In the coming years, the digitalisation of the rail industry will be the dominant task for train and track operators as well as for the OEMs and automation vendors that supply them. The aim is to make rail transport safer, more efficient and customer-friendly.
The buzzword for this is smart railways: increasingly intelligent trains and infrastructures allow closer, more precise monitoring and hence tighter train scheduling. This improves track utilisation while at the same time increasing the reliability of timetables. In smart railway systems, rigid maintenance cycles can also be exchanged for a more efficient, on-demand service. This not only saves costs but also increases reliability because the need for maintenance is detected before a failure occurs.
In passenger transport, electronic ticketing helps to improve passenger satisfaction. With more differentiated data on passenger numbers, utilisation can be predicted more accurately and capacity planned in real time based on this big data. In freight transport, smart railway systems can, for example, offer Web-based timetables for individual wagon locations. This makes trains a real alternative to road transport, as customers can now plan and track smaller batches more accurately.
Big demand
The digital transformation of the rail transport market leads to immense investments: in the next 10 years, the market for rail transport technology is expected to grow at more than 22% CAGR (compound annual growth rate) worldwide.
If you look at Europe, one of the specific projects planned is to equip all of Italy’s more than 4000 unguarded level crossings with safety systems to minimise the risk of accidents. In Sweden, the signal box logic is due to be replaced in almost all systems because they still work with vulnerable relays that are expensive to maintain. And in Germany, freight transport is to be integrated into the European Train Control System (ETCS). In addition, German railway company Deutsche Bahn is planning to switch more of its regional transport over to autonomous passenger trains.
New technologies on the rise
Smart railways need new smart technologies. Smart systems along the tracks and onboard the trains must integrate many new features and be able to handle loads of big data, for instance to analyse readings delivered by smart sensors on wheel speed, acceleration, vibration and temperature in real time.
Exact location tracking also requires information from global satellite navigation systems such as GPS, GLONASS or Galileo. Semi- or even fully-autonomous operation requires significantly more accurate automatic train control, both wayside and on the trains themselves. In addition, radar or ultrasonic and vision-based systems need to be integrated.
Almost the entire safety-critical railway electronics, both with regards to tracks and trains, will be put to the test and often become obsolete, as it doesn’t allow the integration of new smart railway functions.
Railway standards are a must
What’s needed is a new generation of safety-critical management and control systems. Just like the previously installed systems, they must be highly robust to be able to operate reliably for years in the harsh conditions typical for the railway sector.
How to design such systems is specified, for example, by the EN 50155 standard. It stipulates the required resistance to extreme temperatures, rapid temperature changes, vibration, shock and electromagnetic interference. But that alone is not enough.
So are SIL standards
Systems where an error or failure may pose a risk to human life or the environment, or cause large financial losses, must meet high functional safety requirements. As a result, smart railway technology often needs to meet the extensive international safety requirements of EN 50128/IEC 62279 for software, and EN 50129/IEC 62425 for hardware. And providing proof of compliance with these requirements is neither an easy nor a quick task.
Certification documentation – a killer job
In a new design, getting the required documentation into place to demonstrate compliance with the safety standards can double or even triple project costs as well as the length of the project. Relevant specifications for functional safety in the railway market include the RAMS (Reliability, Availability, Manageability, Safety) criteria of EN 50126/EN 50128 for software and EN 50129 for hardware. They all require new documentation effort, which solution providers prefer to keep to a minimum.
Pre-certified hardware reduces documentation effort
The strategic lever for a significant reduction of the documentation effort is the use of pre-certified hardware as it is largely based on standardised technology. So, assuming there was a solution provider with specific knowhow of 501xx compliance requirements, it would be possible to delegate this part of the documentation to this supplier.
Two advantages would ensue: Firstly, it would save the costs of in-house documentation. Secondly, it would save valuable time, which in the competitive race for the most innovative solutions is one of the most crucial factors. Whoever is first-to-market, has the greatest market opportunities, enjoys market exclusivity and is in a position to define key standards. But what should such pre-certified hardware for the various tasks look like?
UIC recommendations for hardware implementation
In its ‘Global Vision for Railway Development Report’, the UIC makes three clear recommendations:
1. Instead of the often closed existing systems, new configurations should be built as modular designs. This makes it easier to adjust systems for different applications and promotes the efficient re-use of already existing designs. For instance, modular systems can be deployed in different configurations both in train management systems as well as in wayside installations that control switches or signals. Modular systems also allow faster, more cost effective maintenance as individual modules can be replaced directly in the field. Last but by no means least, they are future-proof because expansions are easy to implement by adding extra modules or swapping in more powerful ones.
