Railway Interlocking Systems Explained: Mechanical to CBI

Interlocking is the safety-critical “brain” of railway signaling. It is a system of hardware and software designed to prevent conflicting train movements by locking switches and signals in a safe sequence. From mechanical lever frames to modern Computer-Based Interlocking (CBI), learn how this technology ensures two trains never occupy the same track at the same time.

December 8, 2025 9:23 am | Last Update: March 20, 2026 6:48 pm

⚡ In Brief

Railway interlocking is the safety logic system that prevents conflicting train movements — it ensures a signal can only show “clear” when all required points are locked in the correct position, the track ahead is proven clear, and no conflicting routes have been set.
Interlocking is fail-safe by design: every failure mode — power loss, broken wire, software fault — causes all controlled signals to revert to danger. The system can only display a “proceed” indication when everything is working correctly and the route is genuinely safe.
Three generations of technology implement the same underlying logic: mechanical lever frames with steel tappet bars (19th century), relay interlocking with electromechanical relays (mid-20th century), and Computer-Based Interlocking / Solid State Interlocking with safety-certified software (1980s–present).
Modern Computer-Based Interlocking (CBI) is certified to SIL 4 — Safety Integrity Level 4, the highest level in the IEC 61508 standard — requiring a probability of dangerous failure on demand of less than 10⁻⁵ per hour, or roughly one dangerous failure per 11,400 years of continuous operation.
A single modern CBI system can control hundreds of route-miles from a single processor cluster, replacing dozens of separate relay interlocking installations, dramatically reducing both infrastructure footprint and maintenance cost.

On 21 March 1873, a signalman at Thorpe St Andrew on the Great Eastern Railway in England set the road for an express train to proceed on the Norwich–London main line. He had forgotten — or not been told — that a mail train was already on the same track, travelling toward him in the opposite direction. The two trains collided head-on at speed. Twenty-five people died.

The Thorpe Collision was one of a series of catastrophic 19th-century railway accidents caused by human error in signal box operation. It accelerated the adoption of interlocking — a technology that had existed in prototype form since the 1850s but had not yet been widely mandated. The principle of interlocking is simple: make it mechanically or electronically impossible for a signaller to create a dangerous conflicting route, rather than relying on them not to. In the 150 years since Thorpe, interlocking technology has evolved from mechanical steel levers to SIL 4 software, but the underlying safety philosophy has not changed at all.

What Is Interlocking?

Interlocking is the arrangement of signals, points (switches), and detection equipment such that a “clear” (proceed) signal can only be displayed to a train when the route ahead has been proven safe. “Proven safe” means three conditions are simultaneously verified:

Route set: All points (switches) in the route have been moved to the correct position and are locked there — they cannot be moved while the route is set.
Route clear: All track sections within the route are proven unoccupied, as confirmed by track circuits or axle counters.
Route locked against conflict: No conflicting route has been set or can be set — any other signal that would authorise a train into the same section is locked at danger.

Only when all three conditions are met simultaneously will the interlocking permit the signal to clear. If any condition fails — a point that has not completed its stroke, a track section that shows occupied, a conflicting signal that has been cleared — the interlocking locks the signal at danger regardless of the signaller’s request.

The Three Generations of Interlocking Technology

1. Mechanical Interlocking (1850s–1950s)

The mechanical interlocking lever frame — developed by John Saxby and John Farmer in England in the 1850s — implements safety logic through physical steel mechanisms. Each signal and each set of points is controlled by a separate lever in the signal box. The critical innovation is the tappet bar and locking bed: a horizontal steel plate (the locking bed) beneath the levers carries a row of tappet bars, one per lever. The tappet bars are shaped to physically interlock with each other — if lever A is pulled, its tappet bar physically blocks the movement of lever B’s tappet bar, preventing lever B from being operated.

The locking bed is designed so that dangerous combinations of lever positions are physically impossible — not just prohibited by rules, but mechanically blocked by steel. A signaller cannot pull the wrong lever because it will not move. The entire safety logic of the junction is encoded in the shape and arrangement of steel bars — no electronics, no software, no power supply required. The system fails safe because unpulled levers default to the normal (danger for signals, normal position for points) state under gravity or spring return.

