You are on page 1of 16


Smartlock 400 (SML 400) 3

Central Interlocking (CIXL) 4-7

Trackside Interface Communications Cubicle 8-9

Support System 10 - 14

Trackside Functional Modules (TFM) 15

Emergency Signal On Control (ESOC) 15

Smartlock 400

Smartlock 400 System (SML400)

is a computer-based interlocking
(CBI) system designed specifically
as a successor to Solid State
Interlocking (SSI) for all signalling
applications in the United Kingdom.
Compared with SSI, SML400 offers:

• Reduction in number of cross-boundry

communications required due to increase in
potential size of interlocking coverage;
• A reduction in the physical size of central
interlocking equipment;
• Compatibility with current communications
• Updated facilities for the maintainer: graphical
interface, improved fault analysis;
• Improved application engineering tools for test
and incident analysis.

Initially, Smartlock 400, retains the Trackside Functional Control Systems, such as the Integrated Electronic Control
Modules (TFM) and trackside communications link that are Centre (IECC), being able to provide the required
used with SSI. connections to the IECC or equivalent network.

It can interface with a conventional signaller’s entrance/ The main elements of a typical Smartlock 400 scheme are
exit (NX) panel and is also compatible with VDU-based shown in Figure 1.

Figure 1
Main elements of a typical
Smartlock 400 Scheme.

Smartlock 400

There are three key elements to the SML400: The TICC houses the equipment responsible for interfacing
the CIXL to the TFM network. It receives input regarding the
1 The Central Interlocking (CIXL) is the heart of the state of the trackside interfaces from the TFMs and
SML400. It consists of a 2 out of 3 (2oo3) forwards these indications to the CIXL. Based on its image
platform loaded with the specific application data of the railway, the CIXL then evaluates the interlocking logic
and the interlocking software. for an individual VIXL and determines the controls to be
2 The Trackside Interface Communications Cubicle output through the TICC to all TFMs for that VIXL.
(TICC) is responsible for managing the external The Support System provides diagnostic functionalities
trackside communications networks and the such as monitoring, alarm management, event log
protocol for communication with TFMs. management, user access management and configuration
3 The Support System is composed of a Support facilities. It also provides signalling technician’s control
System Cubicle (SSC), one or more user interface functionality to start/stop (put off-line) VIXLs and apply /
PCs (client PCs) and printers. It provides all the remove restrictions to prevent signals clearing, points
necessary information and controls required by moving, routes setting etc. (mimicking those provided for
the maintainer and signalling technician for an SSI).
maintaining and controlling the signalling system.
In addition to the local clients, a remote
maintainer facility is available with connection via Central Interlocking (CIXL)
a secured Wide Area Network (WAN).
Functional Description
The CIXL is at the heart of the SML400 and is based on
The CIXL contains interlocking memory that records the Alstom’s “2oo3 Platform”, which is a general-purpose safety
current state of the railway under its control; this includes computer for railway signalling and control applications. The
functions such as signal lamp proving, point detection and interlocking software within the CIXL is general-purpose and
track section occupancy. It also stores internal interlocking is configured for:
variables such as approach locking and timing functions.
The interlocking memory states are referenced by the • Network Rail’s Generic Requirements, and
signalling logic to determine when and which controls may • The specific requirements of each signalling
be sent to the trackside devices: point movements and scheme, via the application data (this is prepared
signal aspects etc. as determined by changes of input in accordance with the scheme plan, control
states from the trackside, or requests made by the signaller. tables and other relevant input information using
SML400 allows the CIXL to be partitioned into a number of the Smartlock 400 application engineering system).
“virtual interlockings” (VIXLs) that are independent of each The CIXL manages the interface with either type of Traffic
other functionally and communicate by means of a Control System (TCS) used in the UK; that is, the CIXL
dedicated internal message mechanism. The interlocking provides direct interfaces to Panel Multiplexers (PMUXs)
memory is partitioned among the VIXLs, with any given which are required by an NX panel, and/or direct interfaces
signalling function belonging to one - and only one - VIXL. to an IECC – or similar systems supporting the same
Each VIXL has its own links to the Signaller’s control and interface e.g. Modular Control System (MCS).
display system.

Two or more VIXLs can process requests at the same time,

independently of each other, such that the CIXL is able to
work with more than one signaller at any one time. The
maximum number of VIXLs in a CIXL is 8; each is size-
limited by its trackside address space and controls a
specific group of up to 63 TFMs over its own external
communication network. When replacing an SSI scheme,
each VIXL is equivalent to one of the SSI scheme’s central
interlockings and the internal messages between VIXLs are
equivalent to the SSI’s Internal Data Links (IDLs).

