Appendix A. Glossary

The three glossaries in the pages that follow are intended to aid the reader by filling out some of the details omitted from the general discussion in the Introduction, and in Chapter 2. The entries are grouped according to the following conventions:
Glossary of railway signalling terminology, describing the main components of the railway and the control system;
Glossary of Solid State Interlocking terminology, describing the central notions that are mainly specific to this kind of signal control system;
Glossary of Geographic Data terms, describing the organisation and purpose of the entities in the geographic database.
The reader may benefit simply from reading these pages through in a linear fashion on the first occasion.

Glossary of Railway Signalling Terms

The aspect displayed by a signal depends on the tracks in advance (they should be clear of traffic, and all points should be locked, before a green aspect is displayed) and in the rear. For example, a signal at green should not be reset to red if there is a train within sighting distance of the signal---otherwise the driver may be unable to halt the train before reaching the signal. Approach locking is the interlocking function that maintains the route locking while a train is approaching.

See route release.

Traffic indication displayed by a signal. For semaphore signals this is indicated by the position of the arm---vertical (and thus not visible) meaning proceed, horizontal (and often accompanied by a red warning lamp) meaning halt. An intermediate diagonal position was introduced to permit traffic to proceed with caution (and expect to halt at the next signal). Modern power lamp signals often have four aspects: red, yellow, double yellow, and green. Intermediate flashing yellow aspects introduce further speed indications.

See also signal.

This is the track section in which a train will be standing when facing a signal at red. By analogy with a ship's berth in harbour, it is the `berth' for all routes onward from the signal.

A visual display at the signal control centre indicating the current status of railway network. A schematic plan of the railway will be illuminated to indicate which routes are set and to show the current position of trains. Other indications display the on/off state of signals, and sometimes the position in which points switches are detected. Modern technology has introduced video display units to replace `mosaic' control panels, but the principles of operation are the same. Operators issue commands at the panel to reconfigure the network and route trains to their destinations. Points can be moved independently by moving a points key switch on the panel; routes are set by pressing buttons at the entrance and exit signals (in that order), and released by pulling the entry signal button.

See panel requests and route setting.

Control tables list the locking conditions for each route in the interlocking. Each route has an entry that specifies which track circuits must be clear before the entry signal can be turned off (including overlaps, and overlaps associated with conflicting routes). The control table also specifies the required orientation of the points along the route, and specifies which signals control access to conflicting routes (which should be on before the route is set). Some railway authorities and providers of signalling equipment have abandoned the control table as the means of specifying routes---due to the difficulty of verifying that the route locking conditions are adequate.

A configuration of points that permit trains to cross between parallel tracks. The points at either end of the crossover are usually coupled together so that they may only move in unison.

See point switch.

A section of track where two lines cross without the possibility of allowing traffic to switch between lines. The area marked out between the four rails is trapezoidal, hence the name!

As a noun, a generic name for the signal control system as a whole. Interlockings may be of several types: ground-frame interlockings operated mechanically, relay-based systems with electromechanical controls, and computer controlled or `solid state' interlockings. When capitalised, Interlocking always abbreviates Solid State Interlocking in the main text.

A term used for the logical relationships between physical entities in the railway such as points, signals, track circuits, and so on. In SSI, this is programmed in the Geographic Data; in relay-based interlockings this is hardwired into the relay circuitry, and in ground-frame interlockings it is manifest in the mechanical linkages between physical components.

A separate proving circuit is built into power lamp signals to check that the selected aspect is in fact drawing current---this will be the case unless both the main and auxiliary filaments in the lamp are broken. Lamp proving therefore offers a positive indication that the selected signal aspect is being displayed.

Main signals (as opposed to repeaters, etc..) act as the exit signal for routes up to the signal, and the entrance signal for all onward routes. The overlap track section (and circuit) lies immediately beyond the signal. The overlap is not strictly part of the route up to the signal, but while the signal is on it should be kept clear of other traffic to afford protection against a train inadvertently overrunning the signal. The overlap track circuit is distinct from the (full) track circuit in advance of the signal.

See also swinging overlaps.

This is a switch on the signal control panel that allows the signal operator to lock the points semi-permanently in normal or reverse position. The centre setting for the points key releases control of the points to the interlocking.

See also points data, points memory.

Points are mechanical devices in the railway to change the path that trains may take through a junction. The switch positions are called normal and reverse respectively, the former usually referring to the mainline, the latter to the branch. An electrical contact is used to detect---i.e., to give a positive indication---that the points are lying in the position to which they have been called by the interlocking. When a route is set the points along it will be locked (logically, but also physically clamped) to prevent their being moved again before the train has passed.

