
THE APPLICATION OF DISTRIBUTED ARCHITECTURES ON VITAL INTERLOCKING SYSTEMS

Dwayne Allan B Eng (Hons), PGradCert (Railway Signalling), AMIRSE, MIEAust, CPEng Siemens Ltd.

SUMMARY
Distributed control systems have their heritage in manufacturing, process or other forms of dynamic systems in which the control of sub-systems is distributed throughout the system but controlled by one or more programmable logic controllers (PLCs) in a central location. This philosophy is often applied in process environments with equivalent SIL requirements to railway signalling systems. This paper will outline the use of distributed architectures in a railway signalling context, in particular the system flexibility and resultant changes in system design and requisite cost implications for railway authorities when used as vital interlocking systems. Sample system layouts using traditional and distributed architectures will be reviewed as well as the benefits and limitations of each system application. The advancements in PLC technology and its application in safety-critical systems will be reviewed. The open data communications functionality and the streamlined programming techniques used as part of industrial automation applications will be outlined. How these advancements and techniques are used in a railway signalling interlocking application will also be discussed. In particular, the use of function blocks and function calls to create a library of signalling principles will be addressed. An overview of the significant benefits of applying industrial automation philosophies to railway signalling projects will be provided. The impact of these benefits on the Total Cost of Ownership of distributed architecture systems using industrial automation technology will also be discussed.

1. INTRODUCTION

Process control is a generic term commonly applied to describe a system for maintaining the output of a process within defined limits. Modern systems that provide process control are predominately based on distributed architectures utilising industrial automation components, in particular, Programmable Logic Controllers (PLCs) and distributed I/O modules. The aim of this paper is to show how a railway signalling system, via its distributed infrastructure, lends itself to control by distributed architectures. The benefits of applying this philosophy along with the adoption of industrial automation components will be demonstrated. The paper will also provide an overview of these industrial automation components and their application in a railway signalling context. The impact on the Total Cost of Ownership when adopting this philosophy and technology will also be explored.

2. CLASSES OF CONTROL SYSTEMS

Systems that provide process control can be in the form of logic (or sequential) and feedback (or linear) controllers.

In a manufacturing or process control sense, logic controllers use inputs from sensors, switches, operator commands etc. to control desired outputs or actions, such as starting or stopping an electric motor. Historically, logic control was implemented via relay interfaces. Programmable Logic Controllers (PLCs) are now predominately used in place of relay controlled systems. Feedback controllers on the other hand, whilst potentially using the same sensors and switches as in a logic control system, output the control commands as a variable signal to maintain a process within a defined operating range. An example of this would be controlling the flow of a fluid in a pipeline by varying the flow through a controlled valve. This paper will focus on logic control as it is more aligned to the context of Railway Signalling.

3. PROGRAMMABLE LOGIC CONTROLLERS

Programmable Logic Controllers (PLCs) are programmable microprocessor-based devices used in process control applications. PLCs differ from general purpose computers by the number and type of I/O ports they provide and by their I/O scan rate. They are also designed for applications within industrial environments. Programming of the early PLCs was via ladder logic. This is essentially a program language which closely resembles the diagrammatic structure of relay circuits.
22 July 2011 Page 1 of 8

IRSE Australasia Technical Meeting: Adelaide


This had the distinct advantage of reducing the training requirements for programmers due to the similar logic philosophies of ladder and relay circuits. One of the most significant advancements that the PLC brought was the communications functionality. A standard PLC will have built in communications capability. The communications protocols used are generally open protocols such as Profibus, Modbus, TCP, Profinet IO etc. The addition of the communications functionality was integral to the advancement of Distributed Architectures in the process control environment. Recent developments in PLCs have seen the introduction of safety PLCs for use in safety-critical applications.

4. CONTROL SYSTEMS IN A RAILWAY SIGNALLING CONTEXT

A railway signalling system, and in particular the interlocking, is essentially a dynamic process control whereby a movement authority is not provided to a driver unless the route to be used is safe. To achieve this, inputs (i.e. track occupancy, points detection, opposing signals etc.) and outputs (i.e. point operation, signal aspects etc.) are collected and processed to ensure that the required prerequisites for the intended route have been satisfied. The processing is in accordance with the railway authority's signalling principles via the application programming.

5. RAILWAY SIGNALLING SYSTEM ARCHITECTURES

Architectures for vital railway signalling interlocking systems can be separated into three categories: centralised, decentralised, and distributed. These types of architectures are distinguishable not only by their architecture, but also by the functionality of the system. The following sections will provide an overview of the various architectures in a railway interlocking application.

5.1 Centralised Architectures

Centralised architectures have their heritage on railways with dense population centres such as those found predominately in Europe. These systems generally have a large amount of controlled equipment as part of the interlocking system and the distribution of the controlled equipment is usually over long distances (refer to Figure 1). For these applications, large and powerful controllers are employed. Since a single controller is responsible for a large amount of equipment, the reliability of these systems is paramount. The field equipment is hard-wired to the controller. A failure of the controller in a centralised architecture has dramatic and significant effects on the availability of the signalling system. For this reason, the controllers used in centralised architectures are nearly always two out of three systems. A typical centralised controller comprises three identically programmed microcomputers, identically structured, command-synchronised, but independent of one another. This provides the requisite safety functionality whilst providing a measure of improved availability via the redundant controller microcomputer.

Centralised controllers are also typically high cost options; however in the correct application they can be cost effective.

Figure 1: Sample centralised architecture

A summary of the respective advantages and disadvantages of centralised architectures is shown below.

Advantages:
- Can control many elements in complex interlocking applications
- Large control distances (some examples of over 6km)
- Maintenance / fault rectification of the interlocking in a centralised location
- Limited interlocking equipment located in the trackside environment

Disadvantages:
- Significant amount of copper cabling required to connect to the field equipment
- High availability requirements of the controller, therefore high unit cost

5.2 Decentralised Architectures

Decentralised architectures in railway signalling applications were, in the main, developed for long narrow networks i.e. freight and ore lines. The architecture of decentralised systems is one whereby many controllers are used to individually control smaller groups of elements. Each single controller is located near the equipment (refer to Figure 2). Often there is no traditional cabled connection between the controllers. Communication between the controllers is limited and typically, in a North American application for example, achieved via coded track circuits. Since multiple controllers are responsible for smaller groups of equipment, the reliability of these systems is often not as high a requirement as in centralised systems. A failure of a controller in a decentralised architecture will mostly be confined to the immediate area of control and possibly the adjacent controllers. The controllers used in decentralised architectures are typically single microprocessors running diverse software to provide a two out of two system. This provides the requisite safety functionality but can compromise the availability of the system. Decentralised controllers are typically a low unit cost option for railway signalling applications.

Figure 2: Sample decentralised architecture

The respective advantages and disadvantages of decentralised architectures are essentially the converse of a centralised architecture. A summary is shown below.

Advantages:
- Lower availability requirements of the controller, therefore lower unit cost
- Limited amount of copper cabling required to connect to the field equipment

Disadvantages:
- Limited number of controlled elements per controller
- Reduced control distances for the field equipment (i.e. potentially many controllers required)
- Maintenance / fault rectification of the interlocking is dispersed along the trackside
- Substantial quantity of interlocking hardware located trackside

5.3 Distributed Architectures

Distributed architectures in railway signalling applications are relatively new developments. With this type of architecture a controller is responsible for a defined control area. However, as opposed to a centralised system, the controller is not hard-wired to the field elements. Distributed Input/Output (I/O) modules are connected to the controller via a communications system. The distributed I/O modules provide the connection to the field elements (refer to Figure 3). The sample architecture provided in Figure 3 demonstrates a system using three controllers. Depending on the complexity of each controlled area, this could in reality be achieved using one controller.

The controllers used in distributed architectures are predominately the same structure as those used in decentralised architectures i.e. single microprocessors running diverse software. This raises the question regarding reliability and availability. If one decentralised style controller is responsible for potentially a similar number of elements as a centralised controller, surely availability is a concern. This is where the industrial automation world comes to the fore. A significant feature of industrial PLCs is their reliability. End users of PLC based automation systems include companies such as the Ford motor company. When PLCs are controlling entire factories for these companies, they demand, and receive reliability from their controllers. Railway signalling systems with distributed architectures have the closest alignment of the three described in this paper to the current applications in the industrial automation world. As discussed earlier in Section 4, safety PLC technology is now applied in safety-critical applications.

A failure of a controller in a distributed architecture will ultimately have the same outcome as that of a centralised architecture system, however the high reliability of the controller used somewhat mitigates this eventuality. Failure of the distributed I/O, whether that be the entire I/O unit or discrete modules, will however be localised to the relevant field equipment.

Figure 3: Sample distributed architecture

Controllers used in conjunction with distributed architectures, as with decentralised systems, are typically low unit cost options for railway signalling applications. The advantages and disadvantages of distributed architectures are shown below.

Advantages:
- Limited amount of copper cabling required to connect to the field equipment
- Capable of controlling many elements in complex interlocking applications
- Maintenance / fault rectification of the interlocking in a centralised location
- Large control distances (only limited by the communications system)
- Ability to use industrial automation technology

Disadvantages:
- High availability requirements for the controller
- Reliant on the communications system to provide reliable connection
- Some of the interlocking hardware located trackside

6. INDUSTRIAL AUTOMATION IN VITAL INTERLOCKING SYSTEMS

The preceding sections have served to outline differing architectures that can be used in Railway signalling architectures. As mentioned in the distributed architecture section, industrial automation is at the forefront of distributed process control. Given the advancements in PLC technology and with their growing application in safety-critical systems, why then do railways stay on the path of bespoke technology when it comes to vital interlocking systems? A true distributed railway signalling interlocking architecture is a viable and achievable goal using industrial automation components and practices.

6.1 Safety PLCs

Safety PLCs are used in a variety of safety-critical applications. These range from simple lock-out applications, to complex process control applications associated with nuclear power stations. Safety-critical functionality is mainly implemented by safety functions in the software and firmware. The safety functions are executed by the system so that, in the case of a hazardous event, the process can be set to or kept in a safe condition. Fail-safety, in a Siemens safety PLC for instance, is achieved by use of the following features:
- coded monoprocessor
- safety-related software in the fail-safe CPU
- automatic self-testing, carried out by the operating system
- dual-channel processing of the distributed I/O functions
- fail-safe fault detection
- separation of fail-safe and standard single-channel peripherals
- high reliability of the components

6.1.1 Safety Microprocessor Structure

A safety PLC, and once again using the Siemens PLC as an example, uses the principle of time redundancy and diversity rather than structural redundancy to achieve the requisite safety objectives. The user programs the project specific data. Next, a second diverse redundant form of the program is automatically generated and compared with the original prior to download to ensure identical function. The safety PLC runs both programs with the results of each being compared each cycle to ensure consistency. The safety-related input signals are processed diversely and redundantly in time (refer to Figure 4). The signals A and B are processed with an AND logic operation, giving output signal C. In parallel, the complements of signals A and B are processed with an OR logic operation, giving an output signal D. Output signals C and D are then compared with one another. If D does not equal the complement of C, the CPU reverts to the stop state. If the comparison is successful, the output is set. The PLC checks that the controls are operating correctly by carrying out regular self-tests and command tests as well as a program run check.
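The diverse processing described above can be simulated in a few lines. The following Python simulation is an added example, not Siemens code or part of the original paper; it generalises the A/B case to any AND/OR/NOT expression, and the expression format, the `SafetyCPU` class, the fault hook and the latched stop state are assumptions made for illustration.

```python
"""Added illustration of the diverse (1oo1D-style) processing in Section 6.1.1.

Not Siemens code: the expression format, SafetyCPU class and fault hook are
hypothetical, and de-energising and latching the output in STOP is an assumption.
"""
from itertools import product

# Program format (assumed): ("in", name) | ("not", e) | ("and", l, r) | ("or", l, r)


def evaluate(expr, inputs):
    op = expr[0]
    if op == "in":
        return inputs[expr[1]]
    if op == "not":
        return not evaluate(expr[1], inputs)
    left, right = evaluate(expr[1], inputs), evaluate(expr[2], inputs)
    return (left and right) if op == "and" else (left or right)


def diverse_form(expr):
    """Generate the second program: AND and OR are swapped (De Morgan), so that
    when it is fed the complemented inputs it yields the complemented output."""
    op = expr[0]
    if op == "in":
        return expr
    if op == "not":
        return ("not", diverse_form(expr[1]))
    return ("or" if op == "and" else "and",
            diverse_form(expr[1]), diverse_form(expr[2]))


def input_names(expr):
    if expr[0] == "in":
        return {expr[1]}
    return set().union(*(input_names(e) for e in expr[1:]))


def complement(inputs):
    return {name: not value for name, value in inputs.items()}


def verify_before_download(original, diverse):
    """Exhaustively check D == not C for every input combination."""
    names = sorted(input_names(original))
    for values in product([False, True], repeat=len(names)):
        inputs = dict(zip(names, values))
        if evaluate(diverse, complement(inputs)) != (not evaluate(original, inputs)):
            return False
    return True


class SafetyCPU:
    def __init__(self, program):
        self.original, self.diverse = program, diverse_form(program)
        if not verify_before_download(self.original, self.diverse):
            raise ValueError("diverse program is not equivalent to the original")
        self.state, self.output = "RUN", False

    def scan(self, inputs, fault=None):
        """One cycle; `fault` ("C" or "D") flips one result to model a
        processing error in that run of the program."""
        if self.state == "STOP":       # assumed: stays stopped until restarted
            return False
        c = evaluate(self.original, inputs) ^ (fault == "C")
        d = evaluate(self.diverse, complement(inputs)) ^ (fault == "D")
        if d != (not c):               # comparison failed: go to the stop state
            self.state, self.output = "STOP", False
        else:                          # comparison successful: set the output
            self.output = c
        return self.output


def demo():
    # The paper's case: C = A AND B, D = (not A) OR (not B).
    cpu = SafetyCPU(("and", ("in", "A"), ("in", "B")))
    healthy = [cpu.scan({"A": a, "B": b}) for a, b in product([False, True], repeat=2)]
    faulty = cpu.scan({"A": True, "B": True}, fault="D")
    latched = cpu.scan({"A": True, "B": True})   # stays stopped after the fault
    # A diverse program whose operator was not swapped is rejected up front.
    bad_pair_ok = verify_before_download(("and", ("in", "A"), ("in", "B")),
                                         ("and", ("in", "A"), ("in", "B")))
    return healthy, faulty, cpu.state, latched, bad_pair_ok


if __name__ == "__main__":
    print(demo())
```

A single flipped result in either run breaks the D = NOT C relation, so the simulated CPU stops instead of setting an output that only one of the two programs supports.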

Figure 4: Diversity in a Siemens safety PLC

This structure is referred to as 1 out of 1 Diverse (1oo1D) structure. 1oo1D implements diverse application software on single channel hardware.

6.2 Data communication

Communication between the PLC and the distributed I/O modules in the case of a Siemens safety PLC is via PROFINET IO. PROFINET IO is a comprehensive standard for industrial automation and is based on Industrial Ethernet. PROFINET IO is used to connect the distributed equipment to the central controller directly via Industrial Ethernet. Vital functions are implemented over the communications system via PROFIsafe. The PROFIsafe protocol ensures fail-safe communication between the PLC and the distributed components. PROFIsafe relies on established standard communication components such as cables, ASICs (application-specific integrated circuits) and software packages. Communication between the controller and the HMI can be achieved through numerous, generally open source, protocols. Most communications processors have no less than eight protocols available as standard. Other bespoke communications protocols can also be connected to the PLC via communications mapping blocks within the software.

6.3 Software and Programming

The software structure on a safety PLC is divided into a generic part and a customer-specific part (refer to Figure 5). The generic part of the software is customer-independent and comprises a library of fail-safe function blocks (F-FBs) and fail-safe Function Calls (FCs). In a railway signalling application, these F-FBs and F-FCs are essentially the signalling principles of the railway authority.

Figure 5: Software structure

The F-FBs and F-FCs of the base system:
- contain all components involved in the process control as software elements
- contain software modules which feature self-contained individual functions
- permit the coordination and intercommunication of distributed controllers

The customer-specific part of the software is programmed and tested separately by the customer or integrator and comprises the configured, site specific, interlocking data. The site specific data is programmed via an element interconnection diagram using drag-and-drop functionality (refer to Figure 6).

Figure 6: Element interconnection diagram

The element interconnection diagram is based on a geographical circuitry principle. In a railway signalling context, all elements or at least all elements useable for routes are part of the element interconnection diagram. It contains all the physical and logical elements of the interlocking area and other important information, such as:
- element number and element type
- element characteristics
- designation of the installation and assignment of the physical elements to the peripherals
- connections and detection areas of track vacancy detection devices
- interfaces to adjacent stations or other interlocking
- adjacent element relationships

The element interconnection diagram provides the link between the actual architecture of the field equipment and the application software. Figure 7 shows the logic behind the element interconnection diagram. This example is for a point control element. The function block is represented by the square element. The functions on the left hand side of the diagram are inputs into the function block, the right hand side are the outputs from the function block. The DEWEMO is one of the distributed I/O modules used by Siemens for point control. FM is the abbreviation used for track vacancy detection sections. The Spoor functions are possible routes over this set of points. The inputs to the function block are primarily these three pieces of information:
- From DEWEMO: the detection status of the points
- From FM Groups: the track occupancy status of relevant track sections
- From Spoor Functions: the route related information relevant to this set of points

Figure 7: Configuration parameters for a Point element

Fundamentally, these are the same pieces of information contained within a point mechanism control table. The outputs are generally to make the points move one way or the other depending on the desired route. The processing of these inputs and outputs takes place in the function block. Using the element interconnection diagram and underlying FBs and FCs provides significant time savings to the application development process. Additionally it provides uniform structures for the application data. Moreover, the function blocks are developed, tested and validated according to the CENELEC process, and form part of the overall approval. Therefore after being certified once the function blocks do not need to be certified again as part of the site specific testing. The programming principles outlined above for the railway signalling interlocking context are essentially the same as a standard safety PLC used in a non-railway application. The fundamental differences between railway and non-railway are in the fail-safe function block library, which is obviously now railway signalling centric, and small changes to the element interconnection diagram. Overall the high level process is that which is applied in an industrial automation application.

If we compare the process outlined above with that of a conventional PBI application data design process, some significant differences can be highlighted. Conventional PBI application data is generally a Boolean representation of the interlocking functions described in the control tables. The data is usually written from scratch relying on the correct interpretation of the control tables and underlying signalling principles by the designer. With this method, every line of data must be thoroughly checked and independently verified prior to proceeding to the testing phase. This is required to ensure that a complete and correct interpretation of the control tables and signalling principles has been used in the preparation of the application data. This use of the element interconnection diagram and the ease of application programming it provides allows the option of using junior signalling engineers to produce application data. This task in the conventional PBI signalling design process is generally undertaken by senior signalling engineers or at least specialist application data signalling engineers. With the Industrial Automation platform the application data could in fact be prepared by someone other than a signalling engineer, possibly external labour. The prerequisite for the industrial automation style of programming is more proficiency in the programming tools, rather than proficiency in the signalling principles of a railway authority. Another area of departure from conventional signalling process is that related to testing of the application data.

A conventional PBI must undergo a principles test. Principles testing of a conventional PBI traditionally involves testing by a competent, usually senior, engineer working from first principles, not from control tables. Once again this requires an intimate and complete understanding of the signalling principles of the railway authority. Conversely, using the industrial automation principles and techniques largely removes the underlying requirement of complete understanding of the principles. As discussed earlier, the signalling principles are inherent, and unchangeable, within the generic part of the software. These rules have already been tested and validated as part of the overall interlocking system. Consequently, the principles test now becomes more a set to work test proving that all elements (i.e. routes, points, etc.) are functioning correctly and as specified in the control tables. A white paper produced by Invensys Rail in the UK found that around 2/3 of the labour allocation during the implementation phase of a railway signalling project (i.e. design and testing) was undertaken by specialist design houses [1]. The Industrial Automation approach to programming and testing would surely reduce this reliance on signalling specialists during project implementation.
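The split between a generic function block and site-specific interconnection data, as described for the point element of Figure 7, is illustrated by the added Python sketch below, which is not the Siemens library or part of the original paper. The rules inside `point_fb`, the field names and the site data (P101, FM12, FM13, R1, R2, DEWEMO-1) are hypothetical; only the three input groups are taken from the paper.

```python
"""Added sketch of the generic / site-specific software split (Section 6.3, Figure 7).

Not the Siemens library: the rules inside point_fb, all field names and the
site data are hypothetical. Only the three input groups (detection from the
point I/O module, FM track vacancy sections, Spoor route functions) are the paper's.
"""

POSITIONS = ("NORMAL", "REVERSE")


# ---- Generic part: one function block, validated once, reused on every site ----
def point_fb(detection, fm_occupied, called_positions):
    """Assumed, simplified principle for a point element.
    Returns (command, locked)."""
    if len(called_positions) > 1:     # routes disagree about the position: never move
        return "NONE", True
    if any(fm_occupied):              # a section over the points is occupied
        return "NONE", True
    if not called_positions:          # no route needs these points
        return "NONE", False
    wanted = next(iter(called_positions))
    if detection == wanted:           # detected in the required position: lock it
        return "NONE", True
    return "MOVE_" + wanted, False


# ---- Customer-specific part: interconnection data only, no logic (constructed) ----
SITE = {
    "fm_sections": {"FM12", "FM13"},
    "io_modules": {"DEWEMO-1"},
    "points": {
        "P101": {
            "io_module": "DEWEMO-1",
            "fm": ["FM12", "FM13"],
            "spoor": {"R1": "NORMAL", "R2": "REVERSE"},  # route -> required position
        },
    },
}


def check_site_data(site):
    """Consistency check of the element interconnections; returns error strings."""
    errors = []
    for name, point in site["points"].items():
        if point["io_module"] not in site["io_modules"]:
            errors.append(f"{name}: unknown I/O module {point['io_module']}")
        for section in point["fm"]:
            if section not in site["fm_sections"]:
                errors.append(f"{name}: unknown FM section {section}")
        for route, position in point["spoor"].items():
            if position not in POSITIONS:
                errors.append(f"{name}: route {route} calls invalid position {position}")
    return errors


def run_cycle(site, detection, occupied, routes_set):
    """Feed each point's function block with the inputs its site data names."""
    if check_site_data(site):
        raise ValueError("site data rejected")
    results = {}
    for name, point in site["points"].items():
        fm = [section in occupied for section in point["fm"]]
        called = {pos for route, pos in point["spoor"].items() if route in routes_set}
        results[name] = point_fb(detection[point["io_module"]], fm, called)
    return results


if __name__ == "__main__":
    print(run_cycle(SITE, {"DEWEMO-1": "NORMAL"}, set(), {"R2"}))
```

The site data can be wrong only in what it connects, which is what `check_site_data` and a functional test exercise; the rule itself lives in `point_fb` and is not touched per site.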

7. BENEFITS

The benefits of applying industrial automation components and philosophies in distributed interlocking architectures to a railway signalling application are numerous.

7.1 Reduced Project Implementation Time

The industrial automation platform provides short project implementation times. This is achieved through the use of readily available hardware and parameterisable software. The software elements provide the self-contained functions of a geographical circuitry system with a constantly growing scope of functionality. The use of pre-tested, verified and certified functions that contain the requisite signalling principles significantly reduces the requirements of principles testing. In essence the principles testing has already been performed during the creation and validation of the function blocks. The principles testing is basically replaced by functional testing of the interlocking with this technology. Labour savings, both in actual time and the grade of resource used, can be realised through the adoption of these programming and testing philosophies.

7.2 Simple Configuration

Compared to traditional interlocking data development, the industrial automation process via the drag-and-drop functionality of the element interconnection diagrams provides substantial savings during the engineering phase. The use of non-signalling resources to provide application data services is a real possibility.

7.3 Scalability

Safety controllers with different levels of performance are available and can be selected on the basis of interlocking complexity. Should future expansion of the system (and subsequent increased complexity) occur, the safety PLC can be easily upgraded if required to provide additional processing power. The distributed I/O is also easily adapted to future expansion. As previously described, the link between the PLC and the I/O is via a communications network, not a cabled connection. Additional I/O units can be added to the interlocking system by simply providing a communication connection.

7.4 Maintainability and Spares

The diagnostic and maintenance capability of the industrial automation equipment is superior to traditional interlocking platforms. In the event of a fault, the diagnostics functions can be accessed from any location within the distributed system. This provides for flexible and rapid fault rectification. Using the industry based tools the topology of the distributed system is displayed graphically in a window. The status of each of the distributed modules is displayed within this window thereby providing pertinent information at a glance. More detailed information for each module is available from the overview window. This information includes comprehensive error details of the affected module in plain text. Additionally, the system inputs and outputs can be directly monitored from the system overview window. In terms of corrective maintenance the industrial automation platform provides hot swappable replacement of the boards and modules. This provides for rapid fault rectification with limited impact on non-affected modules and elements.

8. TOTAL COST OF OWNERSHIP

A measure of a system's long term benefit to an organisation is its lifecycle cost, or better stated, the Total Cost of Ownership (TCO). The TCO is an estimate of the financial benefit of an investment to an organisation.

A recent white paper produced and sponsored by Invensys Rail found that around 60% of the total cost of ownership of a railway signalling system over 20 years was associated with the implementation phase of the project i.e. in the first year [1]. This includes activities such as design, acquisition, installation, testing and commissioning. The paper goes on to compare a railway signalling system implementation phase proportionally with that in the telecoms industry. It found that, whilst having many parallels to the railway signalling industry, such as high availability, distributed physical infrastructure and combining physical assets with computing processes, the implementation costs are around 50% higher in railway signalling compared to telecoms. The reasons for this difference, as proposed by the authors, were:
- Technology differences and the fact that modularity of design and open interfaces do not yet exist in rail
- Less demand for open interfaces in the railway signalling industry
- That the telecoms industry taps into a much larger supplier market, which encourages innovation

It would seem from these factors that the telecoms industry has many parallels with the industrial automation world. For instance, Industrial Automation provides modularity of design and open interfaces, the open communications protocols being the best evidence of this. Furthermore, the Industrial Automation industry has a very large supplier base which provides for more competition amongst suppliers. This also fosters an increased focus on research and development to stay ahead of the competition. By virtue of the parallels between Telecoms and Industrial Automation, it could be argued that the reduced implementation phase costs that are being achieved in the telecoms industry can in fact be realised in the railway signalling field if the use of distributed architectures using industrial automation equipment were adopted. Doing so would make the TCO of a railway signalling system a more attractive investment to the stakeholders.

9. CONCLUSION

Distributed architectures, particularly those utilising industrial automation products and philosophies, are effective means to provide innovative and cost effective solutions for railway signalling systems. At the same time, these systems can provide increased system functionality, flexibility, reliability, availability, and maintainability, all with no decrease in the safety criticality of a railway signalling interlocking. Moreover, reduced TCO through the adoption of these systems and products will provide stakeholders with more attractive investments.

10. REFERENCES
1. Invensys Rail. Total Cost of Ownership of Rail Signalling Systems, Chippenham 2010

ACKNOWLEDGEMENTS
I would like to thank Siemens Ltd for the time and support in producing this paper.

AUTHOR

Dwayne Allan

Dwayne started with Queensland Railways as a cadet in the Signal and Telecommunications department in 1989. He held many roles and eventually progressed to Senior Design Engineer before leaving to join Siemens Ltd. in 2006. At Siemens Ltd., Dwayne now holds the position of Engineering Manager in the Mobility Division. In this role he is accountable for the engineering and project management of Siemens signalling works. Dwayne is also responsible for the introduction, application and technical support of the complete range of Siemens signalling products across Australia and New Zealand.