men-train-control-system-brochure-web

menTCS –
MEN Train Control System
SIL 4 Railway Computer for Rolling Stock and Wayside Applications
Contents
menTCS Approach
menTCS Configuration Examples . . . . . . . . . . . . . . . . . . . . . .
16
menTCS Software Architecture . . . . . . . . . . . . . . . . . . . . . . . . .
18
» IT Trends in Transportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
» Open Computer Standards with SIL 4 Certificate. . . . . . . . . . . . . . . . . . . . 4
» Mobility 4.0 – Ready for the Internet of Things. . . . . . . . . . . . . . . . . . . . . 5
» Safety Compliance with EN 5012x. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
» Environmental Compliance with EN 50155 . . . . . . . . . . . . . . . . . . . . . . . . . 6
menTCS SIL 4 Component Certification
» TÜV Certificates for the Hardware together with QNX. . . . . . . . . . . . . . 24
» Long-Term Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
» TÜV Certificates for the Hardware without Operating System . . . . . . . 25
menTCS System Architecture
» Scalability and Modularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
menTCS Application Areas
» Real-Time Ethernet Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
» Rolling Stock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
» Safe menTCS Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
» Wayside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
» Safe menTCS Remote I/O Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
» Safe menTCS CPU Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
» Safe menTCS I/O Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
» AAR Compliant menTCS Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
menTCS Ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
menTCS Benefits Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
The governments of many countries have increased their safety standards in mass transit
and freight transport and / or work on nationwide traffic regulation programs, e.g.:
»
»
»
»
»
SIRF stage 2 (Germany)
PTC – Positive Train Control (USA)
ETCS – European Train Control System
CTCS – Chinese Train Control System
KLUB-U – Russian Train Control System
menTCS Approach
IT Trends in Transportation
Mobility 4.0 –
Ready for the Internet of Things
The use of digital technology has transformed the way modern railways work today. Safe train control and rail signaling are expected to play a key role in the overall railway computer infrastructure
considerations, implying increasing demand for Safety Integrity Level standards up to SIL 4.
At a certain point, also the safe computer infrastructure – both, rolling-stock and wayside – need
to connect to the non-vital IT environment to exchange operation data, using a “vital-to-non-vital”
gateway. (For non-vital train IT applications please see the menRDC - MEN Railway Data Center
brochure under www.men.de/rdc)
Government-driven research and innovation programs like the European Shift2Rail
(http://shift2rail.org) initiative and others are discussing safety issues such as:
» How should vital train computers connect to the whole train IT platform in order to increase
efficiency and capacity of the whole rail traffic network?
» How would railway electronics be able to communicate with other connected devices in the IoT,
guaranteeing security and safety between big data and cloud computing?
Open Computer Standards
with SIL 4 Certificate
To meet the challenges of railway digitalization, computer
systems need to be built around open standards – also and
especially for all safety-related functions. This is the only way
to make rail transport means for passengers and freight
sustainably competitive and safe. The use of open computer
systems is the appropriate approach to support the efforts of
the national traffic regulation programs: ETCS in Europe, CTCS
in China, PTC in North America, or KLUB-U in Russia.
menTCS is the first computer system ever in the history of
the railway industry that is based on defined open standards
for hardware, software and communication. Its modularity
makes it configurable for every control function inside and
­outside the train – and scalable to any required safety level
from SIL 2 up to SIL 4.
menTCS opens up the essential interfaces between the control
electronics and the application. This is a major difference to
existing solutions, which are proprietary with a fixed hardware/
software configuration that is not accessible by the end user.
Consequently, menTCS is the ideal EN 50155 and EN 50121-4
4
k Of
Bac
RBC
compliant computer platform for any kind of safety-related
function up to SIL 4:
»
»
»
»
»
»
»
»
»
fice
CBTC (Communication Based Train Control)
ATP (Automatic Train Protection)
ATC (Automatic Train Control)
ATS (Automatic Train Supervision)
OBU (On Board Unit)
EVC (European Vital Computer)
RBC (Radio Block Center)
CBI (Computer Based Interlocking)
Level crossings
menTCS offers separation of the rail service from the electronic
control system behind. This unique feature allows railway system suppliers to concentrate on their core business
It also facilitates the market entry for small and mediumsize companies. And it enables rail operators to become
their own general contractor, keeping full transparency
of their project at any time.
menTCS
ATP
OBU
CBTC
ATO
EVC (ETCS)
ATS
Remote Control
menTCS – Train Control System
5
Safety Compliance with EN 5012x
menTCS complies with the requirements of the EN 5012x family of railway standards developed
by CENELEC, based on IEC 61508 (Functional Safety of Electrical / Electronic / Programmable
Electronic Safety-related Systems):
» EN 50126: Railway Applications – The Specification and Demonstration of Reliability,
Availability, Maintainability and Safety (RAMS)
» EN 50128: Railway Applications – Communications, signaling and processing systems
» EN 50129: Railway Applications – Communications, signaling and processing systems –
Safety related electronic systems for signaling
Safety-related menTCS components come with packages for the hardware and the safe QNX
operating system for the hardware.
