FUNCTIONAL SAFETY IN CONTROLLING RAIL AUTOMATION SYSTEMS

ONE SYSTEM PLATFORM FOR SAFETY-CRITICAL ONBOARD AND TRACKSIDE APPLICATIONS

Download: Cyber Secure Products & Service Packages (PDF, 240 KB)

The duagon SAFE CONTROL (d-SC) system is safety certified, modular railway controller platform. It complies with the EN 50126 (RAMS), EN 50128 (software) and EN 50129 (hardware) railway development standards for functional safety, and all components are safety certified up to SIL 4.

The d-SC system is designed to operate in safety-critical onboard applications such as Automatic Train Operation (ATO) and Automatic Train Protection (ATP) as well as in wayside applications like level-crossing or computer-based interlocking systems. The modular system consists of the safe controller (1oo2, 2oo2), the safe I/O functions, and the communication interfaces to the "outside" world.

Its modular configuration enables the system to communicate with other train systems like service or diagnosis units via any type of wired or wireless interface. Additionally, fieldbus interfaces like MVB, CAN, Profinet and more, can be implemented to connect into other networks. This makes it easy to integrate into a TCN network as well as into regionally different train control systems such as ETCS, CTCS, ATCS, PTC or Klub-U.

The COTS safe controller supports QNX out-of-the-box using the provided safety certified board support package (BSP). Additionally, duagon offers various software packages e.g., process data synchronization (SNYCH), modular I/O framework (PACY) or high availability software (HA-SW) which enables customer applications to use two redundant d-SC systems in a Hot-standby setup.

The robust and rail-ready components comply with the railway standards for environmental and EMC conditions EN 50155 (rolling-stock) and EN 50125-3 / EN 50121-4 (signalling/trackside).

Pre-Certified, modular open systems for long-term use

CERTIFIED FUNCTIONAL SAFETY

 

Save Cost, Time and Risk with Pre-Certification
duagon’s safety-related components come with certification packages for the hardware and the relevant platform software based on QNX. No matter what final application, the parts are already certified and will speed up your overall certification process.

Get Synergies for all Safety-Critical Applications
As a modular safe platform, with flexible I/O configuration and extension options, this system can be used in all safety-related applications onboard and trackside: from single functions like signal and level-crossing control up to complex systems for Automatic Train Operation or Protection (ATO/ATP).

 

Certification

  • EN 50126: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
  • EN 50128: Communication, signaling and processing systems - Software for railway control and protection systems
  • EN 50129: Communications, signaling and processing systems – safety-related electronic systems for signaling

Modularity in I/O Configuration and Software

Flexible Configuration for Controller Unit or Complete Network
The duagon SAFE CONTROL system is based on the modular 19” CompactPCI standard, making a scalable plug-and-play-like system configuration easy, enabling communication with other train functions like service or diagnosis, and supporting integration in existing train bus networks:

  • The MH50C controller can be configured with the exact number of required safe channels, and non-safe functions based on standard CompactPCI boards.
  • Up to 63 remote Safe I/O modules (with four to eight boards per device) can be connected to a single MH50C controller, saving wiring cost and increasing the operation stability.

 

Modularity in Terms of Software
Since all software functions (SYNCH, EXCH) are independent of each other, only the parts that are really needed can be configured in the system.
The PACY I/O framework is also modular in itself, so that functions such as new I/O modules, new bus systems or new safety protocols can be easily added.

 

Independency from Suppliers

 

Avoid Vendor Lock-In and Keep Control!
As an open and modular platform, the duagon SAFE CONTROL system makes rail service suppliers and rail operators independent of a platform supplier, giving them full control over their project.

Standards Based:

Standard CompactPCI industry standard and x86 host controller

  • Standard operating system (QNX, Linux)
  • Standard EtherCAT with safety protocol FSoE
  • Standard communication interfaces to TCN network, MVB, CANopen, ProfiNet, etc.
  • Standard POSIX programming interface for ‘‘C“
  • „C“ code generation, e.g. with model based code generation tools, such as ANSYS' SCADE or MathWorks' Simulink.

 

Long-Term Availability

 

Protect Your Investments From Discontinuation!
The system is exclusively based on open industry standards in hardware, software and communication with broad acceptance on the market. This guarantees alternatives for every function, so the end user is protected from obsolescence issues.

