Signaling systems archive - Prover - Engineering a Safer World
https://www.prover.com/categories/signaling-systems/
Interlocking Design Automation to meet demand for complex digital train control
Tue, 24 Mar 2026 11:46:50 +0000

COTS – A key enabler of open signaling
https://www.prover.com/cots/cots-a-key-enabler-of-open-signaling/
Wed, 10 Dec 2025 11:50:00 +0000

The Open signaling Initiative is transforming how railway and metro signaling systems are delivered.

By combining modular technology, collaboration, and open standards, it reduces vendor lock-in, cuts lifecycle costs, and creates space for innovation.


From closed systems to open standards

Across the railway industry, many infrastructure managers are still operating relay-based signaling systems. They work – but maintaining them is costly, spare parts are disappearing, and the expertise required to service them is becoming harder to find. At the same time, demands for higher capacity, improved safety, and faster modernization are growing. Increasing train traffic, automation initiatives, and stricter safety standards are accelerating this transformation.

To move forward, the industry needs to shift from proprietary, vendor-specific systems to open and standardized architectures. This is the foundation of open signaling – which promotes interoperability and vendor independence for the next generation of railway signaling systems. At the heart of this transformation lies COTS – Commercial Off-The-Shelf components.

What COTS means for railway signaling

COTS refers to standard, industrial components – such as PLCs or I/O systems – that are already available on the market. The term originates from the software industry and refers to ready-made, industrial solutions that can be integrated with minimal customization. Unlike proprietary hardware developed for a single supplier’s platform, COTS enables signaling systems to be built on open, accessible technology.

For the railway sector, this brings several advantages:

  • Flexibility: Hardware can be replaced or upgraded without redesigning the entire system.
  • Vendor independence: Infrastructure managers are no longer locked into one supplier.
  • Cost efficiency: Using standard components reduces lifecycle and procurement costs.
  • Scalability: Systems can be deployed and adapted more easily across networks.

But more importantly, COTS is not just about cost or convenience – it’s what makes open signaling technically and commercially possible.

Prover’s role – safety through formal methods

Using COTS in signaling introduces new opportunities, but also new challenges, especially when it comes to how safety is demonstrated. If signaling hardware becomes open and interchangeable, and the signaling principles are moved to software, then much of the safety validation must move to software too.

Experience from modernization projects shows that using digital twins is an effective way to manage this transition. Digital twins allow infrastructure managers to test, validate, and verify the principles behind new COTS-based systems before deployment – ensuring full safety integrity throughout the process. Prover’s use of formal methods, i.e., mathematical proof-based verification, ensures that safety-critical software behaves exactly as intended, regardless of the underlying hardware platform.

With this approach, operators can safely adopt COTS-based systems while maintaining the same rigorous safety assurance as in traditional, proprietary systems.

Migration: from relay to open architecture

For many infrastructure managers, the journey starts with migration. Moving from aging relay-based systems to COTS-based platforms is often the first practical step toward open signaling.

A concrete example is the Stockholm Metro modernization, where Prover and partner Cactus introduced COTS-based PLCs while retaining existing relay interlockings. Using a five-step migration process supported by digital twins, the project achieved a smooth transition to a modernized architecture – reusing proven logic and ensuring safety through formal verification. This approach reduces risk, ensures continuity, and creates a future-proof foundation for digital evolution. Read more about Relay Signaling Migration here.

Open signaling – a shared vision for the industry

Open signaling is not a product; it’s a concept and a way of thinking. By combining open interfaces, standardized hardware (COTS), and formally verified software, the railway industry can build signaling systems that are:

  • Software-driven, through verified logic
  • More efficient, through shared standards
  • More sustainable, through reduced lifecycle complexity

Prover’s contribution to open signaling is to make this vision practical – transforming safety-critical verification into a digital, automated process that supports an open and innovation-driven railway ecosystem. Read about the Open Signaling Initiative here.

Shaping the future of railway signaling

COTS is more than a hardware choice; it’s a catalyst for change in railway signaling modernization. It enables the shift from closed, proprietary systems to open, future-proof architectures where flexibility, safety, and innovation coexist. Together with open signaling principles, COTS paves the way for a modern and future-ready railway infrastructure. And with Prover’s expertise in safety verification and signaling software, the industry can move forward with confidence – building signaling systems that are open, interoperable, and safe by design.

Prover and BHEPL Partner to Bring Signaling Design Automation to India
https://www.prover.com/safety/prover-and-bhepl-partner-to-bring-signaling-design-automation-to-india/
Thu, 27 Nov 2025 09:10:00 +0000

At Prover, we are proud to announce our strategic collaboration with BHEPL (Bharat Heavy Engineering Private Ltd) to introduce advanced Signaling Design Automation solutions to India’s rapidly expanding railway sector.

