H2-1. System Role & Safety Boundary

What this module actually “does”

Interlocking & vital logic exists to make a single hard promise: permission is granted only when the evidence chain is complete. When inputs are stale, inconsistent, or not provably trustworthy, the only valid outcome is a safe default—typically deny and de-energize. This reframes the design goal from “keep running” to “always remain provably safe.”

Boundary definition: three layers that prevent scope creep

• Functional boundary: adjudicates permission/lock/deny based on validated conditions; it does not perform positioning fusion, radio link management, or track-circuit demodulation.
• Signal boundary: distinguishes vital signals (must be provable) from non-vital signals (diagnostics/monitoring that cannot directly grant permission).
• Safety boundary: defines where isolation exists, what is dual-channel, and what constitutes a safe state when anything is uncertain.

Vital I/O taxonomy (the engineering reason “safe” is enforceable)

Treating every wire as equal is how safety systems fail in the field. A strict taxonomy prevents accidental “permission by convenience”:

• Vital Inputs (dual-channel): must pass freshness, consistency, and channel agreement checks before they can influence a permit decision.
• Non-vital Inputs: informative only; never sufficient to grant permission.
• Vital Outputs: must be designed so that loss of energy implies safety (de-energize-to-safe), not “unknown.”
• Proof / Feedback: output feedback is mandatory for detecting welded relays, broken lines, or mismatched actuation.

Evidence chain: what must be logged to make decisions auditable

Safety reviews and field forensics are won or lost on evidence. The boundary is not “real” unless the system records what it relied on. A minimal evidence chain for each decision includes:

Acceptance criteria (what “done” means for this chapter)

• Safe state is explicitly defined and reachable under any uncertainty: deny + de-energize.
• Every boundary crossing (isolation, dual-channel inputs, vital output chain) is visible in the diagram and referenced in text.
• At least one complete decision evidence chain is described (inputs → checks → decision → outputs → feedback → logs).

H2-2. Vital State Model & “De-energize-to-trip” Philosophy

Why a state machine is mandatory (not optional)

“Fail-safe” becomes real only when behavior is deterministic under uncertainty. A vital state model turns safety from a slogan into an auditable contract: entry conditions define what must be true, allowed outputs constrain what the system may do, and evidence logs preserve why a transition occurred. Without a state model, field failures often degrade into oscillation (reboot loops, chatter, intermittent permission) that is unsafe and hard to diagnose.

Core states and what makes them provable

A rail-grade state model should make two outcomes always measurable: (1) how quickly the system reaches the safe state after a trigger, and (2) whether recovery is allowed, rate-limited, and evidence-backed. The following is a practical minimum set:

• INIT: outputs forced OFF; integrity + configuration + timing stability verified before any RUN transition.
• RUN: permission decisions allowed only when inputs are fresh and channels agree.
• DEGRADED: conservative behavior enforced (e.g., deny-only or restricted permits) when a non-fatal constraint is detected.
• TRIP: immediate de-energize; safe state reached within a measured latency budget.
• LATCHED: manual intervention or proof-test required; prevents “auto-recover oscillation.”
• RECOVERY: controlled checklist; back-off timers avoid repeated transitions in noisy conditions.

De-energize-to-trip: what it means in engineering terms

De-energize-to-trip is not simply “turn it off.” It is a design rule that makes safety enforceable: the safe state is reached by removing energy from the vital output chain, and the removal is confirmed by feedback. This approach is robust under supply anomalies and supports clean forensic evidence (command vs feedback).

How to prevent unsafe oscillation (the hidden field killer)

A large fraction of safety incidents stem from “half recoveries” that repeat under EMI or borderline supply conditions. A vital state model must explicitly block oscillation by combining: (1) latching rules for severe fault classes, (2) back-off timers, and (3) a recovery checklist that re-validates evidence inputs and output feedback before RUN.

• Latching: mismatch, output feedback abnormal, critical diagnostics failure → LATCHED.
• Back-off: rate-limit recovery attempts; record correlation with brownout/EMI bursts.
• Checklist: config hash match, timing stable, inputs fresh, channels agree, output feedback sane.

