The concept basis

The complexity (and therefore the costs) of railway safety architectrrres are generally much smaller than for nuclear or aerospace. Perhaps because an aircraft can not have an emergency brake The availabihty of the flight control functions is a safety necessity. Architectirral solutiorts natmally have a degree of additional complexity. 

A signal is composed of several colored lamps with command (fixed or flashing aspect) and control (state of filaments) functions. A switch is composed of a motorization command and a control of the stopping position of railway blades. 

The original safety concept retained for the PIPC was that of probabilistic controlled safety for all acquisition, processing and output channels in other words 2x2. Each independent channel mutually compares itself to a set of internal and external state variables, therefore ensuring consistency of behavioral performances in processing and outputs. Each chaimel can be placed in fallback position by an internal defect or an inconsistency in the vote/synchronization of the state variables. 

To this, complete hot redundancy is added when necessaiy, a redundant (for availabihty) dual (for safety) processor this is called 2oo2 x 2 . Redundancy is designed to make maintenance actions transparent regarding operation (no system shutdown, hot swap, etc.). Redundancy is optional and can be implemented retrospectively without affecting the operation of the existing installation. 

The choice was also retained for an architecture where each 2oo2 replica has a quasi-single-task cychc behavior one safety software process, cyclic, per processor, thus ensuring the determinism of execution. 

---