Routes are definite paths between pairs of signals---at least on British railways, other railway authorities often define routes in different ways. Main routes are defined between consecutive pairs of main signals; warner routes coincide with main routes, but permit traffic to proceed only under caution (i.e., the entrance signal will typically not display a green aspect); call-on routes have a very specific function: to allow an engine to be coupled to a train---since to achieve this one must violate the safety principle that only one train may occupy a track section at once.

Before a signal can be turned off, an onward route must be set. In the first instance, this involves checking that the availability conditions for the route in question are met---e.g., to check that no conflicting route is currently set; then the route must be locked so that subsequent actions taken by the interlocking do not change these conditions. Secondly, the route must be proved---the control system expects a positive indication that the points along the route are detected in the required positions, for example. Finally, the entrance signal can be turned off, but the aspect displayed will depend on the class of route, the aspect displayed by the next signal, and other factors.

See panel request, route release and route memory.

Under normal conditions a route, having been set, will be released automatically once a train passes the entrance signal. This switches the signal back on. As it proceeds the route is released behind the train---e.g., once it is clear of a set of points they can be unlocked and subsequently moved in setting another, previously conflicting route. Otherwise, a route may be cancelled by the signal operator (usually in order to set an alternative route) but then the approach locking conditions must be met.

See approach locking, sub-route release.

A scheme plan is a detailed drawing of the railway layout, in a diagrammatic form, that identifies all of the physical components of the interlocking. In particular all signals, points, track sections and track circuits will appear on the plan. Train control tables and Geographic Data are derived from the scheme plan.

See also control table.

Early type of signalling device, beloved of enthusiasts. The arm on the signal post is operated against a heavy counterweight so that effort is required to lift the arm to the vertical position. Should the mechanical linkage between signalbox and signal break, the weight will drop the arm to the horizontal position. By convention the horizontal position means stop! The semaphore is a simple, gravity operated, fail-safe device.

Signals control the linear movements of trains, and can give a speed indication to drivers by displaying one of a variety of aspects. A signal is on when it displays the red aspect, meaning halt; it is off otherwise, giving drivers permission to enter the track section ahead. Signals themselves may serve a variety of purposes: main signals for normal traffic control; route (or junction) indicators may warn drivers to slow down due to a diversion ahead; shunt and subsidiary signals have specialised functions in closely monitored situations. Signals are capable of displaying multiple aspects: two-aspect main signals will display either red or green aspects; two-aspect repeaters (intermediate signals between the entrance and exit signals) will normally display yellow or green aspects, but not red. Most modern signal installations on mainline railways use three or four aspect colour signals, with flashing yellow aspects for finer speed control.

If there are facing points in the overlap track section there may be a choice of overlap. For route(s) up to the signal it may not matter which overlap is selected in setting the route, but routes in the network beyond the signal may be unavailable because they conflict with the chosen overlap. Under careful control it is possible to swing the overlap---that is, to select another one---some time after the route has been set. Swinging overlaps is not an inherently safe activity (some railway authorities have outlawed the practice!) because this involves releasing the first overlap before setting the second. In particular, the points in the overlap will be `undetected' whilst they are moved from one position to the other, and consequently the signal should come on (display the red aspect), but this would be unsafe if a train where within sighting distance.

The track circuit is the primary safety device in the railway. Track circuits are always identified with a track sections, though there may be several electrically isolated track circuits in a single track section in a complex network. A track circuit is used to detect the presence of a train in the section. A voltage is applied across the rails, which may be detected to indicate that the section is clear. When a train is present the voltage between the rails drops due to the short circuit, and this registers the section occupied at the control centre. Track circuits fail on the safe side since a faulty circuit will indicate the presence of a train.

An identified section of the railway line that is controlled by a signal. The primitive components (segments, or parts) from which track sections are assembled are points, diamond crossings, and plain track. Track sections are electrically isolated from one another.

Glossary of SSI Terminology

The data highway is a bidirectional communications link between the central interlocking processor and the track-side functional modules. The data highway is operated at the rate of 20 k bits per second and uses a screened twisted-pair, duplicated for reasons of fault tolerance.

The interlocking processor is mainly responsible for the safe operation of the railway network. This is usually referred to as the SSI in the main text (occasionally Interlocking, but then always capitalised, in the interests of avoiding terminological monotony). The central interlocking processors operate in (repairable) triple modular redundancy to achieve high levels of hardware reliability, and to afford fault tolerance. Each submodule is identical, running identical software and having identical copies of the Geographic Data, but independent RAM devices.

