WESTRACE NETWORK COMMUNICATIONS

ADVANCED INTERLOCKING TECHNOLOGY

Charles R Page, BSc Elec/Electron, MBA Tech Mgmt, FIRSE
Director of Marketing & Sales
Wayne McDonald, BE (Elec), FIRSE
Manager Technology & Training
Invensys Rail Systems Australia—Westinghouse Signals Australia Division

SUMMARY
New WESTRACE Solid State Interlocking systems utilise powerful, industry-standard, Information Technology
networks for most of its vital and non-vital communications. Standard protocols, through off the shelf communica-
tions hardware, provide unprecedented flexibility in designing large, complex, interconnected vital interlocking
systems. Serial communications paths, previously the most vulnerable parts of a system can be integrated into a
simple, redundant network. These networked connections open up new possibilities for hierarchical interlocking
systems while simultaneously giving flexible control powerful diagnostics.
This paper overviews the basic WESTRACE solid state interlocking and explains how railways can benefit from
transferring the vital data over networked communications to provide the maximum total system availability.

1. INTRODUCTION this according to safe application data designed by

Signal Engineers to generate vital parallel outputs (eg
The world’s leading railways are almost universally
to signals and point contactors, relays), vital serial
turning to solid state interlocking for new and renewal
output (eg block circuits) and non vital indications.
signalling projects. Their flexibility, ease of modifica-
tion and advanced control and diagnostic features
make them ideally suited to meet the business needs
of the modern railways.
WESTRACE is one of the solid state interlockings
available from the Invensys Rail Systems group. It is
our most popular model and is well suited a wide
range of small to large installations. The world’s first
revenue service WESTRACE was installed on a pas-
senger and freight line at Dry Creek in South Australia
in 1990. WESTRACE has continually evolved to
increase logic capacity, enhance its functionality and
add new features.
The latest enhancement, the WESTRACE Network
Communications (WNC) model, was released in mid
2002, with 10 installations being commissioned in
Europe as of mid 2003 and many more in the design
phase. This paper describes the WESTRACE WNC
system and highlights how this modular interlocking
solution helps deliver safe, flexible and reliable signal-
ling services to the railway.
This paper will use the term WESTRACE rather than Figure 1: Typical small WESTRACE Installation
WESTRACE WNC for convenience.
2. WESTRACE OVERVIEW Unusually, WESTRACE is complemented with fully
WESTRACE is a modular solid state interlocking that integrated, non-vital logic processing, diagnostics and
provides all the standard features expected of such a communications.
system, as well as several unusually advanced fea- The huge non-vital logic capacity frees the vital logic
tures. It takes vital parallel inputs from local track of all but essential vital tasks and is typically used for
equipment (point detection, track circuits, relays, etc), route setting, route availability checking, panel
vital inputs from nearby interlockings (eg block cir- processing and sometimes alarm monitoring. Addi-
cuits) and non vital controls and logically manipulates tional features and logic constructs that cannot be

IRSTE Seminar, New Delhi Page 1 of 10 14th - 15th June 2003

Copyright Invensys Rail Systems Australia Limited 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
executed in vital logic ease the design. Any logic state
can be transferred between the vital and non vital
logic.
Comprehensive diagnostics timestamp and record
every vital and non-vital change of logic state.
All WESTRACE vital, non vital and diagnostic com-
munications are by default routed using industry
standard UDP/IP (a subset of TCP/IP) over an
industry standard 10 BaseT Ethernet port. Serial links
can also be used where Ethernet is not practical.
These features are described in more detail later in
this paper.
WESTRACE’s inherent power and flexibility has
allowed it to be applied in several related applications.
The WESTECT Automatic Train Protection (ATP)
system uses the standard WESTRACE platform as its
heart. A trackside Encoder that transmits data to the
train informing it of signal states is simply a
WESTRACE with an additional module. The
WESTECT ATP On Board Computer is also
WESTRACE based.
WESTRACE’s inherent vital telemetery has been
used without the associated logic to safely communi-
cate relay states over both radio and PCM channels,
including as a vital Token Block interface system.
Some railways, such as in the UK, have particularly
complex requirements of level crossing control.
WESTRACE has been configured as a flexible level
crossing controller, with many standard crossing con-
figurations built in.
