This document discusses safety concepts and practices in railway signalling. It covers fail-safe principles, redundancy techniques, and self-check methods used to ensure safety in signalling systems. The key points are: 1) Signalling systems are designed to be fail-safe, meaning any failure will result in a safe reaction by defaulting to the lowest energy state. This is achieved through mechanical and electrical designs. 2) Microprocessors are not inherently fail-safe, so redundancy and self-checks are used to monitor for faults and ensure safe operation. Techniques include dual hardware, triple modular redundancy, and watchdog timers. 3) Railway interlocking systems are designed so that running signals cannot be lowered unless routes are set

1. Safety Concept &
Practices in Signalling
Presented by
Shiv Mohan
ATC&S Manager
Serco Dubai Metro

2. Signalling and Safety Systems
Point
machine
Point machine
Axle counting
Intermittent
automatic train control
system EUROBALISE
Intermittent
train control
system
Control room
Computer room
Continuous
automatic train
control system
Continuous
automatic train
control system
Axle counting
Interlocking
S- bond

3. Signalling Overview
A T O
A T S
A T P I S
Safety Layer
Automatic Train
Supervision
Interlocking
Automatic Train
Operation
Automatic Train
Protection

4. What is Fail Safety?
 Failures- whether Equipment or Human
 - can be minimized
 -but can not be eliminated
 Therefore, steps are required to be taken to ensure that there
is no unsafe effect of failure
 Signalling Systems are designed in such a way that every
Failure has a safe Reaction
 This is called Fail – Safe Principle

5. Fail – Safe Principle
 Fundamental principle of design of Signalling
system is:
 --- safe state corresponds to the lowest energy level
 --- to keep the system in a permissive state, constant
energy/effort should be applied
 This ensures that due to any inadvertent situation or
failure,the system comes back to the state of lowest
energy—ie. Safe Sate

6. Normal system
design
Fail safe Signalling
System design
Equipment
Failure Equipment
Failure
Safe
reaction
Unsafe
reaction
Safe
reaction
Unsafe
reaction

7. Fail - safety
 Fail – safe Principle is adopted in the design of all
signalling systems- mechanical, relay based as well
as software based systems
 Example- Semaphore Signal
 -Mechaniical design is such that”stop” aspect is the stable state
 -Constant Force required to keep required to keep the signaling “
proceed” aspect.
 Signal returns to “stop” aspect in case of breakage of transmission wire
or any other failure.

8. Fail – Safety-Examples
 Signalling Relays:
 -Stable state- Dropped (Maintained by gravity/spring
action)- safe state
 - Red signal aspect controlled by Relay-” dropped”- which
is lowest energy state.
 - permissive aspect controlled by Relay –”picked up”
 - Constant current required to maintain the relay in “picked
Up”

9. Software Based Systems
 Software based Signalling systems require
repeated positive action to be taken to be
taken by- both,software as well as hardware
to keep it in permissive state.
 Disruption of this positive action due to any
failure results into reversion of the system to
safe state.

10. Microprocessor and other
component
 Disadvantage
 Are not fail safe
 Don’t have well
defined failure modes
 Are not reliable enough
to meet 10-9 unsafe
failures/our. They are
approx. 10-5 to 10-6

 Advantage
 Speed
 ability to perform
complex task
 Miniature size
 Low price

11. Then How is Safety Achieved?
 Employ more resources than required
(redundancy)(both hardware & software)
 Self check procedures to detect a fault within
given time period dt such that prb. Of
occurance of a fault within dt is <10-9
 watchdog timers

12. What is Redundancy?
 Redundancy:
 Is the use of additional resources(whether hardware or
software) than required for the normal functioning of the
system
 The additional resources should be configured judiciously to
obtain max. advantage in terms of safety and reliability
 The amount and type of additional resources and its
configuration will depend on the safety and reliability
requirements.

13. OR
UNIT 1
UNIT 2
PF =P2 , PWSF =2P
AND
UNIT 1
UNIT 2
PF = 2P , PWSF =P2
PF =Probability of failure
PWSF =Prob.of wrong
side failure
Safety Availability
This Will not increase safety

14. Types of redundancy
 Dual hardware redundancy
 Dual hardware redundancy with 100%
standby
 Triple modular redundancy(TMR)
 Software redundancy-single hardware

15. Dual hardware Redundancy
(2 oo2)
Assumption : both units of hardware will not fail
simultaneously
comparator
Unit 1
Unit 2
PF = 2P, PWSF = P2

16. Dual HW red+100% standby
(2-2oo2)
Subsystem1
Subsystem 2
OR
Unit1/A
Unit 2/A
Unit 1/B
Unit 2/B
Comparator A
Comparator B
PF =4P2
PWSF = 2P
2

17. Triple Modular Red.(TMR)
(2oo3)
Asmpn: 2 units will not fail simultaneously
Unit 1
Unit 2
Unit 3
PF = 3P2
PWSF =3P2
Majority voter

18. Software redundancy- single
hardware
Assmpn: independent Softwares will react
differently for a HW fault
Software A
Software B
comparator
Single hardware

19. Self Check & Watchdog timers
 Periodical check of microprocessor,
buses,memory, peripheral especially input
circuits
Watchdog timers-within specified time
window if command is not received then
system goes to safe state.

20. Essentials of Interlocking
(as per indian railway SEM)
 It shall not be possible to take ‘OFF’ a running signal, unless all points
including isolation are correctly set, all facing points are locked and all
interlocked level crossing are closed and locked against public road for the
line on which the train will travel including overlap.
 After the signal has been taken ‘OFF’ it shall not be possible to move any
points or lock on the route, including overlap and isolation, nor to release
any interlocked gates until the signal is replaced the ‘ON’ position.
 It shall not be Possible to take ‘OFF’ at the same time, any two fixed
signals which can lead to any conflicting movements.
 Where feasible, points shall be so interlocked as to avoid any conflicting
movement.