Rail Safety Meets the Two OS are Better Than One Approach



Even as embedded and connected computer systems in railway transportation and other safety-critical sectors continue to make safety requirements imperative, it’s possible to overcome lengthy development cycles and spiralling costs.

“For embedded systems designers involved with safety-critical applications, the harsh reality is that there is no ‘margin for error,’ no allowance for ‘tweaking’ improvements on the fly and no time for addressing unanticipated ‘Version 2.0.’ problems.”

Any system whose malfunction could endanger human life or lead to property damage must show compliance with market-specific standards and is a candidate for designed-in functional safety and regulation. A computer-based implementation of functional safety takes significantly longer to develop, and costs significantly more, than product development with no safety requirements.

A Harvard Business Review article[1] reported that large IT projects have shown that on average 45 percent of current projects run over budget, seven percent run over time, and 56 percent deliver less value than predicted.

Included in the set of large IT projects facing cost and time overruns are those involving rail transport functional safety certification. The time it takes to complete such projects can easily double or triple. And investment in certification is often greater than that in straight development. Tackling a development project with certification requirements significantly adds to cost and time to market, and can easily stretch the project duration by more than 100 percent (Table 1).

Table 1: Comparative timeline for projects requiring certification and those which do not.

A Jump Forward

For embedded systems designers involved with safety-critical applications, the harsh reality is that there is no “margin for error,” no allowance for “tweaking” improvements on the fly, and no time for addressing unanticipated problems with “Version 2.0.”

From the initial definition of requirements through the design concept, component selection and implementation all the way up to testing and validation, life-critical applications are exactly that—a matter of life or death. The developer adds unique value to a system that can implement completely reliable safety. Thus, it is vital to identify a supplier and a platform upon which to build the needed application in a hardware/software framework of certifiable safety.

Opting to design such a platform from scratch will inevitably mean even more time and expense. When seeking a platform, a number of considerations will help make the project calculable, speed up the development process, and cut its time to market. These include selecting a hardware platform that will make certification easier and choosing operating systems that can support the certification process.
Creating a safety-critical platform can take a big jump forward if the basic operating systems and hardware are already bundled. A good selection of COTS components with drivers that can be integrated to tailor the system to the application’s exact needs is also key.

Of course, the platform must also be tailored to relieve the pain of the certification process, so it can’t just be any bundle. You need to know—in advance—how it will help meet certification demands and get a good idea of what sort of costs that will entail. What can be done if you run into obstacles during the certification process? How will you manage the future life cycle for reliability and safety?

Standardized PC Architecture

Any such platform should be exclusively based on open industry standards in hardware, software, and communication. The use of standardized PC architecture and mechanics, standard Linux, and real-time operating systems puts an end to dependence upon any one specific supplier, allows the integration of third-party products, and prevents system obsolescence.

One example of a platform that leverages the benefits of standardized PC architecture is the MEN Train Control System (menTCS) from MEN Micro, an open and modular railway computer platform based exclusively on standard hardware. For instance, the system’s F75P safe CPU board is a standard CompactPCI board with three Intel® Atom™ E680T processors. Two of the three are redundant processors that execute the safety logic. The third processor handles general purpose functions and I/O communication.

The platform is scalable and certifiable up to Safety Integrity Level 4 and complies with the European railway development standards EN 50128 and EN 50129—as well as with the EN 50155 and EN 50121-4 environmental standards. The same functionality and electronics are also provided in an AAR-compliant housing, making it ready to use for American railroads.

It comes with certification packages supported by the independent TÜV SÜD association for the safe hardware and for the safe QNX operating system, which runs on the two control processors of the CPU board. The platform is designed to operate in rolling-stock applications such as Automatic Train Operation (ATO), Automatic Train Protection (ATP) and Positive Train Control (PTC) as well as in wayside applications like interlocking systems.

Up to 63 remote I/O boxes can connect to one menTCS system controller, allowing a flexible I/O configuration according to the available train interfaces. An Ethernet ring topology reduces the overall cabling effort and brings the I/O control close to the sensors and actuators.

Separation for Safety and Control

One of the unique attributes of this architecture is that the control electronics—the computer hardware—are separated from the real control function—the application software. Unlike proprietary solutions with a fixed hardware/software configuration—one which is inaccessible to the end user—this modular architecture opens up the essential interfaces between the control electronics and the application.

To achieve this open architecture, menTCS clearly separates the safe application, which must be submitted to the certification process, from the software that is not required to be certified. Consequently, the safe application runs on the certified QNX operating system, and the non-critical part of the application—operated by the third processor on the F75P CPU board—runs on standard Linux, allowing it to profit from the broad Linux driver support offering (Figure 1).

Figure 1: The ability to pre-certify the hardware and software platform enables the developer to concentrate on the safety-critical applications that will run in that environment.

The open application interface allows railway system suppliers to concentrate on their core business and competencies. It also facilitates the market entry for small- and medium-size companies. And it enables rail operators to become their own general contractor, enabling full transparency of their project at any time.

The combination of two operating systems—QNX and Linux—on one hardware platform lets developers concentrate on application programming for the safe, certifiable parts (Figure 2). This makes the software development and the subsequent certification easier and faster, resulting in significantly reduced overall cost. As a pre-requisite, the internal hardware architecture makes sure that the I/O domain cannot interfere with the safe domain.

The use of standard software interfaces (open API) and standard operating systems offers maximum programming flexibility by way of the standard POSIX programming interface. It allows application programming in C or Ada, model-based development, e.g., with SCADE, or on a Soft PLC. This method prevents costly re-certifications and lets the end user focus on core competencies.

Figure 2: Two separate OS environments provide one for general applications that do not involve safety and connect to the outside world via the Internet and another that can protect safety-critical functions from outside interference.

Positive Outlook for Train Control

This modular, open standards-based platform keeps the software application independent from the hardware and is based on a state-of-the-art embedded PC architecture supporting multiprocessor configurations, high data throughput, IoT connectivity and the required reliability and security features.

By having this type of architecture that can be scaled to suit specific needs, the railway industry is afforded several advantages. Having one compact data center that partitions critical and non-critical applications significantly reduces costs and decreases maintenance and obsolescence management while fostering a wider ecosystem for market growth.

Electrical engineer Mathias Beer supported MEN Mikro Elektronik GmbH in project and product management for several years on various railway projects, before he took over as head of product management for three years. He then was Director, Customer Relationship for two years, and since the beginning of 2015 Beer has served as Director, Global Technical Solutions and Director, Global Marketing.


[1] Bent Flyvbjerg and Alexander Budzier, “Why Your IT Project May Be Riskier Than You Think,” Harvard Business Review, September 2011, https://hbr.org/2011/09/why-your-it-project-may-be-riskier-than-you-think