New Distribution Paradigms for Railway Interlocking

Abstract

We discuss a new “flavour” of distributed interlocking systems, where the proper interlocking logic is allocated on cloud computers using conventional (i.e. commercial-off-the-shelf) multi-core hardware and operating systems. The servers in the cloud communicate with intelligent track elements over internet connections. Interlocking logic may even be geographically distributed on more than one server farm, introducing a new dimension of fault tolerance. This technology has been announced 2018 by Siemens Mobility, and the certification is currently underway. In this paper, it is analysed how the new distribution concept affects verification, validation, and certification. In particular, the complexity of the cloud system suggests to create a collection of scenario models instead of a single comprehensive model specifying the expected behaviour of the system. The use of scenario models is well known from the autonomous vehicle domain, but, to our best knowledge, it is the first time that this approach is also applied in the railway domain. We discuss verification-related and test-related implications of the scenario approach. In particular, solutions are proposed for determining whether a collection of scenario models is complete, and for deciding whether sufficient test coverage has been achieved for a given scenario. The material presented here is based on a collaboration between Siemens and Verified Systems International, a company specialised on verification and validation of safety-critical systems.