RailUK Forums
RailUK Forums > UK Railway Forums > Infrastructure & Stations

Click to buy your tickets through RailUK Booking engine

Reply
 
Thread Tools
Old 19th May 2017, 09:46   #1
zaax
Member
 
Join Date: 8 Oct 2015
Posts: 58
Default triple redundancy

When building an important computer system triple redundance is built in. ie three processors normal working together but one can do the job of three if the others break down.

Is this the same with the railway signalling system?
zaax is offline   Reply With Quote
Registered users do not see these banners - join today!
Old 19th May 2017, 10:02   #2
ComUtoR
Established Member
 
Join Date: 13 Dec 2013
Location: UK
Posts: 3,272
Default

You sneeze and the system breaks.

Leaf mulch can prevent a track circuit from operating.

I think you need to define further about 'redundancy' being built in. The system will tend to fail safe so when a set of points fail they fail on a specific direction and that will interlock with other points and signals. That is a form of redundancy I suppose.
__________________
The Death Knell of the Guards sounded
and lo, the forums rejoiced.
ComUtoR is offline   Reply With Quote
Old 19th May 2017, 10:05   #3
Joseph_Locke
Established Member
 
Joseph_Locke's Avatar
 
Join Date: 14 Apr 2012
Location: Within earshot of trains passing the one and half mile post
Posts: 1,237
Default

Quote:
Originally Posted by zaax View Post
When building an important computer system triple redundance is built in. ie three processors normal working together but one can do the job of three if the others break down.

Is this the same with the railway signalling system?
In SSI there are three duplicated systems - three entirely separate Zilog Z80B processors in fact - and two of these must agree before the system takes action. In this case a complete failure of one processor subsystem can be tolerated, but not two.

I'm not sure how CBI achieves its SIL compliance - you should remain on the platform and await the arrival of an interlocking technologist.
__________________
Signatures are limited to two unfunny lines. Your signature also contains too much humour. Please edit it to make it brief, remove the humour and try again.
Joseph_Locke is offline   Reply With Quote
Old 19th May 2017, 10:58   #4
MarkyT
Established Member
 
MarkyT's Avatar
 
Join Date: 20 May 2012
Location: Torbay
Posts: 1,814
Default

The successors to SSI are Westlock and Smartlock and these also use a similar technique but with more modern hardware. Not sure about other suppliers, although SSI and it's derivatives almost completely dominate the mainline market. Note the triple redundancy only applies to the central interlocking modules, not the distributed trackside function modules (TFM) that have only duplicated processors. A failure to agree in a TFM will result in a signals at red shutdown for that module but will only affect the small quantity of trackside equipment that one module interfaces to. No more than two signals or two sets of points usually.

Last edited by MarkyT; 19th May 2017 at 11:04.
MarkyT is offline   Reply With Quote
Old 19th May 2017, 12:38   #5
edwin_m
Veteran Member
 
Join Date: 21 Apr 2013
Location: Nottingham
Posts: 10,325
Default

SSI actually has hardware to shut down the processor that disagrees with the other two and if only two remain to shut down both if they disagree. This is done by blowing a fuse I think. The data links between the processor and the trackside are also duplicated for reliability, but the data on each link is digitally encoded so it won't do anything unsafe if it is corrupted or, for example, connected to the trackside equipment for a different interlocking.
__________________
These opinions are mine alone, unless anyone happens to agree with me.

Last edited by edwin_m; 19th May 2017 at 12:39.
edwin_m is offline   Reply With Quote
Old 19th May 2017, 12:41   #6
Bletchleyite
Veteran Member
 
Join Date: 20 Oct 2014
Location: Up and down the south WCML (mostly)
Posts: 17,792
Default

Quote:
Originally Posted by zaax View Post
When building an important computer system triple redundance is built in. ie three processors normal working together but one can do the job of three if the others break down.

Is this the same with the railway signalling system?
Provided it fails safe, there isn't really much need other than for reliability - "all trains stop now" is a safe if annoying failure outcome.

An Airbus's control systems are different - the plane can't just stop if there is a failure.

