SAAKSHA Rail · AI Container Terminal Management System for Indian rail freight
The multi-tenant AI CTMS for Indian inland ports, dedicated freight corridors and PSU rail-yards. It reads every container ISO 6346 code, every IR 11-digit wagon number, every plate, AAR/UMLER rail mark and hazmat placard — at the gate and at line-rate up to 100 km/h on the corridor — reconciles each against the TMS manifest, and seals every event into a tamper-evident Bharatiya Sakshya Adhiniyam §63-aligned audit chain engineered to satisfy the §63 certificate requirements (hash, algorithm, device particulars, chain of custody, operator). India-built, India-hosted, GFR Rule 161(iv) eligible — the wedge below the Global-Tender-Enquiry floor where foreign-headquartered OEMs without a qualifying Indian-manufactured offering cannot bid via GTE.
Reference implementation, pilot-ready: the audit chain, OCR modules, per-PSU isolation and federation gate are in code and exercised by the CI test suite; production OCR models, live PSU connectors, CERT-In empanelment (in progress) and STQC certification (in progress) land at the anchor pilot. Admissibility in any proceeding is determined by the court.
01 — Who it's for
Every CONCOR ICD-level tender, every DFCCIL portal procurement, every CRIS MVIS framework site and most RailTel SOWs sit below the Global-Tender-Enquiry floor. Foreign-headquartered OEMs without a qualifying Indian-manufactured offering cannot bid via Global Tender Enquiry at these ticket sizes — the field at the entry point is effectively Indian-only, and a BSA §63-aligned audit chain is the differentiator. That is the SAAKSHA Rail market.
— Persona · 01 · CONCOR ICD
Runs ~14 gate clerks across 3 shifts, 4 lanes, 32 rake-stabling positions, 2,200 truck movements + 22 rakes a day. Wants gate dwell cut and the demurrage-dispute pool shrunk — with an evidence pack Vigilance can use without going to legal. (Demurrage figures used on this page are illustrative, modeled on public CONCOR data; we build a site-specific ROI model in the sales conversation.)
— Persona · 02 · DFCCIL corridor
Oversees ~32 MVIS-ready EDFC portals, 6 deployed across 3 vendors with no common audit chain. Wants every rake identified at line-rate, reconciled against OASIS, with an evidence-grade artefact per event the annual audit demanded.
— Persona · 03 · CRIS framework
Owns an MVIS framework rate-card for ~60 sites over 24 months. Wants a software-platform stack — targeting CERT-In + STQC + ISO 27001 — that integrates natively into FOIS, not a hardware snowflake per site at 1 site per 8–10 weeks.
— Persona · 04 · Private depot / Vigilance
Runs ~14 inland depots, a different gate-CV vendor at each, no unified audit chain. Wants <3 min gate dwell, data-lake integration, and a documented chain-of-custody ahead of CBIC / DGFT audit asks.
02 — How it works
A SAAKSHA Rail appliance runs at each gate lane or scanning portal. It aggregates every per-camera read into one multi-modal event, reconciles it against the CONCOR TMS / DFCCIL OASIS manifest, runs every code past the hotlist, and anchors the result into the per-PSU audit chain. The event is sealed at emission — any later correction is a separate, signed record, never a mutation of the evidence.
For any gate lane or corridor portal
6–8 IP66 ONVIF cameras per lane (front, rear, side, top-down, hazmat, plate) feed the edge appliance. The corridor portal adds stereo corner pairs and a tilted overhead cam for double-stack roofs. IR illumination handles 24/7 railyard night operation.
For the IR 11-digit wagon font
PlateKit 3.0 reads container ISO 6346, plate, AAR/UMLER rail mark, hazmat placard and VIN. A new IR 11-digit wagon-number OCR module reads the proprietary Indian-Railways rolling-stock font that AAR/UMLER does not cover, at up to 100 km/h.
For one event per rake, per truck
The RakeEvent aggregator waits for the full rake to clear the portal, then fires one event with an ordered list of WagonRead entries. The GateLaneEvent aggregator fires one event per truck at lane exit. One arrival, one record — not one per camera.
