FUNCTIONAL SAFETY IN CONTROLLING RAIL AUTOMATION SYSTEMS
ONE SYSTEM PLATFORM FOR SAFETY-CRITICAL ONBOARD AND TRACKSIDE APPLICATIONS
The duagon SAFE CONTROL (d-SC) system is safety certified, modular railway controller platform. It complies with the EN 50126 (RAMS), EN 50128 (software) and EN 50129 (hardware) railway development standards for functional safety, and all components are safety certified up to SIL 4.
The d-SC system is designed to operate in safety-critical onboard applications such as Automatic Train Operation (ATO) and Automatic Train Protection (ATP) as well as in wayside applications like level-crossing or computer-based interlocking systems. The modular system consists of the safe controller (1oo2, 2oo2), the safe I/O functions, and the communication interfaces to the "outside" world.
Its modular configuration enables the system to communicate with other train systems like service or diagnosis units via any type of wired or wireless interface. Additionally, fieldbus interfaces like MVB, CAN, Profinet and more, can be implemented to connect into other networks. This makes it easy to integrate into a TCN network as well as into regionally different train control systems such as ETCS, CTCS, ATCS, PTC or Klub-U.
The COTS safe controller supports QNX out-of-the-box using the provided safety certified board support package (BSP). Additionally, duagon offers various software packages e.g., process data synchronization (SNYCH), modular I/O framework (PACY) or high availability software (HA-SW) which enables customer applications to use two redundant d-SC systems in a Hot-standby setup.
The robust and rail-ready components comply with the railway standards for environmental and EMC conditions EN 50155 (rolling-stock) and EN 50125-3 / EN 50121-4 (signalling/trackside).
Pre-Certified, modular open systems for long-term use
CERTIFIED FUNCTIONAL SAFETY
Save Cost, Time and Risk with Pre-Certification
duagon’s safety-related components come with certification packages for the hardware and the relevant platform software based on QNX. No matter what final application, the parts are already certified and will speed up your overall certification process.
Get Synergies for all Safety-Critical Applications
As a modular safe platform, with flexible I/O configuration and extension options, this system can be used in all safety-related applications onboard and trackside: from single functions like signal and level-crossing control up to complex systems for Automatic Train Operation or Protection (ATO/ATP).
Certification
- EN 50126: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
- EN 50128: Communication, signaling and processing systems - Software for railway control and protection systems
- EN 50129: Communications, signaling and processing systems – safety-related electronic systems for signaling
Modularity in I/O Configuration and Software
Flexible Configuration for Controller Unit or Complete Network
The duagon SAFE CONTROL system is based on the modular 19” CompactPCI standard, making a scalable plug-and-play-like system configuration easy, enabling communication with other train functions like service or diagnosis, and supporting integration in existing train bus networks:
- The MH50C controller can be configured with the exact number of required safe channels, and non-safe functions based on standard CompactPCI boards.
- Up to 63 remote Safe I/O modules (with four to eight boards per device) can be connected to a single MH50C controller, saving wiring cost and increasing the operation stability.
Modularity in Terms of Software
Since all software functions (SYNCH, EXCH) are independent of each other, only the parts that are really needed can be configured in the system.
The PACY I/O framework is also modular in itself, so that functions such as new I/O modules, new bus systems or new safety protocols can be easily added.
Independency from Suppliers
Avoid Vendor Lock-In and Keep Control!
As an open and modular platform, the duagon SAFE CONTROL system makes rail service suppliers and rail operators independent of a platform supplier, giving them full control over their project.
Standards Based:
Standard CompactPCI industry standard and x86 host controller
- Standard operating system (QNX, Linux)
- Standard EtherCAT with safety protocol FSoE
- Standard communication interfaces to TCN network, MVB, CANopen, ProfiNet, etc.
- Standard POSIX programming interface for ‘‘C“
- „C“ code generation, e.g. with model based code generation tools, such as ANSYS' SCADE or MathWorks' Simulink.
Long-Term Availability
Protect Your Investments From Discontinuation!
The system is exclusively based on open industry standards in hardware, software and communication with broad acceptance on the market. This guarantees alternatives for every function, so the end user is protected from obsolescence issues.
Extend your Project Life Cycle!