See also geographic data.

Command telegrams convey signalling controls to the equipment at the track-side. Eight control bits are bundled together with sender and receiver address and diagnostic data with five parity bits to form a truncated (31,26) Hamming code which is transmitted in Manchester encoded bipolar form, adding a second layer of error protection. The eight command bits are set up by commands in the Geographic Data.

See output telegram data.

The SSI is a data-driven control system. In this thesis, the control interpreter (often, just `the control') is the name given to the generic software running in the SSI, sometimes referred to as the `interlocking functional program' by other authors. This software interprets the Geographic Data, and it is this behaviour of the program that is of most interest in this thesis. The control interpreter has other functions, but all interlocking functions are encoded in the data except for a few very simple operations `hardwired' into the interpreter for the sake of efficiency.

See also interlocking functional program, geographic data and the discussion in Sections 1.3.2 and 1.4.

The Reply telegrams from track-side equipment to the SSI are encoded according to the same format as command telegrams. Data telegrams relay the inputs from detection devices in the track-side equipment to the central interlocking (lamp proving, points detection and track circuit inputs, for example). These inputs are typically copied directly to the internal state.

See input telegram data.

These data specify the logical relationships between the components of the railway, encoding the signal control functions of the Interlocking. Stored in EPROM (60 k bytes of which are allocated, 20 k bytes of these required to hold the generic SSI software) the Geographic Data configure each SSI installation. Data and program together achieve the required signalling function---setting a route, releasing an overlap, and so on---but the data themselves can be considered a program that operates on a state that is composed of the collection of all control variables defined for the interlocking (one for each point switch, track circuit, etc.).

See internal state and control interpreter, and Appendix A.3 where different classes of data are described.

is a specialised design notation used by signal engineers to encode the interlocking logic. This simple language of assignment, sequence and conditional statements is general enough to code all signalling functions, but it is enriched by `specials' designed to shorten the minor cycle execution time. Specials are directives to the interpreter to carry out simple functions efficiently---such as copying an input telegram bit to memory, for example.

See SPECIALS, and Section 2.3.

While its main function is that of interpreting Geographic Data, the generic SSI software also: initiates all communications with track-side functional modules; encodes and decodes all outgoing and incoming telegram data; performs single fault recovery; implements the TMR voting mechanism and shutdown procedure; implements the inter-SSI communications protocol; interfaces with the panel and diagnostic processors, and implements all startup routines. The interlocking functional program occupies about 20 k bytes of EPROM. The program is referred to as the control interpreter throughout the main text.

The internal data link is a separate communications channel to provide inter-SSI communications. There will usually be more than one SSI at a single control centre, 30 of which may be connected to one IDL, but the current technology is limited so that an SSI can send (and receive) only up to 15 eight-bit messages. The IDL is primarily used for setting routes across SSI boundaries, and for controlling signals or points in the fringe area.

Telegrams sent over the internal data link convey two kinds of information. When used to carry status information between the two interlockings, each bit in the telegram is interpreted individually---like data telegrams received over the baseband data highway. In these circumstances the individual bits are used to set up dummy signal or track circuit memories in the receiving interlocking. The other use for IDL telegrams is to carry request codes, as part of the remote route request protocol. The eight-bit telegram is interpreted as an integral request code which causes the receiving SSI to execute a specific interlocking function from the PRR data file. IDL telegrams can serve one, and only one, of these two purposes.

See panel request, and remote route request.

The internal state of the SSI represents the current status of the railway---in the main text this is usually referred to as the image of the railway. A collection of control variables are defined and held in RAM: up to 256 track circuit memories are allocated, with 64 points and 128 signals, together with logical control variables for routes, timers, sub-routes, and other binary flags. These data represent 1,216 bytes of `live' memory upon which the Geographic Data and control interpreter operate.

One major cycle is 64 minor cycles. A maximum of 63 TFMs may be attached to each SSI, the zeroth minor cycle being used for diagnostic purposes and updating the SSI with commands from the technician's console. A major cycle is 64 minor cycles in duration irrespective of the actual number of TFMs attached, with a lower limit of 608 ms, and an upper limit that should not exceed 1,000 ms. During a major cycle all flag operations data will have been processed once, as will all input and output telegram data, and all timers will have been adjusted once. Timers are only accurate to ± 2 s, and cannot be updated more than once a major cycle.