Extend your Project Life Cycle!
The lifetime is extendable by its family concept and a corresponding life-cycle management behind. After the guaranteed minimum availability of 10 years for all parts, duagon will provide its customers with all necessary steps and documents (e.g. change effect analysis, redesign) for possible successors.

duagon guarantees:

  • Delivery of identical duagon boards per project: 10 years
  • Technical support per project: 25 years
  • Delivery of functionality: unlimited in time

SAFE CONTROL (d-SC) HARDWARE

System Example

The heart of the modular duagon SAFE CONTROL system is the MH50C controller. It is based on the SIL 4-certified Intel CPU board F75P. The safe part can be extended by non-vital I/O functions without effecting the safety of the system. It can be used as a standalone device and in combination with up to 63 remote I/O boxes.

REAL-TIME ETHERNET COMMUNICATION

The communication inside the duagon SAFE CONTROL (d-SC) system – between the safe d-SC controller, safe I/O boards and safe remote I/O boxes – is based completely on a standardized safe real-time Ethernet, using EtherCAT and FSoE (Fail Safe over EtherCAT).


The application can therefore treat all I/O functions in the same way. All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable, the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring.

Software Architecture

Separation between Safe and Non-Vital Domains

The d-SC software distinguishes between the safe and the non-vital domain in order to save cost and time for application development and certification. This separation allows to develop non-vital applications separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.

The safe application runs in a safe kernel of the QNX real-time operating system and can either be directly programmed with standard "C" language, offering POSIX compliant APIs.

Safe Application Interface

As d-SC is an open general-purpose hardware platform for different kinds of safe applications, the software programmer needs an interface to get full access to the control electronics. The PACY safety I/O framework provides easy and modular access to the safe I/O boards. PACY also includes a safe communication layer (Fail Safe over EtherCat, FSoE).

Safe Communication

In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the black channel approach is applied. The requirements to transport safe data over untrusted communication are defined by EN 50159 and realized using the FSoE safe communication protocol (Fail Safe over EtherCat).

Key Products

MH50C duagon SAFE CONTROL Vital System Controller

Modular Train Control System for Safe Applications in Transportation

F75P Vital Embedded Single Board Computer, 3 Intel Atom E6xx

3U CompactPCI PlusIO

KT8 d-SC Remote I/O Extension for 8 Cards

Modular Train Control System for Safe Applications in Transportation

K1  8 Safe Digital Outputs, High-Side Switching for d-SC

SIL 2 to SIL 4 Modular Train Control System I/O Board

Application Areas

Rolling Stock

The duagon SAFE CONTROL platform is well suited for control of all safety-related functions in new train models as well as for refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation functions in combination with other parts of already existing train control equipment as well.

  • Installation as the heart of the any train protection and/or automation system
  • Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
  • Step-by-step replacement of older equipment, resulting in one standardized general-purpose platform for all safe applications
  • Remote control sitting directly at the door, at the wheel, at the gear
  • All-in-one safe control system and non-vital communication system – safely separated through strict partitioning
  • Interfacing to all existing train communication with Ethernet and MVB, CAN bus etc.
  • Interfacing to the driver cab display
  • Interfacing to wireless communication with the outside world through GSM-R, GPS, WLAN etc.
  • Decrease in life cycle cost through easy maintenance of standard components
  • Longer operating life by using standardized technologies.

TRACKSIDE

The duagon SAFE CONTROL system is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train management, trackside devices such as switches, signals, or level crossings. Being a modular platform, it can be used in new interlocking systems as well as for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer.

  • Introduction of ETCS L2/L3 for optimization of safety and track load
  • Halving of the resulting opportunity cost for relay interlocking systems
  • Increase in performance of the interlocking systems
  • Low cabling cost thanks to standardized Ethernet technology
  • Avoidance of the costly total replacement by CBIs (incl. outside facilities)
  • Installation of simpler, smaller and standardized inside facilities
  • Longer operating life of the outside facilities
  • Lower cost for the expansion of total capacities
  • Decrease in life cycle cost through easy maintenance of standard components
  • Reduction of dependence on single suppliers, resulting in a growing service offer

Contact our Sales Team

Our international team of engineers and sales consultants are here to help - no matter where in the world you are.

At duagon we have a wide range of standard products ready for use, and our products can all be customized for use in a specific application environment. Our sales team is here to provide more specific information about our standard hardware range, our software technology, the required standards and certifications, and, together with our team of engineers, developing the optimal solution to your specific application requirements.

CONTACT US