The CIXL is configured with three memory cards (PCMCIA
cards) loaded with the specific application data and the
interlocking software. Additionally, each computing channel
has its own identity device. The information (scheme name,
CIXL identity and VIXL data version) loaded from the identity
devices is checked against the memory cards content.

In the event of internal failure the CIXL can change

seamlessly, and without any required intervention by
operators, to 2 out of 2 (2oo2) operation (whilst at the same
time isolating the failed module).

The CIXL contains the following components:

1 I/O subsystem 4 Fan Unit

2 Computing subsystem 5 Switches/Fuses Panel

This includes three redundant channels which 6 I/O Panel

implement the 2oo3 architecture.
7 Main Inlet Panel
3 Maintenance Panel
8 Main Power Supply Unit

Smartlock 400

Front Side


Blanking Panel


I/O Group A I/O Group B

Subrack for I/O Cabling

I/O B, SAU card #1
I/O B, SAU card #2
I/O B, SAU card #3
I/O B, SAU card #4
I/O A, SAU card #1
I/O A, SAU card #2
I/O A, SAU card #3
I/O A, SAU card #4

I/O B, EAU card #1

I/O B, EAU card #2
I/O A, EAU card #1
I/O A, EAU card #2
Debug connectors

Debug connectors
Blanking Panel

Blanking Panel


Computing Computing Computing
Channel A Channel B Channel C Subrack for
Main Processor

Main Processor

Main Processor
Blanking Panel

Blanking Panel

Blanking Panel








Channel A Channel B Channel C

MPU Serial ID Plug MPU Serial ID Plug MPU Serial ID Plug
Port Port Port

Maintenance Panel
Subrack for

Blanking Panel


I/O Ch Ch Ch I/O
Panel for
A A B C B Switches &
Fuses I/O Termination
Main PSU Supply Unit Main PSU Power Supply
#1 Subrack #2 Unit Subrack IEC Mains
Mains & Circuit
Isolating Breakers &
Transformers Primary
Earth Stud
Not to scale

Figure 2 Cubicle layout. Cable Entry

Cubicle Layout

The CIXL is implemented in a standard (19-inch the LRUs are labelled to avoid the insertion of
series) rack with an internal height measurement that incorrect equipment. Provision is made, via the front
is 37U-high, the Cubicle layout is shown in Figure 2. panel switches, for the Maintainer to actively change
the LRUs within the platform whilst it is running. The
All Line Replaceable Units (LRUs) and indicators are LRU must be powered off before any manipulation.
accessed from the front of the Cubicle; apertures for

Environment I/O Subsystem Design

The cubicle is designed for operation in the following The I/O Subsystem is based on a Dual Modular
environmental conditions: Redundant 1 out of 2 (1oo2) architecture.

• Ambient temperature variations, in the range The maintainer, is able to power on and off each I/O
from 0 to +45oC. Group.

• Non-condensing relative humidity, in the range

from 5% to 95%.

Computing Subsystem

The computing subsystem is based on a Triplicated

Modular Redundancy (TMR) architecture and each
computing channel contains 4 LRUs (see Figure 2).

The maintainer, is able to power on and off each

computing channel. This facility provides seamless
operation when carrying out maintenance.

Smartlock 400

Trackside Interface Communications Cubicle layout

Cubicle (TICC) The TICC Cubicle is contained in a standard (19-inch
series) rack with an internal height measurement that
is 37U-high. The Cubicle layout is shown in Figure 3.
The TICC houses the equipment responsible for:

• Managing the external trackside communications

All LRUs and indicators are accessed either from the
front of the Cubicle (for FE, GW and Main PS) or from
• The protocol for communication with TFMs.
the rear of the Cubicle (for LDT and DLM); apertures
There will generally be 1 or 2 TICCs per CIXL, for the LRUs are labelled to avoid the insertion of
depending on the number of Trackside Data Links incorrect equipment. Provision is made, via the front
(TDLs) required; however, this can vary depending on panel switches and the rear power distribution rail, for
the overall size of any given system. A TICC can the Maintainer to actively change the LRUs within the
support 2 or 4 data link pairs, depending on the TICC whilst it is running. The LRU must be powered
model used. off before any manipulation.