Environmental Compliance
with EN 50155
menTCS complies with all environmental requirements of EN 50155 (Railway Applications –
Electronic equipment used on rolling stock) for in-vehicle operation:
» Operating
temperature: EN 50155 class T1, T2, T3, up to TX (–40 to +70 °C
[10 minutes up to +85 °C] with qualified components)
» Storage
temperature (cold): EN 50155 (–40 °C, 16 h)
» Humidity: EN50155 (+55 °C / +25 °C, 2 × 24 h)
» Shock: EN 61373 Cat. 1 Class B (50 m/s², 30 ms)
» Vibration (function): EN 61373 Cat. 1 Class B (1.01 m/s², 5 Hz – 150 Hz)
» Vibration (lifetime): EN 61373 Cat. 1 Class B (5.72 m/s², 5 Hz – 150 Hz)
» EMC
emission: EN50121-3-2
» EMC
immunity: EN 50121-3-2
» Electrical
safety: EN 50155; EN 50153; EN 50124-1
menTCS also complies with the EMC regulations of EN 50121-4: Railway Applications –
Electromagnetic compatibility. (Emission and immunity of the signaling and telecommunications
apparatus).
6
Long-Term Availability
Using an open system like menTCS means that the system itself does not become obsolete anymore under a classical definition of obsolescence. This means that product obsolescence management is limited to single standardized parts of a train control system or interlocking system that
can be replaced during maintenance of the running configuration. The application itself remains
untouched – thus, discontinuation of individual electronic components will never again affect and
endanger the complete train or wayside function.
If it becomes necessary to exchange such a standard electronic component – e.g., any of the computer boards because a supplier has discontinued an onboard component – this computer board
will be replaced by another function-compatible board from the menTCS family.
In case of any computer board obsolescence, MEN delivers a change effect analysis together with
the redesign. This ensures that the effort for re-porting of the application as well as for a potential recertification will be reduced to a minimum.
For menTCS, MEN guarantees:
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time
7
» A
system availability of 99.9999% is reached with two menTCS
systems – an operating one and one in stand-by mode.
» The number and type of safe inputs and outputs can be
­tailored to the application requirements.
» Wired and wireless interfaces for Wi-Fi, 3G/4G and GPS can
be implemented for vehicle-tovehicle and vehicle-to-land
communication.
» Fieldbus interfaces can be added to connect into other
­networks like MVB, CAN bus, Profinet etc.
QNX
AD E
YS S C
AN S
PikeOS
Linux
menTCS is SIL 4 certifiable and comes with pre-certified
hardware in combination with pre-certified software and
­corresponding certificates from TÜV SÜD, drastically reducing
the time of the certification process.
menTCS separates the safe parts of the application from the
non-vital parts, thus reducing the software certification effort.
The non-vital communication and service functions run on
standard Linux, guaranteeing that the system is open towards
the external world. The safe application runs in a safe kernel of
the QNX real-time operating system and can either be directly
programmed with standard "C" language, offering POSIX compliant APIs or optionally a safe PLC.
PLC
PACY
VxWorks
menTCS is based on the modular 19” CompactPCI standard,
making a scalable plug-and-play-like system configuration easy,
enabling communication with other train functions like service
or diagnosis, and supporting integration in existing train bus
networks:
» Remote I/O boxes can be used to expand the central unit,
interconnecting to sensors and actuators distributed along
the train or wayside, thus being close to the controlled
­equipment.
Integrity
menTCS is an application-ready platform, allowing the immediate start of the application development and giving the user
complete control over the functionality of the whole system.
menTCS consists of the safe controller, the safe I/O functions
and the communication interfaces to the “outside” world.
General Purpose
User Software
S of t
Scalability and Modularity
Sa
Ap p l f e U s e r
icat io
n “C”
menTCS System Architecture
menTCS Hardware
Safe and Non-Vital Operating
System on menTCS
Real-Time Ethernet Communication
The communication inside the menTCS system – between the safe menTCS controller, safe I/O
boards and safe remote I/O boxes – is based completely on a safe ...standard real-time Ethernet,
using EtherCAT and FSoE (Fail Safe over EtherCAT). Thus, the application can treat all I/O functions
in the same way.