The minor cycle is the basic execution cycle during which the SSI will process and issue one command telegram, and receive and process one reply telegram (from the TFM addressed in the previous minor cycle). Other required activities during the minor cycle include the processing of 1/64th of the commands in the FOP data file, and updating 1/64th of the approach locking, track circuit and elapsed timers in the interlocking. If these actions can be completed in under 9.5 ms the SSI will process one panel request, if any are pending. The minor cycle has a minimum duration of 9.5 ms, and should be no longer than 30 ms otherwise track-side modules may interpret the gaps in the communications as failures of the baseband data highway and enter the failure mode of operation.

A `mode 1' (2 or 3) startup is chosen by heuristics in the initialisation software. A `mode 1' startup is the most severe, necessitating a reset of the entire contents of RAM: all bits are cleared to zero except the technician's controls and the elapsed timers whose contents are set to one. This initial state means that all routes are unset, all sub-routes and sub-overlaps are locked, and all timers are stopped; also, all technician's controls are applied, points are neither controlled normal nor reverse, and track circuits are undefined. Moreover the processing of panel requests is suspended while the system is brought up-to-date by incoming data telegrams, and while technician's controls are released manually from the technician's console. A `mode 2' startup involves a similar reset, but preserves the technician's controls, and the system restarts automatically after a four minute suspension in processing panel requests. A `mode 3' startup also preserves the status of route memory, and allows an immediate restart.

See also technician's console, internal state, and Appendix A.3.

The panel processor handles non-critical duties such as handling commands issued at the control panel (or automatic route setting computer) and passing them over to the interlocking processor, and updating the display. Panel processors are operated in duplex `hot standby'.

Signalling commands issued at the signal control panel are either route requests, route cancellation requests, or panel key requests (to move points `manually'). The panel processor converts these into a stream of inputs to the SSI---but because both panel processors are normally operational, the SSI receives and executes two copies of each request. These are stored by the central interlocking in a ring buffer of bounded size, and processed during minor cycles which are otherwise completed in under the minimum minor cycle time. At most one panel request will be served in any minor cycle.

See also minor cycle and route request data.

Routes that straddle interlocking boundaries require special treatment since two (or more) Interlockings must cooperate to set them up safely. When the Interlocking controlling the entrance signal receives a panel request for such a route, it issues a remote route request via the internal data link to the Interlocking controlling the tail portion of the route. Only if an acknowledgement to this remote request is received from the other Interlocking (within a prescribed period of delay) will the first Interlocking go ahead and lock the route.

See Section 1.4.

The technician's console allows close monitoring of the internal state of several Interlockings at a signal control centre, and the online diagnosis of faults in the signalling equipment, etc.. The technician's console also allows one to impose (temporary) restrictions on the behaviour of the interlocking, by applying so-called technician's controls. These can be applied to routes (so that they are unavailable, and requests for them always fail), to track circuits (so they always appear occupied, irrespective of the actual state), to points (so they can be disabled in either the normal or reverse position), and to signals (to override the lamp-proving input from the TFM). Of these, only the `availability bit' in route memory is accessible from the Geographic Data---so that an alternative route can be selected perhaps.

These devices interface with the track-side signalling equipment. Two types of module are provided: one to drive signal aspects and detect lamp proving inputs, etc.; the other to drive points and detect their position contacts. Either type of module can report track circuit inputs. Both signal and points modules have identical interfaces to the baseband data highway, and are configured to respond to a command telegram with an immediate reply (data) telegram. Track-side functional modules provide power switching under duplicated microprocessor control---duplication here, as elsewhere in SSI, being designed to mask single faults and to drive the outputs to a safe state when unrecoverable faults are detected.

Glossary of Geographic Data Terminology

64 bytes of RAM are reserved for 64 timers which may be used for any purpose in the Geographic Data---but they are usually associated with communications with other interlockings and swinging overlaps. Timers count seconds, to an accuracy of ± 2 s, upwards from zero to the `sticking' value of 254. Timers are `stopped' by setting their contents to 255: elapsed timers are stopped and started from the Geographic Data, but incremented by the control interpreter at most once a major cycle.

An evaluation set is a labelled block of tests on data variables which may be referenced in any context where a test is valid (but reference and label must be in the same data file).

See also specials.

An execution set is a labelled block of arbitrary conditional code which may be referenced in any context where a command is valid (but reference and label must be in the same data file).

See also specials.