The TICC contains pairs of Gateways (GWs) and their

associated Front Ends (FEs) (with 2 FE cassettes per
FE rack), together forming what are referred to as
Trackside Functional Module Gateways (TFMGWs).
The FEs handle the interface between the CIXL
cubicle and the GWs and conduct the polling as the
bus master, whilst the GWs act as protocol
converters. The FEs are fully duplicated internally with
normal and reserve cassettes.

The TICC also contains a pair of SSI communications

modules (either Data Link Modules (DLMs) or Long
Distance Terminals (LDTs)) for each pair of GWs,
which provide the communications with the TFMs at
trackside (where the signals are received by further
DLMs and LDTs respectively, which then relay the
data to and from the TFMs). The TFMs will be either
Signal Modules (SMs) or Points Modules (PMs),
dependent on what equipment is required to be

Also contained within the TICC is a power rack

providing duplicate 48V d.c. supply to the GWs. The
incoming 110V a.c. supply is also duplicated; one for
all the equipment associated with the ‘A’ channels
and “normal” front end cassettes and one for all the
equipment associated with the ‘B’ channels and
“reserve” front end cassettes.

Rear View Side View Front View
(Door removed) (Panel Removed) (Door removed)

Front End

TFM Gateway
DLM or

Distribution Front End

TFM Gateway



110V Power
Sockets & 110V ac /
Switches 48V ac
Power Tray

Not to Scale

Figure 3 TICC Type SM4020 mechanical configuration.

Environment The TFMGWs, formed by the combination of the

Front Ends (FEs) and Gateways (GWs), therefore
The TICC is designed for use in buildings without provide the interface between the Central Interlocking
climatic control (Class T1 according to EN 50125-3), (CIXL) and the communications modules (DLMs or
with an operating temperature range of 0 to 35°C LDTs) providing the Trackside Data Links (TDLs). They
with relative humidity up to 85 %. The storage are responsible for managing communication, via the
temperature range is 0 to 55°C. It meets the TDLs, with the TFMs on their networks (including
environmental requirements of British Railways setting the cycle time and dealing with any reply
specification BR967, Category B. messages that might be missing because of a TFM
failure). Separate GWs are provided for the ‘A’ and ‘B’
TDLs. Normally, both links are in operation but a TFM
Trackside Functional Module Gateways will respond if it receives a telegram on one link only.
(TFMGWs) The TFM sends its reply messages simultaneously on
both ‘A’ and ‘B’ networks.
The Trackside Functional Module Gateway (TFMGW)
Subsystem provides the functional interface between
the CIXL and the TFM through the TFM Network.

Smartlock 400

Support System To ensure the communication between these

elements and the CIXL, a redundant network called
Overview Internal Maintenance Network (IMNet) is used.
The support system is mainly composed of a Support The Support System employs a dual redundant
System Cubicle (SSC) and one or more client PCs. It configuration of the Support System’s servers –
provides all the necessary information and controls (SSer’s) – as shown in Figure 4. In common with
required (by the Maintainer and Signalling Technician) other parts of the SML400 system, this dual-
for monitoring and managing the signalling system redundant configuration provides a system tolerant to
during maintenance activities. In addition to local first failures.
client PCs, a Remote Maintainer facility is available,
with connection via a secured Wide Area Network


The support system is based on a client/server

architecture, shown in Figure 4. The main elements of
the support system are as follows:-

• Redundant support system servers (support

server A and B)
• Local support system client
• Time source
• Printer
• Remote client


Monitor Link

Remote Time Signalling
Maintenance/ Source Technicians
Diagnostic Terminal (client)
(client) Server (B) Server (A)



Figure 4 Architecture of the Support System.