All remote I/O boxes are connected to the controller in a ring topology, which tolerates single
­failures. For example, in case of a broken cable, the system is still fully operational, as all I/O
boxes can still be reached from the other end of the ring.
menTCS Controller
Real-Time
Ethernet
Master
Bus
Coupler
I/O Boards
menTCS Controller
menTCS I/O
menTCS I/O
Bus
Coupler
Bus
Coupler
I/O Boards
I/O Boards
Real-Time
Ethernet
Master
Bus
BC
Coupler
I/O Boards
Safe Real-Time Ethernet Communication with menTCS
8
9
Safe menTCS Controller
Safe menTCS Remote I/O Box
Example Configuration of a MH50C Controller
Example Configuration of a KT8 Remote I/O Unit
The heart of the modular menTCS train control system family is the MH50C central controller which
delivers state-of-the art computing performance based on x86 PC technology. The safe part
consists of SIL-certified components, which can be extended by non-vital I/O functions without
effecting the safety of the system. The MH50C can be wall or rack mounted and supports forced air
cooling. It can be used as a standalone device and in combination with up to 63 remote I/O boxes.
An extension of the menTCS system by remote I/O boxes becomes necessary if:
» T
he I/O functions required exceed the capabilities of the central MH50C controller.
» The actors and sensors are located far away from the MH50C controller, requiring
interconnected sensors and actuators being close to the controlled equipment distributed
along the train or wayside.
The basic version of the MH50C consists of:
» One certifiable safe CPU board
» Up to six I/O boards:
» Certifiable safe input and output boards, or
» Interface boards to Ethernet, Wi-Fi, GPS, COMs, CAN, MVB etc., or
» a combination of safe and non-vital I/O boards
» O
ne PSU with Class 2 hold-up time with just one wide range power supply 14.4 to 154 V
» QNX safe real-time operating system
» Linux non-vital operating system
» SIL 4 certification packages by TÜV SÜD, one for the CPU board (with QNX) and one
for the safe I/O boards
Each remote I/O unit of the menTCS family consists of:
» U
p to 4, 6, or 8 certifiable safe I/O boards
» R
eal-time Ethernet interface with chassis configuration switch
» P
SU with Class 2 hold-up time with just one wide range power supply 14.4 to 154 V
» S
IL 4 certification package by TÜV SÜD for the safe I/O boards
The remote I/O boxes are based on 19“ technology, with a reduced depth to provide a compact,
spacesaving packaging. They can be either wall mounted or installed on DIN rail mechanics.
For smaller applications, one centralized and integrated processing and I/O system can be already
sufficient to do the job. For large applications, the central MH50C unit can be scaled by extending
the 19” enclosure or by distributed deployment using remote I/O boxes.
10
11
Safe menTCS CPU Component
menTCS CPU Board F75P
menTCS I/O Boards K1, K2 and K7
The central element of menTCS is the self-contained F75P safe CPU board which uses 2oo2d
voting. The F75P is a standard CompactPCI board that is designed to execute safety-critical applications as well as non-vital applications and which comes with its own dedicated SIL 4 certification
package.
The I/O boards of the menTCS system are self-contained, using 1oo1d architecture. A dedicated
SIL 4 certification package is available for all I/O boards together. A single I/O board can be used
to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4. This scalable approach
reduces cost in case a lower SIL level is sufficient.
The safe CPU board F75P consists of:
» 3 Intel processors with
» 2 redundant CPUs executing the safety logic
» 1 CPU as general purpose and I/O communication processor
» Independent supervisors for each block
» Fail-safe board architecture
» Event logging with intelligent board management controller
Alternatively, two identical I/O boards can also be used to support hot stand-by in order to achieve
availability when required for critical functions.
In the standard configuration and as such included in the certification packages, the two independent control processors run the safe deterministic QNX Neutrino real-time operating system,
while the non-vital general purpose processor operates under Linux. Safe communication between
the control processor and the safe I/O boards is assured by communication protocols developed
­according to EN 50159 (safety-related communication in transmission systems).
All I/O components connect via spring cage terminal blocks for fast installation thanks to reduced
wiring. They are fully isolated and support the full voltage range from 14.4 to 154 V DC
As an option, the F75P can also work with the safe real-time operating systems PikeOS, Integrity
and VxWorks – even in a combination of different operating systems to support diversity in software on both kernels.
12
Safe menTCS I/O Components
The range of safe I/O boards comprise the typical functions required for railway applications:
» K
1 – 8 high-side switch outputs
» K
2 – 16 binary inputs
» K
7 – 8 low-side switch outputs
The safe menTCS I/O cards are designed to be used inside the MH50C controller as well as to
­configure the remote I/O boxes:
» M
H50C accommodates up to 6 safe I/O cards
» K
T8 accommodates up to 8 safe I/O cards
13
Configuration of the MA50C
As the final configuration of the MA50C highly depends on the application requirements,
the complete device is only available in a project context.
