triple redundancy

Discussion in 'Infrastructure & Stations' started by zaax, 19 May 2017.

  1. zaax

    zaax Member

    Messages:
    69
    Joined:
    8 Oct 2015
    When building an important computer system triple redundance is built in. ie three processors normal working together but one can do the job of three if the others break down.

    Is this the same with the railway signalling system?
     
  2. ComUtoR

    ComUtoR Established Member

    Messages:
    3,615
    Joined:
    13 Dec 2013
    Location:
    UK
    You sneeze and the system breaks.

    Leaf mulch can prevent a track circuit from operating.

    I think you need to define further about 'redundancy' being built in. The system will tend to fail safe so when a set of points fail they fail on a specific direction and that will interlock with other points and signals. That is a form of redundancy I suppose.
     
  3. Joseph_Locke

    Joseph_Locke Established Member

    Messages:
    1,356
    Joined:
    14 Apr 2012
    Location:
    Within earshot of trains passing the one and half
    In SSI there are three duplicated systems - three entirely separate Zilog Z80B processors in fact - and two of these must agree before the system takes action. In this case a complete failure of one processor subsystem can be tolerated, but not two.

    I'm not sure how CBI achieves its SIL compliance - you should remain on the platform and await the arrival of an interlocking technologist.
     
  4. MarkyT

    MarkyT Established Member

    Messages:
    2,001
    Joined:
    20 May 2012
    Location:
    Torbay
    The successors to SSI are Westlock and Smartlock and these also use a similar technique but with more modern hardware. Not sure about other suppliers, although SSI and it's derivatives almost completely dominate the mainline market. Note the triple redundancy only applies to the central interlocking modules, not the distributed trackside function modules (TFM) that have only duplicated processors. A failure to agree in a TFM will result in a signals at red shutdown for that module but will only affect the small quantity of trackside equipment that one module interfaces to. No more than two signals or two sets of points usually.
     
    Last edited: 19 May 2017
  5. edwin_m

    edwin_m Veteran Member

    Messages:
    10,992
    Joined:
    21 Apr 2013
    Location:
    Nottingham
    SSI actually has hardware to shut down the processor that disagrees with the other two and if only two remain to shut down both if they disagree. This is done by blowing a fuse I think. The data links between the processor and the trackside are also duplicated for reliability, but the data on each link is digitally encoded so it won't do anything unsafe if it is corrupted or, for example, connected to the trackside equipment for a different interlocking.
     
    Last edited: 19 May 2017
  6. Bletchleyite

    Bletchleyite Veteran Member

    Messages:
    20,839
    Joined:
    20 Oct 2014
    Location:
    Up and down the south WCML (mostly)
    Provided it fails safe, there isn't really much need other than for reliability - "all trains stop now" is a safe if annoying failure outcome.

    An Airbus's control systems are different - the plane can't just stop if there is a failure.

    Edit: Though other more knowledgeable posters on this matter have confirmed it is indeed used.
     
    Last edited: 19 May 2017
  7. edwin_m

    edwin_m Veteran Member

    Messages:
    10,992
    Joined:
    21 Apr 2013
    Location:
    Nottingham
    Indeed. In aviation it's probably more important that a system keeps working even if it isn't quite doing the right thing - the pilot can usually compensate. For a railway signalling system if it can't be guaranteed to do the right thing it shouldn't do anything. Doing the wrong thing may not be evident to anyone until too late, and could have catastrophic results.
     
  8. snowball

    snowball Established Member

    Messages:
    3,595
    Joined:
    4 Mar 2013
    Location:
    Leeds
    I assume it's no use trying to triplicate the unit that compares the outputs of the triplicated processors. :D
     
  9. MarkyT

    MarkyT Established Member

    Messages:
    2,001
    Joined:
    20 May 2012
    Location:
    Torbay
    It's a kind of enhanced Mexican standoff in classic SSI. Each of the three MPMs (main processor modules) has some built in hardware for checking it's own output in comparison to the two others. If the outputs differ the minority module attempts to blow it's own fuse if it's capable. The other two modules are also hardwired to be able to kill the dissenting module and both will attempt this if they detect a disagreement. The two remaining modules, if they survive the shoot out, are capable of running the railway alone but alarms are generated to summon technical assistance, as if any further disagreement is detected by either module, both are eliminated and the interlocking shuts down. Signals go to red. Points are immobile.

    Central Interlocking - Duplicated for safety, triplicated for reliabiliy.