For demurrage-defensible reconciliation
Physical codes are matched against the TMS booking: MATCH, PARTIAL, MISMATCH or NO_MANIFEST. A mismatch above the configurable per-PSU value threshold fires a dispute trigger rather than silently passing.
For hotlist & hazmat exception holds
Every code is checked against CBIC, DGFT, RPF and per-PSU hotlists; every placard is cross-checked against TMS-declared dangerous goods. A hit or hazmat mismatch opens a two-operator approval workflow before any enforcement action — both operators affirm, or the action is cancelled.
For Vigilance, Customs & the court
Every event is hash-linked and Ed25519-signed into the per-PSU audit chain. On demand, any event or time-window exports a BSA §63 evidence bundle — signed PDF certificate, signed JSON manifest, crops and video segments — in under 90 seconds.
03 — Signature capabilities
Each capability below is a working module in the repository, built to the one-adapter pattern — Protocol + deterministic StubAdapter + ProductionAdapter slot + SQLite (WAL + RLock) storage + REST + audit-chain hand-off. The stub adapters are deterministic; production OCR models and live PSU connectors plug into the ProductionAdapter slots at the anchor pilot. Each claim is backed by a working module and pipeline/integration tests (which exercise the code paths — not a measure of model OCR accuracy or recognition rate).
vs mutable DVR logs & unsigned paper records
The bundle is a tamper-evident, BSA §63-aligned evidence pack engineered to satisfy the §63(4) certificate requirements by construction. The bundle PDF maps Section A to §63(4)(a) (record identification), Section B to §63(4)(b) (device particulars — appliance + tenant key fingerprints, NTP drift, calibration version), and Section C to §63(4)(c) affirmations — signed by the per-PSU Ed25519 key and counter-signed by the issuing operator. Each issuance is itself meta-audited. Admissibility in any proceeding is determined by the court.
vs AAR/UMLER-only readers (Camco, ABB, Carmen)
Indian Railways uses a proprietary 11-digit font on rolling stock that AAR/UMLER readers do not cover. Our module reads it across 12 wagon types (BOXNHL, BOST, BCNHL, BTPN, …) with a super-resolution second pass when first-pass confidence drops below 0.85, and falls back to the PlateKit AAR/UMLER reader for foreign-interchange stock.
vs placard OCR with no manifest cross-check
Every placard is parsed for UN number, hazard class (1–9) and packing group per IMDG / IS 14930, then cross-checked against the TMS-declared dangerous-goods cargo. A mismatch — placard says Class 3 flammable, TMS says benign — fires a HazmatMismatchEvent into the two-operator workflow, evidence-grade for prosecution under the Hazardous Chemicals rules.
vs free-text reason codes that make audits worthless
Sources are CBIC, DGFT, RPF and per-PSU custom lists. Reasons are a closed enum (cbic_directive, dgft_denied_entity, rpf_watchlist, court_order, hazmat_prohibition, …) — never free text. Every check, hit or no-hit, records the SHA-256 hash of the hotlist version in effect, so a later dispute can verify exactly what list state matched.
vs shared-schema deployments with cross-tenant query paths
Each PSU tenant lives in its own store with its own Ed25519 root key; per-appliance keys chain to the PSU root, which anchors monthly to a public transparency log. The store factory asserts distinct paths per tenant and raises on any isolation breach — CONCOR data and DFCCIL data never share a query surface.
vs covert cross-operator hotlist exchange
Cross-tenant hotlist or event lookup requires all three gates: a granting consent, a valid warrant (artefact ref and its SHA-256 hash — the artefact alone is not enough), and at least two distinct operators on each side. The gateway refuses construction if any gate is missing, and revocation is a single call. Enforced at the storage layer, not as a UI flag.
Target SLAs (design goals / contractual thresholds at GA, validated against our internal Indian rail test set at the anchor pilot — not yet independently measured): ≥97% container ISO 6346 OCR at ≤25 km/h · ≥95% IR wagon-number OCR at ≤100 km/h · ≥98% Indian plate (HSRP + BS-VI) · ≥96% hazmat placard at gate-speed · ≥95% AAR/UMLER + IR rail mark · lane availability ≥99.95% · 14-day offline operation per appliance · Hindi + English at GA, five more languages at GA+6.
