GV1 Thales
Safety in Railway Systems
Overview TAS Platform, ELEKTRA
2013-01-15, Christoph Scherrer
Thales Austria
Presentation Outline
Overview THALES
Applicable Safety Standards
Case Study: TAS Platform
Case Study: Interlocking System ELEKTRA
The future: Operational Management Centers
A technology leader providing safety and security
A global company with 67,000 employees and €13 billion in revenues
We help our customers to: provide reliable and secure solutions; monitor and control; protect and defend
In two major sectors: Aerospace and Transport (40%), Defence and Security (60%)
Thales: a reliable, long-term partner with operations in 50 countries
Thales solutions to boost efficiency
(Figure: the segments Signalling, Supervision & Communication and Revenue Collection across the markets Main Line Railways, Urban Public Transport and Roads)
Providing systems and services enabling customers to get the most out of their infrastructure
Thales position in transportation: a worldwide leader
Leader in advanced signalling systems
Leader in electronic interlocking with relevant references in 20 countries
Leader in Main Line ETCS (European Train Control System)
No. 1 in Urban Rail CBTC (Communications Based Train Control)
No. 1 in electronic axle counters
Leader in integrated communication and supervision systems
Unique provider of end-to-end systems
No. 1 provider of integrated fare collection systems worldwide
Unique provider of nationwide revenue collection systems
Thales Austria – a historic footprint…
(Timeline figure, 1857 to 2010: from the k&k privilegierte Südbahngesellschaft and the Südbahnwerke, later Südbahnwerke (DOSAG), via Standard Telephon & Telegraphen AG (ITT, STT), ITT Austria (1971), Alcatel Austria (1987) and Thales Rail Signalling Solutions GesmbH (2007) to Thales Austria GmbH (2010); the timeline also marks the years 1857, 1873, 1924 and 1969)
Thales in Austria - Experienced with Signalling Systems
VP & Country Director / CEO: Alfred Veider
Turn-key integrated solutions for mainline & suburban railway operations
Comprehensive country organisation with RD&E, RAMS, Marketing & Sales, Product Management, Staff functions
Local figures: ~ 350 employees
Global competence centre and product responsibilities for:
Electronic Interlockings
ERTMS/ETCS Systems
Train Monitoring & Detection Systems
TAS Platform (HW/SW base technology for safe & dependable real-time computing)
Improved Transport Quality of Services
End users expect: … safe, convenient, competitive and ecological travel … and information with easy access to it, everywhere, always
Defense and Security Business Activities
(Figure: Payment Security, Data Encryption, Identity Management, Network Encryption, Storage Security)
Thales Austria GmbH, September 2012
Thales Austria with international market presence
Presentation Outline
Overview THALES
Applicable Safety Standards
Case Study: TAS Platform
Case Study: Interlocking System ELEKTRA
The future: Operational Management Centers
Railway operation
Comparison of railway operation and road traffic
Why does railway operation require comprehensive safeguarding?
Road: the braking distance lies within the sight distance, so driving on sight is possible.
Rail: only part of the braking distance can be overseen, so driving on sight is not possible.
Highest safety requirement level: a SIL4 application
Standards in safety engineering #1
IEC 61508: Functional safety of electrical / electronic / programmable electronic safety-related systems
General definitions; intended as the origin for sector-specific derivatives
Derived from it (examples):
IEC 61511: Functional safety - Safety instrumented systems for the process industry sector
IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
IEC 61513: Nuclear power plants
ISO 26262: Passenger cars
Standards in safety engineering #2
Railway signalling
EN 50126: Railway Applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN 50129: … electronic systems for signalling
EN 50128: Software for railway control and protection systems
EN 50159: Communication, signalling and processing systems
Definitions in IEC 61508
Safety: freedom from unacceptable risk
Risk: combination of the probability of occurrence of harm and the severity of that harm
Harm: physical injury or damage to the health of people or damage to property or the environment
Tolerable risk: risk which is accepted in a given context based on the current values of society
Hazard: potential source of harm
Separation of responsibilities (EN 50126)
Figure taken from the Handbuch Eisenbahninfrastrukturtechnik
Safety development model according to EN 50129
Presentation Outline
Overview THALES
Applicable Safety Standards
Case Study: TAS Platform
Case Study: Interlocking System ELEKTRA
The future: Operational Management Centers
Characteristics of Railway Control Applications
Product lifetime: in the order of 20 years, including software maintenance, function upgrades, and the delivery of spare computing elements and replacement of faulty components
Safety: CENELEC requires fewer than 10^-9 safety-critical failures per hour
Fail-safe systems: in general a safe state exists which can be entered, e.g. switching all signals to red
Reliability and availability: required to keep trains operating on schedule. As an example, ÖBB requires less than one service interruption in 10 years
Certification: according to CENELEC standards required
Motivation for a Common Platform
Open, scalable SW + HW architecture for all vital signalling applications within Thales DTS (division transport system)
Modularity of system design based on a durable interface description, oriented on standards, implemented in a set of layers
Portable implementation of mechanisms for fault tolerance / redundancy handling in SW (1oo1, 2oo2, 2oo3) - not restricted to specific HW
CENELEC SIL 4 approval of the generic platform core using a reference configuration (“TMR bench”, triple modular redundancy) as real platform instantiation
Clear separation of application SW and platform services
Provision of an effective development methodology and of corresponding tools
TAS Control Platform: the Architecture - 1
Safe and Dependable Real-time Computing for Vital Railway Applications
TAS Control Platform: the Architecture - 2
Redundancy configurations:
Indoor Equipment
Typical 2-out-of-3 setup in 6U CompactPCI subracks
FT, Layering
(Figure: Communication System (incoming messages) -> Synchronization Layer (sync messages) -> Voter -> application -> Communication System (outgoing messages))
Synchronization Layer: globalizes messages, synchronized time, membership supervision
Voter: various voting modes, transient and permanent faults
Fault Management & Recovery: supervises TS (task sets), CE (computing elements), CN (computing node); redundancy managing; state-based on-line recovery
Msg Delivery (figures 1 to 4)
Each computing element CE0, CE1 and CE2 receives its own copy of the incoming message (msg 1 on CE0, msg 2 on CE1, msg 3 on CE2) and hands it to its synchronization layer.
The synchronization layers exchange sync messages, so that afterwards every CE holds the same set msg 1 / msg 2 / msg 3.
The voter on each CE votes over that identical set and delivers the same outgoing message on every CE.
Synchronization Layer (SL)
Synchronization layer (SL) globalizes data and provides a replica-deterministic, identical view on all replicas
SL supervises membership of CEs
SL provides synchronized time for platform applications
SL supports various interconnection structures: point-to-point connection and redundant or non-redundant bus
SL supports various communication protocols: IP (via Ethernet), HDLC
SL supports various strategies for initiating synchronization activity: periodic, message-priority based, or message-load based
Voter
Voter compares redundant messages and delivers voted messages
Voter supports various configurable voting modes: m-out-of-n, 1 <= m <= n <= 3
Protocol-specific voting: concatenate voting, ocs voting mode
Voter deals with transient and permanent faults and configurable thresholds
Voter tolerates data errors, missing messages, singular messages, timing errors, and sequence errors
Fault Management, FM
Fault Management (FM) collects "error messages" from platform components (SL, Voter, CS, ...)
FM supervises:
application software (TS)
computing elements (CEs)
computing node (CN)
FM initiates the proper reaction upon error detection:
kill of a taskset
shutdown of a CE
shutdown of the CN (fail-safe reaction)
Error messages and fault reactions are reported via the syslog mechanism
Recovery
Recovery = live reintegration of replaced or formerly down components
Recovery is performed on Computing Element (CE) level and TaskSet (TS) level
Recovery is performed on-line during operation without interruption of service
Application state information (user data, stacks, registers of threads, TS control information) is transferred from active TS replicas to the passive TS replica (the TS under recovery)
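The Voter, Fault Management and Recovery slides above describe one mechanism in three parts. The following is an added example, not TAS Platform code: an m-out-of-n voter that counts disagreements per computing element, treats a CE as transiently faulty until a configurable threshold declares the fault permanent (shutdown of the CE), drops into the fail-safe state when no m-out-of-n agreement exists or too few members remain (shutdown of the CN), and reintegrates a replaced CE by copying application state from an active replica. The class names, the fail-safe output, the threshold value and the scenario in demo() are assumptions; the voter sees its inputs as the synchronization layer would have globalized them.

```python
"""Added example (not TAS Platform code): m-out-of-n voter with fault management
and on-line recovery. Class names, SAFE_STATE and the thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAFE_STATE = "ALL_SIGNALS_RED"  # assumed fail-safe output after a CN shutdown


@dataclass
class ComputingElement:
    name: str
    active: bool = True      # currently a member of the redundancy set
    errors: int = 0          # consecutive disagreements: the transient-fault counter
    # replicated application state (stands in for user data, stacks, registers)
    state: dict = field(default_factory=lambda: {"cycle": 0, "last": None})


class Node:
    """One computing node: voter + fault management + recovery over up to 3 CEs."""

    def __init__(self, names: List[str], m: int, permanent_threshold: int = 3):
        assert 1 <= m <= len(names) <= 3, "voting mode must be m-out-of-n, 1 <= m <= n <= 3"
        self.ces: Dict[str, ComputingElement] = {n: ComputingElement(n) for n in names}
        self.m = m
        self.permanent_threshold = permanent_threshold  # disagreements before a fault is permanent
        self.node_up = True
        self.log: List[str] = []  # stands in for the syslog channel

    def members(self) -> List[ComputingElement]:
        return [ce for ce in self.ces.values() if ce.active]

    def vote(self, inputs: Dict[str, Optional[bytes]]) -> Tuple[Optional[bytes], str]:
        """inputs: the message each CE holds after the sync layer globalized them
        (None = the CE delivered nothing in time). Returns (voted message, status)."""
        if not self.node_up:
            return None, SAFE_STATE
        members = self.members()
        counts = Counter(inputs.get(ce.name) for ce in members if inputs.get(ce.name) is not None)
        winner, support = counts.most_common(1)[0] if counts else (None, 0)
        if support < self.m:
            self._fail_safe(f"no {self.m}-out-of-{len(members)} agreement")
            return None, SAFE_STATE
        for ce in members:
            if inputs.get(ce.name) == winner:
                ce.errors = 0                    # a transient fault is forgotten once the CE agrees again
                ce.state["cycle"] += 1
                ce.state["last"] = winner
            else:
                self._report_error(ce, "disagreed with the voted message")
        if len(self.members()) < self.m:         # losing a CE may leave too few members for the mode
            self._fail_safe("membership below m")
            return None, SAFE_STATE
        return winner, "VOTED"

    def _report_error(self, ce: ComputingElement, reason: str) -> None:
        ce.errors += 1
        self.log.append(f"voter: {ce.name} {reason} (count={ce.errors})")
        if ce.errors >= self.permanent_threshold:
            ce.active = False                    # FM reaction: shutdown of the faulty CE
            self.log.append(f"FM: permanent fault on {ce.name}, shutdown of CE")

    def _fail_safe(self, reason: str) -> None:
        self.node_up = False                     # FM reaction: shutdown of the CN
        self.log.append(f"FM: shutdown of CN (fail-safe): {reason}")

    def recover(self, name: str) -> None:
        """Live reintegration: copy application state from an active replica, then re-admit the CE."""
        donors = self.members()
        if not donors:
            raise RuntimeError("no active replica to recover from")
        ce = self.ces[name]
        ce.state = dict(donors[0].state)
        ce.errors = 0
        ce.active = True
        self.log.append(f"recovery: {name} reintegrated from {donors[0].name}")


def demo() -> Node:
    """Constructed scenario: 2oo3, one transient and one permanent fault on CE2, then recovery."""
    node = Node(["CE0", "CE1", "CE2"], m=2)
    node.vote({"CE0": b"A", "CE1": b"A", "CE2": b"A"})      # all agree
    node.vote({"CE0": b"B", "CE1": b"B", "CE2": None})      # CE2 message missing: transient
    node.vote({"CE0": b"C", "CE1": b"C", "CE2": b"C"})      # CE2 back in step, counter reset
    for _ in range(3):                                      # three consecutive disagreements
        node.vote({"CE0": b"D", "CE1": b"D", "CE2": b"X"})  # -> CE2 declared permanently faulty
    node.recover("CE2")                                     # replaced CE2 rejoins with copied state
    return node
```

After demo() the node runs on CE0 and CE1 while CE2 is down (a 2oo3 system degraded to 2oo2, where any further disagreement ends in the fail-safe state), and resumes 2oo3 operation once CE2 has been reintegrated with the same cycle counter as its peers.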
TAS PLF in operation
TAS PLF has been in field use since 2001
All new SIL4 systems within the Thales Transport Division are based on TAS PLF
Installed base:
Interlocking Systems:
On-board Systems:
Field elements (axle counters, LEUs, field element controllers, ….):
Presentation Outline
Overview THALES
Applicable Safety Standards
Case Study: TAS Platform
Case Study: Interlocking System ELEKTRA
The future: Operational Management Centers
System ELEKTRA
Electronic interlocking for all sizes of railway stations
Highest level of safety (SIL4) and reliability
Central functions and remote control
Automatic functions for train number, train route setting and shunting operations
Control of relay interlockings
Connectivity to both fail-safe and non-fail-safe systems
Steady upgrade to state-of-the-art processor technology
Most efficient support in diagnosis and maintenance
Cabinets
Safety and Reliability
Different mechanisms for safety and reliability:
Safety
2 software channels
Diverse work rules (e.g. master - slave)
Diverse programming paradigm -> N-version programming (Safety Bag)
Reliability
Redundancies – different for several components
Fault detection, alarming and diagnosis
Separation of redundancy and safety
Architecture
(Figure) The operator's MMI functionality / components connect via LAN comm. to the central controllers: interlocking functionality (CCA) and diverse interlocking functionality (CCB). Below them, element functionality (ECA) and diverse element functionality (ECB) connect via TTP comm. to interface functionality (ICA) and diverse interface functionality (ICB), which drive the track-side elements over the interlocking interfaces. The A components form the logical channel, the diverse B components the safety bag.
Highest level of safety due to:
Diverse software and specification
Safety relays for interfaces
SIL4 approved!
Two-channel approach (logic channel, safety channel)
Basic Concept
(Figure) HMI, communication via X.25 or Ethernet; Central Controller (CCA, CCB with LDA, LDB, ESM), redundancy possible as „Warm Stand-by“; Diagnosis Processor (DGP); 2fr LAN (Ethernet) to the Element Controllers 1 … N (ECA, ECB); Fieldbus (TTP-Bus, Time Triggered Protocol bus) to the interface controllers ICA / ICB 1 … N with interfaces IF1 … IF4 to the outdoor elements, „Hot Stand-by“.
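The two-channel approach from the Safety and Reliability and Architecture slides (a logic channel that plans, a diversely written safety channel that only accepts or rejects) can be shown on a toy interlocking. The following is an added example, not ELEKTRA code: channel A plans a route and has a constructed defect (it ignores track-section occupancy), channel B is written from the safety rules without reference to channel A's code, and a command reaches the field only if both agree; otherwise the signal stays at danger and the station state is not touched. The station layout, route table, rule set and all names are constructed assumptions.

```python
"""Added example (not ELEKTRA code): two-channel (logic channel + safety bag)
interlocking decision on a constructed toy station. All names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DANGER, PROCEED = "danger", "proceed"   # signal aspects; DANGER is the fail-safe aspect


@dataclass
class Station:
    """Constructed station state (in ELEKTRA each channel keeps its own copy)."""
    occupied: Set[str]                                  # track sections with a train on them
    points: Dict[str, str]                              # point id -> "normal" | "reverse"
    locked_routes: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Route:
    name: str
    signal: str
    sections: Tuple[str, ...]                           # sections the route runs over
    points: Tuple[Tuple[str, str], ...]                 # required point positions
    conflicts: Tuple[str, ...]                          # routes that may not be set at the same time


ROUTES: Dict[str, Route] = {                            # constructed route table: R1 and R2 share T2 and P1
    "R1": Route("R1", "S1", ("T1", "T2"), (("P1", "normal"),), ("R2",)),
    "R2": Route("R2", "S2", ("T3", "T2"), (("P1", "reverse"),), ("R1",)),
}


@dataclass(frozen=True)
class Command:
    route: str
    signal: str
    aspect: str
    point_moves: Tuple[Tuple[str, str], ...]


def logic_channel(route_name: str, st: Station) -> Command:
    """Channel A (logic channel): plans the route from the operational rules.
    Constructed defect: it checks conflicting routes but forgets section occupancy."""
    r = ROUTES[route_name]
    if any(c in st.locked_routes for c in r.conflicts):
        return Command(r.name, r.signal, DANGER, ())
    moves = tuple((p, pos) for p, pos in r.points if st.points.get(p) != pos)
    return Command(r.name, r.signal, PROCEED, moves)


def safety_channel(cmd: Command, st: Station) -> Tuple[bool, List[str]]:
    """Channel B (safety bag): written from the safety rules, independently of channel A.
    It never plans anything; it only accepts or rejects what channel A proposes."""
    reasons: List[str] = []
    if cmd.aspect == DANGER:
        return True, reasons                            # a restrictive command is always safe
    r = ROUTES.get(cmd.route)
    if r is None or r.signal != cmd.signal:
        return False, ["unknown route or signal mismatch"]
    for s in r.sections:                                # rule 1: every section of the route is clear
        if s in st.occupied:
            reasons.append(f"section {s} occupied")
    after = dict(st.points)
    after.update(dict(cmd.point_moves))
    for p, pos in r.points:                             # rule 2: points end up in the required position
        if after.get(p) != pos:
            reasons.append(f"point {p} not {pos}")
    for c in r.conflicts:                               # rule 3: no conflicting route is locked
        if c in st.locked_routes:
            reasons.append(f"conflicting route {c} locked")
    moved = {p for p, _ in cmd.point_moves}
    for other in st.locked_routes:                      # rule 4: points under a locked route stay put
        for p, _ in ROUTES[other].points:
            if p in moved:
                reasons.append(f"point {p} locked by route {other}")
    return (not reasons), reasons


def set_route(route_name: str, st: Station) -> Tuple[Command, List[str]]:
    """Two-channel output: the command reaches the field only if both channels agree;
    otherwise the signal stays at danger and the station state is left untouched."""
    cmd = logic_channel(route_name, st)
    accepted, reasons = safety_channel(cmd, st)
    if not accepted:
        return Command(cmd.route, cmd.signal, DANGER, ()), reasons
    st.points.update(dict(cmd.point_moves))
    if cmd.aspect == PROCEED:
        st.locked_routes.add(cmd.route)
    return cmd, reasons
```

The point of the arrangement is that channel B does not have to be complete in the operational sense; it only has to be right about what is unsafe, and because it is derived from a diverse specification, a defect in channel A (here the forgotten occupancy check) does not propagate to the field.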
Presentation Outline
Overview THALES
Applicable Safety Standards
Case Study: TAS Platform
Case Study: Interlocking System ELEKTRA
The future: Operational Management Centers
Introduction
System Model (figure): Timetabling; NMS; Process Visualisation; Forecasting; Conflict detection; Automatic Train Route Setting; Customer Information; Automated Shunting; Remote Control; Route Control (e.g. ELEKTRA, SCWS); Train Protection - ETCS; …
Introduction
Traditionally
Interlockings usually locally manned
Station masters are responsible for train and shunting movements
Route control, train supervision
Work gang protection
Customer / passenger information
Limited options for dispatching
Limited application of automatic operations
Information exchange only via phone
NMS ~ ARAMIS
Strategy
1 Network Management Center: traffic coordination on the network; all information about the traffic situation on the network
5 Operation Management Centers: disposition and control of traffic; regional traffic management; customer information; technical service-center
Operator Working Place
Many thanks for your attention