
RAMS Requirements in Electronic Interlocking Design
28/10/2021

INTRODUCTION

Any interlocking system must meet the international standards for rail systems and
offer the highest levels of safety, reliability and availability. The main function of an
interlocking system, as a generic product, is to guarantee the safe operation of
trains by avoiding route or itinerary conflicts, while controlling external objects (track
devices) such as signals or points (control and checking) and exchanging adequate
information with other signaling systems, such as the systems that detect the
occupancy of track sections or level crossings.

Furthermore, these systems must be adaptable for use in both generic and specific
applications, controlling the movements of trains in accordance with the operational
requirements of the railway administrations.

Interlocking based on electronic systems (ENCE) is the type of interlocking most
widely used today. It is the successor to relay interlocking, although the latter is still
very much in service. ENCE interlockings have larger capacity, use more compact
equipment, consume less energy, are more flexible and achieve better performance.
Many rail facilities are being upgraded with ENCE, as are the modern lines being
deployed around the world.

In this article we detail, from the point of view of RAMS, the main characteristics of
modern interlocking systems and explore how effective processes and techniques
should be applied in the deployment of this type of system.
ARCHITECTURE OF LATEST GENERATION INTERLOCKING SYSTEMS

To achieve maximum flexibility in terms of possible installations, and since each
railway system has its own requirements, interlocking systems must use a modular
architecture. This also greatly facilitates future changes or updates to a given
system. Interlockings must be able to interact with different types of signaling and
railway control systems (ATP, ERTMS, TMS, interlockings of other technologies, etc.).

Different hardware architectures are possible depending on the needs of a specific
network: centralized and distributed architectures. Today, most vendors offer flexible
solutions that support both options depending on the type of installation, whether a
simple or a complex design.

Centralized architectures are used in simple designs with a small amount of
equipment and short distances between the electronic interlocking and the
controlled equipment. In complex designs, the large amount of cabling required would
mean high costs, and this architecture would no longer make sense.

Distributed architectures are typically used for complex installations with a lot of
equipment and large distances between the electronic interlocking and the
controlled equipment. In this type of configuration, external object controllers, each
of which controls a set of track equipment, are linked to the central interlocking.
Compared to a centralized architecture, the distributed architecture has the
following main advantages: cost savings in cabling, less construction space required,
and easier installation and maintenance.

Finally, upstream, the interlocking can be commanded from centralized controls
(normally in Control Centers, CTC), from local videographic controls or even from
local controls on the track. The management of priorities among them is determined
by the operating rules established for the line or installation.
RAMS DESIGN REQUIREMENTS FOR INTERLOCKING SYSTEMS

The safety assessment of electronic interlockings, or of any other subsystem of
railway signaling (CMS system, control-command and signaling), is based on a set
of international reference standards (CENELEC EN 50126, EN 50128 and EN 50129),
which are mandatory for the European railway industry and specifically for
signaling or CMS systems. The hardware and software of safety-critical systems
must be subject to a strict verification and validation process, carried out by an
independent team (EN 50126). During the safety analysis, all possible dangerous
situations must be identified, and the hardware and software design must provide
for the elimination of all the identified hazards.

Safety analysis of a CMS system such as an interlocking can be performed using
qualitative or quantitative methods, but most often a combination of both is used.
Qualitative approaches focus on the question "What must go wrong for such a
system hazard to occur?", while quantitative methods aim to provide estimates of
probabilities, rates and severity of consequences.

The most common methods used to perform interlocking system safety analysis
are based on failure modes and effects analysis (FMEA) and fault tree analysis
(FTA). All identified situations are recorded as hazards in a Hazard Log. This
document is intended to be used throughout the life cycle of the system, from
conception to decommissioning and disposal.

The main objective of using the FMEA and FTA methodologies is to identify all the
possible failure modes of the system and, for each of its components, describe the
effects of those failures and assign a probability of occurrence. These can also
include failures caused by human error and causes originating from external events.
This procedure is part of the hazard analysis and risk assessment specified by EN
50126. This standard establishes the concepts, methods, tools and engineering
techniques to be applied during the useful life of the systems to guarantee that a
defined level of safety integrity of rail traffic is achieved.
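As an added illustration of the quantitative side of FTA (not code from the article or from Leedeo), the following Python evaluates a small constructed fault tree: the top-event probability under the independence assumption, the minimal cut sets, and the single points of failure that the Reliability section asks designers to eliminate. The tree, event names and probabilities are constructed placeholders, not figures from any real assessment.

```python
from dataclasses import dataclass, field
from itertools import product
from math import prod
# Constructed fault tree for a hypothetical wrong-side failure of an
# interlocking; event names and probabilities are illustrative placeholders,
# not data from any real safety assessment.
@dataclass
class Event:
    name: str
    p: float      # probability of the basic event (events assumed independent)
@dataclass
class Gate:
    kind: str     # "AND" or "OR"
    inputs: list = field(default_factory=list)   # Events and/or Gates

def probability(node):
    """Top-event probability, assuming independent basic events."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)          # OR gate

def cut_sets(node):
    """All cut sets: combinations of basic events that cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        return [cs for sets in child_sets for cs in sets]
    # AND gate: one cut set from each input must occur together
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Drop every cut set that is a superset of another cut set."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)

def single_points_of_failure(node):
    """Basic events that alone cause the top event (cut sets of size 1)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)

# Top event: proceed aspect shown although the protected section is occupied.
TC_FALSE_CLEAR = Event("track_circuit_false_clear", 1e-4)
CHECK_FAILS = Event("occupancy_plausibility_check_fails", 1e-3)
CPU_A = Event("processor_A_undetected_error", 1e-5)
CPU_B = Event("processor_B_undetected_error", 1e-5)
TOP = Gate("OR", [Gate("AND", [TC_FALSE_CLEAR, CHECK_FAILS]),
                  Gate("AND", [CPU_A, CPU_B])])
```

Wrapping TOP in a further OR gate with one unprotected basic event makes that event appear as a size-1 minimal cut set, which is exactly what a single-point-of-failure review looks for.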

To achieve this quality of service, the following practices should be applied:

- Risk analysis: identification of all dangerous situations, the probability of their
occurrence and the consequences of those dangers.

- Achieve rail RAMS requirements: control of the factors influencing RAMS over the
life of the system (EN 50126).

- Ensure compliance with the specified safety integrity level (SIL). In order for
an interlocking system to be certified, it must also meet the specifications of
the EN 50129 standard, which defines the requirements for the acceptance
and approval of safety-related electronic systems in railway signaling. This
standard is in line with other related CENELEC standards that must also be met:
EN 50126 for hazard analysis and risk assessment processes, EN 50159 for
communication of safety-related data, and EN 50128 for software
requirements.

Compliance with the following elements, listed in EN 50129, is mandatory for the
safety assessment of the system, subsystems and equipment:

- Preparation of a safety study or safety case, which contains the documented
safety evidence for the system, subsystem or equipment.

- Preparation of a technical safety report, which is the technical evidence of the
safety of the design. This document is part of the safety case.

- Safety management, which includes the preparation of the safety plan, the hazard
log and the specification of safety requirements.

- Evidence of quality management throughout the life cycle of the system.

- Evidence of functional and technical safety.

A main part of the requirements for the design of an interlocking system can
generally be grouped into requirements for safety, reliability, availability and
maintainability (RAMS).

SAFETY
Very briefly, an interlocking system must guarantee that a permissive output is
activated only under permissive conditions. Otherwise, a non-permissive output must
be issued. In case of failure or inconsistent information, external objects must be
moved to the safe state, which means that, in the affected area, all signals must
show restrictive aspects. That is why an interlocking must be designed under a
fail-safe logic principle. In addition, it will not be possible to establish any route, or
move any point, automatically.

Furthermore, all safety integrity requirements specified in the applicable standards
(EN 50126, EN 50128 and EN 50129) for the applicable Safety Integrity Level (SIL)
must be met for all equipment involved.
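An added example (not the article's or any vendor's code) of the fail-safe logic principle described above: a route receives a proceed aspect only when every permissive condition is positively proven, and any missing, unknown or contradictory input falls back to the restrictive aspect. Section, point and route names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added illustration of the fail-safe logic principle; not code from any real
# interlocking product. Section, point and route names are constructed.

class Aspect(Enum):
    STOP = "stop"          # restrictive aspect: the safe state
    PROCEED = "proceed"    # permissive aspect

class Track(Enum):
    CLEAR = "clear"
    OCCUPIED = "occupied"
    UNKNOWN = "unknown"    # detection lost or inconsistent: never treated as clear

@dataclass
class Route:
    name: str
    sections: tuple                              # track sections the route runs over
    points: dict = field(default_factory=dict)   # point id -> "normal" | "reverse"
    conflicting: tuple = ()                      # routes that may not be set at the same time

def point_position(det):
    """Proven position from a point's two detection contacts. Both or neither
    asserted (or no detection at all) is inconsistent information -> None."""
    if det is None or bool(det.get("normal")) == bool(det.get("reverse")):
        return None
    return "normal" if det.get("normal") else "reverse"

def aspect_for_route(route, track, point_det, set_routes):
    """PROCEED only when every permissive condition is positively proven;
    anything missing, unknown or contradictory yields STOP."""
    # Each section must be positively detected clear; UNKNOWN is not clear.
    if any(track.get(s, Track.UNKNOWN) is not Track.CLEAR for s in route.sections):
        return Aspect.STOP
    # Each point must be detected in the required position and locked there.
    for pid, required in route.points.items():
        det = point_det.get(pid)
        if point_position(det) != required or not det.get("locked", False):
            return Aspect.STOP
    # No conflicting route may be set at the same time.
    if any(r in set_routes for r in route.conflicting):
        return Aspect.STOP
    return Aspect.PROCEED

# Constructed scenario: route R1 over sections T1 and T2 with point P1 normal.
R1 = Route("R1", sections=("T1", "T2"), points={"P1": "normal"}, conflicting=("R2",))
TRACK_OK = {"T1": Track.CLEAR, "T2": Track.CLEAR}
POINTS_OK = {"P1": {"normal": True, "reverse": False, "locked": True}}
```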

RELIABILITY

To achieve the required reliability, the hardware platform of an interlocking system
must be thoroughly tested. In addition, the software must be based on common
design principles such as functionality, reliability and maintainability, safety,
efficiency, usability and portability [EN 50128]. A high level of reliability and
availability will ultimately guarantee the safe and punctual operation of trains.

The reduction of single points of failure is also of special interest in this type of
equipment, with particular attention to communication systems, which can even be
designed redundantly.

AVAILABILITY

Interlocking systems, in most cases, have a redundant architecture. Although this is
not mandatory, it is essential to achieve the expected availability for these types of
systems. Proper redundancy management is essential to ensure a safe and
fault-tolerant redundant system. Certain functionalities should be considered:

- No impact on the operation. The switchover must be imperceptible, which means
that it cannot disturb the normal behavior of the system: it must allow a route to
be established and ensure that there are no intermittent signals, that the points
can be controlled and that there is no disturbance in the control center.

- Backup systems need to be continually updated so that they are ready to take
over the system at any time.

- Possibility of hot replacement of elements or modules of the system, that is,
electrically and mechanically allowing equipment to be replaced without having
to disconnect the equipment's power supply. This allows, for example, a module of
the standby subsystem in a redundant system to be changed.

MAINTAINABILITY

An interlocking system generally also includes a remote maintenance system to
reduce the number and duration of maintenance operations. Once again, a modular
architecture will optimize performance in terms of maintainability and availability,
allowing intervention on part of the system without any degradation in the
performance of the entire system.


LEEDEO EXPERIENCE IN RAILWAY SIGNALING SYSTEMS

- RAM analysis of a generic hardware platform developed to implement trackside
and rolling stock systems for ATP solutions and SIL4 railway signaling: FMECA,
RBD, FTA.

- Safety and RAM monitoring to identify problems and gaps in the processes being
used to develop a SIL4 railway control-command and signaling platform.

- Turnkey responsibility for the independent evaluation of system reliability,
availability, maintainability and safety (RAMS) at all stages of the life cycle
against safety integrity level SIL4, and validation of the system against the
system requirements. The RAMS evaluations comprised functional, hazard and
risk analysis for safety purposes, as well as failure modes and effects, fault tree,
reliability, availability and maintainability analysis. The results of the evaluation
were taken into account throughout the development of the product. The project
ended with a generic product safety case in accordance with EN 50129.

- System verification and validation (V&V) against a system requirements
specification, to validate that the system was built to operate under the specified
conditions and that the specified functionalities were implemented correctly.
Special care was taken in the validation of all safety requirements and open
points, to reduce the probability of safety failures after commissioning.

- Updating and improvement of videographic software for the control of the
interlocking, for the management of route setting and locking as well as the
automatic release of routes when the train passes.

At Leedeo Engineering, we are the ideal partner for the development of railway
RAMS projects, providing support at any level required for RAM and safety tasks in
accordance with CENELEC EN 50126, EN 50129 and EN 50128. Do not hesitate to
contact us.