
Safety Architectures for Railways Signalling Applications

Giorgio Mongardi

Presentation Overview

1. Applications
2. Hardware architecture
3. Software structure
4. Application software architecture

1. Railways Signalling Applications: ERTMS system

Italian High Speed Lines

IHSL - ETCS Level 2 - Specification Strategy


UNISIG ERTMS/ETCS SRS

Requirements Trace

RFI HSL SRS Vol. 1

Train Spacing Subsystem SRS Vol. 2

FFFIS RBC-RBC RBC HMI Spec

FFFIS RBC-IXL

RBC 1 Level Functional Spec.

Radio Msg & Tgm Config. Spec Design Criteria of ETCS Schematic Plan

RBC Detailed Sw Design

ERTMS/ETCS Level 2 - Overview

(Diagram of the Level 2 elements: RBC and other RBCs, GSM-R, CBI, OBUs, Eurobalise.)

Italian High Speed Line (IHSL) Main Features

- Lines of new construction
- ERTMS/ETCS Level 2
- No light signals - fixed signals along the line and in the stations
- No other backup signalling systems (the previous idea of ERTMS/ETCS Level 1 was removed during the design phase)
- 300 km/h max speed
- Headway 2.5 min theoretic, 5 min for operation to have

Italian High Speed Lines Current Status

Torino-Novara Line, extension 120 km - IN OPERATION (Torino-Novara, 80 km) from February 2006 (after 3 months of pre-operation)
- 2 RBC
- 14 CBI (10 CBI Torino-Novara, 4 CBI Novara-Milano)
- 900 balises (fixed and switchable)
- about 40 LEU (HSL entrance handling / Hot Box Detection)
- about 180 audio frequency track circuits

Roma-Napoli Line, extension 200 km - IN OPERATION from December 2005 (after 3 months of pre-operation)
- 3 RBC
- 18 CBI
- about 1500 balises (fixed and switchable)
- about 60 LEU (HSL entrance handling / Hot Box Detection)

Milano-Bologna Line, extension 185 km - IN PROGRESS (expected 12/2008)
- 3 RBC
- 19 CBI (single MS CBI)
- about 1500 balises (fixed and switchable)
- about 50 LEU (HSL entrance handling)

IHSL Torino-Novara General Architecture

(Diagram: two RBCs, each with an operator interface (O.I.); CBI control posts (CP), each with its own O.I.; peripheral posts (PP) spaced about 6 km apart along the line, at the locations PT, PM, PJ and PC.)

IHSL Torino-Novara Detailed Architecture

(Diagram, by location and supplier)
- Control Centre: CTC (ANSALDO), RBC (ANSALDO), NSS and BSC (SIRTI), fibre optic WAN (SIRTI)
- Peripheral Place: CBI CP/PP, BTS (SIRTI)
- Cabin: ANSALDO
- Trackside: oleodynamic switch and electromechanical switch (ALSTOM), hot box detector (others), audio-frequency track circuit (ANSALDO), Eurobalise (ANSALDO)

IHSL - Communication Protocols

(Diagram) RBC to OBU: EURORADIO protocol stack over the GSM-R network. RBC to IXL/CBI and RBC to RBC: protocol stack using the safety layer of the EURORADIO protocol stack (called EURORADIO+) over the fibre optic WAN.

Radio Block Centre (RBC) Architecture

(Diagram) Vital Section: TMR (2oo3); redundant communication interface towards the IHSL IXLs, the OBUs over GSM-R and the other RBCs over the WAN; ART1 and ART2; Graphic Display & Functional Keyboard (vital); Functional Keyboard (not vital) & D&M Interface.

ERTMS/ETCS Level 2 products: Radio Block Centre (1/3)

(Diagram) Vital Section TMR (2oo3) & Communication Interface; ART1, ART2; links to the OBUs over GSM-R, to other RBCs over the WAN and to the IXLs; Graphic Display & Functional Keyboard (vital); Functional Keyboard (not vital) & D&M Interface.

ERTMS/ETCS Level 2 products: Radio Block Centre (2/3)

- 2 out of 3 technology
- Interface with trackside subsystems (IXLs, other RBCs): 2 port E1 (G.703 / G.704 @ 2 Mbit/s, 30 channels at 64 kbit/s); redundant interface and redundant communication (use of normal and redundant transmission channel)
- Interface with onboard subsystems (30 trains or more): 2 port E1 at 2 Mb/s with 30 data channels (B) at 64 kb/s and 1 signalling channel (D) at 64 kb/s (ISDN PRI); redundant interface (use of normal or redundant transmission channel)

ERTMS/ETCS Level 2 products: Radio Block Centre (3/3)

- For each RBC, a single cabinet encloses the Safety Nucleus and the Communication Computers
- For each RBC, a pair of computers in redundant configuration realizes the ART (Alarm Recording & Telecontrol)
- A cabinet dedicated to ART(s) can enclose up to six pairs of computers, so that it can manage up to three RBCs and one shared display (for setting up the system and local diagnosing)
- A single operator terminal can be associated either to a single RBC or to a group of more than one RBC (at present 3)

Standard size Eurobalises (cont.)

Standard size Eurobalise

- FSK transmission, 565.4 kHz
- Train telepowering, 27.095 MHz
- 1023- and 341-bit telegrams
- Weight: 10.5 kg
- Size: 523 (l) x 403 (w) x 40 (h) mm
- Connection cable distance: up to 5 km
- Class A certified
- Tested over 500 km/h (HSL TGV-Est France)

1. Railways Signalling Applications: Line / Station Interlocking Systems

ACC Multistation overview

Line / Station Interlocking Systems

Interlocking models
- Model 1: Single railway stations: central location with integrated Peripheral Posts (PPs)
- Model 2: Central location with PPs arranged along the line
- Model 3: Central location with local integration of PPs and also PPs arranged along the line (in Peripheral Locations, PLs)

ACC of Roma Termini - First Application

UNITED KINGDOM

ACC rack functions

- The network rack has two hubs for the signalling network and one hub for the maintenance network
- CIU with 2 out of 3 logic and a direct link to the vital keyboard
- ART 3 server for on-line diagnostics and maintenance
- ART 1 and 2 servers provide a hot redundant interface to the signalling LAN

Manchester South Signalling Control Centre

Trackside Installations

Associated Components (1/2)

T72 Point Machine and VCC Clamp-lock

Associated Components (2/2)

Fibre optic based JRI, GPLS

SDO Main Signal (Signal House LED option)

ACC - OVERVIEW
ACC Milano Rogoredo Lines:

- Milano-Bologna high speed line
- Milano-Bologna traditional line
- Milano-Genova line
- Rogoredo-Trecca Merci Storica line
- Rogoredo-Trecca Merci Cintura line
- Rogoredo-Porta Romana line
- Linea Passante line

ACC - OVERVIEW
ACC Milano Rogoredo Features:

Peripheral Posts: 62
M.M. Signaller Interface: 2
Operator Maintenance Interface: 3+3 (in each P. Location)
Simulation/Test/Training: 1 room with a complete system and a real PP
Field Devices: up to 1200
Track Circuits: 194
Points/Switches: 87
Signals: 72+30
CIU Cabinet: 1+1
ART Cabinet: 2+2
D&M Cabinet: 1+1
Network Cabinet: 1+1

ACC - OVERVIEW
ACC Milano Rogoredo Features:

(Diagram) Central location with CIU, ART, network cabinet and signaller/maintenance M.M.I.; numbered peripheral posts along the lines towards Milano Lambrate, D.B.S. Donato, Locate T., PM Trecca and MI Porta Romana.

North Peripheral Location


Manage field devices and Lambrate/Trecca/Porta Romana/Porta Vittoria Line Interfaces

South Peripheral Location Central Peripheral Location


Manage field devices Manage field devices and Bologna/Genova Line Interfaces


ACC M.M.I.
ACC MMI Example (screenshot)

Index

4. Hardware Architecture of the main Platform

Detailed architecture of the Multistation system

Central location - legend
- ART1/2-Server: Servers 1 and 2 for alarm, recording and remote control functions
- ART3/4-Server: Servers 3 and 4 for diagnostic functions as well as for the firewall network for external systems
- CIU: Safe interlocking unit
- CTC: Traffic control system
- Diagnostic Ethernet WAN: Diagnostic Ethernet WAN
- FE RBC: Interface to RBC
- FK: Functional keyboard
- Maintainers desk: Maintainers work station
- Offline diagnostic: Offline diagnostics
- Online diagnostic: Online diagnostics
- Operator interface maintainer: Maintainers operator interface
- Operator interface signaller: Signallers operator interface
- PP: Peripheral post
- RCE Terminal: Event Chronological Recorder terminal
- Signallers desks: Signallers workstation
- Signalling Ethernet LAN: Ethernet LAN for signalling functions
- Signalling Vital Network: Safety network for PPs
- TEL 1 and 2: Interface to external systems
- Vital HUB: Safety communication hub that converts electrical signals into optical signals and vice versa, making possible the connection of fibre optic cables of mono-mode or multi-mode type
- Wallscreen: Wall panel

Main Basic Features

FAIL-SAFE ARCHITECTURE is based upon the following principles (EN50129, B.3.1):

- COMPOSITE FAIL-SAFETY, realized by using a parallel architecture (2oo2 or 2oo3, TMR).
- INHERENT FAIL-SAFETY, used in the implementation of the WATCH-DOG and of the vital output circuit.

A hazardous failure causes the irreversible product shut-down: each I/O interface is unconditionally disabled. It has been demonstrated that no single random HW failure mode is hazardous.

EN50128, Tables A.1 - A.20

ACC Architecture Redundancies

ACC CIU FEATURES (diagram legend): 1 - Central Interlocking Unit; 2 - ART 1; 3 - ART 2

CIU architecture

CIU architecture functional block diagram

2-out-of-3 Voting Mechanism Functional Diagram

(Diagram) The safety nucleus has three sections (NS section 1, 2 and 3), each driving its own output channel through electrical isolation. The exclusion logic has three modules: LE module #1 compares sections 1=2, LE module #2 compares 2=3 and LE module #3 compares 3=1; each module produces an Enable 48Vdc signal for the outputs.
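A Python model of the 2-out-of-3 vote with exclusion logic shown in the diagram, added here as an example and not the CIU's own code. It assumes each section's output is a byte string, that a section whose output disagrees with the other two is excluded, and that the loss of any agreeing pair triggers the irreversible shut-down stated under Main Basic Features.

```python
"""2oo3 voting with exclusion logic, modelled after the CIU safety nucleus
diagram. Added example, not the product's code; the byte-string frames and
the class API are assumptions."""
from dataclasses import dataclass, field

# LE module k compares the outputs of section pair (k, k+1): 1=2, 2=3, 3=1
PAIRS = ((0, 1), (1, 2), (2, 0))


@dataclass
class Voter2oo3:
    excluded: set = field(default_factory=set)   # sections excluded by the LE logic
    shut_down: bool = False                       # irreversible, disables every output

    def output_enabled(self) -> bool:
        """The Enable 48Vdc condition: no shut-down and at most one section excluded."""
        return not self.shut_down and len(self.excluded) <= 1

    def _shutdown(self):
        # Inherent fail-safety: a hazardous failure disables all I/O for good
        self.shut_down = True
        return None

    def vote(self, outputs):
        """outputs: three frames (bytes), one per NS section.
        Returns the agreed frame, or None when the outputs are disabled."""
        if self.shut_down or len(outputs) != 3:
            return self._shutdown()
        active = [i for i in range(3) if i not in self.excluded]
        agreeing = [(a, b) for a, b in PAIRS
                    if a in active and b in active and outputs[a] == outputs[b]]
        if not agreeing:
            # No pair of live sections agrees: no 2oo3 majority, hazardous
            return self._shutdown()
        a, b = agreeing[0]
        if len(active) == 3 and len(agreeing) == 1:
            # Exactly one pair agrees: the third section dissents and is excluded
            (odd,) = set(active) - {a, b}
            self.excluded.add(odd)
        return outputs[a]
```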

Solutions for MMI


Multistation main characteristics

Man-machine interface (MMI), safe operation and display:

Safety related information is displayed, according to CENELEC standards, by means of a specific software platform and TFT LCD monitors with proper internal devices. This information is transferred from the CIU to the MMI computer through the Signalling LAN. Safety related commands are sent to the Safety Logic by means of a special vital keyboard.

MMI hardware architecture

(Diagram) Two computers connected by an Ethernet link: a CPU Pentium M on a CPCI bus with three graphic controllers (#1, #2, #3), and a CPU Celeron on its own CPCI bus; each has a power supply (ALIM); 48Vdc supply; Vital Watch-Dog.

Display of safety related information

- Field device status reception
- Device status verification
- Calculation of symbol aspects
- Graphic updating of views
- Vectorial description of symbols
- Color logic
- Verifying the integrity of the Video Card
- Hardware watch-dog management

Verifying the integrity of the Video Card

(Diagram) The symbol status is drawn twice: drawing A into the displayed view and drawing B into a view kept in storage. The displayed view and the stored view, together with the previous-status displayed view and the previous-status storage view, are compared by voting.

Index: Software structure

Software

(Diagram) Generic Product: Operating System, HW Drivers & Diag, Data Handler. Generic Application: Interlocking Rules Data, produced from the Interlocking Principles by the Logic Data Preparation Process. Specific Application: Geographical Data, produced from the Control Tables and the Scheme Plan by the Geographical Data Preparation Process.

Software layers

- Basic Software: fixed, it manages the safety system functions
- Application Software: includes the safety logic functions suitable for the relevant application (customer signalling rules); validated only for the first application; used without changes for all the following projects
- Configuration Software: describes the station data (routes, objects to be controlled, ...); captures from the application software database the rules needed for the project to be implemented

Software Structure

Software characteristics
- The following software environment is provided: CIU is proprietary
- The following software languages are used: Assembler, Subset C
- The following software levels are provided:
  - System software (Operating System, HW-Driver and Diagnostic)
  - Generic Product (Data Handler)
  - Generic application software (Interlocking Rules Data with Customers standards)
  - Specific application software with geographical/project specific data

Index

4. Application software

Safety Logic structure

Safety Logic module i (e.g. Signal):
- Header
- Description of used data
- Operations (1, 2, ..., j, ..., n) (e.g. from stop aspect to clear aspect):
  - Check of safety conditions (input data)
  - Exception handlers
  - Set of variables (output data) and activation of other modules
  - Set of value to process status
  - End of operation

Pseudo-code translation

26. OPERAZIONE attivata da stato processo con valore "impresenziamento comandato"
    Elenco attributi "tipo_oper=0, brapido=0"
26.1 SOTTOOPERAZIONE
    VERIFICA
      a) "stato comando i/idl/sp" = "i"
      b) "stato telecomando" = "i"
      ca) ESEGUI "gestione nmdlb" ("mmd generale") = VERO
      da) "stato processo" ("manovre a mano", "mmd generale") = "a riposo"
      ea) "stato zona" ("zone area telecomandata ambito dco") = "incluso"
    ECCEZIONI
      a) MC "VI Comando annullato."
         AZIONI
         - "stato processo" = "idl" se "regime impianto" = "idl"
         - "stato processo" = "stazione porta" se "regime impianto" = "sp"
      b) MC "VI Comando annullato."
         AZIONI
         - "stato processo" = "idl" se "regime impianto" = "idl"
         - "stato processo" = "stazione porta" se "regime impianto" = "sp"
      ca) MC "VA0 MMD in atto"
      da) MC "VA0 MMD in atto"
      ea) MC "VA0 Zona IS esclusa"
26.2 SOTTOOPERAZIONE PER_ENTE ATTIVA_SUCCESSIVA
    VERIFICA
      *) "posizione richiesta" ("deviatoi di confine telecomando in posizione normale") = "rovescio"
    ASSEGNA
      - COMUL "manovra in posizione normale" ("deviatoi di confine telecomando in posizione normale")

Sub-Operation 26.1
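The pseudo-code is an instance of the Safety Logic module structure (check of safety conditions, exception handlers, then output assignments). The Python below, added here and not the interlocking's own code, models that structure as a small interpreter and runs the checks a) to ea) of sub-operation 26.1 through it; the state keys and the final assignment (regime "i", process status "impresenziato") are assumptions derived from the names in the pseudo-code and machine code.

```python
"""Model of the Safety Logic operation structure: ordered safety checks,
an exception handler per check, and output assignments only when every
check passes. Added example, not the interlocking's own code; the state
keys and the final assignment are assumptions based on the pseudo-code."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Check:
    label: str                         # check label as in the pseudo-code: a, b, ca, ...
    cond: Callable[[dict], bool]       # VERIFICA: safety condition on input data
    message: str                       # ECCEZIONI: MC message raised when it fails
    actions: Callable[[dict], None] = lambda s: None   # AZIONI of the exception


def run_operation(state: dict, checks, assign):
    """Evaluate checks in order. The first failing check runs its exception
    actions and the operation ends with no output assignment (fail-closed).
    Returns (True, None) on success or (False, "<label>) <message>")."""
    for c in checks:
        if not c.cond(state):
            c.actions(state)
            return False, f"{c.label}) {c.message}"
    assign(state)
    return True, None


def _comando_annullato(s):
    # Exception actions of a) and b): reset the process status by plant regime
    if s["regime impianto"] == "idl":
        s["stato processo"] = "idl"
    elif s["regime impianto"] == "sp":
        s["stato processo"] = "stazione porta"


# Sub-operation 26.1 VERIFICA / ECCEZIONI, one Check per labelled condition
SUBOP_26_1 = [
    Check("a", lambda s: s["stato comando"] == "i", "VI Comando annullato.", _comando_annullato),
    Check("b", lambda s: s["stato telecomando"] == "i", "VI Comando annullato.", _comando_annullato),
    Check("ca", lambda s: s["gestione nmdlb"] is True, "VA0 MMD in atto"),
    Check("da", lambda s: s["manovre a mano"] == "a riposo", "VA0 MMD in atto"),
    Check("ea", lambda s: s["stato zona"] == "incluso", "VA0 Zona IS esclusa"),
]


def _assign_26_1(s):
    # Output data written only after all checks pass (assumed final values)
    s["regime impianto"] = "i"
    s["stato processo"] = "impresenziato"


def impresenziamento_comandato(state: dict):
    """Run operation 26 (sub-operation 26.1) on a mutable state dict."""
    return run_operation(state, SUBOP_26_1, _assign_26_1)
```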

Machine code

; 26. Operation activated by process status with value "impresenziamento comandato"
$OPER   VSTICOM, $PSSTA, VSTICOM
$STOPER $NORM, $ATTIF
$VEROP  $SING, $STAZ, SSTSTACOMIID, VSTI, 1                    ; a
$ECCOP  $SING, $STAZ, SSTSTAPROCES, VSTIDL
$CONDOP $SING, $STAZ, SSTREGIMP, VSTIDL
$ECCOP  $SING, $STAZ, SSTSTAPROCES, VSTSP
$CONDOP $SING, $STAZ, SSTREGIMP, VSTSP
$VEROP  $SING, $STAZ, SSTSTATEL, VSTI, 2                       ; b
$ECCOP  $SING, $STAZ, SSTSTAPROCES, VSTIDL
$CONDOP $SING, $STAZ, SSTREGIMP, VSTIDL
$ECCOP  $SING, $STAZ, SSTSTAPROCES, VSTSP
$CONDOP $SING, $STAZ, SSTREGIMP, VSTSP
$VEROP  $LAUT, ESTMMD, CGEGESTNMDLB, 3                         ; ca
$VEROP  $LIS2, ESTMMD, EGEMANMAN, SMMSTAPROC, VMMARIPOSO, 4
$VEROP  $LISTA, ESTZOTELDCO, SSISTAZON, VSIINCLUSO, 5          ; ea
$STOPER $PEREN, $ATTIV
$VEROP  $LISTA, ESTDVINPONOR, SDVPOSRICHIE, VDVROVESCIO, 0
$ASSOP  $LISUL, ESTDVINPONOR, 0, CDVMANPOSNOR
$STOPER $PEREN, $ATTIV
$VEROP  $LISTA, ESTDVINPOROV, SDVPOSRICHIE, VDVNORMALE, 0
$ASSOP  $LISUL, ESTDVINPOROV, 0, CDVMANPOSROV
$STOPER $NORM, $ATTIF
$VEROP  $LISTA, ESTDEVSTA, SDVSTACOMAND, VDVAUTOMATIC, 6
$VEROP  $LISTA, ESTSEGSTA, SSESTACOMAND, VSEAUTOMATIC, 7
$VEROP  $LISTA, ESTCHSSTA, SCHSTACHICS, VCHNORMALE, 8          ; e
$VEROP  $LISTA, ESTDVINPONOR, SDVPOSRICHIE, VDVNORMALE, 9
$VEROP  $LISTA, ESTDVINPONOR, SDVSTAPROCES, VDVARIPOSO, 10
$VEROP  $LISTA, ESTDVINPONOR, SDVSTACONPOS, VDVNORMALE, 11
$VEROP  $LISTA, ESTDVINPOROV, SDVPOSRICHIE, VDVROVESCIO, 12
$VEROP  $LISTA, ESTDVINPOROV, SDVSTAPROCES, VDVARIPOSO, 13
$VEROP  $LISTA, ESTDVINPOROV, SDVSTACONPOS, VDVROVESCIO, 14
$VEROP  $LISTA, ESTPLSTAZ, SPLSTACOMAND, VPLAUTOMATIC, 15
$VEROP  $LISTA, ESTFEDSTA, SFECONTCONCO, VFENORMALE, 16
$ASSOP  $LISUL, ESTFEDSTA, 0, CFELIBRAUT
$ASSOP  $SING, $STAZ, SSTREGIMP, VSTI
$ASSOP  $SING, $STAZ, SSTSTAPROCES, VSTIMPRES
$ASSOP  $GEST, $CFIEX, 0, $TRUE
$ASSOP  $GEST, $CPROS, 0, $FALSE

Sub-Operation 26.1

Thank you for your attention
