1.4.3. Implementing Remote Route Locking
With the current generation of Solid State Interlocking the number of
IDL telegrams that can be used is limited to a maximum of fifteen in
total. Each IDL telegram conveys eight data bits, and the
Interlockings connected to the link take it in turns to transmit all
fifteen bytes of data in a round-robin protocol: the transport layer
is configured so that each SSI broadcasts its data at least once a
major cycle (the frequency depends on the number of Interlockings
connected to the link). On receipt of an IDL data packet the SSI is
able to extract those bytes that are relevant to it (this address
information can be computed statically, and is 'burned' into EPROM
when the system is installed). Since the outgoing IDL telegram will be
written at arbitrary times during a major cycle, it is necessary to
buffer the telegrams. As a consequence, the protocol as presented is
far from robust, since the various uses of the request telegram can
interfere with one another. If one SSI locks the inward portion of a
route in response to a remote route request, the (buffered) reply
telegram should not be overwritten before it can be sent. While not
unsafe, in extreme circumstances this may lead to livelock, and other
problems. Another reason why the protocol sketched above is not
correct is that the remote route request may simply fail in the second
Interlocking (West), but the first (East) has to be notified of this
failure.
Such concerns introduce the need for telegram protection and timers.
To implement remote route locking the designer has access to a
collection of elapsed timers which may be stopped and started
by commands from the Geographic Data, but which are otherwise updated
by the (real-time) generic program. Note that an elapsed timer can
serve both purposes if we can differentiate between a timer that is
stopped, and one that is running. One timer is needed for
each IDL telegram used to convey request codes to another SSI, but
other control data are needed to implement the sub-route release
mechanism over the boundary. The details are drawn out in Chapter 5
where safety properties of these inter-SSI communications will be
examined. Until then our concern will be with the safety properties of
the Geographic Data within a single SSI.
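The overwrite hazard and the timer-based telegram protection described above, as a small Python model added here for illustration; it is not SSI Geographic Data, generic program code, or anything taken from the thesis. The telegram index, the code values and the three-cycle timeout are constructed, and treating a running timer as "telegram in use" is an assumed reading of the text.

```python
# Simplified model (added example): not SSI Geographic Data or the generic program.
MAX_TELEGRAMS = 15        # limit stated in the text
TIMEOUT_CYCLES = 3        # assumed value, for illustration only

class OutgoingIDL:
    """Buffered outgoing IDL telegrams for one interlocking."""

    def __init__(self, protected):
        self.protected = protected
        self.buffer = [0] * MAX_TELEGRAMS     # one 8-bit value per telegram
        self.timer = [None] * MAX_TELEGRAMS   # None = stopped, int = cycles elapsed

    def write(self, idx, code):
        """Write a request/reply code at an arbitrary point in the major cycle."""
        if not 0 <= code <= 0xFF:
            raise ValueError("an IDL telegram carries eight data bits")
        if self.protected and self.timer[idx] is not None:
            return False                      # telegram in use: refuse the overwrite
        self.buffer[idx] = code
        self.timer[idx] = 0                   # start the elapsed timer
        return True

    def release(self, idx):
        """Stop the timer and clear the telegram (exchange completed or timed out)."""
        self.timer[idx] = None
        self.buffer[idx] = 0

    def end_of_major_cycle(self):
        """Broadcast all fifteen bytes, then advance the running timers."""
        sent = bytes(self.buffer)
        for i, t in enumerate(self.timer):
            if t is not None:
                self.timer[i] = t + 1
                if self.timer[i] >= TIMEOUT_CYCLES:
                    self.release(i)           # timed out: free the telegram
        return sent

def run(protected):
    """Two uses of telegram 4 collide within one major cycle."""
    link = OutgoingIDL(protected)
    reply_ok = link.write(4, 0xA1)            # constructed code: reply to a remote request
    other_ok = link.write(4, 0x3C)            # constructed code: unrelated request
    sent = link.end_of_major_cycle()
    return reply_ok, other_ok, sent[4]
```

Without protection the buffered reply is overwritten before it is ever broadcast; with protection the second write is refused and must be retried once the timer has stopped.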
Matthew Morley, Edinburgh. Date: 29 November, 1998