Acceptance criteria (what “done” means for this chapter)

• Every state includes: entry conditions, allowed outputs, evidence fields, and exit conditions.
• TRIP behavior is measurable: safe_state_latency_ms and output_drop_confirmed are defined.
• Recovery cannot chatter: rate-limit + checklist + latching rules are explicit.

H2-3. Redundancy Architectures: Lockstep vs Dual-Channel vs TMR

What this chapter is for

Redundancy is not “more MCUs.” It is a deliberate trade between fault models, safety behavior, availability targets, and the evidence that can be produced during audit and field forensics. A correct architecture choice starts by matching the dominant fault types (transient, random hardware, common-cause, systematic) to the redundancy pattern that can detect and contain them with measurable latency.

Lockstep (cycle-by-cycle compare)

• Best at: transient upsets and random hardware faults with fast detection (tight compare window).
• Weak at: common-cause failures (shared supply, reset, EMI injection) and systematic errors (same code/config → same wrong result).
• Evidence that must exist: mismatch counts and classification, correlated with reset/brownout/EMI indicators.

Dual-channel (1oo2 / 2oo2 variants)

• Best at: increasing independence (separate supplies/clocks/resets) and producing stronger decision evidence (value + timing + freshness contracts).
• Weak at: systematic errors if both channels share identical software/config and the same wrong assumption.
• Key choice: 2oo2 (permit only on agreement) favors safety; 1oo2 can favor availability but demands stricter “confidence + health” rules.

2oo3 / TMR (majority vote)

• Best at: availability under a single-channel random failure; the system can continue while isolating a faulty channel.
• Weak at: complexity and diagnostic coverage requirements; a weak health model can let majority voting hide a degrading channel.
• Non-negotiable: per-channel health scoring + “kick-out” evidence must be logged.

Minimum evidence fields (audit + field debugging)

Acceptance criteria

• The dominant fault types are explicitly mapped to each architecture’s strengths and limits.
• Safety vs availability is stated as a design intent (fail-silent vs fail-operational positioning).
• Evidence fields are not listed as nouns only—each is tied to a reason it is needed.

H2-4. Voter Design Deep Dive: 1oo2 / 2oo3 Decision Logic

Voter purpose: compare evidence, not only values

A robust voter does not simply compare numerical results. It compares evidence consistency: value agreement must be supported by freshness, alignment (sequence/time), and trust indicators (confidence/health/CRC). When evidence is incomplete, the correct decision is conservative (deny, trip, or degraded), with a reason code that makes the outcome auditable.

Decision inputs (the minimum contract)

• Value evidence: value, valid_flag
• Timing evidence: timestamp, seq_no
• Trust evidence: confidence, channel_health, crc_error_rate

Four-step decision flow (auditable and testable)

1. Freshness gate: reject stale inputs (age exceeds policy) → reason code indicates STALE, action becomes deny/degraded.
2. Alignment gate: enforce window_ms and seq_gap limits → reason code indicates ALIGN_FAIL (prevents “same value, different moment” mistakes).
3. Agreement gate: compare value_delta to tolerance → AGREE or VALUE_CONFLICT.
4. Conflict resolver: select conservative action or bias toward a higher-trust channel (confidence + health) and log the justification.

Fail-silent vs fail-operational (expressed as actions)

• Fail-silent (safety-first): any critical conflict → deny/trip/latch; outputs de-energize quickly and remain OFF until evidence is restored.
• Fail-operational (availability-first): continue only in constrained mode with stricter evidence gates; recovery attempts are rate-limited and logged.

Evidence fields that make decisions reviewable

Acceptance criteria

• Decision flow is specified as gates + resolver (can generate test vectors directly).
• Every non-permit outcome has a reason code; “unknown cause” is not acceptable.
• Alignment failures (timestamp/sequence) are explicitly handled to avoid intermittent field misvotes.

H2-5. Cross-Monitoring & Data Consistency Contracts

Goal: prove each channel is processing the same event

Cross-monitoring is not only about matching results. It must prove that each channel computed on the same inputs, under the same configuration and calibration, within the same time/sequence context. Without consistency contracts, two channels can appear to “agree” while operating on different samples, different parameter sets, or stale data—creating an unsafe false confidence.

