Safety Architectures for Railways Signalling Applications
Giorgio Mongardi
�Index, presentation overview
Presentation Overview
1. Applications 2. Hardware architecture 3. Software structure 4. Application software architecture
�Index, presentation overview
1. Railways Signalling Applications
ERTMS system
�Contents
Italian High Speed Lines
�IHSL - ETCS Level 2 - Specification Strategy
UNISIG ERTMS/ETCS SRS
Requirements Trace
RFI HSL SRS Vol. 1
Train Spacing Subsystem SRS Vol. 2
FFFIS RBC-RBC RBC HMI Spec
FFFIS RBC-IXL
RBC 1 Level Functional Spec.
Radio Msg & Tgm Config. Spec Design Criteria of ETCS Schematic Plan
RBC Detailed Sw Design
�ERTMS/ETCS Level 2 - Overview
Other RBC RBC GSM-R
CBI
OBU OBU
EUROBALISE
�Italian High Speed Line (IHSL) Main Features
Lines of new construction ERTMS/ETCS Level 2 No light signals - Fixed signals along the line and in the stations No other backup signalling systems (previous idea ERTMS/ETCS Level 1 was removed during the design phase) 300 km/h max speed Headway 2.5 min theoretic 5 min for operation to have
�Italian High Speed Lines Current Status
Torino-Novara-Milano Line extension 120 km IN OPERATION (TorinoNovara, 80 km) from February 2006 (after 3 months of pre-operation)
2 RBC 14 CBI (10 CBI Torino-Novara 4 CBI Novara-Milano) 900 balises (fixed and switchable) about 40 LEU (HSL entrance handling / Hot Box Detection) about 180 Audio frequency track circuits
Roma-Napoli Line extension 200 km - IN OPERATION from December 2005 (after 3 months of pre-operation )
3 RBC - 18 CBI about 1500 balises (fixed and switchable) about 60 LEU (HSL entrance handling / Hot Box Detection)
Milano-Bologna Line extension 185 km IN PROGRESS (expected 12/2008)
3 RBC - 19 CBI (single MS CBI) about 1500 balises (fixed and switchable) about 50 LEU (HSL entrance handling)
�IHSL Torino-Novara General Architecture
O.I.
RBC
O.I..
RBC
CBI CP
O.I..
CBI CP
O.I..
CBI CP
O.I..
CBI CP
CBI CP
PP
PP
PP
PP
PP
6 Km
6 Km
6 Km PT
6 Km
6 Km PM
6 Km
6 Km PJ
6 Km
PC
�IHSL Torino-Novara Detailed Architecture
CTC ANSALDO
RBC ANSALDO NSS
SIRTI BSC
Control Centre
Fiber optic WAN SIRTI
Peripheral Place
CBI CP/PP BTS SIRTI
Cabin
ANSALDO
Oleodyn. switch Electromech. switch ALSTOM (Hot Box Detector,) OTHERS
Audiofrequency Track Circuit ANSALDO
EUROBALISE ANSALDO
Trackside
10
�IHSL - Communication Protocols
EURORADIO protocol stack GSM-R Network
RBC
IXL
IXL CBI
Protocol Stack using the Safety layer of EURORADIO protocol stack (EURORADIO+ called) Fiber Optic WAN
RBC RBC RBC
11
�Radio Block Centre (RBC) Architecture
IHSL IXL
Communication Interface (redundant)
Vital Section: TMR (2oo3) TMR (2oo3)
IXL
IXL
OBU
ART1 ART2
GSM-R
WAN
Functional Keyboard (not vital) & D&M Interface Graphic Display & Functional Keyboard (vital) D&M
RBC, IXL
12
�ERTMS/ETCS Level 2 products: Radio Block Centre
(1/3)
OBU
Vital Section TMR (2oo3) & Communication Interface ART1
GSM-R
ART2
Other RBCs
WAN
IXLs
Graphic Display & Functional Keyboard (vital)
Functional Keyboard (not vital) & D&M Interface
13
�ERTMS/ETCS Level 2 products: Radio Block Centre
(2/3)
2 out of 3 technology Interface with trackside subsystems (IXLs, other RBCs) 2 port E1 (G.703 / G.704 @ 2Mbit/s, 30 channel at 64 kbit/s) Redundant interface and redundant communication (use of normal and redundant transmission channel) Interface with onboard subsystems (30 trains or more) 2 port E1 2 Mb/s with 30 data channel (B) at 64 Kb/s and 1 signalling channel (D) a 64 Kb/s (ISDN PRI) Redundant interface (use of normal or redundant transmission channel)
14
�ERTMS/ETCS Level 2 products: Radio Block Centre
(3/3)
For each RBC, a single cabinet encloses the Safety Nucleus and the Communication Computers For each RBC a couple of computers in redundant configuration realizes the ART (Alarm Recording & Telecontrol) A cabinet dedicated to ART(s) can enclose up to six couple of computers so that it can manage up to three RBCs and one shared display (for setting-up the system and local diagnosing) A single operator terminal can either be associated to a single RBC or to a group of more than one RBC (at present 3)
15
�Standard size Eurobalises (cont.)