WESTRACE forms a key part of Invensys Rail’s pilot
line ERTMS systems.
3. WIDELY ACCEPTED AND PROVEN IN SERVICE
WESTRACE has become one of the worlds most
popular solid state interlockings since its introduction
in 1990. Over 1,000 installations are now in operation
including several very large installations with multiple
WESTRACEs.
It has been applied to almost every conceivable type
of railway; on mainline and subway systems, in freight
and passenger service as well as in both dc and ac
(up to 25 kVac) electrified territory.
It has gained safety approval, and is in use, in the fol-
lowing countries;
• Australia • Germany
• Indonesia • Ireland
• Malaysia • New Zealand
• Norway • Philippines
• Portugal • Romania
• Spain • Thailand
• United Kingdom
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
Each and every railway feels the need to conduct its
own safety assurance of the system. Some of these
have been extremely rigorous and onerous. Inde-
pendent safety assurance consultants, recognised
industry safety experts and railway staff have audited
and reviewed the thorough in-house safety assurance
program that has always been integrated throughout
each phase of the development lifecycle.
WESTRACE safety architecture is based on
• appropriate development environment
• appropriate development processes and tools
• comprehensive diversity (and where possible, di-
versity between hardware and software)
• demonstratable fault negation (and anti-de-nega-
tion) systems
• comprehensive testing of memory, hardware and
stored data
WESTRACE either uses inherently vital hardware or
at least two diverse processes to ensure the system
integrity. Different software programs using diverse
code independently evaluate the logic and compare
the result. All system data is both stored and commu-
nicated in diverse forms—all the way from the input
modules, through processing, to the output modules
and the results are compared at each phase. All vital
modules continually check themselves, cross check
each other and the VLM (including the correct opera-
tion of the processors) to ensure error free and totally
safe operation.
It is particularly interesting to note that WESTRACE
has passed some of the most demanding safety
approval processes in the world, such as those of BR-
RailTrack-Network Rail, London Underground and
the EBA in Germany.
It has been assessed as compliant with RIA23,
CENELEC EN50128, EN5029 and other recognised
safety standards.
Invensys Rail member company Westinghouse Rail
Systems of the UK has just been awarded a £850M
contract for the resignalling of approximately two
thirds of the whole of the London Underground
network using WESTRACE. London Underground is
one of the world’s busiest metro systems. They
already have extensive experience of this system as
it is in use on the Central and Jubilee Lines and is cur-
rently the only solid state interlocking of its type
approved by London Underground.
WESTRACE also fully complies with the RDSO
standard for solid state interlockings for use on Indian
Railways
WESTRACE continues to undergo continual improve-
ment and evolution since its introduction to increase
its capacity, do more and be easier to use. This evo-
Page 2 of 10 14th - 15th June 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
lution rather then revolution approach maintains the
basic system architecture and therefore the maximum
backward compatibility to preserve a railway’s invest-
ment in the large installed base. The evolution
includes
• major increases in logic capacity
• specialist input and output modules to interface with
coded track circuits, WESTECT, etc
• enhanced diagnostics
• addition of non vital logic processing
• communications, especially the IP based network
communications
• design, testing and maintenance tools
Unchanged modules can continue to be used with the
new modules. A relevant case occurred in mid 2002
when the first ever WESTRACE, installed at Dry
Creek in South Australia in 1990, was significantly
expanded to meet new operational requirements. In
the process, the size of the installation approximately
doubled. All the existing input and output modules
from the original installation were re-used in the new
application. We were also able to transfer the original
application logic for use as the starting point for the
upgraded system.
4. THE MODULAR INTERLOCKING
WESTRACE is a modular interlocking. Every installa-
tion requires the Vital Logic Module (VLM) and the
non-vital logic, communication and diagnostic module
(NCDM), as well as a power supply module. Other
modules are added as necessary to provide the
required quantity and type of inputs or outputs.
Most systems need only one type of input module and
one or two types of output module.
The Vital Parallel Input Module (VPIM) is the general
purpose input module. It detects the presence of 50
Vdc from external detection circuits or existing relays
(eg track relays). Twelve fully isolated input circuits
are provided per VPIM module. Two inputs may be
combined in anti-parallel to detect polarised inputs.