Edit: Though other more knowledgeable posters on this matter have confirmed it is indeed used.
__________________
Neil

Last edited by Bletchleyite; 19th May 2017 at 12:43.
Bletchleyite is offline   Reply With Quote
Old 19th May 2017, 14:17   #7
edwin_m
Veteran Member
 
Join Date: 21 Apr 2013
Location: Nottingham
Posts: 10,325
Default

Quote:
Originally Posted by Bletchleyite View Post
Provided it fails safe, there isn't really much need other than for reliability - "all trains stop now" is a safe if annoying failure outcome.

An Airbus's control systems are different - the plane can't just stop if there is a failure.

Edit: Though other more knowledgeable posters on this matter have confirmed it is indeed used.
Indeed. In aviation it's probably more important that a system keeps working even if it isn't quite doing the right thing - the pilot can usually compensate. For a railway signalling system if it can't be guaranteed to do the right thing it shouldn't do anything. Doing the wrong thing may not be evident to anyone until too late, and could have catastrophic results.
__________________
These opinions are mine alone, unless anyone happens to agree with me.
edwin_m is offline   Reply With Quote
Old 19th May 2017, 15:13   #8
snowball
Established Member
 
Join Date: 4 Mar 2013
Location: Leeds
Posts: 3,163
Default

I assume it's no use trying to triplicate the unit that compares the outputs of the triplicated processors.
snowball is offline   Reply With Quote
Old 19th May 2017, 16:48   #9
MarkyT
Established Member
 
MarkyT's Avatar
 
Join Date: 20 May 2012
Location: Torbay
Posts: 1,814
Default

Quote:
Originally Posted by edwin_m View Post
SSI actually has hardware to shut down the processor that disagrees with the other two and if only two remain to shut down both if they disagree. This is done by blowing a fuse I think. The data links between the processor and the trackside are also duplicated for reliability, but the data on each link is digitally encoded so it won't do anything unsafe if it is corrupted or, for example, connected to the trackside equipment for a different interlocking.
It's a kind of enhanced Mexican standoff in classic SSI. Each of the three MPMs (main processor modules) has some built in hardware for checking it's own output in comparison to the two others. If the outputs differ the minority module attempts to blow it's own fuse if it's capable. The other two modules are also hardwired to be able to kill the dissenting module and both will attempt this if they detect a disagreement. The two remaining modules, if they survive the shoot out, are capable of running the railway alone but alarms are generated to summon technical assistance, as if any further disagreement is detected by either module, both are eliminated and the interlocking shuts down. Signals go to red. Points are immobile.

Central Interlocking - Duplicated for safety, triplicated for reliabiliy.

Trackside Datalinks - Duplicated for reliability. A and B links are also preferably fed along the trackside from nodes at opposite ends of the scheme so even if both cables are cut midway all trackside objects remain connected to the interlocking by one or the other link. Similar architecture is preferred for equipment power supplies.

Trackside Function Modules (Distributed I/O) - Duplicated for safety alone. As to reliability, failure of one module in an interlocking otherwise fully functional is considered acceptable.

Other Control Centre Equipment - Systems usually contain duplicated boards or modules for reliability.
MarkyT is offline   Reply With Quote
Old 19th May 2017, 16:49   #10
rf_ioliver
Member
 
Join Date: 17 Apr 2011
Posts: 470
Default

Quote:
Originally Posted by zaax View Post
When building an important computer system triple redundance is built in. ie three processors normal working together but one can do the job of three if the others break down.
Quick rough answers:

If you are specifically referring to redudancy, then in the simplest system all three processors will perform the same job and then voting circuitry will ensure that the "correct" result is given in the case one processor fails.

You can get redundancy in other ways, eg: providing over capacity as might be done in certain "cloud" scenarios etc. Anyway, there are many, many forms of system redundancy. I think in your example however you're referring to a parallel processing system in which load can be shared - that's different case to fault-tolerance which is really the case for railways.

There are a number of issues in such systems, this article gives a good overview of the most famous of these: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance

Then someone mentioned avionics and fail-safe. In a simple system, eg: a signal, then if something fails then the system fails to a safer state, eg: if a yellow bulb fails in a 4-aspect signal then either no signal is shown or only a single yellow is shown, both of which are more restrictive then a double yellow.