2. In addition, the systems should be based on open standards. This is to ensure that the total system design has a long life cycle and that it will not become obsolete if a vendor drops out. This also boosts cost efficiency because when components can be purchased from different manufacturers, this often brings cost advantages.
3. So-called white-box designs are further recommended. Unlike the currently prevailing proprietary black-box designs, where the hardware and software components are inseparable and there is no option to make adjustments, they aim to provide a transparent system structure. This allows flexible system adaptations for different tasks, interface standards and communication protocols and guarantees their interoperability. This is an important prerequisite for achieving cross-border security and communication in rail transport in the medium to long term.
Modular COTS platforms based on the CompactPCI standard by the PCI Industrial Manufacturing Group (PICMG), which has been maintained since 1997 and is specially developed for extremely robust, modular designs with passive backplanes, fulfil these requirements in general. However, they only describe the basic technology and do not, per se, include the certification and documentation necessary for EN 50155 and EN 50126, EN 50128 and EN 50129. For solution providers to gain the maximum benefit from the use of such modular COTS platforms, it is therefore imperative to extend this standard to railway technology.
The menTCS platform
MEN Mikro Elektronik is the first company worldwide to have recognised this need and has expanded its comprehensive EN 50155 compliant CompactPCI product portfolio with a system that is specially designed for safety-critical railway applications and pre-certified for EN 50126,
EN 50128 and EN 50129.
The new menTCS MEN Train Control System with SIL 4 pre-certified components (Figure 1) shortens the certification process for solution providers. Thanks to its modular design, it can be adapted for all types of different applications. For example, in rolling stock the menTCS is an ideal solution for automatic train operation (ATO), automatic train protection (ATP) or positive train control (PTC) and enhanced train control (ETC). In wayside applications, it can be used to control signals and switches up to safety level SIL 4.
System architecture
The heart of menTCS is the MH50C central controller. It houses the central control logic in the form of a CompactPCI-based multi-processor board that is pre-certified for EN 50155 and EN 50126, EN 50128 and EN 50129 and can be customised with up to six extension cards depending on the requirements of the application – see Figure 2.
In addition, up to 63 modular menTCS I/O boxes are available to connect remote I/Os to the central menTCS controller. This makes sense for installations in high-speed trains where each passenger car needs its own I/O box to connect the sensors and actuators.
The modular expansion concept is also proven for wayside installations such as signalling systems, where the modular menTCS I/O boxes can be used to control certain sections of track as required. In this case, the menTCS I/O boxes are connected via an Ethernet-based ring topology (Figure 3). This not only simplifies the wiring, but also greatly increases reliability because two redundant communication channels can be used.
The components of the modular family concept, which can be certified separately, can also simplify the development of complete, customised 19-inch systems if this is needed.
Flexible extensions and interfaces
The modular I/O concept of the standardised menTCS architecture gives developers great flexibility and makes it very easy for them to equip the controller and the remote I/O boxes with communication interfaces via CompactPCI-based cards. For connection with a TCN network, MVB interface boards can be used. Additional onboard components and control units can be connected via RS-485, CAN, ProfiNet and other fieldbuses or communicate for IoT connectivity via WLAN, GSM-R, GPS, GLONASS or Galileo, or as standard routers and switches via Ethernet.
Scalable safety
Since all safety-critical menTCS modules are pre-certified to the highest SIL 4 safety level according to EN 50128 and EN 50129, they fulfil all requirements that may arise in safety-critical railway applications – from SIL 2 for ATO systems to SIL 4 for signalling applications. This allows developers to focus exclusively on the software, without regard to the hardware. Depending on the final application, the security level of the hardware can be determined at any time and without engineering effort.
Safe domains reduce the software development effort
The menTCS hardware platform is designed so that the safety-related control software is clearly isolated from the peripheral software that is not relevant for the certification. It achieves this by executing the individual safety-critical control functions in separate safe domains, thereby keeping them apart from the general, non-critical I/O functions (Figure 4). This isolation is done both on the hardware and the software level.
Thanks to this stringent separation the more complex safety-critical programming is confined exclusively to the safe domains, which simplifies the software development and also makes SIL certification easier and faster. Next to the reduced hardware documentation effort, this is the second major lever for significant cost savings compared to in-house developments.