04 — The reconciliation record
A RakeEvent is a single sealed record: an ordered list of WagonRead entries, the containers on each wagon (multi-container for double-stack), hazmat placards, rail marks, the manifest match status, and the audit-chain entry that signs it. The CLI generates the BSA §63 bundle straight from the event ID; the cloud control plane exposes the same surface over REST. (The tenant IDs and codes below are illustrative sample values.)
# One RakeEvent emitted as a 58-wagon BOXNHL rake clears an EDFC portal # at 92 km/h. Sealed at emission; corrections are separate signed records. { "event_id": "a1f3…-rake", "tenant_id": "concor", # per-PSU schema isolation "site_type": "freight_corridor_portal", "direction": "in", "rake_speed_kmh": 92.0, "wagon_reads": [ {"pos": 1, "wagon_number_ir": "31201234567", # 11-digit IR font "wagon_type_code": "BOXNHL", "confidence": 0.974, "container_codes": ["MSCU1234565"], # ISO 6346, check-digit valid "rail_mark_aar_umler": "IR 21201"}, {"pos": 2, "wagon_number_ir": "31201234568", "wagon_type_code": "BOXNHL", "confidence": 0.961, "container_codes": ["TGHU7654321", "FCIU5555550"]} # double-stack # … 56 more wagons … ], "hazmat_reads": [ {"un_number": 1203, "hazard_class": 3, # Class 3 flammable "packing_group": "II", "placard_position": "side"} ], "manifest_match_status": "match", # reconciled vs OASIS booking "audit_entry_id": "7c0e…" # Ed25519 chain-linked, BSA §63 }
→ CLI: saaksha-rail init (per-appliance Ed25519 keypair) → saaksha-rail enroll <psu-id> →
saaksha-rail verify-chain (chain integrity) → saaksha-rail bsa-cert <event-id> (evidence bundle) →
saaksha-rail customs-cert <container-code> (DGFT / ICEGATE export cert). Cloud REST: POST /ingest validates
the appliance Ed25519 signature before any event lands.
05 — System integrations
Every integration is a Protocol + StubAdapter + ProductionAdapter triple, so the platform is testable and demonstrable today against deterministic stub adapters, then plugs into production behind the same interface once a PSU connector is provisioned at the pilot. These are target integrations; none is a signed partnership yet. FOIS integration is a P0 requirement — the national rail-freight master system handles ~2.4 million wagon-events a day.
Legacy SOAP + EDI 322 booking lookup feeds the gate-lane manifest match, so a physical-vs-TMS mismatch is caught and disputed at the gate instead of surfacing six to fourteen days later.
REST + Kafka into the DFCCIL operations system; the RakeEvent reconciles its ordered WagonRead list against the OASIS booking and pushes the result back as one record per rake.
WagonRouting against the CRIS-published Phoenix adapter spec, so SAAKSHA Rail events land in the Freight Operations Information System the same way the existing MVIS portals do — but with an audit-chained provenance the legacy hardware never had.
For export-bound containers, the customs-cert PDF is generated on gate-exit in ICEGATE Bill-of-Entry format, signed and BSA-grade, then pushed to ICEGATE where direct integration is enabled — or made available for operator upload.
06 — Compliance & standards
SAAKSHA Rail sits on the intersection of two Indian regulations no foreign incumbent can occupy at the entry-point tenders: BSA §63 evidence admissibility, and GFR Rule 161(iv)'s ban on Global Tender Enquiries below the prescribed threshold. The audit chain, key custody and data-residency posture are designed to clear CONCOR / DFCCIL Vigilance review on the first pass.
In force 1 July 2024, replacing IT Act §65B. Every electronic record offered as evidence needs a certificate citing the hash, algorithm, device particulars and chain of custody. The SAAKSHA Rail bundle satisfies §63(4)(a), (b) and (c) by construction — and ships a dual cert that also satisfies legacy IT Act §65B during the transition window.
No Global Tender Enquiry below the prescribed threshold. Every Tier-1 ICD tender, DFCCIL portal and CRIS MVIS site is sub-threshold. As an Indian-engineered, Indian-assembled platform on India-hosted infrastructure, SAAKSHA Rail is eligible to bid where foreign-headquartered OEMs without a qualifying Indian-manufactured offering cannot reach the tender via Global Tender Enquiry.
