
MTCS – Modular Train Control System
SIL 4 Railway Computer for Rolling Stock and Wayside Applications

In Accordance with:

EN 50155, EN 50121-4, EN 50129, EN 50126, EN 50128


The MTCS Approach
» MTCS – Modular Train Control System
» Safety Compliance with EN 5012x
» Environmental Compliance with EN 50155
» Long-Term Availability

MTCS Architecture
» Safe MTCS Controller
» Safe MTCS Remote I/O Box
» Safe MTCS CPU Component
» Safe MTCS I/O Components
» MTCS Configuration Examples
» Safe MTCS Real-Time Ethernet Topology
» MTCS Software Architecture
» MTCS Safety Guaranteed by TÜV Certificate

MTCS Application Areas
» Rolling Stock
» Wayside

MTCS Benefits Summary

The governments of many countries have raised their safety standards for mass transit and freight transport and / or are working on nationwide traffic regulation programs, e.g.:

» SIRF stage 2 (Germany)

» PTC – Positive Train Control (USA)

» ETCS – European Train Control System

» CTCS – Chinese Train Control System

» KLUB-U – Russian Train Control System


The MTCS Approach


MTCS is an open and modular railway computer platform based exclusively on standard hardware and software. It is certifiable up to SIL 4 in all of its individual parts and complies fully with the EN 50155 and EN 50121-4 railway standards.

MTCS is designed to operate in rolling-stock applications such as Automatic Train Operation (ATO) and Automatic Train Protection (ATP) as well as in wayside applications such as interlocking systems.

MTCS consists of the safe controller, the safe I/O functions and the communication interfaces to the “outside” world.

The final safety level of MTCS is scalable and thus determined solely by the application requirements, resulting in an optimum price / performance ratio.


MTCS – Modular Train Control System

MTCS is the first computer system ever in the history of the railway industry that separates the control electronics – the computer hardware – from the real control function – the application software.

Unlike existing solutions, which are proprietary and show a fixed hardware/software configuration closed to the access of the end user, MTCS opens up the essential interfaces between the control electronics and the application.

MTCS is therefore the first and only railway computer that is based on defined open standards for hardware, software and communication. Its modularity makes it configurable for every control function inside and outside the train – and scalable to any required SIL level.

MTCS comes with certification packages from TÜV Süd, drastically reducing the time of the certification process.

The SIL 4 certifiable and real-time capable kernel supports the partitioning of the application according to the required safety level, thus reducing the software development effort.

The “non-safe”, Linux-based part for communication and service is completely separated. It guarantees that the system is open towards the external world.

The data transfer of the inputs and outputs is realized via a safe real-time Ethernet. Based again on an industry standard, the safety of the I/O communication is also proven by TÜV Süd.

Being a totally open platform concerning software and hardware, MTCS is the first and only railway computer that offers a separation of the rail service from the electronic control system behind it.

This unique feature allows railway system suppliers to concentrate on their core business. It also facilitates market entry for small and medium-size companies. And it enables rail operators to become their own general contractor, keeping full transparency of their project at any time.


Safety Compliance with EN 5012x

MTCS complies with the requirements of the EN 5012x family of railway standards developed by CENELEC, based on IEC 61508 (Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems):

» EN 50126: Railway Applications – The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
» EN 50128: Railway Applications – Communication, signaling and processing systems – Software for railway control and protection systems
» EN 50129: Railway Applications – Communication, signaling and processing systems – Safety related electronic systems for signaling

MTCS components come with SIL 4 certification packages for the hardware, with complete support for the safe operating system QNX® (PikeOS on request), including safe protocols, CST layer, I/O transfer layer etc.

Environmental Compliance with EN 50155

MTCS complies with all environmental requirements of EN 50155 (Railway Applications – Electronic equipment used on rolling stock) for in-vehicle operation:

» Operating temperature class TX: −40 to +70 °C (10 minutes up to +85 °C) with qualified components
» Shock: 50 m/s², 30 ms (EN 50155 (12.2.11) / EN 61373)
» Vibration (functional): 1 m/s², 5 Hz – 150 Hz (EN 50155 (12.2.11) / EN 61373)
» Vibration (lifetime): 7.9 m/s², 5 Hz – 150 Hz (EN 50155 (12.2.11) / EN 61373)
» Humidity, dust: conformal coating
» PSU class 2 hold-up times with just one wide-range PSU, 14.4 to 154 V
» 14.4 to 154 V also supported by I/O components
» EMC regulations:
  » EN 50121-3-2 (tables 5 and 6) / EN 55011 (radio disturbance)
  » EN 50121-3-2 (table 9) / IEC 61000-4-2 (ESD)
  » EN 50121-3-2 (table 9) / IEC 61000-4-3 (electromagnetic field immunity)
  » EN 50121-3-2 (table 8) / IEC 61000-4-4 (burst)
  » EN 50121-3-2 (table 8) / IEC 61000-4-6 (conducted disturbances)

MTCS also complies with the EMC regulations of EN 50121-4: Railway Applications – Electromagnetic compatibility (Emission and immunity of the signaling and telecommunications apparatus).


Long-Term Availability

MEN guarantees long-term availability of all parts of the MTCS for a minimum period of 10 years.

After this period, single chips or electronic components may be declared obsolete by one of our suppliers. In the worst case, this may require the exchange of one or another board in the MTCS system. As all of these boards are standards-based, the application itself remains largely untouched.

If it becomes necessary to exchange such a standard board, MEN delivers a change effect analysis together with the redesign. This ensures that the effort for re-porting the application, as well as for a potential re-certification, is reduced to a minimum.

Using an open system like MTCS means that product obsolescence management can be limited to single standardized parts of a train control system or interlocking system. It will never again affect and endanger the complete train or wayside function.

[Figure: MTCS software stack. MTCS Hardware; Linux: General Purpose User Software; QNX: Safe User Application in “C”, Soft PLC, ANSYS SCADE.]


MTCS Architecture


The communication inside the MTCS system – between the safe MTCS controller, safe I/O boards and safe remote I/O boxes – is based exclusively on a safe standard real-time Ethernet.

Its modular configuration enables the MTCS system to communicate with other train systems such as service or diagnosis units via any type of wired or wireless interface. Additionally, fieldbus interfaces can be implemented to connect to other networks such as MVB, CAN, Profinet etc. This makes it easy to integrate into a TCN network as well as into regionally different train control systems such as PTC, ETCS, CTCS, ATCS or KLUB-U.

MTCS is an application-ready platform, allowing the immediate start of application development and giving the user complete control over the functionality of the whole system. While the “unsafe” part of the application runs under a Linux operating system, the safe part of the application runs in a safe kernel of the real-time operating system QNX. The safe application can either be programmed directly in POSIX standard “C” or optionally with the Flexisafe safe PLC.

MTCS is SIL 4 certifiable and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV Süd.

» The high level of modularity of the MTCS hardware and software allows MTCS to be used as the sole platform for a multitude of varying rail applications.
» As the whole MTCS system is based on standards, the life-cycle cost of each rail project can also be drastically reduced.
» The pre-certification of the MTCS hardware and software results in significant cost and time savings during computerization of the train, whether a vehicle is new or is being refurbished.

The heart of the MEN Train Control System is the MTCS controller, which delivers state-of-the-art computing performance based on x86 PC technology. The MTCS controller consists of a safe part and what is called an “unsafe” (general purpose) part. The MTCS controller can be used as a standalone device and in combination with up to 63 remote I/O boxes.


Safe MTCS Controller

The MH50C MTCS controller supports a modular built-to-order configuration and consists of:

» Certifiable safe CPU board with local redundancy
» Up to 6 I/O boards:
  » Either certifiable safe I/O boards
  » Or interface boards to Ethernet, WiFi, GPS, COMs, CAN, MVB etc.
  » Or a combination of both
» 14.4 to 154 V DC wide-range voltage supply
» QNX® safe real-time operating system
» Linux “unsafe” operating system
» SIL 4 certification packages by TÜV Süd

To raise the availability of the safe MTCS system, the functionality of two MTCS controllers can be clustered in one enclosure.

The MH50C comes in a compact half-19" housing based on the established CompactPCI standard. The CPU board and I/O boards comply with the robust 3U Eurocard format. The system can be wall- or rack-mounted and supports forced-air cooling.


Safe MTCS Remote I/O Box

An extension of the MTCS system by remote I/O boxes (KT4, KT6, KT8) becomes necessary if:

» The required I/O functions exceed the capabilities of the MTCS controller
» The actuators and sensors are located far away from the MTCS controller

Each MTCS remote I/O box consists of:

» Up to 4, 6 or 8 certifiable safe I/O boards
» Real-time Ethernet interface with chassis configuration switch
» 14.4 to 154 V DC wide-range PSU
» Certification packages by TÜV Süd for the safe I/O

The remote I/O boxes are based on 19" technology, with a reduced depth of less than 160 mm to provide compact, space-saving packaging. They can be either wall-mounted or installed on DIN rail mechanics.


Safe MTCS CPU Component

The central element of MTCS is the safe CPU board F75P, a standard CompactPCI board designed to execute safety-critical applications as well as “unsafe” applications. It comes with a dedicated certification package:

» 2 redundant Intel® processors to execute the safety logic
» 3rd Intel® CPU as general purpose and I/O communication processor
» Independent supervisors for each block
» Fail-safe and fail-silent board architecture
» Hot or cold stand-by
» Clustering of two F75P to raise availability
» Event logging with intelligent board management controller

In the MTCS standard configuration, and as such included in the available certification packages, the two independent control processors run the safe deterministic real-time operating system QNX Neutrino, while the “unsafe” general purpose processor operates under Linux.

Other MTCS configurations can also work with safe real-time operating systems such as PikeOS, INTEGRITY or VxWorks – even in a combination of different safe operating systems to support optional diversity in software on both kernels.


Safe MTCS I/O Components

The SIL 4 certified safe I/O boards comprise the typical functions required for railway applications and come with dedicated certification packages:

» K1 – 8 binary outputs
» K2 – 16 binary inputs
» K3 – safety relay outputs (in preparation)
» K4 – 4 frequency inputs, used to measure the speed of the train via wheel sensors
» K5 – analog outputs (in preparation)
» K6 – analog inputs (in preparation)

All I/O components connect via spring-cage terminal blocks for fast installation thanks to reduced wiring. They are fully isolated and support the full voltage range from 14.4 to 154 V DC.

Generally, a single “K” board can be used to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4. This scalable approach reduces cost where a lower SIL level is sufficient. The safe MTCS I/O cards are designed to be used inside the MH50C MTCS controller as well as to configure the MTCS remote I/O boxes:

» MH50C accommodates up to 6 safe I/O cards
» KT8 accommodates up to 8 safe I/O cards
» Further remote I/O boxes will be able to accommodate smaller numbers of safe I/O cards for installation areas with very limited space.
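The two redundant safety processors of the F75P with their compare stage, and the pairing of two “K” boards for SIL 3 / SIL 4 I/O (each SIL 4 output using two pins), both follow the same two-out-of-two principle: an output is driven only while both channels agree, and any disagreement or a missing channel result drives the outputs to the de-energised state and silences the stage until it is deliberately reset. The following C example, added here and not taken from MEN's MTCS software, models that principle. The application logic in channel_logic, the input structure, the eight-bit output word and the choice of “all outputs de-energised” as the safe state are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Safe state assumed for this example: every binary output de-energised. */
#define OUT_SAFE 0x00u

/* Constructed inputs as each channel reads them from its own input copy. */
typedef struct {
    uint16_t speed_kmh;
    bool     doors_closed;
    bool     traction_request;
} channel_inputs_t;

/* State of the 2oo2 output stage (the "Compare" block in front of the pins). */
typedef struct {
    uint8_t  outputs;   /* word last driven to the 8 binary outputs */
    bool     silent;    /* latched after a fault: stage no longer drives outputs */
    uint32_t faults;    /* number of detected disagreements / missed deadlines */
} out2oo2_t;

/* Hypothetical application logic, executed identically on both safety
 * processors. Bit 0: traction enable, only with doors closed and a request.
 * Bit 1: door release, only at standstill. */
uint8_t channel_logic(const channel_inputs_t *in)
{
    uint8_t out = 0;
    if (in->doors_closed && in->traction_request) out |= 0x01u;
    if (in->speed_kmh == 0)                        out |= 0x02u;
    return out;
}

/* One cycle of the 2oo2 stage. ok_a / ok_b report whether each channel
 * delivered its result before the cycle deadline (the supervisor's view).
 * Returns the word that actually reaches the pins. */
uint8_t out2oo2_cycle(out2oo2_t *st, uint8_t out_a, bool ok_a,
                      uint8_t out_b, bool ok_b)
{
    if (!st->silent && (!ok_a || !ok_b || out_a != out_b)) {
        /* Fail-silent: the first disagreement or missed deadline latches the
         * fault; the stage stays silent until an explicit, diagnosed reset. */
        st->silent = true;
        st->faults++;
    }
    /* Each SIL 4 output uses two pins, one per channel, so a pin is energised
     * only when both channels energise it: the AND of the two channel words.
     * A silent stage drives the safe state regardless of the channel words. */
    st->outputs = st->silent ? OUT_SAFE : (uint8_t)(out_a & out_b);
    return st->outputs;
}

/* Reset is a deliberate maintenance action, never automatic. */
void out2oo2_reset(out2oo2_t *st)
{
    st->silent  = false;
    st->outputs = OUT_SAFE;
}

/* Constructed scenario: four cycles; channel B's speed input is wrong in the
 * third cycle (sensor fault). Returns the output word after the last cycle. */
uint8_t run_scenario(out2oo2_t *st)
{
    const channel_inputs_t cycles_a[4] = {
        {0, true, false}, {0, true, true}, {12, true, true}, {12, true, true} };
    channel_inputs_t cycles_b[4];
    for (int i = 0; i < 4; i++) cycles_b[i] = cycles_a[i];
    cycles_b[2].speed_kmh = 0;   /* channel B still believes the train stands */

    uint8_t out = OUT_SAFE;
    for (int i = 0; i < 4; i++) {
        out = out2oo2_cycle(st, channel_logic(&cycles_a[i]), true,
                                channel_logic(&cycles_b[i]), true);
        printf("cycle %d: outputs=0x%02x silent=%d\n", i, out, (int)st->silent);
    }
    return out;
}

int main(void)
{
    out2oo2_t st = { OUT_SAFE, false, 0 };
    run_scenario(&st);
    return st.faults == 1 ? 0 : 1;
}
```

In the scenario the third cycle produces 0x01 on channel A and 0x03 on channel B; the stage latches the fault, drops to 0x00 and stays there for the fourth cycle even though both channels agree again. Note what the stage does not do: it never picks the “more plausible” channel, because with two channels there is no majority, and it never clears the fault on its own.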

MTCS System Controller:


MTCS Configuration Examples

MH50C Configuration Example 1

Option slots populated with safe I/O:
» 8 digital outputs, SIL 4 (each using 2 pins)
» 16 digital inputs, SIL 4 (each using 2 pins)
» 8 frequency input channels, SIL 4

MH50C Configuration Example 2

Option slots populated with safe I/O:
» 8 digital outputs, SIL 2
» 16 digital inputs, SIL 2
» 4 frequency input channels, SIL 2
» MVB master
» 2 slots reserved for future use

This configuration targets SIL 2 safe I/O applications: each safe I/O card is assembled only once.

Both configuration examples are based on the “barebone configuration”, which includes the safe F75P CPU board, a real-time Ethernet card connecting distributed safe I/O, a wide-range PSU and system supervision.


MTCS Remote I/O Boxes:

Configuration of a KT8 providing
» 8 SIL 4 outputs (each using 2 pins) + 8 SIL 2 outputs
» 16 SIL 4 inputs (each using 2 pins) + 16 SIL 2 inputs
» 4 SIL 4 frequency input channels (using 2 separate frequency counters)

Configuration of a KT4 providing
» 8 SIL 4 outputs (each using 2 pins)
» 16 SIL 2 inputs
» 4 SIL 2 frequency input channels

MTCS System Controller in Combination with Remote I/O Boxes:
[Figure: one MTCS Controller connected to three MTCS Remote I/O boxes]

Safe MTCS Real-Time Ethernet Topology


The complete MTCS I/O – no matter whether it is part of the MH50C controller or located in the remote I/O boxes – is connected via real-time Ethernet. Thus, the application can treat all I/O functions in the same way.

All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring. A second break is not covered by this mechanism: the boxes isolated between the two breaks can no longer be reached, so a first break should be repaired promptly rather than tolerated indefinitely.

[Figure: real-time Ethernet ring. Two clustered MTCS Controllers (each with BC, Real-Time Ethernet Master and I/O Boards) and MTCS I/O boxes (each with BC and I/O Boards), connected in a ring.]


MTCS Software Architecture

The MTCS software distinguishes between the safe and the “unsafe” domain in order to save cost and time for application development and certification. This separation allows applications that are not safety-relevant to be developed separately from safe applications.

“Unsafe” applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system. The two domains exchange data only over a defined communication path (shared RAM and a virtual Ethernet).

In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the so-called “black channel” approach is applied: the Ethernet hardware, switches and cabling are not trusted, and a safety communication layer at both ends detects corruption, repetition, deletion, insertion, re-sequencing and delay of safety telegrams by means of sequence numbers, time stamps, source and destination identifiers and a safety code.

The method for transporting safe data over untrusted transmission systems is defined by EN 50159. These measures address transmission errors; where the transmission system is open to unauthorised access, EN 50159 additionally requires cryptographic techniques.
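The following C example, added here and not MEN's MTCS implementation, shows the sender and receiver side of such a safety communication layer over a black channel. The frame layout (16-bit source and destination identifiers, 32-bit sequence number, 32-bit time stamp in milliseconds, length byte, payload, CRC-32 safety code), the field sizes and the maximum accepted age are assumptions chosen for illustration; EN 50159 prescribes the defences, not this encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout (not the MTCS wire format), all fields big-endian:
 * src_id(2) dst_id(2) seq(4) timestamp(4) len(1) payload(len) crc32(4) */
#define SAFE_PAYLOAD_MAX 16
#define SAFE_HDR_LEN     13
#define SAFE_FRAME_MAX   (SAFE_HDR_LEN + SAFE_PAYLOAD_MAX + 4)

typedef enum {
    SAFE_OK = 0,
    SAFE_ERR_LENGTH,  /* truncated or oversized frame */
    SAFE_ERR_CRC,     /* corruption on the black channel */
    SAFE_ERR_ADDR,    /* insertion / masquerade: wrong source or destination */
    SAFE_ERR_SEQ,     /* repetition, deletion or re-sequencing */
    SAFE_ERR_TIME     /* delay beyond the accepted age */
} safe_result_t;

typedef struct { uint16_t src_id, dst_id; uint32_t next_seq; } safe_tx_t;

typedef struct {
    uint16_t my_id, peer_id;
    uint32_t expected_seq;  /* next sequence number the receiver accepts */
    uint32_t max_age_ms;    /* oldest frame still allowed to drive outputs */
} safe_rx_t;

/* CRC-32 (IEEE 802.3 polynomial, reflected) used as the safety code. It detects
 * random corruption only; an open network needs a cryptographic MAC instead. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Sender: wrap a payload into one safety telegram. out must hold
 * SAFE_FRAME_MAX bytes. Returns the frame length, 0 if the payload is too big. */
size_t safe_tx_build(safe_tx_t *tx, const uint8_t *payload, uint8_t len,
                     uint32_t now_ms, uint8_t *out)
{
    if (len > SAFE_PAYLOAD_MAX) return 0;
    put16(out, tx->src_id);
    put16(out + 2, tx->dst_id);
    put32(out + 4, tx->next_seq++);
    put32(out + 8, now_ms);
    out[12] = len;
    memcpy(out + SAFE_HDR_LEN, payload, len);
    size_t n = SAFE_HDR_LEN + len;
    put32(out + n, crc32_ieee(out, n));   /* safety code over everything before it */
    return n + 4;
}

/* Receiver: every check must pass before the payload may reach the application.
 * Any failure is reported and the caller treats the data as absent (fail-safe). */
safe_result_t safe_rx_check(safe_rx_t *rx, const uint8_t *buf, size_t n,
                            uint32_t now_ms, uint8_t *payload_out, uint8_t *len_out)
{
    if (n < SAFE_HDR_LEN + 4 || n > SAFE_FRAME_MAX) return SAFE_ERR_LENGTH;
    uint8_t len = buf[12];
    if (len > SAFE_PAYLOAD_MAX || n != (size_t)SAFE_HDR_LEN + len + 4) return SAFE_ERR_LENGTH;
    if (get32(buf + n - 4) != crc32_ieee(buf, n - 4)) return SAFE_ERR_CRC;
    if (get16(buf) != rx->peer_id || get16(buf + 2) != rx->my_id) return SAFE_ERR_ADDR;
    uint32_t seq = get32(buf + 4);
    if (seq != rx->expected_seq) return SAFE_ERR_SEQ;
    /* Time base assumed shared between sender and receiver; the unsigned
     * subtraction also rejects a time stamp that lies in the future. */
    if (now_ms - get32(buf + 8) > rx->max_age_ms) return SAFE_ERR_TIME;
    rx->expected_seq = seq + 1;   /* advance only after a fully valid frame */
    if (payload_out) memcpy(payload_out, buf + SAFE_HDR_LEN, len);
    if (len_out) *len_out = len;
    return SAFE_OK;
}
```

With this layer a replayed telegram fails the sequence check, a telegram with a flipped payload bit fails the safety code, a telegram held back by a faulty switch fails the age check, and a telegram from another station fails the identifier check, regardless of what the Ethernet layer below reports. After any error a real safety layer does not simply resume: it re-establishes the connection under a defined procedure, and the application holds its outputs in the safe state in the meantime.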

[Figure: MTCS software architecture. Safe Domain (I/O Board): User Safety Application, Safety Communication Layer. I/O Domain (CPU Board): Linux (Soft Real-Time), Driver Libraries, Non-Safe Application Communication, Diagnosis, Services, External Interfaces. Safe Domain (CPU Board): Safe QNX / Safe BSP, User Safety Application, Safety Communication Layer and Compare, once per redundant processor. The domains are linked by Communication (Shared RAM, Virtual Ethernet); the I/O board is reached through the Black Channel.]


MTCS Safety Guaranteed by TÜV Certificate

The complete MTCS solution may contain safe and “unsafe” parts. For the safe parts of the system two certification packages are provided:

» For the F75P CPU board of the MH50C system controller – including QNX Board Support Package
» For the I/O cards – including QNX drivers

Each SIL 4 railway certification package according to EN 5012x includes a number of documents:

» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety- and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD (German Technical Inspection Agency)

[Figure: contents of a certification package: Safety User Guide, Safety Case, TÜV Assessment Report, TÜV Certificate, F75P QNX BSP, QNX Drivers.]


MTCS Application Areas


Rolling Stock

MTCS is well suited for use in new train models as well as for refurbished trains. Thanks to its modularity, it is easy to install and retrofit safety and automation functions with MTCS in any type of older rail vehicle as well.

MTCS is:

» Compact, safe and robust in accordance with EN 50155
» A versatile, consistent, open and safe platform for all functions such as ATO, ATP, PTC, ETCS …
» Safe control system plus communication system – all in one, but strictly partitioned
» Fully compatible with EN 50155 (incl. all temperature and voltage ranges)
» Safe remote I/O, connected via redundant real-time Ethernet
» The interface to all existing train communication such as MVB, WTB, CAN …
» The wireless communication interface to the outside world through GSM-R, GPS, WLAN …

[Figure: rolling-stock example. MTCS Controller on Ethernet, Train Bus (MVB, CAN) and I/O Bus (CAN, Profibus) with Gear Control, Fuel Control, Wheelslip Control, Driver Display and Driver Cab Controls/Indicators; MTCS Remote I/O connected to Valves, Relays, Sensors … and Brakes.]


Wayside

MTCS is well suited both for use in new interlocking systems and for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer. MTCS is compact, safe and robust in accordance with EN 50155 and EN 50121-4 (EMC).

MTCS enables:

» Introduction of ETCS (European Train Control System) L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Reduction of dependence on single suppliers, resulting in a growing service offer
» Increase of the performance of the interlocking systems
» Decrease of life-cycle cost
» Avoidance of the costly total replacement by electronic interlocking systems (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the increase of total capacities
» Low cabling cost thanks to standardized Ethernet technology


MTCS Benefits Summary


Safety

» Safety levels SIL 4, SIL 3, SIL 2, SIL 1, SIL 0: flexible configuration of safety levels results in optimum price/performance
» Redundancy: provides safety by means of 2 control processors on a single CPU board
» Fail-silent: the system provides the correct service or remains silent.
» Fail-safe: the system will not endanger lives or property when it fails.
» Fail-operational: clustering of hardware components if the system must stay operational

Open I/O

» Ethernet communication: makes use of standard cabling and line interfaces; connects the main control system and the remote I/O boxes
» Real-time Ethernet communication: guarantees deterministic behavior on a standard communication protocol
» Functional safety over Ethernet: “black channel” for safe, TÜV certified I/O communication
» Safe modular railway I/O up to SIL 4:
  » Digital inputs/outputs (wide range, EN 50155 compliant)
  » Analog inputs/outputs (wide range, EN 50155 compliant)
  » Frequency inputs (detection of hold, frequency, period, pulse width, direction, distance, encoder supply)
  » Relay outputs (wide range, EN 50155 compliant)

Open Safe Platform

» Safe API (Application Interface): POSIX compliant, “C” programming language
» QNX Real-time Operating System: partitioning of the application for different safety levels

Open General Purpose Platform

» Linux Operating System: development of the “unsafe” part of the application in a familiar standard software environment


Open Communication Extensions

» Railway fieldbuses: connection to the existing TCN network via MVB & WTB interface boards
» Other fieldbuses: connection to existing train devices via CAN, ProfiNet etc. interface boards
» Ethernet: connection to standard switches and routers
» WiFi, radio, GPS, RS485: connection to all popular in-vehicle and external communication interfaces

Functionality

» Open API for “C” or safe PLC: freely programmable or Flexisafe PLC software environment
» Safe programming: in the “C” language, or based on “Soft SPS” (soft PLC), or “ANSYS SCADE” model-based
» Physical software separation between safe and “unsafe” domain: saves time and cost for application development and certification
» Linux: for general purpose and open communication

Open Hardware Standard

» Standard PC hardware architecture: state-of-the-art x86 host controller
» Main controller with Intel CPU board architecture: safety execution with 2 redundant processors, 1 general purpose processor, independent supervisors for each block
» CompactPCI: robust, industry-proven backplane and computer board standard
» 19" systems: well-known enclosure standard
» 3U Eurocard format: robust board standard
» I/O connectivity: spring-cage terminal blocks make connection easy and reduce cabling
» 14.4 to 154 V DC wide-range PSU: international railway compliance with just one system


Standards Compliance

» EN 50155 & EN 50121-4: fully proven for rolling stock and wayside railway environments
» EN 50126/128/129 (based on IEC 61508): developed for functional safety from SIL 0 to SIL 4
» SIL 4 certification packages with TÜV Süd certificate: modular hardware/software packages make certification of the final application easy and fast

Customer Support

» Long-term availability: 10 years guaranteed to save time and cost investment of the project
» Life-cycle management: secures overall operability of the application when single components need to be substituted
» Development services
» Environmental test services
» Worldwide sales support
» Consultancy: defining the appropriate solution together with the customer
» Experienced supplier of reliable embedded computer solutions: IRIS certified partner of the railway industry for many years

February 2015 Copyright © MEN Micro Inc. / MEN Mikro Elektronik GmbH® / MEN Mikro Elektronik SAS All rights reserved.


www.men.de
www.men-france.fr
www.menmicro.com