Safety critical systems used within the railway industry require a controlled and systematic approach to design and development, coupled with extremely resilient and reliable hardware and software implementations, and rigorous testing. Together, these elements form the basis of a robust system which operates as designed, with failure modes and effects analysed and the resultant risks as low as reasonably practicable.
The railway is not unique in being a harsh environment in which complex systems and rugged electronics are required; however, there are key factors that set it apart from, say, aircraft or marine applications, both of which have their own challenges. For example, data communication networks for on-board rail applications must cope with a dynamically changing topology as rail carriages and additional units are connected to and disconnected from the consist, often in any orientation. Additionally, the network must ensure high system availability, potentially coping with multiple concurrent failure scenarios. Any operational safety critical system requires extremely high levels of network availability. Given that today's systems consist of many distributed Power over Ethernet (PoE) devices that require an uninterrupted power supply as well as continuous network connectivity, the network devices themselves must perform reliably and continuously.
UK rolling stock can be retrofitted with the latest systems and networks.
In 2016, Westermo started the design process with Petards Rail Technology for a resilient and redundant data communications network as a backbone for an on-board driver-controlled operation (DCO) system consisting of automatic selective door operation (ASDO) and on-train camera/monitor (OTCM) subsystems. The DCO system in question is complex: rather than using external infrastructure such as track-side RFID tags, it relies on global navigation satellite system (GNSS) positioning and wheel odometry for station-level positioning accuracy. The OTCM and ASDO are both safety critical systems, and thus the data network was developed in compliance with EN50128 and with a Safety Integrity Level (SIL) 2 rating. The network requirements for the DCO system presented several technical challenges, the primary one being the necessity for connectivity to extend to any 2/3-car unit orientation, up to the maximum 12-car consist. In addition, the customer specified a dual-redundant mixed-media inter-unit connection consisting of both wired Ethernet and wireless communications.
To meet these application requirements, we utilised Westermo DDW-002 Ethernet Bridges to make a wired connection through the auto-coupler and Westermo Ibex-RT-320 5GHz Wireless Bridges for the wireless inter-carriage link (ICL).
Westermo solution for a DCO application.
In utilising both a through-coupler Ethernet over Powerline (EoP) connection and a 5GHz ICL for the inter-unit connection, we ensured that unit-to-unit connectivity would be available almost immediately after coupling. This was important in terms of DCO system availability, especially if units were coupled or uncoupled whilst in passenger service.
When coupling takes place, the wired Ethernet bridge connects first and provides the primary network. At the same time, the wireless ICL starts to negotiate and when it completes the connection becomes the primary network. The wired connection then becomes the redundant link with relevant ports blocked by a Westermo Viper Managed Ethernet switch, which negates a network loop and resultant data storm.
The Westermo Ibex-RT-320 wireless bridge incorporates radar detection and avoidance functionality, known as 'dynamic frequency selection' (DFS), which allows use of restricted 5GHz frequencies that are commonly used by radar systems. Employing DFS permits use of under-utilised frequencies (U-NII-2 and U-NII-2e) and increases the number of channels available. This ensures that the wireless communication channel between connected trains operates in an uncongested electromagnetic environment, ultimately ensuring resilient train-to-train communication.
5GHz Wi-Fi channels and associated frequencies
One of the most interesting and challenging aspects of the network design was the use of Layer 2 redundancy protocols such as fast reconfiguration of network topology (FRNT) and rapid spanning tree protocol (RSTP). These enhance the network resilience and support greater OTCM/ASDO system availability. In the unlikely event of either a link or a switch failure, FRNT reconfigures the network in 20ms, ensuring almost uninterrupted communications. On recovery, the network self-heals, again with only very short outages and continuity of service.
The RSTP network protocol is used in the dual-redundant inter-unit connection and ensures that the wired and wireless connections between the coupled units are loop free, whatever the orientation. RSTP is a cost-based protocol: a 'path cost' is calculated for each link and the lowest-cost (highest-bandwidth) path is assigned as preferred, allowing the Westermo Operating System (WeOS) to provide the fastest inter-unit connection available.
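The coupling sequence (wired EoP bridge up first, wireless ICL taking over once negotiated, wired link blocked to prevent a loop and resuming if the wireless link is lost) and the cost-based preference just described can be modelled in a few lines. The following is an added example, not Westermo or WeOS code: it derives an RSTP-style path cost from link bandwidth using the IEEE 802.1D-2004 recommended formula (20 Tbit/s divided by the link speed, so 100 Mbit/s gives 200,000) and replays the article's sequence with assumed link speeds of 100 Mbit/s for the EoP bridge and 300 Mbit/s for the 5GHz ICL; the link names and speeds are illustrative assumptions.

```python
"""Simplified model of dual-redundant inter-unit link selection: RSTP-style
path cost from bandwidth, lowest cost forwards, every other live link blocked.
Added example, not Westermo/WeOS code; link speeds are assumed values."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IEEE 802.1D-2004 (clause 17) recommended path cost: 20 Tbit/s divided by the
# link speed in bit/s, e.g. 100 Mbit/s -> 200,000 and 1 Gbit/s -> 20,000.
RSTP_COST_NUMERATOR = 20_000_000_000_000
MAX_PATH_COST = 200_000_000  # upper bound of the 32-bit path cost field


def rstp_path_cost(bandwidth_bps: int) -> int:
    """Path cost for a link of the given speed; a down link gets the maximum."""
    if bandwidth_bps <= 0:
        return MAX_PATH_COST
    return min(MAX_PATH_COST, max(1, RSTP_COST_NUMERATOR // bandwidth_bps))


@dataclass
class Link:
    name: str
    bandwidth_bps: int  # assumed negotiated speed of this link
    up: bool = False

    @property
    def path_cost(self) -> int:
        return rstp_path_cost(self.bandwidth_bps) if self.up else MAX_PATH_COST


@dataclass
class InterUnitConnection:
    links: List[Link]
    history: List[str] = field(default_factory=list)

    def forwarding_link(self) -> Optional[Link]:
        """The lowest-cost live link forwards; ties break on name, as a bridge
        would tie-break on port identifier."""
        live = [l for l in self.links if l.up]
        if not live:
            return None
        return min(live, key=lambda l: (l.path_cost, l.name))

    def port_states(self) -> Dict[str, str]:
        """forwarding / blocking / down for every link; at most one forwards,
        so the two inter-unit paths can never form a loop."""
        fwd = self.forwarding_link()
        return {
            l.name: "forwarding" if l is fwd else ("blocking" if l.up else "down")
            for l in self.links
        }

    def set_link(self, name: str, up: bool) -> Dict[str, str]:
        """Raise or drop a link and return the resulting port states."""
        for l in self.links:
            if l.name == name:
                l.up = up
        states = self.port_states()
        self.history.append(f"{name} {'up' if up else 'down'} -> {states}")
        return states


def coupling_sequence() -> List[Dict[str, str]]:
    """Replay the coupling sequence from the article with assumed speeds."""
    conn = InterUnitConnection([
        Link("wired-eop", 100_000_000),     # assumed: through-coupler EoP bridge
        Link("wireless-icl", 300_000_000),  # assumed: 5 GHz ICL, higher bandwidth
    ])
    steps = []
    steps.append(conn.set_link("wired-eop", True))      # wired connects first
    steps.append(conn.set_link("wireless-icl", True))   # wireless negotiates, takes over
    steps.append(conn.set_link("wireless-icl", False))  # wireless lost, wired resumes
    return steps


if __name__ == "__main__":
    for i, states in enumerate(coupling_sequence(), 1):
        print(f"step {i}: {states}")
```

The model captures the safety-relevant invariant rather than the timing: whatever links are live, exactly one forwards and the rest are blocked, so a second path never produces a loop or the resulting broadcast storm. Real RSTP convergence, and FRNT's 20ms reconfiguration, depend on BPDU exchange and port roles that this example deliberately omits.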
High network reliability and availability are key when specifying and designing for a safety critical system to be operated in a harsh environment and a resilient network is central to realising this. A systems approach to the development of the network ensured that we analysed the full life cycle of the system and all network relationships both physical and functional. As a result, the network performs as designed and will provide resilient and reliable connectivity for many years of DCO system operation.
Driver view of the preliminary DCO system HMI implementation.
Westermo understand the challenges faced by data communications networks installed in harsh rail environments and offer a range of products specific to on-board rail applications that meet the needs of the most critical safety systems. Our extensive range of EN50155 compliant networking devices can be used to create resilient solutions for many different on-board applications.
Carl de Bruin