Mechanical interlocking boxes required a separate signal box at each junction or station, staffed by a signaller who operated the levers. Large junctions might have lever frames of 100 or more levers. The mechanical resistance of pulling many levers and wires over long distances limited the geographic scope of each box.

2. Relay Interlocking (1920s–1980s)

Route Relay Interlocking (RRI) replaces the mechanical tappet bed with networks of electromechanical relays — electromagnetic switching devices where a coil, when energised, moves a contact that connects or disconnects an electrical circuit. The safety logic is implemented in relay wiring: specific relay contact combinations must all be made before the route-clear relay energises and allows the signal to clear.

Relay interlocking enabled several significant operational improvements over mechanical systems:

NX (eNtrance-eXit) operation: Signallers set routes by pressing an entry button and an exit button on a geographic panel — the interlocking automatically selects and sets the correct intermediate points and verifies track clearance. This replaced individual lever operation, dramatically reducing cognitive load and enabling one signaller to manage larger areas.
Remote operation: Electrical signals could be transmitted over much longer distances than mechanical rods and wires, allowing a single interlocking room to control points and signals over tens of kilometres.
Integration with track circuits: Relay circuits directly incorporated track circuit relay contacts, automatically conditioning signal clearing on proven track clearance without the signaller needing to manually verify occupation.

The disadvantage of relay interlocking is scale and maintenance: a large interlocking serving a major junction or station area may contain thousands of relays, occupying entire rooms of relay cabinets. Each relay requires periodic inspection and testing. Relay contact resistance must be checked; contacts can wear, stick, or corrode. A relay failure that produces a false “closed” contact — making the circuit think a condition is met when it is not — is a potential safety-critical failure mode. Relay interlockings are designed with detection relays (which verify the actual state rather than assuming it) to guard against this.

3. Computer-Based Interlocking / Solid State Interlocking (1980s–Present)

Computer-Based Interlocking (CBI) — also called Solid State Interlocking (SSI), Electronic Interlocking (EI), or Vital Computer Interlocking (VCI) depending on the supplier and era — replaces the physical relay logic with software algorithms running on safety-certified microprocessors. The safety logic that was embodied in the shape of steel tappets, and then in the wiring of relay circuits, is now encoded as a set of route tables and locking conditions in software.

The transition from relay to computer interlocking was not straightforward. Railway safety engineering in the 1970s and 1980s was deeply sceptical of software-based safety systems — software failures are less predictable than mechanical or relay failures, and the safety culture of the industry had been built on the demonstrable, auditable, physically verifiable logic of relay circuits. The development of formal software safety standards — particularly IEC 62279 (railway software safety) and IEC 61508 (functional safety of electronic systems) — provided the framework for certifying software-based interlockings to the same safety integrity level as relay systems.

Safety Integrity Level (SIL): How Safe Is Safe Enough?

SIL Level	Probability of Dangerous Failure on Demand	Railway Application
SIL 1	10⁻² to 10⁻¹ (1 in 10 to 1 in 100)	Non-safety-critical control systems
SIL 2	10⁻³ to 10⁻² (1 in 1,000 to 1 in 10,000)	Some ATP systems; platform screen door control
SIL 3	10⁻⁴ to 10⁻³ (1 in 10,000 to 1 in 100,000)	ATP/ATC on-board safety functions; some interlockings
SIL 4	10⁻⁵ to 10⁻⁴ (1 in 100,000 to 1 in 1,000,000)	Railway interlocking — the highest required level

Achieving SIL 4 certification for a CBI system requires a combination of hardware redundancy (typically dual or triple-redundant processor architectures that compare outputs and detect disagreements), rigorous software development processes (formal methods, extensive testing, independent verification), and operational evidence from deployed systems. The dominant CBI suppliers — Thales (NI (formerly GEC-Alstom)), Siemens (Sinet, Trackguard), Alstom (Smartlock), Hitachi, and Ansaldo STS (now Hitachi Rail) — all offer SIL 4-certified products.

