In the wake of the May 2015 Philadelphia train accident many discussions have ensued as to whether automatic safety technology could have prevented the accident and saved lives and injuries. The crash was caused by a train travelling at over twice the speed limit for a section of track, and although the emergency brake was applied by the engineer, the train still derailed. It is strongly suggested that if both the train and section of track had a PTC system installed and active, then the train would have been automatically slowed and the derailment averted.
The intent of Positive Train Control, or PTC, is to increase the safety of railroad transportation of passengers and hazardous materials, as well as increase the safety of railway workers, and was mandated by the United States congress in the Railway Safety Improvement Act of 2008 (RSIA).
Positive train control works by tracking the locations of assets (both stationary and mobile), predicting hazardous conditions, and acting to control trains to prevent accidents. There are three primary types of components in a PTC system that all communicate with each other. These are the locomotive (onboard) components which are used to track information about the train, the wayside components which are located outside the train, and the back office components that are used to store the information about the railway system as a whole.
The locomotive components have some very strict real-time and safety requirements, that enables them to collect and process information on a moving vehicle, and these requirements have some interesting similarities with airborne systems which need to be certified to the highest levels of safety standards before they can be deployed. For this reason, there is a natural fit for using an avionics safety-certified real-time operating system in PTC applications.
The LynxOS-178 RTOS is currently deployed in PTC locomotive (onboard) systems to gather and process data in hard real-time about the train such as its configuration, speed, GPS location, speed restrictions, movement authorities, work zones, wayside devices, switch alignment, signal information, and track data from an onboard geographic database. As the train moves along the track, the processes running on LynxOS-178 constantly monitor and ensure the crew’s compliance with all operating instructions and evaluates movement limits and required stopping distances to determine whether the PTC system must intervene to brake the train in order to maintain safety. Examples of when the train would be braked by the PTC processes running on LynxOS-178 would be in the case of potential track authority violations, speed limit violations, or improper switch alignment or signal aspects. If braking should become necessary, LynxOS-178’s hard real-time and deterministic environment is used to safely brake the train.
LynxOS-178 is a perfect fit for this application because of its hard real-time performance and determinism, conformance to open standards like POSIX for interoperability, and its avionics certification pedigree. These features give PTC developers the safety-certifiable operating system environment that they require to support their safety-critical applications. LynxOS-178 is the first and only hard real-time DO-178B FAA level A certified operating system to offer the interoperability benefits of POSIX as well as being recognized as a FAA-accepted Reusable Software Component (RSC). The capability to reuse both applications and certification artifacts is very beneficial in the design and development of real-time safety-critical systems such as PTC.