[Go Up], [Go Back].

1.4.3. Implementing Remote Route Locking

With the current generation of Solid State Interlocking the number of IDL telegrams that can be used is limited to a maximum of fifteen in total. Each IDL telegram conveys eight data bits, and the Interlockings connected to the link take it in turns to transmit all fifteen bytes of data in a round-robin protocol: the transport layer is configured so that each SSI broadcasts its data at least once a major cycle (the frequency depends on the number of Interlockings connected to the link). On receipt of an IDL data packet the SSI is able to extract those bytes that are relevant to it (this address information can be computed statically, and is `burned' into EPROM when the system is installed). Since the outgoing IDL telegram will be written at arbitrary times during a major cycle it is necessary to buffer the telegrams. As a consequence the protocol as presented is far from being robust as the various uses of the request telegram can interfere with one another. If one SSI locks the inward portion of a route in response to a remote route request, the (buffered) reply telegram should not be overwritten before it can be sent. While not unsafe, in extreme circumstances this may lead to livelock, and other problems. Another reason why the protocol sketched above is not correct is that the remote route request may simply fail in the second Interlocking (West), but the first (East) has to be notified of this failure.

Such concerns introduce the need for telegram protection and timers. To implement remote route locking the designer has access to a collection of elapsed timers which may be stopped and started by commands from the Geographic Data, but which are otherwise updated by the (real-time) generic program. Note that an elapsed timer can serve both purposes if we can differentiate between a timer that is stopped, and one that is running. One timer is needed for each IDL telegram used to convey request codes to another SSI, but other control data are needed to implement the sub-route release mechanism over the boundary. The details are drawn out in Chapter 5 where safety properties of these inter-SSI communications will be examined. Until then our concern will be with the safety properties of the Geographic Data within a single SSI.


[Go Up], [Go Back].
Matthew Morley, Edinburgh. Date: 29 November, 1998