Why menTCS

Get Synergies for all Safety-Critical Applications

As a modular safe platform with flexible I/O configuration and extension options, menTCS can be used in all safety-related applications on board and around a train: from single functions such as door and brake control or signal and switch control up to complex systems for Automatic Train Operation or Protection (ATO/ATP).

» The MH50C controller can be configured with exactly the number of safe channels required, plus non-safe functions based on standard CompactPCI boards.
» Up to 63 remote I/O boxes (with four to eight boards per device) can be connected to one MH50C controller, saving considerable wiring cost and increasing operational stability.
Independence from Suppliers

Avoid Vendor Lock-In and Keep Control!

As a completely open and modular platform, menTCS makes rail service suppliers and rail operators independent of a platform supplier, giving them full control over their project.

menTCS is based on:
» Standard CompactPCI industry standard and x86 host controller
» Standard operating system (QNX, Linux)
» Standard EtherCAT with the standard safety protocol FSoE
» Standard communication interfaces to TCN network, MVB, CANopen, ProfiNet, etc.
» Standard POSIX programming interface for "C"
» "C" code generation, e.g. with model-based code generation tools such as ANSYS' SCADE or MathWorks' Simulink
» AAR compliant

Long-Term Availability

Protect Your Investments From Discontinuation!

menTCS is exclusively based on open industry standards in hardware, software and communication with broad market acceptance. This guarantees alternatives for every function, so the end user is protected from obsolescence.

Extend Your Project Life Cycle!

The menTCS lifetime is extendable through its family concept and the corresponding life-cycle management behind it. After the guaranteed minimum availability of 10 years for all parts of menTCS, MEN will provide its customers with all necessary steps and documents (e.g. change effect analysis, redesign) for possible successors.

For menTCS, MEN guarantees:
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time
[Figure: Example configuration of the safe menTCS controller MH50C]

[Figure: Example configuration of the safe menTCS remote I/O box KT8]

[Figure: Safe menTCS CPU component F75P and I/O components K1, K2 and K7]
menTCS Software Architecture

The menTCS software distinguishes between the safe and the non-vital domain in order to save cost and time for application development and certification. This separation allows non-vital applications to be developed separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.

The safe application runs in a safe kernel of the QNX real-time operating system and can be programmed directly in standard "C" against POSIX-compliant APIs.

As menTCS is an open general-purpose hardware platform for different kinds of safe applications, the software programmer needs an interface that gives full access to the control electronics. The PACY safety I/O framework provides easy and modular access to the safe I/O boards. PACY also includes a safe communication layer (Fail Safe over EtherCAT, FSoE).

Together with QNX, the menTCS CPU and I/O components come with pre-certified SIL 4 hardware/software bundles, accelerating time to market even further. The QNX "Neutrino" microkernel provides important safety-relevant features such as memory protection, interprocess communication and deterministic scheduling. It protects user processes from each other, so that processes can also have different SIL levels.

PACY is a process data application framework that makes the menTCS hardware transparent for the application. It handles the communication between the CPU, together with the customer-specific application software, and the safe I/O cards. As a transparent abstraction layer, PACY takes care of executing the application's commands and provides an API for "C" programming. Developers control the I/O through "C" variables, independently of the kind of I/O that needs to be controlled.

As a module-based framework, PACY provides open interfaces that allow flexible extension by individual, customer-specific modules.

The FSoE protocol (Fail Safe over EtherCAT) integrated in PACY is responsible for safe data transmission and for protecting what is called the black channel: the underlying EtherCAT transport is not trusted, so the safety layer protects its own data end to end. A SIL 4 certification according to EN 50128 will also be available for PACY, including the corresponding documents. PACY is configured by a tool that defines the I/O configuration and the mapping of application variables to the I/O interfaces. It also allows the same application to run with different I/O configurations.

[Figure: menTCS software architecture. Safe domain (CPU board) on the QNX microkernel: user's safety application and process/status data; PACY with safe application interface, I/O safety layer, Fail Safe over EtherCAT (FSoE) and safe communication; synchronization of CP1/CP2 with transfer via shared RAM (CP SYNC, IOP transfer, startup flow, WDOG, RAM, CPU, reset, BIT, MISC, SHMEM, ROS); RAM disk, debug server and network support (IP stack, Berkeley sockets, network servers such as telnetd and ftpd). Safe domain (I/O board). External interfaces.]

Note that the debug server and the cleartext network services shown in the figure (telnetd, ftpd) are convenient during development but widen the attack surface of the safe domain; a deployed configuration should expose only the services the application actually needs.

Synchronization of Control Processors 1 and 2

Synchronization service functions are part of the certified platform software and have SIL 4 quality according to EN 50128. The synchronization and comparison service function ensures that both safe processors use the same input data and verifies that the calculated output data is the same. Additionally, the application can use this service for the temporal and logical monitoring of the application program required by EN 50129 for SIL 3 or SIL 4 applications.

The following figure shows a representative safety application that uses the synchronization services to synchronize execution on the redundant architecture of the two control processors. Both control processors run the same customer safety application cycle:

1. Wait for the next cycle to begin, then SYNC TIME (1) and SYNC (2).
2. Get inputs on both processors, then COMPARE (3) the input data.
3. SYNC (4), execute the application logic on both processors, then SYNC (5) and SYNC (6).
4. COMPARE (7) the calculated output data.
5. Control Processor 1 writes output part A, Control Processor 2 writes output part B.
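The cycle in the figure above, as an added illustration (an editor's example, not PACY or menTCS platform code): two control processors run the same application in lockstep, exchange and compare their input and output images at the numbered sync points, and fall back to the safe state on any mismatch or on a missed sync deadline. The door-release logic, the millisecond timing figures, the all-zero safe output image and the split of the output image into part A (written by CP1) and part B (written by CP2) are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Inputs = Tuple[int, ...]
Outputs = Tuple[int, ...]
Logic = Callable[[Inputs], Outputs]

# Assumption for this example: the de-energized (all-zero) output image is the safe state.
SAFE_OUTPUTS: Outputs = (0, 0, 0, 0)


@dataclass
class ControlProcessor:
    name: str
    logic: Logic
    # Constructed timing model: milliseconds this CP needs to reach each numbered sync point.
    sync_delay_ms: Dict[int, float] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def sync(self, point: int, deadline_ms: float) -> bool:
        """Rendezvous with the partner CP; arriving late is a temporal fault."""
        took = self.sync_delay_ms.get(point, 0.0)
        ok = took <= deadline_ms
        self.log.append(f"{self.name} SYNC({point}) {took:.1f} ms {'ok' if ok else 'LATE'}")
        return ok


def door_release_logic(inp: Inputs) -> Outputs:
    """Toy application logic (assumed): release doors only on the platform side
    and only while the train is reported stopped; inhibit traction meanwhile."""
    train_stopped, release_request, platform_left, platform_right = inp
    allow = train_stopped and release_request
    left = int(bool(allow and platform_left))
    right = int(bool(allow and platform_right))
    traction_inhibit = int(bool(left or right))
    return (left, right, traction_inhibit, 1)   # last bit: "cycle healthy" lamp


def fail_safe(reason: str):
    """Both CPs write the safe image; the reason is what a real system would log."""
    half = len(SAFE_OUTPUTS) // 2
    return ("safe", SAFE_OUTPUTS[:half], SAFE_OUTPUTS[half:], reason)


def run_cycle(cp1: ControlProcessor, cp2: ControlProcessor,
              in1: Inputs, in2: Inputs, deadline_ms: float = 5.0):
    """One 2oo2 cycle following the numbered steps of the figure.
    Returns (state, outputs_part_a, outputs_part_b, reason): part A is written
    by CP1, part B by CP2, and only when both output images are identical."""
    def both_sync(point: int) -> bool:
        # Evaluate both so each CP's log entry is recorded even if one is late.
        ok1, ok2 = cp1.sync(point, deadline_ms), cp2.sync(point, deadline_ms)
        return ok1 and ok2

    if not (both_sync(1) and both_sync(2)):             # SYNC TIME (1), SYNC (2)
        return fail_safe("sync deadline missed before input acquisition")
    if in1 != in2:                                      # COMPARE (3): exchanged input images
        return fail_safe(f"input images differ: {in1} vs {in2}")
    if not both_sync(4):                                # SYNC (4)
        return fail_safe("sync deadline missed before application logic")
    out1, out2 = cp1.logic(in1), cp2.logic(in2)         # execute application logic on both CPs
    if not (both_sync(5) and both_sync(6)):             # SYNC (5), SYNC (6)
        return fail_safe("sync deadline missed after application logic")
    if out1 != out2:                                    # COMPARE (7): exchanged output images
        return fail_safe(f"output images differ: {out1} vs {out2}")
    half = len(out1) // 2
    return ("run", out1[:half], out2[half:], "both CPs agree")   # write part A / part B


def demo() -> Dict[str, tuple]:
    """Constructed scenarios: nominal, diverging inputs, a late CP, a diverging CP."""
    good = (1, 1, 1, 0)                                  # stopped, release requested, platform left
    cp1 = ControlProcessor("CP1", door_release_logic)
    cp2 = ControlProcessor("CP2", door_release_logic)
    late_cp2 = ControlProcessor("CP2", door_release_logic, {5: 9.0})
    bad_cp2 = ControlProcessor("CP2", lambda _inp: (1, 1, 1, 1))   # faulty: releases both sides
    return {
        "nominal": run_cycle(cp1, cp2, good, good),
        "input_divergence": run_cycle(cp1, cp2, good, (1, 1, 0, 1)),
        "late_sync": run_cycle(cp1, late_cp2, good, good),
        "logic_divergence": run_cycle(cp1, bad_cp2, good, good),
    }


if __name__ == "__main__":
    for name, (state, part_a, part_b, why) in demo().items():
        print(f"{name:18s} {state:4s} A={part_a} B={part_b}  {why}")
```

The point of splitting the write is that neither processor can energize the full output image alone: CP1 only ever writes part A and CP2 only part B, and both do so only after the output compare has passed, so a single faulty or compromised processor cannot drive the plant by itself.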
[Figure: front panels of the safe menTCS controller (F75P CPU with EtherCAT master, F305, PU20 power unit, status/voltage fail/fan fail indicators, EC1/EC2 L/A, +12V OK) and of the safe I/O boards Kx (K1, K2, K7) with FSOE/IOER/RUN/ERR indicators, DIGIN/DIGOUT connectors X1..X4, ADDR HIGH (0..3) and ADDR LOW (0..F) switches, linked over Safe Real-Time Ethernet.]
Synchronized Communication Service Functions

External systems communicating with the safe menTCS controllers via Ethernet using UDP or TCP see both processors as "one instance" through MEN's Y-COM service functions. Incoming frames are distributed to both safe-domain processors by the Y-COM server running on the non-vital processor, whereas outbound frames are synchronized between both safe-domain processors. The payload is mixed, meaning that each safe CPU generates a part of the outbound transmit frame, and the Y-COM server on the non-vital processor sends this frame to the external system.

Note that the Y-COM server itself is not part of the safe domain: as the figure shows, a safety protocol layer sits above Y-COM in the safe application and in the external system, so the non-vital processor and the Ethernet network are treated as an untrusted transport and the exchanged data is protected end to end by that layer.

Linux Operating System

While the safe applications are executed on two separate, redundant control processors, a third processor controls all non-vital applications. The operating system running on this third processor can be Linux or any of the known real-time operating systems. Being an open standard hardware platform, menTCS ideally uses Linux as the operating system, based completely on open-source technology. Linux is free and is supported by a broad, community-driven product offering. Installing applications and changing options is easy, and it comes with security features.

[Figure: Y-COM communication. F75P: safety application (safe user application in "C", PLC, ANSYS SCADE) on top of safety protocol, PACY and Y-COM API-LIB on QNX; general-purpose user software on VxWorks, Integrity, Linux or PikeOS; Ethernet UDP or TCP; external system with safety protocol and Y-COM API-LIB.]
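The Y-COM arrangement described above, as an added model (an editor's example, not MEN's Y-COM code): the Y-COM server on the non-vital processor copies inbound datagrams to both safe processors and concatenates the two halves of each outbound frame, while a safety-protocol layer at each safe CP and at the external system validates the data end to end, as the "Safety Protocol" boxes in the figure indicate. The container layout (connection id, sequence number, payload, CRC-32), the command strings and the half-and-half split are assumptions for the example; agreement between the two CPs on the output data is established by the synchronization and comparison service before transmission, so the split here only shows that no single processor can emit a complete valid frame on its own.

```python
import struct
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed safety-container layout for this example (not FSoE and not any MEN format):
# connection id (16 bit) | sequence number (32 bit) | payload | CRC-32 over everything before it
HEADER = struct.Struct("!HI")
CRC = struct.Struct("!I")


def build_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    body = HEADER.pack(conn_id, seq) + payload
    return body + CRC.pack(zlib.crc32(body))


@dataclass
class SafetyEndpoint:
    """Safety-protocol receiver, instantiated at each safe CP and at the external system."""
    conn_id: int
    last_seq: int = 0

    def check(self, frame: bytes) -> Optional[bytes]:
        """Return the payload only if the frame is intact, addressed to us and fresh."""
        if len(frame) < HEADER.size + CRC.size:
            return None                                    # truncated
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        if zlib.crc32(body) != crc:
            return None                                    # corrupted on the black channel
        conn_id, seq = HEADER.unpack_from(body)
        if conn_id != self.conn_id:
            return None                                    # foreign connection / misrouted
        if seq <= self.last_seq:
            return None                                    # replay or duplicate
        self.last_seq = seq
        return body[HEADER.size:]


@dataclass
class SafeCP:
    name: str
    rx: SafetyEndpoint
    tx_seq: int = 0          # kept identical on both CPs by the synchronization service
    accepted: List[bytes] = field(default_factory=list)

    def receive(self, frame: bytes) -> Optional[bytes]:
        payload = self.rx.check(frame)
        if payload is not None:
            self.accepted.append(payload)
        return payload

    def outbound_part(self, conn_id: int, payload: bytes, part: int) -> bytes:
        """Build the complete frame from this CP's (already compared) output data,
        but hand only one half to Y-COM: part 0 is the first half, 1 the second."""
        self.tx_seq += 1
        frame = build_frame(conn_id, self.tx_seq, payload)
        half = len(frame) // 2
        return frame[:half] if part == 0 else frame[half:]


class YComServer:
    """Runs on the non-vital processor. Copies every inbound datagram to both safe
    CPs and concatenates the two outbound halves. It never parses or validates
    safety data, so nothing it does is trusted by the safe domain."""

    def __init__(self, cp1: SafeCP, cp2: SafeCP):
        self.cp1, self.cp2 = cp1, cp2

    def inbound(self, frame: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
        return self.cp1.receive(frame), self.cp2.receive(frame)

    def outbound(self, conn_id: int, payload: bytes) -> bytes:
        return (self.cp1.outbound_part(conn_id, payload, 0)
                + self.cp2.outbound_part(conn_id, payload, 1))


def demo() -> Dict[str, object]:
    """Constructed exchange: external system <-> Y-COM (non-vital) <-> CP1 / CP2."""
    conn = 0x0042
    cp1 = SafeCP("CP1", SafetyEndpoint(conn))
    cp2 = SafeCP("CP2", SafetyEndpoint(conn))
    ycom = YComServer(cp1, cp2)
    external = SafetyEndpoint(conn)
    results: Dict[str, object] = {}

    # Inbound: a valid command reaches both CPs; a replay and a relay-tampered copy reach neither.
    cmd = build_frame(conn, 1, b"DOOR_RELEASE_LEFT")
    results["inbound_ok"] = ycom.inbound(cmd)
    results["inbound_replay"] = ycom.inbound(cmd)
    tampered = HEADER.pack(conn, 2) + b"DOOR_RELEASE_BOTH" + cmd[-CRC.size:]
    results["inbound_tampered"] = ycom.inbound(tampered)

    # Outbound: the frame is only valid when both halves come from agreeing CPs.
    results["outbound_ok"] = external.check(ycom.outbound(conn, b"LEFT_OPEN"))
    corrupted = bytearray(ycom.outbound(conn, b"LEFT_OPEN"))
    corrupted[HEADER.size] ^= 0x01                        # one payload bit flipped in transit
    results["outbound_corrupted"] = external.check(bytes(corrupted))
    results["single_cp_half"] = external.check(cp1.outbound_part(conn, b"LEFT_OPEN", 0))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value!r}")
```

Because the relay does no validation, a faulty relay, a corrupted network and a deliberate manipulation of the non-vital processor all look the same to the safe domain: a rejected frame at the receiving safety layer, after which the safe application applies its own timeout and safe-state rules instead of acting on the data.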
Development Tools

As a general-purpose system open to the final application, menTCS also supports a multitude of third-party development tools. Generally, C-code generating tools like SCADE or Simulink can be used to implement the application running on the safe processors.

Another development tool that can be used with menTCS is the Prover iLock suite, which automates the development of computerized interlocking systems (CBI).

For the development of non-vital applications under Linux, a package for the Yocto Project development environment is available from MEN, including all relevant components to interact with menTCS.
menTCS SIL 4 Component Certification

menTCS is SIL 4 certifiable according to EN 5012x and comes with pre-certified hardware in combination with pre-certified software and the corresponding certificates from TÜV SÜD (German Technical Inspection Agency), drastically reducing the duration of the certification process.

As menTCS consists of a CPU board and a number of different I/O functions (boards) that are configured for the final application, the certification packages are divided accordingly:
» 1 package for the redundant control processors of the F75P safe CPU board with QNX
» 1 basic package for the complete safe I/O board portfolio for QNX, plus I/O-board-specific packages

Pre-certification of the menTCS hardware together with the QNX software has significant advantages:
» Saves time: no need to have your own safe BSP (or drivers) developed
» Saves cost: just purchase certification packages from MEN and QNX licenses from QNX
» Reduces risk: the QNX BSP comes together with the certification package from MEN

In case QNX is not the operating system of choice for the application, the certification packages for the F75P CPU board are also available without a board support package or driver software.

A menTCS hardware SIL 4 certification package for just the hardware also includes:
» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety- and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD
» Support hours

[Figure: Safe menTCS / QNX bundle with SIL 4 certification packages: F75P CPU board with QNX BSP; I/O boards with QNX drivers.]
menTCS Application Areas

[Figure: Covering all vital train and wayside applications with menTCS. On board: menTCS controller on Ethernet, train bus (MVB, CAN) and I/O bus (CAN, Profibus); menTCS remote I/O connected to valves, relays and sensors; driver display and driver cab controls/indicators; brakes, gear control, fuel control and wheelslip control.]

Rolling Stock

menTCS is well suited for control of all safety-related functions in new train models as well as for the refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation functions by combining menTCS with other parts of already existing train control equipment.

menTCS provides:
» Installation as the heart of the CBTC (Communication Based Train Control) system or the TCMS (Train Control Management System) for new trains
» Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
» Step-by-step replacement of older equipment, resulting in one standardized general-purpose platform for all safe applications
» Remote control sitting directly at the door, at the wheel, at the gear
» All-in-one safe control system and non-vital communication system, safely separated through strict partitioning
» Interfacing to all existing train communication with Ethernet, MVB, CAN bus etc.
» Interfacing to the driver cab display
» Interfacing to wireless communication with the outside world through GSM-R, GPS, WLAN etc.
» Decrease in life cycle cost through easy maintenance of standard components
» Longer operating life by using standardized technologies
» Reduction of dependence on single suppliers, resulting in a growing service offer

menTCS example application: ETCS EVC system, providing
» GSM-R communication
» ETCS application computer
» Fieldbus interfaces to other ETCS equipment (MVB, Profibus)
» Real-time Ethernet interfaces to train functions
» Control of train functions realized with the remote I/O unit

[Figure: menTCS as ETCS On Board Unit (OBU): control center reached via GSM-R; menTCS with train interfaces (MVB, Profibus, Ethernet), Eurobalise reader and remote I/O.]
menTCS Ecosystem

menTCS is a general-purpose platform for safe train and wayside functions based on standard technologies, and as such open to the features and requirements of the final application. Several packages and services around menTCS help the customer to save cost and speed up time-to-market.

[Figure: menTCS ecosystem. Safe applications (customer) and general-purpose applications (customer) on top of application development (PACY safe I/O framework, Yocto Project development), the vital operating system and the non-vital operating system, all on menTCS.]

As an embedded systems solution provider to the railway industry, MEN delivers in particular computer hardware with adapted BSPs and drivers:
» menTCS hardware installation in a modular configuration tailored to the application
» QNX safe operating system and turnkey Linux
» Safety certification documents

Understanding the requirements of the final use case, MEN provides consultancy and recommends approved partner products:
» MEN product support, training and in-depth documentation
» C-code generating Simulink from MathWorks
» Tool suite for development of computerized interlocking systems from Prover
» In-house approved design tools like SCADE and Yocto Project
» Development and environmental test services
» Worldwide sales support and consultancy
» Evaluating and understanding the application

Wayside

menTCS is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train management, and wayside devices such as switches, signals or level crossings. Being a modular platform, it can be used in new interlocking systems as well as for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer.

menTCS provides:
» Introduction of ETCS L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Increase in performance of the interlocking systems
» Low cabling cost thanks to standardized Ethernet technology
» Avoidance of the costly total replacement by CBIs (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the expansion of total capacities
» Decrease in life cycle cost through easy maintenance of standard components
» Reduction of dependence on single suppliers, resulting in a growing service offer

[Figure: Train control system (control logic, centralized traffic control) above a redundant CBI built from menTCS, driving relays, actors and sensors.]

New CBI system for railway and metro stations:
» One CBI per station, requiring SIL 4
» Dual MH50C system, one in hot stand-by
» Each MH50C to control 1500 digital inputs and 600 digital outputs

Feature: Benefit
» 3U 19" CompactPCI: Robust, industry-proven backplane and computer board standard
» POSIX-compliant Safe API (Application Interface), "C" programming language
» I/O with spring-cage terminal blocks: Makes connection easy and reduces cabling
» QNX real-time operating system: Partitioning of the application for different safety levels
» 14.4 to 154 V DC wide-range PSU: International railway compliance with just one device
» SIL 4 from the beginning: No workarounds or compromises necessary
» Remote I/O boxes: Less cabling, improved signal quality and a huge number of I/Os
» Use of open standards: Independence from a single supplier, small learning curve
» Linux operating system: Development of non-vital functions in a standard software environment
» EN 50155 & EN 50121-4: Fully proven for rolling-stock and wayside railway environments
» Pre-certified hardware and software compliant with railway standards: Low certification risk, fast time-to-market, customer can concentrate on the application
» Open communication (WLAN, radio, GPS, RS485): Connection to all popular in-vehicle and external communication interfaces
» Expertise in embedded railway solutions
» No proprietary end application: The application is the customer's value add to differentiate from other market players
www.duagon.com
www.men.de
www.men-deutschland.de
www.men-france.fr
www.menmicro.com
www.men-china.cn