Specifications of modern railway control systems often include resilience requirements in order to quickly and safely recovery from disasters (e.g. system-level failures). To that aim, spatial redundancy is required, with main and backup systems installed in fully isolated buildings, together with very short switchover times from main to backup systems in case of disasters. In order to fulfil those requirements, Ansaldo STS has developed a system-level hot stand-by solution allowing to quickly and smoothly switch from the main system to the back-up one, ensuring the necessary continuity of service and transparency to train supervisors and other operators. The functional architecture of such a solution is able to keep aligned the safety-critical nucleuses, typically based on N-modular redundancy (i.e. ‘KooM’ voting), of the main and the back-up systems. Such a coherent alignment must be kept in terms of both interfaced field devices (e.g. interlocking signals, track circuits, switch points, etc.) – on the ‘bottom’ level – and control room Human Machine Interfaces (HMI) – on the ‘top’ level. The solution is based on heterogeneous and redundant network links (copper/fiber Ethernet/HyperRing) at different levels of system architecture. In this speech, the reference architecture and the fault-tolerance functionalities for disaster recovery are provided, considering the requirements of real railway and mass-transit installations.
Hot Stand-By Disaster Recovery Solutions for Ensuring the Resilience of Railway Control Systems
1. 1
Finmeccanica is Italy’s leading manufacturer in the high technology sector.
Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake.
About us: Finmeccanica
Hot Stand-By Disaster Recovery
Solutions for Ensuring the
Resilience of Railway Control
Systems
Paris, September 2015
Bozzaotre M.
2. Text
Introduction
• Disaster recovery in modern railway control systems
• Ansaldo STS systems are based on a centralized
architecture
• Clients ask to guarantee the availability of service in case
of disasters involving the control room (fire, flooding…)
• Hot-standby solution developed by Ansaldo STS
3. 3
Text
Wayside Subsystem Overview
• Safety Nucleus (SN) performs the vital processing
• HMI: it allows to control the whole railway system
• Peripheral Place (PP) is the analogue interface the field devices
• Communication to the trains via radio
PP1
PP2
PP3
PP4 PP6
PP5
SN
WAN
Train Supervisor
HMI
CONTROL ROOM
Radio
4. 4
Text
Safety Nucleus Overview
CPU1 CPU2 WD
SECTION1
CPU1 CPU2 WD
SECTION2
Ethernet RS485 Radio
INTERFACES
Main feautures
• High Scalability
• CENELEC SIL4 certified
• Real Time processing
• Fault Tolerance through spatial redundancy
• Different and hetherogenous interfaces
5. 5
Text
COLD-STANDBY solution
* SN Backup in the same control room and not connected to the
interfaces
* Human action required for switchover
WD
SECTION 1
SECTION 2
SN NORMAL
SECTION 1
SECTION 2
SN BACKUP
Ethernet RS485
CONTROL ROOM
INTERFACES
Radio
Active Inactive
6. 6
HOT STANDBY solution
WD
SECTION 1
SECTION 2
SN NORMAL
SECTION 1
SECTION 2
SN BACKUP
MAIN CONTROL ROOM
Active Inactive
BACKUP CONTROL ROOM
• SN Normal and Backup in 2 different control rooms, connected by a network
• Only one section active for SN in each room
• Switchover automatically performed in case of fault/disaster, with non loss of
service
• With one only control room available, the second section can be activated by an
human action
7. 7
HOT STANDBY: specific issues
• Real time nature of the system
• Section alignment
• Amount of data
• Continuity of service
• Switchover time
• Multiple interfaces
• Split Brain
• Preserve the safety, whitout affecting the availability
• Reliability of the network
WD
SECTION 1
SECTION 2
SN NORMAL
SECTION 1
SECTION 2
SN BACKUP
MAIN CONTROL ROOM
Active Inactive
BACKUP CONTROL ROOM
8. 8
HMI – SCADA
• Monitoring all the components
• Accurate information and data analysis, in order to quickly figure out the
faults and perform repair actions
• Suitable for mobile devices
