Moving safely towards IP for signalling

Author: Joao Martins
Day: Aspect Day One
Session: Standardisation

In the railway industry, the trackside equipment represents an
important layer for signalling solutions, the one responsible for the
interaction with the physical world, i.e., lightning a lamp to show a
proceed aspect or to detect a train within an area. The interface with
this layer is changing, as electrical interfaces are being replaced by IP
protocol interfaces. In fact, hardware interfaces are being replaced by
software interfaces. This replacement is mainly explained by the
efficiency of software systems regarding data exchange, due to their
high integration, flexibility, and scalable capability to handle large
amounts of data. The efficiency in (Big) data collection provided by
communication protocols is essential when predictive maintenance
systems are evolving fast with the goal to reduce maintenance costs
and increase the systems life-cycle and resilience. Also, when an
increase in the interoperability is required to improve the performance
and reduce the development costs of railway systems, software
communication protocols play an important role. The introduction of
communication protocols to exchange safety-related data raises new
challenges concerning safety and security aspects, in order to ensure
data integrity and authenticity, respectively. The EN 50159 identifies
the threats that a transmission system is subjected to, as well as
defence strategies for those threats in the attempt of tackling safety
and security issues. Regarding RAM (Reliability, Availability and
Maintainability) even though they were not addressed by EN 50159
they should also be re-evaluated with this new type of interface in
mind. Despite the mentioned challenges, there are already examples
of communication protocols being successfully used by trackside
equipment to exchange safety-related data. However, there is still no
consensual standard protocol despite the effort of projects like
EULYNX. Therefore, a new set of communication protocols have been
emerging, pushed by the appearance of new IP interfaced equipment.
The new vague of safety communication protocols entails also a
challenge to system integrators: the implementation of these
protocols. Thus, this paper presents an approach for the development
of safety protocols intended to be compliant with EN 50128 for SIL 4
systems. The approach follows a modelbased development process,
targeting the creation of a formal model with the aim to assess the
protocols safety properties. In order to reduce unnecessary complexity
and (consequently) improve the probabilities of a successful formal
verification process, only the safety functions should be considered for
the model creation. The remaining functions (ex: socket management)
should only be added in the final target system. An implementation of
the safety protocol FSE (Frauscher Safe Ethernet) will be used as an
example, following the proposed approach in order to validate it
against an already certified safety protocol for category 2 according EN
50159. In sum, while demonstrating the power of the modelling
process, this paper also illustrates the importance of conducting formal
proofs to ensure the safety properties of protocols, with the reuse of
these properties in mind since most of the safety mechanisms
provided by protocols are the same.