ASE’s Client, Mors Smitt UK Ltd, engaged ASE to design and develop the control unit for a UK STM to operate with UNISIG’s defined interface to Baseline 2 of Subset 35. The unit had a targeted reliability figure for a general MTBF of over 220,000 hours of operation, and had to be certified to SIL-1 under EN 50129.
The hardware selected by ASE was based upon Altera’s SoC Cyclone V chipset, which provided a dual-processor ARM solution embedded within an FPGA as a single device. The hardware choice enabled ASE to develop a single main processor board and a generic backplane, thus facilitating different interface modules for different projects. In this case, the client was looking for a track signalling system, but ASE was aware that the client also had a potential need for a power monitoring solution. ASE’s solution provided the client with generic interfaces to a number of communication standards, a generic upgrade feature that can reprogram both the Linux applications and the FPGA program, in order to support the different I/O board types.
The hardware was developed to SIL-1 under EN 50129, with the equivalent software complying with the same safety level under EN 50128. The STM unit monitors an RF antenna and a Hall Effect sensor device, which are excited by wayside beacons and magnets. The STM’s interpretation of these inputs results in decisions with regard to whether or not the train is safe to continue on its current section of track. In the event that the STM considers it unsafe to continue, this could be as a result of the train being considered to be in an unsafe position or travelling at an unsafe speed, it causes the application of the emergency brake on the train.
A number of hardware issues needed to be addressed, mainly related to the use of a state of the art device in which not all problems were resolved by the manufacturer at the time the project started. Further, the Siemens ASPC2 device needed to support the PROFIBUS interface to the ETCS is only available in a five Volt option while the SoC Cyclone V is only available in a 3.3 Volt system. The bus needed tristate support, which presented some challenges with the voltage matching. The system required the usual EMC protection, and the transient burst protection was particularly challenging, as ASE needed to be able to receive the real RF inputs, which could be masked or mistaken for transient bursts.
The main software challenge on this project was the fact that the controlling ETCS unit was also not available, even in prototype form, meaning that it was not possible to confirm the correct operation of the STM against a real unit during development. It therefore became necessary for ASE to implement most of the ETCS side of the protocol in ASE’s own test rigs, essentially emulating the ETCS, in order to confirm correct operation of the unit ahead of the real ETCS becoming available. ASE is extremely proud of the final test rig, which is able to simulate all inputs and outputs (including Ethernet traffic) to the unit, and is used in extensive automated testing of the STM.
The software was implemented on a Linux kernel version 3.10, for which ASE has successfully put forward a suitability case for the use of that kernel on SIL-1 rated implementations. ASE needed to write a number of Linux drivers for the bespoke hardware solution.
The development of the ETCS (not an ASE item), with which the STM unit had to communicate, has overrun by considerably longer than expected, further demonstrating the benefit of ASE’s test harness. As a result of the ETCS delay, the STM project was modified to communicate directly with Bombardier’s train units, essentially performing some of the tasks of the ETCS, such as creating driver displays using BT’s IPTCOM protocol in order to provide a temporary signalling solution and get trains on tracks.
This whole project has taken around two years to complete.