IEEE-1473-L & Safety Critical Applications



Introduction

LonWorks is used in safety-critical applications worldwide in many diverse industries. In addition to many rail applications, LonWorks is used to control (not just monitor) nuclear reactors in Europe, was demonstrated as a proof of concept for a fully deterministic primary flight control system for the US Army's Apache helicopter, and serves as the helm-to-propeller control on the US Navy's USS Rushmore.

In the US, LonWorks is the new standard for braking freight trains of up to 3 miles in length faster and more safely than traditional air brakes. For NYC Transit's latest generation subway cars, LonWorks is used for both primary and backup propulsion control. For the San Francisco Bay Area Rapid Transit District's latest subway cars, LonWorks is used to verify that the friction brake systems are working properly, and also to carry safety-critical train control information within trains as part of BART's next-generation Communications Based Train Control system, known as Advanced Automatic Train Control.

LonWorks is also used by US signal system suppliers for communications interoperability: safety-critical train control information is carried by tunneling the ATCS (Advanced Train Control System) communications protocol through LonWorks networks.

Each of these LonWorks based systems takes a different approach to ensuring system safety.

What about Determinism?

The high reliability, availability, and fully deterministic behavior that are absolutely necessary in an aviation flight control system were achieved by the US Army for its Apache helicopter using a special implementation of LonWorks developed originally by Control by Light (www.controlbylight.com). It is based upon a redundant fiber optic ring physical layer. Optical fiber offers many advantages over copper, including high bandwidth and immunity to EMI. Since very high EMI fields typically exist on electric rail cars, on the tracks, and along the wayside, Control by Light's LonWorks architecture can be especially attractive for rail.

While standard LonWorks can be configured to behave deterministically over fiber or copper, it comes at a cost in efficiency, since channel capacity has to be reserved rather than shared on demand. Further, unlike an aircraft, a train can always be brought to a safe state by applying the brakes. So the question becomes: do you really need determinism?

Consistent with the traditional train control "fail-safe" design philosophy, watchdog timers can be implemented in a LonWorks-based system so that equipment fails safely, or "fails stop", if a permissive signal is not received in time. Thus, for many non-aviation requirements such as railway signal systems, deterministic behavior is not always necessary: a late or lost message results in a safe stop rather than an unsafe state.
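The following is an added illustration of the "fail safe / fail stop" watchdog pattern just described; it is not code from this page, from Echelon, or from any signal supplier. The timeout, the message schedule and the state names are invented for the example. The point it makes is the one the paragraph relies on: the controller holds its permissive output only while fresh permissive messages keep arriving, a missed deadline (a slow or lost message) drops it to the restrictive state and latches it there, and a late message arriving afterwards does not silently re-enable it.

```python
"""Permissive-signal watchdog with latching fail-stop (added example, not
vendor code). Timing values and state names are invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAFE = "BRAKES_APPLIED"           # restrictive state: the state to fail into
PERMISSIVE = "RELEASE_PERMITTED"  # only held while the watchdog is being fed


@dataclass
class PermissiveWatchdog:
    timeout_s: float                      # longest tolerated gap between permissive messages
    state: str = SAFE                     # power up restrictive
    last_feed_s: Optional[float] = None
    tripped: bool = False                 # latched after a timeout
    log: List[str] = field(default_factory=list)

    def feed(self, now_s: float, permissive: bool) -> str:
        """Message arrival. A non-permissive message drops to SAFE immediately."""
        if self.tripped:
            self.log.append(f"{now_s:4.1f}s: message ignored, watchdog latched")
            return self.state
        if permissive:
            self.last_feed_s = now_s
            self.state = PERMISSIVE
        else:
            self.state = SAFE
        return self.state

    def check(self, now_s: float) -> str:
        """Scan-cycle check. A missed deadline trips the latch; no message can clear it."""
        if self.tripped:
            return SAFE
        if self.last_feed_s is not None and now_s - self.last_feed_s > self.timeout_s:
            self.tripped = True
            self.state = SAFE
            self.log.append(f"{now_s:4.1f}s: permissive signal timed out -> {SAFE} (latched)")
        return self.state

    def manual_reset(self) -> str:
        """Deliberate reset (e.g. operator acknowledgement). Output stays SAFE until fed again."""
        self.tripped = False
        self.last_feed_s = None
        self.state = SAFE
        return self.state


def run_scenario(timeout_s: float = 1.5,
                 message_times_s: Tuple[float, ...] = (0.0, 1.0, 2.0, 3.0, 6.0),
                 scan_period_s: float = 0.5,
                 end_s: float = 8.0) -> Dict[float, str]:
    """Constructed timeline: permissive messages every second, then a 3 s gap; the
    message at 6 s models a delayed (non-deterministic) delivery. Returns the
    output state at every scan tick."""
    wd = PermissiveWatchdog(timeout_s)
    states: Dict[float, str] = {}
    ticks = int(round(end_s / scan_period_s)) + 1
    for i in range(ticks):
        now = i * scan_period_s
        if now in message_times_s:
            wd.feed(now, permissive=True)   # every message in this scenario is permissive
        states[now] = wd.check(now)
    return states


def first_trip_time(states: Dict[float, str]) -> Optional[float]:
    """First tick at which the output had dropped to SAFE after being permissive."""
    was_permissive = False
    for t in sorted(states):
        if states[t] == PERMISSIVE:
            was_permissive = True
        elif was_permissive:
            return t
    return None


if __name__ == "__main__":
    result = run_scenario()
    for t in sorted(result):
        print(f"{t:4.1f}s  {result[t]}")
    print("first fail-stop at", first_trip_time(result), "s")
```

In the constructed timeline the output stays permissive through the 4.5 s tick (gap of exactly 1.5 s, not yet over the limit), trips to BRAKES_APPLIED at the 5.0 s tick, and ignores the late message at 6 s. The latch is the part worth copying: a watchdog that re-arms itself on the next message would let an intermittent network produce an unsafe flicker between states instead of a stop.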

It is very important not to confuse safety with determinism.

How is Safety Achieved with LonWorks?

Many, many different ways. 

LonWorks was designed to be a highly robust and reliable control network protocol. Reliable message delivery is provided by end-to-end acknowledgements in a full seven-layer OSI protocol stack, a 16-bit checksum on every frame, watchdog timers, and, in the case of certain transceivers, error correction algorithms. Because of this, the probability of an undetected error in a LonWorks channel is very low.

Claude Shannon, in his 1948 classic paper "A Mathematical Theory of Communication", showed that every noisy channel has a finite capacity. Below that capacity the error rate can be driven arbitrarily low by adding redundancy, but only by trading channel bandwidth against the time required to send the data through the channel, and with any finite amount of redundancy the residual error rate is never exactly zero. Every real communications system therefore has some error rate that must be detected and controlled rather than assumed away.

Therefore, because there is always a non-zero error rate in any communications system, it is up to the system designer to determine what additional safety protections, if any, are necessary to ensure a safe design when using a LonWorks network. When sending safety-critical train control data over a "foreign" communications channel, it is standard practice in the signal industry to protect the safety data with an additional CRC or checksum of its own, independent of the channel's error checking, before sending it through the channel.

For example, both General Electric (formerly Harmon Industries) and Safetran Systems offer several safety-critical signal system products with interoperable LonWorks interfaces. To ensure the safe delivery of safety-critical train control information, both firms rely upon the ATCS (Advanced Train Control System) communications protocol to protect the data. The ATCS protocol carries its own additional CRC protection, which significantly reduces the likelihood of an undetected error causing an unsafe condition. The protected ATCS data is then sent as a "foreign frame" over the LonWorks network, where the LonWorks checksum provides a second, independent layer of error detection.
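An added example of the two preceding paragraphs' pattern (an extra, end-to-end CRC on the safety data before tunnelling it through a foreign channel), written for this page and not taken from ATCS, LonTalk, or any vendor. Assumptions: CRC-16/CCITT (polynomial 0x1021, initial value 0xFFFF) stands in for both the link-layer check and the safety check, since the page gives neither polynomial; the frame layout, the router model and the sample message are constructed. What it demonstrates is why the second code is not redundant: the link CRC is verified by the carrier and protects only the wire, whereas the safety CRC is computed by the sending safety application and verified only by the receiving one, so it also catches corruption that occurs after a link check (here, in a router that re-frames the data) and, with a sequence number, replay of a stale message.

```python
"""Safety CRC inside a 'foreign frame' (added example; layout, polynomial
choice and sample message are constructed, not ATCS or LonTalk specifics)."""
from typing import Dict, Optional, Tuple


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE, bit-serial for clarity (check value for b'123456789' is 0x29B1)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


# ---- safety application layer (end to end) ----
def safety_encode(seq: int, payload: bytes) -> bytes:
    """seq(2) | payload | safety CRC(2) over seq+payload."""
    body = seq.to_bytes(2, "big") + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def safety_decode(app_data: bytes, expected_seq: int) -> Optional[bytes]:
    """Returns the payload, or None, which the safety logic treats as 'no message' (restrictive)."""
    if len(app_data) < 4:
        return None
    body, tag = app_data[:-2], app_data[-2:]
    if crc16_ccitt(body) != int.from_bytes(tag, "big"):
        return None                       # safety CRC mismatch
    if int.from_bytes(body[:2], "big") != expected_seq:
        return None                       # stale or out-of-order message
    return body[2:]


# ---- carrier / link layer (stand-in for the LonWorks frame check) ----
LINK_HDR = b"\xF0"                        # constructed marker, not a real LonTalk header


def link_encode(app_data: bytes) -> bytes:
    """hdr(1) | len(1) | app_data | link CRC(2)."""
    frame = LINK_HDR + len(app_data).to_bytes(1, "big") + app_data
    return frame + crc16_ccitt(frame).to_bytes(2, "big")


def link_decode(frame: bytes) -> Optional[bytes]:
    if len(frame) < 4 or frame[0] != LINK_HDR[0]:
        return None
    body, tag = frame[:-2], frame[-2:]
    if crc16_ccitt(body) != int.from_bytes(tag, "big"):
        return None                       # link CRC failed: carrier discards (and would retry)
    if len(body) != 2 + body[1]:
        return None
    return body[2:]


def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def router(frame: bytes, corrupt_bit: Optional[int] = None) -> Optional[bytes]:
    """Router/bridge that terminates the link layer: checks the inbound frame, buffers the
    application data (optionally corrupting it, modelling a fault AFTER the link check),
    then emits a fresh, correctly checksummed outbound frame."""
    app = link_decode(frame)
    if app is None:
        return None
    if corrupt_bit is not None:
        app = flip_bit(app, corrupt_bit)
    return link_encode(app)


def deliver(frame: Optional[bytes], expected_seq: int) -> Tuple[str, Optional[bytes]]:
    """Receiving node: link check first, then the safety application's own check."""
    app = link_decode(frame) if frame is not None else None
    if app is None:
        return ("rejected_by_link", None)
    payload = safety_decode(app, expected_seq)
    if payload is None:
        return ("rejected_by_safety", None)
    return ("accepted", payload)


def scenarios() -> Dict[str, Tuple[str, Optional[bytes]]]:
    payload = b"ASPECT=CLEAR"             # constructed sample vital message
    frame = link_encode(safety_encode(7, payload))
    return {
        "clean": deliver(frame, 7),
        # single bit error on the wire: the link CRC catches it, the safety layer never sees it
        "wire_error": deliver(flip_bit(frame, 20), 7),
        # bit error in the router's buffer after its link check: outbound link CRC is valid,
        # only the end-to-end safety CRC catches it
        "error_after_link_check": deliver(router(frame, corrupt_bit=40), 7),
        # the same valid frame presented again later: the sequence check rejects the replay
        "replayed_old_message": deliver(frame, 8),
    }


if __name__ == "__main__":
    for name, (verdict, data) in scenarios().items():
        print(f"{name:24s} {verdict:20s} {data!r}")
```

Two caveats a practitioner should keep in mind. A 16-bit code, whether on the link or on the safety data, still lets a random multi-bit corruption through with probability on the order of 2^-16; the safety code earns its place by covering the path the link check cannot see (node buffers, routers, gateways) and by binding a sequence number, not by making the undetected-error rate zero. And the receiver's response to any failed check is the restrictive one, "no message", which is what lets a watchdog of the kind described above turn a corrupted or missing message into a safe stop.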

In the case of NYCT's latest generation of rail cars, LonWorks is used for both the primary and backup propulsion systems, but a separate hardwired Emergency Brake (EB) trainline is retained. When the EB signal is lost the brakes are applied and the propulsion systems go into full braking, overriding any propulsion command that may conflict with it.

Invensys, which owns both Safetran Systems and Triconex (a maker of Triple Modular Redundant safety computers), has used LonWorks with its non-stop safety computers to safely control nuclear reactors in Europe.

Knorr Brakes cross-checks the proper operation of truck (bogie) brakes by using LonWorks as a "watchdog timer".

Thus, there are many different ways in which companies have used LonWorks in safety critical systems. 

What about IEC 61508 Safety Integrity Levels?

In Europe and many parts of the world, IEC 61508 is gaining popularity for defining the safety requirements of safety systems, including railway signaling. IEC 61508 describes a risk-based method for specifying, and demonstrating the safety of, electrical/electronic/programmable electronic (E/E/PE) safety-related functions and systems.

The standard states requirements for documenting the design: the components used in the safety function, their reliability, their performance, and their maintenance. It defines four Safety Integrity Levels (SIL 1 to SIL 4), with SIL 4 the most stringent. For a safety function operating in low-demand mode, SIL 4 requires an average probability of dangerous failure on demand below 1 in 10,000 (10^-4). For a function operating in high-demand or continuous mode, as most train control functions do, it requires a dangerous failure rate below 10^-8 per hour, which corresponds to a Mean Time Between Hazards (MTBH) in the range of 10^8 to 10^9 hours. SIL 4 is therefore probably the level appropriate for most safety-critical train control functions.

IEC 61508 is generally not used in the US by signal and train control companies. In the US, signal systems are generally designed according to fail-safe design principles, without "numerical bounds" on safety.

However, many US signal firms claim to offer safety comparable to that of other transportation industries, such as aviation, which target an MTBH in the range of 10^9 hours. One of the challenges in the signal industry today is to define a "safety baseline" for existing signal systems that use relay technology. Once this is done, newer computer-based systems can be compared against it.