Contract stack (inputs → configuration → output proof)

1. Input contract: mirrored inputs must be aligned (sequence/time) and represent the same sample set. Alignment failures should be categorized (skew vs missing frames) to avoid unnecessary trips during brief reordering.
2. Configuration contract: each channel must share the same policy parameters (windows/tolerances/modes) and the same calibration identity. Configuration drift is a safety boundary violation and must be logged and blocked from RUN.
3. Output proof contract: vital output commands must be confirmed by independent feedback and line monitoring. Command/feedback disagreements must be treated as severe because they imply welded relays, broken wiring, or monitoring faults.

Input mirroring & alignment (what “same data” means)

• Sampling alignment: enforce the same window_ms bucket and bounded skew (timestamp or tick-based).
• Sequence continuity: detect reordering or missing frames with seq_gap-style checks.
• Quantization & calibration consistency: differences are allowed only within defined tolerances, and calibration identity must match.

Output readback & line monitoring (proof of actuation)

• Vital relay feedback: compare command vs feedback to detect welded contacts or missing energization.
• Line monitor: detect open-load/short-to-supply/short-to-ground states and log the inferred wiring fault class.
• Severity rule: cmd=OFF but feedback=ON is typically latch-worthy; cmd=ON but feedback=OFF is deny + diagnose + conservative transition.

Minimum evidence fields

Acceptance criteria

• Contracts explicitly state “must match” fields vs “allowed to differ” fields.
• Contract failures are categorized (alignment vs hash vs config vs output proof) with deterministic actions.
• Output proof chain includes both feedback and line monitoring, not command-only assumptions.

H2-6. Diagnostic Coverage & Self-Test Strategy

What auditors and field teams need

Diagnostic coverage is not a checklist. It is a measurable mechanism that connects failure modes to detection methods, detection intervals, and evidence logs. The objective is to prevent unsafe operation under latent faults and to produce traceable proof that self-tests ran, what they tested, and what action was taken.

POST (Power-On Self-Test): block RUN without integrity proof

• Memory integrity: RAM test, Flash/ROM CRC verification.
• CPU critical path: register/ALU sanity, exception vectors, control-flow baseline.
• Clock & watchdog: clock presence/stability checks, watchdog behavior sanity.
• I/O loopback: verify the safety I/O path is observable (loopback where feasible).

Online diagnostics: detect drift, corruption, and intermittent faults

Online diagnostics should be scheduled at multiple rates to catch both fast transients and slow degradation. Failures must map to deterministic system states (degraded/trip/latched), consistent with the vital state model.

• High-rate: task timing watchdogs, heartbeat consistency, fast mismatch monitors.
• Mid-rate: periodic CRC, logic consistency checks, contract checks (input/config/output proof).
• Low-rate: trend analysis of error rates and health scores to surface latent faults.

Proof test: expose faults that normal operation can hide

• Trigger: maintenance window, operating-hours threshold, or post-event policy.
• Mechanism: controlled channel isolation/swap, injected stimuli, verification of voter and feedback paths.
• Evidence: timestamped proof-test record that ties outcomes to diagnostic IDs and latent fault counters.

Minimum evidence fields (self-test as auditable data)

Acceptance criteria

• Every diagnostic class states: what it detects, how often it runs, and what evidence it logs.
• Latent fault handling is explicit (fault_latent_counter behavior and clearing rules).
• Proof tests have defined triggers and produce timestamped evidence.

H2-7. Vital I/O: Isolated Inputs/Outputs, Relay Drivers, Feedback

Vital I/O is an energy chain with proof

A safety output is not a GPIO state. It is a controlled energy path that must be proven end-to-end: decision logic drives an output stage, the electromechanical element changes state, the load is affected, and independent feedback confirms the action. Any “command-only” assumption is insufficient for a vital function.

Vital inputs: dual DI + wiring fault classification

• Dual-channel DI: treat A/B as evidence sources; enforce agreement windows and deterministic conflict actions.
• Open/short detection: classify wiring states (open-load, short-to-batt, short-to-gnd) instead of “input flaky.”
• Debounce & sampling windows: debounce is a measurable policy (stable samples + time window), not a magic delay.