Full Comparison: Mechanical vs Relay vs CBI

Parameter	Mechanical	Relay (RRI)	Computer-Based (CBI)
Logic medium	Steel tappet bars and levers	Electromechanical relay circuits	Safety-certified software on redundant processors
Physical footprint	Large lever frame in signal box	Multiple relay rooms (often 100s of sq metres)	Small equipment rack (1–2 sq metres per system)
Geographic range	Limited by mechanical rod/wire resistance (~1–2 km)	Tens of km (electrical)	Unlimited (fibre optic network)
Modification process	Physical fabrication of new tappet arrangement	Rewiring of relay circuits — weeks of work	Software route table update — days (with full re-testing)
Maintenance burden	Very high — lubrication, adjustment, rod tension	High — relay testing, contact inspection, cable maintenance	Low — hardware replacement; no mechanical adjustment
Safety certification	Proven-in-use; no formal SIL rating	Equivalent to SIL 4 (by design and proven-in-use)	Formally certified SIL 4 (IEC 62279 / IEC 61508)
Failure mode transparency	Excellent — physically visible and verifiable	Good — relay states measurable; fault tracing complex	Software diagnostics; requires specialist tools to interpret
New installations (2026)	None — legacy only	Rare — some legacy preservation	100% of new signalling schemes

Route Setting: How a Signaller Sets a Train’s Path

In a modern CBI-controlled area, the signaller (or in an ETCS/CBTC environment, the automated train management system) sets routes using one of two methods:

NX (entrance-exit) panel operation: The signaller presses an entrance button (at the signal protecting the start of the route) and an exit button (at the end of the route). The CBI automatically calculates the required route, verifies all conditions, sets all necessary points, and clears the signal — or, if any condition is not met, announces the conflict and leaves the signal at danger. The signaller does not need to know which individual points need to move; the route table in the CBI encodes this automatically.

Automatic route setting: In ATO/CBTC environments, the train management system requests routes automatically from the CBI based on the train’s programmed timetable. The CBI grants or rejects route requests without signaller intervention, with the signaller monitoring but not initiating routine moves.

Interlocking and ETCS: The Modern Integration

In ETCS Level 2 and Level 3 deployments, the CBI continues to perform its core function — locking routes, verifying track clearance, enforcing point positions — but the movement authority communication channel changes. Rather than displaying the authority on a lineside signal that the driver reads visually, the CBI generates a movement authority that is transmitted by radio (via the RBC — Radio Block Centre) to the train’s ETCS onboard equipment and displayed in the cab. The CBI logic is unchanged; only the interface between the interlocking and the driver changes.

The Radio Block Centre (RBC) is the ETCS-specific component that interfaces between the CBI and the ETCS radio network. It receives route and track occupation information from the CBI and translates it into movement authorities transmitted to individual trains. In an ETCS Level 2 area, lineside signals may be retained as a backup or removed entirely — the interlocking itself operates identically in either case.

The Legacy Interlocking Problem

One of the most significant challenges facing European and North American rail infrastructure managers is the replacement of ageing relay interlocking systems. Relay interlockings installed in the 1960s–1980s are reaching the end of their designed lifespans — components are no longer manufactured, specialist maintenance engineers are retiring, and spare parts are increasingly difficult to source. Replacing a relay interlocking with a modern CBI requires a complete signalling scheme redesign, extensive testing, and a carefully managed commissioning weekend (when the old system is disconnected and the new one activated) — a major operational and engineering undertaking.

Network Rail’s Control Period 7 (2024–2029) includes funding for replacing numerous relay interlocking installations as part of its Signalling Renewals programme. The consolidation of control to fewer, larger, technology-based signalling centres — each managing longer route lengths with CBI systems — is a central element of the strategic direction across most major European network managers.