AAR Compliant menTCS Controller
Standard components and specifications of MA50C:
» AAR 6 MCU core housing with
» Conduction cooling capacity suitable for 100 W internal power dissipation
» Power input connector
» Shelf controller and control panel board
» menTCS SIL 4 CPU board F75P with conduction cooling frame
» Flexible power concept with wide range power supply
» Input 14.4 to 154 VDC or 100 to 240 VAC
» Cranking voltage range 20 to 130 VDC (nominal 74 VDC)
» Operating temperature
» According to EN 50155 Class T2 (–40 to +70 °C)
» Compliant with AAR standard S-9401
» Environmental conditions
» According to AREMA 11.5.1 Class I, Class J
Device specific components of MA50C:
» Up to 5 vital and non-vital I/O boards with conduction cooling frame
» Backplane
» Front panel and I/O connectors
With its single components based on standard technologies, the MA50C offers fast time to market
at an attractive cost. A flexible configuration of I/O functions with modular CompactPCI boards
meets a quick installation in the AAR housing. The removable front panel supports easy maintenance and access to the internal electronics.
menTCS AAR Controller MA50C
The MA50C central controller is the first member of the AAR
sub-family of menTCS. It is functionally identical with the
MH50C, using the same CPU and I/O boards, QNX and Linux
operating systems, coming with the same SIL 4 certification
packages, supporting the same remote I/O architecture.
Mechanically, the system complies with the AAR Locomotive
Electronics System Architecture Standard S-590 of the American Association of Railway Manufacturers, being based on the
6 MCU (Modular Concept Unit) form factor as an optimal size to
host a single tower of standard 3U CompactPCI boards.
The MA50C is targeted primarily for the North American railway
market and railway markets in other countries where extremely
robust hardware is needed or where electronic systems have to be
provided in the standard AAR form factor. In dirty, humid and chemically harsh environments air cooling is simply not an option. Therefore all the boards inside the MA50C are conduction cooled and
the enclosure is in accordance with the IP65/NEMA-4 standard.
14
Conduction Cooling
menTCS is based on the CompactPCI standard and as such also
supports conductive cooling as an option, meaning that any
menTCS board can be converted into a conduction-cooled one
by embedding it into an individual aluminum frame. Conduction
cooling transfers the heat out of the system by connecting this
frame to the enclosure. By that measure the enclosure can also
be made hermetically tight, and it gets a particular mechanical
stability.
VGA
3
2
1
STA
CPU
RST
MA50C Configuration Example
Option slots populated with safe I/O
F075C
Option Slot 1
IOER
FSOE
ERR
RUN
IOER
FSOE
ERR
RUN
IOER
FSOE
ERR
RUN
IP65 Protection
IOER
FSOE
ERR
RUN
2 A
C/L
In accordance with the IEC 60529 standard, the IP (International
Protection) code classifies and rates the degree of protection
against environmental impact. With the fulfillment of class
IP65, the MA50C is completely tight against dust and water
jets from any direction shall have no harmful effects on
the system.
4
A
C/L
4
3
2
1
4
3
2
1
8
7
6
5
8
7
6
5
4
3
2
1
8
7
6
5
4
3
2
1
8
7
6
5
12
11
10
9
16
15
14
13
12
11
10
9
16
15
14
13
K001C
K001C
K002C
K002C
2A
C/L
1
A
C/L
F305C
PU20C
Option Slot 2
Option Slot 3
Option Slot 4
» 8 SIL 4 outputs (each using 2 pins)
» 16 SIL 4 inputs (each using 2 pins)
» 1 slot reserved for future use
Option Slot 5
Real-Time Ethernet
PSU
MA50C Configuration Example (Internal View)
15
menTCS Configuration Examples
menTCS System Controller
menTCS Remote I/O Boxes
MH50C Configuration Example 1
Configuration of a remote I/O box with eight I/O cards
Option slots populated with safe I/O
» 8
digital outputs, SIL 4 (each using 2 pins)
» 1 6 digital inputs, SIL 4 (each using 2 pins)
» 8
SIL 4 outputs (each using 2 pins) + 8 SIL 2 outputs
» 1 6 SIL 4 inputs (each using 2 pins) + 16 SIL 2 inputs
MH50C Configuration Example 2
Configuration of a remote I/O box with four I/O cards
Option slots populated with safe I/O
» 8 digital outputs, SIL2
» 16 digital inputs, SIL 2
» M
VB master
» 2 slots reserved for future use
» 8 SIL4 outputs (each using 2 pins)
» 16 SIL2 inputs
This configuration targets SIL 2 safe I/O applications:
each safe I/O card is only assembled once.
