subconcept cp-to-l translation · figure 1 oc reference model (central processing unit = engl. base...
TRANSCRIPT
OC Concept
Subconcept CP-to-L TranslationSubconcept L-to-W interface electronicsVersion 12_published 3042018
1 Disclaimer
This document is a DRAFT version which is still under construction Its content may change in the ongoing concept
phase of SmartRail 40 The document is not completely verified and is not finalized by now The document is published
to enable an open discussion of the ongoing work of the SmartRail 40 program
Links and references inside of this document may refer to other documents inside of the program SmartRail 40 that
may not be published at this stage
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
122 SBB CFF FFS 2018-05-27 2224
2 Content1 Disclaimer 1
2 Content 2
3 List of Figures 3
4 List of Tables 3
5 Glossary 3
6 Initial position 4
61 General 4
62 CP-to-L Translation and L-to-W interface electronics 4
7 Aims 4
71 General product aim OC and Y-switch 4
72 Modularization OC and Y-switch 5
73 Functional aims OC and Y-switch 5
74 Safety aims OC and Y-switch 6
75 Migration aim Y-switch 6
8 Input parameters (Inputs) 6
9 Requirements 7
10 Functional description CP-to-L Translation and L-to-W interface 7
101 Overview 7
102 Software module 8
103 L-Interface 8
104 Configuration Profile to L-interface translation 10
105 Hardware considerations 12
1051 General 12
1052 Hardware Module 12
1053 Power supply 13
1054 OC Y-switch design 14
1055 Control unit Y-switch (OC external) 15
106 Type approval process 16
11 General functional description 17
111 Operational concept 17
112 Maintenance concept 17
12 Open issues and working hypotheses 18
121 TA controllability 18
122 Y-switch general 18
123 Y-switch monitoring function (Shadow mode) 18
124 Behaviour of the LI during switchover and reset 18
125 TA modules and TA connection 19
13 Sources References 20
14 Appendix Possible approaches Y-switch and TA elements 21
15 Appendix Procedure for moving the points 21
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
222 SBB CFF FFS 2018-05-27 2224
3 List of FiguresFigure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
Figure 2 Detailed view
Figure 3 Two-way point with trafficability vectors
Figure 4 CP Example of track point P1
Figure 5 - OC Reference Model
Figure 6 Modularization for type approval
4 List of TablesTable 1 UML Terminology
Table 2 Schematic for Y-switch installation
5 Glossary
Term Abbrev Description
B-Interface Bm Interface to the existing Interlocking (LI) type m (Example m=Do 67) harr OC
ETCS
Interlocking
EI ETCS FSS based interlocking comprising the RBC Its dynamic rule based and geometric safety logic
controls all movements of the objects and all changes of the state of the trackside assets within the EIs
effective range All operational logic is moved to the higher-level systems
L-Interface L OC Internal interface between the Base Module and the TA Modules
Legacy
Interlocking
LI Legacy interlocking system (eg relay and electronic interlocking) that shall be replaced by the ETCS
Interlocking (EI)
Object
Controller
OC The Object Controller connects the ETCS Interlocking (EI) with the trackside assets (TA) by translating
CommandsMessages between ETCS Interlocking and trackside asset (eg point motor)
Trackside
Asset
TA Trackside installations such as rail points level crossing barriers signals etc
W-Interface Wnx OC Interface that connects the TA Modules (through the Y-Switch) to the Trackside Assets of type n
subtype x (eg n=barrier motor x= ASSA engine with coal 110V)
Y-Switch Technical solution that provides during the migration phase a switching mechanism to alternate the
control of trackside elements between the legacy interlocking systems (LI) and the ETCS Interlocking (EI)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
322 SBB CFF FFS 2018-05-27 2224
6 Initial position
61 General
In the safety systems area (SA or LST) the Trackside Assets (TA) make up the great bulk of the systems and theprovisioning processes They have a huge impact on availability and costs Depending on the architectural scenario30000-70000 TAs of todays 115000 will remain in the long-term target models of Railway Production 40
62 CP-to-L Translation and L-to-W interface electronics
Chapter 9 deals specifically with the topics CP-to-L Translation and (superficially) with the translation of the logical TASignals (L-interface) into the physical (eg 230V ~ power electronics for motor powering) referred to as L-to -Winterface electronics The topics in this context are
HWSW rough design of the OC base module1
Translation of the Configuration Profile2
Hardware considerations3
Y-switch and its control unit4
7 Aims
The following aims are to be addressed with the OC and the Y-switch
General product aim1
Modularization2
Functional aims3
Safety aims4
Migration aims5
71 General product aim OC and Y-switch
