Moving safely towards IP for signalling

Author: Joao Martins
Day: Aspect Day One
Session: Standardisation

In the railway industry, the trackside equipment represents an important layer for signalling solutions, the one responsible for the interaction with the physical world, i.e., lightning a lamp to show a proceed aspect or to detect a train within an area. The interface with this layer is changing, as electrical interfaces are being replaced by IP protocol interfaces. In fact, hardware interfaces are being replaced by software interfaces. This replacement is mainly explained by the efficiency of software systems regarding data exchange, due to their high integration, flexibility, and scalable capability to handle large amounts of data. The efficiency in (Big) data collection provided by communication protocols is essential when predictive maintenance systems are evolving fast with the goal to reduce maintenance costs and increase the systems life-cycle and resilience. Also, when an increase in the interoperability is required to improve the performance and reduce the development costs of railway systems, software communication protocols play an important role. The introduction of communication protocols to exchange safety-related data raises new challenges concerning safety and security aspects, in order to ensure data integrity and authenticity, respectively. The EN 50159 identifies the threats that a transmission system is subjected to, as well as defence strategies for those threats in the attempt of tackling safety and security issues. Regarding RAM (Reliability, Availability and Maintainability) even though they were not addressed by EN 50159 they should also be re-evaluated with this new type of interface in mind. Despite the mentioned challenges, there are already examples of communication protocols being successfully used by trackside equipment to exchange safety-related data. However, there is still no consensual standard protocol despite the effort of projects like EULYNX. Therefore, a new set of communication protocols have been emerging, pushed by the appearance of new IP interfaced equipment. The new vague of safety communication protocols entails also a challenge to system integrators: the implementation of these protocols. Thus, this paper presents an approach for the development of safety protocols intended to be compliant with EN 50128 for SIL 4 systems. The approach follows a modelbased development process, targeting the creation of a formal model with the aim to assess the protocols safety properties. In order to reduce unnecessary complexity and (consequently) improve the probabilities of a successful formal verification process, only the safety functions should be considered for the model creation. The remaining functions (ex: socket management) should only be added in the final target system. An implementation of the safety protocol FSE (Frauscher Safe Ethernet) will be used as an example, following the proposed approach in order to validate it against an already certified safety protocol for category 2 according EN
50159. In sum, while demonstrating the power of the modelling process, this paper also illustrates the importance of conducting formal proofs to ensure the safety properties of protocols, with the reuse of these properties in mind since most of the safety mechanisms provided by protocols are the same.