The New York City Transit (NYCT) Signal Modernization Program has been ongoing since the mid-1990s. The current phase of modernization involves the procurement of Solid State Interlocking (SSI) systems that are designed to replace relay-based interlockings. SSI procurement has necessitated significant adjustments to NYCT’s system deployment processes, most notably in the areas of design, implementation, test, maintenance, and safety certification. NYCT has successfully met the challenge of applying the updated deployment processes to multiple, concurrent system procurements.

The most fundamental change to the NYCT procurement approach required a shift from the traditional design-build model of acquisition for relay-based systems to a software-based development lifecycle for SSIs. The relay-based interlocking systems’ design-build model has traditionally involved the realization of complex relay logic with well-known hardware components such as relays, trip-stops, signals and switch machines. The SSI systems’ software model, however, requires additional consideration of the software and hardware development phases designated in the V-lifecycle.

V-model phases include requirement, design, implementation, and test. For SSI systems, NYCT adopted a “double” V-lifecycle approach: one V for the supplier’s SSI hardware and software (executive) platform, and one V for the SSI application (site-specific field) logic. At NYCT, the first V is dedicated to the suppliers’ executive platform. Hardware and software comprising the supplier platform are verified to meet safety and performance requirements. Safety analyses such as Fault Tree Analysis, Failure Modes and Effects Analysis, Timing Analysis, and Hazard Analysis are generated by SSI suppliers. System safety concepts, e.g., Numerical Assurance, Checked Redundancy and Intrinsic Fail-Safety, are also assessed. NYCT’s second V is dedicated to the application software, i.e., the site-specific relay-based logic, which is implemented as Boolean logic within the SSI. For this Boolean logic, the process of traditional circuit checking is supplemented by Model Checking, wherein NYCT General Safety Properties are used to verify the site-specific logic. Model Checking provides assurance that safety properties are met throughout the entire interlocking design, for every system state, and does not rely on a manual review process. This paper will focus on the benefits NYCT has realized as a result of adopting Model Checking as a requirement for safety certification, along with an overview of the NYCT SSI safety certification process.
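As an added illustration of the exhaustive check described above (constructed for this page; it is not NYCT's site-specific logic, its General Safety Properties, or its tooling): a toy two-signal interlocking written as Boolean functions, a set of assumed safety properties, and a checker that evaluates the logic for every combination of inputs. The first version of the logic passes a manual reading but fails under a contradictory switch indication, which the exhaustive check surfaces.

```python
from itertools import product

# Constructed toy interlocking (hypothetical, not NYCT's logic): two opposing
# signals SIG1 and SIG2 govern moves over one switch. Inputs are the route
# requests and field indications; outputs play the role of vital relays.
INPUTS = ("req1", "req2", "sw_normal", "sw_reverse", "track_clear")

def logic_v1(s):
    """Candidate site-specific Boolean logic: a signal clears when its route is
    requested, the switch indicates the required position and the track is clear."""
    sw_locked = s["req1"] or s["req2"]
    sig1 = s["req1"] and s["sw_normal"] and sw_locked and s["track_clear"]
    sig2 = s["req2"] and s["sw_reverse"] and sw_locked and s["track_clear"]
    return {"sw_locked": sw_locked, "sig1": sig1, "sig2": sig2}

def logic_v2(s):
    """Corrected logic: each signal also demands the absence of the opposing
    switch indication, so a contradictory (failed) indication holds both at stop."""
    out = logic_v1(s)
    out["sig1"] = out["sig1"] and not s["sw_reverse"]
    out["sig2"] = out["sig2"] and not s["sw_normal"]
    return out

# Assumed general safety properties, stated as predicates over the full state
# (inputs plus derived outputs). These are illustrative, not NYCT's actual set.
PROPERTIES = {
    "no_opposing_signals_clear": lambda st: not (st["sig1"] and st["sig2"]),
    "clear_signal_implies_switch_locked":
        lambda st: not (st["sig1"] or st["sig2"]) or st["sw_locked"],
    "clear_signal_implies_track_clear":
        lambda st: not (st["sig1"] or st["sig2"]) or st["track_clear"],
}

def model_check(logic, properties=PROPERTIES):
    """Evaluate the logic for every input combination (2**len(INPUTS) states) and
    return {property: [violating input states]}; an empty dict means all hold."""
    violations = {}
    for values in product((False, True), repeat=len(INPUTS)):
        inputs = dict(zip(INPUTS, values))
        state = {**inputs, **logic(inputs)}
        for name, holds in properties.items():
            if not holds(state):
                violations.setdefault(name, []).append(inputs)
    return violations

if __name__ == "__main__":
    for name, logic in (("v1", logic_v1), ("v2", logic_v2)):
        bad = model_check(logic)
        print(name, "passes" if not bad else f"fails: {bad}")
```

The counterexample the checker returns for `logic_v1` is the state in which both switch indications are asserted at once, a case a circuit reviewer scanning the intended normal and reverse paths can easily overlook.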