The Vital Relay Output Module (VROM) is the general
purpose output module, sourcing 50 Vdc outputs to
drive point contactors, Q relays or similar. Eight
isolated outputs are provided per VROM module.
They can be wired in anti-parallel to drive polar cir-
cuits.
Signals may be directly driven by the Vital Lamp
Output Module (VLOM). This module can directly
drive 110 Vac LED or transformer coupled incandes-
cent signals (including those with filament changeo-
ver relays). The module has an integral steady or
flashing aspect control with all flashing outputs from
an interlocking synchronised. The VLOM incorpo-
rates both hot filament proving and cold filament
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
checking. This enables it to check lamp circuits, re-
gardless of whether the aspect is currently energised.
The cold filament checking pulse is so short that it
won’t produce a visible output from a de-energised
aspect.
The VROM and VLOM outputs incorporate a Graceful
Degradation feature. If a fault is detected in an output
circuit it is safely disabled but the remainder of the in-
terlocking continues operating normally. A fault bit is
cleared and this may be used in the logic. Graceful
degradation limits the impact of any failure to the
directly affected area—most of the railway continues
operation until the fault is repaired.
Each WESTRACE uses between one and four, 6RU
high 19 inch housings that are normally installed into
a 19 inch rack. The VLM and NCDM must be installed
at the right side of the top housing but other modules
can be installed anywhere. Only the number of
housings required to contain the modules required for
an installation need be provided.
The WESTRACE design has paid particular attention
to immunity to both conducted and induced electro-
magnetic interference. The housing itself is fully
shielded and all circuits entering or leaving the enclo-
sure pass through carefully designed isolation filters.
High immunity to interference is not just a matter of
shielding and filtering. It is a system issue that
involves many disciplines. Therefore the WESTRACE
system documentation includes the appropriate rec-
ommendations on primary protection, earthing and
cabling that ensure it is always applied in ways that
maintain this high inherent immunity.
WESTRACE is successfully operating in many areas
of extremely high incidence of lightning, such as
central Java in Indonesia and Northern Queensland
in Australia. These installations demonstrate the ex-
tremely reliable operation of a correctly installed
system. Recently there have been several cases
where lightning has struck near a location where a
WESTRACE has been installed alongside other solid
state interlocking technologies. The high immunity of
the WESTRACE was then impressively demonstrat-
ed as it was the only unit to continue operation unaf-
fected.
The system has been designed for use over an
extended temperature range of up to 70 °C ambient.
Air conditioning of the equipment room or location
case is not a requirement. For example, in Indonesia
and Malaysia we have successfully provided a total of
123 WESTRACE installations and none of the equip-
ment is in an air-conditioned environment.
Overall, this extensive in service experience has
resulted in an exceptionally reliable design. For
example, as of the date of this paper all of the 60
WESTRACE systems installed in Malaysia have been
Page 3 of 10 14th - 15th June 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
continuously operated for over 18 months without a
single failure of WESTRACE equipment of any kind.
5. WESTRACE SYSTEM CAPACITY
A common question is, “How powerful is
WESTRACE, how much railway can it control?”.
That is often a difficult question to answer because it
depends on a local signalling practice. For example,
it depends upon the complexity of the signalling prin-
ciples of the railway and whether the tracks are bi-di-
rectional. However, a general sense of its capacity
can be gained from the following vital statistics.
A single VLM can handle;
• 3,357 Internal Vital Latches (relay equivalents)
• 300 Internal Vital Timers
• around 1,800-2,600 rungs of vital logic, with up to
50 relay equivalent ‘contacts’ in each rung.
The non-vital logic has about 10 times this capacity.
This is typically sufficient processing capacity for 175-
200 Routes.
Processing capacity is only part of the answer and
there is a physical limitation in the 4 available
housings for input and output modules. Up to 28 input
and output modules can be used across 4 housings.
Larger systems may use multiple racks of
WESTRACE, often with all the processing executing
in a single VLM. This keeps all the interlocking logic in
one processor and eliminates the ‘cross-boundary’
issues that would complicate the design if the logic
were distributed across several processors. It simpli-
fies design and maintenance, and minimises
response time. It may also be used, as described
later, to segment the railway for availability.
WESTRACE has features that makes it particularly
simple to link multiple systems together. To under-
stand how this is done we will now describe some of
the wide range of available interlocking configura-
tions.