High safety SIL 4 controller boards
At the core of the menTCS MH50C controller sits the SIL 4 certified F75P CompactPCI PlusIO SBC processor board. This single board computer integrates three Intel Atom E680T processors. Two redundant processors perform the safety-critical control functions. They are linked to PCIe via an FPGA, which handles the synchronisation of the application checkpoints to SIL 4 for the required 2oo2 redundancy. The third processor is responsible for overall I/O communication.
Thanks to market-wide, long-term experience with these processors, all hitherto found safety-critical bugs are known and documented. As long as the available board guidelines are adhered to, no systematic errors that may affect the safety behaviour can occur.
Safe domain with QNX Neutrino
For safety-critical applications, the menTCS MH50C controller integrates the QNX Neutrino real-time operating system, which is specifically tailored to the integrated hardware. Compared to proprietary operating systems, this integration alone saves developers and OEMs around two million Euros in project costs and lets them avoid all the risks associated with certification. The board support package for the implementation of QNX Neutrino is SIL 4 pre-certified on the menTCS platform and therefore offers the highest degree of reliability from the outset.
QNX Neutrino uses a microkernel architecture that strictly isolates the software processes from each other, which prevents the performance and behaviour of other processes from being affected. This in turn guarantees that the system remains in a safe state at all times, since even malware can have no influence on the safety-critical processes. In addition, QNX Neutrino supports the separation and flexible adjustment of the CPU bandwidth.
The safety-critical applications can be programmed via C or Ada, as well as on model basis - for example in SCADE or soft PLC programming environments. Developers can often remain in their familiar development environment, which minimises costly re-certifications. Other operating systems, such as Green Hills’ INTEGRITY, PikeOS from Sysgo or Wind River VxWorks, can be implemented upon request.
Framework for unified I/O communication
To simplify I/O handling in the safe domain, MEN Mikro Elektronik has integrated the PACY I/O framework (Figure 5) into the safe domain, which introduces a transparent abstraction layer between the safe domain and the I/O domain. This means that identical functions are always addressed the same way in the same domain, and become independent from the actual execution of the inputs and outputs.
With PACY, it does not matter whether a command addresses a relay or a digital I/O. This makes the integration of menTCS much simpler and more flexible. Train and track systems with different sensors and actuators for the same functions can now be equipped with identical control systems, which not only immensely simplifies retrofits but also the roll-out of new technologies.
PACY is implemented as a flexible framework on a modular basis, which enables flexible expansion with individual, customer-specific modules as well as communication with any C application. In future, developers will also be able to define PACY function blocks that combine multiple tasks in one macro command. This way, frequently used processes, such as the emergency braking function, can simply be activated without the need to re-program them for each case. Communication between the safe control and the safe brake is done within the I/O domain.
I/O domain with Linux
Since the third Intel Atom processor handles the technical I/O connection completely separately from the safe domain (see Figure 6), it is guaranteed that the I/O domain will never influence the safe control logic. MEN Mikro Elektronik uses a pre-integrated and pre-certified Linux OS for this purpose. This gives customers access to a fully developed and proven ecosystem with off-the-shelf tools and drivers that they can use right away. Additional OS are available upon request.
The communication between the safe system and the I/O cards of the menTCS controller and I/O boxes is based on the EtherCAT protocol. EtherCAT is a real-time Ethernet standard with real-time cycles of less than 5 milliseconds that meets all requirements for safe communication with the menTCS components.
EtherCAT requires no switches as it supports the ring topology via redundant communication channels. It utilises the security protocol Fail Safe over EtherCAT (FSoE) to reliably detect altered, duplicated or lost data packets. The entire I/O communication path therefore functions as a Black Channel, which provides the required functional safety during communication.
Conclusion
The application-ready menTCS platform from MEN Mikro Elektronik is well suited for all safety-critical smart railway applications. It offers train and track operators, as well as third-party and automation suppliers, many advantages. Large OEMs, which currently dominate the market of SIL-enabled applications, stand to gain just as much from these innovative platforms as young startups and professional makers, who may have less interest in the technical requirements but want to implement innovative IoT-enabled smart railway solutions.
It is even possible to downsize the menTCS platforms to make them suitable for simpler railway applications such as infotainment or video surveillance of doors and passenger compartments. This way, extremely multifunctional solutions can be implemented with a single technology platform at any time.
| Tel: | +27 21 975 8894 |
| Fax: | +27 21 975 6456 |
| Email: | [email protected] |
| www: | www.ri-tech.co.za |
| Articles: | More information and articles about Rugged Interconnect Technologies |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version