Editor’s Analysis

Interlocking is the most fundamental safety system in railway operations — more fundamental than ATP, more fundamental than track circuits, more fundamental than any other technology discussed in railway signalling. ATP can fail and a driver can still stop at a red signal. Track circuits can give a false clear and the driver can still observe line-of-sight. But an interlocking failure that clears a signal into a conflicting route has no secondary defence — the only protection is the interlocking itself. This is why the transition from relay to computer interlocking was the most contentious safety certification challenge the railway industry faced in the 20th century, and why SIL 4 certification requires such rigorous evidence. The current frontier is the cybersecurity of CBI systems. A relay interlocking cannot be remotely hacked — its logic is physically wired. A software-based interlocking, connected to centralised traffic management systems over network infrastructure, is in principle susceptible to cyberattack. Railway network managers and CBI suppliers are investing heavily in network segmentation, cryptographic authentication, and intrusion detection, but the attack surface of a modern signalling system is orders of magnitude larger than its relay predecessor. The safety case for CBI correctly addresses hardware and software failure modes to SIL 4 standard. Whether it adequately addresses deliberate adversarial attack is a question that regulators and infrastructure managers are actively working to answer. — Railway News Editorial

Frequently Asked Questions

Q: What is the difference between interlocking and signalling?: Signalling refers to the visual indications displayed to train drivers — the lineside signal lights (red, yellow, green) or cab display that tell a driver whether and at what speed to proceed. Interlocking is the underlying safety logic that decides what those signals should display. A signal is the visible output; the interlocking is the hidden “brain” that controls it. A signal on its own is just a light. Without interlocking enforcing the conditions under which that light may show green, it provides no safety guarantee — a signaller could display green into a conflicting movement. Interlocking makes it physically or electronically impossible to display a proceed indication unless the route is proven safe, regardless of what the signaller does.
Q: What is a “route” in interlocking terms?: A route, in interlocking terminology, is a defined path through a controlled area from one signal to the next — specifying which points must be in which position, which track sections must be clear, and which conflicting signals must be locked at danger. Every possible safe path through a junction or station is pre-defined as a numbered route in the interlocking’s route table. When a signaller (or an automated system) requests a route, the interlocking looks up all the conditions for that route number, verifies them, and either grants the route (setting points and clearing the signal) or refuses it (leaving the signal at danger and reporting the blocking condition). A large junction may have hundreds of defined routes; a simple crossover may have only four.
Q: Can interlocking prevent all possible accidents?: Interlocking prevents conflicting route accidents — two trains being authorised into the same section simultaneously — which was historically the most common cause of collision at junctions. It does not prevent all accident types. It cannot protect against a driver passing a signal at danger (SPAD) — the train enters the cleared section of an adjacent route before the interlocking has time to respond. It cannot prevent derailments caused by track defects or excessive speed. It does not directly protect against signals passed at danger by ATO systems in automated operation. ATP systems address the SPAD risk by automatically enforcing braking before a red signal. The combination of interlocking (preventing conflicting route setting) and ATP (preventing trains from passing red signals) together addresses the two primary categories of collision risk at junctions and block sections.
Q: How long does it take to replace a relay interlocking with a CBI?: Replacing a relay interlocking with a CBI is a multi-year project. The engineering phase — redesigning the signalling scheme, producing the CBI route tables, testing the software, wiring the field equipment — typically takes 2–4 years depending on the size and complexity of the controlled area. The commissioning itself — the actual weekend when the old system is switched off and the new one activated — requires an extended possession (typically 52–65 hours for a medium-sized scheme), exhaustive testing, and contingency plans if problems arise. Post-commissioning, a period of intensive monitoring and snagging typically extends 3–6 months. For the largest resignalling schemes (major terminus stations, complex multi-junction areas), the entire project from contract award to final acceptance can take 5–8 years and cost hundreds of millions of pounds.
Q: What is a PICOP and how does it relate to interlocking?: A PICOP (Permission to Isolate, Connect, Operate and Possess) is the formal process by which maintenance staff request and receive safe access to track for engineering work, in coordination with the interlocking. When maintenance staff need access to a track section, they request a possession — the interlocking is instructed to lock all signals protecting that section at danger and to refuse any route-setting requests that would authorise a train into the section. The interlocking physically enforces the possession boundary by locking the relevant signals and preventing them from being cleared, ensuring that even if a signaller mistakenly attempts to route a train into the possession, the interlocking prevents it. The PICOP process is integrated with modern CBI systems through direct electronic interfaces with the possession management system, replacing the manual reminder appliances (physical locks on lever handles) used on mechanical and relay systems.