COTS Size Does Matter - PowerPoint PPT Presentation

About This Presentation
Title:

COTS Size Does Matter

Description:

Emergence of rail industry 'fail-safe' COTS processor based products ... Rail industry standards and regulatory requirements now usually require such ...

Slides: 26
Provided by: nickp3

Transcript and Presenter's Notes

1
COTS Size Does Matter
2
Why COTS?
  • The case for COTS
    • It costs money to keep re-inventing the wheel
    • Technology development costs are becoming
      uneconomic for one-off, low-volume novel
      applications
    • Commercial investment cases tend to rely on the
      ability to amortise development costs
    • Technology is evolving at an ever-increasing rate
    • Staying current, or being able to maintain
      one-off, low-volume applications, can incur a
      large organisational overhead
  • The case against COTS: COTS products
    • Contain unwanted functionality or features
    • Usually do not contain all the required
      functionality or features
    • Have limitations that are not usually disclosed
    • Evolve as market forces dictate
    • Do not guarantee backward compatibility or
      supportability
    • Can be difficult and costly to justify for the
      intended application
    • Time and cost may strongly influence the extent
      of reliance on claimed certifications

3
Axle Counter Case Study
  • Introduction
    • Background reason for processor-based axle
      counter technology
    • The intended application
  • Development and Implementation: 1987 Version
    • Architecture
    • Safety issues and resolution
  • Product Evolution 1987 to late 1990s
  • Current Technology
    • Architecture
    • Certification
    • Safety issues and resolution
  • Conclusions

4
Coal Train - 2 km, 10 000 tons, 52.5 MW
locomotives, 25 kV, 50 Hz
5
Why consider axle counters?
  • Track circuit technology is not practical for long
    sections of track on a heavy-haul electrified
    railway; the length is limited by electric traction
    considerations:
    • Need to guarantee train detection in the presence
      of high traction current in the rails
    • Need to ensure the safety of track workers by
      regularly tying the rail and traction system
      structures together and to Earth to keep touch
      potentials at a safe level
  • Limiting the usable length requires many more
    track circuits, with higher capital and maintenance
    costs
  • Track circuits necessitate line-side control and
    power distribution cabling, which also requires
    design to control the influence of the traction
    system for both system safety and worker safety
  • Axle counters do not have these issues (they do,
    however, have others)

6
Axle Counter Technology prior to the 1980s
[Diagram: a monitored section of track between two WDE (length limited
by voltage drop and electrical interference); each WDE is connected by a
buried or aerial line-side cable to the Evaluator, which has Inhibit and
Reset inputs and a Track Status output.]
Limitations: the train is not continuously detected; it is only detected
when going in and when going out. Assumes one train at a time and that it
travels through. Safety issues in the use of the Inhibit and Reset features.
Legend:
  • WDE: Wheel Detection Equipment
  • Evaluator: discrete electronic counter; zero count -> track clear status
  • Reset: input which resets the axle counter to zero count (if the last
    wheel was detected leaving)
  • Inhibit: prevents undesired wheel detections, e.g. track maintenance
    vehicles, electrical interference
7
Processor technology in rail, early 1980s
  • Emergence of rail industry "fail-safe" COTS
    processor-based products:
    • Signal interlocking systems
    • Axle counter systems
    • Block data transmission systems
  • Safety-related system concepts and standards were
    embryonic compared to today

8
Axle Counter QR Application
  • Proving that a section of track is not occupied by a
    train is not sufficient to allow a train to
    proceed.
  • It is also necessary to know that a vacant section
    of track has not been allocated to a train.
  • For a train to depart Station A from Signal 16, it is
    necessary to prove 27A, 16A, 16B, Block Track, 25B and
    25A clear, and Station A signals 18 and 27 and
    Station B signals 23 and 25 all at STOP.
  • The status of the elements at Station B is
    conveyed to the signal interlocking at Station A
    via the UP Block function. (For a train
    travelling from Station B to Station A, this
    would be the Down Block function.)

9
System Requirements: QR Axle Counter Application
  • Axle counting function with the remote wheel
    detector connected to the evaluation unit via a
    voice frequency channel.
  • Integrated block data transmission for the UP
    Block and Down Block functions via the same
    voice frequency channel.
  • An Inhibit function to discriminate the trains
    required to be detected from those that are not.
  • A Reset function (to recover from system
    failure).
  • No such product existed at the time.
  • QR initiated the development of the integrated
    axle counter and block data transmission product.

10
Axle Counter System 1987 Version: System Architecture
  • Both Evaluator and Recording Point are
    implemented using a 2oo2 (two-out-of-two) dual-channel
    configuration
  • Only the Evaluator determines the status of TVDS A

11
Axle Counter System 1987 Version: Safety Issues
  • System development occurred in Germany; there
    was no QR participation prior to manufacture of
    the pre-production unit.
  • The pre-production unit delivered for QR approval
    contained all the features requested.
  • QR identified what they considered to be serious
    safety issues in relation to the system's User
    Defined I/O, Inhibit Input and Data Transmission.

12
Axle Counter System 1987 Version: Safety Issues,
User Defined I/O
  • Input Interface
    • Each input consists of two opto-isolator devices,
      one for each Channel, both fed from the same
      source.
    • There is no diversity: the opto-isolator devices
      are the same for each Channel.
    • There is no testing of the inputs; it is
      possible for both optos to fail in the
      permissive state and for the failure not to be
      detected.
  • Output Interface
    • Each output consists of voltage-free relay
      contacts, one relay for each Channel.
    • The relays used, although of high quality, are
      not intrinsically safe.

13
Axle Counter System 1987 Version: Safety Issues,
Inhibit Input
  • The Inhibit Input has the same opto-isolator
    arrangement as the user defined inputs and is not
    tested.
  • Whilst it was made clear that using the Inhibit
    function had safety implications, this implied
    that there were no safety issues if it was not
    used.
  • However, the Inhibit opto-isolators could still
    fail in the "Inhibit on" state, suppressing wheel
    detections even though no inhibit was requested.

14
Axle Counter System 1987 Version: Safety Issues,
Data Transmission
  • The only defence to ensure that an Evaluator is
    communicating with the right Recording Point is
    an 8-bit Address.
  • QR operates a closed communications system
    without store and forward; however, VF channels
    are derived channels on a digital communications
    network and so can be routed many ways.
  • It is therefore quite possible for an Evaluator
    to be inadvertently connected to the wrong
    Recording Point.

15
Axle Counter System 1987 Version: Safety Issues,
Solutions
  • Input Proving: reconfigure the system such that
    the system has a local output for each input.
  • This allows comparison of the input state with
    what the axle counter system thinks the input
    state is, via an external Shut Down function;
    any disagreement results in the shut down of the
    Evaluator/Recording Point.
  • Output Proving: compare each Channel output
    using the external Shut Down function.
  • Inhibit Proving: configure the signal
    interlocking to prove that the axle counter has
    entered the restricted state when it should have,
    and to prevent further train movements if it has
    not.
  • Data Transmission: ensure that all systems on
    the QR network have a unique address; this limits
    the number of systems to 61.
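The following is an added worked example, not code from the presentation or the product, that models the 2oo2 user-defined input interface of slide 12 and the input and output proving of slide 15. The component classes, the two fault modes (an opto-isolator stuck in the permissive state, a relay contact welded closed) and the assumption that the external Shut Down function sees the real input source on an independent wire are all modelling choices made here; the product's actual circuitry is not described on the page.

```python
# Added model of the 2oo2 I/O interface (slide 12) and the external proving
# scheme (slide 15).  Not the product's firmware: component names, fault
# modes and the wiring of the Shut Down function are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

PERMISSIVE = True     # input energised / contact closed: "safe to proceed"
RESTRICTIVE = False   # input de-energised / contact open


@dataclass
class Opto:
    """One opto-isolator.  Assumed fault: stuck permissive, which the slides
    note goes undetected because the inputs are never tested."""
    stuck_permissive: bool = False

    def read(self, source: bool) -> bool:
        return PERMISSIVE if self.stuck_permissive else source


@dataclass
class Relay:
    """Voltage-free output contact of one Channel.  Assumed fault for a relay
    that is not intrinsically safe: contact welded closed."""
    welded_closed: bool = False

    def contact(self, drive: bool) -> bool:
        return PERMISSIVE if self.welded_closed else drive


@dataclass
class Channel:
    opto: Opto = field(default_factory=Opto)
    relay: Relay = field(default_factory=Relay)

    def sample(self, source: bool) -> bool:
        """What this Channel believes the user-defined input is."""
        return self.opto.read(source)

    def output(self, section_clear: bool) -> bool:
        """This Channel's relay contact for the track status output."""
        return self.relay.contact(section_clear)


def two_oo_two(ch1: Channel, ch2: Channel, source: bool) -> Tuple[bool, bool]:
    """2oo2 reading of one input: both Channels read the same source through
    identical optos.  Returns (agreed_value, channels_disagree); the value is
    permissive only when both Channels say so."""
    a, b = ch1.sample(source), ch2.sample(source)
    return (a and b), (a != b)


def external_shutdown(source: bool, local_outputs: List[bool],
                      channel_outputs: List[bool]) -> bool:
    """External Shut Down function (slide 15).  Assumptions: it sees the real
    input source independently of the optos, plus one local output per
    Channel echoing what that Channel thinks the input is.  Input proving:
    any echo that disagrees with the source trips it.  Output proving: the
    two Channels' relay contacts must agree.  True means shut down."""
    input_disagree = any(echo != source for echo in local_outputs)
    output_disagree = len(set(channel_outputs)) > 1
    return input_disagree or output_disagree


def latent_input_fault_undetected() -> Tuple[bool, bool]:
    """Slide 12: both optos fail permissive while the source is restrictive.
    The Channels agree, so 2oo2 reports a permissive input and no
    disagreement: the fault is invisible."""
    ch1 = Channel(opto=Opto(stuck_permissive=True))
    ch2 = Channel(opto=Opto(stuck_permissive=True))
    return two_oo_two(ch1, ch2, RESTRICTIVE)


def input_proving_detects_fault() -> bool:
    """Same fault with the slide-15 reconfiguration: each Channel's local
    output is compared with the real source by the Shut Down function."""
    source = RESTRICTIVE
    ch1 = Channel(opto=Opto(stuck_permissive=True))
    ch2 = Channel(opto=Opto(stuck_permissive=True))
    local = [ch1.sample(source), ch2.sample(source)]
    outputs = [ch1.output(RESTRICTIVE), ch2.output(RESTRICTIVE)]
    return external_shutdown(source, local, outputs)


def output_proving_detects_fault() -> bool:
    """Healthy inputs, but Channel 2's relay is welded closed: the Channel
    outputs disagree, so the Shut Down function trips."""
    source = PERMISSIVE
    ch1, ch2 = Channel(), Channel(relay=Relay(welded_closed=True))
    local = [ch1.sample(source), ch2.sample(source)]
    outputs = [ch1.output(RESTRICTIVE), ch2.output(RESTRICTIVE)]
    return external_shutdown(source, local, outputs)


def healthy_system_runs() -> bool:
    """No faults: the Shut Down function must not trip."""
    source = PERMISSIVE
    ch1, ch2 = Channel(), Channel()
    local = [ch1.sample(source), ch2.sample(source)]
    outputs = [ch1.output(PERMISSIVE), ch2.output(PERMISSIVE)]
    return external_shutdown(source, local, outputs)
```

The point the model makes is the one the slide makes: two identical, untested optos reading one source give no independent evidence about that source, so a common-mode permissive failure passes the 2oo2 comparison. Proving works only because the Shut Down function is given a second, independent view of the input (and of each Channel's output) to compare against.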

16
Product Evolution 1987 to 1997
  • In 1989, QR purchased more axle counter systems.
  • Post-delivery testing revealed that the system
    functionality had changed: the user defined
    input proving feature had been removed.
  • Not a big problem, as the new hardware was
    backward compatible with the 1987 QR version
    firmware.
  • The removal of the user defined input proving
    feature was done to double the I/O capacity and
    give the product greater application flexibility.
  • There was, however, no compensating change to the
    product to improve the integrity of the user
    defined inputs.
  • The product was discontinued in 1997 and support
    ceased this year (2004).

17
Axle Counter System Current Version: System Architecture
  • Similar concept to the 1987 QR version (2oo2 dual-
    channel architecture); however, the hardware and
    firmware are incompatible (except for the WDE).
  • Both EC 1 and EC 2 independently determine the
    status of TVDS A.
  • Greater User Defined I/O, capable of supporting
    more WDE, capable of monitoring more than one
    section of track, supports several Reset
    options, and has no Inhibit function.
  • QR had no involvement in the development of the
    product.

18
Axle Counter System Current Version: Product Certification
  • Rail industry standards and regulatory
    requirements now usually require such products to
    be certified for use.
  • The supplier claims the product has been
    certified by the Eisenbahn-Bundesamt (the German
    Federal Railway Authority).
  • Approval is in accordance with Mü 8004, Technical
    Principles for the Approval of Safety
    Installations, issued by the Federal Railway
    Authority in Germany.
  • Approval in accordance with Mü 8004 corresponds
    to CENELEC SIL 4, i.e. the product meets the current
    European standards CENELEC EN 50126, EN 50128 and
    EN 50129 for a Safety Integrity Level of 4.
  • The supplier has not indicated whether this
    certification is subject to any caveats regarding
    the application of the product.

19
Axle Counter System Current Version: Safety Issues,
User Defined I/O
  • The I/O configuration is essentially the same as
    for the 1987 QR product version.
  • The only difference is in the input interface
    connections: separate connections are required
    for each Channel.
  • QR's safety concerns have not been addressed in the
    current product.

20
Axle Counter System Current Version: Safety Issues,
No Inhibit Input
  • The lack of an Inhibit function introduces some
    risk: the system is now more susceptible to
    false wheel triggers
    • due to electrical transients caused by the
      electric traction system and atmospheric
      disturbances
    • due to track maintenance work
  • Consequently there will be a much increased need
    to issue reset commands, each of which effectively
    declares a track section clear, something which
    QR has attempted to deter.
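The following is an added worked example, not code from the presentation or the product, that models an axle-counter section with Inhibit and Reset as described on slide 6, the "Inhibit on" opto fault of slide 13, the interlocking-side inhibit proving of slide 15 and the reset concern above. The separate "restricted" indication the interlocking reads, the fault injection and the unconditional reset (slide 6 gates the reset on the last wheel having been detected leaving) are modelling assumptions.

```python
# Added model of an axle-counter section with Inhibit and Reset (slide 6),
# the 'Inhibit on' fault (slide 13), inhibit proving (slide 15) and the
# reset concern (slide 20).  Not the product's firmware: the 'restricted'
# indication, the fault injection and the unconditional reset are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AxleCounter:
    count: int = 0
    inhibit_command: bool = False          # what the interlocking asked for
    inhibit_fault: Optional[bool] = None   # None healthy, True stuck on, False stuck off

    def inhibit_active(self) -> bool:
        """Inhibit as the evaluator sees it through its (untested) opto."""
        return self.inhibit_command if self.inhibit_fault is None else self.inhibit_fault

    def wheel(self, entering: bool) -> None:
        if self.inhibit_active():
            return                          # detection suppressed
        self.count += 1 if entering else -1

    def reset(self) -> None:
        """Operator reset: the count is declared zero, whatever is on the track."""
        self.count = 0

    def track_clear(self) -> bool:
        """Track status output of slide 6: zero count -> clear.  It says
        nothing about whether the Inhibit is active."""
        return self.count == 0

    def restricted_indication(self) -> bool:
        """Assumed indication that the Inhibit has taken effect."""
        return self.inhibit_active()


def run_train(ac: AxleCounter, axles: int, through: bool) -> None:
    """A train enters the section and either stops inside or runs through."""
    for _ in range(axles):
        ac.wheel(entering=True)
    if through:
        for _ in range(axles):
            ac.wheel(entering=False)


def unproved_hazard() -> Tuple[bool, int]:
    """Slide 13 with no proving: the Inhibit opto is stuck on, a train enters
    and stops.  Returns (track_clear, count): the section reads clear."""
    ac = AxleCounter(inhibit_fault=True)
    run_train(ac, axles=8, through=False)
    return ac.track_clear(), ac.count


def interlocking_permits(ac: AxleCounter, inhibit_commanded: bool) -> bool:
    """Inhibit proving (slide 15): the counter must be in the restricted state
    exactly when the interlocking commanded it.  A mismatch means the Inhibit
    path cannot be trusted and no movement is permitted; nothing moves while
    an inhibit is commanded either; otherwise the section must read clear."""
    if ac.restricted_indication() != inhibit_commanded:
        return False
    if inhibit_commanded:
        return False
    return ac.track_clear()


def proving_scenarios() -> List[bool]:
    stuck_on = AxleCounter(inhibit_fault=True)                          # restricted, not asked
    stuck_off = AxleCounter(inhibit_command=True, inhibit_fault=False)  # asked, not entered
    commanded = AxleCounter(inhibit_command=True)                       # restricted as asked
    occupied = AxleCounter()
    run_train(occupied, axles=8, through=False)
    clear = AxleCounter()
    run_train(clear, axles=8, through=True)
    return [
        interlocking_permits(stuck_on, inhibit_commanded=False),
        interlocking_permits(stuck_off, inhibit_commanded=True),
        interlocking_permits(commanded, inhibit_commanded=True),
        interlocking_permits(occupied, inhibit_commanded=False),
        interlocking_permits(clear, inhibit_commanded=False),
    ]


def spurious_trigger_then_reset() -> Tuple[bool, bool]:
    """Slide 20: with no Inhibit, a transient on a detector is counted as a
    wheel.  The empty section reads occupied until someone resets it, and
    the reset is nothing more than a declaration that the section is clear."""
    ac = AxleCounter()
    ac.wheel(entering=True)                 # false trigger, no train present
    before = ac.track_clear()
    ac.reset()
    return before, ac.track_clear()


def reset_with_train_present() -> bool:
    """The same reset issued while a stopped train is in the section reports
    it clear: the reason QR tries to deter resets."""
    ac = AxleCounter()
    run_train(ac, axles=8, through=False)
    ac.reset()
    return ac.track_clear()
```

The only scenario in which the interlocking permits a movement is the one where the Inhibit state matches what was commanded and the count is zero; both a stuck-on and a stuck-off Inhibit are refused because the proof fails, not because the counter itself knows anything is wrong.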

21
Axle Counter System Current Version: Safety Issues,
Data Transmission
  • The only defence to ensure that an Evaluator is
    communicating with the right Recording Point is a
    6-bit Address (the 1987 version has an 8-bit
    address).
  • This hazard remains and is now somewhat worse, as
    the solution adopted for the 1987 version is not
    very practical: it would limit the number of
    uniquely addressed systems to 31.

22
Axle Counter System Current Version: Safety Issues,
Solutions
  • The solutions adopted do not involve any
    customisation of the COTS product.
  • Input Proving: adopt the same concept as for the
    1987 QR version but, instead of system software
    customisation, develop a module which extracts
    the Input state from the transmitted data.
  • As before, this allows comparison of the input
    state with what the axle counter system thinks
    the input state is, via an external Shut Down
    function; any disagreement results in the shut
    down of EC 1 and EC 2.
  • Output Proving: compare each Channel output
    using the external Shut Down function.
  • Inhibit Function: develop a module which
    utilises the Diagnostic Meter slot in the WDE to
    provide the Inhibit function (the slot is
    normally unused).
  • Use the same signal interlocking configuration to
    prove that the axle counter has entered the
    restricted state when it should have, and to
    prevent further train movements if it has not.
  • Data Transmission: use the extended user defined
    I/O capacity to extend the addressing range. By
    reserving two user defined inputs the unique
    address range can be extended to 127.
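The following is an added worked example, not code from the presentation or the product, of the one defence the slides identify against an Evaluator talking to the wrong Recording Point (slides 14 and 21): the address match, and of widening it by folding the two reserved user defined inputs into the address as described above. The frame layout, the misrouting scenario and the sample addresses are constructed for the example. The page's usable counts (61 for the 8-bit scheme, 31 for the 6-bit scheme, 127 for the extended scheme) are product limits below the raw 2^bits values; the model makes no attempt to reproduce them.

```python
# Added example of the Evaluator's address check (slides 14, 21) and of the
# extension using two reserved user-defined inputs (slide 22).  Not the
# product's protocol: the frame layout and the sample addresses are assumed.
from dataclasses import dataclass
from typing import Tuple

ADDR_BITS = 6      # current version (slide 21); the 1987 version used 8
EXT_BITS = 2       # two user-defined inputs reserved as extra address bits
ADDR_MASK = (1 << ADDR_BITS) - 1


@dataclass(frozen=True)
class Frame:
    """One block-data frame as received on the VF channel (constructed)."""
    address: int      # product address field, ADDR_BITS wide
    ext_inputs: int   # state of the two reserved inputs, carried as user data
    payload: bytes    # wheel-detector and block data (content not modelled)


def extended_address(address: int, ext_inputs: int) -> int:
    """Fold the reserved inputs in above the product address field."""
    if not 0 <= address <= ADDR_MASK:
        raise ValueError("address does not fit the product field")
    if not 0 <= ext_inputs < (1 << EXT_BITS):
        raise ValueError("only two reserved inputs are available")
    return (ext_inputs << ADDR_BITS) | address


@dataclass
class Evaluator:
    """Accepts frames only from the Recording Point it was configured for."""
    expected: int                 # extended address of its own Recording Point
    use_extension: bool = True    # False models the bare product check

    def accept(self, frame: Frame) -> bool:
        if self.use_extension:
            return extended_address(frame.address, frame.ext_inputs) == self.expected
        return frame.address == (self.expected & ADDR_MASK)


# Constructed sample: our Recording Point is product address 45 with the
# reserved inputs set to 0b10.  Because QR has more systems than the 6-bit
# field can uniquely address (slide 21), a second, unrelated Recording Point
# elsewhere on the network also carries product address 45, but its reserved
# inputs are set to 0b01.  A third one has an unrelated address.
OWN_RP = Frame(address=45, ext_inputs=0b10, payload=b"\x01\x00")
IMPOSTOR_RP = Frame(address=45, ext_inputs=0b01, payload=b"\x00\x00")
OTHER_RP = Frame(address=12, ext_inputs=0b10, payload=b"\x00\x00")


def bare_check() -> Tuple[bool, bool, bool]:
    """Slide 21: with only the 6-bit address, a misrouted VF channel carrying
    the same address is indistinguishable from the right one."""
    ev = Evaluator(expected=extended_address(45, 0b10), use_extension=False)
    return ev.accept(OWN_RP), ev.accept(IMPOSTOR_RP), ev.accept(OTHER_RP)


def extended_check() -> Tuple[bool, bool, bool]:
    """Slide 22: with the two reserved inputs folded in, the same misrouting
    is rejected; an unrelated address is rejected as before."""
    ev = Evaluator(expected=extended_address(45, 0b10))
    return ev.accept(OWN_RP), ev.accept(IMPOSTOR_RP), ev.accept(OTHER_RP)
```

Note what the extension does and does not buy: it makes an address clash between two real Recording Points less likely, because the namespace is four times larger, but an address is still only an identifier, not proof of identity; a misrouted channel from a unit that happens to carry the same extended address would still be accepted.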

23
Axle Counter System Current Version: Safety Issues,
Solutions Architecture
  • QR has consulted with the supplier regarding the
    solutions proposed.
  • The supplier has been supportive and has provided
    system documentation to support the development
    of the Tx Decoder and Inhibit modules.

24
Conclusions
  • Being involved in the development of a COTS
    product is no guarantee that future evolutions of
    the product will provide the same functionality.
  • The functionality of COTS products is driven by
    market forces.
  • Customisations of COTS products should be avoided:
    they may affect product integrity, product
    supportability and product liability.
  • Customisations are an overhead for suppliers to
    continually support.
  • Customisations, if necessary, should be as
    non-intrusive as possible.
  • Claims of a SIL for a COTS product outside an
    application context can be very misleading.
  • There will be differences of opinion as to the
    integrity of a COTS product in relation to a
    particular application.