Both configuration examples are based on the “barebone configuration”, which
includes the safe F75P CPU board, real-time Ethernet card connecting distributed
safe I/O, a wide-range PSU and system supervision.
menTCS System Controller in
Combination with Remote I/O Boxes:
menTCS Controller
menTCS as ETCS Computer
Full 19“ system consisting of
» Safe CPU board F75P
» Safe I/O boards
» Digital inputs, SIL 4
» Digital outputs, SIL 4
» Non-vital I/O boards – to the right of F75P
» Uplink switch and storage shuttle
» Non-vital I/O boards – to the left of F75P
» Ethernet connection to safe I/O boards
» UART interfaces
» MVB and Profibus interfaces
16
menTCS Remote I/O
menTCS Remote I/O
menTCS Remote I/O
17
menTCS Software Architecture
Separation between Safe and Non-Vital Domains
Safe Application Interface
The menTCS software distinguishes between the safe and the
non-vital domain in order to save cost and time for application
development and certification. This separation allows to develop
non-vital applications separately from safe applications. Non-vital applications cannot influence safe applications because they
are executed on a separate processor running a standard Linux
operating system.
As menTCS is an open general-purpose hardware platform for
different kinds of safe applications, the software programmer
needs an interface to get full access to the control electronics.
The PACY safety I/O framework provides easy and modular
access to the safe I/O boards. PACY also includes a safe communication layer crossing the black channel.
Control Processor Domain 2
RAM Disk
Control Processor Domain 1
User‘s Safety Application
RAM Disk
Debug Server
User‘s Safety Application
In order to guarantee appropriate
communication between the
safe controller and the safe I/O
functions via real-time Ethernet,
the black channel approach
is applied. The requirements
to transport safe data over
untrusted communication
are defined by EN 50159 and
realized using the FSoE safe
communication protocol (Fail
Safe over EtherCat).
User Safety Application
User Safety Application
Safety Communication Layer Compare
Safety I/O Framework (PACY) Compare
Safe QNX/Safe BSP
Safe QNX/Safe BSP
Communication
(Shared RAM,
Virtual Ethernet)
I/O Domain (CPU Board)
I/O Safety
layer
PACY
Berkley
Sockets
I/O Safety layer
MISC
IP Stack
IP Stack
QNX Microkernel
WDOG
MISC
Reset
StartupFlow
WDOG
Reset
StartupFlow
BIT
RAM
BITCPU
ROS
RAM
CPU
ROS
SHMEM
CP SYNC
SHMEM
IOP Transfer
Synchronization
CP1/CP2
Via Shared RAM
CP SYNC
IOP Transfer
QNX Microkernel
menTCS Middleware Overview
“Unsafe” Application
Communication
Diagnosis, Services
Black
Channel
Driver Libraries
Linux (Soft Real-Time)
External Interfaces
Safe Domain (I/O Board)
Safety Communication Layer
Separation between Safe and Non-Vital Domains
18
PACY
Berkley
Net Support
Sockets
Telnetd,
ftpd...
Safe Domain (CPU Board)
Process/Satus Data
Net Support
Debug Server
Netw Servers
Telnetd,
Netw Servers
ftpd...
Safe Communication
Process/Satus Data
Safe Operating Systems
Without being influenced by non-vital applications, the safe applications are executed on two
separated redundant control processors. Integrity tests ensuring the safe operation of each safe
processor are provided by the safe operating system.
This architecture allows to develop safe applications on a menTCS platform in combination with all
market relevant safe operating systems, such as QNX, PikeOS, VxWorks, or Integrity.
Together with QNX, the menTCS CPU and I/O components come with pre-certified SIL 4 hardware/
software bundles, accelerating time to market even further. In fact, the QNX “Neutrino” microkernel provides important safety-relevant features like memory protection, interprocess communi­
cation, or deterministic scheduling. It protects user processes from each other, so that processes
can also have different SIL levels. QNX Neutrino is open to the usage of standard driver software
and middleware.
19
PACY I/O Framework
Synchronization Service Functions
PACY is a process data application framework that makes the menTCS hardware transparent for
the application. It handles the communication between the CPU together with custom-specific
application software and the safe I/O cards. Being a transparent abstraction layer PACY takes care
of the execution of the application’s commands, providing an API for "C" language programming.
Developers can control the I/O through "C" language variables independently of the kind of I/Os
that need to be controlled.
The synchronization and comparison service function ensures that both safe processors use
the same input data and verifies that the calculated output data is the same. Additionally, the
­application can use this service for temporal logical monitoring of the application program as
­required by EN 50129 for SIL 3 or 4 applications.