The Support System includes at least one dedicated Functionality
workstation for the Maintainer and Signalling
Technician with a screen, keyboard, mouse and The support system provides both diagnostic and
printer for one or more CIXLs. More than one local signalling technician functionality as follows:
terminal with full functionality is used for operational
Diagnostic Functionality
UK schemes within the signalling control centre. The
current configuration of the support system cubicle A. Monitoring: Provides text and graphical
provides one rack-mounted PC as the Maintainer’s information on the state of different elements of the
workstation. Other workstation PCs may be interlocking such as the CIXL, trackside objects,
distributed around the signalling control centre as communications equipment and links.
B. Alarm Management: Performs fault diagnosis and
Each support server logs all system activity on a pair provides text and graphical information on faults and
of logging devices, one of which may be removed for important events (including information on the
analysis offline in case of incident/accident health/state of the elements concerned) detected by
investigation. Data logs may also be transferred to the system.
offline facilities for analysis via removable media,
including USB flash drives and recordable DVD discs, C. Event Log Management: Logs and stores all
for less critical events. events in the exact order of their detection and
provides access to historical data.
The support system’s servers are linked to the CIXLs
by the IMNet, which is compatible with open D. User Access Management: Controls user access
communications. The IMNet is a pair of redundant to the different functions of the support system.
networks that link:
E. Configuration Facility: Provides configuration of
• the CIXL to the support servers the support system where an individual application is
described through a set of configurable application
• the clients, printers and the NTP time source to data.
the servers.
Signalling Technician Functionality
The redundant networks are linked together at the
central switches to allow the redundant support A. Interlocking mode control: Allows the technician to
servers to communicate. WAN links may be provided change the operating mode of the CIXL and individual
to allow clients at remote locations to access the VIXLs including starting/stopping.
system but with restricted functionality. A separate
B. Temporary controls: The support system provides
network may be used to link remote clients to a
commands to the technician to impose or remove
“local” client (nominated as a client gateway) using
temporary controls on the operation of the
WindowsTM terminal services software. A version of
interlocking. Owing to potentially serious
the SSC also includes connection to the IDNet
consequences of the setting and, in particular, the
enabling sensing and logging of communications
clearance of controls, the mechanism by which the
(read only) between CIXLs and to another
commands are issued (i.e. controls are set and
cleared) is Safety Integrity Level (SIL) 1.
In addition to the diagnostic information received via
In addition to the local clients, a remote maintainer
the IMNet, each CIXL Extended Adaptation Unit (XAU)
facility is also available with connection via a secured
is connected to the support system servers via a
WAN. The remote terminal will have the same
synchronous serial RS-422 Monitor Link. This link
operator interface as a local version, but with
enables ‘snooping’ to be performed by the support
restricted functionality.
system on the trackside communication data passing
between the CIXL and TFMGW. This information is
logged and incorporated into the live databases on
the support servers.

Smartlock 400

Cubicle Layout Support Servers

The cubicle itself is a standard industrial type, Two rack-mounted industrial servers host the
dimensions 1.2m (h) x 0.6m (w) x 1.0m (d). The software that monitors the state of the overall
mechanical configuration of a typical SSC is shown Smartlock 400 system and the equipment under its
in Figure 5. control. These provide a central service for individual
client PCs.
Each support server maintains a database that
The SSC is designed for use in buildings without records system events (including alarms and system
climatic control, class T1 according to EN 50125-3, status). The users may query the database on-line to
with limited operating temperature range of 0 to 35°C see the sequence of events surrounding any alleged
with relative humidity up to 85%. The storage incident or failure. Files that record the full set of
temperature range is 0 to 55°C. It meets the events, in sequential order, and further files that
environmental requirements of British Railways permit a graphical replay, are also held on these
specification BR967, Category B. servers for a period of 14 days. Copies of these files
may be taken on a removable USB drive. The log
files are held on mirrored “solid state” drives, a
pair of which is provided on each server.
The mirroring provides “1 out of 2”
redundancy on each server in the event
of drive failure, which also permits,
Support in extreme circumstances, one
Server A Solid State Drive from each
server to be taken away by
the investigating authority,
KVM Switch
whilst leaving the system
fully operational.

Server B

Client PC

Time Server

Patch Panel

LAN Switch

LAN Switch

Figure 5 Support System Cubicle.

Local Support System Client/Client Gateway

A Local Client PC, mounted in the SSC, provides a

user interface for the maintainer/technician to
graphically view the state of the system and the
equipment under its control. It is also the point of
entry for the application and removal of technician
controls. It communicates via a LAN connection to
one of the support servers, but automatically
switches to the other if this connection is lost.

Where remote client terminals

are provided to allow distant
maintainers to view the system
via a WAN link, the remote
users log into the client
gateway via WindowsTM
terminal services.

The local client is a

Commercial Off The Shelf
(COTS) rack-mounted
industrial computer. It is
contained in a 2U high rack
mount chassis. If remote
maintainer access is provided,
then this is replaced by the
externally similar client

Time Server - MSF Clock

An external clock is provided to allow synchronisation

of time across the various servers and clients within
the Support System, such that time stamps applied
to logged events are against a consistent time frame
linked to a common source that is synchronised to
national time.