Empowering the Future of Indian Railways

India is undertaking one of the world’s largest railway modernization initiatives, with KAVACH — the nation’s indigenous Automatic Train Protection (ATP) system — at its core. Through this partnership, Prover and BHEPL will focus on automating data preparation and verification for KAVACH deployments, enabling suppliers to streamline engineering workflows, reduce manual errors and improve overall safety. 

Leveraging Prover iLock, BHEPL will customize and automate the generation of essential datasets such as RFID tag layouts, control tables, gradient plans and other key KAVACH project deliverables. These activities, traditionally performed manually over several weeks, can now be completed in a fraction of the time with higher accuracy and consistency. 

Extending Automation to Metros and Beyond

Our collaboration extends beyond KAVACH. Prover and BHEPL are actively working with metro operators, Indian Railways, and signaling suppliers to explore broader automation opportunities ranging from interlocking design to CBTC (Communication-Based Train Control) software development. Together, we aim to accelerate the deployment of safe, efficient, and digitally verified signaling systems across India.

A Shared Commitment to Safety, Reliability, and Efficiency

“India’s railway modernization drive presents an incredible opportunity to showcase how automation and formal methods can enhance safety, reliability and cost efficiency,” says Gunnar Smith, Chief Product Officer at Prover. “BHEPL’s strong engineering expertise, combined with our globally proven automation tools, is a powerful combination for achieving these goals.” 

Sudhir Reddy, Director at BHEPL, adds: 
“By partnering with Prover, we aim to bring world-class automation and verification capabilities to Indian Railways and metro systems. This collaboration aligns perfectly with India’s vision for a digitally transformed rail ecosystem. The automation tools and products we are co-developing with Prover will be a significant technological advancement for Indian Railways.” 

Introducing Prover iLock for KAVACH: Generative-AI–Driven Design Document Automation for Indian Railways

Prover and BHEPL are launching a Generative AI-powered solution, based on Prover iLock, designed specifically for automating signaling and KAVACH engineering documentation. 

This solution, co-engineered with BHEPL, uses Generative AI, formal methods and rule-based validation to: 

  • Generate, verify and standardize complex signaling documents 
  • Interpret datasets such as SIPs, TOCs, gradient plans and RFID tag layouts 
  • Produce RDSO-compliant outputs automatically 
  • Reduce engineering cycle times from weeks to hours 

With adaptive learning models tailored to Indian Railways, Prover iLock understands and evolves with: 

  • National railway standards 
  • KAVACH-specific data structures 
  • Interlocking principles 
  • RFID-based control logic 

This enables Prover iLock to function not only as a documentation tool but also as a simulation, verification and validation environment capable of: 

  • Virtual testing of KAVACH configurations 
  • Simulating interlocking behavior 
  • Verifying tag placement logic 
  • Ensuring fail-safe operation before field implementation 

These capabilities significantly reduce on-site testing time and accelerate certification. 

Upcoming CBTC Automation Module

Prover and BHEPL are finalizing a CBTC design automation module, marking a major advancement for India’s metro signaling ecosystem. By integrating Prover’s proven formal verification technologies, the CBTC extension will automate the generation and verification of: 

  • Zone Controller and ATS control logic, including routing rules, interlocking behavior and operational constraints 
  • Movement authority and speed profile logic, consistent with moving block or quasi-moving block CBTC principles 
  • Interface and communication message definitions, ensuring correctness of onboard-trackside and ATS-DCS interactions 

This automation significantly reduces manual engineering effort, enhances functional safety and accelerates delivery of highly reliable, digitally verified CBTC systems – supporting India’s transition toward a fully automated, safety-assured metro network. 

About Prover 

Prover is a global leader in signaling design automation and formal verification, helping rail operators and suppliers deliver safe, certifiable signaling systems faster and more efficiently. Our tools are deployed worldwide to automate the design, verification and validation of rail control systems. 
Learn more at www.prover.com. 

About BHEPL

BHEPL (Bharat Heavy Engineering Private Ltd) is an Indian engineering company specializing in railway signaling, electrification and automation. With a strong presence in national infrastructure projects, BHEPL delivers end-to-end solutions to Indian Railways and metro systems, contributing to India’s ongoing modernization efforts. 
Learn more at www.bhepl.com.

CentraleSupélec students taste Signal Design Automation
https://www.prover.com/safety/centralesupelec-students-taste-signal-design-automation/
Tue, 25 Nov 2025 07:20:19 +0000

Another year working with the talented students of CentraleSupélec in Paris during an intensive week of railway system engineering using the latest Prover tools.

Exploring the interlocking’s full lifecycle

Our goal was to help them explore the entire lifecycle of a railway interlocking system, from layout design and safety requirements to formal verification and testing, all supported by Prover Studio and Prover iLock. The challenge was to build a complete railway line with 7 interlockings, prove the safety of the line, and simulate the behaviour of the whole system.

