10 Frequently Asked Questions about the Safe Train Control System menTCS


Upload: men-mikro-elektronik-gmbh

Post on 22-Jan-2018


October 11, 2017


1: Is menTCS interoperable with already existing systems and how can it be integrated?

2: Why is menTCS called an open system?

3: Why is menTCS called a modular system?

4: Which kind of rolling-stock applications can be covered with menTCS?

5: Which kind of wayside applications can be covered with menTCS?

6: What are the safety configuration possibilities of menTCS?

7: Why choose QNX as the safe standard operating system for menTCS?

8: What would be the operating system of choice for the non-safe parts of the application?

9: Why does menTCS use EtherCAT for the communication?

10: Is the menTCS lifetime guaranteed by a life-cycle management?

1: Is menTCS interoperable with already existing systems and how can it be integrated?

▪ Yes. Thanks to its modularity, menTCS makes it easy to install and retrofit safety and automation functions in any type of older rail vehicle.

▪ menTCS can also be used for a soft modernization and automation of older electronic interlocking equipment, supporting installation of simpler, smaller and standardized inside facilities.

▪ The modular CompactPCI hardware architecture allows the MH50C controller to be extended with further communication and interface cards, including standard PCI Express Mini Cards and similar state-of-the-art devices:

▪ Connection to existing TCN network via MVB & WTB railway fieldbus interface boards

▪ Connection to existing train devices via CAN, ProfiNet and other fieldbus interface boards

▪ Connection to standard switches and routers via Ethernet

▪ Connection to all popular in-vehicle and external communication interfaces via Wi-Fi, radio, GPS, RS485 etc.

2: Why is menTCS called an open system?

▪ menTCS is exclusively based on open industry standards in hardware, software and communication, allowing the end user to stay vendor-independent and protected against obsolescence issues:

▪ Standard PC hardware architecture with state-of-the-art x86 host controller

▪ Standard 19” CompactPCI industry standard

▪ Standard operating systems (QNX, Linux)

▪ Standard Ethernet communication with safe real-time EtherCAT

▪ Standard communication interfaces to TCN network, MVB, CANopen, ProfiNet etc.

▪ Standard POSIX programming interface for “C”

▪ menTCS separates the control electronics (the computer hardware) from the control function (the application software).

▪ menTCS opens up the essential interfaces between the control electronics and the application.

▪ As a totally open platform, menTCS is the first railway computer that makes rail service suppliers and rail operators independent from a solution provider, giving them full control over their project.

3: Why is menTCS called a modular system?

▪ menTCS is modular in terms of hardware based on its proven 19” CompactPCI technology:

▪ The MH50C controller can be configured with the exact number of required safe I/O channels, and non-safe functions based on standard CompactPCI boards.

▪ menTCS is modular in terms of I/O location:

▪ Up to 63 remote I/O boxes (with four to eight boards per device) can be connected to one MH50C controller, saving huge wiring cost and increasing the operation stability.

▪ menTCS is modular in terms of software:

▪ Ready to integrate all state-of-the-art real-time operating system BSPs, with QNX being used as the standard operating system

▪ Ready to mix and match RTOS for safe functions with Linux for non-safe functions

▪ Ready to communicate via the EtherCAT standard real-time variant of standard Ethernet

▪ Ready to start programming based on different standard environments

▪ menTCS is modular in terms of certification:

▪ As the complete menTCS solution may contain “safe” and “non-safe” parts, different SIL 4 certification packages are provided.

▪ All certificates are available either for the hardware only or as a bundle together with the safe components of the QNX real-time operating system.

4: Which kind of rolling-stock applications can be covered with menTCS?

▪ menTCS is the central computer platform for on-board ATO and ATP (Automated Train Operation and Protection) functions.

▪ menTCS can be the heart of a CBTC (Communication Based Train Control) system.

▪ menTCS can be the heart of a TCMS (Train Control Management System).

▪ menTCS is at the door, at the wheel, at the gear with its up to 63 safe remote I/O boxes.

▪ menTCS connects to the driver cab display.

▪ menTCS interfaces to all existing train communication standards such as MVB, WTB, CAN etc.

▪ menTCS interfaces to the outside world via wireless communication using GSM-R, GPS, WLAN etc.

5: Which kind of wayside applications can be covered with menTCS?

▪ menTCS is compliant with the EN 50121-4 standard for wayside EMC regulations describing the emission and immunity of the signaling and telecommunications apparatus.

▪ menTCS is the central computer platform for electronic interlocking in signaling control systems.

▪ menTCS is the basis for any kind of trackside and level-crossing TCMS (Train Control Management System).

▪ menTCS covers a part of the functions of the European ETCS as well as, e.g., CTCS, ATMS, PTC or Klub-U.

▪ The equivalent of the on-board ETCS function of menTCS is the EVC (European Vital Computer).

▪ The equivalent of the wayside ETCS function of menTCS is the RBC (Radio Block Center).

6: What are the safety configuration possibilities of menTCS?

▪ menTCS consists of SIL 4 hardware and software components pre-certified according to EN 50126, EN 50128 and EN 50129, leading to a significant time and cost saving for the end application.

▪ menTCS can also be configured as a SIL 2 system, saving cost through a reduced I/O channel count.

▪ A single F75P (safe CPU board) or MH50C (safe menTCS controller) is already a 2oo2 unit according to EN 50129.

▪ The MH50C is designed to be fail-safe.

▪ It supports double execution of software on two redundant processors.

▪ It supports cross-checking between two redundant processors.

▪ The safe communication with the I/O is based on safety protocols.

Use Case for menTCS:

7: Why choose QNX as the safe standard operating system for menTCS?

▪ The QNX real-time operating system is well established on an international level, and offers a broad range of development tools.

▪ The safe QNX Neutrino microkernel supports partitioning of the application. Partitioning saves cost and development time by:

▪ Separating safe and non-safe functions on the same platform

▪ Combining different SILs on one platform, e.g., SIL 2 for ATO and SIL 4 for ATP

▪ In addition, the microkernel structure allows application processes to be separated from protocol stacks and drivers.

▪ QNX also supports message passing, allowing the application to cross processor boundaries.

> menTCS can be used together with other safe operating systems, too:

▪ menTCS is prepared to support GreenHills Integrity, Sysgo PikeOS and Wind River VxWorks 7 Safety Profile.

▪ A demo BSP for PikeOS is available from Sysgo.

▪ Integrity and VxWorks 7 Safety Profile will be made available on request.

8: What would be the operating system of choice for the non-safe parts of the application?

▪ Linux – because it is open source, independent of the hardware platform, offers a huge variety of freely available development tools as well as peripheral drivers, and is used worldwide.

Why does it make sense to separate the safe from the non-safe applications at all?

▪ The combination of two operating systems – QNX and Linux – on one hardware platform – menTCS – limits the effort of application programming to the safe parts. This makes the software development and the subsequent certification easier and faster, resulting in significantly reduced overall cost.

▪ Thanks to the abstraction of the periphery, the application can make use of the broad offering of peripheral Linux driver support.

9: Why does menTCS use EtherCAT for the communication?

▪ EtherCAT is a real-time Ethernet standard based on open Ethernet that fulfills the conditions to make communication between menTCS components safe:

▪ EtherCAT is deterministic, with cycle times ≤ 5 ms.

▪ EtherCAT is able to operate without switches.

▪ EtherCAT supports a ring topology which provides continuity of service in the case of a broken cable or the loss of power on one remote I/O.

▪ The safety communication layer of EtherCAT (FSoE) establishes an end-to-end protection to the safe I/O board.

▪ Any packet that leaves the safe domain is encapsulated in an envelope that is checked by the receiver of the packet (the safe I/O board). With this method, failures like packet duplication, loss, wrong sequence, corruption, wrong addressing etc. are covered.

▪ FSoE covers the requirements of EN 50159.
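
An added example, not MEN's code and not taken from the EtherCAT specification: a receiver-side envelope check in C showing how a connection ID, a sequence number and a CRC let the receiver detect the failure classes listed above. The envelope layout, the CRC polynomial and all names are assumptions made for illustration and do not reproduce the FSoE frame format.

```c
#include <stdint.h>

/* Constructed envelope for illustration only; NOT the FSoE frame layout. */
typedef struct {
    uint16_t conn_id;  /* which receiver the packet is meant for */
    uint16_t seq;      /* sender increments this once per packet */
    uint8_t  data[4];  /* safe process data */
    uint16_t crc;      /* covers conn_id, seq and data */
} envelope_t;
typedef struct { uint16_t conn_id, next_seq; } receiver_t;
typedef enum { ENV_OK, ENV_CORRUPT, ENV_WRONG_ADDR,
               ENV_DUPLICATE, ENV_LOSS, ENV_OUT_OF_ORDER } env_result_t;

/* CRC-16/CCITT-FALSE, one byte at a time (polynomial chosen for the example). */
static uint16_t crc16_byte(uint16_t crc, uint8_t b) {
    crc ^= (uint16_t)(b << 8);
    for (int i = 0; i < 8; i++)
        crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    return crc;
}

/* Field by field, so struct padding and host byte order never enter the CRC. */
uint16_t envelope_crc(const envelope_t *e) {
    const uint8_t hdr[4] = { (uint8_t)(e->conn_id >> 8), (uint8_t)e->conn_id,
                             (uint8_t)(e->seq >> 8), (uint8_t)e->seq };
    uint16_t crc = 0xFFFF;
    for (int i = 0; i < 4; i++) crc = crc16_byte(crc, hdr[i]);
    for (int i = 0; i < 4; i++) crc = crc16_byte(crc, e->data[i]);
    return crc;
}
void envelope_seal(envelope_t *e) { e->crc = envelope_crc(e); }

/* Any result other than ENV_OK leaves the receiver state unchanged. */
env_result_t receiver_check(receiver_t *rx, const envelope_t *e) {
    if (envelope_crc(e) != e->crc)  return ENV_CORRUPT;
    if (e->conn_id != rx->conn_id)  return ENV_WRONG_ADDR;
    int16_t delta = (int16_t)(uint16_t)(e->seq - rx->next_seq);
    if (delta == -1) return ENV_DUPLICATE;     /* last accepted packet again */
    if (delta < 0)   return ENV_OUT_OF_ORDER;  /* older packet arriving late */
    if (delta > 0)   return ENV_LOSS;          /* gap: packets went missing */
    rx->next_seq++;
    return ENV_OK;
}

int main(void) {
    receiver_t rx = { 0x0042, 0 };                    /* constructed sample */
    envelope_t p = { 0x0042, 0, { 1, 2, 3, 4 }, 0 };
    envelope_seal(&p);
    return receiver_check(&rx, &p) == ENV_OK ? 0 : 1;
}
```

A packet that never arrives produces no call at all, so a complete receiver also needs a watchdog timeout, which this sketch leaves out.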

10: Is the menTCS lifetime guaranteed by a life-cycle management?

▪ Yes – and: using an open system like menTCS means that product obsolescence management can be limited to single standardized parts of the computer system. It will never affect and endanger the train or wayside function itself.

▪ MEN guarantees long-term availability of all parts of the menTCS for a minimum period of 10 years in order to best meet the specific requirements of railway applications.

▪ For the successor of the safe CPU board MEN will provide a BSP with identical APIs, so that the source code of the application can remain unchanged.

www.men.de/products/tcs

www.menmicro.com/tcs

www.men-france.fr/tcs