The Galleon NTP Time Server is a 2U height rack KVM Switch

mounted unit. It connects directly to an Ethernet LAN
via the switches and incorporates a Galleon MSF A Keyboard Video & Mouse (KVM) switch is provided
radio atomic clock with remote antenna that can be to permit a single technician’s work position to be
positioned up to 200 m (600ft) away. It includes a switched as a control/display for a local client PC, or
LCD signal strength display for easy installation, an either of the support servers.
integral time display and 2 x LAN connections. A
software driver is included for uni-cast, broadcast or
multi-cast time synchronisation. The unit conforms to
Network Time Protocol Version 4 (NTP V4).

Smartlock 400

Desk Top Clients Printers

Further local client PCs may be provided to permit At least two printers from the approved equipment list
technicians within range of the locally switched part of will be provided at the SCC to ensure technician
the IMNet LAN to access the system, ie. without control states can be printed, signed and centrally
involving transmission over the WAN. A desk top saved. The printers may also be used to print screen
client PC is provided for such purposes. Copies of shots of current system states or historical events to
saved logs may be transferred to removable USB assist with investigation and analysis. A screen shot
storage devices. of the “states” mimic is advised to support any screen
shots that might rely on colour. Printers may also be
provided at remote locations if required.

Trackside Data Links (TDL)

Each TDL communicates with up to 63 TFMs and
Remote Clients can employ Data Link Modules (DLM) to provide
baseband links between the interlocking and the
remote users may access the system via WAN links
trackside part of the link, or they can use a Long Line
through “thin client” terminals. These may be used to
Link (LLL) as provided by LDTs over a
log into the client gateway PC using WindowsTM
telecommunications interface. They are the same
terminal services. These devices have limited
data links provided by an SSI system and afford the
functionality, but transmit key strokes and mouse
same (accepted) level of Safety Integrity for carrying
movements/clicks to, and receive screen updates
safety information between the CIXL and the TFMs.
from, the client gateway, over the WAN link. These
Two levels of coding protect the information sent on
terminals connect via a remote router which provides
them. They are fully duplicated for high availability
secure communication, via the WAN link, with a
with separate ‘A’ and ‘B’ links.
central router.

The baseband link uses a dedicated twisted pair In the absence of controls from the Central
cable over which data is transmitted in half-duplex Interlocking, all TFMs will assume the “red retained”
mode at a rate of 20 kbits/s by the DLMs. Separate state, and display their “most restrictive” aspects.
cables are provided for the ‘A’ and ‘B’ links and they Points will remain locked in their current positions.
can, if required, be run over different physical routes
in order to increase availability. The subsystems in the TICC take approximately 10
seconds to recover once power is restored, but the
The maximum length of the baseband link, including CIXL takes between 2 and 3 minutes to restart, but
any spur up to 1 km in length, is 10 km (but it can be then enters a 4 minute timeout to ensure that all
extended to 40 km by using repeaters at intervals of trains that may have previously observed clear signal
up to 8 km). aspects have come to a stand. During this timeout
period, signals will be sent controls for their most
restrictive aspects and points will not be controlled by
Trackside Functional Modules (TFM) the Central Interlocking, hence remain locked in their
current positions.
Trackside Functional Modules (TFMs) are the local
interface with vital signalling equipment at the trackside.
These are the same modules that are employed by
SSI. Two types are currently in use in the UK as follows:

Signal Module (SM)

The Signal Module is designed to provide the power

interface with coloured-light signals, and is sufficiently
flexible to handle other signalling loads as well. It
provides inputs for current proving and for general
purpose signalling inputs such as track circuits.

Points Module (PM)

The Points Module forms the power interface for

direct drive of clamplock type point motors. Other
types of point machine such as the Alstom Type HW
are driven via interface relays. The PM provides inputs
for point detection and general purpose signalling
inputs such as track circuits.

Emergency Signal On Control (ESOC)

An “Emergency Signals on Control” feature is
provided by a circuit that, when the signaller presses
a button dedicated to a specific area of control,
removes power (both A and B supplies) from the CIXL
and all TICCs used to control the data links in that

As with an SSI ESOC circuit, a timer relay ensures

that, once pressed, the power is removed for a
minimum of 15 seconds, regardless of how quickly
the button is released. This ensures that the affected
CIXL and sub-systems within the TICCs are all
subject to a restart.

Designed & produced by Anderson Lambert +44 (0) 1582 754000

Signalling Solutions Limited

Borehamwood Industrial Park
Rowley Lane Borehamwood

Telephone: +44 (0) 20 8953 9922

Facsimile: +44 (0) 20 8207 5905
For product information:

Prices are correct at the time of publication. Signalling Solutions Limited reserve the right to change specifications and prices.

Issue 2 April 2009