We began by introducing the fundamentals of railway signalling and explaining what an interlocking is. Equipped with this knowledge, the students first debugged an existing interlocking system following fundamental signalling principles by using formal verification.
Once confident, they defined and verified new safety requirements, created test cases, and implemented a manual release feature, addressing design, safety, and testing aspects within a single, integrated workflow.

Impressive Progress and Collaboration

We extend our warmest thanks to the CentraleSupélec students for their commitment and enthusiasm throughout the week. They impressed us with how quickly they picked up our tools and modelling language and dealt with the complexities of the railway domain. Special thanks also go to Idir Ait Sadoune and the teaching team for renewing their trust in us again this year.

At Prover, we firmly believe that introducing formal methods and signalling engineering to the next generation of engineers is essential for building safer and more reliable railway systems. We look forward to seeing these talented students again, in the railway industry or the field of formal verification, as they help engineer a safer world.

Formal Safety Verification – How to deliver 100% safe and compliant rail control systems without time delay
https://www.prover.com/safety/formal-safety-verification-railway-safety/
Fri, 14 Nov 2025 11:32:20 +0000

The challenge of verifying safety in complex rail systems

Imagine a train weighing thousands of tons, moving at 200 km/h – and hundreds operating simultaneously across a network, guided only by software and signals. When everything works as intended, operations are seamless. However, if something goes wrong, the consequences can be catastrophic, including lives at risk, infrastructure damage, and service disruption.

Over the past decades, railway control systems have grown increasingly complex. Testing and manual reviews remain essential, but they can no longer ensure full coverage. The number of possible system states is simply too vast: in many cases, there are billions of combinations that no test suite could ever exhaust. Traditional methods show the existence of bugs, not their absence.

A new era of railway safety verification

Formal Safety Verification (FSV) is a breakthrough approach that utilizes mathematical proof to ensure a system meets its safety requirements in every possible state. Instead of relying on selected test cases, engineers use models and automated verification tools to prove exhaustively that no unsafe scenario can occur.

Prover’s Formal Safety Verification solution makes this process industrially viable. It integrates proven formal methods with efficient tooling to verify complex rail control systems at scale, across all Safety Integrity Levels (SIL 0-4) and in compliance with CENELEC standards EN 50716, EN 50126, EN 50128, and EN 50129.

How safety is usually handled

In EN 50126, safety is an independent process that starts with the identification of all potential hazards that can affect your system. Then, provided the likelihood of these risks is high enough, some mitigation is added as an extra requirement to the development of the system, with a dedicated SIL level.

For instance, a function of the control system will be tagged as SIL4, and the means to address this criticality is to develop this function following the EN 50716 process, with testing and reviews, and even formal proof to verify that the requirements are correctly implemented. The safety case then collects evidence that the whole process covers these risks, by the book.

From traditional testing to formal proof

Traditional verification relies heavily on reviews and test campaigns that are both labor-intensive and prone to human error. Engineers spend valuable time ensuring coverage and tracking potential corner cases: test scenarios are based on the experience or imagination of the test team.

Formal Safety Verification changes the paradigm. Instead of ensuring that the requirements are implemented as they should be, the new process begins with the hazards themselves, utilizing a model of the system design in a formal language to create a digital twin of the control system. Automated model checkers then verify the model against every hazard, independently of its mitigation. If issues exist, they are presented as high-level scenarios, such as train movements or route conflicts, enabling engineers to pinpoint and resolve potential hazards early.

The result: complete coverage, faster verification cycles, and certified safety evidence generated automatically.

Introducing Prover Diagnostic

At the heart of Prover’s solution lies Prover Diagnostic – a packaged, hazard-based formal verification tool that identifies and eliminates potential safety risks before deployment.

Prover Diagnostic integrates:

  • Safety properties, derived from system hazards (e.g., collision or derailment scenarios).
  • Environment models, defining real-world constraints such as the behavior of wayside components (e.g., switch machines), train movement logic, and operational procedures.
  • Formal system models, automatically generated or imported from existing design data.

Together, these components form a rigorous verification process in which hazardous states are either proven impossible or clearly reported for review. Prover Diagnostic ensures 100% coverage, a feat no test-based approach can match.

Proven in leading railway projects

Formal Safety Verification isn’t theoretical – it has been field-proven for many years.

  • Stockholm Metro uses Prover’s formal methods for both computerized and relay-based interlockings, supported by digital twins for system-level modeling. The approach enables competition among signaling suppliers, reduces lifecycle costs, and ensures consistent safety assurance across upgrades.
  • RATP (Paris Metro) applies hazard-based formal verification using Prover tools to validate CBTC systems from multiple suppliers.
  • Alstom, one of the world’s largest rail suppliers, integrates formal methods with Prover PSL and Prover Certifier in its global verification process, enabling exhaustive, automatic safety demonstrations from design through implementation.