6. INTERLOCKING CONFIGURATIONS
Many of the interlocking configurations rely on the ef-
fective network communication architecture that
allows multiple vital and non-vital, high capacity, com-
munications sessions to be established between in-
terlockings and the associated control and diagnostic
systems. A subset of the configurations is possible
using serial point to point or point to multi-point com-
munications although these are mostly retained for in-
terface to legacy or hard wired systems.
6.1 Communication Network
WESTRACE uses the network to exchange most of
the vital and non-vital data in the system. This is a
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
powerful and flexible feature that opens up many pos-
sibilities and some of these are discussed below.
The network is based on the industry standard UDP/
IP protocol (a subset of TCP/IP selected used to
comply with safety restrictions), over 10 BaseT
Ethernet with a RJ45 connection. All data is coded
and fully protected against all forms of corruption,
delay or transformation during transmission. The vital
data messages containing the true and complement
data and CRCs are assembled and checked in the
VLM and simply encapsulated in an IP packet by the
NCDM for transport. Non vital data and diagnostic IP
packets are assembled in the NCDM. All data can
transferred over industry standard networks using
industry standard IT hardware. Good network design
will usually include network segmentation and redun-
dant routing paths and can utilise existing infrastruc-
ture. High bandwidth links is generally not required
outside a local area and typically a 64 kb/s circuit is
adequate for multiple interlockings along a railway.
Proper separation should be maintained for vital data
and we recommend physically restricting the access
from an organisation’s general network. Some data
may be made more widely available via an appropri-
ately safety rated firewall that can also prevent
network congestion from external sources.
Each WESTRACE can simultaneously run 16 vital
and 16 non vital communication sessions.
6.2 Stand-alone interlockings
The most basic WESTRACE configuration is a stand-
alone interlocking as shown in Figure 2:
(via WAN)
WESTRACE
VLM6 NCDM
VPIMs VROMs VLOMs
Adjacent
VPIMs VROMs VLOMs
WESTRACE
(via WAN)
Railway Signalling Equipment
Figure 2: Standalone Ineterlocking showing network
connections to the signalling environment
Remote or local controls and indications are ex-
changed over a serial link with external non-vital I/O
to interface a push button local panel (not shown) or
over the network with a PC based control panel or a
remote (CTC) control centre. Logic can be configured
in the NCDM to handle all local and remote control, so
that control authority can be passed between the
systems as required or under fault conditions. Indica-
Page 4 of 10 14th - 15th June 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
tions are sent to all control points but the logic
ensures that control is only accepted from one.
The network is used to interface local and remote di-
agnostic systems.
Vital data (eg block information) may be exchanged
with adjacent interlockings over the network.
6.3 Linked WESTRACE systems
The vital communications over the network become
particularly powerful, yet simple, where multiple
WESTRACEs need to be connected for capacity or
distributed input and output purposes.
The most common application is within a single
station area to link a master WESTRACE containing
interlocking logic to one or more ‘dumb’ WESTRACEs
that don’t contain active logic. These are then called
Object Controllers and only the central WESTRACE
with the logic is referred to as an Interlocking. There
may also be links to adjacent interlockings for block
working. Figure 3:shows an example of a master
WESTRACE and 4 object controllers. Only the prime
sources of control and diagnosis are not shown for
simplicity.
WESTRACE
VLM6 NCDM
Optional Hot Standby
VLM6 NCDM VLM6 NCDM VLM6
VPIMs VROMs
VROMs VLOMs VPIMs VROMs
VROMs VLOMs VPIMs
VPIMs VLOMs VPIMs VLOMs VPIMs
Railway Signalling Equipment
Figure 3: A WESTRACE Central + Object Controller
system
This technique may be used to expand input and
output capacity but it is a powerful cost saving feature
as well. The central WESTRACE can now be located
conveniently, perhaps in existing accommodation or
where maintenance access is best. The Object Con-
trollers can be in the same place. However, they can
also be fitted closer to the equipment under control,
such as in trackside location cases or other conven-
iently located accommodation. By putting the Object
Controllers close to the relevant equipment, consider-
able savings can be realised by reducing cabling and
IRSTE Seminar, New Delhi
WESTRACE Network CommunicationsAdvanced Interlocking Technology
the associated trenching costs. As the interlocking
logic is all located centrally, this approach doesn’t
increase the complexity of the logic design.