16
�Standard size Eurobalise
FSK transmission, 565.4 KHz Train telepowering, 27.095 MHz 1023 and 341 - bit telegrams Weight: 10.5 kg Size: 523 (l) x 403 (w) x 40 (h) mm Connection cable distance: up to 5 Km Class A certified Tested over 500 km/h (HSL TGV-Est France)
17
�Index, presentation overview
1. Railways Signalling Applications
Line / Station Interlocking Systems
18
�ACC Multistation overview
19
�Line / Station Interlocking Systems
Interlocking models Model 1: Single railway stations: Central location with integrated Peripheral Posts (PPs) Model 2: Central location with PPs arranged along the line Model 3: Central location with local integration of PPs and also PPs arranged along the line (in Peripheral Locations, PLs)
20
�ACC of Roma Termini First Application
21
�22
�23
�24
�25
�26
�UNITED KINGDOM
27
�28
�ACC rack functions
Network rack has two hubs for signalling network and one hub for maintenance network
CIU with 2 out of 3 logic and direct link to vital keyboard
Art 3 server for on-line diagnostics and maintenance
ART 1 and 2 servers provide hot redundant interface to signalling LAN
29
�Manchester South Signalling Control Centre
30
�Trackside Installations
31
�Associated Components (1/2)
T72 Point Machine and VCC Clamp-lock
32
�Associated Components (2/2)
Fibre optic based JRI, GPLS
SDO Main Signal (Signal House LED option)
33
�ACC - OVERVIEW
ACC Milano Rogoredo Lines:
Milano-Bologna hi speed line Milano-Bologna traditional line Milano-Genova line Rogoredo-Trecca Merci Storica line Rogoredo-Trecca Merci Cintura line Rogoredo-Porta Romana line Linea Passante line
34
�ACC - OVERVIEW
ACC Milano Rogoredo Features:
Peripheral Posts : M.M.Signaller Interface: Operator Maintenance Interface:
P.Location)
62 2 3+3 (in each 1 Room with a system
Simulation/Test/Training :
complete and a real PP
Field Devices: Track Circuits: Points/Switchs: Signals:
Up to 1200 194 87 72+30
CIU Cabinet : ART Cabinet : D&M Cabinet : Network Cabinet :
1+1 2+2 1+1 1+1
35
�ACC - OVERVIEW
ACC Milano Rogoredo Features:
CENTRAL LOCATION
CIU - ART NETWORK CABINET SIGNALLER/MAINTENANCE M.M.I
MILANO LAMBRATE
01
28
38
05
D.B.S. Donato
MILANO LAMBRATE
06
27
37
02
D.B.S. Donato
MILANO LAMBRATE 2
03
MILANO LAMBRATE 2
08 13
D.B.S. Donato
24
34 10
D.B.S. Donato
23
33 07
Locate T.
PM Trecca
09
81o
81 04
Locate T.
PM Trecca
62o 14 62 83 63 19 64 85 12 65 86 66 84
MI PORTA ROMANA
MI PORTA ROMANA
North Peripheral Location
Manage field devices and Lambrate/Trecca/Porta Romana/Porta Vittoria Line Interfaces
South Peripheral Location Central Peripheral Location
Manage field devices Manage field devices and Bologna/Genova Line Interfaces
36
�ACC M.M.I.