These projects demonstrate the maturity and scalability of Formal Safety Verification in real-world railway environments. In many cases, the process reveals and allows for the correction of critical bugs missed by traditional testing.

Formal Safety Verification: a summary of the benefits

  • 100% safety requirement coverage – mathematically proven, not sampled.
  • Early detection of design issues – reducing rework and project delays.
  • Certified safety evidence – supporting compliance with international standards.
  • Reduced testing and review effort – accelerating delivery while improving reliability.
  • Field-proven solution – trusted by leading metros, railways, and signaling suppliers worldwide.

Ready to prove safety with certainty?

Formal Safety Verification empowers rail engineers to deliver provably safe systems – faster and with complete confidence.

Watch the on-demand webinar to learn how Prover’s solution works, explore real-world case studies, and see how formal methods can transform your railway safety verification process.

Launch of the Open Signaling Initiative
https://www.prover.com/webinar/launch-of-the-open-signaling-initiative/
Thu, 15 May 2025 15:55:41 +0000

Introducing the Open Signaling Initiative – for freedom and adaptability in modern rail and metro signaling.

Inspired by the modularity and flexibility of earlier relay-based systems, the Open Signaling Initiative redefines how rail and metro signaling systems are developed, deployed, and maintained.

RECORDED WEBINAR

Signaling systems

Recorded on June 11, 2025

The Open Signaling Initiative redefines how rail and metro signaling systems are developed, deployed, and maintained.

Signaling systems are today delivered as closed systems that have made customers dependent on the supplier for decades. When support and maintenance agreements expire, it is not uncommon that the whole system needs to be replaced, at high costs and with long service interruptions. Open signaling changes this paradigm entirely.

Inspired by the modularity and flexibility of earlier relay-based systems, and by open systems in domains such as IT/ICT, open signaling reintroduces freedom and adaptability into modern rail and metro signaling. It promotes open, modular, and interoperable architectures where independent components from different suppliers can seamlessly work together.

Agenda:

  • Introduction to the Open Signaling Initiative
  • Key principles for open signaling
  • Prover's contribution to open signaling
  • The roles in open signaling projects
  • How to become a part of the movement and the ecosystem

Speakers
Jesper Carlström
COO and Open Signaling Lead at Prover

How to successfully migrate existing interlocking systems to an Open Signaling solution
https://www.prover.com/webinar/migrate-existing-interlocking-systems-to-open-signaling/
Mon, 10 Mar 2025 11:02:17 +0000

On-demand webinar recorded on April 9. Discover the step-by-step approach to transitioning from relay-based systems to an Open Signaling solution.

ON-DEMAND WEBINAR

Signaling systems

Recorded on April 9, 2025

Overcoming challenges with automation & digital twins

Interlocking systems based on relays and mechanics have reliably powered railway operations for decades, but with expertise disappearing and spare parts becoming scarce, the urgency to modernize is growing. While these systems may remain in use far beyond 2030, the risk of operational disruptions and compatibility challenges is increasing. How can rail operators ensure a smooth and secure transition to modern signaling solutions?

This webinar explores how Signaling Design Automation, digital twins, and formal methods can simplify the migration process in controlled steps. Our experts explain the step-by-step approach to transitioning from relay-based systems to an Open Signaling solution that minimizes risks, reduces costs, and ensures compliance.

Agenda:

  • Common barriers preventing migration and how to overcome them
  • Recommendation for how to take your first steps toward migration
  • How to do a migration in controlled steps enabling an Open Signaling solution
  • Examples of successful migration projects
  • Q&A with the experts

Speakers
Mats Boman
VP Business Development at Prover

Benjamin Blanc
Solutions Manager at Prover

Simplified interlocking application engineering with Prover iLock for NEAT’s GeminiX platform
https://www.prover.com/signaling-systems/simplified-interlocking-application-engineering-with-prover-ilock-for-neats-geminix-platform/
Mon, 03 Jun 2024 08:59:29 +0000

Prover and NEAT have collaborated to demonstrate the benefits of using the Prover iLock tool suite for engineering interlocking applications executed on NEAT’s GeminiX platform.

Prover and NEAT are together demonstrating the benefits of using the Prover iLock tool suite for engineering interlocking applications executed on NEAT’s GeminiX platform. GeminiX is a SIL-4 generic product consisting of a real-time OS, redundant CPUs, and I/O modules. Prover iLock is a desktop tool for producing fully documented, tested and verified application software for railway signaling systems.