The following figure shows a representative safety application which is using synch services
to synchronize the execution of the redundant architecture of the two control processors.
As a module-based framework PACY opens up all interfaces from the application to the hardware.
This allows a flexible extension by individual, custom-specific modules.
The FSoE protocol (Fail Safe over EtherCAT) integrated in PACY is responsible for the safe data
transmission and protection of what is called the Black Channel. A SIL 4 certification according
to EN 50128 will also be available for PACY, including the corresponding documents. PACY is configured by a configuration tool allowing to run the same application, using different menTCS I/O
boards.
Wait for next cycle to begin
Wait for next cycle to begin
SYNC TIME (1)
Customer Safety Application
Contol Processor
»
»
»
»
»
» K1
cheduling
S
Process Separation
Process Communication
Integrity Checks
Networking
Get inputs
Get inputs
COMPARE (3)
XXX
SYNC (4)
Process Data Variables
PACY
Safe ONX and BSP
Safe QNX and BSP
SYNC (2)
Contol Processor
Customer Safety Application
PACYF50€
F50€
Rel#1F50€
F50€
K1#1F50€
K1#2F50€
K1#3F50€
FSoE
FSoE
FSoE
PACY
Config Data
PACY
Config Data
Execute application logic
SYNC (5)
Execute application logic
SYNC (6)
SYNC
Functions
SYNC
Functions
COMPARE (7)
Write outputs part A
Write outputs part B
Exchange Functions
EtherCAT-Master
IOP
Synchronization of Control Processors 1 and 2
PACY Operating Principle
20
21
External systems communicating with the safe menTCS controllers via Ethernet using UDP or TCP
see both processors as “one instance” using MEN’s Y-COM service functions. Incoming frames are
distributed to both safe domain processors by the Y-COM server running on the non-vital processor,
whereas outbound frames are synchronized between both safe domain processors. The payload
is mixed, meaning that each safe CPU generates a part of the outbound transmit frame, and the
Y-COM server on the non-vital processors sends this frame to the external system.
While the safe applications are executed on two separated redundant control processors, a third
processor controls all non-vital applications. The operating system running on this third processor
can be Linux or any of the known real-time operating systems. Being an open standard hardware
platform, menTCS ideally uses Linux as the operating system based completely on open source
technology. Linux is free, and is supported by a broad, community driven product offering. Installation of applications is easy as it is to change options, and it comes with security features.
Safety Protocol
Y-COM API-LIB
Y-COM API-LIB
Linux
QNX
YS S C
PLC
AN S
PikeOS
Safety Protocol
PACY
VxWorks
Safety Application
Integrity
Safety Application
S of t
General Purpose
User Software
F75P
AD E
Linux Operating System
Sa
Ap p l f e U s e r
ica t io
n “C”
Synchronized Communication Service Functions
menTCS Hardware
Y-COM Server CP
Y-COM Server CP
Internal Ethernet
Internal Ethernet
Y-COM Server IOP
Ethernet UDP or TCP
External System
Safety Protocol
Y-COM Communication
22
Non-Vital Operating
System Linux on menTCS
Development Tools
As a general-purpose system being open to the final application, menTCS also supports a multitude of third-party development tools. Generally, C-code generating tools like SCADE
or Mathlab/Simulink can be used to implement the application
running on the safe processors.
Other development tools that have already been tested with
menTCS include the Prover iLock suite which automates development of computerized interlocking systems, or the safe soft
PLC FlexiSafe from infoteam which is used for implementations
based on PLC languages according to IEC 61131-3.
A new tool provided by MEN itself for the development of safe
applications is the menTCS configurator (in preparation). The
menTCS configurator simplifies the definition of any menTCS
architecture by abstracting the I/O topology, thus making the
application program independent of the I/O topology. The
advantage of this tool is that – in case the safe application must
run on different I/O configurations – a recompilation of the
application for each of the configurations is not necessary.
Another tool from MEN for the development of non-vital
­applications under Linux is a package for the Yocto ProjectTM
development environment, including all relevant components
to interact with menTCS.
23
menTCS SIL 4 Component Certification
TÜV Certificates for the Hardware together with QNX
menTCS is SIL 4 certifiable according to EN 5012x and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV SÜD (German Technical
Inspection Agency), drastically reducing the duration of the certification process.
