to Centralized Systems
Michele Banci, ISTI - CNR, Formal Methods and Tools Group Pisa, Italy has worked on the method of state charts and graphical method to implement Interlocking.
Dejan Lutovac and Tatjana Lutovac of RMIT University, Melbourne, Australia have worked on generalizing the software and working towards an Universal Interlocking System.
Peter Wigger, Institute for Software, Electronics, Railroad Technology (ISEB), TÜV InterTraffic GmbH, Berlin-Brandenburg Group has worked on the allocating Safety Integrity Level (SIL) in Railway Applications.
Radek Dobias, Hana Kubatova, Department of Computer Science and Engineering, Czech Technical University Prague have worked on the use of FPGAs in safety critical railway applications.
Kotaro Shimamura, Shin’ichiro Yamaguchi of Hitachi Research Laboratory, Hitachi Ltd have worked on fail safe hardware by using dual synthesizable processor cores which gives redundancy in the component level itself
Tomoji Kishi, Natsuko Noda of Software Design Laboratories, NEC Corporation has worked on software architecture, architecture conformance, non-functional properties,
design method, layered system for Interlocking software.

Conclusion:
It is suggested that in the complex field of Railway Signalling, where safety, availability and maintainability are the prime issues, the railway operators must be taken in to confidence and the method applied to design these systems should be reliable, validatable and should create confidence in the railway operators. The Method suggested in the paper describes the method to be employed for design and development of SSIs for safe and reliable operation.

Types of Software Interlocking

2007-12-20T06:27:00.000-08:00

2. Types of Methods applied in software for Interlocking

2.1 Geographical Method:
In the Geographical method the input to the SSI is given as the position of the signals, points, tracks Circuits and Slots. The Interlocking is implemented based on the generic rules that no part of the track are shared by the two routes at a time, Conflicting routes should not be set at a time etc. This type of implementation requires a great knowledge of the Yard Elements and the interconnection between them. In this method the software does not have one to one relation ship to the relay circuits used for RRI and is very difficult validate, so this method has failed to create the necessary confidence in the railway operators

2.2 Boolean Equation Method:
The Boolean equation method is the implementation of the traditional relay interlocking principles. In this method the relay circuits are implemented as Boolean equations, so there is one to one relation ship between the relay circuits and the software variables. Since there is a one to one relation ship between the software and the RRI Relay circuits, Railway operator can easily validate the software entrees made and this method will give him sufficient confidence.

Failsafe and Fault Tolerant Systems

2007-12-20T06:08:00.000-08:00

Embedded System:

An Embedded system is a combination of hardware and software to do a specific job, unlike a general purpose computing system like a PC even though having good amount of hardware and software is not an embedded system because it does not do a specific function.

Real Time System: A Real time System is an Embedded System, Which operates on current data and not on saved data.

Hard Real Time System or Mission critical System: A real-time computer system must react to inputs from controlled object and from the operator. The instant at which a result must be produced is called a deadline. If by missing a firm deadline a catastrophe could happen, then the deadline is called hard. A real-time computer system that must meet at least one hard deadline is called a hard real-time computer system or a safety-critical real-time computer system.

Railway Interlocking System: A railway interlocking system controls the traffic in a railway station, and between adjacent stations. The control includes train routes, shunting moves and the movements of all other railway vehicles in accordance with railway rules, regulations and technological processes required for the operation of the railway station.

Interlocking Logic: A term used for the logical relationships between physical entities in the railway yard such as points, signals, track circuits, and so on. In SSI, this is programmed in the Software; in relay-based interlocking this is hardwired into the relay circuitry, and in ground-frame interlocking it is manifest in the mechanical linkages between physical components.

Ground-frame interlocking: An Interlocking System When built using mechanical linkages between Levers (Physical Entities) is called Ground-frame interlocking System.

Route Relay Interlocking System (RRI): An Interlocking System When built completely using Electro mechanical relays is called as Route Relay Interlocking System.

Solid State Interlocking System (SSI): An Interlocking System When built using Electronics replacing traditional Mechanical Levers and Electro mechanical relays is called as Solid state Interlocking System.

Reliability: The reliability can be defined as the ability of an item to perform a required function under stated conditions for a stated period of time.

Redundancy: The existence of more than one means of accomplishing a given function. Each means of accomplishing the function need not be necessarily identical.

Hardware (Software Diversity): Two or more different Versions of Hardware (Software) working in a system to achieve a same result.

Failure: The termination of the ability of an item to perform a required function.

Maintainability: The ability of an item, under stated conditions of use, to be retained in, or restore to, a state in which it can perform its required function, when maintenance is performed under stated conditions and using prescribed procedure and resources.

Availability: The ability of an item (Under combined aspects of its reliability, maintainability, and maintenance support) to perform its required function over a stated period of time.

Software/Hardware Integration

2007-12-20T05:50:00.000-08:00

Software Hardware Integration is the process of testing the interfaces between Hardware and the associted software and also the functional behavoiur of the system. The Input document is Software Requirement Specification, Hardware Requirement Specification and Detailed design Documents.

Verification and Validation

Predictive Maintenance of Railway Point Machines

Dynamic Analysis of Safety Critical Systems

The Computer Based Interlocking Architecture

From the desk of Sandeep Patalay

The ComputerBased Interlocking Architecture

CENELEC Standard: Faults and Effects

ISSUES IN TPWS (ETCS-LEVEL 1) OPERATIONS ON SOUTHERN RAILWAY

India advances high-speed studies

Instresting Old Videos about Computer Based Interlocking

CENELEC Safety Integrity Requirements

FailSafe and Fault Tolerant Railway Systems

Vision and Potential for Future Signalling Stratergies

The Current Status of Signal Control Systems and Research and Development

Tool Support for Checking Railway Interlocking Designs

Software Safety:Where is the Evidence?

High Speed Rail in 2010-2 (Courtesy: UIC)

High Speed Rail in 2010 (Courtesy: UIC)

Predictive maintenance of Railway Point/Switch Machines

Heavy Haul Braking using Electronically-Controlled Pneumatic (ECP) brakes

Rail Track Maintainance Prediction

Rating system for Safety Critical Systems based on various attributes such as Reliability, Availability, Maintainability, Etc...

Railway Signalling using Wireless Sensor Networks

Safety Integrity Levels

Real Time Data Processing Techniques

Principles of Train working and need for Signalling

THE COMPUTER BASED INTERLOCKING SYSTEM ARCHITECTURE

Need of Electronic Interlocking System (EIS) for Indian Railways

What is ERTMS - Introduction

Bombardier Unveils First Contactless Tram

Challenges in using Wireless Sensor Networks in Railway Signalling

State Machine Basics

Automatic Train Protection (ATP)

Computer Based Interlocking Systems

Relay Interlocking

Design principles in Safety Technology

HALT and HASS Testing: Learning to Handle the Big Guns

Analysis of Failures of Solid State Interlocking Systems

ALARP and software

Research Work in Solid state Interlocking

Types of Software Interlocking

Failsafe and Fault Tolerant Systems

Software/Hardware Integration

From the desk of
Sandeep Patalay