The demonstration includes:

  • The Prover iLock process for generating the interlocking logic from generic specifications and graphical configuration data, with
    • simulation-testing based functional testing,
    • formal safety verification, and
    • generation of C-code for execution on the GeminiX platform.
  • Execution on the GeminiX platform:
    • cross-compilation and execution of the generated C-code using a dedicated SIL-4 task on GeminiX-OS,
    • configuration of I/O, and
    • connection to Prover iLock for real-time hardware in the loop testing, with visualization of generated test cases and manual interaction.

The safe function of the generated application logic (C-code) can be formally verified with the SIL-4 T2 sign-off verification tool Prover Certifier, certified by TÜV Nord.

The demonstration has been set up in NEAT’s lab, with the GeminiX hardware connected to Prover iLock via a communication link, to provide simulation of wayside objects and a control panel, as shown in this video:

Highlights of the GeminiX platform include:

  • A complete Platform Documentation Package and Application Conditions, which describe and certify the compliance for applications up to SIL4 according to the EN50126/128/129 and IEC61508 standards.
  • A HW 2oo2 diverse reference architecture, that can be made redundant for reliability.
  • A real-time OS-like environment, GeminiX–OS, certified as a SIL4 Generic Product on its own and also certified several times into clients’ products. It is independent from the specific hardware, and includes its own complete Documentation Package.
  • A VHDL Source Code, which implements diagnostic routines and generic I/O, independent from the specific hardware, certified as a SIL4 Generic Product.
  • Several Reference Designs, implemented using different CPUs (Intel, AMD, ARM, …) and different bus architectures.

Signaling Design Automation with Prover iLock is a more efficient approach to developing rail control software, rooted in an engineering process based on formal methods, modelling, and automation. In addition to enhancing the development process, it also paves the way for standardization and more open systems, which is key to driving down the long-term costs of rail control. With a development process that is not tied to a specific signaling vendor, rail infrastructure managers can take control of the life cycle of their systems and can address issues such as obsolescence with more flexibility. The combination of Signaling Design Automation with the GeminiX platform is a good example of how these benefits can be realized for an interlocking system.

Prover and NEAT will showcase their joint solution later this year at InnoTrans and you are also welcome to request a demonstration online or onsite. Please come visit NEAT and Prover at InnoTrans in Berlin, September 24-27, 2024. You will find NEAT in Hall 27, stand 140 and Prover in Hall 3.2, stand 130. Looking forward to seeing you there!

To learn more about signaling design automation with Prover iLock please visit www.prover.com, and more information on the GeminiX platform is available at www.neat.it or www.geminix.com.

How safe and efficient are your rail control systems? Let’s find out!

How to ease the transition to a modern signaling system
https://www.prover.com/signaling-systems/how-to-ease-the-transition-to-a-modern-signaling-system/
Wed, 15 Mar 2023 10:21:43 +0000

The life cycle of your relay-based interlocking system has come to an end. Now what? 

For many infrastructure managers, the desire to embrace the digital age with the freedom and possibilities a computer-based interlocking (CBI) system can offer is clear. But making the decision to actually go through with the transition can be less straightforward. After all, it is never a small undertaking to upgrade an interlocking system, let alone switch to a completely new type of system. Luckily, there is a solution that can help ease the transition while giving you more control over the entire system development process—from writing specifications to commissioning and maintenance.

Why upgrade to a computer-based interlocking system?

When it comes time for a system upgrade, it can often feel like the easiest route would be to upgrade the current relay-based interlocking (RBI) system. And many do, for good reasons. RBI systems are simple, reliable, and have been proven in use for a long time. However, they can also hold you back.

Among other limitations, RBI systems have a limited amount of memory, which restricts the kind of functionality that can be added to modernize and keep up with changing system needs. Additionally, because relay is an old technique that is becoming less and less common, it can become difficult to access the resources needed to continue running an RBI system in the future, both in terms of spare parts and people who possess the necessary competence and education. There are also challenges related to the system upgrade transition itself. In order to write requirements for your new system, as an infrastructure manager, you must first understand how the current system works and, unfortunately, documentation for older RBI systems is either incomplete or missing.

Pros and cons of RBI systems

Pros | Cons
-----|-----
Reliable | Limited functionality
Proven in use for a long time | Documentation can be missing or insufficient
Simple | Competence hard to find or not available
Long life cycle (40 – 60 years) | Spare parts not manufactured anymore or hard to come by

CBI systems, on the other hand, can help you break free from the limitations and challenges of RBI systems, although there are some drawbacks to consider. CBI systems have shorter life cycles than RBI systems: 20-25 versus 40-60 years. They can also introduce increased complexity if used incorrectly. However, all in all, the benefits of upgrading to a CBI system far outweigh the drawbacks.