128 bytes of RAM are allocated to flags (single bit variables). Flags include sub-routes and sub-overlaps whose states may be locked and free, and general purpose latches.

Each command in the flag operations data file (FOP data) is executed once a major cycle. One release rule is needed for each sub-route and sub-overlap, but any other data that require to be executed once a major cycle can be placed here.

One block of data is associated with each input telegram received from the track-side functional modules (in the IPT data file). The SSI is configured so that the input telegram processed in minor cycle m is the reply from the module addressed with a command telegram in cycle m-1 (modulo 64). Input telegram data update the detection bits in the image of the railway. IPT data are also specified for each telegram received over the IDL, and in the special case that these convey request codes the interpreter is configured to queue the appropriate `panel' request.

Map searches (in the MAP data file) are frequently used to decide if route release conditions are met. A map search involves a look back from a feature reference (a signal or track circuit) for evidence of an approaching train (i.e., an occupied track circuit).

The most complex interlocking logic is located in the OPT data file. One block of data is needed for each TFM addressed by the interlocking: data for points modules are simple (one just needs to drive the points to the position of the c bit in points memory) but signal aspects are interlocked with those of other nearby signals and track circuits, so setting the correct command bits in the output telegram requires a longer sequence of commands. OPT data are also needed for telegrams used to convey signal control data over the IDL.

Each input from the signal control panel corresponds to a command to be executed from the panel (route) request data (PRR data file). These data list all route requests that arrive via the IDL or from the panel processor, and all route release requests. Points `key' requests allow the operator to move points independently of setting a route over them.

See panel processor and route request data.

Points ``free to move'' data (PFM data file) specify the conditions under which points may be switched, with one set of data required for each lie of the points. PFM data may be called from other data files, particularly the PRR data in deciding route availability.

64 bytes of RAM are allocated to points memories, each of which contains two four-bit records (for the normal and reverse lie of the points). The `controlled', `detected', and `key switch' fields of each record are under Geographic Data control, the fourth is used to disable the points and is only accessed by the program (technician's control).

64 bytes of RAM are allocated to 256 route memories. Routes may be set or unset, this field being under the control of the Geographic Data: the `available' flag is used to disable a route and is only testable.

The PRR data file contains commands that are executed only on demand, when the SSI serves a panel request. Route request data specify the availability conditions, and locking conditions for each route defined in the Interlocking. Availability conditions need to check that points along the route can be moved to the required positions, and whether an opposing route is already locked---normally, it suffices to test the opposite sub-route to the first sub-route on the route in question, and the last sub-route on any directly opposing routes. The points ``free to move'' data (PFM data file) for each set of points on the route should cause the route request to fail if any route is locked over the points in the wrong direction.

See also points data.

128 signal memories are allocated, each requiring 3 bytes. Each signal memory includes an `approach locking timer' (one byte), an aspect code (three bit), and a several other control flags for deciding which aspect to display, for sequencing the distant signals, and for deciding when the signal can be turned on, and the forward route(s) released.

One sub-route is allocated to each path through a track circuit that lies on a route (so one sub-route may be part of several routes). Similarly, a sub-overlap is allocated for each path through an overlap track circuit that is part of an overlap. Sub-routes and sub-overlaps are boolean flags that may be locked or free.

These data are located in the FOP data file, and specify the conditions under which sub-routes (and sub-overlaps) can be released. Usually, the first sub-route on a route requires the route unset, and the first track circuit clear; subsequent sub-routes are `chained', requiring the previous sub-route(s) free and the track circuit clear.

Specials are directives in the Geographic Data Language that instruct the control interpreter to take short cuts in processing frequently occurring constructs. The volume of data, especially in PRR and OPT data files, can be reduced by putting common code in an evaluation set: the @ special causes the interpreter to jump to the reference. Other specials are associated with input telegrams---typically to abbreviate the actions of testing a telegram bit, and setting the corresponding memory bit appropriately. The logic that the specials abbreviate can always be expressed in the conditional language.

512 bytes of RAM are allocated for 256 track circuit memories. Each track circuit may be clear or occupied. Two single bit fields are used to give this indication, and three successive `track circuit clear' inputs must be received before the clear field is set. Each record includes an eight bit timer to record how long the track circuit has been in the current state. The Geographic Data can test the timer along with the status flags -- often used for automatic signals which revert to green after a suitable interval since the last train went through (automatic signals do not have routes associated with them in the same way as the fixed block main signals described in the main text).

[Go Up].
Matthew Morley, Edinburgh. Date: 29 November, 1998