- (BASEBAND) DATA HIGHWAY
The data highway is a bidirectional communications link between the
central interlocking processor and the track-side functional
modules. The data highway is operated at the rate of 20 kbits per
second and uses a screened twisted-pair, duplicated for reasons of
- CENTRAL INTERLOCKING
The interlocking processor is mainly responsible for the safe
operation of the railway network. This is usually referred to as
the SSI in the main text (occasionally Interlocking, but
then always capitalised, in the interests of avoiding terminological
monotony). The central interlocking processors operate in
(repairable) triple modular redundancy to achieve high levels of
hardware reliability, and to afford fault tolerance. Each submodule
is identical, running identical software and having identical copies
of the Geographic Data, but independent RAM devices.
See also geographic data.
- COMMAND TELEGRAM
Command telegrams convey signalling controls to the equipment at the
track-side. Eight control bits are bundled together with sender and
receiver address, diagnostic data and five parity bits to form a
truncated (31,26) Hamming code, which is transmitted in
Manchester-encoded bipolar form, adding a second layer of error
protection. The
eight command bits are set up by commands in the Geographic Data.
See output telegram data.
- CONTROL INTERPRETER
The SSI is a data-driven control system. In this thesis, the control
interpreter (often, just `the control') is the name given to the
generic software running in the SSI, sometimes referred to as the
`interlocking functional program' by other authors. This software
interprets the Geographic Data, and it is this behaviour of the
program that is of most interest in this thesis. The control
interpreter has other functions, but all interlocking functions are
encoded in the data except for a few very simple operations
`hardwired' into the interpreter for the sake of efficiency.
See also interlocking
geographic data and the
discussion in Sections 1.3.2
- DATA TELEGRAM
The reply telegrams from track-side equipment to the SSI are encoded
according to the same format as command telegrams. Data telegrams
relay the inputs from detection devices in the track-side equipment
to the central interlocking (lamp proving, points detection and
track circuit inputs, for example). These inputs are typically
copied directly to the internal state.
See input telegram data.
- GEOGRAPHIC DATA
These data specify the logical relationships between the components
of the railway, encoding the signal control functions of the
Interlocking. Stored in EPROM (60 kbytes of which are allocated,
20 kbytes of these required to hold the generic SSI software), the
Geographic Data configure each SSI installation. Data and program
together achieve the required signalling function---setting a route,
releasing an overlap, and so on---but the data themselves can be
considered a program that operates on a state that is composed of
the collection of all control variables defined for the interlocking
(one for each point switch, track circuit, etc.).
state and control
interpreter, and Appendix
A.3 where different classes of data are described.
- GEOGRAPHIC DATA LANGUAGE
The Geographic Data Language is a specialised design notation used by
signal engineers to encode
the interlocking logic. This simple language of assignment, sequence
and conditional statements is general enough to code all signalling
functions, but it is enriched by `specials' designed to shorten the
minor cycle execution time. Specials are directives to the
interpreter to carry out simple functions efficiently---such as
copying an input telegram bit to memory, for example.
See SPECIALS, and Section 2.3.
- INTERLOCKING FUNCTIONAL
While its main function is that of interpreting Geographic Data, the
generic SSI software also: initiates all communications with
track-side functional modules; encodes and decodes all outgoing and
incoming telegram data; performs single fault recovery; implements
the TMR voting mechanism and shutdown procedure; implements the
inter-SSI communications protocol; interfaces with the panel and
diagnostic processors, and implements all startup routines. The
interlocking functional program occupies about 20 kbytes of EPROM.
The program is referred to as the control interpreter
throughout the main text.
- INTERNAL DATA LINK
The internal data link is a separate communications channel to
provide inter-SSI communications. There will usually be more than
one SSI at a single control centre, 30 of which may be connected to
one IDL, but the current technology is limited so that an SSI can
send (and receive) only up to 15 eight-bit messages. The IDL is
primarily used for setting routes across SSI boundaries, and for
controlling signals or points in the fringe area.
- IDL TELEGRAM
Telegrams sent over the internal data link convey two kinds of
information. When used to carry status information between the two
interlockings, each bit in the telegram is interpreted
individually---like data telegrams received over the baseband data
highway. In these circumstances the individual bits are used to set
up dummy signal or track circuit memories in the receiving
interlocking. The other use for IDL telegrams is to carry
request codes, as part of the remote route request
protocol. The eight-bit telegram is interpreted as an integral
request code which causes the receiving SSI to execute a specific
interlocking function from the PRR data file. IDL telegrams can
serve one, and only one, of these two purposes.
request, and remote route
- INTERNAL STATE
The internal state of the SSI represents the current status of the
railway---in the main text this is usually referred to as the
image of the railway. A collection of control variables is
defined and held in RAM: up to 256 track circuit memories are
allocated, with 64 points and 128 signals, together with logical
control variables for routes, timers, sub-routes, and other binary
flags. These data represent 1,216 bytes of `live' memory upon which
the Geographic Data and control interpreter operate.
