Electronic Interlocking (EI) — Architecture, Working, and Deployment
A detailed guide to Electronic Interlocking systems in railways — how they replace relay interlocking, their architecture, safety principles, and deployment considerations.
What is Electronic Interlocking?
Electronic Interlocking (EI) is a computer-based signalling system that replaces traditional relay-based interlocking with software-controlled safety logic. It ensures safe train movements by controlling signals, points, and level crossings through vital (safety-critical) processors.
Evolution of Interlocking Systems
Mechanical (1800s) → Relay (1930s+) → SSI (1985+) → Electronic/CBI (2000s+)
| Generation | Technology | Typical Size | Maintenance | |-----------|-----------|-------------|-------------| | Mechanical | Levers + wire connections | Small stations | High (manual) | | Relay | Electromagnetic relays | Medium stations | Medium (relay replacement) | | SSI | First-gen computer (GEC) | Large stations | Lower | | Modern EI | Dual/triple redundant processors | Any size | Lowest |
EI Architecture
System Components
┌────────────────────────────────────────────────────────────────────┐
│ CONTROL LEVEL │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐ │
│ │ Operator │ │ CTC / ARS │ │ Maintenance Terminal │ │
│ │ Workstation │ │ (Automatic │ │ (Diagnostics, │ │
│ │ (HMI) │ │ Route │ │ Configuration) │ │
│ │ │ │ Setting) │ │ │ │
│ └──────┬───────┘ └──────┬───────┘ └──────────┬───────────────┘ │
│ │ │ │ │
├─────────┼──────────────────┼──────────────────────┼─────────────────┤
│ │ INTERLOCKING LEVEL │ │
│ ▼ ▼ ▼ │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ VITAL COMPUTER (Safety SIL4) │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │ │
│ │ │ Processor A │ │ Processor B │ │ Comparator / │ │ │
│ │ │ (Interlocking│ │ (Interlocking│ │ Voter │ │ │
│ │ │ Logic) │ │ Logic) │ │ │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────────────┘ │ │
│ └──────────────────────────┬───────────────────────────────────┘ │
│ │ │
├─────────────────────────────┼───────────────────────────────────────┤
│ OBJECT CONTROLLER LEVEL │
│ ┌───────────────────┼───────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Point Machine │ │ Signal │ │ Track Circuit │ │
│ │ Controller │ │ Controller │ │ Controller │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└────────────────────────────────────────────────────────────────────┘
Three Levels of Architecture
1. Control Level (Non-vital)
- Operator workstations (HMI) for route setting
- Centralized Traffic Control (CTC) interfaces
- Automatic Route Setting (ARS)
- Maintenance and diagnostic terminals
2. Interlocking Level (Vital — SIL4)
- Vital computer executing interlocking logic
- Dual or triple modular redundancy
- Continuous self-checking and comparison
- Contains the complete interlocking data (routes, conflicts, approach locking)
3. Object Controller Level (Vital)
- Interface between the vital computer and field equipment
- Point machine controllers
- Signal drivers
- Track circuit interfaces
- Level crossing controllers
Vital Computer Design
The vital computer is the heart of the EI. It must meet Safety Integrity Level 4 (SIL4) — the highest level defined by EN 50129.
Redundancy Architectures
2oo2 (Two out of Two) — Comparison
- Two identical processors execute the same logic
- Outputs are compared — if they disagree, the system goes to a safe state
- Used by: Siemens Simis IS, Alstom Smartlock
2oo3 (Two out of Three) — Voting
- Three processors execute independently
- Majority vote determines the output
- A single faulty processor is outvoted and isolated
- Higher availability than 2oo2
Diverse Redundancy
- Two different processor architectures run different software implementations
- Even common-mode software faults are caught
- Used by: Thales PIPC, Hitachi
Safety Principles
- Fail-safe — Any detected error → safe state (all signals to red)
- Self-checking — Processors continuously verify each other's outputs
- Watchdog timer — External hardware timer resets the system if software hangs
- Coded monovibrator — Output relays require continuous pulsed signals; loss of pulse = safe state
- Vital communication — Messages between components are cryptographically authenticated
Interlocking Data
The interlocking logic is configured through data tables rather than hardwired relay circuits:
Key Data Tables
Route Table
- Defines all possible routes through the station
- Specifies signal, points positions, track circuits, overlap, and conflicting routes
Conflict Table
- Lists which routes cannot be set simultaneously
- Prevents conflicting movements
Point/Signal Association
- Maps which points must be in which position for each route
Approach Locking Data
- Defines timing and conditions for approach locking release
Example: Route Data Structure
Route R001:
Entry Signal: S1
Exit Signal: S5
Points Required:
- P1: Normal
- P3: Reverse
- P7: Normal
Track Circuits to Clear:
- TC01, TC02, TC03, TC04
Overlap Track Circuits:
- TC05, TC06
Conflicting Routes:
- R003, R007, R012
Approach Locking Time: 120 seconds
EI vs Relay Interlocking
| Feature | Relay Interlocking | Electronic Interlocking | |---------|-------------------|----------------------| | Space | Large relay room required | Compact equipment rack | | Wiring | Thousands of relay connections | Minimal (serial communication) | | Modification | Physical rewiring needed | Software data change | | Diagnostics | Manual testing | Built-in remote diagnostics | | Capacity | Limited by relay room size | Easily scalable | | Lifetime | 30-40 years | 20-25 years (hardware refresh) | | Cost (initial) | Higher for large stations | Lower for large stations | | Cost (maintenance) | Higher (relay replacement) | Lower (software-based) | | Testing | Weeks of on-site testing | Simulation + reduced site testing |
Object Controllers
Object controllers are the interface between the vital computer and the field equipment:
Point Machine Controller
- Drives point machines (normal/reverse)
- Monitors point detection (position feedback)
- Reports faults (detection failure, drive failure, obstruction)
- May support multiple point machines per controller
Signal Controller
- Drives signal aspects (LED or filament)
- Lamp proving — confirms correct aspect is displayed
- Reports lamp failures and degraded LED arrays
- Supports multi-aspect signals (2, 3, or 4 aspect)
Track Circuit Controller
- Interfaces with track circuit equipment
- Reports track clear/occupied status
- Monitors track circuit power supply health
- Supports various track circuit types (DC, AC, jointless)
Deployment Process
1. Design Phase
- Define the signalling layout (track plan, signal positions)
- Create interlocking data tables
- Develop the safety case (EN 50129)
- Design verification by independent safety assessor (ISA)
2. Factory Testing
- Load interlocking data into the system
- Execute comprehensive test cases (every route, conflict, and failure scenario)
- Simulation testing with virtual field equipment
3. Site Installation
- Install vital computer racks and object controllers
- Connect field equipment (points, signals, track circuits)
- Commission communication links
4. Site Testing
- Verify every route, point, signal, and track circuit
- Test all failure scenarios (cable cuts, power failures)
- Verify approach locking and overlap timing
- Conduct controlled train movements
5. Go-Live
- Parallel running with existing interlocking (if upgrading)
- Cutover during possession (planned block)
- Post-commissioning monitoring period
Conclusion
Electronic Interlocking represents the modern standard for railway signalling safety systems. By replacing relay logic with vital computers, EI systems offer compact installations, easier modifications, built-in diagnostics, and lower maintenance costs — all while maintaining the highest safety integrity level (SIL4).
Related posts: Railway Interlocking Systems Guide, Track Circuit Working Principle, and Point Machine Working Principle.