Although other solid state interlocking technologies
can appear to approximate to this approach, the flex-
ibility of WESTRACE makes it so much easier. The
unusually large processing capacity ensures that the
central WESTRACE can handle more Object Control-
lers before having to resort to splitting the logic across
additional interlockings and introducing boundaries.
The networked architecture permits a particularly
simple single point interconnection approach over
industry standard media rather than using multiple,
proprietary, point to point links with associated line in-
terfaces.
This Object controller approach can also be
combined with another outstanding WESTRACE
feature to provide an even more cost effective
solution as described below.
6.4 WESTRACE Hot standby Systems
Hot standby is an integral feature of WESTRACE. It is
not an application engineered feature and no location
specific logic design is required. The Hot Standby
option only needs to be selected in the configuration
and the configuration logic prepared as normal.
Hot Standby, as an integral feature, has been subject-
ed to the same rigorous design and safety approval
process as the rest of the design. This is important as
bolt-on hot standby can introduce a safety risks.
The WESTRACE hot standby system connects two
WAN to
other WESTRACEs separate, identical, standard WESTRACE systems
by high speed fibre optic links. The VLM and NCDM
each have separate fibre optic connections. The off-
NCDM VLM6 NCDM
line system is completely updated with an identical
VROMs VPIMs VROMs
VROMs VLOMs
VROMs VLOMs
VLOMs VPIMs VLOMs
image of every internal logic state once every
processing cycle. Even the software version in use
and the interlocking unique address is checked during
the update. There is no possibility of the two available
systems being out of correspondence at any time.
There is no possibility of both interlockings have safe
but different logic states due to slight differences in
timing for reading inputs (this situation that could give
an unsafe result on changeover cannot occur with
WESTRACE)
Figure 4:shows a typical connection of a hot-stand-by
WESTRACE. The remote or local control do not have
to be duplicated and are omitted from this drawing for
simplicity. Typically, they would connect to the switch
shown.
Page 5 of 10 14th - 15th June 2003
Copyright Invensys Rail Systems Australia 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
High speed optical fibre links
WESTRACE WESTRACE
VLM6 NCDM
VPIMs
VPIMs VROMs
VROMs VLOMs
VLOMs
Railway Signalling Equipment
Contacts optional
Allow separation of off line system
Figure 4: Hot Standby Connection
One system is biased on-line at start up by system
configuration. A switch is normally installed that
allows a technician to permit automatic changeover,
inhibit changeover or request changeover. Each
system monitors the other and will effect a changeo-
ver if the on-line system fails or if requested and the
off-line system is available.
A system changeover will take between one and two
processor cycles with the off-line system taking over
with identical outputs to the former on-line system—
true hot stand-by.
The off-line system receives all the same inputs as
the on-line system and is fully operational, complete
with its internal diagnostics. If the off-line system
develops a fault this is flagged to the diagnostic
system in the same way as the on-line unit.
The off-line system can read inputs but its outputs are
disabled and cannot drive loads. Many installations
also use relay contact isolation between the main and
stand-by systems to permit independent testing of the
off line system and additional isolation of between the
two systems from potential dangerous transients in
the field.
The expense of hot-stand-by is hardly justified if both
systems are likely to fail from the same electrical dis-
turbance.
The off-line system can be powered down for mainte-
nance or upgrade. If it is just for maintenance, then
the repaired system can powered up again and seam-
lessly brought back into stand-by. The on-line system
need never be interrupted and the railway operates
non-stop.
If a logic change or I/O modification has been made,
to the off-line system, then the same change must
then be made to the on-line system before they can
work as a hot-stand-by pair. However, this approach
still allows upgrade work to be undertaken more
quickly with the absolute minimum of system down
time.
IRSTE Seminar, New Delhi
WESTRACE Network CommunicationsAdvanced Interlocking Technology
No additional hardware is required to link two
standard WESTRACEs as a hot-stand-by pair apart
from the optional relays, the manual control switch,
the associated wiring and the fibre optic update cable.
Standard network techniques are used to provide
VLM6 NCDM
separate and isolated network connections to each
WESTRACE.
VPIMs
VPIMs VROMs
VROMs VLOMs
VLOMs
There are different options of implementing hot stand-
by for an installation comprises a central WESTRACE
interlocking and one or more Object Controllers.