- MAJOR CYCLE
One major cycle is 64 minor cycles. A maximum of 63 TFMs may be
attached to each SSI, the zeroth minor cycle being used for
diagnostic purposes and updating the SSI with commands from the
technician's console. A major cycle is 64 minor cycles in duration
irrespective of the actual number of TFMs attached, with a lower
limit of 608 ms, and an upper limit that should not exceed
1,000 ms. During a major cycle all flag operations data will have
been processed once, as will all input and output telegram data, and
all timers will have been adjusted once. Timers are only accurate to
± 2 s, and cannot be updated more than once a major cycle.
- MINOR CYCLE
The minor cycle is the basic execution cycle during which the SSI
will process and issue one command telegram, and receive and process
one reply telegram (from the TFM addressed in the previous minor
cycle). Other required activities during the minor cycle include the
processing of 1/64th of the commands in the
FOP data file, and updating 1/64th of the
approach locking, track circuit and elapsed timers in the
interlocking. If these actions can be completed in under 9.5 ms the
SSI will process one panel request, if any are pending. The minor
cycle has a minimum duration of 9.5 ms, and should be no longer
than 30 ms, otherwise track-side modules may interpret the gaps in
the communications as failures of the baseband data highway and
enter the failure mode of operation.
- MODE 1/2/3 STARTUP
A `mode 1' (2 or 3) startup is chosen by heuristics in the
initialisation software. A `mode 1' startup is the most severe,
necessitating a reset of the entire contents of RAM: all bits are
cleared to zero except the technician's controls and the elapsed
timers whose contents are set to one. This initial state means that
all routes are unset, all sub-routes and sub-overlaps are
locked, and all timers are stopped; also, all
technician's controls are applied, points are neither controlled
normal nor reverse, and track circuits are undefined. Moreover the
processing of panel requests is suspended while the system is
brought up-to-date by incoming data telegrams, and while
technician's controls are released manually from the technician's
console. A `mode 2' startup involves a similar reset, but preserves
the technician's controls, and the system restarts automatically
after a four minute suspension in processing panel requests. A `mode
3' startup also preserves the status of route memory, and allows an
See also technician's
state, and Appendix A.3.
- PANEL PROCESSOR
The panel processor handles non-critical duties such as handling
commands issued at the control panel (or automatic route setting
computer) and passing them over to the interlocking processor, and
updating the display. Panel processors are operated in duplex `hot
- PANEL REQUEST
Signalling commands issued at the signal control panel are either
route requests, route cancellation requests, or panel key requests
(to move points `manually'). The panel processor converts these into
a stream of inputs to the SSI---but because both panel processors
are normally operational, the SSI receives and executes two copies
of each request. These are stored by the central interlocking in a
ring buffer of bounded size, and processed during minor cycles which
are otherwise completed in under the minimum minor cycle time. At
most one panel request will be served in any minor cycle.
See also minor cycle and route request data.
- REMOTE ROUTE REQUEST
Routes that straddle interlocking boundaries require special
treatment since two (or more) Interlockings must cooperate to set
them up safely. When the Interlocking controlling the entrance
signal receives a panel request for such a route, it issues a remote
route request via the internal data link to the Interlocking
controlling the tail portion of the route. Only if an
acknowledgement to this remote request is received from the other
Interlocking (within a prescribed period of delay) will the first
Interlocking go ahead and lock the route.
See Section 1.4.
- TECHNICIAN'S CONSOLE
The technician's console allows close monitoring of the internal
state of several Interlockings at a signal control centre, and the
online diagnosis of faults in the signalling equipment, etc. The
technician's console also allows one to impose (temporary)
restrictions on the behaviour of the interlocking, by applying
so-called technician's controls. These can be applied to
routes (so that they are unavailable, and requests for them always
fail), to track circuits (so they always appear occupied,
irrespective of the actual state), to points (so they can be
disabled in either the normal or reverse position), and to signals
(to override the lamp-proving input from the TFM). Of these, only
the `availability bit' in route memory is accessible from the
Geographic Data---so that an alternative route can be selected
- TRACK-SIDE FUNCTIONAL
These devices interface with the track-side signalling equipment.
Two types of module are provided: one to drive signal aspects and
detect lamp proving inputs, etc.; the other to drive points and
detect their position contacts. Either type of module can report
track circuit inputs. Both signal and points modules have identical
interfaces to the baseband data highway, and are configured to
respond to a command telegram with an immediate reply (data)
telegram. Track-side functional modules provide power switching
under duplicated microprocessor control---duplication here, as
elsewhere in SSI, being designed to mask single faults and to drive
the outputs to a safe state when unrecoverable faults are detected.