The lifetime is extendable by its family concept and a corresponding life-cycle management behind. After the guaranteed minimum availability of 10 years for all parts, duagon will provide its customers with all necessary steps and documents (e.g. change effect analysis, redesign) for possible successors.
duagon guarantees:
- Delivery of identical duagon boards per project: 10 years
- Technical support per project: 25 years
- Delivery of functionality: unlimited in time
SAFE CONTROL (d-SC) HARDWARE
System Example
The heart of the modular duagon SAFE CONTROL system is the MH50C controller. It is based on the SIL 4-certified Intel CPU board F75P. The safe part can be extended by non-vital I/O functions without effecting the safety of the system. It can be used as a standalone device and in combination with up to 63 remote I/O boxes.
REAL-TIME ETHERNET COMMUNICATION
The communication inside the duagon SAFE CONTROL (d-SC) system – between the safe d-SC controller, safe I/O boards and safe remote I/O boxes – is based completely on a standardized safe real-time Ethernet, using EtherCAT and FSoE (Fail Safe over EtherCAT).
The application can therefore treat all I/O functions in the same way. All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable, the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring.
Software Architecture
Separation between Safe and Non-Vital Domains
The d-SC software distinguishes between the safe and the non-vital domain in order to save cost and time for application development and certification. This separation allows to develop non-vital applications separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.
The safe application runs in a safe kernel of the QNX real-time operating system and can either be directly programmed with standard "C" language, offering POSIX compliant APIs.
Safe Application Interface
As d-SC is an open general-purpose hardware platform for different kinds of safe applications, the software programmer needs an interface to get full access to the control electronics. The PACY safety I/O framework provides easy and modular access to the safe I/O boards. PACY also includes a safe communication layer (Fail Safe over EtherCat, FSoE).
Safe Communication
In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the black channel approach is applied. The requirements to transport safe data over untrusted communication are defined by EN 50159 and realized using the FSoE safe communication protocol (Fail Safe over EtherCat).
Key Products
MH50C duagon SAFE CONTROL Vital System Controller
Modular Train Control System for Safe Applications in Transportation
F75P Vital Embedded Single Board Computer, 3 Intel Atom E6xx
3U CompactPCI PlusIO
KT8 d-SC Remote I/O Extension for 8 Cards
Modular Train Control System for Safe Applications in Transportation
K1 8 Safe Digital Outputs, High-Side Switching for d-SC
SIL 2 to SIL 4 Modular Train Control System I/O Board
Application Areas
Rolling Stock
The duagon SAFE CONTROL platform is well suited for control of all safety-related functions in new train models as well as for refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation functions in combination with other parts of already existing train control equipment as well.
- Installation as the heart of the any train protection and/or automation system
- Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
- Step-by-step replacement of older equipment, resulting in one standardized general-purpose platform for all safe applications
- Remote control sitting directly at the door, at the wheel, at the gear
- All-in-one safe control system and non-vital communication system – safely separated through strict partitioning
- Interfacing to all existing train communication with Ethernet and MVB, CAN bus etc.
- Interfacing to the driver cab display
- Interfacing to wireless communication with the outside world through GSM-R, GPS, WLAN etc.
- Decrease in life cycle cost through easy maintenance of standard components
- Longer operating life by using standardized technologies.
TRACKSIDE
The duagon SAFE CONTROL system is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train management, trackside devices such as switches, signals, or level crossings. Being a modular platform, it can be used in new interlocking systems as well as for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer.
- Introduction of ETCS L2/L3 for optimization of safety and track load
- Halving of the resulting opportunity cost for relay interlocking systems
- Increase in performance of the interlocking systems
- Low cabling cost thanks to standardized Ethernet technology
- Avoidance of the costly total replacement by CBIs (incl. outside facilities)
- Installation of simpler, smaller and standardized inside facilities
- Longer operating life of the outside facilities
- Lower cost for the expansion of total capacities
- Decrease in life cycle cost through easy maintenance of standard components
- Reduction of dependence on single suppliers, resulting in a growing service offer
Contact our Sales Team
Our international team of engineers and sales consultants are here to help - no matter where in the world you are.
At duagon we have a wide range of standard products ready for use, and our products can all be customized for use in a specific application environment. Our sales team is here to provide more specific information about our standard hardware range, our software technology, the required standards and certifications, and, together with our team of engineers, developing the optimal solution to your specific application requirements.