• The Interlocking WESTRACE could be a hot-stand-
by unit with no local input and output and the Object
Controllers could be single units (non hot-stand-
by).
• Critical inputs and outputs could be driven directly
from the hot-stand-by interlocking with the remain-
der driven from non hot stand-by object controllers.
• Some or all of the Object Controllers themselves
could be hot-stand-by units. Any combination is
possible. As much or as little hot-stand-by input and
outputs justified can be provided.
This flexibility can be very cost effective. One
approach is to only provide hot-stand-by inputs and
outputs for the main lines through a multi-track
station, either directly from a hot-stand-by interlocking
or via a hot-stand-by Object Controller. The loops
could be controlled by a separate, non hot-standby,
Object Controller. This can save costs on the loop
lines whilst providing the highest possible availability
to the more important main lines. Alternatively, the
Object Controllers could be judiciously connected
each to a separated part of the trackside so that a
failure of a single Object Controller would not prevent
running trains through the controlled area.
7. DIAGNOSTIC TOOLS
Users can select basic and enhanced diagnostic fea-
tures. A WESTRACE NCDM stores the most recent
2.5 Lakh events in a circular buffer. This information
can be accessed by a text based program using a
Laptop PC over a local serial port or the network. The
same computer can set local parameters, clear
buffers and request communication status.
A dial up connection allows password protected
access to diagnostic information from standard tele-
phone lines or even from a mobile phone. A remote
maintainer could investigate a fault beforehand,
confirm its nature and arrive equipped with any nec-
essary spares or tools. It also allows WESTRACE to
call a fault centre when a fault occurs or periodically
to report faults.
Users can obtain more information in an easily used
format with a separate Windows based tool called
MoviolaW. Moviola is Spanish for ‘Replay’. A PC is
used at each site to log the data from one or more
WESTRACEs, via the network (or one of the serial
Page 6 of 10 14th - 15th June 2003
Copyright Invensys Rail Systems Australia 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
ports.) Each interlocking change of state is stored as
it is received. A new file is created every few days
(user configured). Files older that 30 days are deleted
or separately archived.
Users can configure the PC displays to show:
• track diagrams with signal, point and track occu-
pancy status shown by colour and shape;
• state of any nominated latches or inputs in the
system in a separate window
• status of selected (DOS wildcards are supported)
mnemonics (eg all points) in a separate window
• all or selected mnemonic changes of state on a
cycle by cycle basis in a separate window
• Reports on selected mnemonics (eg the number of
changes for a set of points) in the logged period
• A diagram of the housing showing each of the
modules—the module will be shown in red if it is
faulty.
• english text messages describing any configured,
external failures (eg, lamp fail, loss of detection)
MoviolaW can also execute logic to generate alarms.
Figure 5: Typical MoviolaW screen
Presenting the data in the form of a graphical track
plan is extremely powerful, especially when combined
with the report generation facility. It assists the main-
tainer to quickly and accurately understand what is
going on. This is particularly useful when some faults
may be external to the interlocking, such as those
caused by lost points detection or bobbing track cir-
cuits. With the track plan view, the maintainer can
clearly see the relationships between what is happen-
ing in the field and the interlocking’s response.
MoviolaW normally displays current (real time) data
but can also be requested to display and replay any
of the stored data (while continuing to log real time
data). The user has a ‘VCR’ type control to select a
start time to examine and then replay forward or back-
wards at fast, normal or slow speed.
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
The underlying database is in standard Microsoft
Access format and can be separately analysed if re-
quired.
The graphical view coupled with the advanced
logging and replay features has made MoviolaW a
useful tool for investigating incidents such as Driver
passes a signal at Danger. The relationship between
the track circuit and the signal aspect can be clearly
seen and understood by all. Even the simple exercise
of showing this to just a few drivers can create a no-
ticeable improvement in driving practices and culture
across the whole fleet.
MoviolaW can be accessed remotely via the network,
dedicated serial port or dial in to view or replay and
has become a very important diagnostic tool. Logged
data may be extracted over this connection for local
replay
8. DESIGN & TEST TOOLS
WESTRACE has been developed so that signal engi-
neers, who are competent to design relay based cir-
cuits, can apply the system with the minimum of
additional training. Our customers have confirmed
that typically only 5 days of system design training is
required for such staff. Additional training is only
required to fully use some of the more advanced pro-
ductivity and test tools. However the standard system
design training is entirely sufficient for a signal
engineer to design and test a WESTRACE interlock-
ing. Figure 6: overviews the design and test tools
available and the design and test process.