    Trackside Datalinks - Duplicated for reliability. A and B links are also preferably fed along the trackside from nodes at opposite ends of the scheme so even if both cables are cut midway all trackside objects remain connected to the interlocking by one or the other link. Similar architecture is preferred for equipment power supplies.

    Trackside Function Modules (Distributed I/O) - Duplicated for safety alone. As to reliability, failure of one module in an interlocking otherwise fully functional is considered acceptable.

    Other Control Centre Equipment - Systems usually contain duplicated boards or modules for reliability.
     
  10. rf_ioliver

    rf_ioliver Member

    Messages:
    492
    Joined:
    17 Apr 2011
    Quick rough answers:

    If you are specifically referring to redudancy, then in the simplest system all three processors will perform the same job and then voting circuitry will ensure that the "correct" result is given in the case one processor fails.

    You can get redundancy in other ways, eg: providing over capacity as might be done in certain "cloud" scenarios etc. Anyway, there are many, many forms of system redundancy. I think in your example however you're referring to a parallel processing system in which load can be shared - that's different case to fault-tolerance which is really the case for railways.

    There are a number of issues in such systems, this article gives a good overview of the most famous of these: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance

    Then someone mentioned avionics and fail-safe. In a simple system, eg: a signal, then if something fails then the system fails to a safer state, eg: if a yellow bulb fails in a 4-aspect signal then either no signal is shown or only a single yellow is shown, both of which are more restrictive then a double yellow.

    You can get variations of this, eg: circuitry which ensures that a red is shown for any failure.

    The main point here is to get a system to fail *gracefully*. For example, in Airbus the general principle is that the system under failure returns more and more control, gracefully, to the pilot, eventually leaving the pilot with full control. And yes, Airbus aircraft can be flown fully manually.

    One interesting point to note is that in such systems pretty much everything is done to avoid the system giving up and handing all control over to a human at once.

    Big topic to discuss, if you have anything specific let me know by PM or reply here,

    t.

    Ian
     
  11. mark-h

    mark-h Member

    Messages:
    117
    Joined:
    14 Jan 2015
    I think Airbus have the critical soft/firmware programmed by 3 different companies to reduce the risk of a bug causing an issue.

    Three processors running the same software would give the same (wrong) responce if there was a code issue.
     
  12. najaB

    najaB Veteran Member

    Messages:
    15,366
    Joined:
    28 Aug 2011
    Location:
    Scotland
    That does then introduce the problem of three different but equally valid solutions to the same set of inputs, initial condition and desired outcome. For example, if you're at FL20 and want to go to FL25 one program might calculate the minimum time solution while another calculates minimum fuel and the third does something somewhere in between.

    I don't know about Airbus, but in other applications the three computers have to run identical software for the majority voting system to work. There will be a fourth, completely isolated backup system running a different code stack which takes over in the case of a system freeze/crash on the main computers.

    Edit to add: Whatsmore, three different code stacks makes bugs *more* likely rather than less as that's three times as much code to test and validate.
     
    Last edited: 20 May 2017
  13. asylumxl

    asylumxl Established Member

    Messages:
    4,252
    Joined:
    12 Feb 2009
    Location:
    Hiding in your shadow
    Amazing how prolific Zilog Z80 variants still are!
     
  14. edwin_m

    edwin_m Veteran Member

    Messages:
    10,992
    Joined:
    21 Apr 2013
    Location:
    Nottingham
    Now you mention it, they are actually Motorola 6800 variants in SSI not Z80 - even older I think!
     
    Last edited: 19 May 2017
  15. asylumxl

    asylumxl Established Member

    Messages:
    4,252
    Joined:
    12 Feb 2009
    Location:
    Hiding in your shadow
    Makes perfect sense I suppose. Stability is one of the most important qualities of an embedded system and the software/hardware combo must be pretty stable by now!
     
  16. Tim M

    Tim M Member

    Messages:
    15
    Joined:
    9 Jul 2016
    The WESTRACE Computer Based Interlocking (now Siemens Trackguard WESTRACE) system uses single processor using a true and complementary system to achieve safety to Safety Integrity Level 4. The Mk2 system has redundancy capabilities by duplicating both the interlocking module and the various Input and Output modules, with as the link below says hot swap capabilities.

    WESTRACE has been in service in many countries around the world for about 25 years.

    https://www.mobility.siemens.com/mo...-interlockings/trackguard-westrace-mk2-en.pdf
     

Share This Page