You can get variations of this, eg: circuitry which ensures that a red is shown for any failure.

The main point here is to get a system to fail *gracefully*. For example, in Airbus the general principle is that the system under failure returns more and more control, gracefully, to the pilot, eventually leaving the pilot with full control. And yes, Airbus aircraft can be flown fully manually.

One interesting point to note is that in such systems pretty much everything is done to avoid the system giving up and handing all control over to a human at once.

Big topic to discuss, if you have anything specific let me know by PM or reply here,

t.

Ian
rf_ioliver is offline   Reply With Quote
Old 19th May 2017, 20:56   #11
mark-h
Member
 
Join Date: 14 Jan 2015
Posts: 101
Default

Quote:
Originally Posted by Bletchleyite View Post
An Airbus's control systems are different - the plane can't just stop if there is a failure.
I think Airbus have the critical soft/firmware programmed by 3 different companies to reduce the risk of a bug causing an issue.

Three processors running the same software would give the same (wrong) responce if there was a code issue.
mark-h is offline   Reply With Quote
Old 19th May 2017, 21:32   #12
najaB
Veteran Member
 
Join Date: 28 Aug 2011
Location: Scotland
Posts: 14,064
Default

Quote:
Originally Posted by mark-h View Post
I think Airbus have the critical soft/firmware programmed by 3 different companies to reduce the risk of a bug causing an issue.

Three processors running the same software would give the same (wrong) responce if there was a code issue.
That does then introduce the problem of three different but equally valid solutions to the same set of inputs, initial condition and desired outcome. For example, if you're at FL20 and want to go to FL25 one program might calculate the minimum time solution while another calculates minimum fuel and the third does something somewhere in between.

I don't know about Airbus, but in other applications the three computers have to run identical software for the majority voting system to work. There will be a fourth, completely isolated backup system running a different code stack which takes over in the case of a system freeze/crash on the main computers.

Edit to add: Whatsmore, three different code stacks makes bugs *more* likely rather than less as that's three times as much code to test and validate.
__________________
Favourite saying: "There's no difference between theory and practice. In theory."

Last edited by najaB; 20th May 2017 at 00:55.
najaB is offline   Reply With Quote
Old 19th May 2017, 21:35   #13
asylumxl
I has this many monies..
Established Member
 
asylumxl's Avatar
 
Join Date: 12 Feb 2009
Location: Hiding in your shadow
Posts: 4,238
Default

Quote:
Originally Posted by Joseph_Locke View Post
In SSI there are three duplicated systems - three entirely separate Zilog Z80B processors in fact - and two of these must agree before the system takes action. In this case a complete failure of one processor subsystem can be tolerated, but not two.

I'm not sure how CBI achieves its SIL compliance - you should remain on the platform and await the arrival of an interlocking technologist.
Amazing how prolific Zilog Z80 variants still are!
__________________
This is not the signature you are looking for...
asylumxl is offline   Reply With Quote
Old 19th May 2017, 22:39   #14
edwin_m
Veteran Member
 
Join Date: 21 Apr 2013
Location: Nottingham
Posts: 10,325
Default

Quote:
Originally Posted by asylumxl View Post
Amazing how prolific Zilog Z80 variants still are!
Now you mention it, they are actually Motorola 6800 variants in SSI not Z80 - even older I think!
__________________
These opinions are mine alone, unless anyone happens to agree with me.

Last edited by edwin_m; 19th May 2017 at 22:42.
edwin_m is offline   Reply With Quote
Old 20th May 2017, 00:52   #15
asylumxl
I has this many monies..
Established Member
 
asylumxl's Avatar
 
Join Date: 12 Feb 2009
Location: Hiding in your shadow
Posts: 4,238
Default

Quote:
Originally Posted by edwin_m View Post
Now you mention it, they are actually Motorola 6800 variants in SSI not Z80 - even older I think!
Makes perfect sense I suppose. Stability is one of the most important qualities of an embedded system and the software/hardware combo must be pretty stable by now!
__________________
This is not the signature you are looking for...
asylumxl is offline   Reply With Quote
Reply

Bookmarks

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT +1. The time now is 03:32.
Powered by vBulletin® Version 3.8
© RailUK Forums 2005 - 2017