As menTCS consists of a CPU board and a number of different I/O functions (boards) yet to be
configured to the final application, the certification
packages are divided as well:
» 1 package for the redundant control processors of the F75P safe CPU board with QNX
» 1 basic package for the complete safe I/O board portfolio for QNX plus I/O board
specific packages
» R
educes risk – the QNX BSP comes together with the certification package from MEN
Beside the hardware/software bundle the certification packages include:
» S
afety User Guide including the safety-relevant application requirements, a detailed
description of the hardware and instructions for appropriate operation
» S
afety Case describing the concepts for reaching functional safety as well as all safet
and quality-relevant processes and measures to meet the SIL 4 requirements
» A
ssessment report and SIL 4 certificate from TÜV SÜD
» A
number of support hours
Per Company
Per Project
Support Plan
QNX OS for
Safety License
Customer
menTCS Hardware
­Certification Packages
menTCS Software
­Certification Packages
Per Board
Runtime Fee
Shared Delivery of Components and Services
TÜV Certificates for the Hardware without Operating System
Safe menTCS / QNX Bundle with SIL 4
Certification Packages
Pre-certification of the menTCS hardware together with the QNX software has significant
advantages:
» Saves time – no need to get an own safe BSP (or drivers) developed
» Saves cost – just purchase certification packages from MEN and QNX licenses from QNX
24
In case that QNX is not the operating system of choice for the application, the certification
packages for the F75P CPU board and the separate one for the I/O boards are also available
without a board support package or driver software.
A menTCS hardware SIL 4 certification package for just the hardware also includes:
» S
afety User Guide including the safety-relevant application requirements, a detailed
description of the hardware and instructions for appropriate operation
» S
afety Case describing the concepts for reaching functional safety as well as all safety
and quality-relevant processes and measures to meet the SIL 4 requirements
» A
ssessment report and SIL 4 certificate from TÜV SÜD
» A
number of support hours
25
menTCS Application Areas
Gear Control
Fuel Control
Wheelslip Control
Driver Display
Driver Cab
Controls/Indicators
menTCS Controller
Valves, Relays,
Sensors…
menTCS
Remote I/O
Brakes
Ethernet
Train Bus (MVB, CAN)
I/O Bus (CAN, Profibus)
Covering all Vital Train and
Wayside Applications with menTCS
Rolling Stock
menTCS is well suited for control of all safety-related functions in new train models as well as
for refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation
functions in combination of menTCS with other parts of already existing train control equipment
as well.
menTCS enables:
» Installation as the heart of the CBTC (Communication Based Train Control) system or the TCMS
(Train Control Management System) for new trains
» Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
» Step-by-step replacement of older equipment, resulting in one standardized general-purpose
platform for all safe applications
» Remote control sitting directly at the door, at the wheel, at the gear
» All-in-one safe control system and non-vital communication system – safely separated through
strict partitioning
» Interfacing to all existing train communication with Ethernet and MVB, CAN bus etc.
» Interfacing to the driver cab display
» Interfacing to wireless communication with the outside world through GSM-R, GPS, Wi-Fi etc.
» D
ecrease in life cycle cost through easy maintenance of standard components
» L onger operating life by using standardized technologies
» Reduction of dependence on single suppliers, resulting in a growing service offer
26
menTCS example application:
ETCS EVC system, providing
» G
SM-R communication
» E
TCS application computer
» Fieldbus interfaces to other ETCS equipment (MVB, Profibus)
» R
eal-time Ethernet interfaces to train functions
» C
ontrol of train functions realized with remote I/O unit
Control
Center
Remote I/O
Train Interfaces
menTCS
MVB
Profibus
Balise
GSM-R
Ethernet
EuroBalise
menTCS as ETCS On Board Unit (OBU)
27
menTCS Ecosystem
Wayside
menTCS is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train
management, wayside devices such as switches, signals, or level crossings. Being a modular
platform, it can be used in new interlocking systems as well as for a soft modernization and
­automation of older relay interlockings. Existing outside facilities can be preserved and adapted.
The extremely compact inside facility of an interlocking system is clearly separated and forms the
safe platform (SIL) for the control and automation layer.
menTCS enables:
» Introduction of ETCS L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Increase in performance of the interlocking systems
» Low cabling cost thanks to standardized Ethernet technology
» Avoidance of the costly total replacement by CBIs (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the expansion of total capacities
» Decrease in life cycle cost through easy maintenance of standard components
» Reduction of dependence on single suppliers, resulting in a growing service offer
menTCS is a general purpose
platform for safe train and
wayside functions based on
standard technologies – and
as such open to the features
and requirements of the final
application. Several packages
and services around menTCS
help the customer to save cost
and speed up time-to-market.