Lane-side identifier data is PII. The audit chain, the warrant gate and the two-operator pattern are the DPDP-aligned design. Cross-PSU access runs through the consent + warrant + two-operator federation gate; law-enforcement seizure runs through the CrPC 91/92 warrant gate. No driver-face recognition at the lane — an explicit RPF / CONCOR Vigilance ask, deferred by policy.
The control plane is designed to run in CERT-In-empanelled Indian data centres (Yotta, Sify, NIC targeted for ultra-sensitive PSU deployments). Per-PSU Ed25519 root keys; key custody includes a rotation-attestation check. CERT-In empanelment and STQC certification are on the regulatory track, targeted (in progress) as the revenue-blocking M1 milestone — not yet obtained, and not capability gaps in the code.
ISO 6346 (container code) · AAR/UMLER (rail mark) · IR 11-digit wagon number · IMDG / IS 14930 (hazmat) · HSRP + BS-VI (Indian plate) · CBIC ICEGATE Bill-of-Entry · DGFT Foreign Trade Policy 2023 · BSA §63 + IT Act §65B dual cert · GFR Rule 161(iv) · DPDP Act 2023 · NDAA Section 889 (via the HARDWARE-NON-CHINA BOM track).
07 — Multi-role web console
The operator console is server-rendered FastAPI + HTMX — no SPA build, runs anywhere Python runs. Permissions are a closed Permission enum gated by OperatorRole, so a lane operator cannot issue a BSA cert and an auditor cannot rotate keys. Each high-stakes view routes through the two-operator workflow before any action commits.
Low-confidence reads and manifest mismatches surface in a queue with crop, suggested correction, and one-click accept / correct / reject. Corrections are logged as separate signed OperatorCorrection records — the original detection is preserved as evidence.
The supervisor view drives hotlist-hit, hazmat-mismatch and high-value-manifest-mismatch approvals — both operators affirm within the window or the action cancels — alongside live gate-lane and rake throughput tiles.
The customs desk reviews export-bound containers and issues the ICEGATE-format customs cert per container — signed, BSA-grade, ready to attach to the Bill of Entry filing or auto-pushed to ICEGATE.
The read-only auditor verifies any audit entry on demand — the console re-runs verify_chain and reports the signature and hash-link status — and exports the BSA §63 evidence bundle for Vigilance or court proceedings.
Companion iOS + Android app for in-yard supervisors on foot, gate-manager mobile alerts, and the Vigilance officer's field-investigation tool. The calibration tool (live multi-camera view, drag-to-set ROI, lens-distortion correction) commissions a lane or portal inside a 4-hour install window — and the calibration version is itself logged in the chain, so an evidence bundle can cite the calibration in effect at event time.
08 — Deployment model
The commercial model is structured the way PSU procurement prefers post-EDFC-ramp-up: IcyCastle carries the appliance hardware and recovers it over the contract term. The ROI case is the demurrage-dispute pool itself — an illustrative 60% reduction at a Tier-1 ICD models out to a multi-crore annual saving; we build a site-specific ROI model in the sales conversation. Engagement routes by channel below.
We scope every deployment with a site-specific ROI model — contact us to start the conversation for your ICD, corridor portal or depot.
Request early access →Appliance: fanless IP66, -10°C to +55°C, 25 kV OHE-EMI-hardened. Compute — Hailo-10H (40 TOPS, 5 W) for gate lanes; Jetson AGX Orin (275 TOPS) for portal-class multi-stream. 14-day offline NVMe cache, dual-SIM LTE failover, 4-hour UPS, tamper-detection switches. A managed-service tier via a telecom channel partner (e.g. RailTel) is a planned route to market, not a signed arrangement.
09 — Start
The BSA §63 audit chain, the IR wagon-number OCR, the per-PSU isolation and the three-gate federation are all in code, with a green CI test suite. The remaining milestones are commercial and regulatory — CERT-In and STQC (in progress), and the anchor pilot. Request early access and we will walk you through the codebase and a live evidence-bundle generation.