
Unmanned Systems Technology | November 2014

Safety systems

Less strain on trains

Artesyn Embedded Systems has entered the market for safety-critical systems for the rail industry, including driverless trains. The ControlSafe Platform is one of the first embedded systems to use commercial-off-the-shelf (COTS) components to create a failsafe computing platform designed to be SIL 4-certified for a wide range of train control and rail signalling applications. It is designed to meet all the functional safety, reliability and availability requirements mandated by rail standards and specifications, and forms the basis of a new set of technologies for building autonomous systems.

This is also a first step to providing equipment for intelligent highways, which have some of the same issues as rail systems as well as some that are specific to driverless cars. For example, high availability is not the primary requirement, but failsafe is – to stop the car rather than let it drive over a cliff, for example.

The current packaging of the system in a dual rack is intended for the rail market, where boards can be easily replaced if necessary. It uses a dual-processor voting and data lock-step architecture that supports modern high-performance processors; it is also modular and scalable to allow extra I/O interfaces and processor upgrades to be fitted during the product’s lifecycle. Reliability, availability, maintainability and safety (RAMS) processes are designed to be certified to EN 50126, all safety-related software to EN 50128, and hardware to EN 50129.

The platform has built-in redundancy, using two ControlSafe Computers (CSCs), each of which delivers failsafe operation. They are linked by a safety relay box that monitors the health of the CSCs, designates one as active and the other as standby, and controls fail-over operation between them to deliver a failsafe and fault-tolerant system.

At the core of each CSC are two identical CPU boards that run in data lockstep mode and implement a two-out-of-two voting mechanism. Proprietary extensions to Wind River’s VxWorks 653 operating system are used to provide loose synchronisation of the two CPUs. If the two voting processors don’t agree, the system switches to the standby CSC, which takes over. This is a more cost-effective architecture than triple voting, as the two processor boards can be easily removed and replaced to get the primary system up and running quickly. This is key to the failsafe requirement of the SIL 4 safety specification.

The processors are currently single-core devices from Freescale Semiconductor using the e500 PowerPC core, but they are linked via a dedicated switched Ethernet backplane and so could use other processor architectures as well. The Freescale devices were chosen to provide a 15-year design life and for their lower heat dissipation, which allows a 3U-height card to be used in a 4U-high slot to provide more airflow. The single-core versions also provide a lower thermal profile than a dual-core device.

All the I/O modules have a common architecture based on the same Freescale CPU cores and the Wind River VxWorks 653 operating system that are on the main cards, simplifying software development. They are accessed over the same Ethernet backplane to provide a distributed architecture in which additional expansion can be contained in a remote chassis. All the modules support remote online software and firmware upgrades without the risk of rendering a system inoperable.

Caption: ControlSafe is a platform for the failsafe operation of trains, and is one of the first such systems to use COTS components
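As an added illustration of the voting and fail-over behaviour described above (this is not Artesyn's code; the class names, the two-command output, the repair step and the sample cycles are assumptions), a Python model of two CSCs, each voting two-out-of-two, behind a safety relay that fails over and finally falls back to the safe state:

```python
from enum import Enum

class Cmd(Enum):
    RUN = "run"
    STOP = "stop"  # the failsafe output: if anything is in doubt, stop the train

class CSC:
    """One ControlSafe Computer: two lockstep lanes with two-out-of-two voting."""
    def __init__(self, name):
        self.name = name
        self.healthy = True

    def vote(self, lane_a, lane_b):
        # 2oo2: the output is valid only if both lanes computed the same command;
        # any disagreement marks this CSC as faulted rather than guessing a winner
        if lane_a == lane_b:
            return lane_a
        self.healthy = False
        return None

    def repair(self):
        # Models swapping the CPU boards and bringing the CSC back into service
        self.healthy = True

class SafetyRelay:
    """Models the relay box: one CSC active, one standby, fail-over between them."""
    def __init__(self, primary, standby):
        self.csc = [primary, standby]
        self.active = 0  # index into self.csc

    def output(self, lanes):
        # lanes maps a CSC name to the (lane_a, lane_b) results for this cycle
        for _ in range(2):  # at most one fail-over per cycle
            csc = self.csc[self.active]
            if csc.healthy:
                result = csc.vote(*lanes[csc.name])
                if result is not None:
                    return result, csc.name
            self.active ^= 1  # active CSC faulted: hand over to the other one
        return Cmd.STOP, "failsafe"  # both CSCs faulted: fail to the safe state

# Constructed sample cycles: A's lanes disagree in cycle 2, B's lanes in cycle 3
SAMPLE_CYCLES = [
    {"A": (Cmd.RUN, Cmd.RUN), "B": (Cmd.RUN, Cmd.RUN)},
    {"A": (Cmd.RUN, Cmd.STOP), "B": (Cmd.RUN, Cmd.RUN)},
    {"A": (Cmd.RUN, Cmd.RUN), "B": (Cmd.STOP, Cmd.RUN)},
]

def run_cycles(cycles, relay=None):
    """Feed each cycle through the relay; returns the (command, source) per cycle."""
    if relay is None:
        relay = SafetyRelay(CSC("A"), CSC("B"))
    return [relay.output(lanes) for lanes in cycles]
```

The third cycle shows the point of the design: with both CSCs faulted the relay has no trusted output left and emits STOP, so a disagreement never becomes a guessed command.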
