ECE/BaS June 2014 - page 18

When failure can result in damage to the environment, significant property destruction or even loss of life, the application requires an embedded safety-critical system. In railway applications, no margin of error is tolerable; there is no opportunity to “tweak” improvements on the fly or to allow for unanticipated problems. The three major contributors to unacceptably dangerous outcomes in railway embedded control systems include: component failure; system imbalances; and human error. Fortunately, designers have an arsenal of established standards and guidelines they can use to greatly reduce the odds of a system failure that can result in catastrophic damages. By employing a methodical, verified and documented series of processes that span the full scope of product development and implementation, the chances of having a reliable system with functional safety are much greater.
The railway market is an important area for these types of systems. The world market in the transportation industry is estimated at $200 billion, with an annual growth rate of 2% to 3%. A global initiative driving new opportunities within the rail industry is automated train control (ATC) and operation on-train and wayside. In turn, the key driver for ATC is increased safety for trains and increased comfort for passengers. More specifically, opportunities exist in new technologies for signaling systems and safety-critical sub-segments. These opportunities are evolving in Europe, USA, Australia, China and Russia.
An example of ATC in the US is positive train control (PTC), which is technology that prevents train-to-train collisions. PTC is being driven by the Rail Safety Improvement Act of 2008 (RSIA). The act has mandated widespread installation of PTC systems on freight rail by 2015. A comparable scenario is unfolding in Europe spurred by the European Rail Traffic Management System (ERTMS). The European Union aims to enhance cross-border interoperability and signaling procurement by creating a single European standard for train control and command systems. Transportation safety in other areas of the world is developing as well. China has an initiative similar to that of the US and Europe – the Chinese Train Control System (CTCS). With over 90,000 km of rail in China, this is a huge growth opportunity for suppliers of safety- and mission-critical systems. The infrastructure that needs to be built out for each of these initiatives is immense, and communications cannot be halted, even for a minute, if passenger safety is to be ensured. As these rail systems grow in use as well as in speed, each system will need to know exactly where each train is, how each is operating, and what state it is in.
A general standard, IEC 61508 by the International Electrotechnical Commission, covers functional safety in electronic systems. It defines the Safety Integrity Levels SIL 1 up to SIL 4. Manufacturers are obliged to find out the necessary SIL for safety-relevant systems or functions by carrying out a hazard and risk analysis. The SIL gives the measure for the effectiveness of a safety function and is expressed by the probability of failure of this function. Different scenarios match a defined scale of numerical values. Several bodies have added specific standards for the varying industries and applications. For railways, the European Committee for
Triple redundant single-board computer based on three PowerPC 750 CPUs

BOARDS & MODULES

By Susanne Bornschlegl, MEN

This article introduces triple redundant single-board computers based on three PowerPC 750 CPUs operating in lockstep architecture. Compared to solutions using three individual CPU boards, the one-card approach is much more compact and reduces both software overhead and power consumption.
Figure 1. Triple-redundant system: two out of three subsystems must operate correctly.
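As an added illustration of the two-out-of-three principle in Figure 1 (example code, not the article's or MEN's own), the following voter compares the outputs of three lockstep lanes, flags whichever lane disagrees, and evaluates the closed-form reliability of a 2oo3 arrangement; the lane values and the per-lane reliability figures are constructed.

```c
/* Added example (not the article's or MEN's code): 2-out-of-3 majority voter
 * with lane-fault reporting, plus closed-form 2oo3 reliability. Constructed data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_LANES 3
typedef struct {
    uint32_t value;      /* agreed output, valid only when ok is true */
    bool     ok;         /* at least two lanes agreed */
    uint8_t  fault_mask; /* bit i set: lane i disagreed with the majority */
} vote_result_t;

/* Compare the outputs of three lanes that executed the same step in lockstep.
 * One disagreeing lane is outvoted and flagged; if all three differ there is
 * no majority and the output must be treated as unsafe. */
vote_result_t vote_2oo3(const uint32_t lane[NUM_LANES])
{
    vote_result_t r = { 0, false, 0 };
    if (lane[0] == lane[1]) {               /* majority is lanes 0 and 1 */
        r.value = lane[0]; r.ok = true;
        if (lane[2] != r.value) r.fault_mask |= 1u << 2;
    } else if (lane[0] == lane[2]) {        /* lane 1 is the odd one out */
        r.value = lane[0]; r.ok = true; r.fault_mask |= 1u << 1;
    } else if (lane[1] == lane[2]) {        /* lane 0 is the odd one out */
        r.value = lane[1]; r.ok = true; r.fault_mask |= 1u << 0;
    } else {
        r.fault_mask = 0x7;                 /* three-way split: all lanes suspect */
    }
    return r;
}

vote_result_t vote3(uint32_t a, uint32_t b, uint32_t c)   /* scalar wrapper */
{
    uint32_t lane[NUM_LANES] = { a, b, c };
    return vote_2oo3(lane);
}

/* Probability that at least two of three independent lanes are correct when
 * each is correct with probability p (no repair): 3p^2 - 2p^3.
 * Caveat: this only beats a single lane when p > 0.5. */
double reliability_2oo3(double p) { return 3.0 * p * p - 2.0 * p * p * p; }

int main(void)
{
    vote_result_t r = vote3(0x1234, 0x1234, 0xFFFF); /* constructed: lane 2 faulty */
    printf("value=0x%x ok=%d faults=0x%x  R(0.99)=%.6f\n",
           (unsigned)r.value, (int)r.ok, (unsigned)r.fault_mask, reliability_2oo3(0.99));
    return 0;
}
```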