
ILTIS - an integrated workplace with safety-related functions for rail-operation management

N. Rowden

Siemens Integra Verkehrstechnik AG,

Industriestrasse 42, CH-8304 Wallisellen, Switzerland

Abstract

The design of a modern railway control and supervisory system which uses standard off-the-shelf components is described. Particular emphasis is given to the aspects concerning safety, availability and ease of use, describing the unique solutions the designers utilised in satisfying the system requirements.

Abbreviations

CTC centralised traffic control

LAN local area network

MMI man/machine interface

OSF Open System Foundation

1 Introduction

The control and supervision of a railway network requires the acquisition and provision of all data relating to the state of the tracks within the area of responsibility. To accomplish this, CTC (centralised traffic control) computers store and process information, which is received from the local interlocking and remotely controlled stations. They enable a simple and exact overview of all train movements in the controlled area to be presented to the station-master.

A CTC system has three basic functions, i.e.

Transactions on the Built Environment vol 18, © 1996 WIT Press, www.witpress.com, ISSN 1743-3509


474 Computers in Railways

1.
   i. routing trains
   ii. controlling individual elements
   iii. blocking/clearing the routes for train traffic
   iv. blocking/clearing the operation of points
   v. emergency commands to override the interlocking in the event of a break-down,
   vi. etc.

2. the automation of train traffic:
   i. tracking trains
   ii. automatic routing
   iii. transferring train-position information to a higher-level management centre

3. the display of train information for passengers

Existing CTC systems and their previous generations have generally been developed piecemeal, based on ad hoc requirements of a customer's needs and loosely-coupled together over a LAN (local area network). Every computer in the network is usually dedicated to fulfilling a particular task within the CTC system, e.g. a computer dedicated to tracking trains, another dedicated to the display of train information, etc. The station-master is then confronted with a working-environment, in which commands to the control system have to be issued via one of the several terminals available to him, each terminal being controlled by a particular CTC computer. In addition to the ergonomic disadvantages of these CTC systems, there are also inherent disadvantages in the design caused by:

• duplication of resources such as printers, one of which needs to be connected to each computer to register errors, and

• duplication of configuration data. Although this in itself is not a problem, there is a danger of inconsistencies appearing in the data unless tight controls are built in to prevent it.

ILTIS has been designed from scratch as a totally integrated CTC system, based on the experiences of developing previous systems. Instead of dedicating computers to a particular function, the CTC functions are freely distributable within the available computers. No computer is dedicated to one particular task (see Figure 1).

The station-master's workplace is based on a work-station with a single PC-keyboard and a pointing device (e.g. a mouse). Currently, an ILTIS system can handle up to 20 workplaces, although this number could be increased at any time, if needed. Depending on the size of the target installation and the number of functions that a station-master needs to carry out, each work-station can control up to 6 full-graphic, colour screens.

All data-flow in the system is over the LAN, making it accessible to every computer connected to the LAN. Information to and from the interlockings is transmitted directly over the LAN. Similarly, peripheral devices which utilise serial interfaces (such as printers and the system clock) communicate with the LAN through a terminal server. This characteristic enables each computer in the system to take over the functionality of another computer in the event of hardware problems.

Figure 1 : Typical ILTIS installation (block diagram; labelled components: ILTIS work-station, Interlocking)

2 Man/machine-interface

Probably the most important component of a CTC system is its MMI (man/machine interface). It is of the utmost importance that the MMI can provide clear, concise information concerning the state of the interlockings, and enable the station-master to issue error-free commands quickly and efficiently. This has been achieved in ILTIS by conforming to the OSF/Motif™ and X-Window standards. This has also simplified development and ensured that the system is not tied down to a particular hardware architecture. This ease of portability permits the customer to benefit from a broad choice of future hardware platforms.

Display Information

The station-master has, depending on the system configuration, a number of graphic displays available to him. Using standard window techniques, various windows are accessible to provide clear presentations of the state of the total system and allow any necessary modifications to the system to be made. These windows can be displayed when required and removed from the screen when they are no longer needed, facilitating rapid access to target windows.

Earlier CTC systems used screens onto which information defining the state of the interlockings was displayed as a collection of semi-graphic symbols. This severely restricted the amount of information that could be displayed onto a single screen. Even average-sized stations would be forced to be placed onto two screens.

Figure 2 : ILTIS workplace (screen shot; annotated regions: central message manager, detailed view, command pop-up menu, overview)

Using X-Windows, ILTIS is in a position to manipulate full-graphic, colour symbols. Much more information can therefore be concentrated onto a single screen, reducing the need to split stations over several screens. Indeed, using standard window technology, several stations can be displayed simultaneously onto one screen (see Figure 2). When necessary, windows can be readily overlaid by the user on top of each other. The interlocking states can be displayed in both an overview format and a detailed view format.

• An overview format provides all pertinent information from the interlockings and the automation functions that is crucial for efficient train management. Additional, less-relevant information can be quickly displayed within the window on demand, when needed.

• The detailed view format shows fuller, symbolic information of all station-elements including any faults or defects. Again more precise, less-relevant information (e.g. complete element names) can also be displayed on demand. Detailed view displays can often be dispensed with in smaller installations where it is usually possible to display all the necessary information within an overview format.

The display of the interlocking state information is uniform for each type of interlocking, whether it be a relay-based interlocking or an electronic interlocking.

All important messages in the system are displayed by a central message manager in a window containing four sections dedicated to:

• operating requests,

• operating messages,

• faults, and

• system messages.

It is also possible to configure individual messages so that they are emphasised with an audio tone. Once the message has been noted, it can be acknowledged or cancelled by the station-master.

Commands

Commands are issued via the mouse without any keyboard being involved. This not only increases the speed at which commands can be sent, but also reduces the chances of executing any incorrect commands through typing errors.

Interlocking commands are issued by pointing the cursor at the target element with the mouse. With a single mouse-click, a pop-up menu displays the commands which are currently valid for that element. The available commands are not only determined by the element type (i.e. if it is a barrier, or a main signal, etc.) but also by its current dynamic state. It would, for example, be meaningless offering a command to open a particular barrier, if that barrier were already open.

Once a command has been selected, it is displayed in a text format within the window. The station-master has then to acknowledge this command with a single mouse-click before the system allows the command to be executed by the interlocking.

As a further improvement in the efficiency of command execution, a double mouse-click on a target element will automatically present for execution the most often used action for that target element (e.g. for points, this could be a change-over command).

Commands that require two or more target elements (e.g. setting routes) can be defined in one of two possible ways, i.e.

1. The most usual method is to point the mouse cursor at the first target element. By depressing the relevant mouse key and then dragging the cursor to point to the second target element before releasing the mouse key, the complete command can be defined.

2. With a single mouse-click on the first target element, a pop-up menu is displayed from which the desired command can be selected. The command can then be completed with a single mouse-click on the second target element. A second pop-up menu allows the station-master to define that the selected element should be used as the second target element.

Safety

In certain installations, it is necessary to be able to by-pass the inherent safety of an interlocking to provide an uninterrupted service even in the event of hardware faults and break-downs. In these installations, it is essential that a CTC system is able to fulfil certain safety-related functions, i.e.

• it has to ensure that the station-master does not make life-endangering decisions based upon faulty information presented to him by the CTC system,

• it has to ensure that so-called critical commands (i.e. the commands which by-pass the safety of an interlocking) cannot be inadvertently executed, and

• critical commands have to be correctly executed.

In previous generations of CTC systems, it was often necessary to integrate specialised hardware into the system design to ensure that the necessary safety requirements were satisfied. For example, a usual design would be to process the interlocking state information over two independent channels, i.e. using two transmission lines, with two computers processing the input so that it could be presented in a visual format by storing it in two separate video memories. The transmitted data from the interlocking would contain additional information to allow error detection. A specialised computer, which had been methodically proven to function correctly, would then be used to display the two sets of visual information alternately in short cycles onto a screen. Any discrepancies in the data sets would result in a blinking effect on the screen.

Critical commands can only be processed by the interlocking when they are received over two independent channels. Such commands would be issued from the keyboard and, after user confirmation, processed independently by two different CTC computers.

Although effective, this design does suffer from certain drawbacks, viz.

• The user is required to consult the display screen before he issues any critical commands to ensure that all the displayed data is consistent (i.e. not blinking). Although he should not issue a critical command when the system is in an uncertain state, it is not possible for the CTC system itself to control automatically whether the relevant checks have been carried out.

• The system is dependent on specialised hardware which increases costs. Further development in the system is also restricted as the specialised hardware is unable to develop at the same rapid pace as other hardware because of the safety constraints placed upon it.

Off-the-shelf work-stations, whose application is a basic ILTIS system requirement, could never guarantee the required level of safety needed for the design of a CTC system. Work-stations incorporate too much complex, single-channelled hardware, which could never be certified as safe. In addition, the software used to drive this hardware was never conceived to be applied in a safety-critical environment.

The ILTIS system designers were therefore required to solve this problem with an original approach if they were to satisfy the system requirements (see Rowden [1]). The design, which has been patented (see Pixley, Rowden and Aepli [2, 3]), has been rigorously controlled and accepted by the Swiss national railways.

Figure 3 : Safety-critical processing in ILTIS (block diagram; labelled components: the Interlocking delivers Interlocking state data over channel 1 and channel 2; ILTIS computer 1 runs the MAIN interlocking management and writes display information to the ILTIS work-station; ILTIS computer 2 runs the MIRROR interlocking management and reads display information back from the work-station; command control sits on the ILTIS work-station)

The basic idea is that the interlocking data is received independently by the interlocking management software over two channels (see Figure 3). This software, which has to run on two separate computers, executes in one of two modes - MAIN or MIRROR. In the MAIN-mode, the software receives data from the interlocking and displays them onto the work-station. This processing is single-channelled and the displayed information in itself cannot be guaranteed to be correct.

When the station-master issues a critical command, it is at first sent to the software in the MIRROR-mode. Here the command is compared with its local interlocking data, isolating any elements that could have any influence on the execution of the critical command. The result of this analysis by the MIRROR-software is displayed on the station-master's work-station in a text-format, high-lighting any irregularities with the expected state of the interlocking. It is important that this information is displayed in a different format (i.e. as text) than the graphically-displayed information from the MAIN-software to reduce any chances of misinterpretation caused by defective work-station hardware or software.

The station-master has to confirm that he is in agreement with the information displayed from the MIRROR-software (with a mouse-click) before the critical command can be carried out. The command execution software has to be dual-channelled and therefore is processed simultaneously in the MAIN- and MIRROR-software. The execution of all critical commands is logged in disk files for future reference.

This processing handles the execution of critical commands safely. There are however other instances when it is essential that the displayed interlocking state information has to be correct. Often the station-master has to give verbal commands based on the information being presented to him on the work-station, e.g. during track-maintenance. In this case, there is no command to be sent to the MIRROR-software for analysis. Further control therefore needs to be built into the system. This is also undertaken by the MIRROR-software, which cyclically reads pixels from critical elements in the work-station display memory and compares their displayed state (i.e. their colour) with the expected state in the local interlocking state data. The station-master is informed if there are any unexpected discrepancies in the data.
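The MAIN/MIRROR scheme of this section, simulated below as an added example; this is not ILTIS code and not the patented implementation. Two independent copies of the interlocking state stand in for the two channels, MAIN draws one of them into a single-channel display memory, and MIRROR analyses each critical command against the other, reports as text, and reads the display back to compare colours. The element names, the colour table, the critical command and the table of elements it influences are constructed for the example.

```python
# Added example (not ILTIS code, nor the patented implementation): a
# simulation of the MAIN/MIRROR scheme. Element names, colours, the
# critical command and its dependency table are constructed.
from dataclasses import dataclass, field

# Colour in which each element state is drawn on the work-station (assumed).
COLOUR_OF_STATE = {"free": "green", "occupied": "red", "blocked": "yellow"}

# Elements whose state could influence a critical command (assumed table).
INFLUENCED_BY = {("emergency_release", "route_7"): ["track_1", "points_12", "signal_A"]}


@dataclass
class Channel:
    """One of the two independent copies of the interlocking state data."""
    state: dict


@dataclass
class Display:
    """Single-channel display memory written by MAIN: element -> colour."""
    pixels: dict = field(default_factory=dict)


class Main:
    """MAIN mode: receives channel 1 and draws it graphically."""
    def __init__(self, channel, display):
        self.ch, self.display = channel, display

    def redraw(self):
        for el, st in self.ch.state.items():
            self.display.pixels[el] = COLOUR_OF_STATE[st]


class Mirror:
    """MIRROR mode: receives channel 2; never draws, only checks."""
    def __init__(self, channel, display):
        self.ch, self.display = channel, display

    def analyse(self, cmd, target, expected):
        """Text report on the influenced elements; a state that differs from
        what the station-master expects is flagged as irregular."""
        lines = []
        for el in INFLUENCED_BY[(cmd, target)]:
            actual = self.ch.state[el]
            flag = "" if actual == expected.get(el) else "  <-- IRREGULAR"
            lines.append(f"{el}: {actual}{flag}")
        return "\n".join(lines)

    def check_display(self, critical_elements):
        """Cyclic pixel read-back: elements whose displayed colour does not
        match the state held in the MIRROR channel."""
        return [el for el in critical_elements
                if self.display.pixels.get(el) != COLOUR_OF_STATE[self.ch.state[el]]]


class Workplace:
    def __init__(self, main, mirror):
        self.main, self.mirror, self.log = main, mirror, []

    def critical_command(self, cmd, target, expected, confirm):
        """MIRROR report -> confirmation by the station-master (`confirm`
        receives the report text) -> execution, on which both channels must agree."""
        report = self.mirror.analyse(cmd, target, expected)
        if not confirm(report):
            self.log.append(f"ABANDONED {cmd} {target}: not confirmed")
            return False
        influenced = INFLUENCED_BY[(cmd, target)]
        if any(self.main.ch.state[e] != self.mirror.ch.state[e] for e in influenced):
            self.log.append(f"REJECTED {cmd} {target}: channel mismatch")
            return False
        self.log.append(f"EXECUTED {cmd} {target}")  # in ILTIS this goes to a disk file
        return True


def careful_station_master(report):
    """Confirms only when the MIRROR report shows no irregularity."""
    return "IRREGULAR" not in report


def build(ch1_state, ch2_state):
    """Constructed set-up: one work-station display, two channels."""
    display = Display()
    main = Main(Channel(dict(ch1_state)), display)
    mirror = Mirror(Channel(dict(ch2_state)), display)
    main.redraw()
    return Workplace(main, mirror)


CONSISTENT = {"track_1": "free", "points_12": "free", "signal_A": "blocked"}
CMD = ("emergency_release", "route_7")


def scenario_consistent():
    wp = build(CONSISTENT, CONSISTENT)
    return wp.critical_command(*CMD, CONSISTENT, careful_station_master), wp.log


def scenario_unexpected_state():
    occupied = dict(CONSISTENT, track_1="occupied")  # both channels agree: track occupied
    wp = build(occupied, occupied)
    return wp.critical_command(*CMD, CONSISTENT, careful_station_master), wp.log


def scenario_channel_mismatch():
    wp = build(dict(CONSISTENT, track_1="occupied"), CONSISTENT)  # channel 1 corrupt
    return wp.critical_command(*CMD, CONSISTENT, careful_station_master), wp.log


def scenario_display_fault():
    wp = build(CONSISTENT, CONSISTENT)
    wp.main.display.pixels["track_1"] = "red"  # faulty video memory, channels are fine
    return wp.mirror.check_display(["track_1", "points_12", "signal_A"])
```

The four scenarios cover the three things the section asks of the design: a command whose preconditions hold is executed and logged; a command that contradicts the station-master's expectation is stopped at the text report; a disagreement between the two channels is caught at execution even when the report looked clean; and a display fault that no command would reveal is found by the cyclic pixel read-back.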

Language

Another important characteristic of an MMI is the ability to present textual information in the language of the user. This problem is particularly acute in countries like Switzerland, which boasts four national languages. It is therefore important that each workplace in the CTC system is able to switch on-line to the language of the current user. Of course, the choice of language should not be restricted to the Latin character set, but should be able to handle the full gamut of character sets (e.g. Cyrillic, Arabic, etc.).

Multi-language MMI was a basic design consideration in ILTIS and it is a surprisingly much under-estimated problem in software development. In ILTIS, a user can not only define in which language the work-station should present text, but can also decide in which language the various log-files (e.g. system log-files, fault log-files, critical command log-files, etc.) should be printed out.

Maintenance

ILTIS has its own maintenance software integrated into the design. When a maintenance engineer has the necessary privileges, he is able to supervise or modify certain aspects of the running system. This is particularly useful in localising any unexpected problems and for collecting information which can be analysed at a later time by the system developers.

3 Availability

The availability of a CTC system is becoming an increasingly important factor as railway networks become more and more dependent upon them. Current systems usually tackle this problem by having redundant computers, which can be manually switched into service whenever they are needed. From experience, it has been seen that this design suffers from a number of drawbacks, viz.

• The redundant computers are not in active service. When a situation arises where they need to be brought into service, they themselves could have developed technical problems which, as the redundant computers are dormant, have gone unnoticed.

• As each computer in the distributed system needs to have a similarly-configured redundant computer, this effectively doubles the number of required computers if a full stand-by capability is needed.

In ILTIS the necessary redundancy has been built into the software design. No ILTIS task is dedicated to a particular computer but can execute on any available computer in the system. In this way, ILTIS uses a technique of redundant software instead of redundant hardware (see Figure 4).

Figure 4 : Redundant software in ILTIS (block diagram of three computers connected over the LAN: ILTIS computer 1 runs Data-Base Manager (active) and Printer Manager (stand-by); ILTIS computer 2 runs Data-Base Manager (stand-by) and Log Manager (active); ILTIS computer 3 runs Log Manager (stand-by) and Printer Manager (active))

In this example, there are three ILTIS tasks (a data-base manager, a printer manager and a log manager) each running in one of two possible states (active or stand-by) on various computers. If for any particular reason a task on a particular computer can no longer function correctly (for example when the active printer manager in ILTIS computer 3 is not able to communicate with its printer), it will automatically take itself out of service and its processing is taken over by the stand-by software. Similarly, if a computer is no longer functioning correctly, it will also automatically be taken out of service and its software taken over by the corresponding stand-by software on another computer (for example, if ILTIS computer 2 is defective, the processing will continue with ILTIS computers 1 and 3, with the active Log Manager software now running on ILTIS computer 3). All switch-overs are fully automatic and require no user intervention.

In this way, it is no longer necessary to have redundant computers but redundant computer performance instead, reducing significantly the extra computers that need to be installed to provide full stand-by capabilities for all the running software.
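The active/stand-by scheme of Figure 4 and the two failure cases worked through above, as an added example that is not ILTIS code: a small supervisor keeps the instances of each task and promotes a live stand-by whenever an active instance, or the whole computer it runs on, drops out. The task and computer names follow the figure; the supervisor logic, the fault events and the exhaustion case (a second failure with no stand-by left) are constructed.

```python
# Added example (not ILTIS code): supervisor for redundant software.
# Task and computer names follow Figure 4; the failure events are constructed.
from dataclasses import dataclass


@dataclass
class Instance:
    task: str
    computer: str
    role: str          # "active" or "stand-by"
    alive: bool = True


class Supervisor:
    def __init__(self, instances):
        self.instances = list(instances)
        self.events = []

    def active(self, task):
        """Computer currently running the live active instance of a task, or None."""
        for i in self.instances:
            if i.task == task and i.role == "active" and i.alive:
                return i.computer
        return None

    def _fail_over(self, task):
        """Promote a live stand-by instance; record the gap if none is left."""
        for i in self.instances:
            if i.task == task and i.role == "stand-by" and i.alive:
                i.role = "active"
                self.events.append(f"{task}: active on {i.computer}")
                return True
        self.events.append(f"{task}: NO STAND-BY LEFT")
        return False

    def task_fault(self, task, computer):
        """A task takes itself out of service (e.g. its printer is unreachable)."""
        for i in self.instances:
            if i.task == task and i.computer == computer and i.alive:
                i.alive = False
                if i.role == "active":
                    self._fail_over(task)

    def computer_fault(self, computer):
        """A whole computer is taken out of service: every instance on it is lost."""
        for i in self.instances:
            if i.computer == computer and i.alive:
                i.alive = False
                if i.role == "active":
                    self._fail_over(i.task)


def figure_4():
    """The placement shown in Figure 4."""
    return Supervisor([
        Instance("DataBaseManager", "computer1", "active"),
        Instance("PrinterManager", "computer1", "stand-by"),
        Instance("DataBaseManager", "computer2", "stand-by"),
        Instance("LogManager", "computer2", "active"),
        Instance("LogManager", "computer3", "stand-by"),
        Instance("PrinterManager", "computer3", "active"),
    ])


def printer_fault_example():
    """Active printer manager on computer 3 loses its printer."""
    sup = figure_4()
    sup.task_fault("PrinterManager", "computer3")
    return sup.active("PrinterManager")


def computer2_fault_example():
    """Computer 2 fails: log manager moves to computer 3, data-base manager stays on 1."""
    sup = figure_4()
    sup.computer_fault("computer2")
    return sup.active("LogManager"), sup.active("DataBaseManager")


def double_fault_example():
    """Computers 2 and 3 fail in turn: no stand-by is left for the log manager."""
    sup = figure_4()
    sup.computer_fault("computer2")
    sup.computer_fault("computer3")
    return sup.active("LogManager"), [e for e in sup.events if "NO STAND-BY" in e]
```

Because every stand-by instance is a running process rather than a dormant computer, a fault in the stand-by itself would be seen as an `alive` transition and reported like any other, which is the point made above about dormant redundant computers developing unnoticed problems.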

4 Configuration

The ILTIS software is completely generic. The same software runs in every installation. All installation characteristics (e.g. screen layout, hardware components, etc.) are configured from data which are read from files during system start-up. This allows ILTIS to be used in both small installations (with few computers) and large installations (with many computers). ILTIS can actually run on a single work-station if there are no safety aspects to be considered and if no stand-by capabilities are wanted.

A major advantage of developing a generic system is that the safety-critical parts need only be tested once and not for each new installation, which significantly reduces development effort and costs.

The generation of this data is not a trivial exercise and, as an integrated part of the ILTIS project, user-friendly data generation software has also been developed in parallel. This software ensures the data being generated is error-free, which is also an important factor in improving the safety and reliability of the CTC system.
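A consistency check of the kind such data generation software has to perform, as an added example that is not the ILTIS data generation software: it reads a constructed, JSON-shaped configuration and reports every cross-reference that does not resolve, the duplication problem named in the introduction (one element configured under two interlockings), and a stand-by placed on a computer that does not exist. The file layout, key names and all values are assumed for the example.

```python
# Added example (not ILTIS software): start-up configuration validator.
# The configuration format and every value in it are constructed.
import copy
import json

SAMPLE_CONFIG = json.loads("""
{
  "computers": ["computer1", "computer2"],
  "interlockings": {
    "ILK_A": {"elements": ["signal_A1", "points_A12"]},
    "ILK_B": {"elements": ["signal_B1", "points_A12"]}
  },
  "screens": [
    {"name": "overview", "elements": ["signal_A1", "points_A12", "signal_Z9"]}
  ],
  "tasks": [
    {"name": "LogManager", "active": "computer1", "standby": "computer3"}
  ]
}
""")


def validate(cfg):
    """Return a list of error strings; an empty list means the data is consistent."""
    errors = []
    owner = {}  # element name -> interlocking that configures it
    for ilk, body in cfg["interlockings"].items():
        for el in body["elements"]:
            if el in owner:
                errors.append(f"element {el} configured in both {owner[el]} and {ilk}")
            else:
                owner[el] = ilk
    for scr in cfg["screens"]:
        for el in scr["elements"]:
            if el not in owner:
                errors.append(f"screen {scr['name']} refers to unknown element {el}")
    computers = set(cfg["computers"])
    for t in cfg["tasks"]:
        for role in ("active", "standby"):
            if t[role] not in computers:
                errors.append(f"task {t['name']}: {role} computer {t[role]} does not exist")
        if t["active"] == t["standby"]:
            errors.append(f"task {t['name']}: active and stand-by on the same computer")
    return errors


def fixed_config():
    """The sample with its three defects corrected."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    cfg["interlockings"]["ILK_B"]["elements"].remove("points_A12")
    cfg["screens"][0]["elements"].remove("signal_Z9")
    cfg["tasks"][0]["standby"] = "computer2"
    return cfg


if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG):
        print(line)
```

Running the validator before start-up, rather than letting a dangling reference surface as a blank symbol on a station-master's screen, is the cheap half of the "error-free data" requirement; the expensive half, that the data describes the real track layout, still needs a review against the interlocking documentation.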

5 Conclusions

Experience with ILTIS from the three installations currently in service has shown that users adapt very quickly to their new work-environment. Through the integrated MMI, a user issues all commands in a standard fashion, independent of whether the command is for an interlocking or for automatic functions. The handling is intuitive and new users require relatively little training.

As much as possible, ILTIS has been designed to be hardware independent. This offers protection against rapid changes in architecture and ensures that ILTIS will enjoy a long product lifetime.

1. Rowden, N.T. An integrated control and supervisory system for railway networks, in Aspect 95, pp 6-9 to 6-17, Proceedings of the International Conference on Advanced Railway Control, London, England, 1995

2. Pixley, D., Rowden, N.T., Aepli, A. Verfahren zur Gewährleistung der signaltechnischen Sicherheit der Benutzeroberfläche einer Datenverarbeitungsanlage, German patent DE 43 06 470 C2

3. Pixley, D., Rowden, N.T., Aepli, A. Verfahren zur Gewährleistung der signaltechnischen Sicherheit der Benutzeroberfläche einer Datenverarbeitungsanlage, Swiss patent CH 683953 A5
