II INTERNATIONAL CONFERENCE
TRANSPORT SYSTEMS TELEMATICS TST'02
ZESZYTY NAUKOWE POLITECHNIKI ŚLĄSKIEJ 2002
TRANSPORT z. 45, nr kol. 1570
rail control systems, fail safe systems, safety computer networks
Andrzej LEWIŃSKI¹
Tomasz PERZYŃSKI²
THE SAFETY PROBLEMS OF COMPUTER NETWORKS IN TRANSPORT APPLICATIONS
The paper deals with the main safety aspects of safety related computer networks for railway control.
The proposed model, corresponding to real control systems (dispatcher centre, remote control, decentralised interlocking) and applying a homogeneous and stationary Markov process, allows the necessary probabilistic and time parameters of redundant communicating control computers to be determined. This model may be extended towards other safety configurations connected with real requirements. Such an approach is consistent with UIC recommendations and the elaborated CENELEC standards for EU railways.
SAFETY PROBLEMS OF COMPUTER NETWORKS IN TRANSPORT APPLICATIONS
The paper presents the main safety aspects of computer networks in safe configurations for railway traffic control applications. The model used, adapted to example configurations (dispatcher centre, remote control, distributed interlocking controllers) and based on homogeneous and stationary Markov processes, makes it possible to determine the essential probabilistic and time parameters of mutually communicating redundant computers. The model can be successfully extended to other safe configurations, taking real requirements into account. This approach is consistent with UIC recommendations and the CENELEC standards developed in the EU.
1. INTRODUCTION
Computer networks are an efficient realisation of safety systems. In transport control and management systems [1] two techniques of safety enforcement are used:
- redundancy,
- self-testing.
Both these methods, presented in an intuitive way in Fig. 1, are applied together at the highest level (4) of system safety, especially in interlocking systems where a system fault is connected with the risk of loss of human life. In the system architectures designed by Siemens and Alcatel, two or three control computers communicate with each other using fast bus interface standards. In the fail-safe realisation of level crossing protection controllers produced by Scheidt & Bachmann or ABB Signal [2], two coupled computers are connected using serial transmission standards.
¹ Faculty of Transport, Technical University of Radom, 26-600 Radom, lewinski@kiux.man.radom.pl
² Faculty of Transport, Technical University of Radom, 26-600 Radom, tperzynski@kiux.man.radom.pl
110 Andrzej LEWIŃSKI, Tomasz PERZYŃSKI
Such networks, related to fast rates and short distances, are classified as μLAN; other applications connected with safety level 3 are typical LAN applications where computers may transmit messages up to a hundred metres. These solutions are related to dispatcher centre computers or layers of centralised interlocking systems (ABB Signal, Alcatel). Level 2 corresponds to WAN, but these computer networks use special dedicated (not public) standards typical for remote control and information gathering.
In all networks in railway control and management systems the safety transmission must satisfy the UIC requirements, CENELEC recommendations [3], [8], [9] and national standards [10]. Level 1 applications may apply public networks, but with the recommended cryptographic data protection. (Level 0 is not safety related.)
There are two classes of network computer systems [2]:
- systems without repair (for implementation of level 4, 3, partially 2),
- systems with repair (for implementation of level 0, 1, partially 2).
The first systems are characterised by reliability (or mean time to first failure); in the case of a fault the emergency, fail-safe procedure is initiated. The second systems assume a repair cycle after a detected fault and are characterised by availability (or the corresponding repair time and mean time between failures).
In the paper the modelling of both classes of network systems using Markov processes is presented. This approach gives the possibility of a simple estimation of the probabilistic and time parameters necessary for safety analysis.
Fig. 1. Redundancy (a) and self-testing (b) in computer networks
2. SAFETY RELATED COMPUTER NETWORKS
Typical computer network applications in transport management and control are presented in Fig. 2. In the dispatcher centre presented in Fig. 2a [2], [4] both computers (main computer and hot stand-by computer) are connected using LAN standards.
It is a typical system with repair: after a fault of the main computer the stand-by computer is switched into operation. After repair of a permanent fault, or reset of a transient fault, of the faulty computer the two-computer structure is restarted. This system, installed at Polish State Railways (PKP), has been successfully operated for ten years.
A system without repair is the μLAN solution of an interlocking controller for an industrial depot shown in Fig. 2b [1], [5], [7]. Both computers work in a parallel fail-safe structure; after a single fault the system switches to emergency mode.
All multi-computer systems applied to railway control and management may be treated as systems of one of the two presented classes.
Fig. 2. Computer networks in Polish Railways
a) LAN computers in the dispatcher centre (system with repair)
b) μLAN computer controllers in industrial depot interlocking (system without repair)
3. SAFETY AND RELIABILITY PARAMETERS OF COUPLED NETWORKED COMPUTERS
The behaviour of multicomputer communicating systems may be modelled using a Markov process model. Assuming an exponential distribution of faults and a stationary, homogeneous and ergodic character of the stochastic process [2], [4], [6], we can distinguish for a two-computer system the following states:
- 0 - state of correct work with both computers,
- 1 - state of a single (one computer) fault,
- 2 - state of catastrophic failure: a single computer fault without emergency reaction,
- 3 - state of fail-safe (controlled) failure initiating the emergency reaction.
These states are introduced both for the model without repair and for the model with repair presented in Fig. 3.
In the model with repair of the dispatcher system (Fig. 3a) the failure rates and repair rates of both computers may be assumed to be identical, $\lambda_M = \lambda_R = \lambda = 10^{-5}\,\mathrm{h}^{-1}$, $\mu_M^{-1} = \mu_R^{-1} = \mu^{-1} = 10^{-1}\,\mathrm{h}$, and the probability of a correct switch ($p$) is equal to $1 - 10^{-6}$. The stationary values of the probabilities $P_2$ and $P_3$ in this model are equal to:

$$P_2 = \frac{(1-p)\lambda\mu}{\mu^2 + \lambda\mu + p\lambda^2}, \qquad P_3 = \frac{p\lambda^2}{\mu^2 + \lambda\mu + p\lambda^2} \qquad (1)$$

Fig. 3. Markov models: a) dispatcher centre system with repair, b) interlocking system without repair

The safety and the mean time to catastrophic failure are equal to

$$S = 1 - P_2 = 1 - \frac{(1-p)\lambda\mu}{\mu^2 + \lambda\mu + p\lambda^2} \approx 1 - \frac{(1-p)\lambda}{\mu}\Big|_{\mu \gg \lambda,\ p \to 1} \approx 1 - 10^{-12} \qquad (2)$$

$$T_{fc} = \frac{\mu^2 + p\lambda\mu + p\lambda^2}{(1-p)\lambda\mu^2} = \frac{1}{(1-p)\lambda}\left(1 + \frac{p\lambda}{\mu} + \frac{p\lambda^2}{\mu^2}\right) \approx \frac{1}{(1-p)\lambda}\Big|_{\mu \gg \lambda,\ p \to 1} \approx 10^{11}\,\mathrm{h} \qquad (3)$$

The availability and the mean time to failure are equal to

$$A = 1 - (P_2 + P_3) = 1 - \frac{(1-p)\lambda\mu + p\lambda^2}{\mu^2 + \lambda\mu + p\lambda^2} \approx 1 - \left(\frac{(1-p)\lambda}{\mu} + \frac{\lambda^2}{\mu^2}\right)\Big|_{\mu \gg \lambda,\ p \to 1} \approx 1 - 2\cdot 10^{-12} \qquad (4)$$

$$T_f = \frac{\mu + \lambda + p\lambda}{\lambda\left(\lambda + (1-p)\mu\right)} \approx \frac{\mu}{\lambda\left(\lambda + (1-p)\mu\right)}\Big|_{\mu \gg \lambda,\ p \to 1} \approx 5\cdot 10^{10}\,\mathrm{h} \qquad (5)$$
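To check the closed forms of section 3 numerically, the following added example (not code from the paper) builds the generator matrix of the two-computer model with repair, solves the stationary distribution and the mean times to absorption in pure Python, and compares $P_2$, $P_3$ with equation (1). Its transition structure is an assumption reconstructed so that it reproduces the closed forms, since Fig. 3 is not reproduced here: 0 -> 1 at $p\lambda$, 0 -> 2 at $(1-p)\lambda$, 1 -> 0 at $\mu$, 1 -> 3 at $\lambda$, 2 -> 0 at $\mu$, 3 -> 1 at $\mu$.

```python
# Added example (not the paper's code): numerical check of the two-computer Markov
# model with repair (section 3).  States: 0 both OK, 1 single fault, 2 catastrophic, 3 fail-safe.

def solve(A, b):  # Gaussian elimination with partial pivoting, pure Python
    n = len(b)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][j] * x[j] for j in range(r + 1, n))) / M[r][r]
    return x

def generator(lam, mu, p):
    """Generator matrix Q of the dispatcher model (Fig. 3a).  The transition
    structure is an ASSUMPTION reconstructed to reproduce closed forms (1), (3):
    0->1 p*lam, 0->2 (1-p)*lam, 1->0 mu, 1->3 lam, 2->0 mu, 3->1 mu."""
    Q = [[0.0] * 4 for _ in range(4)]
    Q[0][1], Q[0][2], Q[1][0], Q[1][3] = p * lam, (1 - p) * lam, mu, lam
    Q[2][0], Q[3][1] = mu, mu
    for i in range(4):
        Q[i][i] = -sum(Q[i])  # rows of a generator matrix sum to zero
    return Q

def stationary(Q):
    """Solve pi*Q = 0 with the last balance equation replaced by sum(pi) = 1."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n - 1)] + [[1.0] * n]
    return solve(A, [0.0] * (n - 1) + [1.0])

def closed_form_p2_p3(lam, mu, p):  # P2 and P3 according to equation (1)
    d = mu ** 2 + lam * mu + p * lam ** 2
    return (1 - p) * lam * mu / d, p * lam ** 2 / d

def mean_time_to(Q, absorbing, start=0):
    """Expected time from `start` until the first entry into `absorbing`."""
    keep = [s for s in range(len(Q)) if s not in absorbing]
    Qt = [[Q[i][j] for j in keep] for i in keep]
    return solve(Qt, [-1.0] * len(keep))[keep.index(start)]

def safety_measures(lam=1e-5, mu=10.0, p=1 - 1e-6):  # paper's rates as defaults
    Q = generator(lam, mu, p)  # S, A: eq. (2), (4); T_fc, T_f: eq. (3), (5)
    pi = stationary(Q)
    return {"S": 1 - pi[2], "A": 1 - pi[2] - pi[3],
            "T_fc": mean_time_to(Q, {2}), "T_f": mean_time_to(Q, {2, 3})}
```

At the paper's rates ($\lambda = 10^{-5}\,\mathrm{h}^{-1}$, $\mu = 10\,\mathrm{h}^{-1}$, $p = 1 - 10^{-6}$) safety_measures() returns $S \approx 1 - 10^{-12}$, $A \approx 1 - 2\cdot 10^{-12}$, $T_{fc} \approx 10^{11}\,\mathrm{h}$ and $T_f \approx 5\cdot 10^{10}\,\mathrm{h}$, in agreement with (2) to (5).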
Fig. 3b shows the model of interlocking control as a system without repair composed of two identical computer controllers (PLC); the outputs are compared by a special fail-safe comparator. The failure rate of a computer is $\lambda = 10^{-5}\,\mathrm{h}^{-1}$ and $\mu^{-1} = t_R = 10^{-3}\,\mathrm{h}$ is the time of comparator reaction after a single computer fault. For this system the probabilities $P_i$ are evaluated as follows:

(6)

The safety is equal to

$$S = 1 - P_2 \approx 1 - 10^{-8} \qquad (7)$$

and depends on the switch-on time. The mean time to first catastrophic failure

$$T_{ffc} = \frac{1}{2\lambda} + \frac{1}{\lambda} = \frac{3}{2\lambda} \approx 1.5\cdot 10^{5}\,\mathrm{h} \qquad (8)$$

is longer than the mean time to first failure

$$T_{ff} = \frac{1}{2\lambda} + \frac{1}{\lambda + \mu} \approx \frac{1}{2\lambda} \approx 0.5\cdot 10^{5}\,\mathrm{h} \qquad (9)$$

In both examples the safety measures are better than for a single computer system.
For computer networks with a greater number of communicating computers (both with repair and without repair) this approach may be extended in the way presented in Fig. 4.
4. CONCLUSIONS
Fig. 4. Modelling of multicomputer structures: a) systems with repair, b) systems without repair
The analysis of safety criteria (probabilistic or time measures) for real systems based on computer networks is more complicated; the matrix description, both for systems with repair and for systems without repair, is rather sophisticated and the solutions require computer support. The estimation of the rates $\lambda_i$ and $\mu_i$ necessary for the evaluation is difficult, because such parameters are rather unknown and may be determined only with respect to tests elaborated over several years. (The estimation of $\mu_i$ in systems without repair composed of several computers is rather sophisticated with respect to the characteristics of multiple switches.) The failure rate of computer controllers installed at Polish State Railways, guaranteed by the producers (Siemens, PEP Modular Computers Inc.), is better than $10^{-5}\,\mathrm{h}^{-1}$. The repair rates may be estimated during special safety tests. The system level analysis must regard both software and hardware coincidences: some hardware faults are masked by software methods, and software faults sometimes require additional hardware. The obtained results have a rather qualitative aspect and are an optimisation criterion for the system structure. Another aspect is related to the comparison of functionally consistent systems (validation of several level crossing signalling systems applying the presented interlocking computer structure).
BIBLIOGRAPHY
[1] LEWIŃSKI A., PERZYŃSKI T., New computer control systems in Polish State Railways, I Międzynarodowa Konferencja Naukowa TELEMATYKA SYSTEMÓW TRANSPORTOWYCH, Katowice-Ustroń 2001
[2] LEWIŃSKI A., Problemy oprogramowania bezpiecznych systemów komputerowych w zastosowaniach transportu kolejowego, Seria Monografie Nr 49, Wydawnictwo Politechniki Radomskiej, Radom 2001
[3] LEWIŃSKI A., The design of correct software for safety related railway control systems according to UE standards, requirements and recommendations, Archiwum Transportu PAN, Warszawa, Nr 2, 2001
[4] LEWIŃSKI A., KONOPIŃSKI L., Szacowanie niezawodności i bezpieczeństwa komputerowych systemów sterowania ruchem kolejowym, Przegląd Kolejowy, Nr 8, Warszawa 2000
[5] LEWIŃSKI A., PERZYŃSKI T., Nowe rozwiązania komputerów sterujących w systemach sterowania ruchem kolejowym na przykładzie systemów „ssp”, prace konferencji TRANSPORT W XXI WIEKU, Wydział Transportu Politechniki Warszawskiej, Oficyna Wydawnicza Politechniki Warszawskiej, Warszawa 2001
[6] LEWIŃSKI A., SIERGIEJCZYK M., Problemy szacowania bezpieczeństwa i niezawodności mikroprocesorowych systemów sterowania ruchem, Prace Konferencji BEZPIECZEŃSTWO SYSTEMÓW, Zakopane 1998, Wydawnictwa Instytutu Technicznego Wojsk Lotniczych, Nr 7, 1998
[7] LEWIŃSKI A., PERZYŃSKI T., Zastosowanie sterowników PLC w bezpiecznych systemach sterowania dla potrzeb systemów sterowania ruchem kolejowym, prace konferencji Wydziału Transportu Politechniki Radomskiej TRANSCOMP 2001, Zakopane 2001
[8] Railway applications: Safety Related Electronic Railway Control and Protection Systems, report on the standard EN 50129, CENELEC 1997
[9] Railway applications: The specification of dependability, reliability, availability, maintainability and safety (RAMS), report on the standard EN 50126, CENELEC 1997
[10] Wymagania bezpieczeństwa dla urządzeń sterowania ruchem kolejowym, opracowanie Centrum Naukowo-Technicznego Kolejnictwa, Zakład Sterowania Ruchem i Zasilania, zadanie Nr 1060/23, Warszawa 1997
Reviewer: Ph. D. Jerzy Mikulski