Instead of mechanical interlocking relays, modern CBI systems utilize interlocking computer software. This requires a shift in thinking. Since you are developing a computer program, you don’t have to restrict yourself to mimicking the setup of the old relay system. A CBI system offers greater capacity and freedom to build the system and functionality you want. Documentation and competence are more readily available. CBI systems can also be verified for meeting safety requirements using modern tools.  

Pros and cons of CBI systems

| Pros | Cons |
| --- | --- |
| Modern – interlocking computer software instead of mechanical interlocking relays | Increased complexity if used incorrectly |
| Increased functionality | Shorter life cycle (20 – 25 years) |
| Can be verified with modern tools | |
| Documentation and competence available | |
| Increased capacity | |

Easing the transition using a digital twin

If you have decided to go ahead and upgrade to a CBI system, the challenge remains of how to make the transition as smooth as possible without interfering with your existing system or disrupting traffic. The solution? Creating a digital twin. Encompassing your entire infrastructure—from stations, rolling stock, and signals, to the coordinating IT systems—a digital twin is a virtual, interactive replica of your physical system, asset or process, including its real-time characteristics and behaviors.

When it comes to determining how successful the transition to your new CBI system will be, writing clear specifications for the development of your new system is a critical first step. Any errors or omissions in your specifications will have a negative impact on the later steps in the tender and development process and, ultimately, determine whether or not you get the system you want. A digital twin will help you gather the input you need to write more accurate specifications from the start, and gain greater control over your system, from development and delivery to ongoing maintenance.

Gain system control and unlock new possibilities

Having a digital twin model of your current interlocking system will enable you to get the input you need to understand how your current system behaves, and specify requirements for the new system. You may decide to program the future system to act exactly the same, or perhaps you will decide to make improvements and remove any oddities present. You may even decide to add brand new functionalities. 

Prior to deciding on system specifications, your digital twin allows you to play around and test different functionalities and scenarios without interfering with the real physical system. If you are lacking any documentation, you can use the digital twin as a tool to conduct reverse engineering and fill in any information blanks. Once you are clear about how you want your new system to work, you can extract clear system requirements from the digital twin in the form of an object model describing all objects and their relations, inputs and outputs, and internal states.

After your chosen supplier has delivered the system, you can compare it against your digital twin model to verify that they have in fact developed a CBI that behaves according to your specifications and system requirements. During the implementation phase, your digital twin model can also prove useful for training purposes, helping ensure that employees are on board with the new system too. And once the system is ready and in service, the digital twin will enable you to maintain a detailed system overview and facilitate maintenance with greater ease.

Case study: Developing a digital twin for the Stockholm Metro

To understand what making the transition from an RBI to a CBI system might look like in practice, we recommend looking at a real-life example. When it came time for the Stockholm Metro to upgrade their rail control system, they contacted us at Prover to assist with the transition. We created a digital twin for their current system and worked incrementally, testing the replacement of a part of the total system with the new system. Because we had the digital twin, we could do it with minimal interference. This case study was mainly focused on the technical aspects. Doing the replacement for real will require verification, validation, and assessment according to EN 50126.

How to develop rail control software with signaling design automation and digital twins https://www.prover.com/guide/how-to-develop-rail-control-software-with-signaling-design-automation-and-digital-twins/ Fri, 23 Dec 2022 13:22:42 +0000 https://stage.prover.com/?p=12227 Learn how signaling design automation and digital twins will help your rail control project deliver on time and budget, illustrated with a real-life example.

The post How to develop rail control software with signaling design automation and digital twins first appeared on Prover - Engineering a Safer World.

Signaling systems

Signaling systems are a critical component of rail control infrastructure, ensuring the safe and efficient movement of trains. These systems use a combination of hardware and software to monitor train movements and communicate information to operators, enabling them to make informed decisions in real-time. With advanced features such as automatic train control and predictive maintenance, signaling systems are essential for modern rail networks. Read about our work below.

In this guide you will learn:

  • What is Signaling Design Automation
  • How to overcome costly barriers in rail control projects
  • Using Digital Twins in the Specification Process
  • Developing Rail Control Software with above tools


Table of Contents

  1. Introduction
  2. Signaling Design Automation and why You Need It
  3. Benefits of Signaling Design Automation
  4. Digital Twins in the Specification Process
  5. Developing Rail Control Software with Digital Twins and SDA
  6. Case study: Roslagsbanan
  7. Recommendations

Introduction

There is an easier route to rail control software development

How to Develop Rail Control Software with Signaling Design Automation and Digital Twins

In the endeavor to develop rail control software that meets demands for efficient rail transportation—both now and in the future—many of today’s infrastructure managers find themselves impeded by a number of frustrating roadblocks. These include long and unpredictable schedules, a general lack of control over systems, and dominant industry issues such as the current oligopoly of system suppliers.

