MTCS – Modular Train Control System
SIL 4 Railway Computer for Rolling Stock and Wayside Applications
In Accordance with:
EN 50155, EN 50121-4, EN 50129, EN 50126, EN 50128
The MTCS Approach (page 4)
» MTCS – Modular Train Control System
» Safety Compliance with EN 5012x
» Environmental Compliance with EN 50155
» Long-Term Availability
MTCS Architecture (page 8)
» Safe MTCS Controller
» Safe MTCS Remote I/O Box
» Safe MTCS CPU Component
» Safe MTCS I/O Components
» MTCS Configuration Examples
» Safe MTCS Real-Time Ethernet Topology
» MTCS Software Architecture
» MTCS Safety Guaranteed by TÜV Certificate
MTCS Application Areas (page 18)
» Rolling Stock
» Wayside
MTCS Benefits Summary (page 20)
The governments of many countries have increased their safety standards in mass transit and freight transport and / or work on nationwide traffic regulation programs, e.g.:
» SIRF stage 2 (Germany)
» PTC – Positive Train Control (USA)
» ETCS – European Train Control System
» CTCS – Chinese Train Control System
» KLUB-U – Russian Train Control System
The MTCS Approach
MTCS is an open and modular railway computer platform based exclusively on standard hardware and software. It is certifiable up to SIL 4 in all its single parts and complies completely with the EN 50155 and EN 50121-4 railway standards.
MTCS is designed to operate in rolling-stock applications such as Automatic Train Control (ATO) and Automatic Train Protection (ATP) as well as in wayside applications like interlocking systems.
MTCS consists of the safe controller, the safe I/O functions and the communication interfaces to the “outside” world.
The final safety level of MTCS is scalable and as such solely determined by the application requirements – resulting in an optimum price / performance.
MTCS – Modular Train Control System
MTCS is the first computer system ever in the history of the railway industry that separates the control electronics – the computer hardware – from the real control function – the application software.
Unlike existing solutions that are proprietary and show a fixed hardware/software configuration which is closed to the access of the end user, MTCS opens up the essential interfaces between the control electronics and the application.
MTCS is therefore the first and only railway computer that is based on defined open standards for hardware, software and communication. Its modularity makes it configurable for every control function inside and outside the train – and scalable to any required SIL level.
MTCS comes with certification packages from TÜV Süd, drastically reducing the time of the certification process.
The SIL 4 certifiable and real-time capable kernel supports the partitioning of the application dependent on the required safety level, thus reducing the software development effort.
The “non-safe” and Linux based part for communication and service is completely separated. It guarantees that the system is open towards the external world.
The data transfer of the inputs and outputs is realized via a safe real-time Ethernet. Based again on an industry standard, also the safety of the I/O communication is proven by TÜV Süd.
Being a totally open platform concerning software and hardware, MTCS is the first and only railway computer that offers a separation of the rail service from the electronic control system behind.
This unique feature allows railway system suppliers to concentrate on their core business. It also facilitates the market entry for small and medium-size companies. And it enables rail operators to become their own general contractor, keeping full transparency of their project at any time.
Safety Compliance with EN 5012x
MTCS complies with the requirements of the EN 5012x family of railway standards developed by CENELEC, based on IEC 61508 (Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems):
» EN 50126: Railway Applications – The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
» EN 50128: Railway Applications – Communications, signaling and processing systems
» EN 50129: Railway Applications – Communications, signaling and processing systems – Safety related electronic systems for signaling
MTCS components come with SIL 4 certification packages for the hardware, with complete support for the safe operating system QNX® (PikeOS on request), including safe protocols, CST layer, I/O transfer layer etc.
Environmental Compliance with EN 50155
MTCS complies with all environmental requirements of EN 50155 (Railway Applications – Electronic equipment used on rolling stock) for in-vehicle operation:
» Operating temperature class Tx: −40 to +70 °C (10 minutes up to +85 °C) with qualified components
» Shock: 50 m/s², 30 ms (EN 50155 (12.2.11) / EN 61373)
» Vibration (function): 1 m/s², 5 Hz – 150 Hz (EN 50155 (12.2.11) / EN 61373)
» Vibration (lifetime): 7.9 m/s², 5 Hz – 150 Hz (EN 50155 (12.2.11) / EN 61373)
» Humidity, dust: conformal coating
» PSU class 2 hold-up times with just one wide range PSU 14.4 to 154 V
» 14.4 to 154 V also supported by I/O components
» EMC regulations:
  » EN 50121-3-2 (tables 5 and 6) / EN 55011 (radio disturbance)
  » EN 50121-3-2 (table 9) / IEC 61000-4-6 (ESD)
  » EN 50121-3-2 (table 9) / IEC 61000-4-3 (electromagnetic field immunity)
  » EN 50121-3-2 (table 8) / IEC 61000-4-4 (burst)
  » EN 50121-3-2 (table 8) / IEC 61000-4-6 (conducted disturbances)
MTCS also complies with the EMC regulations of EN 50121-4: Railway Applications – Electromagnetic compatibility (Emission and immunity of the signaling and telecommunications apparatus).
Long-Term Availability
MEN guarantees long-term availability of all parts of the MTCS for a minimum period of 10 years.
After this period it might happen that single chips or electronic components are made obsolete by one of our suppliers. In the worst case, this might result in the exchange of one or the other board in the MTCS system. As all these boards are standards-based, the application itself will remain untouched to a great extent.
If it becomes necessary to exchange such a standard board, MEN delivers a change effect analysis together with the redesign. This ensures that the effort for re-porting of the application as well as for a potential re-certification will be reduced to a minimum.
Using an open system like MTCS means that product obsolescence management can be limited to single standardized parts of a train control system or interlocking system. It will never again affect and endanger the complete train or wayside function.
Figure: MTCS software stack – on the MTCS hardware, Linux runs the general purpose user software, while QNX runs the safe user application, written in “C”, as Soft PLC or modelled with ANSYS SCADE.
MTCS Architecture
The communication inside the MTCS system – between the safe MTCS controller, safe I/O boards and safe remote I/O boxes – is based exclusively on a safe standard real-time Ethernet.
Its modular configuration enables the MTCS system to communicate with other train systems like service or diagnosis units via any type of wired or wireless interface. Additionally, fieldbus interfaces can be implemented to connect into other networks like MVB, CAN, Profinet etc. This makes it easy to integrate into a TCN network as well as into regionally different Train Control Systems like PTC, ETCS, CTCS, ATCS or Klub-U.
MTCS is an application-ready platform, allowing the immediate start of the application development and giving the user complete control over the functionality of the whole system. While the “unsafe” part of the application runs under a Linux operating system, the safe part of the application runs in a safe kernel of the real-time operating system QNX. The safe application can either be directly programmed with the Posix standard “C” language or optionally with the Flexisafe safe PLC.
MTCS is SIL 4 certifiable and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV Süd.
» The high level of modularity of the hardware and the software of the MTCS system allows MTCS to be used as the sole platform for a multitude of varying rail applications.
» As the whole MTCS system is based on standards, the life-cycle cost of each rail project can also be drastically reduced.
» The pre-certification of the MTCS hardware and software results in significant cost and time savings during computerization of the train, whether a vehicle is new or is being refurbished.
The heart of the MEN Train Control System is the MTCS controller which delivers state-of-the art computing performance based on x86 PC technology. The MTCS controller consists of a safe part and what is called an “unsafe” (general purpose) part. The MTCS controller can be used as a standalone device and in combination with up to 63 remote I/O boxes.
Safe MTCS Controller
The MH50C MTCS controller supports a modular built-to-order configuration and consists of:
» Certifiable safe CPU board with local redundancy
» Up to 6 I/O boards:
  » Either certifiable safe I/O boards
  » Or interface boards to Ethernet, WiFi, GPS, COMs, CAN, MVB etc.
  » Or a combination of both
» 14.4 to 154 V DC wide-range voltage supply
» QNX® safe real-time operating system
» Linux “unsafe” operating system
» SIL 4 certification packages by TÜV Süd
To raise availability of the safe MTCS system, the functionality of two MTCS controllers can be clustered in one enclosure.
MH50C comes in a compact half 19" housing based on the established CompactPCI standard. The CPU board and I/O boards comply with the robust 3U Eurocard format. The system can be wall or rack mounted and supports forced air cooling.
Safe MTCS Remote I/O Box
An extension of the MTCS system by remote I/O boxes (KT4, KT6, KT8) becomes necessary if:
» The I/O functions required exceed the capabilities of the MTCS controller
» The actors and sensors are located far away from the MTCS controller
Each MTCS remote I/O box consists of:
» Up to 4, 6, or 8 certifiable safe I/O boards
» Real-time Ethernet interface with chassis configuration switch
» 14.4 to 154 V DC wide-range PSU
» Certification packages by TÜV Süd for the safe I/O
The remote I/O boxes are based on 19" technology, with a reduced depth of less than 160 mm to provide a compact space-saving packaging. They can be either wall mounted or installed on DIN rail mechanics.
Safe MTCS CPU Component
The central element of MTCS is the safe CPU board F75P, a standard CompactPCI board that is designed to execute safety-critical applications as well as “unsafe” applications and comes with a dedicated certification package:
» 2 redundant Intel® processors to execute safety logic
» 3rd Intel® CPU as general purpose and I/O communication processor
» Independent supervisors for each block
» Fail-safe and fail-silent board architecture
» Hot or cold stand-by
» Clustering of two F75P to raise availability
» Event logging with intelligent board management controller
In the MTCS standard configuration and as such included in the certification packages available, the two independent control processors run the safe deterministic real-time operating system QNX Neutrino, while the “unsafe” general purpose processor operates under Linux.
Other MTCS configurations can also work with safe real-time operating systems such as PikeOS, Integrity or VxWorks – even in a combination of different safe operating systems to support optional diversity in software on both kernels.
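The fail-silent behaviour of two redundant control processors with an independent supervisor, as described above, can be illustrated with a small 2-out-of-2 comparator. The following C code is an added example written for this page; it is not MEN's firmware and does not reflect how the F75P supervisors are actually implemented. The lane function, the heartbeat scheme and all names (`LaneOutput`, `Voter`, `vote_2oo2`) are illustrative assumptions.

```c
/* Added example (not MEN's code): a 2-out-of-2 comparator in the style of the
 * F75P description. Two redundant lanes compute the same command from the same
 * input; an independent supervisor releases the output only when both lanes
 * are alive and agree. Otherwise the output stays silent (de-energized) and
 * latches until an explicit reset, i.e. the board "provides the correct
 * service or remains silent". All names and values here are assumptions. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t cmd;        /* command the lane wants to put on the output */
    uint32_t heartbeat;  /* must advance every cycle; proves the lane is alive */
} LaneOutput;

typedef struct {
    int      energized;  /* 0 = fail-silent: no command is released */
    uint32_t cmd;        /* released command, valid only when energized */
} SafeOutput;

typedef struct {
    uint32_t last_hb[2]; /* last heartbeat seen from lane 0 and lane 1 */
    int      silent;     /* latched fail-silent state */
} Voter;

/* Illustrative control function; both lanes run the same logic. */
uint32_t lane_compute(uint32_t speed_kmh, uint32_t limit_kmh) {
    return speed_kmh > limit_kmh ? 1u /* apply brake */ : 0u /* release */;
}

/* One cycle of a single lane: result plus the lane's advanced heartbeat. */
LaneOutput lane_cycle(uint32_t speed_kmh, uint32_t limit_kmh, uint32_t hb) {
    LaneOutput o = { lane_compute(speed_kmh, limit_kmh), hb };
    return o;
}

void voter_init(Voter *v) {
    v->last_hb[0] = v->last_hb[1] = 0;
    v->silent = 0;
}

/* Supervisor: 2oo2 comparison with liveness check. A disagreement between the
 * lanes or a lane whose heartbeat stopped advancing drives the output silent.
 * Heartbeat wrap-around is ignored for brevity. */
SafeOutput vote_2oo2(Voter *v, LaneOutput a, LaneOutput b) {
    SafeOutput out = { 0, 0 };
    int alive_a = a.heartbeat > v->last_hb[0];
    int alive_b = b.heartbeat > v->last_hb[1];
    v->last_hb[0] = a.heartbeat;
    v->last_hb[1] = b.heartbeat;
    if (v->silent || !alive_a || !alive_b || a.cmd != b.cmd) {
        v->silent = 1;   /* latch: only voter_init() re-enables the output */
        return out;
    }
    out.energized = 1;
    out.cmd = a.cmd;
    return out;
}

int main(void) {
    Voter v;
    voter_init(&v);
    /* constructed cycles: both lanes agree, then lane 1 delivers a wrong value */
    SafeOutput o = vote_2oo2(&v, lane_cycle(120, 100, 1), lane_cycle(120, 100, 1));
    printf("cycle 1: energized=%d cmd=%u\n", o.energized, o.cmd);
    LaneOutput faulty = { 0u, 2u };
    o = vote_2oo2(&v, lane_cycle(120, 100, 2), faulty);
    printf("cycle 2: energized=%d (fail-silent)\n", o.energized);
    return 0;
}
```

The latch is the important design choice: once the comparator has seen a disagreement it does not trust later agreement, because one lane has demonstrably failed and the second opinion is gone; re-enabling the output is a deliberate maintenance action.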
Safe MTCS I/O Components
The SIL 4 certified safe I/O boards comprise the typical functions required for railway applications and come with dedicated certification packages:
» K1 – 8 binary outputs
» K2 – 16 binary inputs
» K3 – safety relay outputs (in preparation)
» K4 – 4 frequency inputs, used to measure the speed of the train via wheel sensors
» K5 – analog outputs (in preparation)
» K6 – analog inputs (in preparation)
All I/O components connect via spring cage terminal blocks for fast installation thanks to reduced wiring. They are fully isolated and support the full voltage range from 14.4 to 154 V DC.
Generally a single “K” board can be used to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4. This scalable approach reduces cost in case a lower SIL level is sufficient. The safe MTCS I/O cards are designed to be used inside the MH50C MTCS controller as well as to configure the MTCS remote I/O boxes:
» MH50C accommodates up to 6 safe I/O cards
» KT8 accommodates up to 8 safe I/O cards
» Further remote I/O boxes will be able to accommodate smaller numbers of safe I/O cards for installation areas with very limited space.
MTCS System Controller:
MTCS Configuration Examples
MH50C Configuration Example 1
Option slots populated with safe I/O:
» 8 digital outputs, SIL 4 (each using 2 pins)
» 16 digital inputs, SIL 4 (each using 2 pins)
» 8 frequency input channels, SIL 4
MH50C Configuration Example 2
Option slots populated with safe I/O:
» 8 digital outputs, SIL 2
» 16 digital inputs, SIL 2
» 4 frequency input channels, SIL 2
» MVB master
» 2 slots reserved for future use
This configuration targets SIL 2 safe I/O applications: each safe I/O card is only assembled once.
Both configuration examples are based on the “barebone configuration”, which includes the safe F75P CPU board, a real-time Ethernet card connecting distributed safe I/O, a wide-range PSU and system supervision.
MTCS Remote I/O Boxes:
Configuration of a KT8 providing
» 8 SIL 4 outputs (each using 2 pins) + 8 SIL 2 outputs
» 16 SIL 4 inputs (each using 2 pins) + 16 SIL 2 inputs
» 4 SIL 4 frequency input channels (using 2 separate frequency counters)
Configuration of a KT4 providing
» 8 SIL 4 outputs (each using 2 pins)
» 16 SIL 2 inputs
» 4 SIL 2 frequency input channels
Figure: MTCS System Controller in Combination with Remote I/O Boxes – one MTCS Controller connected to three MTCS Remote I/O boxes.
Safe MTCS Real-Time Ethernet Topology
The complete MTCS I/O – no matter whether it is part of the MH50C controller or located in the remote I/O boxes – is connected via real-time Ethernet. Thus, the application can treat all I/O functions in the same way.
All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable, the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring.
Figure: Safe MTCS real-time Ethernet ring – two MTCS Controllers (each with BC, Real-Time Ethernet Master and I/O Boards) and MTCS I/O boxes (each with BC and I/O Boards) connected in a ring.
MTCS Software Architecture
The MTCS software distinguishes between the safe and the “unsafe” domain in order to save cost and time for application development and certification. This separation allows non-safety-relevant applications to be developed separately from safe applications.
“Unsafe” applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.
In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the so-called “black channel” approach is applied: the Ethernet transport itself is treated as untrusted, and the safety is provided end-to-end by a safety communication layer on both sides.
The method to transport safe data over untrusted communication is defined by EN 50159.
Figure: MTCS software architecture – Safe Domain (CPU Board): Safe QNX/Safe BSP, User Safety Application, Safety Communication Layer, Compare. I/O Domain (CPU Board): Linux (Soft Real-Time), Driver Libraries, Non-Safe Application Communication, Diagnosis, Services, External Interfaces. The two CPU-board domains communicate via Shared RAM and Virtual Ethernet. Safe Domain (I/O Board): Safe QNX/Safe BSP, User Safety Application, Safety Communication Layer, Compare. The CPU board and the I/O board exchange safe data through the Black Channel.
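To make the black-channel principle concrete, here is an added example of a minimal EN 50159-style safety communication layer in C. It is written for this page and is not MEN's safety layer or the MTCS protocol; the telegram layout, the CRC polynomial, the tolerance value `MAX_AGE_TICKS` and all names (`SafeTelegram`, `safe_build`, `safe_check`) are illustrative assumptions. EN 50159 lists the threats a safety layer must defend against on an untrusted channel (repetition, deletion, insertion, resequencing, corruption, delay, masquerade) and the corresponding defences (sequence number, time stamp, source/destination identity, safety code). The receiver below applies exactly those checks; any non-OK result is the point at which a real safe application would drop into its safe state.

```c
/* Added example (not MEN's code): an EN 50159-style safety layer on top of an
 * untrusted ("black") channel. Layout, CRC and tolerances are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SAFE_PAYLOAD   8    /* bytes of process data per telegram (assumed) */
#define MAX_AGE_TICKS 50    /* max accepted telegram age in ticks (assumed) */

typedef struct {
    uint16_t src;               /* safety source identity  (masquerade)          */
    uint16_t dst;               /* intended receiver       (insertion)           */
    uint32_t seq;               /* sequence number         (repeat/delete/order) */
    uint32_t ts;                /* sender time stamp       (delay)               */
    uint8_t  data[SAFE_PAYLOAD];
    uint32_t crc;               /* safety code over all fields above (corruption) */
} SafeTelegram;

typedef enum { SAFE_OK = 0, SAFE_ERR_CRC, SAFE_ERR_ADDR, SAFE_ERR_REPEAT,
               SAFE_ERR_SEQ, SAFE_ERR_STALE } SafeResult;

typedef struct { uint16_t my_id, peer_id; uint32_t expect_seq; } SafeRxState;

/* Reflected CRC-32 (IEEE 802.3 polynomial), bitwise for brevity. */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Serialize the protected fields big-endian so the CRC never depends on
 * struct padding or host byte order. Returns the number of bytes written. */
size_t serialize_protected(const SafeTelegram *t, uint8_t *buf) {
    size_t n = 0;
    buf[n++] = (uint8_t)(t->src >> 8); buf[n++] = (uint8_t)(t->src & 0xFF);
    buf[n++] = (uint8_t)(t->dst >> 8); buf[n++] = (uint8_t)(t->dst & 0xFF);
    for (int i = 3; i >= 0; i--) buf[n++] = (uint8_t)((t->seq >> (8 * i)) & 0xFF);
    for (int i = 3; i >= 0; i--) buf[n++] = (uint8_t)((t->ts  >> (8 * i)) & 0xFF);
    memcpy(buf + n, t->data, SAFE_PAYLOAD);
    return n + SAFE_PAYLOAD;
}

/* Sender side: wrap process data into a protected telegram. */
SafeTelegram safe_build(uint16_t src, uint16_t dst, uint32_t seq, uint32_t ts,
                        const uint8_t *data) {
    SafeTelegram t;
    uint8_t buf[32];
    memset(&t, 0, sizeof t);
    t.src = src; t.dst = dst; t.seq = seq; t.ts = ts;
    memcpy(t.data, data, SAFE_PAYLOAD);
    t.crc = crc32_bytes(buf, serialize_protected(&t, buf));
    return t;
}

/* Receiver side: every EN 50159 defence is checked before the data is
 * accepted. The expected sequence advances only on SAFE_OK. */
SafeResult safe_check(SafeRxState *st, const SafeTelegram *t, uint32_t now) {
    uint8_t buf[32];
    if (crc32_bytes(buf, serialize_protected(t, buf)) != t->crc) return SAFE_ERR_CRC;
    if (t->src != st->peer_id || t->dst != st->my_id) return SAFE_ERR_ADDR;
    if (t->seq < st->expect_seq) return SAFE_ERR_REPEAT;   /* repeated / reordered */
    if (t->seq > st->expect_seq) return SAFE_ERR_SEQ;      /* telegram(s) lost    */
    if (now - t->ts > MAX_AGE_TICKS) return SAFE_ERR_STALE; /* delayed too long   */
    st->expect_seq = t->seq + 1;
    return SAFE_OK;
}

int main(void) {
    /* constructed exchange: controller (id 1) -> I/O box (id 2) */
    SafeRxState rx = { 0x0002, 0x0001, 7 };
    uint8_t outputs[SAFE_PAYLOAD] = { 1, 0, 1, 0, 0, 0, 0, 0 };
    SafeTelegram t = safe_build(0x0001, 0x0002, 7, 100, outputs);
    printf("fresh telegram: %d\n", safe_check(&rx, &t, 120));   /* SAFE_OK */
    printf("same telegram again: %d\n", safe_check(&rx, &t, 121)); /* SAFE_ERR_REPEAT */
    return 0;
}
```

Two points worth noting for the reader: the CRC is computed over a canonical serialization rather than over the raw struct, so a different compiler or endianness on the two ends of the channel cannot silently produce a mismatch; and a delayed telegram is rejected even though it is otherwise perfectly valid, which is what distinguishes a safety layer from an ordinary integrity check.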
MTCS Safety Guaranteed by TÜV Certificate
The complete MTCS solution may contain safe and “unsafe” parts. For the safe parts of the system two certification packages are provided:
» For the F75P CPU board of the MH50C system controller – including QNX Board Support Package
» For the I/O cards – including QNX drivers
Each SIL 4 railway certification package according to EN 5012x includes a number of documents:
» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD (German Technical Inspection Agency)
Figure: contents of the two certification packages (F75P QNX BSP; QNX Drivers) – Safety User Guide, Safety Case, TÜV Assessment Report, TÜV Certificate.
MTCS Application Areas
Rolling Stock
MTCS is well suited for use in new train models as well as for refurbished trains. Thanks to its modularity, it is easy to install and retrofit safety and automation functions with MTCS in any type of older rail vehicle as well.
MTCS is:
» Compact, safe and robust in accordance with EN 50155
» A versatile, consistent, open and safe platform for all functions like ATO, ATP, PTC, ETCS …
» Safe control system plus communication system – all in one, but strictly partitioned
» Fully compatible with EN 50155 (incl. all temperature and voltage ranges)
» Safe remote I/O, connected via redundant, real-time Ethernet
» The interface to all existing train communication such as MVB, WTB, CAN …
» The wireless communication interface to the outside world through GSM-R, GPS, WLAN …
Figure: MTCS in a rolling stock application – MTCS Controller and MTCS Remote I/O, connected via Ethernet, Train Bus (MVB, CAN) and I/O Bus (CAN, Profibus) to gear control, fuel control, wheelslip control, driver display, driver cab controls/indicators, brakes and valves, relays, sensors.
Wayside
MTCS is both well suited for use in new interlocking systems and for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer. MTCS is compact, safe and robust in accordance with EN 50155 and EN 50121-4 (EMC).
MTCS enables:
» Introduction of ETCS (European Train Control System) L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Reduction of dependence on single suppliers, resulting in a growing service offer
» Increase of the performance of the interlocking systems
» Decrease of life cycle cost
» Avoidance of the costly total replacement by electronic interlocking systems (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the increase of total capacities
» Low cabling cost thanks to standardized Ethernet technology
MTCS Benefits Summary
Safety
Safety levels SIL 4, SIL 3, SIL 2, SIL 1, SIL 0 – Flexible configuration of safety levels results in optimum price/performance
Redundancy – Provides safety by means of 2 control processors on a single CPU board
Fail-silent – The system provides the correct service or remains silent.
Fail-safe – The system will not endanger lives or property when it fails.
Fail-operational – Clustering of hardware components if the system must stay operational
Open I/O
Ethernet communication:
» Makes use of standard cabling, line interfaces
» Connects main control system and remote I/O boxes
Real-time Ethernet communication – Guarantees deterministic behavior on standard communication protocol
Functional safety over Ethernet – “Black channel” for safe TÜV certified I/O communication
Safe modular railway I/O up to SIL 4:
» Digital inputs/outputs (wide range EN 50155 compliant)
» Analog inputs/outputs (wide range EN 50155 compliant)
» Frequency inputs (detection of hold, frequency, period, pulse width, direction distance, encoder supply)
» Relay outputs (wide range EN 50155 compliant)
Open Safe Platform
Safe API (Application Interface) – POSIX compliant, “C” programming language
QNX Real-time Operating System – Partitioning of the application for different safety levels
Open General Purpose Platform
Linux Operating System – Development of “unsafe” part of the application in familiar standard software environment
Open Communication Extensions
Railway fieldbusses – Connection to existing TCN network via MVB & WTB interface boards
Other fieldbusses – Connection to existing train devices via CAN, ProfiNet etc. interface boards
Ethernet – Connection to standard switches and routers
WIFI, radio, GPS, RS485 – Connection to all popular in-vehicle and external communication interfaces
Functionality
Open API for “C” or safe PLC – Freely programmable or Flexisafe PLC software environment
Safe programming:
» In “C” language
» Or based on “Soft SPS”
» Or “ANSYS SCADE” model-based
Physical software separation between safe and “unsafe” domain – Saves time and cost for application development and certification
Linux – For general purpose and open communication
Open Hardware Standard
Standard PC hardware architecture – State-of-the-art X86 host controller
Main controller with Intel CPU board architecture:
» Safety execution with 2 redundant processors
» 1 general purpose processor
» Independent supervisors for each block
CompactPCI – Robust industry-proven backplane and computer board standard
19" systems – Well-known enclosure standard
3U Eurocard format – Robust board standard
I/O connectivity – Spring-cage terminal blocks make connection easy and reduce cabling
14.4 to 154 V DC wide-range PSU – International railway compliance with just one system
Standards Compliance
EN 50155 & EN 50121-4 – Fully proven for rolling stock and wayside railway environments
EN 50126/128/129 (based on IEC 61508) – Developed for functional safety from SIL 0 to SIL 4
SIL 4 certification packages with TÜV Süd certificate – Modular hardware/software packages make certification of the final application easy and fast
Customer Support
Long-term availability – 10 years guaranteed to save time and cost investment of the project
Life-cycle management – Secures overall operability of the application when single components need to be substituted
Development services
Environmental test services
Worldwide sales support
Consultancy – Defining the appropriate solution together with the customer
Experienced supplier of reliable embedded computer solutions – IRIS certified partner of the railway industry for many years
February 2015 Copyright © MEN Micro Inc. / MEN Mikro Elektronik GmbH® / MEN Mikro Elektronik SAS. All rights reserved.
www.men.de, www.men-france.fr, www.menmicro.com