Figure 6: WESTRACE design and test tool
8.1 Graphical Configuration Sub-System
(GCSS)
GCSS is the primary design tool. It is a Windows
based PC program that allows the signal engineer to
Page 7 of 10 14th - 15th June 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
• select and place modules
• define each input or output for a module
• define the data carried over any of the serial links or
network sessions and to define the sessions
• Design the signalling logic
• Manage the design through input, check, test,
approve and maintenance phases
It uses relay equivalent design concepts including a
graphical drag and drag approach from a palette of
standard icons. This is equivalent to drawing relay
circuits using the familiar relay contact notation. PLC
style ladder logic notation is also available, the user
can switch freely between the two. Figure 7: is an
example of familiar signalling logic.
Figure 7: GCSS Logic Design Screen
GCSS also performs consistency checks to ensure
that syntactical and semantic errors such as unused
or duplicated mnemonics and configuration rule viola-
tion are detected. Full version control ensures
changes are properly authorised and controlled. Dif-
ference lists can be automatically produced to high-
light or verify any changes undertaken during a
modification cycle.Wide usage of cut and paste and
find and replace can save on design time.
It prints a graphical module layouts in the rack, link
settings and terminal allocations to assist in the con-
struction, test and maintenance of the relevant racks.
A template tool allows the user to construct a library
of standard circuits functional elements. These can
then be pasted into the design and used repeatedly.
Design aids are included to automate some of the
renaming and renumbering commonly required when
designs are re-used eg when points #13 become
points #15 all the contact mnemonics will require
changing from 13XXX to 15XXX and the tool assists
this process.
The same GCSS tool is used in a similar way to
design the integrated non-vital logic.
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
8.2 Installation Check Sub System (ICS)
It is vitally important that the right version of the
correct data is installed error free in the intended
system. WESTRACE inherently checks the version
and ICS confirms what is actually in the target
WESTRACE by uploading, decompiling and validat-
ing against the source data.
8.3 Graphical Simulator (GSIM)
WESTRACE interlockings can be tested in the tradi-
tional manner, using the control panel a custom
switch panel to simulate field equipment. MoviolaW
must be used to view the internal states and assists
by giving a railway view of the testing. However, this
approach requires the actual interlocking, completed
control panel (or even CTC) and expensive, custom
made field simulation. It is relatively inconvenient and
time consuming.
GSIM is a windows based software tool that provides
• a control centre mimic diagram for controlling the
simulated railway
• a track based mimic diagram and underlying logic
to simulate field equipment (points, signals, etc)
• one or many instances of the same logic evaluation
engine as is used in WESTRACE
• optional interfaces to a WESTCAD control system
and a MoviolaW system to enable all components
to be tested together
• logging and script generation (for repeated test
setups) facilities
WESTRACE
Ladder Logic
Simulator
Operator Input
to diagram
Simulated Field
Interface
Figure 8: GSIM relationships
A signal engineer can fully functionally test an inter-
locking or a set of interconnected interlockings
through the windowed environment. The engineer
always has full visibility of the control, the track
outputs, the internal states and the field detection.
The engineer can even initiate failures of field equip-
ment to ensure safe interlocking response.
Please refer to Figure 8:.
All test inputs, internal states and outputs are contin-
uously logged. Test sequences can be recorded and
run as a script. A library of standard tests can be con-
Page 8 of 10 14th - 15th June 2003
Charles R Page & Wayne McDonald WESTRACE Network CommunicationsAdvanced Interlocking Technology
Westinghouse Signals Australia

structed making the majority of testing and test record Overview and competency based training courses
keeping automated. available (often delivered to site staff) include
GSIM is suitable for safety proof testing of the inter- • Appreciation Course (half day)
lockings when used as specified. Once tested, only • First Line Maintenance Course (5 days)
correspondence (or connectivity) testing, is required
on site. • System Design Course (5-7 days)
• Set to Work Course
The combination of GCSS and GSIM means that the
required construction and testing time on site is very • Graphical Simulator Design
short and new installations can be commissioned in a • MoviolaW Design
matter of hours. Similarly stage-works can be intro-
Design and maintenance courses are competency
duced quickly and smoothly.
