Importance of Software Testing in Safety of Railway Interlocking Systems
Poushali Pal, AMIEEE, M.Tech in Information Technologies, Test Automation Lead at Wipro Technologies
Introduction
The railway signalling apparatus must be arranged in a pre-calculated and defined manner to prevent conflicting paths for train movements through a junction. Movement authority can be given depending on the condition of field elements, e.g. track circuits or axle counters, points, signal lamp indications, level-crossing gates and sidings. This arrangement is called interlocking: a green signal cannot be given to a train unless the corresponding route is proven safe. Multiple safety guidelines are to be followed when generating selection tables for decision making.
Points, track circuits, level-crossing gates, crank handles, control keys for sidings, route indicator signals and the Station Master's panel must work in tandem to create a safe route for the train to pass. The interlocking safety logic is realised by control tables, a set of rules to be followed. Below is a state-transition diagram:
Selection Table - Example Double Line Yard with loop lines
Selection Table for Double Line Yard with loop lines
Software Modules in Railway Interlocking
- Route Controller Module
- Signal Clearance Module
- Input Data Read Module
- Output Data Read Module
- Point Read Module
- Panel Read and Indication Module
- Vital Power Killing Module
- Diagnostic Module
- Self-Diagnostic Module
- Watchdog Timer
- POST (Power-On Self-Test)
Algorithm for Computer-Based Interlocking
1. Check for authorisation of panel operation by scanning for the SM key inserted.
2. Check for a signal request by scanning the signal button inputs.
3. Check for a route request by scanning the route button inputs.
4. Check the positions of points in the route and overlap; lock the points in the desired position.
5. Check for any route cancellation request by scanning the cancellation button input.
6. Check for a conflicting route preselected, if any.
7. Check that the track sections in the route and overlap are free.
8. Check that the route has been released after the last train.
9. Check that the crank handle is inserted and locked.
10. Check that the level-crossing gate is locked in the route and overlap.
11. Check that the siding is normal.
12. Check that the aspect of the signal ahead is glowing.
13. Set the route and then hold the route.
14. Check that the conflicting route indicator lamps are not glowing.
15. Clear the signal for the desired route.
16. Release the route sequentially after the train passes the signal.
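The route-setting sequence above written as a fail-safe check, added here as an illustration and not taken from the original slides or from any interlocking product; the Route and YardState records, the element names and the DANGER/CLEAR result are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Route:                # constructed route record (assumption, not a real control table)
    name: str
    points: dict            # point id -> required position ("N" or "R")
    tracks: tuple           # track sections in route and overlap; all must be free
    conflicts: tuple        # routes that may not be set at the same time
    gates: tuple = ()       # level-crossing gates that must be locked
    signal_ahead: str = ""  # next signal whose lamp must be proved glowing

@dataclass
class YardState:            # constructed snapshot of the field inputs
    sm_key_inserted: bool
    point_positions: dict   # point id -> detected position
    points_locked: set
    free_tracks: set
    routes_set: set
    crank_handles_locked: bool
    gates_locked: set
    sidings_normal: bool
    lamps_lit: set

def check_route(route: Route, yard: YardState) -> list:
    """Run the interlocking checks; return the failures (empty means proven safe)."""
    failures = []
    if not yard.sm_key_inserted:
        failures.append("panel not authorised: SM key not inserted")
    for pt, pos in route.points.items():
        if yard.point_positions.get(pt) != pos or pt not in yard.points_locked:
            failures.append(f"point {pt} not detected and locked {pos}")
    if set(route.conflicts) & yard.routes_set:
        failures.append("conflicting route already set")
    for tc in route.tracks:
        if tc not in yard.free_tracks:
            failures.append(f"track section {tc} occupied")
    if not (yard.crank_handles_locked and yard.sidings_normal):
        failures.append("crank handle not locked or siding not normal")
    for gate in route.gates:
        if gate not in yard.gates_locked:
            failures.append(f"level crossing {gate} not locked")
    if route.signal_ahead and route.signal_ahead not in yard.lamps_lit:
        failures.append(f"signal ahead {route.signal_ahead} not proved glowing")
    return failures

def request_signal(route: Route, yard: YardState) -> str:
    if check_route(route, yard):      # any failed check keeps the signal at danger
        return "DANGER"
    yard.routes_set.add(route.name)   # set and hold the route, then clear the signal
    return "CLEAR"
```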
Safety-Specific Checks on Data
- Cyclic Redundancy Check (CRC): uses polynomial division. Simplest form: parity check.
- Bit Matching: Port A takes the normal input. Port B takes the reversed and complemented input. The output at B is reversed and complemented again and then compared with that of A.
- See-Saw Mode: two processors read the same input and process alternately, so undesirable or erroneous data can only affect one of them.
- Feedback Mode: all outputs are fed back to the inputs for a double check.
Diagnostic Module
Self-Check and Redundant Processor Check. The Redundant Processor Check compares the outputs of the redundant processor with its own outputs. The Self-Check performs the following checks:
- RAM Check
- ROM Check
- I/O Check
- Data Loop and Address Bus Check
- Self and Inter-Processor Communication Module
- Self-Diagnostic Module
- Watchdog Timer
- Alarm Display Module
- Shutdown Management Module
Hazard Analysis
The following activities are to be performed during hazard analysis:
- Define the system.
- Identify hazards: perform functional analysis.
- Classify and assess hazards: develop a preliminary list of possible hazards.
- Establish hazard control baselines by identifying the existing ones.
- Identify contributory hazards, initiators and their potential outcomes or effects.
- Rank hazards according to risk and severity.
- Develop recommendations to resolve hazards.
- Track hazards and follow up until closure.
Software FMEA Procedure: FMECA for Railway Interlocking Software
Fault Tree Analysis (FTA) for Railway Interlocking Software
Safety Standards to be Followed
CENELEC EN 50128 and Safety Integrity Levels (SIL). As per CENELEC EN 50128, for SIL 4 equipment, formal proof, probabilistic testing, static analysis, dynamic analysis and a testing traceability matrix are highly recommended.
Software Testing Methodologies to Use
- Unit Testing
- Software Module Integration Testing
- System Software Integration Testing
- Hardware-Software Integration Testing
Software Tests: Goals and Objectives
- Compliance with functional requirements.
- Repeatability, validated with balanced space-time complexity.
- Ability to perform static and dynamic analyses and cause-effect diagrams.
- Software quality assurance against systematic faults.
- Enable defect tracking and management.
Diagnostic Module Tests
- RAM Test: during the Power-On Self-Test, data is written to each memory location and read back. Any mismatch is reported.
- ROM Test: the ROM is divided into many 2K blocks; for each block a CRC is calculated and compared with the pre-computed CRC. Any mismatch is reported.
- Card Presence Test: checks for the presence or absence of the cards in the motherboard slots using binary notation (0 or 1).
Conclusion
A hybrid testing approach, combining the aforementioned testing methodologies with the benefits of automation and compliance with safety standards like CENELEC EN 50128 and SIL, could create a baseline for an automated testing framework for computer-based railway interlocking that ensures a safe, tested and standardised system with minimal risk and hazards.
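The CRC and bit-matching checks from the safety-specific data checks, together with the block-wise ROM test from the diagnostic module tests, as one added example; this is illustration code, not from the original slides or any interlocking product. The CRC-16/CCITT polynomial, the 2 KiB block size, the 8-bit port width and the ROM contents are assumptions made for the example.

```python
BLOCK = 2048   # assumed "2K" block size for the ROM test

def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC: polynomial division of the data by poly, remainder returned."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def rom_reference_crcs(rom: bytes) -> list:
    """Pre-computed CRC per block, as it would be stored at build time."""
    return [crc16(rom[i:i + BLOCK]) for i in range(0, len(rom), BLOCK)]

def rom_test(rom: bytes, reference: list) -> list:
    """Power-on ROM test: recompute each block's CRC; return indices that mismatch."""
    return [n for n, ref in enumerate(reference)
            if crc16(rom[n * BLOCK:(n + 1) * BLOCK]) != ref]

def reverse_complement(value: int, width: int = 8) -> int:
    """What port B receives: bit order reversed, then every bit complemented."""
    rev = int(f"{value:0{width}b}"[::-1], 2)
    return (~rev) & ((1 << width) - 1)

def bit_match(port_a: int, port_b: int, width: int = 8) -> bool:
    """Reverse and complement port B's value again and compare it with port A."""
    return reverse_complement(port_b, width) == port_a

# constructed ROM image: a repeating byte pattern, exactly three 2K blocks
ROM = bytes(range(256)) * 24
REFERENCE = rom_reference_crcs(ROM)

def demo():
    """Run the ROM test on the intact image and on a copy with a one-bit fault."""
    corrupted = bytearray(ROM)
    corrupted[BLOCK + 7] ^= 0x01          # single-bit fault inside block 1
    return rom_test(ROM, REFERENCE), rom_test(bytes(corrupted), REFERENCE)
```

A common-mode fault that drives both ports to the same value (all ones, say) is caught because the reversed-and-complemented copy no longer decodes to port A's value.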