menTCS – MEN Train Control System

SIL 4 Railway Computer for Rolling Stock and Wayside Applications

Contents

menTCS Approach
» Standardization Efforts in Rail . . . 4
» Vendor-Lock-In through Proprietary Systems . . . 4
» Modular and Safe Hardware Platforms are Key . . . 4
» Reduced Cost and Independency . . . 4
» What we've Learned from Customers . . . 4
» Our Solution: Open and Modular Platform Concept . . . 4
» Certified Functional Safety for all Critical Applications . . . 5

Why menTCS
» Certified Functional Safety . . . 6
» Independency from Suppliers . . . 6
» Modularity in I/O Configuration and Software . . . 7
» Long-Term Availability . . . 7

menTCS Family Members
» Safe menTCS Controller . . . 8
» Safe menTCS CPU Component . . . 8
» AAR Compliant menTCS Controller . . . 9
» Safe menTCS Remote I/O Box . . . 9
» Safe menTCS I/O Components . . . 9

menTCS Software Architecture . . . 10

menTCS SIL 4 Component Certification
» TÜV Certificates for the Hardware together with QNX . . . 16
» TÜV Certificates for the Hardware without Operating System . . . 16

menTCS Application Areas
» Rolling Stock . . . 18
» Wayside . . . 20

menTCS Benefits Summary . . . 22

menTCS Approach

Challenges of Digital Technology in Railways

The governments of many countries have increased their safety standards in mass transit and freight transport and / or work on nationwide traffic regulation programs, e.g.:
» SIRF stage 2 (Germany)
» PTC – Positive Train Control (USA)
» ETCS – European Train Control System
» CTCS – Chinese Train Control System
» KLUB-U – Russian Train Control System

Standardization Efforts in Rail

National traffic regulation programs like ETCS in Europe, CTCS in China, PTC in North America, or KLUB-U in Russia continue to push ahead with standardization regarding implementation, software and communication. But hardware is usually still manufacturer-bound and incompatible with the solutions of other system suppliers.

Vendor-Lock-In through Proprietary Systems

This leads to the fact that the computer systems are expensive to purchase and also expensive over the entire life cycle. Operators are bound to the system suppliers, and extensions and spare parts are only available from this supplier.

Modular and Safe Hardware Platforms are Key

The use of standardized, open and pre-certified computer modules would help both system manufacturers and operators. System manufacturers can still differentiate themselves from the competition through their system and software design, but no longer have to take care of the hardware themselves. They would also be faster and cheaper on the market.

Reduced Cost and Independency

This would have even more advantages for the operators: they could get spare parts and system extensions from various manufacturers, provided they are compatible with the standard. The costs of spare parts and thus the total costs over the service life would be reduced.

What we've Learned from Customers

To meet the challenges of railway digitalization and standardization, computer systems need to be an open platform, which can be configured to any kind of safety-related application. This saves time, money and effort, while the functionality of train equipment is growing rapidly. At the same time rail suppliers are looking for solutions which come with a certain level of software, as the distinguishing factor between them and the competition is only the final application software.

Our Solution: Open and Modular Platform Concept

Based on all these factors and challenges, menTCS was developed with the approach to be able to offer customers a system concept that exactly meets the requirements of the time: flexibly configurable for various applications/functions, modular for expansions, based on open industry standards and with exactly that much software, so that one can quickly concentrate on the final application and save time with later SIL x certifications. menTCS consists of the safe controller, the safe I/O functions and the communication interfaces to the "outside" world.

Certified Functional Safety for all Critical Applications

menTCS comes with certified functional safety up to level SIL 4, so it can be adapted to a wide variety of safety-critical applications. menTCS is predestined for use in rolling-stock as well as in wayside applications. This can be single functions like door and brake control, or signal and switch control up to complex systems for Automatic Train Operation or Protection (ATO/ATP).

Counterpart for Communication – Railway Data Center menRDC

At a certain point, also the safe computer infrastructure – both rolling-stock and wayside – needs to connect to the non-vital IT environment to exchange operation data, using a "vital-to-non-vital" gateway. For all communication and storage tasks MEN offers its own family as a perfect complement to menTCS: the Railway Data Center menRDC. All information is available at: www.men.de/rdc

Application fields of menTCS:
» CBTC (Communication Based Train Control)
» ATP (Automatic Train Protection)
» ATO (Automatic Train Operation)
» ATS (Automatic Train Supervision)
» EVC for ETCS (European Vital Computer)
» RBC (Radio Block Center)
» CBI (Computer Based Interlocking)
» Level crossings

Figure: menTCS – Train Control System (ATP, CBTC, ATO, EVC (ETCS), Remote Control; connected to Back Office, RBC, CBI, ATS)
Why menTCS

Certified Functional Safety

Save Cost, Time and Risk with Pre-Certification
Safety-related menTCS components come with certification packages for the hardware and the relevant platform software based on QNX. No matter for which final application you will use menTCS – the MEN parts are already certified and will speed up your overall certification process.

Get Synergies for all Safety-Critical Applications
As a modular safe platform, with flexible I/O configuration and extension options, menTCS can be used in all safety-related applications on board and around a train: from single functions like door and brake control, or signal and switch control up to complex systems for Automatic Train Operation or Protection (ATO/ATP).

menTCS is certified to:
» EN 50126: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
» EN 50128: Communication, signaling and processing systems – Software for railway control and protection systems
» EN 50129: Communications, signaling and processing systems – Safety-related electronic systems for signaling

Independency from Suppliers

Avoid Vendor Lock-In and Keep Control!
As a totally open and modular platform, menTCS makes rail service suppliers and rail operators independent of a platform supplier, giving them full control over their project.

menTCS is based on:
» Standard CompactPCI industry standard and x86 host controller
» Standard operating system (QNX, Linux)
» Standard EtherCAT with standard safety protocol FSoE
» Standard communication interfaces to TCN network, MVB, CANopen, ProfiNet, etc.
» Standard POSIX programming interface for "C"
» "C" code generation, e.g. with model based code generation tools, such as ANSYS' SCADE or MathWorks' Simulink

Modularity in I/O Configuration and Software

Flexible Configuration for Controller Unit or Complete Network
menTCS is based on the modular 19" CompactPCI standard, making a scalable plug-and-play-like system configuration easy, enabling communication with other train functions like service or diagnosis, and supporting integration in existing train bus networks:
» The MH50C controller can be configured with the exact number of required safe channels, and nonsafe functions based on standard CompactPCI boards.
» Up to 63 remote I/O boxes (with four to eight boards per device) can be connected to one MH50C controller, saving huge wiring cost and increasing the operation stability.

Modularity in Terms of Software
Since all software functions (see following pages: PACY, SYNCH, EXCH, YCOM) are independent of each other, only the parts that are really needed can be configured in the system. The PACY I/O framework is also modular in itself, so that functions such as new I/O modules, new bus systems or new safety protocols can be easily added.

Long-Term Availability

Protect Your Investments From Discontinuation!
menTCS is exclusively based on open industry standards in hardware, software and communication with broad acceptance on the market. This guarantees alternatives for every function, so the end user is protected from obsolescence issues.

Extend your Project Life Cycle!
The menTCS lifetime is extendable by its family concept and a corresponding life-cycle management behind it. After the guaranteed minimum availability of 10 years for all parts of the menTCS, MEN will provide its customers with all necessary steps and documents (e.g. change effect analysis, redesign) for possible successors.

For menTCS, MEN guarantees:
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time

More information about menTCS: www.men.de/tcs
menTCS Family Members

Safe menTCS Controller
The heart of the modular menTCS train control system family is the MH50C central controller. It is based on the SIL 4-certified Intel CPU card F75P. The safe part can be extended by non-vital I/O functions without affecting the safety of the system. It can be used as a standalone device and in combination with up to 63 remote I/O boxes. It communicates to the MEN safe I/O via standard real-time Ethernet and can be configured to interface to any type of consist fieldbus network like MVB, CANopen, Profinet etc. This makes it easy to integrate into a TCN network as well as into regionally different Train Control Systems like ETCS, CTCS, ATCS or Klub-U. Also, wired and wireless interfaces for WLAN, 3G/4G and GPS can be implemented for vehicle-to-vehicle and vehicle-to-land communication.

Safe menTCS CPU Component
The central element of menTCS is the self-contained F75P safe CPU board which uses 2oo2 voting. The F75P is a standard CompactPCI board that is designed to execute safety-critical applications as well as non-vital applications and which comes with its own dedicated SIL 4 certification package.

The safe CPU board F75P consists of:
» 3 Intel processors with
  » 2 redundant CPUs executing the safety logic
  » 1 CPU as general purpose and I/O communication processor
» Independent supervisors for each block
» Fail-safe board architecture
» Event logging with intelligent board management controller

AAR Compliant menTCS Controller
The MA50C central controller is the first member of the AAR sub-family of menTCS. It is functionally identical with the MH50C, using the same hardware and software. Primarily targeting the North American market, the conduction cooled housing conforms to the AAR S-9401, 6 MCU standard and is protected against dust and water jets according to IP65/NEMA-4.

Safe menTCS Remote I/O Box
If the I/O functions on MH50C are not sufficient or actors and sensors are located far away from the controller, the extension via remote I/O boxes might be necessary. Up to 63 boxes can be connected within menTCS.

Each remote I/O unit of the menTCS family consists of:
» Up to 8 certifiable safe I/O boards
» Real-time EtherCAT interface with chassis configuration switch
» PSU with Class 2 hold-up time with just one wide range power supply 14.4 to 154 V

Safe menTCS I/O Components
The I/O boards of the menTCS system are self-contained, using 1oo1d architecture. A dedicated certification package is available for all I/O boards. A single I/O board can be used to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4. This scalable approach reduces cost in case a lower SIL level is sufficient.
Alternatively, two identical I/O boards can also be used to support hot stand-by in order to achieve availability when required for critical functions.

The range of safe I/O boards comprises the typical functions required for railway applications:
» K1 – 8 high-side switch outputs
» K2 – 16 binary inputs
» K7 – 8 low-side switch outputs

Figures: Example Configuration of the Safe menTCS Controller MH50C; Example Configuration of the Safe menTCS Remote I/O Box KT8; AAR Compliant menTCS Controller MA50C; Safe menTCS CPU Component F75P; Safe menTCS I/O Components K1, K2 and K7
menTCS Software Architecture

Separation between Safe and Non-Vital Domains
The menTCS software distinguishes between the safe and the non-vital domain in order to save cost and time for application development and certification. This separation makes it possible to develop non-vital applications separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor running a standard Linux operating system.
The safe application runs in a safe kernel of the QNX real-time operating system and can be directly programmed with standard "C" language, offering POSIX compliant APIs.

Figure: Separation between Safe and Non-Vital Domains – Control Processor Domain 1 and 2 (RAM Disk, User's Safety Application, Process/Status Data, Debug Server, Net Support, PACY I/O Safety Layer, Network Servers, Berkeley Sockets, Telnetd, ftpd, IP Stack, MISC, BIT, SHMEM, WDOG, RAM, CP SYNC, Reset, IOP Transfer, StartupFlow, ROS, QNX Microkernel; CP1/CP2 synchronization via shared RAM) and I/O Domain ("Unsafe" Application, Diagnosis, Services, Driver Libraries, Linux (Soft Real-Time), External Interfaces)

Safe Application Interface
As menTCS is an open general-purpose hardware platform for different kinds of safe applications, the software programmer needs an interface to get full access to the control electronics. The PACY safety I/O framework provides easy and modular access to the safe I/O boards. PACY also includes a safe communication layer (Fail Safe over EtherCAT, FSoE).

Safe Communication
In order to guarantee appropriate communication between the safe controller and the safe I/O functions via real-time Ethernet, the black channel approach is applied. The requirements to transport safe data over untrusted communication are defined by EN 50159 and realized using the FSoE safe communication protocol (Fail Safe over EtherCAT).

Figure: menTCS Middleware Overview – Safe Domain (CPU Board): User Safety Application, Safety Communication Layer, Safety I/O Framework (PACY), Compare, Safe QNX/Safe BSP, Communication (Shared RAM, Virtual Ethernet); Black Channel to the Safe Domain (I/O Board): Safety Communication Layer

Safe Operating Systems
Without being influenced by non-vital applications, the safe applications are executed on two separated redundant control processors. Integrity tests ensuring the safe operation of each safe processor are provided by the safe operating system.
This architecture makes it possible to develop safe applications on a menTCS platform in combination with all market relevant safe operating systems. The standard version comes with QNX. PikeOS, VxWorks or Integrity are possible as well, but need to be developed for the customer individually.
Together with QNX, the menTCS CPU and I/O components come with pre-certified SIL 4 hardware/software bundles, accelerating time to market even further. In fact, the QNX "Neutrino" microkernel provides important safety-relevant features like memory protection, interprocess communication, or deterministic scheduling. It protects user processes from each other, so that processes can also have different SIL levels.
PACY I/O Framework

PACY is a process data application framework that makes the menTCS hardware transparent for the application. It handles the communication between the CPU together with custom-specific application software and the safe I/O cards. Being a transparent abstraction layer, PACY takes care of the execution of the application's commands, providing an API for "C" language programming. Developers can control the I/O through "C" language variables independently of the kind of I/Os that need to be controlled.

As a module-based framework PACY provides open interfaces to allow flexible extension by individual, custom-specific modules.

The FSoE protocol (Fail Safe over EtherCAT) integrated in PACY is responsible for the safe data transmission and protection of what is called the Black Channel. A SIL 4 certification according to EN 50128 will also be available for PACY, including the corresponding documents. PACY is configured by a tool to define the I/O configuration and mapping of the application variables to the I/O interfaces. It also allows running the same application with different I/O configurations.

Figure: PACY Operating Principle – Control Processor: Customer Safety Application, Process Data Variables, PACY (Config Data), Safe QNX and BSP (Scheduling, Process Separation, Process Communication, Integrity Checks, Networking); FSoE links to I/O boards K1#1, K1#2, K1#3 and Rel#1; SYNC Functions, Exchange Functions

Synchronization Service Functions

Synchronization service functions are part of the certified platform software and have SIL 4 quality according to EN 50128. The synchronization and comparison service function ensures that both safe processors use the same input data and verifies that the calculated output data is the same. Additionally, the application can use this service for temporal logical monitoring of the application program as required by EN 50129 for SIL 3 or 4 applications.

The following figure shows a representative safety application which is using synch services to synchronize the execution of the redundant architecture of the two control processors.

Figure: Synchronization of Control Processors 1 and 2 – both processors run the same cycle: Wait for next cycle to begin; SYNC TIME (1); SYNC (2); Get inputs; COMPARE (3); SYNC (4); Execute application logic; SYNC (5); SYNC (6); COMPARE (7); Write outputs part A (Control Processor 1) / Write outputs part B (Control Processor 2)

Real-Time Ethernet Communication

The communication inside the menTCS system – between the safe menTCS controller, safe I/O boards and safe remote I/O boxes – is based completely on a standardized safe real-time Ethernet, using EtherCAT and FSoE (Fail Safe over EtherCAT). Thus, the application can treat all I/O functions in the same way.

All remote I/O boxes are connected to the controller in a ring topology, which tolerates single failures. For example, in case of a broken cable, the system is still fully operational, as all I/O boxes can still be reached from the other end of the ring.

Figure: Communication with menTCS – menTCS Controller (F305 RT Ethernet / EtherCAT master, F75P safe CPU, safe I/O boards Kx: K1, K7, K2) connected over Safe Real-Time Ethernet in a ring to three menTCS Remote I/O boxes (K100 with K1, K7, K2 boards)
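To make the cycle from the "Synchronization Service Functions" section concrete, here is an added C model (constructed for this page, not MEN's platform code) of the two control processors comparing inputs, executing the same logic, comparing outputs and each writing one half of the outputs; the K2/K1 channel mapping, the safe state and the `cp2_fault` knob are assumptions of the example.

```c
/* Constructed model of the menTCS synchronization/comparison cycle.
 * Two redundant control processors (CP1, CP2) acquire inputs independently,
 * compare them, execute the same application logic, compare the results and
 * each write one half of the outputs. Any mismatch drives the safe state. */
#include <stdint.h>
#include <stdio.h>

/* Assumed safe state for the example: all K1 high-side outputs de-energized. */
#define SAFE_STATE 0x00u

/* Channels written by each processor ("Write outputs part A / part B"). */
#define PART_A_MASK 0x0Fu   /* CP1 writes output channels 0..3 */
#define PART_B_MASK 0xF0u   /* CP2 writes output channels 4..7 */

typedef enum {
    CYCLE_OK = 0,
    CYCLE_INPUT_MISMATCH,   /* COMPARE (3): input images differ */
    CYCLE_OUTPUT_MISMATCH   /* COMPARE (7): computed outputs differ */
} cycle_result_t;

/* Application logic, executed identically on both processors.
 * Constructed rule: K1 output channel i is energized only when both its
 * command input (K2 bit i) and its permissive input (K2 bit 8+i) are set. */
static uint8_t app_logic(uint16_t k2_inputs)
{
    uint8_t command    = (uint8_t)(k2_inputs & 0xFFu);
    uint8_t permissive = (uint8_t)(k2_inputs >> 8);
    return command & permissive;
}

/* One synchronized cycle.
 *   in_cp1, in_cp2  input images acquired by CP1 and CP2 ("Get inputs")
 *   cp2_fault       simulation knob: XORed into CP2's result to model a
 *                   fault in one processor (0 = fault-free)
 *   driven          value actually driven to the K1 board */
cycle_result_t run_cycle(uint16_t in_cp1, uint16_t in_cp2,
                         uint8_t cp2_fault, uint8_t *driven)
{
    /* SYNC TIME (1) / SYNC (2): both processors have reached "Get inputs". */

    /* COMPARE (3): both processors must work on identical input data. */
    if (in_cp1 != in_cp2) {
        *driven = SAFE_STATE;
        return CYCLE_INPUT_MISMATCH;
    }

    /* SYNC (4): execute the application logic on each processor, then
     * SYNC (5) / SYNC (6) before the result comparison. */
    uint8_t out_cp1 = app_logic(in_cp1);
    uint8_t out_cp2 = (uint8_t)(app_logic(in_cp2) ^ cp2_fault);

    /* COMPARE (7): the calculated output data must be the same. */
    if (out_cp1 != out_cp2) {
        *driven = SAFE_STATE;
        return CYCLE_OUTPUT_MISMATCH;
    }

    /* Write outputs part A (CP1) and part B (CP2): the board only receives
     * the full output image when both processors have produced it. */
    *driven = (uint8_t)((out_cp1 & PART_A_MASK) | (out_cp2 & PART_B_MASK));
    return CYCLE_OK;
}

int main(void)
{
    uint8_t driven;
    /* Constructed cycles: agreement, input divergence, CP2 output fault. */
    cycle_result_t r1 = run_cycle(0x0F0Fu, 0x0F0Fu, 0x00u, &driven);
    printf("cycle 1: result %d, K1 outputs 0x%02X\n", r1, driven);
    cycle_result_t r2 = run_cycle(0x0F0Fu, 0x0F0Eu, 0x00u, &driven);
    printf("cycle 2: result %d, K1 outputs 0x%02X\n", r2, driven);
    cycle_result_t r3 = run_cycle(0x0F0Fu, 0x0F0Fu, 0x10u, &driven);
    printf("cycle 3: result %d, K1 outputs 0x%02X\n", r3, driven);
    return 0;
}
```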
Synchronized Communication Service Functions

External systems communicating with the safe menTCS controllers via Ethernet using UDP or TCP see both processors as "one instance" using MEN's Y-COM service functions. Incoming frames are distributed to both safe domain processors by the Y-COM server running on the non-vital processor, whereas outbound frames are synchronized between both safe domain processors. The payload is mixed, meaning that each safe CPU generates a part of the outbound transmit frame, and the Y-COM server on the non-vital processor sends this frame to the external system.

Figure: Y-COM Communication – on each control processor: Safety Application, Safety Protocol, Y-COM API-LIB, Y-COM Server CP; Internal Ethernet to the Y-COM Server IOP on the non-vital processor; Ethernet UDP or TCP to the External System with its Safety Protocol

Linux Operating System

While the safe applications are executed on two separated redundant control processors, a third processor controls all non-vital applications. The operating system running on this third processor can be Linux or any of the known real-time operating systems. Being an open standard hardware platform, menTCS ideally uses Linux as the operating system based completely on open source technology. Linux is free, and is supported by a broad, community driven product offering. Installation of applications is easy, as is changing options, and it comes with security features.

Figure: Linux on menTCS – menTCS Hardware (F75P) with the Non-Vital Operating System (Linux; PikeOS, QNX, VxWorks, Integrity also shown), General Purpose User Software, Safety Application, PACY, Safety Protocol, Safe User Application in "C", ANSYS SCADE, PLC

Development Tools

As a general-purpose system being open to the final application, menTCS also supports a multitude of third-party development tools. Generally, C-code generating tools like SCADE or Simulink can be used to implement the application running on the safe processors.

Another development tool that could be used with menTCS is the Prover iLock suite which automates development of systems (CBI).

For the development of non-vital applications under Linux there is a package for the Yocto Project™ development environment available from MEN, including all relevant components to interact with menTCS.
menTCS SIL 4 Component Certification

TÜV Certificates for the Hardware together with QNX

menTCS is SIL 4 certifiable according to EN 5012x and comes with pre-certified hardware in combination with pre-certified
software and corresponding certificates from TÜV SÜD (German Technical Inspection Agency), drastically reducing the dura-
tion of the certification process.

As menTCS consists of a CPU board and a number of different I/O functions (boards) yet to be configured to the final appli-
cation, the certification packages are divided as well:

» 1 package for the redundant control processors of the F75P safe CPU board with QNX
» 1 basic package for the complete safe I/O board portfolio for QNX plus I/O board specific packages

Pre-certification of the menTCS hardware together with the QNX software has significant advantages:

» Saves time – no need to get your own safe BSP (or drivers) developed
» Saves cost – just purchase certification packages from MEN and QNX licenses from QNX
» Reduces risk – the QNX BSP comes together with the certification package from MEN

Beside the hardware/software bundle the certification packages include:

» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety and quality-relevant processes and measures to meet the safety requirements
» Assessment report and certificate from TÜV SÜD
» Support hours

Figure: Certification package contents – TÜV Certificate, TÜV Safety Assessment Report, Safety Case, Safety User Guide

TÜV Certificates for the Hardware without Operating System

In case that QNX is not the operating system of choice for the application, the certification packages for the F75P CPU board are also available without a board support package or driver software.

A menTCS hardware SIL 4 certification package for just the hardware also includes:
» Safety User Guide including the safety-relevant application requirements, a detailed description of the hardware and instructions for appropriate operation
» Safety Case describing the concepts for reaching functional safety as well as all safety and quality-relevant processes and measures to meet the SIL 4 requirements
» Assessment report and SIL 4 certificate from TÜV SÜD
» Support hours

Figure: Safe menTCS / QNX Bundle with SIL 4 Certification Packages – F75P with QNX BSP, I/O Board with QNX Drivers
menTCS Application Areas

Figure: Covering all Vital Train and Wayside Applications with menTCS – menTCS Controller and menTCS Remote I/O connected via Ethernet, Train Bus (MVB, CAN) and I/O Bus (CAN, Profibus) to Gear Control, Fuel Control, Wheelslip Control, Driver Display, Driver Cab Controls/Indicators, Brakes, Valves, Relays, Sensors…

Rolling Stock

menTCS is well suited for control of all safety-related functions in new train models as well as for refurbishment of trains. Thanks to its modularity, it is easy to install and retrofit automation functions in combination of menTCS with other parts of already existing train control equipment as well.

menTCS provides:
» Installation as the heart of the CBTC (Communication Based Train Control) system or the TCMS (Train Control Management System) for new trains
» Increase in efficiency of already existing ATO, ATP and ATS functions as the central computer
» Step-by-step replacement of older equipment, resulting in one standardized general-purpose platform for all safe applications
» Remote control sitting directly at the door, at the wheel, at the gear
» All-in-one safe control system and non-vital communication system – safely separated through strict partitioning
» Interfacing to all existing train communication with Ethernet and MVB, CAN bus etc.
» Interfacing to the driver cab display
» Interfacing to wireless communication with the outside world through GSM-R, GPS, WLAN etc.
» Decrease in life cycle cost through easy maintenance of standard components
» Longer operating life by using standardized technologies
» Reduction of dependence on single suppliers, resulting in a growing service offer

menTCS example application: ETCS EVC system, providing
» GSM-R communication
» ETCS application computer
» Fieldbus interfaces to other ETCS equipment (MVB, Profibus)
» Real-time Ethernet interfaces to train functions
» Control of train functions realized with remote I/O unit

Figure: menTCS as ETCS On Board Unit (OBU) – Control Center; Remote I/O; menTCS; Train Interfaces (MVB, Profibus, Balise, GSM-R, Ethernet); Eurobalise
Wayside

menTCS is well suited for control of CBI (Computer Based Interlocking), vital telemetry for train management, and wayside devices such as switches, signals, or level crossings. Being a modular platform, it can be used in new interlocking systems as well as for a soft modernization and automation of older relay interlockings. Existing outside facilities can be preserved and adapted. The extremely compact inside facility of an interlocking system is clearly separated and forms the safe platform (SIL) for the control and automation layer.

menTCS provides:
» Introduction of ETCS L2/L3 for optimization of safety and track load
» Halving of the resulting opportunity cost for relay interlocking systems
» Increase in performance of the interlocking systems
» Low cabling cost thanks to standardized Ethernet technology
» Avoidance of the costly total replacement by CBIs (incl. outside facilities)
» Installation of simpler, smaller and standardized inside facilities
» Longer operating life of the outside facilities
» Lower cost for the expansion of total capacities
» Decrease in life cycle cost through easy maintenance of standard components
» Reduction of dependence on single suppliers, resulting in a growing service offer

menTCS example application: New CBI system for railway and metro stations
» One CBI per station, requiring SIL 4
» Dual MH50C system, one in hot stand-by
» Each MH50C to control 1500 digital inputs and 600 digital outputs

Figure: menTCS as Interlocking Computer (CBI) – Centralized Traffic Control; Control Logic; CBI (redundant); Remote I/O; Relays; Actors & Sensors

menTCS Ecosystem

menTCS is a general purpose platform for safe train and wayside functions based on standard technologies – and as such open to the features and requirements of the final application. Several packages and services around menTCS help the customer to save cost and speed up time-to-market.

Figure: menTCS Ecosystem – Safe Applications (Customer) and General Purpose Applications (Customer) on top of Application Development (PACY Safe I/O Framework, Yocto Project Development), Vital Operating System, Non-Vital Operating System and the menTCS Train Control System

As an embedded systems solution provider to the railway industry MEN delivers especially computer hardware with adapted BSPs and drivers:
» menTCS hardware installation in a modular configuration tailored to the application
» QNX safe operating system and turnkey Linux
» Safety certification documents

Understanding the requirements of the application programmer, MEN delivers middleware and tools:
» PACY safe I/O framework and service functions
» Non-vital service and configuration tools

Understanding the requirements of the final use case, MEN provides consultancy and recommends approved partner products:
» MEN product support, training and in-depth documentation
» C-code generating Simulink from MathWorks
» Tool suite for development of computerized interlocking systems from Prover
» In-house approved design tools like SCADE, Yocto Project™
menTCS Benefits Summary

Open Safe Platform

Different safety functions with different SIL levels on one platform
» Safety execution with 2 redundant processors
» 1 general purpose processor

Processor redundancy: Provides safety by means of 2 control processors on a single CPU board
» Independent supervisors for each block

Safe modular I/O: Covers all application-specific requirements

Safe API (Application Interface)
» POSIX compliant
» "C" programming language

QNX real-time operating system: Partitioning of the application for different safety levels

SIL 4 from the beginning: No workarounds or compromises necessary

» Same platform for wayside and rolling stock: Reduces learning efforts
» menTCS family concept: Future-proof computer solution providing the same functionality without limitation in time
» Use of open standards: Independence from single supplier, small learning curve

Open Hardware

Standard PC hardware architecture: Reduces hardware cost and obsolescence risk
» x86 host controller
» Main controller with Intel CPU board architecture

3U 19" CompactPCI: Robust industry-proven backplane and computer board standard

I/O with spring-cage terminal blocks: Makes connection easy and reduces cabling

14.4 to 154 V DC wide-range PSU: International railway compliance with just one device

Remote I/O boxes: Provides less cabling, improved signal quality and a huge number of I/Os

Open Non-Vital Extension

Linux operating system: Development of non-vital functions in a standard software environment
» Standard open source software interfaces: Flexible and easy installation of applications

Standards Compliance

EN 50155 & EN 50121-4: Fully proven for rolling-stock and wayside railway environments

EN 50126/128/129 (based on IEC 61508): Developed for functional safety from SIL 0 to SIL 4

SIL 4 certification packages with TÜV SÜD certificate: Modular hardware/software packages make certification of the final application easy and fast
» Pre-certified hardware and software compliant to railway standards: Low certification risk, fast time-to-market, customer can concentrate on the application

Open Communication

Ethernet communication
» Makes use of standard cabling and line interfaces, easily connects to standard Ethernet communication devices
» Connects main control system and remote I/O boxes

Real-time Ethernet communication: Guarantees deterministic behavior on a standard communication protocol

EtherCAT based I/O with safety layer FSoE: Safe, fast and deterministic I/O

Railway fieldbuses: Connection to existing train networks and devices via MVB, CAN, Profinet, etc.

WLAN, radio, GPS, RS485: Connection to all popular in-vehicle and external communication interfaces

No proprietary end application: The application is the customer's value add to differentiate from other market players
» Open communication extensions: Integration of menTCS in any existing railway application

Services

Long-term availability
» Delivery of identical menTCS boards per project: 10 years
» Technical support per project: 25 years
» Delivery of menTCS functionality: unlimited in time

Life-cycle management: Secures overall operability of the application when single components need to be substituted
» Development and environmental test services

Expertise in embedded railway solutions
» Worldwide sales support and consultancy
» Evaluating and understanding the application
» Your Project? Rely on us!

www.duagon.com

MEN is a member of:

» AMD Fusion Partner Program
» ARINC (Aeronautical Radio Incorporated)
» BavAIRia (Cluster for innovative aerospace technology in Bavaria)
» CNA (Center for Transportation & Logistics Neuer Adler e.V.)
» Intel® IoT Solutions Alliance
» NXP Design Alliance
» Open Source Automation Development Lab (OSADL)
» PCI-SIG (Peripheral Component Interconnect Special Interest Group)
» PICMG (PCI Industrial Computer Manufacturers Group)
» RSSI (Railway Systems Suppliers, Inc. Trade Association)
» UNIFE (Union des Industries Ferroviaires Européennes)
» USB-IF (Universal Serial Bus Implementers Forum, Inc.)
» Wind River (Partner Eco System)
» ZVEI (German Electrical and Electronic Manufacturers Association)

www.men.de
www.men-deutschland.de
www.men-france.fr
www.menmicro.com
www.men-china.cn

355713 AS0016D ISO/TS 22163:2017

Issue 6.0, August 2019


Copyright © MEN Mikro Elektronik GmbH
All rights reserved.