ACC MMI Example:
37
�Index
4. Hardware Architecture of the main Platform
�Detailed architecture of the Multistation system
�Detailed architecture of the Multistation system
Central location -legendART1/2-Server: Server 1 and 2 for alarm, recording and remote control functions ART3/4-Server: Server 3 and 4 for diagnostic functions as well as for Firewall network for external systems CIU: Safe interlocking unit CTC: Traffic control system Diagnostic Ethernet WAN: Diagnostic Ethernet WAN FE RBC: Interface to RBC FK: Functional keyboard Maintainers desk: Maintainers work station Offline diagnostic: Offline diagnostics Online diagnostic: Online diagnostics Operator interface maintainer: Maintainers operator interface Operator interface signaller: Signallers operator interface PP: Peripheral post RCE Terminal: Event Chronological Recorder terminal Signallers desks: Signallers workstation Signalling Ethernet LAN: Ethernet LAN for signalling functions Signalling Vital Network: Safety network for PPs TEL 1 and 2: Interface to external systems Vital HUB: Safety communication hub that converts electric signals into optic signals and opposite and makes possible the connection of fibre optic cables, Mono-Mode or MultiMode type Wallscreen: Wall panel 3
�Main Basic Features
FAIL-SAFE ARCHITECTURE is based upon the following principles: EN50129, B.3.1
COMPOSITE FAIL-SAFETY, realized by using a parallel architecture (2oo2 or 2oo3, TMR). INHERENT FAIL-SAFETY, used in the implementation of the WATCH-DOG and vital output circuit. A hazardous failure causes the irreversible product shut-down: each I/O interface is unconditionally disabled. It has been demonstrated no single random HW failure mode is hazardous.
EN50128, Tables A.1 - A.20
4
�ACC Architecture Redundancies
�ACC CIU FEATURES
1 - Central Interlocking Unit 2 - ART 1 4 3 - ART 2 3
�CIU architecture
�CIU architecture functional block diagram
�2-out-of-3 Voting Mechanism Functional Diagram
Output channels
Safety nucleus
Electrical Isolamento isolation elettrico Electrical Isolamento isolation elettrico Electrical Isolamento isolation elettrico
Output
Output channels
Output
Output channels
Output
NS section NS sezione 1
NS section 2 NS section 1
NS section NS sezione 3
Exclusion logic
LELE1 module #1 1=2 1=2
LE module LE2 #2 2=3 2=3
LE LE3 module #3 3=1 3=1
Enable 48Vdc Enable 48Vdc Enable 48Vdc
�Solutions for MMI
10
�Multistation main characteristics
Man-machine-interface (MMI), safe operation and display :
Safety related information are displayed, according CENELEC standards, by means of: specific software platform and TFT LCD monitors, with proper internal devices. Those information are transferred from the CIU to the MMI computer through the Signaling LAN. Safety related commands are sent to the Safety Logic by means of a special vital keyboard.
11
�MMI hardware architecture
CPCI BUS GRAPHIC controller #1 GRAPHIC controller #2 GRAPHIC controller #3
ALIM
CPU Pentium M
48Vdc
Vital Watch-Dog
ALIM
CPU CELERON
CPCI BUS
Ethernet Link
12
�Display of safety related information
Field device status reception Device status verification Calculation of symbol aspects Graphic updating of views Vectorial description of symbols Color logic Verifying the integrity of the Video Card Hardware watch-dog management
13
�Verifying the integrity of the Video Card
Symbol Status A Drawing View Displayed
Previous Status View Displayed
Voting
Symbol Status B Drawing View in storage
Previous Status Storage View
14
�Index, Multistation maintenance concept
Software structure
15
�Software
Control Tables
Geographical Data Operating System Hw Drivers & Diag Data Handler Interlocking Rules Data
Scheme Plan
Interlocking Principles Logic Data Preparation Process
Control Tables
Scheme Plan
Specific Application Generic Application Generic Product
Geographical Data Preparation Process
Interlocking Rules Data
Geographical Data
Interlocking Principles
16
�Software layers