Safe
Applications
General Purpose
Applications
Application Development
PACY Safe I/O
Framework
Yocto Project
Development
Vital Operating System
Non-Vital
Operating System
menTCS
Train Control System
Control Logic
Centralized
Traffic Control
CBI (redundand)
Remote I/O
Relays
Actors & Sensors
As an embedded systems solution provider to the railway industry MEN delivers especially
­computer hardware with adapted BSPs and drivers:
» m
enTCS hardware installation in a modular configuration tailored to the application
» Q
NX safe operating system and turnkey Linux
» S
IL 4 certification documents
menTCS example application:
Understanding the requirements of the application programmer MEN delivers middleware
and tools:
» P
ACY safe I/O framwork and service functions
» N
on-vital service and configuration tools
New CBI system for railway and
metro stations
» One CBI per station, requiring SIL 4
» Dual MH50C system, one in hot stand-by
» Each MH50C to control 1500 digital inputs
and 600 digital outputs
Understanding the requirements of the final use case MEN provides consultancy and recommends
approved partner products:
» M
EN product support, training and in-depth documentation
» S
afe soft PLC (IEC 61131-3 system) under QNX functionality from infoteam
» T
ool suite for development of computerized interlocking systems from Prover
» In-house approved design tools like SCADE, Yocto Projecttm
menTCS as Interlocking Computer (CBI)
28
29
menTCS Benefits Summary
Open Safe Platform
Open Hardware
Different safety functions with different
SIL levels on one platform
Reduces hardware cost and obsolescence risk
Standard PC hardware architecture
State-of-the-art x86 host controller
Processor redundancy
Provides safety by means of 2 control processors on a single CPU board
Safe modular I/O
Main controller with Intel CPU board
­architecture
Covers all application-specific requirements
» Safety execution with 2 redundant processors
» 1 general purpose processor
» Independent supervisors for each block
Safe API (Application Interface)
» POSIX compliant
» “C” programming language
3U 19" CompactPCI
Robust industry-proven backplane and computer board standard
I/O with spring-cage terminal blocks
Makes connection easy and reduces cabling
14.4 to 154 V DC wide-range PSU
International railway compliance with just one device
Remote I/O boxes
Provides less cabling, improved signal quality and a huge number of I/Os
QNX real-time operating system
Partitioning of the application for different safety levels
SIL 4 from the beginning
No workarounds or compromises necessary
Same platform for wayside and
rolling stock
Reduces learning efforts
Open Non-Vital Extension
Linux operating system
Standard open source
software interfaces
Future-proof computer solution providing same functionality without
limitation in time
Use of open standards
Independence from single supplier, small learning curve
Standards Compliance
Development of non-vital functions in standard software environment
EN50155 & EN 50121-4
Fully proven for rolling-stock and wayside railway environments
Flexible and easy installation of applications
EN 50126/128/129 (based on IEC 61508)
Developed for functional safety from SIL 0 to SIL 4
SIL 4 certification packages with
TÜV SÜD certificate
Modular hardware/software packages make certification of the final application
easy and fast
Pre-certified hardware and software
compliant to railway standards
Open Communication
30
menTCS family concept
Low certification risk, fast time-to-market, customer can concentrate
on application
Ethernet communication
» Makes use of standard cabling, line interfaces, connects to standard
devices easy
» Connects main control system and remote I/O boxes
Services
Real-time Ethernet communication
Guarantees deterministic behavior on standard communication protocol
Long-term availability
EtherCAT based I/O with safety layer FSoE
Safe, fast and deterministic I/O
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time
Railway fieldbusses
Connection to existing train networks and devices via MVB, CAN, Profinet, etc …
Life-cycle management
Secures overall operability of the application when single components need
to be substituted
Wi-Fi, radio, GPS, RS485
Connection to all popular in-vehicle and external communication interfaces
Expertise in embedded railway solutions
» Development and environmental test services
» Worldwide sales support and consultancy
» Evaluating and understanding the application
No proprietary end application
Application is customers' value add to differentiate from market players
Open communication extensions
Integration of menTCS in any existing railway application
Your Project?
Rely on us!
31
MEN is a member of:
»
»
»
»
»
»
»
»
»
»
»
»
»
»
MD Fusion Partner Program
A
ARINC (Aeronautical Radio Incorporated)
B
avAIRia (Cluster for innovative aerospace technology in Bavaria)
C
AN in Automation
C
NA (Center for Transportation & Logistics Neuer Adler e.V.)
N
XP Design Alliance
I ntel® IoT Solutions Alliance
O
pen Source Automation Development Lab (OSADL)
P
CI-SIG (Peripheral Component Interconnect Special Interest Group)
PICMG (PCI Industrial Computer Manufacturers Group)
Unife (Union des Industries Ferroviaires Européennes)
U
SB-IF (Universal Serial Bus Implementers Forum, Inc.)
V
ITA (VMEbus International Trade Association)
W
ind River Partner Eco System
Issue 4.0, September 2017
Copyright © MEN Mikro Elektronik GmbH
All rights reserved.
www.men.de
www.men-france.fr
www.menmicro.com
www.men-china.cn