ECE/BaS June 2014 - page 20

monitors the output of the three components. If there is a problem with one of the systems, the voter will isolate it and the other two will continue operating.

A drawback of this design is the complexity such a system requires. It is imperative that all three CPUs be synchronized and have the capability to communicate with each other. This is a major challenge from a software development perspective, but one that can be overcome with the proper technical resources to rely on.

In some critical applications, availability defines safety, while in railway systems specifically, availability does not necessarily influence safety. Whereas a train can be stopped when the control system fails, for an airplane, this is not an option. A train that is at rest (that is, not available) is in a safe state. Which exact behavior is required for a specific function depends heavily on the application. This even goes for the definition of “safe”, as we have seen.

When implementing redundancy you need to consider that identical subsystems can fail simultaneously because they are vulnerable to Common Mode Failures (CMF, failures with a uniform behavior) and Common Cause Failures (CCF, failures that occur by one common cause). You can counter this by building in differences, so that a single fault does not result in the corresponding failure of multiple components and ultimately the system. This principle is called diversity.

For instance, common mode failures, such as an electrostatic discharge, can disturb identical outputs, resulting in failure. Another example is a shared power supply or shared memory device that can affect redundant processor outputs. When the shared resource fails, all of the redundant CPUs could be prevented from performing their intended function. A system architecture using two independent CPUs, independent clocks and independent power supplies can still share a common memory as long as it is secured by a checksum or an error correcting code (ECC) function. Using two different physical implementations of a binary output, instead of two identical types, can improve reliability. Diversity can also be achieved through the use of varying software. For instance, you can run different, independently designed software applications on the redundant subsystems.

A system with built-in triple redundancy is an innovative architecture that offers an alternative to classic configurations. It contains three processors and three memory ranks running in lockstep mode. All are monitored by a voter contained within a field programmable gate array (FPGA). Should CPU 2 fail, the voter isolates it, puts it into reset mode permanently and indicates this to the software. The voter then switches to “compare” mode in which only the outputs of the remaining two processors are compared. The system is still fully functional; however, a fault in either CPU 1 or CPU 3 would be fatal to the system. Even diversity is possible on one single board: memory management of the PowerPC processors in the MEN design allows partitioning the resources, which is in turn supported by real-time operating systems like PikeOS. The partitions are assigned specific memory areas. The applications and tasks being executed within the partitions can be completely different.

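The voter behaviour described above, modelled in software as an added example (this is not the FPGA logic of the MEN design and not code from the article). The type and function names are hypothetical, CPUs 1 to 3 are indices 0 to 2, and stopping when no two outputs agree is an assumption based on the article's point that a train at rest is in a safe state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Voter states: 2-out-of-3 voting, degraded two-channel compare, stopped. */
enum voter_mode { MODE_TMR, MODE_COMPARE, MODE_FAILED };
struct voter {
    enum voter_mode mode;
    int isolated; /* index 0..2 of the CPU held in reset, -1 if none */
};

void voter_init(struct voter *v) { v->mode = MODE_TMR; v->isolated = -1; }

/* Feed one lockstep cycle of outputs. Returns true and sets *result when a
 * trusted value exists; false means the voter is in the fail-stop state. */
bool voter_step(struct voter *v, const uint32_t out[3], uint32_t *result)
{
    if (v->mode == MODE_TMR) {
        bool ab = out[0] == out[1], ac = out[0] == out[2], bc = out[1] == out[2];
        if (ab && ac) { *result = out[0]; return true; }
        if (ab)      v->isolated = 2;   /* the odd one out is isolated */
        else if (ac) v->isolated = 1;
        else if (bc) v->isolated = 0;
        else { v->mode = MODE_FAILED; return false; } /* no majority: assumed fail-stop */
        v->mode = MODE_COMPARE;         /* permanent: never rejoins the vote */
        *result = out[(v->isolated + 1) % 3];
        return true;
    }
    if (v->mode == MODE_COMPARE) {
        int a = (v->isolated + 1) % 3, b = (v->isolated + 2) % 3;
        if (out[a] == out[b]) { *result = out[a]; return true; }
        v->mode = MODE_FAILED;          /* cannot tell which channel is wrong */
    }
    return false;
}

int main(void)
{
    /* Constructed sample cycles: CPU 2 (index 1) faults, later CPU 3 does. */
    const uint32_t cycles[4][3] = { {7,7,7}, {9,1,9}, {4,99,4}, {5,5,6} };
    struct voter v;
    uint32_t r = 0;
    voter_init(&v);
    for (int i = 0; i < 4; i++) {
        bool ok = voter_step(&v, cycles[i], &r);
        printf("cycle %d: ok=%d value=%u mode=%d\n", i, ok, (unsigned)r, v.mode);
    }
    return 0;
}
```

In compare mode the isolated channel's output is ignored entirely, so the third constructed cycle still yields a trusted value while the fourth, a single further mismatch, stops the system.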
The value of contracting with a supplier experienced in mission-critical applications cannot be overstated. Manufacturers with a history of success in key areas of safety-critical design and implementation will have the most expeditious and cost-effective outcome. Better still that they should have demonstrated experience in related industry standards such as requirement tracing, code-rule checking for software and FPGA development, risk management, component obsolescence management, qualification, or for example IRIS quality management dedicated to the railway industry. Although the number of qualified vendors decreases as the sophistication and critical nature of the application rises, they do exist. The protection of human life and the avoidance of catastrophic events must be paramount in the computing systems used throughout safety-critical applications. Systems must function reliably and communicate effectively – and nowhere is this truer than in the growing railway market.

BOARDS & MODULES

ADLINK: 40G ATCA switch blade for bandwidth-demanding applications
ADLINK announces the availability of its new 40G AdvancedTCA switch blade, the aTCA-3710, featuring a Broadcom BCM56846 10/40 GbE Fabric Interface Switch, Broadcom BCM56334 24-port GbE Base Interface Switch and Freescale QorIQ P2041 quad-core Local Management Processor. The aTCA-3710 provides fourteen 10 GbE SFP+ uplink ports and supports a total of 640 Gb/s bandwidth for use in 14-slot 40G ATCA shelves.

Advantech: industrial-grade Mini-ITX motherboard with 4th gen Intel Core processor
Advantech introduced AIMB-203, a new industrial-grade Mini-ITX motherboard based on the 4th generation Intel Core i7/5/3 with H81 chipset, resulting in lower power consumption and better graphics performance. Designed with a rich variety of I/O functions, AIMB-203 is ideal for a multitude of applications such as ATM/Kiosks, automation, medical equipment, gaming machines etc. With the preloaded remote management software SUSIAccess, AIMB-203 not only saves development cost but also enhances system management efficiency.

Artesyn: ATCA system management software accelerates integration of complex systems
Artesyn Embedded Technologies announced a new software solution for its ATCA systems, which Artesyn believes could save up to 40 percent of customers’ time-to-market. System Services Framework (SSF) is a complete system management suite for Artesyn ATCA systems, allowing users or applications to configure and monitor the hardware and software elements of a single ATCA shelf or across multiple shelves.

MSC: intelligent starter kit for high-end COM Express modules
MSC Technologies presents the ready-to-use starter kit MSC C6-SK-8S-T6T2 for the instant operation and evaluation of its MSC C6B-8S COM Express Type 6 module family based on 4th generation Intel Core processors. The starter kit contains a baseboard, a heat sink with fan and two 4GB DDR3L SO-DIMM memory modules. Designers are free to choose any COM Express module from MSC Technologies’ MSC C6B-8S product family.

AAEON: mini-ITX industrial boards with 4th Gen Intel Core processors
AAEON announces the release of three new Mini-ITX industrial boards: EMB-QM87A, EMB-CV2, which are designed to fulfill the growing needs of NVR and industry automation markets, and EMB-Q87A, designed for AIO and digital signage applications. The EMB-QM87A is a Mini-ITX form factor board featuring a 4th generation Intel Core i7/i5 processor and the mobile Intel QM87 Express chipset. It supports two DDR3L 1333/1600 SODIMMs with a maximum of 16GB memory.

Product News