Vital outputs: driver, relay/contactor, and readback

• Driver stage: high-side / relay / contactor drivers should provide observable diagnostics (fault flags, current/voltage cues where applicable).
• Feedback readback: compare command state vs feedback state within a defined window; mismatches must be logged and classified.
• Weld detect: cmd=OFF but feedback=ON is typically treated as severe because it suggests welded contacts or feedback short.
• Line monitoring: open-load and short faults on the output path should be detectable and mapped to action policies.

Isolation: separate domains, suppress common-mode coupling

• Digital isolators: keep vital logic domain independent from noisy field wiring while preserving timing integrity.
• Isolated power: avoid shared disturbances that collapse both domains; record reset/brownout evidence for correlation.
• Common-mode suppression: route return paths intentionally to prevent EMI-induced false transitions and feedback errors.

Minimum evidence fields

Acceptance criteria

• Output behavior is defined as an energy-chain with proof, not a command-only control.
• Wiring faults and weld conditions are classified and logged (not treated as generic “noise”).
• Isolation boundary is explicit and tied to diagnostic evidence and recovery actions.

H2-8. Event Recording: Evidentiary Logs, Trusted Time, Tamper Signals

From “logs exist” to “logs are evidentiary”

Evidentiary logging is designed for reconstruction and audit. It must preserve event order, capture critical context (reset reasons, firmware/config identities), and prevent silent loss during power interruptions. A reliable pipeline turns field anomalies into records that can be verified and replayed.

Event taxonomy (what must be recorded)

• Critical: trip/latched, output proof failures, weld suspects, persistent contract violations.
• Near-miss: mismatch spikes, transient contract failures, CRC bursts, recoveries that barely passed.
• Change control: config changes, firmware updates, calibration identity changes.
• Platform: reset_reason, brownout, watchdog, clock faults.

Trusted time: monotonic first, external time as an aid

• monotonic_counter: guarantees order and supports reconstruction even if wall time jumps.
• External time (if present): used for correlation, not as the sole evidence source.
• Time anomalies: time jumps or time-source loss should generate explicit records.

Power-loss integrity: commit without silent loss

• Holdup window: detect power fail and preserve enough energy to finalize the critical commit.
• Journal / double-write: avoid half-written records and ensure replayable recovery after reset.
• CRC chain: each record carries CRC and links to the previous record to detect missing segments.

Tamper signals: record the evidence of abnormal access

• Enclosure/debug signals: cover open, debug enable, unexpected mode changes.
• Identity changes: firmware_hash or config_version changes must be logged as change-control events.

Minimum evidence fields

Acceptance criteria

• Every critical event carries identity (firmware/config) and platform context (reset/brownout).
• Ordering is reconstructable even without wall time (monotonic_counter).
• Power-loss behavior is fail-safe: no silent loss; commit failures are recorded and replayed.

H2-9. EMC & Common-Cause Failure Hardening (Rail Reality)

Goal: prevent one disturbance from collapsing all channels

In rail environments, the key EMC risk is not a single-channel upset. The real hazard is common-cause failure: the same disturbance (power dip, ground bounce, EMI injection, or shared logic defect) impacts multiple channels at once, removing the redundancy that 1oo2/2oo3 architectures rely on. Hardening must therefore reduce correlation and create measurable evidence when correlation still happens.

Common-cause catalog (what tends to hit channels together)

• Power CCF: shared front-end dips, undervoltage thresholds aligned across channels, simultaneous brownouts.
• Reference CCF: ground bounce and reference shifts that move logic thresholds together.
• EMI CCF: common-mode injection through cables, connectors, and shield return paths, causing bursts of errors.
• Logic/Config CCF: shared firmware defects or configuration mistakes producing consistent-but-wrong decisions.

Hardening strategy (partition, suppress, de-correlate)

1. Partition power domains: avoid a single supply disturbance resetting every channel; use distinct filtering paths and independent supervision where practical.
2. Independent reset & supervision: separate reset decision logic per channel to avoid “one reset line resets all.”
3. Suppress injection at the boundary: input filtering and common-mode suppression close to the cable entry, before the disturbance becomes “logic-level.”
4. Control shield/ground return paths: define where shield currents return so common-mode energy does not couple into every reference.
5. De-correlate where safe: avoid identical coupling paths (routing symmetry, identical harness grouping) and use bounded timing diversity without breaking data consistency contracts.

