The central interlocking processors are responsible for executing all signalling commands and producing correct system outputs, and operate in triple modular redundancy (TMR) to ensure high availability and single fault tolerance in the presence of occasional hardware faults. These are the safety critical elements of SSI. A TMR system has been implemented for hardware reliability: each subsystem is identical, and runs identical software. All outputs are voted upon, redundantly in each interlocking processor, and the system is designed so that a module will be disconnected in the event of a majority vote against it---SSI will continue to operate as long as the outputs of the remaining modules are in agreement. A replacement module is updated by the two functioning modules before being allowed online. (In the sequel we usually refer to the central interlocking processors collectively as the SSI, or the Interlocking.)
The panel processors are responsible for tasks which are not safety critical, such as interfacing with the signal control panel, the display, and other systems such as automatic route setting computers. These processors are run in duplex `hot standby' for reasons of availability. The diagnostic processor is accessible from a maintenance terminal (the technician's console) through which the system's performance and fault status can be monitored, and through which temporary restrictions on the Interlocking's behaviour can be introduced. The latter is a provision for temporarily barring routes, locking points, or imposing other restrictions that are not directly under the control of the signal operators (for example, at times when there is a need for track maintenance).
A central feature of SSI is that the controlling computer is directly connected to track-side equipment by means of a duplex data highway carrying discrete signalling information (cf. Figure 1.2). Track-side functional modules (TFMs) interface with signals and points to provide power switching under microprocessor control. Here, duplication of the hardware has been designed to ensure safe response to failures, but not fault masking: the TFM will set its outputs to the most restrictive state (e.g., signals at red) whenever a fault is detected or the duplicated control paths are found to diverge. One points module may be connected to two to four point switches, and can report up to four track circuit inputs. A signal module is usually connected to one signal and several nearby track circuits, but is flexible enough for any other desired function.
The operation of Solid State Interlocking is organised around the concept of a major cycle. During this period the central interlocking will address each of the track-side functional modules, and expect a reply from each in turn. A maximum of 63 TFMs can be connected to one SSI, and the major cycle is consequently divided into 64 minor cycles. In the zeroth cycle data are exchanged with the diagnostic processor. In each minor cycle the central interlocking will decode one incoming message (or data telegram) from the data highway, and process one outgoing command telegram.
The cable conveying messages to and from the central interlocking is a screened twisted pair carrying relatively high signal levels. Cribbens discusses in detail the performance requirements for this vital component of the system. The minimum refresh rate for the TFMs, the necessity of real-time encoding and decoding of transmitted data, the geographic extent of the interlocking area, and the need for an acceptable range without repeaters (circa 15 km) are all factors that contribute to the design. A data rate of 20 kbit/s has been adopted, and a cyclic polling strategy implemented to ensure early detection of communications breakdown at either end of the link. The data path is duplicated, and the TFMs and central interlocking are designed to tolerate single faults on the line---detected through missed or corrupted messages. In each addressing cycle 25 bits of message data are padded with five parity bits to form a truncated (31,26) Hamming code which is transmitted in Manchester encoded biphase form. TFMs are configured to reply immediately upon receipt of a message from the central interlocking. Cribbens argues convincingly that the SSI transmission system is highly secure.
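The telegram coding described above can be sketched as follows; this is an added example, not code from the original text or from SSI itself. It shows a receiver that discards any telegram with a missing Manchester transition or a non-zero Hamming syndrome, and makes visible that a distance-3 code catches every 1- and 2-bit error but not every 3-bit pattern. Assumptions: parity bits sit at the standard positions 1, 2, 4, 8, 16, the truncation drops position 31, the Manchester polarity is 1 -> 01 and 0 -> 10, and the code is used for detection only.

```python
PARITY_POS = (1, 2, 4, 8, 16)  # assumed layout: standard Hamming parity positions
DATA_POS = [p for p in range(1, 31) if p not in PARITY_POS]  # 25 data positions

def hamming_encode(data):
    """25 data bits -> 30-bit codeword: (31,26) Hamming with position 31 dropped."""
    if len(data) != 25 or any(b not in (0, 1) for b in data):
        raise ValueError("expected 25 bits")
    word = [0] * 31                           # index 0 unused, positions 1..30
    for pos, bit in zip(DATA_POS, data):
        word[pos] = bit
    for p in PARITY_POS:                      # even parity over positions with bit p set
        word[p] = sum(word[i] for i in range(1, 31) if i & p) % 2
    return word[1:]

def syndrome(word):
    """XOR of the positions of all set bits; 0 for a valid codeword."""
    s = 0
    for pos, bit in enumerate(word, start=1):
        s ^= pos * bit
    return s

def manchester_encode(bits):
    """Two half-bits per bit with a mid-bit transition (assumed: 1 -> 01, 0 -> 10)."""
    return [h for b in bits for h in ((0, 1) if b else (1, 0))]

def manchester_decode(halfbits):
    pairs = list(zip(halfbits[0::2], halfbits[1::2]))
    if len(halfbits) % 2 or any(a == b for a, b in pairs):
        raise ValueError("missing mid-bit transition")
    return [b for _, b in pairs]              # second half-bit equals the data bit

def receive(halfbits):
    """Return the 25 data bits, or None when the telegram must be discarded."""
    try:
        word = manchester_decode(halfbits)
    except ValueError:
        return None
    if len(word) != 30 or syndrome(word) != 0:
        return None                           # detection only in this example
    return [word[p - 1] for p in DATA_POS]

def flip(word, *positions):
    """Copy of word with the given 1-based positions inverted (simulated line noise)."""
    return [b ^ (i in positions) for i, b in enumerate(word, start=1)]

if __name__ == "__main__":
    cw = hamming_encode([1, 0, 1, 1, 0] * 5)  # constructed 25-bit payload
    for flips in ((), (7,), (7, 9), (1, 2, 3)):
        print(flips, receive(manchester_encode(flip(cw, *flips))))
```

The flip pattern (1, 2, 3) produces another valid codeword, which is why a line code with its own transition check and a cyclic polling scheme that notices missed replies sit alongside the parity bits.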