Recognize these challenges?

As overwhelming as they may be, there is a solution that you as an infrastructure manager can use to overcome them and finally take control over your rail control software development projects. That solution is Signaling Design Automation (SDA) and Digital Twins, and they make it easier to procure, develop and maintain your system software while remaining adaptable to future possibilities.

What to expect from this guide

In this guide, we will run through the basics of how you, as an infrastructure manager, can use SDA and Digital Twins to develop rail control software. You will learn about the advantages of using these tools and how to use them in practice to gain the benefits in your software project. Finally, we will put all of our learnings into perspective with a real-life case study example, and then provide you with some recommendations you can move forward with. Let’s begin!

What’s preventing us from overcoming complexity in rail signaling? https://www.prover.com/signaling-systems/whats-preventing-us-from-overcoming-complexity-in-rail-signaling/ Wed, 30 Nov 2022 09:26:19 +0000 https://www.prover.com/?p=6308 Is safety built on history? What's preventing us from overcoming complexity in rail signaling? Read more in this blog post!

The post What’s preventing us from overcoming complexity in rail signaling? first appeared on Prover - Engineering a Safer World.

Is safety built on history? Or are we creating a system that is too complex? Do we still need to learn from the past or is it time to look at new ways to manage our systems?

In my opinion, it is high time we adapt to the future and take action to remove old barriers and ways of managing our systems. In many places, rail systems have been operational for several decades and the system evolution has not kept up with the rest of society. We are stuck with old technologies and methods for managing our systems. With time, we lose knowledge of our existing systems and risk losing control. Control that we try to reclaim by adding another layer of functions that enforce a new safety barrier.

Complexity has been snowballing since the beginning of rail history

Rail transport has been developing over the course of almost 200 years and it is still based upon the same foundation it started with: metal wheels against metal rails. It is a successful means of transportation in terms of energy and capacity, which also benefits the environment.

Railways have traditionally been introduced locally; that is, one stretch of rails at a time and with little or no interaction between them. However, the demands of today’s systems are completely different, and initiatives like ERTMS (European Rail Traffic Management System) are now being driven across the world to harmonize our railways and rail control systems. This is a task that requires finding our way through the mounting complexity which is threatening to derail our progress toward the digital age.

Even as the demand for greater harmonization and an integration of the rail system as a whole rises, the complexity of rail control systems continues to increase. Responsibility for the rail system is shared within the industry, and there is a clear conflict between traditional subsystem management and the need to achieve higher system level effects through modernization or digitalization.

The situation has gone so far that we cannot refer to one standard system, nor can we agree on what the next generation should look like. I’ve been working in the railway industry for over 20 years and my experience, together with countless discussions, leads me to believe that there are only three objects/components that we can agree upon: we have a train, a wayside, and a traffic management system. Opening any one of these “Pandora boxes” will create confusion—leading to questions like, ‘which components belong where, and what behaviors does each part have?’ The inside of these boxes has been shown to be specific to each system locally. This is one reason for the complexity that exists today, and remains a barrier we must overcome before we can manage our systems.

Symptoms of complexity

For an outsider, complexity in rail signaling is difficult to understand. Especially considering the easy task of automating the movement of a container on a fixed route in 2D when we, at the same time, live in a world of self-driving cars and autopilots in airplanes. But for us inside the industry, it is easier to decode.

Complexity in rail signaling is, in many ways, evidenced by continuous delays and budget overruns; for instance, the continually delayed introduction of ERTMS and the termination of metro signaling contracts in, for example, Stockholm, Helsinki, London and Edmonton.

Upgrades and renewals of rail control systems often become overly complicated when new systems are to be integrated with existing subsystems. Unknown dependencies are discovered too late in renewal projects—or, even worse, during operation—and the loss of control is a fact. The complexity has been underestimated from all positions and by all actors.

Traditional management, with a linear mindset, does not have the necessary prerequisites to manage the uncertainties that come with complex systems. Hopefully, the need for new methods to meet our challenges is starting to be recognized.

The problem with governing a rail control system managed by old and new methods

The stepwise localized evolution of rail control systems has introduced a number of different technologies in small steps. Often, these technologies are shaped by experiences from the past and the requirement that the new system “behaves in the same way as before, but better.” This approach necessitates that one proves that the new system behaves just like the old one, which should be demonstrated using the same methods and techniques that have always been used. This is an understandable demand considering that rail control is a safety system; since we know that our existing system is safe, it is reassuring to be able to turn back and recognize the old system in the new. For instance, today, it is still requested that computerized systems should be visualized as electrical relay systems because this is how it has always been done and is what can be understood.

