WP Railway Data Networks


  • 7/29/2019 WP Railway Data Networks


    White Paper

    2008-09-15 KEYMILE 2008

    Railway Data Networks

    Demands for data networks with maximum availability in railway control and safety technology


    Table of contents

    1. Basic facts
    2. Demands on control and safety technology
    2.1. Explanation of CENELEC EN-50126
    2.2. Explanation of CENELEC EN 50159
    2.3. Operating licence
    3. Safety and availability of the control and safety technology
    3.1. Safety
    3.2. Availability
    3.3. The limits of redundancy
    4. Trends in the railway sector
    4.1. Increasing demand for bandwidth
    4.2. Powerful network infrastructure
    5. Conclusion


    1. Basic facts

    European railway companies are coming under pressure to operate more economically. This applies particularly to regional railways, which frequently appear to be threatened by high operating costs on the one hand and a lack of investment on the other. At the same time, an integrated concept for effective and economical data communication for the different railway services is playing a key role.

    Today's data communication in control and safety technology does, however, sometimes place different demands on the applications concerned, in some cases with diverse levels of safety and physically different transmission technologies. To date this has meant that separate networks were usually set up for individual groups of applications. Hot axle box detectors, axle counters, track vacancy detection systems and switch blade detectors, for example, are all part of control and safety technology.

    Because of the different parameters and the history of the development of control and safety technology, separate cables for traditional modem technology and line-bound non-switched synchronous multiplex systems can nowadays exist alongside each other. In other words, these are network concepts that have proved to be highly reliable, but that have to be looked at critically from a commercial point of view.

    One answer would be to use a standard, integrated data network for all data communications and therefore avoid operating parallel networks and isolated solutions.

    Railway network operators are constantly faced with the challenge of enhancing the technical and commercial aspects of network operation. Standardisation of transmission procedures has created the conditions for optimising data networks. As a result, control and safety technology in railways is increasingly using the data communications technology already available, instead of proprietary technology.

    The high level of automation in today's, and in particular tomorrow's, rail technology is only possible when extremely reliable information transmission systems are used. Furthermore, network topologies must be able to fulfil the extensive requirements for reliability.

    The CENELEC standard EN 50126 and in particular the standard it spawned, EN 50159-1:2001 for closed transmission networks, are the basis for safety-critical communication in today's safety systems in control and safety technology.

    But the use of new technologies for economical management is still in its infancy. Previous attempts to launch innovative technologies, such as Local Area Networks (LAN), Wide Area Networks (WAN), IP technology and GSM-R, are a start, but have not yet produced effective results.

    To date, only physically separate networks or SDH paths are accepted in control and safety technology. Other mechanisms for separating networks in accordance with EN 50159-1, such as VLAN tags or MPLS labels, are not yet recognised as a basis for authorising an entire system.

    To be able to use advanced data technologies in future, the foundations for transmitting via open network structures have been established in the EN 50159-2 standard.


    The integrated data network is the backbone for efficient and smooth-running mobility of passengers and goods.

    Previous attempts to develop and launch innovative IP technologies for these types of integrated data networks in control and safety technology have not been very effective until now. Railway companies believe that the risk involved in launching and using these types of technologies today is too high.

    2. Demands on control and safety technology

    The technical end systems introduced in railway companies, particularly for control and safety technology, have very long product cycles in comparison to industrial automation technology solutions, for example.

    If components from the standard market are used to implement railway operation systems, a discrepancy occurs between the product life cycles of the components purchased and the expected product life cycles of the technical systems in railways.

    When introducing new technologies and procedures for operating track-bound traffic, the exact conditions and the environment in each individual application must be taken into account, in order to make safe and at the same time economical operation possible.

    As a result, control and safety technology for railway operation is increasingly using data communications technology. Transmission reliability and quality of service play a vital role.

    The European Committee for Electrotechnical Standardization (CENELEC) defined the standard EN-50126 and in particular the follow-up standard EN 50159-1:2001 for closed and accepted transmission networks. These standards are the foundation for safety-critical communication of the safety systems in control and safety technology.

    The safety systems require an operating licence if they are to be used in railways. This operating licence is always the final step in an extensive authorisation procedure. The operating licence is issued by each country in accordance with CENELEC EN-50126.

    Figure 1: All service applications via one single data network. [Diagram: four groups of (sub)systems connected to the integrated data network. Control (sub)systems: signal boxes, control systems, traffic monitoring, SCADA/telecontrol. Communications (sub)systems: telephony, data, mobile/private mobile radio. Safety (sub)systems: video surveillance, emergency call, contact detector, alarm detector. Information (sub)systems: passenger info display, information announcements.]


    2.1. Explanation of CENELEC EN-50126

    CENELEC stands for Comité Européen de Normalisation Électrotechnique (French).

    The CENELEC standard EN-50126 is the key standard for the safety-critical communications outlined in this paper. It provides information for the specification and confirmation of RAMS in all phases of the product life cycle.

    RAMS stands for:

    Reliability
    Availability
    Maintainability
    Safety

    Implementation of the CENELEC standard EN 50126 is carried out in four project phases (concept, systems definition, risk analysis, establishing the requirements). An independent expert checks directly with the railway network operator that all these phases are adhered to.

    The purpose of the technical equipment used for control and safety technology is to ensure that risks are minimised should a human error occur. The prerequisite is that the technology is fully functional when the error occurs. The resulting demands (e.g. disclosure of errors and prevention of authorisation for trains to continue if the technology does not work) must be taken into account when developing the system. Terms such as safety and availability of transmission networks are brought to bear (see also the chapter on Availability and safety in control and safety technology).

    The CENELEC standard EN-50126 and in particular the subsequent follow-on standard EN 50159-1:2001 for closed transmission networks are the basis for safety-critical communication of the safety systems in control and safety technology.

    2.2. Explanation of CENELEC EN 50159

    EN 50159-1 (part 1)

    The standard's main aim is to provide for safe communication in closed networks. For this to happen, the following conditions must exist:

    Only authorised access is possible,
    the maximum number of subscribers that can be connected is known and
    the transmission medium is known and cannot be altered.

    EN 50159-2 (part 2)

    The second step was to abolish the conditions required for closed networks when defining safe communications in open networks. This means that the following conditions for an open network were agreed to:

    Different transmission paths and technologies,
    messages can be stored at will and
    possible unauthorised access to the communications network.

    These extensive demands require protection from unauthorised attack and therefore additional applications, such as encryption procedures and management of the crypto key.

    In this case, possible direct attacks on physical parts of the system, such as direct local tapping of data lines, are less important. It is more important to prevent unauthorised and deliberately destructive anonymous connection with powerful computers. This is easy in an open data network with a large number of subscribers that cannot be controlled. As attacks by Internet hackers on inadequately protected computer systems at banks, military organisations etc. show, this is a highly dangerous social phenomenon that must be taken seriously.
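    The following is an added example, not part of the white paper and not text from EN 50159: a receiver-side check for telegrams that cross an open network where messages can be stored at will and unauthorised parties can connect. The frame layout (sender id, sequence number, timestamp, payload, HMAC-SHA256 tag), the pre-shared keys and the 2-second freshness window are assumptions; the check authenticates messages and enforces freshness but does not encrypt them, and key management is out of scope.

```python
import hashlib
import hmac
import struct

# Hypothetical telegram layout (assumption for this example):
#   sender id (2 bytes) | sequence number (4) | timestamp in ms (8) | payload | tag (32)
HEADER = struct.Struct(">HIQ")
TAG_LEN = 32
MAX_AGE_MS = 2000  # assumed freshness window


def seal(key, sender, seq, ts_ms, payload):
    """Sender side: append an HMAC-SHA256 tag over header and payload."""
    body = HEADER.pack(sender, seq, ts_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, keys):
        self.keys = keys      # sender id -> pre-shared key
        self.last_seq = {}    # sender id -> highest sequence number accepted

    def accept(self, telegram, now_ms):
        """Return (True, payload) or (False, reason)."""
        if len(telegram) < HEADER.size + TAG_LEN:
            return (False, "truncated")
        body, tag = telegram[:-TAG_LEN], telegram[-TAG_LEN:]
        sender, seq, ts_ms = HEADER.unpack_from(body)
        key = self.keys.get(sender)
        if key is None:
            return (False, "unknown sender")
        # Unauthorised access: only holders of the key can produce a valid tag.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        # Stored messages: a genuine telegram delivered too late is rejected.
        if abs(now_ms - ts_ms) > MAX_AGE_MS:
            return (False, "stale")
        # Repeated or re-ordered messages: sequence numbers must increase.
        if seq <= self.last_seq.get(sender, -1):
            return (False, "replayed or out of order")
        self.last_seq[sender] = seq
        return (True, body[HEADER.size:])


if __name__ == "__main__":
    key = b"k" * 32                      # constructed sample key
    rx = Receiver({7: key})
    first = seal(key, 7, 1, 1000, b"route set")
    print(rx.accept(first, 1100))        # accepted
    print(rx.accept(first, 1200))        # same telegram again: rejected
    late = seal(key, 7, 2, 1300, b"route set")
    print(rx.accept(late, 60000))        # delivered long after it was sent: rejected
```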


    2.3. Operating licence

    To be able to operate technical telecommunication elements in safety-critical railway applications, an official licence is required.

    The railway network operator requests the licence. The licence is given after confirmation is provided that the part works satisfactorily, also taking into account properties such as availability, environmental properties and ease of maintenance, based on defined parameters.

    The application software must not interfere with non-safe signalling components or components that are responsible for safety. This has to be guaranteed and ascertained by the components responsible for safety. This prevents faults spreading in safe signalling components.

    Operating licences or type inspections are carried out differently in each country. One of the aims of European standardisation is to make mutual recognition of the operating licences at different railway companies possible.

    Figure 2: Overview of the parties involved in the operating licence process. [Diagram labels: Government; Ministry of Transport; Technical supervisory and licensing authority; Independent safety officer (assessor); Railway industry (systems owner/operator); Railway operator/infrastructure company; General building contractor.]

    3. Safety and availability of the control and safety technology

    3.1. Safety

    Safety is an objective that must be fulfilled by law. Better security cuts the risk of injury to people and of damage to the machinery and the environment (e.g. all planes are grounded).

    A financial bonus is that lower insurance premiums are charged. Safety is achieved by:

    Monitored redundancy (fail-stop systems),
    effective redundancy (persistent systems) or
    protective redundancy.

    The extreme demands on reliability and availability of complex telecommunications systems can only be fulfilled if steps are taken to guarantee quality and reliability during the definition, development, manufacturing and usage phases.

    A gauge for reliability is the MTTF: Mean Time To Fail (average life cycle), e.g. 100 years.

    This gauge measures the probability that a system will remain fully functional during a given period.


    3.2. Availability

    Availability is a financial objective. Higher levels of availability increase productivity and output (e.g. all trains are running to schedule). The gain is underlined by higher levels of productivity. Availability is achieved thanks to better maintenance and functional redundancy, so systems can carry on working.

    To increase availability, transmission networks and their systems used in control and safety technology are redundant. Availability can also be increased by other steps, such as carrying out maintenance.

    Redundant equipment is all equipment that would not be needed if there were no errors. There are also systems where redundancy is integrated automatically, as well as systems where redundancy can be seamlessly reintroduced after repairs have been carried out (interruption-free systems).

    A transmission network can be classified into three groups as regards its availability, for example in minutes per year and in percent, as follows:

    99.98 % unprotected (unavailable for approx. 1.75 hours per year)
    99.999 % protected (unavailable for approx. 5 minutes per year)
    99.9999 % secure (unavailable for approx. 32 seconds per year)

    Depending on the level of availability, the railway application can be connected to the transmission node (SAP: Single Access Point) with a single or double level of redundancy.

    Figure 3: Availability categories. [Diagram labels: Application, SAP, End node, Intermediate systems, Path 1, Path 2; 99.98 % unprotected; 99.999 % protected; 99.9999 % safe; 2 x 64 kbps + 2 Mbps per station.]


    At the same time the percentages, calculated for the whole of the network topology from the reliability figures for the individual elements (MTTF), can indicate the probability of a whole system actually performing as stated. Whether systems and their individual components will have to be deployed with single or double redundancy depends primarily on the level of availability required by the railway application.

    A summary is provided here of the most frequent railway applications, subdivided according to how available they are required to be.

    Figure 4: Probability of failure according to individual railway applications. [Chart: availability levels 99.9999 %, 99.999 % and 99.98 % plotted against the applications Signal box, Control system, Traffic monitoring, SCADA/telecontrol, Video surveillance, Emergency call, Contact monitor, Info announcements, Passenger info display, Telephony, TVA access, Hotline, Office LAN (IT), Sales application, Ticket machine, GSM-R, TETRA/TETRAPOL, Analogue train radio, Alarms, 3rd-party equipment.]

    3.3. The limits of redundancy

    Thanks to redundancy and error tolerance, availability only depends on the probability of a second failure before the first one is repaired. However, availability is therefore not infinite.

    The only definite factor in a doubly-redundant system is that it is twice as expensive and fails more than twice as often. As a result, reliability and availability targets must be clear before redundant solutions are looked at.
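    The calculation described in sections 3.2 and 3.3, as an added example that is not part of the white paper: element availabilities derived from MTTF are combined over a topology and mapped to the paper's three classes. The MTTF of 100 years is the paper's own example figure; the repair times, the chain of 40 intermediate systems, identical elements and independent failures are assumptions made for this sketch.

```python
HOURS_PER_YEAR = 365 * 24
SECONDS_PER_YEAR = HOURS_PER_YEAR * 3600

# Availability classes quoted in section 3.2 of the paper.
CLASSES = [(0.999999, "secure"), (0.99999, "protected"), (0.9998, "unprotected")]


def element_availability(mttf_h, mttr_h):
    """Steady-state availability of one repairable element."""
    return mttf_h / (mttf_h + mttr_h)


def series(*parts):
    """Every part is needed: availabilities multiply."""
    result = 1.0
    for a in parts:
        result *= a
    return result


def parallel(*parts):
    """One working part is enough: unavailabilities multiply."""
    down = 1.0
    for a in parts:
        down *= 1.0 - a
    return 1.0 - down


def classify(a):
    for threshold, name in CLASSES:
        if a >= threshold:
            return name
    return "below unprotected"


def evaluate(mttf_years=100, mttr_h=4.0, intermediate=40):
    """Compare three topologies built from identical elements (constructed figures)."""
    node = element_availability(mttf_years * HOURS_PER_YEAR, mttr_h)
    path = node ** intermediate              # chain of intermediate systems
    chain = series(node, path, node)         # end node, path, end node
    topologies = {
        "single path": (chain, intermediate + 2),
        # shared end nodes, two disjoint paths between them
        "dual path": (series(node, parallel(path, path), node), 2 * intermediate + 2),
        # everything duplicated, including the end nodes
        "fully duplicated": (parallel(chain, chain), 2 * (intermediate + 2)),
    }
    report = {}
    for name, (a, elements) in topologies.items():
        report[name] = {
            "availability": a,
            "class": classify(a),
            "downtime_s": (1.0 - a) * SECONDS_PER_YEAR,
            # Each element failure needs a repair, whether or not service is lost.
            "repairs_per_year": elements / mttf_years,
        }
    return report


if __name__ == "__main__":
    for mttr in (4.0, 72.0):                 # fast repair versus slow repair
        print(f"MTTR {mttr} h")
        for name, row in evaluate(mttr_h=mttr).items():
            print(f"  {name:17s} {row['class']:18s} "
                  f"{row['downtime_s']:10.1f} s/year  {row['repairs_per_year']:.2f} repairs/year")
```

    With a 4-hour repair time the three topologies land in the three classes in order, while the duplicated one needs twice as many repairs per year; with a 72-hour repair time the fully duplicated topology no longer reaches the "protected" class, because a second failure before the first repair becomes much more likely.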


    4. Trends in the railway sector

    4.1. Increasing demand for bandwidth

    Heterogeneous network technology in control and safety technology systems has grown over several decades. Nowadays, there is pressure to modernise and consequently to cut costs and increase performance. Signalling applications usually transmit far less data volume than the other IT applications that are more technology driven. However, due to increasing demand in control and safety technology for flexibility and for increasing capacities in control and operating systems, systems management, (remote) diagnosis, maintenance services etc., requirements for data transmission capacity are constantly on the increase.

    The days when a 64 kbps channel between two locations was sufficient, as has been the case up till now, will soon draw to a close. This will happen once communications transmitted separately till now, or new remote transmission (e.g. Radio Block Centres etc. from the operating centres), or entirely new services (such as maintenance service centres) are switched to joint network connections to save costs. Sooner or later, a major operator should be able to transmit WAN connections at a standard 2 Mbps between large nodes, such as operating centres and sub-centres. Then, with increasing data volumes, enough bandwidth would be available for some time to fulfil real-time demands for time-critical applications using the current TCP/IP basic protocols, leaving a reserve at the same time for other applications.

    Otherwise, if a bottleneck occurs in a 64 kbps channel, additional protocols that set priorities will have to be used, which will cause delays to subordinate applications.

    Figure 5: The individual railway applications' bandwidth requirements. [Chart: connection duration (1 minute, 1 hour, 1 day) against bandwidth (1 kbps, 1 Mbps, 1 Gbps) for Video surveillance, Office LAN (IT), Private mobile radio (GSM-R, TETRA, analogue), Telephony, Sales transactions, Control system services and Passenger info.]


    4.2. Powerful network infrastructure

    From the perspective of control and safety technology, two evolutionary paths are becoming obvious. One of the trends is the development towards large systems that integrate networks and services (convergent networks is the term). The other trend is the increasing usage of processes to safeguard closed sections of networks within large networks (network security). Systems that integrate services mean, for example, that real-time services such as voice and live video services are transmitted via IP networks, which these days still tend to be designed for computer data communication that is not time critical. At the same time safety and control technology systems (e.g. rail IP) are also to be transmitted. The customary TCP/IP protocol family (including UDP, a protocol providing faster transmission when data loads are heavy, but which does not prevent transmission faults) does not yet offer any satisfactory methods of always guaranteeing quick through-put times and error-free transmission. Should an interruption occur, convergence times of less than ms (typically 50 ms) have to be adhered to at back-up level.

    In control and safety technology, Quality of Service (QoS) and fast convergence rates are important. Today, standard solutions from the Metro-Ethernet-IP environment are not yet good enough to be used in control and safety technology.

    Nevertheless, these technologies do definitely have potential as regards data transmission capacity. As a result, two routes are being pursued. A protocol called Multi-Protocol Label Switching (MPLS) will be added to the basic IP transport functions. MPLS technology adds an additional marker (a label) to the IP data packages during transmission in the data network. Based on this information, routers with MPLS capability take into account different priorities and service categories in the individual data packages and, depending on their service category, allocate them qualitatively different routes through the data network. With regard to configuration management, MPLS is considered very time consuming and therefore complex to operate and maintain.

    Another procedure called Next Generation SDH (NG-SDH) opts for the tried and trusted TDM-based SDH infrastructure using Ethernet over SDH (EoS). With Ethernet over SDH, packet-enhanced Ethernet technology is combined with the real-time enhanced TDM process from the Synchronous Digital Hierarchy (SDH). By combining both technologies, the advantages are fully exploited and the disadvantages prevented. Implementing the EoS technology includes flexible broadband management with dynamic broadband allocation to communications demands, physical separation of networks, the interruption-free transmission of data, as well as the integration of the Ethernet interfaces in SDH.

    EoS offers network operators an interesting alternative to MPLS, especially as real-time behaviour exists and the Quality of Service (QoS) can be modified. Furthermore, NG-SDH enables consolidation of all services in a single data network with high levels of availability.

    Other protocols, such as Provider Backbone Transport (PBT), are also intended to take the specific parameters mentioned above into account. They are being pushed by renowned manufacturers, but have not yet been tested properly in practice.

    The table below summarises the properties of the different transmission technologies we have discussed.


    Figure 6: Properties of the different transmission technologies. [Table comparing NG SDH, Metro Ethernet, MPLS (IP) and PBT; the only cell text that survives is "Path and section protection (pre-configured)".]


    5. Conclusion

    From an ICT standpoint, data communication in control and safety technology will remain a special case as regards:

    Data rates that are currently still relatively low,
    particularly high demands regarding safety and
    relatively long user system innovation cycles.

    The directions in which ICT developments are heading are, however, inevitably reflected in the way control and safety technology is used. This is evident in the current proliferation of LAN/WAN technology in the cross-over to IP.

    Control and safety technology network designers are facing conflicting priorities: compatibility with the legacy systems, different demands nationwide from the railway operators for new solutions, international standardisation trends in control and safety technology, as well as affordable, but never totally adequate, standard solutions from the global market in information and telecommunications technology.

    Because the length of innovation cycles varies, it is always a problem to identify when a new ICT trend is here to stay and likely to become a trendsetter in the future, so that adopting it into control and safety technology, with its time-consuming testing and licensing processes, is economical.

    Finally, networks must be designed for implementation as an entire control and safety technology system that will receive a licence. As a result, KEYMILE has opted to supply its integrated and advanced multi-service access system UMUX to its railway customers worldwide.

    Publisher

    KEYMILE GmbH
    Wohlenbergstrasse 3
    30179 Hanover, Germany
    Phone +49 511 6747-0
    Fax +49 511 6747-450
    Internet www.keymile.com
    Mail [email protected]