Turning “rail constraints” into circuit requirements

Environmental and EMC constraints should be translated into explicit circuit-level requirements: undervoltage behavior (no unsafe toggling), hold-up thresholds, reset qualification, input filter time constants relative to sampling windows, and a defined common-mode return path strategy. The design is considered hardened only if correlation between channels is measurably reduced and diagnosable when it occurs.

Evidence fields (correlation is measurable)

Acceptance criteria

• Hardening actions are mapped to specific common-cause types (power/reference/EMI/logic).
• Correlation is quantified and logged; simultaneous resets are not treated as “random.”
• Mitigation placement is explicit (where filtering, shielding return, and CM suppression occur).

H2-10. Fault Handling & Reset/Recovery Policy (No “Oscillating” Failures)

Goal: deterministic actions, never restart oscillations

Many rail field incidents are not a single trip, but a repeated cycle of reset → partial recovery → failure again. This oscillation creates unstable outputs, destroys diagnostic clarity, and can mask common-cause issues. A robust policy classifies faults, caps recovery attempts, introduces backoff, and forces stable end states (latched trip or controlled degraded mode) when recovery is not evidenced.

Fault classes (latch vs degrade vs attempt)

1. Class A — Trip-latch: output proof failure, weld suspect, repeated diagnostic failures, persistent contract violations.
2. Class B — Degraded: single-channel health decline, isolated I/O path issues that still allow safe deny behavior.
3. Class C — Attempt recovery: transient error bursts that clear and do not violate evidence gates.

Reset policy: cold vs warm, caps, and backoff

• Warm restart: for transient software timing faults; must preserve evidence logs and avoid rapid state flips.
• Cold restart: full re-initialization when state integrity is suspect; re-validate configuration and contracts before RUN.
• Attempt cap + backoff: recovery attempts are limited; retry intervals increase to prevent oscillation.
• Boot-loop detection: detect “fails shortly after boot” and force a stable terminal state.

Channel-isolated recovery: keep redundancy meaningful

• Isolate the suspect channel: based on health indicators, mismatch counters, and diagnostic results.
• Controlled degraded mode: proceed only if safety can be maintained conservatively; otherwise deny and latch.
• Evidence gate to exit degraded: return to normal only when diagnostics and correlation indicators are stable.

Evidence fields

Acceptance criteria

• Faults are classified with deterministic actions (latch/degrade/attempt) and consistent evidence logs.
• Recovery attempts are bounded and backoff prevents fast oscillation.
• Exit from degraded mode requires evidence gates, not “time passed.”

H2-11. Validation & Audit Evidence Pack (Bench → Track)

Purpose: “verifiable” means deliverable evidence

Validation for vital logic is judged by closed-loop evidence: faults can be injected repeatably, detection and safe-state latencies are measured with unambiguous time markers, and logs can be replayed without silent gaps. The output of this chapter is a checklist-style evidence pack that serves audit, bench re-test, and track investigations consistently.

Validation map (Bench → HIL → Track)

• Bench (board/subsystem): isolate single-channel diagnostics, vital I/O proof chain, log commit integrity (power-fail scenarios).
• HIL/SIL (system behavior): redundancy/voter behavior under mismatch, window/sequence alignment, recovery policy anti-oscillation gates.
• Track/field (rail reality): correlation under EMC/power events, simultaneous reset correlation, safe-state determinism under disturbances.

Fault injection matrix (minimum set)

Each case is defined as: injection point (where), profile (shape/level/duration), expected action (latch/degrade/deny/recover), observables (what to measure), and artifacts (what to export into the evidence pack). Use stable case IDs (e.g., FI-PWR-03).

Criteria and metrics (measured + reported)

• Detection: report detect_latency_ms as max and 95th percentile per case ID (not only average).
• Safety response: report safe_state_latency_ms as max and 95th percentile; confirm no unsafe output chatter.
• False triggers: express as “false trips per injected burst count” per profile level.
• Log integrity: log_integrity_ok requires: no silent gaps, CRC/chain check passes, and power-fail commits leave evidence.

Evidence pack (deliverables) and traceability

The evidence pack should be a fixed directory template so audits and field replays can locate artifacts quickly. Each injection case ID must map to waveforms, logs, and metric summaries. Any deviations require a recorded waiver with clear justification and bounded risk.