Skip to content

MBTA Train Inspection

Train inspection system for the Massachusetts Bay Transportation Authority (MBTA). Contract through Radix.

What We Built

A serverless application for conducting and tracking train inspections. Inspectors use mobile devices to complete checklists, capture signatures, and submit inspection reports. The system serves both field inspectors (mobile) and back-office staff (web).

Architecture

flowchart TB
    subgraph Users["Users"]
        EndUsers["End Users"]
    end

    subgraph Edge["Edge / CDN"]
        R53["Route 53"]
        CFWeb["CloudFront Web"]
        CFMobile["CloudFront Mobile"]
        APIGW["API Gateway"]
    end

    subgraph Storage["Storage"]
        S3Web["S3 Web"]
        S3Mobile["S3 Mobile"]
        S3Sig["S3 Signatures"]
    end

    subgraph Compute["Compute"]
        Lambda["Lambda"]
        Bastion["Bastion"]
    end

    subgraph Data["Database"]
        Aurora["Aurora MySQL"]
    end

    subgraph Security["Security & Config"]
        Secrets["Secrets Manager"]
        SSM["SSM Parameters"]
        KMS["KMS"]
    end

    subgraph Observability["Observability"]
        CloudWatch["CloudWatch"]
    end

    EndUsers -->|DNS| R53
    R53 --> CFWeb & CFMobile & APIGW
    CFWeb --> S3Web
    CFMobile --> S3Mobile
    APIGW --> Lambda
    Lambda -.-> Aurora
    Lambda -.-> S3Sig
    Lambda -.-> Secrets
    Lambda -.-> SSM
    Lambda -.-> CloudWatch
    Secrets -.-> KMS
    Aurora -.-> KMS
    Bastion -.-> Aurora

    classDef edge fill:#fef3e2,stroke:#f59e0b,color:#92400e
    classDef storage fill:#ecfdf5,stroke:#10b981,color:#065f46
    classDef compute fill:#fff7ed,stroke:#f97316,color:#9a3412
    classDef database fill:#eff6ff,stroke:#3b82f6,color:#1e40af
    classDef security fill:#fef2f2,stroke:#ef4444,color:#991b1b
    classDef observability fill:#f0fdf4,stroke:#84cc16,color:#3f6212

    class R53,CFWeb,CFMobile,APIGW edge
    class S3Web,S3Mobile,S3Sig storage
    class Lambda,Bastion compute
    class Aurora database
    class Secrets,SSM,KMS security
    class CloudWatch observability

Infrastructure Decisions

Serverless Backend

Lambda + API Gateway handles all backend logic. This eliminates server management and scales automatically with inspection volume. Cost scales with usage rather than fixed server costs.

Separate Frontend Distributions

Web and mobile apps have independent CloudFront distributions backed by S3. This allows different caching strategies and deployment cycles for each platform.

Aurora MySQL

Relational database for structured inspection data. Aurora provides automatic failover, backups, and encryption at rest via KMS. Bastion host provides secure access for maintenance.

Signature Storage

Inspection signatures are stored separately in S3. This keeps binary data out of the database and allows direct upload from mobile devices.

Security

  • All secrets in Secrets Manager (database credentials, API keys)
  • Application config in SSM Parameter Store
  • KMS encryption for secrets and database
  • CloudWatch for audit logging