Basic Software : Fixed, it manages the safety system functions Application Software : Including the safety logic functions suitable for the relevant application (customer signalling rules) Validated only for the first application Used without changes for all the following projects Configuration Software : Describes the station data (routes, objects to be controlled, ..) Captures from the application software database the rules needed for the project to be implemented
17
�Software Structure
Software characteristics The following software environment is provided: CIU is proprietary The following software languages are used: Assembler Subset C The following software levels are provided: System software (Operating System, HW-Driver and Diagnostic) Generic Product (Data Handler) Generic application software (Interlocking Rules Data with Customers standards) Specific application software With geographical/project specific data
18
�Index
4. Application software
19
�Safety Logic structure
Safety Logic module i (e.g. Signal)
Header
Description of used data Operations (1, 2, j, n) (e.g. from stop aspect to clear aspect) Check of safety conditions (input data) Exception handlers Set of variables (output data) and activation of other modules Set of value to process status End of operation
20
�eudo-code translation
26. OPERAZIONE attivata da stato processo con valore "impresenziamento comandato" Elenco attributi "tipo_oper=0, brapido=0" 26.1 SOTTOOPERAZIONE VERIFICA a) "stato comando i/idl/sp" = "i" b) "stato telecomando" = "i" ca) ESEGUI "gestione nmdlb" ("mmd generale") = VERO da) "stato processo" ("manovre a mano", "mmd generale") = "a riposo" ea) "stato zona" ("zone area telecomandata ambito dco") = "incluso" ECCEZIONI a) MC "VI Comando annullato." AZIONI - "stato processo" = "idl" se "regime impianto" = "idl" - "stato processo" = "stazione porta" se "regime impianto" = "sp" b) MC "VI Comando annullato." AZIONI - "stato processo" = "idl" se "regime impianto" = "idl" - "stato processo" = "stazione porta" se "regime impianto" = "sp" ca) MC "VA0 MMD in atto" da) MC "VA0 MMD in atto" ea) MC "VA0 Zona IS esclusa" 26.2 SOTTOOPERAZIONE PER_ENTE ATTIVA_SUCCESSIVA VERIFICA *) "posizione richiesta" ("deviatoi di confine telecomando in posizione normale") = "rovescio" ASSEGNA - COMUL "manovra in posizione normale" ("deviatoi di confine telecomando in posizione normale")
Sub-Operation 26.1
21
�achine code
; ; 26. Operazione attivata da stato processo con valore "impresenziamento comandato" ; $OPER VSTICOM, $PSSTA, VSTICOM $STOPER $NORM, $ATTIF $VEROP $SING, $STAZ, SSTSTACOMIID, VSTI, 1 ;a $ECCOP $SING, $STAZ, SSTSTAPROCES, VSTIDL $CONDOP $SING, $STAZ, SSTREGIMP, VSTIDL $ECCOP $SING, $STAZ, SSTSTAPROCES, VSTSP $CONDOP $SING, $STAZ, SSTREGIMP, VSTSP $VEROP $SING, $STAZ, SSTSTATEL, VSTI, 2 ;b $ECCOP $SING, $STAZ, SSTSTAPROCES, VSTIDL $CONDOP $SING, $STAZ, SSTREGIMP, VSTIDL $ECCOP $SING, $STAZ, SSTSTAPROCES, VSTSP $CONDOP $SING, $STAZ, SSTREGIMP, VSTSP $VEROP $LAUT, ESTMMD, CGEGESTNMDLB, 3 ; ca $VEROP $LIS2, ESTMMD, EGEMANMAN, SMMSTAPROC, VMMARIPOSO, 4 $VEROP $LISTA, ESTZOTELDCO, SSISTAZON, VSIINCLUSO, 5 ; ea $STOPER $PEREN, $ATTIV $VEROP $LISTA, ESTDVINPONOR, SDVPOSRICHIE, VDVROVESCIO, 0 $ASSOP $LISUL, ESTDVINPONOR, 0, CDVMANPOSNOR $STOPER $PEREN, $ATTIV $VEROP $LISTA, ESTDVINPOROV, SDVPOSRICHIE, VDVNORMALE, 0 $ASSOP $LISUL, ESTDVINPOROV, 0, CDVMANPOSROV $STOPER $NORM, $ATTIF $VEROP $LISTA, ESTDEVSTA, SDVSTACOMAND, VDVAUTOMATIC, 6 $VEROP $LISTA, ESTSEGSTA, SSESTACOMAND, VSEAUTOMATIC, 7 $VEROP $LISTA, ESTCHSSTA, SCHSTACHICS, VCHNORMALE, 8 ; e $VEROP $LISTA, ESTDVINPONOR, SDVPOSRICHIE, VDVNORMALE, 9 $VEROP $LISTA, ESTDVINPONOR, SDVSTAPROCES, VDVARIPOSO, 10 $VEROP $LISTA, ESTDVINPONOR, SDVSTACONPOS, VDVNORMALE, 11 $VEROP $LISTA, ESTDVINPOROV, SDVPOSRICHIE, VDVROVESCIO, 12 $VEROP $LISTA, ESTDVINPOROV, SDVSTAPROCES, VDVARIPOSO, 13 $VEROP $LISTA, ESTDVINPOROV, SDVSTACONPOS, VDVROVESCIO, 14 $VEROP $LISTA, ESTPLSTAZ, SPLSTACOMAND, VPLAUTOMATIC, 15 $VEROP $LISTA, ESTFEDSTA, SFECONTCONCO, VFENORMALE, 16 $ASSOP $LISUL, ESTFEDSTA, 0, CFELIBRAUT $ASSOP $SING, $STAZ, SSTREGIMP, VSTI $ASSOP $SING, $STAZ, SSTSTAPROCES, VSTIMPRES $ASSOP $GEST, $CFIEX, 0, $TRUE $ASSOP $GEST, $CPROS, 0, $FALSE
Sub-Operation 26.1
; da ;*
;*
;c ;d ;f ;g ;h ;i ;j ;k ;l ;m
22
�Thank you for your attention
23
