RAMS Requirements in Electronic Interlock Design
Any interlocking system must meet the international standards for rail systems and offer the highest levels of safety, reliability and availability. The main function of an interlocking system, as a generic product, is to guarantee the safe operation of trains by avoiding route conflicts while controlling and monitoring external objects (track devices) such as signals or points, and by exchanging the required information with other signaling systems, such as track-section occupancy detection systems or level crossings.
Furthermore, these systems must be adaptable to other generic and specific applications, controlling train movements in accordance with the operational requirements of the railway administrations.
The interlocking based on electronic systems (ENCE) is the type of interlocking most widely used today. It is the successor of relay interlocking, although relay interlockings are still very much in service. ENCE interlockings have larger capacity, use more compact equipment, consume less energy, are more flexible and achieve better performance. Many rail facilities are being upgraded with ENCE, as are the modern lines being deployed around the world.
In this article we detail, from the RAMS point of view, the main characteristics of modern interlocking systems and explore how effective processes and techniques should be applied to the deployment of this type of system.
LATEST-GENERATION ARCHITECTURE
To achieve maximum flexibility in terms of possible installations, and since each railway system has its own requirements, interlocking systems must use a modular architecture. This also greatly facilitates any future changes or updates to a given system. The interlockings must be able to interact with different types of signaling and railway control systems (ATP, ERTMS, TMS, interlockings of different technologies, etc.).
Depending on the needs of a specific network there are different possible hardware architectures: centralized and distributed. Today, most vendors offer flexible solutions that support both options depending on the type of installation, simple or complex.
Centralized architectures are used in simple designs with a small amount of equipment and short distances between the electronic interlocking and the controlled equipment. In complex designs, the large amount of cabling required would mean high costs, and this architecture would no longer make sense.
Distributed architectures are typically used for complex installations with a lot of equipment and large distances between the electronic interlocking and the controlled equipment. In this type of configuration, external object controllers, each controlling a set of track equipment, are linked to the central interlocking. Compared to a centralized architecture, the distributed architecture has the following main advantages: cost savings in cabling, less construction space required, and easier installation and maintenance.
Finally, upstream, the interlockings can be operated from centralized controls (normally in control centers, CTC), local videographic controls or even local controls on the track. The management of priorities among them is defined by the operating rules of the line or installation.
RAMS DESIGN REQUIREMENTS FOR INTERLOCKING SYSTEMS
The safety assessment of electronic interlockings, or of any other railway signaling subsystem (CMS system, control-command and signaling), is based on a set of international reference standards (CENELEC EN 50126, EN 50128 and EN 50129), which are mandatory for the European railway industry and specifically for signaling (CMS) systems. The hardware and software of safety-critical systems must undergo a strict verification and validation process carried out by an independent team (EN 50126). During the safety analysis, all possible dangerous situations must be identified, and the hardware and software must be designed to eliminate all the identified hazards.
Safety analysis of a CMS system such as an interlocking can be performed using qualitative or quantitative methods, but more often a combination of both is used. Qualitative approaches focus on the question "What must go wrong for such a system hazard to occur?", while quantitative methods aim to provide estimates of probabilities, rates and severity of consequences.
The most common methods used to perform interlocking system safety analysis are based on failure modes and effects analysis (FMEA) and fault tree analysis (FTA). All identified situations are recorded as hazards in a Hazard Log. This document is used throughout the life cycle of the system, from conception to decommissioning and disposal.
The main objective of using the FMEA and FTA methodologies is to identify all the possible failure modes of the system and, for each of its components, describe the effects of those failures and assign a probability of occurrence. These can also include failures caused by human error and failures originating from external events. This procedure is part of the hazard analysis and risk assessment specified by EN 50126. This standard establishes the concepts, methods, tools and engineering techniques to be applied during the useful life of the systems to guarantee that a defined level of safety integrity of rail traffic is achieved.
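As an added illustration of the quantitative side of FTA (this is example code written for this article, not a tool or model from Leedeo or from the standards), the following Python evaluates a small fault tree whose basic events carry the probabilities of occurrence that an FMEA would supply. The hazard, the detector and output failure modes and all probability values are constructed for the example; the AND/OR combination and the minimal-cut-set search are the generic algorithms. The cut-set search is what makes a single point of failure visible: a cut set of size one means a single component failure is enough to produce the hazard.

```python
from dataclasses import dataclass
from typing import List, Union

# Constructed fault-tree model: basic events carry a probability of occurrence
# (as assigned by the FMEA), gates combine them. All values are illustrative.


@dataclass(frozen=True)
class BasicEvent:
    name: str
    prob: float          # probability that the failure mode is present on demand


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str            # "AND" or "OR"
    inputs: tuple        # of BasicEvent or Gate


Node = Union[BasicEvent, Gate]


def top_event_probability(node: Node) -> float:
    """Probability of the event, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.prob
    child = [top_event_probability(c) for c in node.inputs]
    if node.kind == "AND":          # all inputs must fail together
        p = 1.0
        for q in child:
            p *= q
        return p
    if node.kind == "OR":           # any single input is enough
        p_none = 1.0
        for q in child:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in per_input for cs in sets]
    else:  # AND: every combination of one cut set from each input
        candidates = [frozenset()]
        for sets in per_input:
            candidates = [a | b for a in candidates for b in sets]
    minimal: List[frozenset] = []
    for cs in sorted(set(candidates), key=len):   # keep only non-supersets
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that alone cause the top event (cut sets of size 1)."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1)


# Constructed example: the hazard "signal shows a proceed aspect while the
# protected section is occupied". The design uses two diverse occupancy
# detectors (both must report clear) and a read-back of the lamp output.
DET_A = BasicEvent("detector_A_false_clear", 1e-4)
DET_B = BasicEvent("detector_B_false_clear", 1e-4)
LAMP_STUCK = BasicEvent("lamp_driver_stuck_permissive", 1e-5)
READBACK = BasicEvent("output_readback_fails", 1e-3)

WRONG_SIDE_FAILURE = Gate(
    "proceed_aspect_with_section_occupied", "OR",
    (
        Gate("occupancy_falsely_clear", "AND", (DET_A, DET_B)),
        Gate("undetected_stuck_output", "AND", (LAMP_STUCK, READBACK)),
    ),
)

# Variant with a single occupancy detector: the hazard now has a single point
# of failure, which the cut-set analysis exposes immediately.
SINGLE_DETECTOR_DESIGN = Gate(
    "proceed_aspect_with_section_occupied", "OR",
    (DET_A, Gate("undetected_stuck_output", "AND", (LAMP_STUCK, READBACK))),
)

if __name__ == "__main__":
    print(f"P(top) = {top_event_probability(WRONG_SIDE_FAILURE):.3e}")
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(WRONG_SIDE_FAILURE)])
    print("single points of failure:", single_points_of_failure(SINGLE_DETECTOR_DESIGN))
```

The independence assumption behind the AND gate is the weak point of any such calculation: two detectors that share a power supply or a cable route are not independent, and the common-cause event belongs in the tree as its own basic event.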
To achieve this quality of service , the following practices should be applied:
- Risk analysis : identification of all dangerous situations, the probability of their occurrence and the consequences of those dangers.
- Achieve rail RAMS requirements : control of factors influencing RAMS over the life of the system ( EN 50126 ).
- Ensure compliance with the specified safety integrity level (SIL). For an interlocking system to be certified, it must also meet the EN 50129 standard, which defines the requirements for the acceptance and approval of safety-related electronic systems in railway signaling. This standard is aligned with other related CENELEC standards that must also be met: EN 50126 for the hazard analysis and risk assessment processes, EN 50159 for the communication of safety-related data, and EN 50128 for software requirements.
Compliance with the following elements, listed in EN 50129, is mandatory for the safety assessment of the system, subsystems and equipment:
- Preparation of a safety case, which contains the documented safety evidence for the system, subsystem or equipment.
- Preparation of a technical safety report, which provides the technical evidence of the safety of the design. This document is part of the safety case.
- Safety management, which includes the preparation of the safety plan, the hazard log and the safety requirements specification.
- Evidence of quality management throughout the life cycle of the system.
- Evidence of functional and technical safety .
Most of the requirements for the design of an interlocking system can be grouped into requirements for safety, reliability, availability and maintainability (RAMS).
In short, an interlocking system must guarantee that a permissive output is only activated under permissive conditions; otherwise, a non-permissive output must be issued. In case of failure or inconsistent information, the external objects must be moved to the safe state, which means that all signals in the affected area must show restrictive aspects. That is why an interlocking must be designed on a fail-safe logic principle. In addition, it will not be possible to set any route or move any point automatically.
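The fail-safe principle just described can be shown as a route-evaluation function whose default answer is the restrictive aspect. The Python below is an added example written for this article, not code from any interlocking product; the route, section and point names, the two-channel occupancy vote and the field-state layout are all constructed for the illustration. The point it demonstrates is that PROCEED is only returned when every condition is positively proven, while missing data, an unknown or disagreeing detection channel, an unlocked point, a conflicting route or an internal error all fall through to STOP.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set, Tuple


class Occupancy(Enum):
    CLEAR = "clear"
    OCCUPIED = "occupied"
    UNKNOWN = "unknown"       # missing, stale or contradictory detection data


class PointPos(Enum):
    NORMAL = "normal"
    REVERSE = "reverse"
    UNKNOWN = "unknown"       # moving, out of correspondence or no indication


class Aspect(Enum):
    PROCEED = "proceed"       # permissive output
    STOP = "stop"             # restrictive output: the safe state


@dataclass(frozen=True)
class Route:
    name: str
    sections: Tuple[str, ...]                  # track sections that must be clear
    points: Tuple[Tuple[str, PointPos], ...]   # (point, required position)
    conflicts: Tuple[str, ...]                 # routes that may not be set at the same time


@dataclass
class FieldState:
    """Constructed snapshot of what the interlocking knows about the field."""
    occupancy: Dict[str, Occupancy] = field(default_factory=dict)
    points: Dict[str, PointPos] = field(default_factory=dict)
    locked_points: Set[str] = field(default_factory=set)
    set_routes: Set[str] = field(default_factory=set)


def vote_occupancy(channel_a: Occupancy, channel_b: Occupancy) -> Occupancy:
    """Merge two detection channels on the safe side: CLEAR only when both agree,
    OCCUPIED if either says so, UNKNOWN for any other disagreement."""
    if channel_a is Occupancy.OCCUPIED or channel_b is Occupancy.OCCUPIED:
        return Occupancy.OCCUPIED
    if channel_a is Occupancy.CLEAR and channel_b is Occupancy.CLEAR:
        return Occupancy.CLEAR
    return Occupancy.UNKNOWN


def evaluate_route(state: FieldState, route: Route) -> Aspect:
    """Return PROCEED only when every condition is positively proven; anything
    missing, unknown or inconsistent yields STOP."""
    try:
        for section in route.sections:
            # a section absent from the snapshot is treated as UNKNOWN, not as clear
            if state.occupancy.get(section, Occupancy.UNKNOWN) is not Occupancy.CLEAR:
                return Aspect.STOP
        for point, required in route.points:
            if state.points.get(point, PointPos.UNKNOWN) is not required:
                return Aspect.STOP
            if point not in state.locked_points:
                return Aspect.STOP           # detected position alone is not enough
        if any(other in state.set_routes for other in route.conflicts):
            return Aspect.STOP
        return Aspect.PROCEED
    except Exception:
        # an unexpected error in the evaluation itself is a failure too,
        # and the output falls to the restrictive aspect
        return Aspect.STOP


# Constructed example route: sections T1 and T2, point P1 in normal, conflicts with R3.
ROUTE_1 = Route("R1", ("T1", "T2"), (("P1", PointPos.NORMAL),), ("R3",))


def sample_state() -> FieldState:
    """Field state in which R1 can legitimately be set (constructed data)."""
    return FieldState(
        occupancy={"T1": vote_occupancy(Occupancy.CLEAR, Occupancy.CLEAR),
                   "T2": vote_occupancy(Occupancy.CLEAR, Occupancy.CLEAR)},
        points={"P1": PointPos.NORMAL},
        locked_points={"P1"},
    )


if __name__ == "__main__":
    ok = sample_state()
    print("all conditions proven:", evaluate_route(ok, ROUTE_1).value)
    degraded = sample_state()
    degraded.occupancy["T2"] = vote_occupancy(Occupancy.CLEAR, Occupancy.UNKNOWN)
    print("channels disagree on T2:", evaluate_route(degraded, ROUTE_1).value)
```

Note the shape of the function: there is exactly one path that returns PROCEED and every other path, including the exception handler, returns STOP, so a coding mistake is far more likely to produce an unnecessary stop than a wrong-side proceed.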
Furthermore, all safety integrity requirements specified in the applicable standards (EN 50126, EN 50128 and EN 50129) for the applicable Safety Integrity Level (SIL) must be met by all equipment involved.
To achieve the required reliability, the hardware platform of an interlocking system must be thoroughly tested. In addition, the software must be based on common design principles such as functionality, reliability and maintainability, safety, efficiency, usability and portability [EN 50128]. A high level of reliability and availability will ultimately guarantee the safe and punctual operation of trains.
The reduction of single points of failure is also of special interest in this type of equipment, with particular attention to the communication systems, which can even be designed redundantly.
Interlocking systems, in most cases, have a redundant architecture. Although this is not mandatory, it is essential to achieve the availability expected from these systems. Proper redundancy management is essential to ensure a safe and fault-tolerant redundant system, and certain functionalities should be considered:
- No impact on operation. Switchover must be imperceptible, which means that it cannot disturb the normal behavior of the system: it must still allow a route to be set, ensure that no signal flickers, that the points can still be controlled, and that the control center sees no disturbance.
- Backup systems need to be continually updated so that they are ready to take over at any time.
- Hot replacement of system elements or modules, that is, equipment can be replaced electrically and mechanically without disconnecting its power supply. In a redundant system this allows, for example, a module of the standby subsystem to be replaced.
An interlocking system generally also includes a remote maintenance system to reduce the number and duration of maintenance operations. Once again, a modular architecture will optimize performance in terms of maintainability and availability, allowing intervention on part of the system without any degradation in the performance of the system as a whole.
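To put numbers on the availability argument made above for redundancy and maintainability, here is a small reliability block diagram (RBD) evaluator in Python. It is an added example for this article, not a Leedeo model or a figure from any standard; the block names, the MTBF and MTTR values and the command-path layout (redundant interlocking channels, a redundant link, one object controller) are constructed assumptions. It shows the two levers the text discusses: a hot-standby pair raises availability through parallel composition, and a remote maintenance facility raises it again by shortening the MTTR of each block.

```python
from dataclasses import dataclass
from typing import Tuple, Union

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Block:
    """A single repairable unit described by its MTBF and MTTR (hours)."""
    name: str
    mtbf_h: float
    mttr_h: float

    def availability(self) -> float:
        # steady-state (inherent) availability: MTBF / (MTBF + MTTR)
        return self.mtbf_h / (self.mtbf_h + self.mttr_h)


@dataclass(frozen=True)
class Series:
    """All parts are needed: the function is down if any one of them is down."""
    parts: Tuple["Element", ...]

    def availability(self) -> float:
        a = 1.0
        for p in self.parts:
            a *= p.availability()
        return a


@dataclass(frozen=True)
class Parallel:
    """Hot-standby redundancy: any one working part keeps the function up
    (assumes independent failures and an imperceptible switchover)."""
    parts: Tuple["Element", ...]

    def availability(self) -> float:
        unavail = 1.0
        for p in self.parts:
            unavail *= 1.0 - p.availability()
        return 1.0 - unavail


Element = Union[Block, Series, Parallel]


def downtime_hours_per_year(element: Element) -> float:
    """Expected unavailability expressed as hours per year."""
    return (1.0 - element.availability()) * HOURS_PER_YEAR


def distributed_interlocking(mttr_interlocking_h: float, redundant: bool) -> Element:
    """Constructed RBD of the command path to one signal in a distributed
    architecture: interlocking core -> fibre link -> object controller.
    MTBF/MTTR figures are illustrative placeholders, not vendor data."""
    channel = Block("interlocking_channel", mtbf_h=50_000.0, mttr_h=mttr_interlocking_h)
    core = Parallel((channel, channel)) if redundant else channel
    link = Parallel((Block("fibre_link", 20_000.0, 2.0), Block("fibre_link", 20_000.0, 2.0)))
    oc = Block("object_controller", 100_000.0, 4.0)
    return Series((core, link, oc))


if __name__ == "__main__":
    cases = {
        "single channel, on-site repair (24 h)": distributed_interlocking(24.0, False),
        "redundant pair, on-site repair (24 h)": distributed_interlocking(24.0, True),
        "redundant pair, remote maintenance (4 h)": distributed_interlocking(4.0, True),
    }
    for label, rbd in cases.items():
        print(f"{label:42s} A = {rbd.availability():.8f}  "
              f"downtime = {downtime_hours_per_year(rbd):.3f} h/yr")
```

The parallel formula assumes the standby really is ready to take over, which is exactly what the "continually updated backup" and "imperceptible switchover" requirements above are meant to guarantee; a standby that is out of date or a switchover that drops set routes makes the real availability lower than this model predicts.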
LEEDEO EXPERIENCE IN RAILWAY SIGNALING SYSTEMS
RAM analysis of a generic hardware platform developed to implement trackside and rolling-stock systems for ATP solutions and SIL4 railway signaling: FMECA, RBD, FTA.
Safety and RAM monitoring to identify problems and gaps in the processes used to develop a SIL4 railway Control-Command and Signaling platform.
Turnkey responsibility for the independent evaluation of system reliability, availability, maintainability and safety (RAMS) at all stages of the life cycle against the safety integrity level (SIL4), and validation of the system against the system requirements. The RAMS evaluations comprised functional, hazard and risk analysis for safety purposes, as well as failure modes and effects, fault tree, reliability, availability and maintainability analysis. The results of the evaluation were taken into account throughout the development of the product. The project ended with a generic product safety case in accordance with EN 50129.
System Validation and Verification (V&V) against a system requirements specification to validate that the system was built to operate under the specified conditions and that the specified functionalities were implemented correctly. Special care was taken in the validation of all safety requirements and open points to reduce the probability of safety failures that may occur after
Updating and improvement of videographic software for the control of the interlocking, for the management of route setting and locking as well as the possible automatic release of routes when the train passes.
At Leedeo Engineering we are the ideal partner for the development of railway RAMS projects, providing support at whatever level is required for RAM and safety tasks in accordance with the CENELEC EN 50126, EN 50129 and EN 50128 standards. Do not hesitate to contact us.