Playing Factorio took me down the deepest of rabbit holes to understand railway signals. One of the most difficult situations to deal with is deadlock, where one train blocks another train, which blocks yet another train until the network is jammed. While there are design heuristics to avoid deadlock, I never found a formal way to verify deadlock avoidance. This in turn led me down a sub rabbit-hole about envisioning a language to specify a train network layout that could provide guarantees about deadlock.
Since IRL railways don't seem to deadlock as much as my in-game networks, I'm assuming railway designers have figured out a way to handle them that I haven't been able to replicate.
If anyone has experience in this field, I'd love to learn more. Oh, and if you're planning to play Factorio, you should probably block off your calendar for a couple weeks. It's notoriously addicting, especially for process-orientated engineering type folks.
If you want to do railway, try OpenTTD. The real railway networks are not safe from deadlocks. But they use planned schedules, which significantly reduce chances. These are available in OpenTTD.
Trains don't actually need signals anymore, there are a few fully automated rails in the world, the computer drives the train. Most trains still have a human in control, but there is less and less for that human to do (as DoubleGlazing says, that is still a lot, he knows more than me so be sure to read what he said). However, it is tricky to switch from human-driven to computer-driven trains as you need more signaling and it has to be perfect, as humans can make judgement calls when something you didn't expect happens.
Unlike cars, trains are a lot easier to automate as you can ignore a lot of the failure modes autonomous cars have to deal with. Also, the signaling system knows where everything on the track is anyway, so you don't need to worry about vision systems to detect something in the way. (If something is on the track, the train can't stop in time anyway, so it doesn't matter that you didn't detect it.) Of course that assumes everything is connected to the signal system 100% of the time.
To expand on the article, the most fundamental principle in railway signaling is the block section. That is a length of track for which there can only ever be one train inside it at any time. The length of the block section is typically decided upon by at the very minimum accommodating the train that would be the slowest to brake from its top speed at that location. However, in practice most block sections are much longer because it reduces the need for extra signal boxes and line side equipment, which results in a cost saving. For example, in the UK the longest block section is 26 miles between Carnforth and Settle junction. The flipside to having longer block sections is that you massively reduce the amount of trains that can run on that line, and there have been major problems in the UK where block section lengths were increased in the 70s and 80s to reduce costs, but now with increasing demand they can't run extra trains.
Around railway stations and busy junctions block sections can be quite short, sometimes just a bit longer than the trains that run on those lines. So you might wonder how a train going at full speed could stop within its block section? In those cases there are mechanisms in place to prevent trains going faster than they should. In the UK a system called TPWS is used to control the speed of trains. If a train goes over a TPWS balun too fast then the brakes will be applied and a lot of paperwork will have to be completed.
The three main systems used to actually control the movement of the trains are absolute block, route relay interlocking and computer-based/solid state interlocking.
In absolute block the signals in adjacent signal boxes use a device known as a block instrument to protect the line between them. Using a bell messaging system, the signaller at one box will ask the signaller at the next box if a train can enter their section; if so, that signaller will turn a handle on the block instrument which will allow the first signaller to clear their starter signal to allow the train to enter that section. That signal is called the starter because it is at the start of the next section. It's worth noting absolute block is just a method of working and you could control it using old-fashioned mechanical levers, or modern switched control panels. Likewise the signals could be semaphores or electric lights.
Route relay interlocking was developed in the 1930s and uses huge numbers of relays to control the safety of railway operations. Track circuits indicate the presence of trains which will prevent conflicting train movements. An interesting thing to note in the British railway rulebook is that under absolute block the signaller's primary purpose is to ensure the safety of trains, whereas with route relay interlocking their primary purpose is to keep the trains running on time. Route relay interlocking takes away the safety responsibility from the signaller. RRI signals are controlled using a vertical panel that shows a diagram of the railway tracks under control with buttons placed at the junctions between each block section. To set a route for the train the signaller simply presses the buttons at the start of the section and end of the section, and if that's allowed by the relays then the section will light up and the points and signals will be set appropriately for the train.
Computer-based interlocking, also known as solid state interlocking in the UK, is just basically route relay interlocking but now the logic is controlled by computers and instead of standing in front of a big panel the signaller now sits at a computer terminal.
One of the biggest advantages of computer-based interlocking is that it allows for the development of moving block sections. What this means is that physical block sections are replaced with virtual ones which are the length of the stopping distance of each particular train in that area. This means that each train has exactly the right amount of stopping distance in front of it. That allows for more trains to run on the same line.
Edit: Forgot to mention token block working, which is an extension of absolute block working where a bi-directional single line is in operation. In addition to the normal signaling equipment, there is also a token machine in each signal box. In each machine there is a supply of tokens which look like big brass keys. The two token machines are linked so that only one token between them can be removed at any time. When a driver is about to enter the section they will be given a token which will be given up at the signal box at the other end and inserted into the token machine there. If you've ever seen the driver handing over something that looks like a leather handbag with a massive metal loop for a handle then that's what's going on. Even though only one token is ever needed to go down the line, typically there might be a total of 20 or 30 tokens between the machines; this is to allow for when there are a lot of trains going in the same direction repeatedly. Although it is rare, there have been occasions where all the tokens ended up at one end, so a signaling engineer has to come out and remove some tokens and take them back to the other box.
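The token interlock described in the comment above, modelled as an added example that is not part of the original thread: two linked machines enforce that at most one token is out, and a run of same-direction trains eventually empties one machine. The class, method names and token counts are hypothetical, chosen only for illustration.

```python
# Added illustration (not from the thread): token block working on a single
# line between signal boxes "A" and "B". All names here are hypothetical.

class TokenSectionError(Exception):
    """Raised when an operation would break the one-token-out invariant."""


class TokenSection:
    def __init__(self, tokens_at_a, tokens_at_b):
        # Tokens physically held in each box's machine (constructed values).
        self.stock = {"A": tokens_at_a, "B": tokens_at_b}
        self.token_out = False  # machines are linked: at most one token released

    def withdraw(self, box):
        """Release a token to a driver about to enter the section at `box`."""
        if self.token_out:
            raise TokenSectionError("section occupied: a token is already out")
        if self.stock[box] == 0:
            raise TokenSectionError(f"box {box} is empty: engineer must move tokens")
        self.stock[box] -= 1
        self.token_out = True

    def deposit(self, box):
        """Driver gives up the token at `box`; the section becomes free again."""
        if not self.token_out:
            raise TokenSectionError("no token is out")
        self.stock[box] += 1
        self.token_out = False

    def rebalance(self, src, dst, count):
        """Engineer carries tokens between boxes, only while the line is clear."""
        if self.token_out or count > self.stock[src]:
            raise TokenSectionError("cannot rebalance now")
        self.stock[src] -= count
        self.stock[dst] += count


def run_trains(section, journeys):
    """Run (origin, destination) journeys in order; count those completed
    before a machine refuses to release a token."""
    completed = 0
    for origin, destination in journeys:
        try:
            section.withdraw(origin)
        except TokenSectionError:
            break
        section.deposit(destination)
        completed += 1
    return completed
```

The safety property is the `token_out` check: a second withdrawal at either end fails until the first token is back in a machine, regardless of how many spare tokens each box holds.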
A high speed train carries a lot of momentum, as does a slow one carrying a huge load for that matter, and it can take quite some distance to bring that to an orderly⁰ stop, noticeably more than a single signal separation distance in high density areas. I was on a main-line passenger train recently that did stop pretty hard¹ – it is a slightly disconcerting experience, feeling that rate of deceleration knowing how much force is involved.
Though as you say, a lot more of this is automated these days, with signallers and drivers prioritising efficiency more because the modern safety systems take a lot of that cognitive load of knowing what is going on further in front away from them.
--
[0] minimum stopping distance is often not a pleasant stopping distance!
[1] on that section we could have been doing up to 90mph I think, though we weren't going that fast as just before the stop we were accelerating, the train came to a rest smoothly but in an unusually short time/distance
> A high speed train carries a lot of momentum, as does a slow one carrying a huge load for that matter, and it can take quite some distance to bring that to an orderly⁰ stop, noticeably more than a single signal separation distance in high density areas.
While dissipating the kinetic energy resulting from high speeds and/or high weights can be a noticeable design constraint, too, especially on longer downhill gradients, the more immediate limiting factor is simply the fact that the coefficient of friction for steel wheels on steel rails (0.1 to 0.4) is quite low when compared to that of rubber tyres on asphalt or concrete (0.4 to 1.0).
(Which goes hand in hand with the significantly lower rolling resistance enjoyed by railways, but it does make reliably achieving higher brake deceleration rates somewhat more difficult. Though even if you could do away with that constraint, the next issue is that passenger comfort and safety would prevent much higher deceleration rates, anyway.)
A good overview but a bit short on details. Some crucial things that got omitted (and are generally valid across Central Europe - no idea about the US, India and other places notorious for railway accidents):
- signals, both "old" mechanical and modern filament/LED light based, are continuously monitored for their status. If a wire breaks (for mechanical signals) or the current is abnormal, a fault is detected by the interlock control and there are rigid procedures on how to operate safely under such conditions.
- Signals have some sort of direct connection to a railside element communicating the status of the signal (go/slow/stop) to the locomotive. In the case of the most commonly used system PZB [1], it's a box containing a tuned inductor circuit, with the resonance frequency changing according to the status of the signal by connecting or disconnecting a capacitor (which can also be done by a mechanical signal). The train drives over these boxes and the locomotive's antenna detects driving over a tuned or mistuned box. The French use a system applying a low voltage to a third, short center rail that gets picked up by a brush [2] or, for high-speed rails, a low-frequency FM carrier signal transmitted over the rails [3].
- railway sections are sub-divided into "blocks", spaced at least a full brake distance from full speed apart. Signals signal to conductors what to do, and axle counters or DC monitors verify a block of rail is free of trains. The purpose of all that effort is to make sure that a) even in the worst case of a conductor missing a red light at full speed, the safety system has enough time to stop the train before it crashes into the train ahead and b) should a train separate and someone made an error in linking the central brake pipe (leading to the front part not braking automatically), the axle counter will detect that fewer axles came out of the block than came into it. It has the obvious disadvantage that a lot of capacity is wasted by the requirement to have one entirely empty block between trains; as a consequence systems like ETCS or LZB got developed that monitor position, speed and condition of trains and provide a virtual "moving block" leading to better utilization. In the long term, ETCS will lead to a complete elimination of track-side signals and eventually pave the way towards fully automated driving - but that's many decades away.
> even in the worst case of a conductor missing a red light at full speed, the safety system has enough time to stop the train before it crashes into the train ahead
For legacy systems that's not generally true, especially outside of rapid transit applications. This is because most legacy train protection systems can only intervene (if at all – some systems like the British AWS only require the driver to acknowledge a warning and don't actually stop the train even if it passes a signal at danger) when the train actually passes the signal, and at that point it's already too late and a mainline train at full speed will still require several hundred metres or even up into the kilometre range to come to a stop.
Spacing signals that far apart is impractical (it's not just about the signal-to-signal spacing on the plain line, but also how close to a junction signals can be placed and things like that), so most mainline railways didn't bother and only provide a limited "overlap" that gives some margin for mis-judged braking and similar incidents, but doesn't cater for a full-speed signal overrun. (And some countries like e.g. the Netherlands don't really do overlaps at all.)
Reliably stopping trains within such a limited (not full braking distance) length overlap requires a train protection system which can react not just when the train actually passes the signal, but also if it approaches the signal too fast to stop in time, and only a limited number of legacy train protection systems possess that capability (and even then maybe only in a partial fashion).
Things are somewhat different on rapid transit-style railways, where lower speeds mean that a full-length overlap (to go hand-in-hand with a simple trainstop-style train protection system of the day) isn't quite as ridiculously long and more practical to implement, and the combination of frequent trains with high passenger loadings in constrained surroundings (and therefore bigger risks in the case of accidents) also provided a higher impetus for improved safety measures than on mainline railways even one hundred years ago.
> It has the obvious disadvantage that a lot of capacity is wasted by the requirement to have one entirely empty block between trains
Even with modern cab signalling trains are usually spaced apart based on absolute braking distance (i.e. even if the train ahead came to a sudden, instantaneous stop, the following train could still safely stop. Even if you wanted to be more adventurous and allow spacing based on relative braking distance, a set of points/turnout that requires changing between successive trains effectively acts as a stationary obstacle, effectively returning you back to absolute braking distance.) The capacity loss with conventional signalling happens because the actual spacing then needs to be quantised and rounded up based on the actual signal spacing.
> spaced at least a full brake distance from full speed apart.
Sub-braking distance block lengths aren't anything too unusual, though with conventional signalling there's usually a limit to how fine you can sub-divide your regular braking distance. With more modern systems on the other hand, simulating "moving" block by just providing a large number of very short fixed blocks has been done and is entirely practicable. The motivation for true moving block is hoping to save on the installation costs for axle counters and suchlike.