As a result, we are now creating a governing system that is managed by both old and new methods. This further drives complexity and costs. It also restricts the positive effects that we would potentially get from a new system if it were allowed to utilize its best techniques and methods. As an example, in the railway field we still speak of computing power as a limitation. Hence, have we, in any way, allowed the computerized optimization of our systems?

Over the course of the evolution, we have tried to keep up with new technology and formulate new regulations, oftentimes not daring to remove old regulations that someone else put there before us for some unknown reason. All without managing or even understanding the consequences, including conflicts between new and old regulations. Again, this is understandable given that rail control is a safety system. But now complexity arises from the mixture of interwoven techniques and methods for a system that has been under evolution for decades and with components that, in many cases, are 50 years old. By tradition, it has always been safe to add requirements, but what is the process for removing requirements? It is unsafe and non-existent. And so, we add more requirements and, eventually, more complexity.

Unfair competition between new and existing technology

All of this leads to an unfair competition between new and existing technology. It is not required that existing technologies be proven to meet the latest regulations. Rather, they are proven in use via the “grandfather clause” and are evaluated using old measures.

To exemplify, let’s compare the modern elevator with the paternoster lift (the one without doors that never stops at floors, necessitating that you jump out). The paternoster lift will win when it comes to moving people compared to a modern elevator that stops to let people off. But, of course, it comes with a safety risk that we no longer accept today. A similar situation applies to railways. Still, we have old rail control systems in place that allow for much tighter train movements than would be allowed in any new system from a safety standpoint. Hence, while a new system might be safer, it could actually be a downgrade in terms of train capacity in dense locations. This is the case for the new ERTMS L2 versus existing ATP, due to calculations of braking curves.

This is one factor to consider in the calculation of cost efficiency when comparing an old system with a new one. The long system lifecycle of rail control systems will, locally, make comparison with the last historical introduction of a rail control system unfair.

With an unfair comparison, the business case for replacement or upgrades is not so attractive compared to lifetime extensions and maintenance. Again, we drive complexity by not keeping up with new technology or methods. In many instances, we have rail control systems with outdated technology that are managed only by a handful of senior, sometimes retired, experts and with few incentives for the new generation to learn about them. Renewing systems can often be the last way out—an exit path forced by the aging of knowledge or technology.

Compared to modern computerized rail control systems, older mechanical or electrical systems have a longer lifecycle. We can see this is true just by calculating the individual components. In fact, this is what we often do and what we compare for an upgrade project. Just by calling it an upgrade or renewal “project”, we place ourselves in a corner. A project has, by definition, a start and an end. It is to be released and taken into revenue service on a specific day, with the target of meeting one installation, and only once. We tend to forget about the long life of a rail system and focus all efforts on meeting project-oriented goals.

In almost all cases, new rail systems are more computerized than existing systems in revenue service. The railway has historically been treated as a construction or building. Naturally, the first mechanical or relay rail control system was managed under the construction process and related regulations. Our new computerized and embedded systems are still, in many cases, introduced under the same construction regulations instead of software principles.

The introduction of new rail control systems is often done in conjunction with extensions of tracks or other building upgrades. Signaling can become a smaller subproject that is managed as part of the rest of the building construction project. In comparison, construction parts and buildings can often come with substantially larger costs and with much more visible effects. The rail control system is expected to just adapt and work accordingly. The project team, with its suppliers, will strive to drive their processes in order to optimize towards this one installation and deadline. All efforts are at stake and focused on the original requirements, with little flexibility to adapt to new system needs or technology that have been invented over the often long project period of 10+ years, given that the project planning and requirements were formulated far earlier. Again, complexity presents a barrier to smaller sequential releases over time.

It’s time to remove barriers and adapt to the future

The above synopsis of the tangle we currently find ourselves in can, of course, be seen as a rallied or naive simplification. But the reality is that we tend to focus more on the project at hand than its total lifecycle, both in terms of money and resources. Complexity is not taken into account and is hard to address using traditional methods. And in our failure to address it, the increasing complexity creates more vulnerability instead of robustness.

Is safety built on history? Or are we creating a system that is too complex? Do we still need to learn from the past or is it time to look at new ways to manage our systems? In my opinion, it is high time we adapt to the future and act to remove old barriers and ways of thinking.

Technology used to be a limitation. We are used to constructing our railways from technology. This is not (or should not be) the case anymore. Both fantasy and our reluctance to adapt to new technology are our limitations. Technology is used to execute the functionality of a rail system. Improving and optimizing the system functionality should be the key for future developments.

After all, we cannot compete with history if we are stuck with history.

About the author

Mats Boman has been working in the railway industry since 1999. His career started at Prover and, after switching gears to drive a consulting business within rail control system management and then serve as the CEO of the rail engineering company STHK, he recently returned to Prover as the Vice President of Business Development. Mats has a master’s degree in computer science from Uppsala University.
