menTCS – MEN Train Control System
SIL 4 Railway Computer for Rolling Stock and Wayside Applications

Contents

menTCS Approach
» IT Trends in Transportation
» Open Computer Standards with SIL 4 Certificate
» Mobility 4.0 – Ready for the Internet of Things
» Safety Compliance with EN 5012x
» Environmental Compliance with EN 50155
» Long-Term Availability

menTCS System Architecture
» Scalability and Modularity
» Real-Time Ethernet Communication
» Safe menTCS Controller
» Safe menTCS Remote I/O Box
» Safe menTCS CPU Component
» Safe menTCS I/O Components
» AAR Compliant menTCS Controller

menTCS Configuration Examples

menTCS Software Architecture

menTCS SIL 4 Component Certification
» TÜV Certificates for the Hardware together with QNX
» TÜV Certificates for the Hardware without Operating System

menTCS Application Areas
» Rolling Stock
» Wayside

menTCS Ecosystem

menTCS Benefits Summary

menTCS Approach

IT Trends in Transportation

The use of digital technology has transformed the way modern railways work today. Safe train control and rail signaling are expected to play a key role in the overall railway computer infrastructure considerations, implying increasing demand for Safety Integrity Level standards up to SIL 4.

The governments of many countries have increased their safety standards in mass transit and freight transport and / or work on nationwide traffic regulation programs, e.g.:
» SIRF stage 2 (Germany)
» PTC – Positive Train Control (USA)
» ETCS – European Train Control System
» CTCS – Chinese Train Control System
» KLUB-U – Russian Train Control System

Mobility 4.0 – Ready for the Internet of Things

At a certain point, the safe computer infrastructure – both rolling stock and wayside – also needs to connect to the non-vital IT environment to exchange operation data, using a “vital-to-non-vital” gateway. (For non-vital train IT applications please see the menRDC – MEN Railway Data Center brochure under www.men.de/rdc)

Government-driven research and innovation programs like the European Shift2Rail (http://shift2rail.org) initiative and others are discussing safety issues such as:
» How should vital train computers connect to the whole train IT platform in order to increase efficiency and capacity of the whole rail traffic network?
» How would railway electronics be able to communicate with other connected devices in the IoT, guaranteeing security and safety between big data and cloud computing?
Open Computer Standards with SIL 4 Certificate

To meet the challenges of railway digitalization, computer systems need to be built around open standards – also and especially for all safety-related functions. This is the only way to make rail transport means for passengers and freight sustainably competitive and safe. The use of open computer systems is the appropriate approach to support the efforts of the national traffic regulation programs: ETCS in Europe, CTCS in China, PTC in North America, or KLUB-U in Russia.

menTCS is the first computer system ever in the history of the railway industry that is based on defined open standards for hardware, software and communication. Its modularity makes it configurable for every control function inside and outside the train – and scalable to any required safety level from SIL 2 up to SIL 4.

menTCS opens up the essential interfaces between the control electronics and the application. This is a major difference to existing solutions, which are proprietary with a fixed hardware/software configuration that is not accessible by the end user. Consequently, menTCS is the ideal EN 50155 and EN 50121-4 compliant computer platform for any kind of safety-related function up to SIL 4:
» CBTC (Communication Based Train Control)
» ATP (Automatic Train Protection)
» ATC (Automatic Train Control)
» ATS (Automatic Train Supervision)
» OBU (On Board Unit)
» EVC (European Vital Computer)
» RBC (Radio Block Center)
» CBI (Computer Based Interlocking)
» Level crossings

menTCS offers separation of the rail service from the electronic control system behind it. This unique feature allows railway system suppliers to concentrate on their core business. It also facilitates the market entry for small and medium-size companies. And it enables rail operators to become their own general contractor, keeping full transparency of their project at any time.
[Figure: menTCS in the railway system – ATP, OBU, CBTC, ATO, EVC (ETCS), ATS, Remote Control, RBC, Back Office]

Safety Compliance with EN 5012x

menTCS complies with the requirements of the EN 5012x family of railway standards developed by CENELEC, based on IEC 61508 (Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems):
» EN 50126: Railway Applications – The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
» EN 50128: Railway Applications – Communications, signaling and processing systems
» EN 50129: Railway Applications – Communications, signaling and processing systems – Safety related electronic systems for signaling

Safety-related menTCS components come with certification packages for the hardware and for the safe QNX operating system running on that hardware.

Environmental Compliance with EN 50155

menTCS complies with all environmental requirements of EN 50155 (Railway Applications – Electronic equipment used on rolling stock) for in-vehicle operation:
» Operating temperature: EN 50155 class T1, T2, T3, up to TX (–40 to +70 °C [10 minutes up to +85 °C] with qualified components)
» Storage temperature (cold): EN 50155 (–40 °C, 16 h)
» Humidity: EN 50155 (+55 °C / +25 °C, 2 × 24 h)
» Shock: EN 61373 Cat. 1 Class B (50 m/s², 30 ms)
» Vibration (function): EN 61373 Cat. 1 Class B (1.01 m/s², 5 Hz – 150 Hz)
» Vibration (lifetime): EN 61373 Cat. 1 Class B (5.72 m/s², 5 Hz – 150 Hz)
» EMC emission: EN 50121-3-2
» EMC immunity: EN 50121-3-2
» Electrical safety: EN 50155; EN 50153; EN 50124-1

menTCS also complies with the EMC regulations of EN 50121-4: Railway Applications – Electromagnetic compatibility (Emission and immunity of the signaling and telecommunications apparatus).

Long-Term Availability

Using an open system like menTCS means that the system itself no longer becomes obsolete under the classical definition of obsolescence.
This means that product obsolescence management is limited to single standardized parts of a train control system or interlocking system that can be replaced during maintenance of the running configuration. The application itself remains untouched – thus, discontinuation of individual electronic components will never again affect and endanger the complete train or wayside function.

If it becomes necessary to exchange such a standard electronic component – e.g., any of the computer boards because a supplier has discontinued an onboard component – this computer board will be replaced by another function-compatible board from the menTCS family. In case of any computer board obsolescence, MEN delivers a change effect analysis together with the redesign. This ensures that the effort for re-porting of the application as well as for a potential recertification will be reduced to a minimum.

For menTCS, MEN guarantees:
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time

menTCS System Architecture

Scalability and Modularity

menTCS is an application-ready platform, allowing the immediate start of the application development and giving the user complete control over the functionality of the whole system. menTCS consists of the safe controller, the safe I/O functions and the communication interfaces to the “outside” world.

menTCS is based on the modular 19” CompactPCI standard, making a scalable plug-and-play-like system configuration easy, enabling communication with other train functions like service or diagnosis, and supporting integration in existing train bus networks:
» Remote I/O boxes can be used to expand the central unit, interconnecting to sensors and actuators distributed along the train or wayside, thus being close to the controlled equipment.
» A system availability of 99.9999% is reached with two menTCS systems – an operating one and one in stand-by mode.
» The number and type of safe inputs and outputs can be tailored to the application requirements.
» Wired and wireless interfaces for Wi-Fi, 3G/4G and GPS can be implemented for vehicle-to-vehicle and vehicle-to-land communication.
» Fieldbus interfaces can be added to connect into other networks like MVB, CAN bus, Profinet etc.

menTCS is SIL 4 certifiable and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV SÜD, drastically reducing the time of the certification process.

menTCS separates the safe parts of the application from the non-vital parts, thus reducing the software certification effort. The non-vital communication and service functions run on standard Linux, guaranteeing that the system is open towards the external world. The safe application runs in a safe kernel of the QNX real-time operating system and can either be programmed directly in standard "C" language, using POSIX compliant APIs, or optionally with a safe PLC.

[Figure: Safe and Non-Vital Operating System on menTCS – safe user application (“C” or PLC) on the PACY framework over a safe operating system (QNX, PikeOS, VxWorks or Integrity), beside general purpose user software on Linux, both on the menTCS hardware]

Real-Time Ethernet Communication

The communication inside the menTCS system – between the safe menTCS controller, safe I/O boards and safe remote I/O boxes – is based completely on a safe, standard real-time Ethernet, using EtherCAT and FSoE (Fail Safe over EtherCAT). Thus, the application can treat all I/O functions in the same way.

All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable, the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring.
[Figure: Safe Real-Time Ethernet Communication with menTCS – the menTCS controller with its real-time Ethernet master connected in a ring to menTCS I/O boxes, each consisting of a bus coupler and I/O boards]

Safe menTCS Controller

The heart of the modular menTCS train control system family is the MH50C central controller, which delivers state-of-the-art computing performance based on x86 PC technology. The safe part consists of SIL-certified components, which can be extended by non-vital I/O functions without affecting the safety of the system. The MH50C can be wall or rack mounted and supports forced air cooling. It can be used as a standalone device and in combination with up to 63 remote I/O boxes.

The basic version of the MH50C consists of:
» One certifiable safe CPU board
» Up to six I/O boards:
  » Certifiable safe input and output boards, or
  » Interface boards to Ethernet, Wi-Fi, GPS, COMs, CAN, MVB etc., or
  » A combination of safe and non-vital I/O boards
» One PSU with Class 2 hold-up time with just one wide range power supply 14.4 to 154 V
» QNX safe real-time operating system
» Linux non-vital operating system
» SIL 4 certification packages by TÜV SÜD, one for the CPU board (with QNX) and one for the safe I/O boards

For smaller applications, one centralized and integrated processing and I/O system can already be sufficient to do the job. For large applications, the central MH50C unit can be scaled by extending the 19” enclosure or by distributed deployment using remote I/O boxes.

[Figure: Example Configuration of a MH50C Controller]

Safe menTCS Remote I/O Box

An extension of the menTCS system by remote I/O boxes becomes necessary if:
» The I/O functions required exceed the capabilities of the central MH50C controller.
» The actuators and sensors are located far away from the MH50C controller, requiring interconnected sensors and actuators close to the controlled equipment distributed along the train or wayside.

Each remote I/O unit of the menTCS family consists of:
» Up to 4, 6, or 8 certifiable safe I/O boards
» Real-time Ethernet interface with chassis configuration switch
» PSU with Class 2 hold-up time with just one wide range power supply 14.4 to 154 V
» SIL 4 certification package by TÜV SÜD for the safe I/O boards

The remote I/O boxes are based on 19“ technology, with a reduced depth to provide a compact, space-saving packaging. They can be either wall mounted or installed on DIN rail mechanics.

[Figure: Example Configuration of a KT8 Remote I/O Unit]

Safe menTCS CPU Component

menTCS CPU Board F75P

The central element of menTCS is the self-contained F75P safe CPU board, which uses 2oo2d voting. The F75P is a standard CompactPCI board that is designed to execute safety-critical applications as well as non-vital applications and which comes with its own dedicated SIL 4 certification package.

The safe CPU board F75P consists of:
» 3 Intel processors with
  » 2 redundant CPUs executing the safety logic
  » 1 CPU as general purpose and I/O communication processor
» Independent supervisors for each block
» Fail-safe board architecture
» Event logging with intelligent board management controller

In the standard configuration, and as such included in the certification packages, the two independent control processors run the safe deterministic QNX Neutrino real-time operating system, while the non-vital general purpose processor operates under Linux. Safe communication between the control processors and the safe I/O boards is assured by communication protocols developed according to EN 50159 (safety-related communication in transmission systems).

As an option, the F75P can also work with the safe real-time operating systems PikeOS, Integrity and VxWorks – even in a combination of different operating systems to support diversity in software on both kernels.

Safe menTCS I/O Components

menTCS I/O Boards K1, K2 and K7

The I/O boards of the menTCS system are self-contained, using 1oo1d architecture. A dedicated SIL 4 certification package is available for all I/O boards together. A single I/O board can be used to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4. This scalable approach reduces cost in case a lower SIL level is sufficient. Alternatively, two identical I/O boards can also be used to support hot stand-by in order to achieve availability when required for critical functions.

All I/O components connect via spring cage terminal blocks for fast installation thanks to reduced wiring. They are fully isolated and support the full voltage range from 14.4 to 154 V DC.

The range of safe I/O boards comprises the typical functions required for railway applications:
» K1 – 8 high-side switch outputs
» K2 – 16 binary inputs
» K7 – 8 low-side switch outputs

The safe menTCS I/O cards are designed to be used inside the MH50C controller as well as to configure the remote I/O boxes:
» MH50C accommodates up to 6 safe I/O cards
» KT8 accommodates up to 8 safe I/O cards

AAR Compliant menTCS Controller

menTCS AAR Controller MA50C

The MA50C central controller is the first member of the AAR sub-family of menTCS. It is functionally identical with the MH50C, using the same CPU and I/O boards, QNX and Linux operating systems, coming with the same SIL 4 certification packages and supporting the same remote I/O architecture. Mechanically, the system complies with the AAR Locomotive Electronics System Architecture Standard S-590 of the American Association of Railway Manufacturers, being based on the 6 MCU (Modular Concept Unit) form factor as an optimal size to host a single tower of standard 3U CompactPCI boards.

The MA50C is targeted primarily at the North American railway market and at railway markets in other countries where extremely robust hardware is needed or where electronic systems have to be provided in the standard AAR form factor. In dirty, humid and chemically harsh environments air cooling is simply not an option. Therefore all the boards inside the MA50C are conduction cooled and the enclosure is in accordance with the IP65/NEMA-4 standard.

Configuration of the MA50C

As the final configuration of the MA50C highly depends on the application requirements, the complete device is only available in a project context.

Standard components and specifications of MA50C:
» AAR 6 MCU core housing with
  » Conduction cooling capacity suitable for 100 W internal power dissipation
  » Power input connector
  » Shelf controller and control panel board
» menTCS SIL 4 CPU board F75P with conduction cooling frame
» Flexible power concept with wide range power supply
  » Input 14.4 to 154 VDC or 100 to 240 VAC
  » Cranking voltage range 20 to 130 VDC (nominal 74 VDC)
» Operating temperature
  » According to EN 50155 Class T2 (–40 to +70 °C)
  » Compliant with AAR standard S-9401
» Environmental conditions
  » According to AREMA 11.5.1 Class I, Class J

Device specific components of MA50C:
» Up to 5 vital and non-vital I/O boards with conduction cooling frame
» Backplane
» Front panel and I/O connectors

With its single components based on standard technologies, the MA50C offers fast time to market at an attractive cost. A flexible configuration of I/O functions with modular CompactPCI boards allows quick installation in the AAR housing. The removable front panel supports easy maintenance and access to the internal electronics.

Conduction Cooling

menTCS is based on the CompactPCI standard and as such also supports conduction cooling as an option, meaning that any menTCS board can be converted into a conduction-cooled one by embedding it into an individual aluminum frame. Conduction cooling transfers the heat out of the system by connecting this frame to the enclosure. By that measure the enclosure can also be made hermetically tight, and it gains particular mechanical stability.

IP65 Protection

In accordance with the IEC 60529 standard, the IP (International Protection) code classifies and rates the degree of protection against environmental impact. With the fulfillment of class IP65, the MA50C is completely tight against dust, and water jets from any direction have no harmful effects on the system.

MA50C Configuration Example

Option slots populated with safe I/O:
» 8 SIL 4 outputs (each using 2 pins)
» 16 SIL 4 inputs (each using 2 pins)
» 1 slot reserved for future use

[Figure: MA50C Configuration Example (Internal View) – F075C CPU board, option slots 1 to 5 populated with K001C (2×) and K002C (2×) safe I/O boards, F305C real-time Ethernet board and PU20C PSU]

menTCS Configuration Examples

menTCS System Controller

MH50C Configuration Example 1
Option slots populated with safe I/O:
» 8 digital outputs, SIL 4 (each using 2 pins)
» 16 digital inputs, SIL 4 (each using 2 pins)

MH50C Configuration Example 2
Option slots populated with safe I/O:
» 8 digital outputs, SIL 2
» 16 digital inputs, SIL 2
» MVB master
» 2 slots reserved for future use

This configuration targets SIL 2 safe I/O applications: each safe I/O card is only assembled once. Both configuration examples are based on the “barebone configuration”, which includes the safe F75P CPU board, a real-time Ethernet card connecting distributed safe I/O, a wide-range PSU and system supervision.

menTCS Remote I/O Boxes

Configuration of a remote I/O box with eight I/O cards:
» 8 SIL 4 outputs (each using 2 pins) + 8 SIL 2 outputs
» 16 SIL 4 inputs (each using 2 pins) + 16 SIL 2 inputs

Configuration of a remote I/O box with four I/O cards:
» 8 SIL 4 outputs (each using 2 pins)
» 16 SIL 2 inputs
menTCS System Controller in Combination with Remote I/O Boxes

menTCS as ETCS Computer

Full 19“ system consisting of:
» Safe CPU board F75P
» Safe I/O boards
  » Digital inputs, SIL 4
  » Digital outputs, SIL 4
» Non-vital I/O boards – to the right of F75P
  » Uplink switch and storage shuttle
» Non-vital I/O boards – to the left of F75P
  » Ethernet connection to safe I/O boards
  » UART interfaces
  » MVB and Profibus interfaces

[Figure: menTCS as ETCS Computer – menTCS controller connected to three menTCS remote I/O boxes]

menTCS Software Architecture

Separation between Safe and Non-Vital Domains

The menTCS software distinguishes between the safe and the non-vital domain in order to save cost and time for application development and certification. This separation allows non-vital applications to be developed separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.

Safe Application Interface

As menTCS is an open general-purpose hardware platform for different kinds of safe applications, the software programmer needs an interface to get full access to the control electronics. The PACY safety I/O framework provides easy and modular access to the safe I/O boards. PACY also includes a safe communication layer crossing the black channel.

[Figure: Separation between Safe and Non-Vital Domains – Control Processor Domain 1 and Control Processor Domain 2, each with RAM disk, debug server and the user’s safety application]

In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the black channel approach is applied. The requirements to transport safe data over untrusted communication are defined by EN 50159 and realized using the FSoE safe communication protocol (Fail Safe over EtherCAT).
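What a safety communication layer has to check before process data arriving over the black channel is trusted, as an added example that is not MEN's PACY or FSoE code: a constructed telegram carrying four of the defences EN 50159 lists (source and destination identifier, sequence number, time stamp, safety code) and the receiver logic that rejects corrupted, masqueraded, repeated and delayed telegrams. Field sizes, node identifiers, the CRC-16 used as safety code and the timing values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Safety telegram that wraps process data before it enters the black channel.
 * The fields mirror the EN 50159 defence list (source/destination identifier,
 * sequence number, time stamp, safety code). The layout is illustrative and is
 * NOT the FSoE frame format. */
typedef struct {
    uint16_t src_id;
    uint16_t dst_id;
    uint32_t seq;         /* incremented by the sender for every telegram */
    uint32_t timestamp;   /* sender time in ms */
    uint8_t  payload[8];  /* process data, e.g. one input image */
    uint16_t crc;         /* safety code over all fields above */
} safety_telegram_t;

typedef enum {
    TG_OK = 0,
    TG_CORRUPTED,   /* safety code mismatch: corruption in the channel */
    TG_MASQUERADE,  /* identifier mismatch: telegram from/for another node */
    TG_REPEATED,    /* sequence not newer than last accepted: repetition/resequencing */
    TG_DELAYED      /* time stamp older than the permitted age */
} tg_verdict_t;

/* Receiver-side state of one logical connection. */
typedef struct {
    uint16_t expected_src;
    uint16_t own_id;
    uint32_t last_seq;    /* highest accepted sequence number */
    uint32_t max_age_ms;  /* permitted transmission delay */
} rx_channel_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), used here as a simple safety code. */
uint16_t crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Safety code over the struct bytes in front of the crc field. This is only
 * valid because sender and receiver run in the same process here; a real
 * protocol serializes the fields in a fixed byte order instead. */
static uint16_t telegram_crc(const safety_telegram_t *t) {
    return crc16((const uint8_t *)t, offsetof(safety_telegram_t, crc));
}

/* Sender side: stamp the process data and append the safety code. */
void tg_build(safety_telegram_t *t, uint16_t src, uint16_t dst, uint32_t seq,
              uint32_t now_ms, const uint8_t payload[8]) {
    memset(t, 0, sizeof *t);          /* zero padding so the CRC is reproducible */
    t->src_id = src;
    t->dst_id = dst;
    t->seq = seq;
    t->timestamp = now_ms;
    memcpy(t->payload, payload, 8);
    t->crc = telegram_crc(t);
}

/* Receiver side: apply the defences in order. Only an accepted telegram
 * advances the sequence window; a rejected one leaves the state untouched,
 * so the application keeps (or falls back to) its safe default. */
tg_verdict_t tg_check(rx_channel_t *ch, const safety_telegram_t *t, uint32_t now_ms) {
    if (telegram_crc(t) != t->crc)
        return TG_CORRUPTED;
    if (t->src_id != ch->expected_src || t->dst_id != ch->own_id)
        return TG_MASQUERADE;
    if (t->seq <= ch->last_seq)
        return TG_REPEATED;
    if (now_ms - t->timestamp > ch->max_age_ms)   /* unsigned: a future stamp also fails */
        return TG_DELAYED;
    ch->last_seq = t->seq;
    return TG_OK;
}

int main(void) {
    /* Constructed scenario: controller 0x0A01 sends two telegrams to I/O node
     * 0x0B02 with a 50 ms age limit; the second telegram is then replayed. */
    rx_channel_t ch = { 0x0A01, 0x0B02, 0, 50 };
    uint8_t pd[8] = { 0xA5, 0, 0, 0, 0, 0, 0, 0 };
    safety_telegram_t t;
    tg_build(&t, 0x0A01, 0x0B02, 1, 1000, pd);
    printf("telegram 1: verdict %d\n", tg_check(&ch, &t, 1010));
    tg_build(&t, 0x0A01, 0x0B02, 2, 1020, pd);
    printf("telegram 2: verdict %d\n", tg_check(&ch, &t, 1030));
    printf("telegram 2 replayed: verdict %d\n", tg_check(&ch, &t, 1040));
    return 0;
}
```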
[Figure: menTCS Middleware Overview – safe domain on the CPU board (user safety application, safety communication layer with compare, safety I/O framework PACY, safe QNX/safe BSP with QNX microkernel, watchdog, reset, startup flow, built-in tests, shared memory and CP1/CP2 synchronization via shared RAM), communicating through shared RAM and virtual Ethernet with the I/O domain on Linux (soft real-time: “unsafe” application, diagnosis and services, black channel driver, Berkeley sockets, IP stack, network servers such as telnetd and ftpd, external interfaces), and via safe communication with the safe domain on the I/O board (PACY I/O safety layer, safety communication layer, process/status data)]

Safe Operating Systems

Without being influenced by non-vital applications, the safe applications are executed on two separate redundant control processors. Integrity tests ensuring the safe operation of each safe processor are provided by the safe operating system. This architecture allows safe applications to be developed on a menTCS platform in combination with all market relevant safe operating systems, such as QNX, PikeOS, VxWorks, or Integrity.

Together with QNX, the menTCS CPU and I/O components come with pre-certified SIL 4 hardware/software bundles, accelerating time to market even further. In fact, the QNX “Neutrino” microkernel provides important safety-relevant features like memory protection, interprocess communication, or deterministic scheduling. It protects user processes from each other, so that processes can also have different SIL levels. QNX Neutrino is open to the usage of standard driver software and middleware.
PACY I/O Framework

PACY is a process data application framework that makes the menTCS hardware transparent for the application. It handles the communication between the CPU, together with custom-specific application software, and the safe I/O cards. Being a transparent abstraction layer, PACY takes care of the execution of the application’s commands, providing an API for "C" language programming. Developers can control the I/O through "C" language variables independently of the kind of I/Os that need to be controlled.

As a module-based framework PACY opens up all interfaces from the application to the hardware. This allows a flexible extension by individual, custom-specific modules. The FSoE protocol (Fail Safe over EtherCAT) integrated in PACY is responsible for the safe data transmission and protection of what is called the Black Channel. A SIL 4 certification according to EN 50128 will also be available for PACY, including the corresponding documents. PACY is configured by a configuration tool that allows the same application to run using different menTCS I/O boards.

[Figure: PACY Operating Principle – on each control processor the customer safety application accesses PACY process data variables on safe QNX and BSP (scheduling, process separation, process communication, integrity checks, networking); PACY configuration data; FSoE connections via the EtherCAT master on the IOP to the real-time Ethernet and to the K1 boards]

Synchronization Service Functions

The synchronization and comparison service function ensures that both safe processors use the same input data and verifies that the calculated output data is the same. Additionally, the application can use this service for temporal logical monitoring of the application program as required by EN 50129 for SIL 3 or 4 applications. The following figure shows a representative safety application which is using sync services to synchronize the execution of the redundant architecture of the two control processors.

[Figure: Synchronization of Control Processors 1 and 2 – per cycle on both control processors: wait for next cycle to begin, SYNC TIME (1), get inputs, SYNC (2), COMPARE (3), SYNC (4), execute application logic, SYNC (5), SYNC (6), COMPARE (7); then control processor 1 writes outputs part A and control processor 2 writes outputs part B, using the SYNC and exchange functions]

Synchronized Communication Service Functions

External systems communicating with the safe menTCS controllers via Ethernet using UDP or TCP see both processors as “one instance” using MEN’s Y-COM service functions. Incoming frames are distributed to both safe domain processors by the Y-COM server running on the non-vital processor, whereas outbound frames are synchronized between both safe domain processors. The payload is mixed, meaning that each safe CPU generates a part of the outbound transmit frame, and the Y-COM server on the non-vital processor sends this frame to the external system.

Non-Vital Operating System: Linux on menTCS

While the safe applications are executed on two separate redundant control processors, a third processor controls all non-vital applications. The operating system running on this third processor can be Linux or any of the known real-time operating systems. Being an open standard hardware platform, menTCS ideally uses Linux as the operating system, based completely on open source technology. Linux is free, and is supported by a broad, community driven product offering. Installation of applications is as easy as changing options, and it comes with security features.
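The synchronization and comparison cycle described above, as an added simulation that is not MEN's PACY sync service: the two control processor images are compared after input acquisition and again after the application logic, any mismatch latches the safe state, and the output image is written half by CP1 and half by CP2. The application logic, the I/O sizes (taken from the K2 and K1 boards) and the fault-injection parameter are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes follow the menTCS I/O boards described on this page:
 * a K2 board has 16 binary inputs, a K1 board 8 high-side switch outputs. */
#define N_IN  16
#define N_OUT  8

/* Image memory of one control processor (CP1 or CP2). */
typedef struct {
    uint8_t inputs[N_IN];
    uint8_t outputs[N_OUT];
} cp_t;

/* The redundant pair plus the latched safe-state flag. */
typedef struct {
    cp_t cp1, cp2;
    bool safe_state;      /* latched: once set, no outputs are written until reset */
    uint32_t cycles_ok;   /* completed cycles, for diagnostics */
} cp_pair_t;

/* Constructed application logic (hypothetical, not an interlocking rule):
 * output k is energised only when inputs 2k and 2k+1 both report "set".
 * Both processors execute exactly this function on their own input image. */
static void app_logic(const uint8_t in[N_IN], uint8_t out[N_OUT]) {
    for (int k = 0; k < N_OUT; k++)
        out[k] = (in[2 * k] && in[2 * k + 1]) ? 1 : 0;
}

/* Safe reaction: de-energise the output image and latch the safe state. */
static void enter_safe_state(cp_pair_t *sys, uint8_t written[N_OUT]) {
    memset(written, 0, N_OUT);
    sys->safe_state = true;
}

void cp_pair_init(cp_pair_t *sys) {
    memset(sys, 0, sizeof *sys);
}

/* Clear the latched safe state (e.g. after diagnosis and restart). */
void cp_pair_reset(cp_pair_t *sys) {
    sys->safe_state = false;
}

/* One application cycle in the order of the synchronization figure:
 *   (1) both processors read their inputs
 *   (2)-(4) SYNC: the input images are exchanged and compared
 *   (5)(6) both execute the application logic
 *   (7) COMPARE: the output images are compared
 *   then CP1 writes output part A and CP2 writes output part B.
 * raw1/raw2 are the input images each processor sampled. cp2_fault_mask
 * simulates a corrupted output image on CP2 (test hook, zero in normal use).
 * Returns true if outputs were written, false if the pair is in the safe state. */
bool cp_pair_cycle(cp_pair_t *sys, const uint8_t raw1[N_IN], const uint8_t raw2[N_IN],
                   uint8_t cp2_fault_mask, uint8_t written[N_OUT]) {
    if (sys->safe_state) {                 /* stay de-energised while latched */
        memset(written, 0, N_OUT);
        return false;
    }
    memcpy(sys->cp1.inputs, raw1, N_IN);   /* (1) get inputs */
    memcpy(sys->cp2.inputs, raw2, N_IN);

    /* (2)-(4) SYNC and COMPARE of the input images: a single disagreeing
     * input (e.g. one processor read a stale sample) is a detected fault. */
    if (memcmp(sys->cp1.inputs, sys->cp2.inputs, N_IN) != 0) {
        enter_safe_state(sys, written);
        return false;
    }
    app_logic(sys->cp1.inputs, sys->cp1.outputs);   /* (5) */
    app_logic(sys->cp2.inputs, sys->cp2.outputs);   /* (6) */
    for (int k = 0; k < N_OUT; k++)                 /* simulated memory fault on CP2 */
        sys->cp2.outputs[k] ^= (cp2_fault_mask >> k) & 1;

    /* (7) COMPARE of the output images */
    if (memcmp(sys->cp1.outputs, sys->cp2.outputs, N_OUT) != 0) {
        enter_safe_state(sys, written);
        return false;
    }
    /* Mixed write: part A (outputs 0..3) from CP1, part B (4..7) from CP2,
     * so neither processor alone drives the complete output image. */
    memcpy(written, sys->cp1.outputs, N_OUT / 2);
    memcpy(written + N_OUT / 2, sys->cp2.outputs + N_OUT / 2, N_OUT / 2);
    sys->cycles_ok++;
    return true;
}

int main(void) {
    cp_pair_t sys;
    uint8_t out[N_OUT];
    uint8_t in[N_IN] = {1,1, 0,1, 1,1, 0,0, 1,1, 1,1, 0,1, 1,1}; /* constructed sample */
    cp_pair_init(&sys);
    bool ok = cp_pair_cycle(&sys, in, in, 0, out);
    printf("cycle %s, outputs:", ok ? "ok" : "SAFE STATE");
    for (int k = 0; k < N_OUT; k++) printf(" %u", out[k]);
    printf("\n");
    return 0;
}
```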
[Figure: Y-COM Communication – on the F75P, the safety applications on the two control processors each use the Y-COM API library over the safety protocol; the Y-COM servers on both control processors communicate via internal Ethernet with the Y-COM server on the IOP under Linux, which talks to the external system over Ethernet using UDP or TCP]

Development Tools

As a general-purpose system being open to the final application, menTCS also supports a multitude of third-party development tools. Generally, C-code generating tools like SCADE or MATLAB/Simulink can be used to implement the application running on the safe processors. Other development tools that have already been tested with menTCS include the Prover iLock suite, which automates development of computerized interlocking systems, or the safe soft PLC FlexiSafe from infoteam, which is used for implementations based on PLC languages according to IEC 61131-3.

A new tool provided by MEN itself for the development of safe applications is the menTCS configurator (in preparation). The menTCS configurator simplifies the definition of any menTCS architecture by abstracting the I/O topology, thus making the application program independent of the I/O topology. The advantage of this tool is that – in case the safe application must run on different I/O configurations – a recompilation of the application for each of the configurations is not necessary.

Another tool from MEN for the development of non-vital applications under Linux is a package for the Yocto Project™ development environment, including all relevant components to interact with menTCS.
menTCS SIL 4 Component Certification

TÜV Certificates for the Hardware together with QNX

menTCS is SIL 4 certifiable according to EN 5012x and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV SÜD (German Technical Inspection Agency), drastically reducing the duration of the certification process. As menTCS consists of a CPU board and a number of different I/O functions (boards) yet to be configured to the final application, the certification packages are divided as well:
» 1 package for the redundant control processors of the F75P safe CPU board with QNX
» 1 basic package for the complete safe I/O board portfolio for QNX plus I/O board specific packages

Beside the hardware/software bundle the certification packages include:
» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD
» A number of support hours

Safe menTCS / QNX Bundle with SIL 4 Certification Packages

Pre-certification of the menTCS hardware together with the QNX software has significant advantages:
» Saves time – no need to get an own safe BSP (or drivers) developed
» Saves cost – just purchase certification packages from MEN and QNX licenses from QNX
» Reduces risk – the QNX BSP comes together with the certification package from MEN

[Figure: Shared Delivery of Components and Services – menTCS hardware certification packages and menTCS software certification packages (per company, per project, per board), support plan, QNX OS for Safety license and runtime fee, customer]

TÜV Certificates for the Hardware without Operating System

In case that QNX is not the operating system of choice for the application, the certification packages for the F75P CPU board and the separate one for the I/O boards are also available without a board support package or driver software. A menTCS hardware SIL 4 certification package for just the hardware also includes:
» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD
» A number of support hours

menTCS Application Areas

[Figure: Covering all Vital Train and Wayside Applications with menTCS – menTCS controller and menTCS remote I/O linked by Ethernet, train bus (MVB, CAN) and I/O bus (CAN, Profibus) to gear control, fuel control, wheelslip control, driver display, driver cab controls/indicators, brakes, and valves, relays, sensors…]

Rolling Stock

menTCS is well suited for control of all safety-related functions in new train models as well as for refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation functions in combination with other parts of already existing train control equipment as well.

menTCS enables:
» Installation as the heart of the CBTC (Communication Based Train Control) system or the TCMS (Train Control Management System) for new trains
» Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
» Step-by-step replacement of older equipment, resulting in one standardized general-purpose platform for all safe applications
» Remote control sitting directly at the door, at the wheel, at the gear
» All-in-one safe control system and non-vital communication system – safely separated through strict partitioning
» Interfacing to all existing train communication with Ethernet and MVB, CAN bus etc.
» Interfacing to the driver cab display
» Interfacing to wireless communication with the outside world through GSM-R, GPS, Wi-Fi etc.
» Decrease in life cycle cost through easy maintenance of standard components
» Longer operating life by using standardized technologies
» Reduction of dependence on single suppliers, resulting in a growing service offer

menTCS example application: ETCS EVC system, providing
» GSM-R communication
» ETCS application computer
» Fieldbus interfaces to other ETCS equipment (MVB, Profibus)
» Real-time Ethernet interfaces to train functions
» Control of train functions realized with a remote I/O unit

[Figure: menTCS as ETCS On Board Unit (OBU) – menTCS connected to the Control Center via GSM-R, to the EuroBalise via the balise interface, to other ETCS equipment via MVB and Profibus, and via Ethernet to the Remote I/O and the Train Interfaces]

Wayside

menTCS is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train management, and wayside devices such as switches, signals or level crossings. Being a modular platform, it can be used in new interlocking systems as well as for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer. menTCS enables:

» Introduction of ETCS L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Increase in performance of the interlocking systems
» Low cabling cost thanks to standardized Ethernet technology
» Avoidance of the costly total replacement by CBIs (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the expansion of total capacities
» Decrease in life cycle cost through easy maintenance of standard components
» Reduction of dependence on single suppliers, resulting in a growing service offer

menTCS Ecosystem

menTCS is a general purpose platform for safe train and wayside functions based on standard technologies – and as such open to the features and requirements of the final application. Several packages and services around menTCS help the customer to save cost and speed up time-to-market.

[Figure: menTCS ecosystem – Application Development for Safe Applications (PACY Safe I/O Framework on the Vital Operating System) and General Purpose Applications (Yocto Project development on the Non-Vital Operating System), both on top of the menTCS Train Control System]

As an embedded systems solution provider to the railway industry, MEN delivers especially computer hardware with adapted BSPs and drivers:
» menTCS hardware installation in a modular configuration tailored to the application
» QNX safe operating system and turnkey Linux
» SIL 4 certification documents

Understanding the requirements of the application programmer, MEN delivers middleware and tools:
» PACY safe I/O framework and service functions
» Non-vital service and configuration tools

Understanding the requirements of the final use case, MEN provides consultancy and recommends approved partner products:
» MEN product support, training and in-depth documentation
» Safe soft PLC (IEC 61131-3 system) under QNX functionality from infoteam
» Tool suite for development of computerized interlocking systems from Prover
» In-house approved design tools like SCADE, Yocto Project™

menTCS example application: New CBI system for railway and metro stations
» One CBI per station, requiring SIL 4
» Dual MH50C system, one in hot stand-by
» Each MH50C to control 1500 digital inputs and 600 digital outputs

[Figure: menTCS as Interlocking Computer (CBI) – Control Logic and Centralized Traffic Control above a redundant CBI, with Remote I/O driving relays, actors and sensors]

menTCS Benefits Summary

Open Safe Platform – Different safety functions with different SIL levels on one platform
» Processor redundancy: Provides safety by means of 2 control processors on a single CPU board
» Main controller with Intel CPU board architecture: Safety execution with 2 redundant processors; 1 general purpose processor; independent supervisors for each block
» Safe API (Application Interface): POSIX compliant; "C" programming language
» QNX real-time operating system: Partitioning of the application for different safety levels
» SIL 4 from the beginning: No workarounds or compromises necessary
» Same platform for wayside and rolling stock: Reduces learning efforts

Open Hardware – Reduces hardware cost and obsolescence risk
» Standard PC hardware architecture: State-of-the-art x86 host controller
» Safe modular I/O: Covers all application-specific requirements
» 3U 19" CompactPCI: Robust industry-proven backplane and computer board standard
» I/O with spring-cage terminal blocks: Makes connection easy and reduces cabling
» 14.4 to 154 V DC wide-range PSU: International railway compliance with just one device
» Remote I/O boxes: Provides less cabling, improved signal quality and a huge number of I/Os

Open Non-Vital Extension
» Linux operating system: Standard open source software interfaces
» Use of open standards: Independence from single supplier, small learning curve
» Development of non-vital functions in standard software environment: Flexible and easy installation of applications
» menTCS family concept: Future-proof computer solution providing the same functionality without limitation in time

Standards Compliance
» EN 50155 & EN 50121-4: Fully proven for rolling-stock and wayside railway environments
» EN 50126/128/129 (based on IEC 61508): Developed for functional safety from SIL 0 to SIL 4
» SIL 4 certification packages with TÜV SÜD certificate: Modular hardware/software packages make certification of the final application easy and fast
» Pre-certified hardware and software compliant to railway standards: Low certification risk, fast time-to-market, customer can concentrate on the application

Open Communication
» Ethernet communication: Makes use of standard cabling and line interfaces, connects easily to standard devices; connects main control system and remote I/O boxes
» Real-time Ethernet communication: Guarantees deterministic behavior on a standard communication protocol
» EtherCAT based I/O with safety layer FSoE: Safe, fast and deterministic I/O
» Railway fieldbusses: Connection to existing train networks and devices via MVB, CAN, Profinet, etc.
» Wi-Fi, radio, GPS, RS485: Connection to all popular in-vehicle and external communication interfaces
» Open communication extensions: Integration of menTCS in any existing railway application

Services
» Long-term availability: Delivery of identical menTCS boards per project: 10 years; technical support per project: 25 years; delivery of menTCS functionality: unlimited in time
» Life-cycle management: Secures overall operability of the application when single components need to be substituted
» Expertise in embedded railway solutions: Development and environmental test services; worldwide sales support and consultancy; evaluating and understanding the application
» No proprietary end application: The application is the customer's value add to differentiate from other market players

Your Project? Rely on us!

MEN is a member of:
» AMD Fusion Partner Program
» ARINC (Aeronautical Radio Incorporated)
» bavAIRia (Cluster for innovative aerospace technology in Bavaria)
» CAN in Automation
» CNA (Center for Transportation & Logistics Neuer Adler e.V.)
» NXP Design Alliance
» Intel® IoT Solutions Alliance
» Open Source Automation Development Lab (OSADL)
» PCI-SIG (Peripheral Component Interconnect Special Interest Group)
» PICMG (PCI Industrial Computer Manufacturers Group)
» UNIFE (Union des Industries Ferroviaires Européennes)
» USB-IF (Universal Serial Bus Implementers Forum, Inc.)
» VITA (VMEbus International Trade Association)
» Wind River Partner Eco System

Issue 4.0, September 2017
Copyright © MEN Mikro Elektronik GmbH. All rights reserved.
www.men.de | www.men-france.fr | www.menmicro.com | www.men-china.cn