based with a significant hands-on component. The
Modifications to an interlocking can be executed with training materials are of a high quality and profession-
minimum down time because the modification can be al training specialists are used to deliver the courses.
fully tested in the office. A ‘Train Your Trainer’ service is also available so that
customers can subsequently deliver training courses
Apart from potential cost savings, this also helps
to their own staff independently. Invensys Rail recom-
maintain safety. This is because all the time the inter-
mends a 1 day refresher version of the maintenance
locking is unavailable during a commissioning or
courses is because the system is so reliable that staff
stage-works the railway is likely to continue to operate
do not have the need to practice their skills.
using emergency procedures. This can introduce
many safety risks as the railway is not enjoying the full The whole aim of the tools, training and support
protection of the signalling. Keeping this time as short model is to enable customers to competently imple-
as possible reduces the risk of related safety inci- ment WESTRACE based systems without direct
dents to a minimum. support from the supplier. Of course, such support is
available if required but the customer can have a high
8.4 Training, Manuals & Support
degree of independence if desired.
WESTRACE is supported by a comprehensive set of
Part of the support available includes the provision of
user documentation that is sufficient for the design
maintenance services, and module repairs as a
and maintenance of the system. The main documents
minimum. A wide range of services can be made
include;
available as required;
• WESTRACE System overview manual
• Repair or Exchange—From a local base
• WESTRACE Application manual
• Spares on Consignment
• Graphical Configuration Sub-System manual • Guaranteed stock holdings
• Installation Check Sub-System manual
• Extended Warranties
• First line maintenance manual • Long term pricing agreements
and are supplemented by manuals for GSIM and
• Full on-site maintenance services
MoviolaW
• Any combination of the above
Describes the System
9. SUMMARY
How to
Design a WESTRACE
System Overview Manual
The interlocking is the heart of the railway. Its per-
System
formance and safety are critical to the performance
WESTRACE WESTRACE and safety of the railway as a whole. The modern
First Line Maintenance
Application Manual
Manual railway is also a business and requires cost effective-
WESTRACE WESTRACE WESTRACE
ness in everything.
WESTRACE
Installation Check Graphical Configuration Template
TemplateTool
Tool
Sub System Manual System Manual Manual
Manual How to Maintain
a System

How to use How to use

How to use
the GCS & ICS tools The template tool
the ICS tool

Figure 9: Documentation

IRSTE Seminar, New Delhi Page 9 of 10 14th - 15th June 2003

Copyright Invensys Rail Systems Australia 2003
Charles R Page & Wayne McDonald
Westinghouse Signals Australia
Figure 10: A large hotstandy WESTRACE Systems for
installation on RENFE
WESTRACE has proven itself to meet the expecta-
tions of some of the world’s most demanding railways.
• There are over 1,000 installations in operation.
WESTRACE is used and approved in over a dozen
countries around the world.
• It is cost effective to apply. Its unique features, such
as the fully networked communications, integrated
IRSTE Seminar, New Delhi
Copyright Invensys Rail Systems Australia 2003
WESTRACE Network CommunicationsAdvanced Interlocking Technology
non-vital processing and the flexibility of the hot-
standby option, create new opportunities for even
more cost effective applications.
• The advanced toolset means quicker design cycles
and less disruption to the operational railway during
stage works and commissionings.
• Well designed hot-standby features plus close at-
tention to interference immunity mean a non-stop
railway under the most demanding conditions.
• WESTRACE continues to be kept up to date with
enhanced features being released regularly.
However, maintaining the railway’s investment in
existing equipment is a priority. Backwards compat-
ibility and clear upgrade paths are intended to allow
unmodified equipment to be re-used in new
systems wherever possible.
• The system is supported by a wide range of tools,
manuals, training and other support services. Local
support from a base in India is intended.
• Most importantly for an application on Indian rail-
ways, WESTRACE complies with the RDSO spec-
ification for solid state interlockings.
It is hoped that Indian Railways will soon get an op-
portunity to experience the safety and performance of
WESTRACE and its many useful features.
Page 10 of 10 14th - 15th June 2003