menTCS is an open computer platform based upon modern IT standards that covers all safety-critical applications on a train and wayside. It is SIL 4 certifiable and comes with pre-certified hardware in combination with pre-certified software and corresponding certificates from TÜV SÜD, drastically reducing the time of the certification process.
2. Done by MEN
menTCS is an open computer platform based upon modern IT standards
that covers all safety-critical applications on a train and wayside.
It is SIL 4 certifiable and comes with pre-certified hardware in combina-
tion with pre-certified software and corresponding certificates from TÜV
SÜD, drastically reducing the time of the certification process.
menTCS Train Control System
3. 1. Is menTCS just a single piece of hardware – or more?
2. How can menTCS guarantee safety levels from SIL 2 to SIL 4?
3. What are the key factors that make menTCS innovative for the
railway market?
4. What significant cost savings are achieved with menTCS?
5. What are typical safety-relevant applications on board a train or
wayside?
menTCS Train Control System
5. 1. Is menTCS just a single piece of hardware – or more?
menTCS has a modular structure consisting of a safe controller, safe I/O func-
tions, and the communication interfaces to the “outside” world”. It is as such
scalable to the requirements of the application:
» Unlimited number of safe railway inputs and outputs
» Ethernet and wireless communication interfaces connecting WLAN, 4G-LTE and GPS
» Fieldbus interfaces connecting into existing networks like MVB, CAN bus, Profinet etc.
» Remote I/O boxes to expand the central unit, interconnecting to distributed sensors
and actuators
» Second safe controller to deliver system availability of 99,9999%
7. » Safe processing hardware: The central element of menTCS is a self-contained, safe CPU board
which uses 2oo2d voting. It consists of 3 Intel processors (two of which being redundant CPUs
that execute the safety logic), independent supervisors for each block, a fail-safe board ar-
chitecture and event logging with intelligent board management controller.
» Safe I/O hardware: The I/O boards of menTCS are self-contained, using a 1oo1d architecture. A
SIL 4 certification package is available for all I/O boards together. A single I/O board can be used
to reach SIL 2. Two combined boards are required to reach SIL 3 and SIL 4.
» Separation between safe and non-vital domains: The menTCS software distinguishes between
the safe and the non-vital domain, allowing to develop non-vital applications separately from
safe applications. Non-vital applications cannot influence safe applications because they are
executed on a separate processor running a standard Linux operating system.
2. How can menTCS guarantee safety levels from SIL 2 to SIL 4?
8. » Safe communication: In order to guarantee appropriate communication between the safe
controller and the safe I/O functions via real-time Ethernet, the black channel approach is
applied. The requirements to transport safe data over untrusted communication are defined
by EN 50159 and realized using the FSoE safe communication protocol (Fail Safe over EtherCat).
» Safe Application Interface: As menTCS is an open general-purpose hardware platform for diffe-
rent kinds of safe applications, the software programmer needs an interface to get full access
to the control electronics. The PACY safety I/O framework provides easy and modular access to
the safe I/O boards and includes a safe communication layer crossing the black channel.
» Safe operating systems: Without being influenced by non-vital applications, the safe appli-
cations are executed on two separated redundant control processors. Integrity tests ensure
the safe operation of each safe processor is provided by the safe operating system. This ar-
chitecture allows the development of safe applications on a menTCS platform in combination
with all market relevant safe operating systems, such as QNX, PikeOS, VxWorks, or Integrity.
2. How can menTCS guarantee safety levels from SIL 2 to SIL 4?
9. 3.
What are the key factors that make
menTCS innovative for the railway market?
10. The use of digital technology has transformed the way modern railways work
today. Safe train control and railway signaling are expected to play a key role
in the overall railway computer infrastructure with respect to an increasing
demand for passenger, worker and traffic safety in combination with higher
speeds, autonomous driving and higher track frequencies.
menTCS is the first computer system ever in the history of the railway
industry that is based on defined open standards for hardware, software
and communication. Its modularity makes it configurable for every control
function inside and outside the train – and scalable to any required safety
level from SIL 2 up to SIL 4.
3. What are the key factors that make menTCS innovative for the railway market?
11. menTCS offers separation of the rail service from the electronic control
system behind. This is a major difference to existing solutions, which are
proprietary with a fixed hardware/software configuration that is not
accessible by the end user. It allows railway system suppliers to concentrate
on their core business, facilitates market entry for small and medium-size
companies, and enables rail operators to become their own general
contractor, keeping full transparency of their project at any time.
3. What are the key factors that make menTCS innovative for the railway market?
13. 1. Acquisition costs must only be paid for one computer system for all applications –
instead of the previous practice of one computer for each application.
2. This also reduces installation costs – as there are fewer cables, less weight, and
reduced space requirements (resulting in lower energy consumption).
3. Maintenance and the necessary expertise are limited to one system.
4. New, additional or modified application software does not require any other or
additional hardware.
5. The life cycle management of an open system is limited to the exchange of single
components, without affecting the functionality of the overall system.
4. What significant cost savings are achieved with menTCS?
14. 4. What significant cost savings are achieved with menTCS?
6. Therefore, the life cycle of the application/s is practically unlimited.
7. Another cost saving factor is the fact that menTCS comes with pre-certified
hardware in combination
With a pre-certified QNX operating system and drivers, together with the
corresponding certificates from TÜV SÜD (German Technical Inspection Agency),
this means:
» Considerable reduction of the duration of the certification process – no need
to develop an own safe BSP and drivers from scratch.
» Considerable risk reduction – as the approval for SIL 4 operation has already
been achieved for hardware and software.
15. 5.
What are typical safety-relevant applications
on board a train or wayside?
16. menTCS is application-ready for the complete portfolio of
vital train and wayside functions.
Thanks to its scalability it is easy to install in new trains and
as a retrofit in combination with other already existing train
control equipment.
5. What are typical safety-relevant applications on board a train or wayside?
17. Rolling Stock:
» CBTC: Central computer of the Communication Based Train Control
» TCMS: Central computer of the Train Control Management System
» ATO, ATP, ATS: Central computer of the Automated Train Operation, Pro-
tection and Supervision systems
» OBU, EVC: On Board Unit or European Vital Computer as part of an ETCS
application
» Interfacing to: the driver cab display, all existing train communication with
Ethernet, MVB, CAN bus etc. and wireless to the outside world through
GSM-R, GPS, Wi-Fi etc.
5. What are typical safety-relevant applications on board a train or wayside?
18. Wayside:
» RBC: control of Radio Block Center as part of an ETCS application
» CBI: control of Computer Based Interlockings – increasing performance
at lower cost
» Wayside devices: control of level crossings, switches, signals
5. What are typical safety-relevant applications on board a train or wayside?