7/29/2019 WP Railway Data Networks
1/12
White Paper
2008-09-15 KEYMILE 2008
Railway Data Networks
Demands for data networks with maximum availability in railway control and safety technology
Table of contents
1. Basic facts
2. Demands on control and safety technology
2.1. Explanation of CENELEC EN-50126
2.2. Explanation of CENELEC EN 50159
2.3. Operating licence
3. Safety and availability of the control and safety technology
3.1. Safety
3.2. Availability
3.3. The limits of redundancy
4. Trends in the railway sector
4.1. Increasing demand for bandwidth
4.2. Powerful network infrastructure
5. Conclusion
Railway Data Networks
European railway companies are coming under pressure to operate their companies more economically. This applies particularly to regional railways that appear on the one hand to be threatened frequently by high operating costs and a lack of investment on the other. At the same time, an integrated concept for effective and economical data communication of the different railway services is playing a key role.
Today's data communication in control and safety technology does however sometimes place different demands on the applications concerned, with in some cases diverse levels of safety and physically different transmission technologies. To date this meant that separate networks were usually set up for individual groups of applications. Hot axle box detectors, axle counters, track vacancy detection systems and switch blade detectors are for example all part of control and safety technology.
Because of the different parameters and the history of the development of control and safety technology, nowadays separate cables for traditional modem technology and line-bound non-switched synchronous multiplex systems can exist alongside each other. In other words these are network concepts that have proved to be highly reliable, but from a commercial point of view have to be looked at critically.
One answer would be to use a standard, integrated data network for all data communications and therefore avoid operating parallel networks and isolated solutions.
1. Basic facts
Railway network operators are constantly faced with the challenge of enhancing the technical and commercial aspects of network operation. Standardisation of transmission procedures has created the conditions for optimising data networks. As a result, control and safety technology in railways is increasingly using the data communications technology already available, instead of proprietary technology.
The high level of automation in today's, and in particular tomorrow's, rail technology is only possible when extremely reliable information transmission systems are used. Furthermore, network topologies must be able to fulfil the extensive requirements for reliability.
The CENELEC standard EN 50126 and in particular the standard it spawned, EN 50159-1:2001 for closed transmission networks, are the basis for safety-critical communication in today's safety systems in control and safety technology.
But the use of new technologies for economical management is still in its infancy. Previous attempts to launch innovative technologies, such as Local Area Networks (LAN), Wide Area Networks (WAN), IP technology and GSM-R, are a start, but have not yet produced effective results.
Till today, in control and safety technology, only physically separate networks or SDH paths are accepted. Other mechanisms to separate networks in accordance with EN 50159-1, like VLAN tags or MPLS labels, are not yet recognised as a basis for authorising an entire system.
To be able to use advanced data technologies in future, the foundations for transmitting via open network structures have been established in the EN 50159-2 standard.
The integrated data network is the backbone for efficient and smooth-running mobility of passengers and goods.
Previous attempts to develop and launch innovative IP technologies for these types of integrated data networks in control and safety technology have not been very effective till now. Railway companies believe that the risk involved in launching and using these types of technologies today is too high.
2. Demands on control and safety technology
The technical end systems introduced in railway companies, particularly for control and safety technology, have very long product cycles in comparison to industrialised automation technology solutions for example.
If components from the standard market are used to implement railway operation systems, a discrepancy occurs between the product life cycles of the components purchased and the expected product life cycles of the technical systems in railways.
When introducing new technologies and procedures for operating track-bound traffic, the exact conditions and the environment in each individual application must be taken into account, in order to make safe and at the same time economical operation possible.
As a result, control and safety technology for railway operation is increasingly using data communications technology. Transmission reliability and quality of service play a vital role.
The European Committee for Electrotechnical Standardization (CENELEC) defined norm EN-50126 and in particular the follow-up norm EN 50159-1:2001 for closed and accepted transmission networks. These standards are the foundation for safety-critical communication of the safety systems in control and safety technology.
The safety systems require an operating licence if they are to be used in railways. This operating licence is always the final step in an extensive authorisation procedure. The operating licence is issued by each country in accordance with CENELEC EN-50126.
Figure 1: All service applications via one single data network
[Figure: an integrated data network connecting four groups of (sub)systems. Control: signal boxes, control systems, traffic monitoring, SCADA/telecontrol. Communications: telephony, data, mobile/private mobile radio. Safety: video surveillance, emergency call, contact detector, alarm detector. Information: passenger info display, information announcements.]
2.1. Explanation of CENELEC EN-50126
CENELEC stands for Comité Européen de Normalisation Electrotechnique (French).
The CENELEC standard EN-50126 is the key standard for safety-critical communications outlined in this paper. It provides information for specifications and confirmation of RAMS in all phases of the product life cycle.
RAMS stands for:
Reliability
Availability
Maintainability
Safety
Implementation of the CENELEC standard EN 50126 is carried out in four project phases (concept, systems definition, risk analysis, establishing the requirements). An independent expert checks directly with the railway network operator that all these phases are adhered to.
The purpose of the technical equipment used for control and safety technology is to ensure that risks are minimised should a human error occur. The prerequisite is that technology is fully functional when the error occurs. The demands produced as a result (e.g. disclosure of errors and prevention of authorisation for trains to continue if the technology does not work) must be taken into account when developing the system. Terms such as safety and availability of transmission networks are brought to bear (see also the chapter on Availability and safety in control and safety technology).
The CENELEC norm EN-50126 and in particular the subsequent follow-on norm EN 50159-1:2001 for closed transmission networks are the basis for safety-critical communication of the safety systems in control and safety technology.
2.2. Explanation of CENELEC EN 50159
EN 50159-1 (part 1)
The standard's main aim is to provide for safe communication in closed networks. For this to happen, the following conditions must exist:
Only authorised access is possible,
the maximum number of subscribers that can be connected is known and
the transmission medium is known and cannot be altered.
EN 50159-2 (part 2)
The second step was to abolish the conditions required for closed networks when defining safe communications in open networks. This means that the following conditions for an open network were agreed to:
Different transmission paths and technologies,
messages can be stored at will and
possible unauthorised access to the communications network.
These extensive demands require protection from unauthorised attack and therefore additional applications, such as encryption procedures and management of the crypto key.
In this case, less important are possible direct attacks on physical parts of the system, such as direct local tapping of data lines. It is more important to prevent unauthorised and deliberately destructive anonymous connection with powerful computers. Such a connection is easy to make in an open data network with a large number of subscribers that cannot be controlled. As attacks by Internet hackers on inadequately protected computer systems at banks, military organisations etc show, this is a highly dangerous, social phenomenon to be taken seriously.
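
The open-network conditions above (stored messages, unauthorised access) translate into receiver-side checks. The following added example, which is not part of the white paper or of EN 50159, shows a receiver rejecting forged, replayed and delayed telegrams by means of an HMAC-SHA-256 tag, a sequence number and a timestamp. The frame layout, node ids, key and 500 ms freshness window are assumptions and the sample telegrams are constructed; encryption and key distribution are left out.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not taken from EN 50159):
# source id, destination id, sequence number, send time in ms, payload, tag.
HEADER = struct.Struct(">HHIQ")
TAG_LEN = hashlib.sha256().digest_size
MAX_AGE_MS = 500  # assumed freshness window; requires synchronised clocks

def seal(key, src, dst, seq, sent_ms, payload):
    """Sender side: header + payload, followed by an HMAC-SHA-256 tag over both."""
    body = HEADER.pack(src, dst, seq, sent_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts telegrams from exactly one configured peer."""

    def __init__(self, key, my_id, peer_id):
        self.key, self.my_id, self.peer_id = key, my_id, peer_id
        self.last_seq = -1

    def accept(self, frame, now_ms):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-tag", None                  # forged, or altered in transit
        src, dst, seq, sent_ms = HEADER.unpack_from(body)
        if (src, dst) != (self.peer_id, self.my_id):
            return "wrong-endpoint", None           # authentic, but not for this link
        if not 0 <= now_ms - sent_ms <= MAX_AGE_MS:
            return "stale", None                    # held back in the network
        if seq <= self.last_seq:
            return "replayed", None                 # stored copy sent again, or reordered
        self.last_seq = seq
        return "ok", body[HEADER.size:]

def demo():
    """Constructed traffic from an axle counter (id 7) to an interlocking (id 1)."""
    key = b"constructed-demo-key-not-for-use"
    rx = Receiver(key, my_id=1, peer_id=7)
    t0 = 1_000_000
    first = seal(key, 7, 1, 1, t0, b"section 12 clear")
    # Telegram from a sender that does not hold the shared key.
    forged = seal(b"some-other-key", 7, 1, 2, t0 + 100, b"section 12 clear")
    # Authentic telegram with one payload bit changed on the way.
    flipped = bytearray(seal(key, 7, 1, 2, t0 + 100, b"section 12 occupied"))
    flipped[HEADER.size] ^= 0x01
    late = seal(key, 7, 1, 2, t0 + 100, b"section 12 occupied")
    return [
        rx.accept(first, t0 + 20)[0],            # ok
        rx.accept(first, t0 + 40)[0],            # replayed
        rx.accept(forged, t0 + 120)[0],          # bad-tag
        rx.accept(bytes(flipped), t0 + 120)[0],  # bad-tag
        rx.accept(late, t0 + 5_000)[0],          # stale
    ]

if __name__ == "__main__":
    print(demo())
```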
2.3. Operating licence
To be able to operate technical telecommunication elements in safety-critical railway applications, an official licence is required.
The railway network operator requests the licence. The licence is given after confirmation is provided that the part works satisfactorily, also taking into account properties, such as for example availability, environmental properties and ease of maintenance, based on defined parameters.
The application software must not interfere with non-safe signalling components or components that are responsible for safety. This has to be guaranteed and ascertained by the components responsible for safety. This prevents faults spreading in safe signalling components.
Operating licences or type inspections are carried out differently in each country. One of the aims of European standardisation is to make a mutual recognition of the operating licences at different railway companies possible.
Figure 2: Overview of the parties involved in the operating licence process
[Figure: Government, Ministry of Transport; technical supervisory and licensing authority; independent safety officer (assessor); railway industry (systems owner/operator); railway operator/infrastructure company; general building contractor.]
3. Safety and availability of the control and safety technology
3.1. Safety
Safety is an objective that must be fulfilled by law. Better safety cuts the risk of injury to people, damage to the machinery and the environment (e.g. all planes are grounded).
A financial bonus is that lower insurance premiums are charged. Safety is achieved by:
Monitored redundancy (fail-stop systems),
effective redundancy (persistent systems) or
protective redundancy.
The extreme demands on reliability and availability of complex telecommunications systems can only be fulfilled if, during the definition, development, manufacturing and usage phase, steps are taken to guarantee quality and reliability.
A gauge for reliability is the MTTF: Mean Time To Fail (average life cycle), e.g. 100 years.
This gauge measures the probability that a system will remain fully functional during a given period.
3.2. Availability
Availability is a financial objective. Higher levels of availability increase productivity and output (e.g. all trains are running to schedule). The gain is underlined by higher levels of productivity. Availability is achieved thanks to better maintenance and functional redundancy so systems can carry on working.
To increase availability, transmission networks and their systems used in control and safety technology are redundant. Availability can also be increased by other steps, such as for example carrying out maintenance.
All equipment is redundant that would not be needed if there were no errors. There are also systems where redundancy is integrated automatically, as well as systems where redundancy can be seamlessly introduced after repairs have been carried out (interruption-free systems).
A transmission network can be classified into three groups as regards its availability, for example in minutes per year and in percent, as follows:
99.98 % unprotected (unavailable for approx. 1.75 hours per year)
99.999 % protected (unavailable for approx. 5 minutes per year)
99.9999 % secure (unavailable for approx. 32 seconds per year)
Depending on the level of availability, the railway application can be connected to the transmission node (SAP: Single Access Point) with a single or double level of redundancy.
Figure 3: Availability categories
[Figure: three connection variants, 99.98 % unprotected, 99.999 % protected and 99.9999 % safe. Diagram labels: Application, SAP, End node, Intermediate systems, Path 1, Path 2, 2 x 64 kbps + 2 Mbps per station.]
At the same time the percentages, calculated from the reliability figures for the individual elements (MTTF) for the whole of the network topology, can indicate the probability of a whole system actually performing as stated. Whether systems and their individual components will have to be deployed with single or double redundancy depends primarily on the level of availability of the railway application.
A summary is provided here of the most frequent railway applications, subdivided according to how available they are required to be.
Figure 4: Probability of failure according to individual railway applications
[Figure: railway applications plotted against the availability levels 99.9999 %, 99.999 % and 99.98 %. Applications shown: signal box, control system, traffic monitoring, SCADA/telecontrol, video surveillance, emergency call, contact monitor, info announcements, passenger info display, telephony, TVA access, hotline, office LAN (IT), sales application, ticket machine, GSM-R, TETRA/TETRAPOL, analogue train radio, alarms, 3rd-party equipment.]
3.3. The limits of redundancy
Thanks to redundancy and error tolerance, availability only depends on the probability of a second failure before the first one is repaired. However, availability is therefore not infinite.
The only definite factor in a doubly-redundant system is that it is twice as expensive and fails more than twice as often. As a result reliability and availability targets must be clear before redundant solutions are looked at.
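
The following added example, not taken from the white paper, computes availability from per-element MTTF and repair time for a single path, two paths behind shared end nodes, and two fully separate chains, and maps each result onto the three classes of section 3.2. The node counts, the 4-hour repair time and the independence of failures are assumptions; the 100-year MTTF is the paper's own example figure.

```python
HOURS_PER_YEAR = 365 * 24
SECONDS_PER_YEAR = HOURS_PER_YEAR * 3600

# The paper's three classes, strictest first: (lower bound, name).
CLASSES = [(0.999999, "secure"), (0.99999, "protected"), (0.9998, "unprotected")]

def element(mttf_h, mttr_h):
    """Steady-state availability of one repairable element: MTTF / (MTTF + MTTR)."""
    return mttf_h / (mttf_h + mttr_h)

def series(*parts):
    """Every part must work, e.g. the nodes along one path."""
    a = 1.0
    for p in parts:
        a *= p
    return a

def parallel(*branches):
    """One working branch is enough; assumes the branches fail independently."""
    u = 1.0
    for b in branches:
        u *= 1.0 - b
    return 1.0 - u

def downtime_s_per_year(a):
    """Expected unavailable seconds per year for availability a."""
    return (1.0 - a) * SECONDS_PER_YEAR

def classify(a):
    """Name of the strictest class whose lower bound a reaches."""
    for bound, name in CLASSES:
        if a >= bound:
            return name
    return "below unprotected"

def topologies(mttf_h=100 * HOURS_PER_YEAR, mttr_h=4.0):
    """Assumed layouts: two end nodes and three intermediate systems per path."""
    n = element(mttf_h, mttr_h)
    mid = series(n, n, n)
    chain = series(n, mid, n)
    return {
        "single path": chain,
        # Redundant paths, but each end node is still a single point of failure.
        "shared end nodes, two paths": series(n, parallel(mid, mid), n),
        "two fully separate chains": parallel(chain, chain),
    }

def element_failures_per_year(n_elements, mttf_h):
    """Expected repair call-outs per year, whether or not service is interrupted."""
    return n_elements * HOURS_PER_YEAR / mttf_h

if __name__ == "__main__":
    for name, a in topologies().items():
        print(f"{name:30s} {a:.10f} {classify(a):12s} "
              f"{downtime_s_per_year(a):9.3f} s/year")
    mttf = 100 * HOURS_PER_YEAR
    print("call-outs/year, 5 vs 10 elements:",
          element_failures_per_year(5, mttf), element_failures_per_year(10, mttf))
```

Doubling the chain doubles the number of elements that can fail and need repair, while the service outage shrinks to the case where both chains are down at once, which is why it grows with the square of the repair time.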
4. Trends in the railway sector
4.1. Increasing demand for bandwidth
Heterogeneous network technology in control and safety technology systems has grown for several decades. Nowadays, there is pressure to modernise and consequently cut costs and increase performance. Signalling applications usually transmit far less data volume than the other IT applications that are more technology driven. However, due to increasing demand in control and safety technology for flexibility and for increasing capacities in control and operating systems, systems management, (remote) diagnosis, maintenance services etc, requirements for data transmission capacity are constantly on the increase.
The days where, as has been the case up till now, a 64 kbps channel was sufficient between two locations will soon draw to a close. This will happen once communications transmitted separately till now, or new remote transmission (e.g. Radio Block Centres etc from the operating centres), or entirely new services (such as maintenance service centres) are switched to joint network connections to save costs. Sooner or later, a major operator should be able to transmit WAN connections at a standard 2 Mbps between large nodes, such as operating centres and sub-centres. Then with increasing data volumes, enough bandwidth would be available for some time to fulfil real-time demands for time-critical applications using the current TCP/IP basic protocols, leaving a reserve at the same time for other applications.
Otherwise, if a bottleneck occurs in a 64 kbps channel, additional protocols that set priorities will have to be used, which will cause delays to subordinate applications.
Figure 5: The individual railway applications' bandwidth requirements
[Figure: connection duration (1 minute, 1 hour, 1 day) plotted against bandwidth (1 kbps, 1 Mbps, 1 Gbps) for video surveillance, office LAN (IT), private mobile radio (GSM-R, TETRA, analogue), telephony, sales transactions, control system services and passenger info.]
4.2. Powerful network infrastructure
From the perspective of control and safety technology, two evolutionary paths are becoming obvious. One of the trends is the development towards large systems that integrate networks and services (convergent networks is the term). The other trend is the increasing usage of processes to safeguard closed sections of networks within large networks (network security). Systems that integrate services mean for example that real-time services, such as voice and live video services, are transmitted via IP networks, which these days still tend to be designed for computer data communication that is not time critical. At the same time safety and control technology systems (e.g. rail IP) are also to be transmitted. The customary TCP/IP protocol family (including UDP, a protocol providing faster transmission when data loads are heavy, but which does not prevent transmission faults) does not yet offer any satisfactory methods of always guaranteeing quick through-put times and error-free transmission. Should an interruption occur, convergence times of less than ms (type 50 ms) have to be adhered to at back-up level.
In control and safety technology, Quality of Service (QoS) and fast convergence rates are important. Today, standard solutions from the Metro-Ethernet-IP environment are not yet good enough to be used in control and safety technology.
Nevertheless, these technologies do definitely have potential as regards data transmission capacity. As a result, two routes are being pursued. A protocol called Multi-Protocol Label Switching (MPLS) will be added to the basic IP transport functions. MPLS technology adds an additional marker (a label) to the IP data packets during transmission in the data network. Based on this information, routers with MPLS capability take into account different priorities and service categories in the individual data packets and, depending on their service category, allocate them qualitatively different routes through the data network. With regard to configuration management, MPLS is considered very time consuming and therefore complex to operate and maintain.
Another procedure called Next Generation SDH (NG-SDH) opts for the tried and trusted TDM-based SDH infrastructure using Ethernet over SDH (EoS). With Ethernet over SDH, packet-enhanced Ethernet technology is combined with the real-time enhanced TDM process from the Synchronous Digital Hierarchy (SDH). By combining both technologies, the advantages are fully exploited and the disadvantages prevented. Implementing the EoS technology includes flexible bandwidth management with dynamic bandwidth allocation to communications demands, physical separation of networks, the interruption-free transmission of data, as well as the integration of the Ethernet interfaces in SDH.
EoS offers network operators an interesting alternative to MPLS, especially as real-time behaviour exists and the Quality of Service (QoS) can be modified. Furthermore, NG-SDH enables consolidation of all services in a single data network with high levels of availability.
Other protocols, such as Provider Backbone Transport (PBT), are to take into account the specific parameters as well, as mentioned above. They are being pushed by renowned manufacturers, but have not yet been tested properly in practice.
The table below summarises the properties of the different transmission technologies we have discussed.
Figure 6: Properties of the different transmission technologies
[Table comparing NG SDH, Metro Ethernet, MPLS (IP) and PBT; the only surviving entry is "Path and section protection (pre-configured)".]
5. Conclusion
From an ICT standpoint, data communication in control and safety technology will remain a special case as regards:
Data rates that are currently still relatively low,
particularly high demands regarding safety and
relatively long user system innovation cycles.
The directions ICT developments are heading are however inevitably reflected in the way control and safety technology is used. This is evident in the current proliferation of LAN/WAN technology in the cross-over to IP.
Control and safety technology network designers are facing conflicting priorities of compatibility with the legacy systems, different demands nationwide from the railway operators for new solutions, international standardisation trends in control and safety technology, as well as affordable, but never totally adequate standard solutions from the global market in information and telecommunications technology.
Because the length of innovation cycles varies, it is always a problem to identify when a new ICT trend is here to stay and likely to become a trendsetter in the future, so that adopting it into control and safety technology, with its time-consuming testing and licensing processes, is economical.
Finally, networks must be designed for implementation as an entire control and safety technology system that will receive a licence. As a result, KEYMILE has opted to supply its integrated and advanced multi-service access system UMUX to its railway customers worldwide.
Publisher
KEYMILE GmbH
Wohlenbergstrasse 3
30179 Hanover, Germany
Phone +49 511 6747-0
Fax +49 511 6747-450
Internet www.keymile.com
Mail [email protected]