The purpose of the OC is to create an independent product which serves as a universal interface to the largest possible
number of TA Types (W interface) In order for larger migrations to be sensibly and economically feasible a Y-switch
must also be provided as a switching element between the old and the new world (switch-over option B and W
interface)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
422 SBB CFF FFS 2018-05-27 2224
Figure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
The OC uses TA Elements as subfunctions These together make up a logical element For example the level crossing
(BUe) consists of the subfunctions of the TA Elements motors of the barriers flashing lights etc These together form
the logical element BUe
In the ES concepts the abstract representations of TA are referred to as infrastructure objects The abstracted
representations are not to be confused with the terms TA and TA Elements which denote the physical assets
72 Modularization OC and Y-switch
The OC should have a modular design and consist of a base module TA Module and the Y-switch (possibly
implemented externally)
The aim is to achieve the greatest possible decoupling within the OC (Base Module TA Modules Y-switches) so that
the results are interfaces which are as simple and manageable as possible
The complex safety logic of the present Legacy Interlocking (LI) should be distributed among TMS ES and OC Base
Module elements and decoupled as far as possible The TA Modules should focus on pure signal processing
73 Functional aims OC and Y-switch
The OC for controlling the TA Elements should be constructed in the simplest possible hardware and software structure
likewise the Y-switch
The Y-switch should switch up to 20 conductors simultaneously between LI and OC The use of several Y-switches
allows the switching of arbitrary track layouts
For the scope of the planned switching (number of TA Elements) the OC or Y-switch must provide a high degree of
switching automation
The Y-switch must be able to be integrated into the existing interlocking infrastructure with minimal installation effort
The Y-switch must ensure the safe isolation of the LI and the OC system without interference
The type of construction should be so compact that installation on the cable termination frame (CTF) is possible andor
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
522 SBB CFF FFS 2018-05-27 2224
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
2 Content1 Disclaimer 1
2 Content 2
3 List of Figures 3
4 List of Tables 3
5 Glossary 3
6 Initial position 4
61 General 4
62 CP-to-L Translation and L-to-W interface electronics 4
7 Aims 4
71 General product aim OC and Y-switch 4
72 Modularization OC and Y-switch 5
73 Functional aims OC and Y-switch 5
74 Safety aims OC and Y-switch 6
75 Migration aim Y-switch 6
8 Input parameters (Inputs) 6
9 Requirements 7
10 Functional description CP-to-L Translation and L-to-W interface 7
101 Overview 7
102 Software module 8
103 L-Interface 8
104 Configuration Profile to L-interface translation 10
105 Hardware considerations 12
1051 General 12
1052 Hardware Module 12
1053 Power supply 13
1054 OC Y-switch design 14
1055 Control unit Y-switch (OC external) 15
106 Type approval process 16
11 General functional description 17
111 Operational concept 17
112 Maintenance concept 17
12 Open issues and working hypotheses 18
121 TA controllability 18
122 Y-switch general 18
123 Y-switch monitoring function (Shadow mode) 18
124 Behaviour of the LI during switchover and reset 18
125 TA modules and TA connection 19
13 Sources References 20
14 Appendix Possible approaches Y-switch and TA elements 21
15 Appendix Procedure for moving the points 21
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
222 SBB CFF FFS 2018-05-27 2224
3 List of FiguresFigure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
Figure 2 Detailed view
Figure 3 Two-way point with trafficability vectors
Figure 4 CP Example of track point P1
Figure 5 - OC Reference Model
Figure 6 Modularization for type approval
4 List of TablesTable 1 UML Terminology
Table 2 Schematic for Y-switch installation
5 Glossary
Term Abbrev Description
B-Interface Bm Interface to the existing Interlocking (LI) type m (Example m=Do 67) harr OC
ETCS
Interlocking
EI ETCS FSS based interlocking comprising the RBC Its dynamic rule based and geometric safety logic
controls all movements of the objects and all changes of the state of the trackside assets within the EIs
effective range All operational logic is moved to the higher-level systems
L-Interface L OC Internal interface between the Base Module and the TA Modules
Legacy
Interlocking
LI Legacy interlocking system (eg relay and electronic interlocking) that shall be replaced by the ETCS
Interlocking (EI)
Object
Controller
OC The Object Controller connects the ETCS Interlocking (EI) with the trackside assets (TA) by translating
CommandsMessages between ETCS Interlocking and trackside asset (eg point motor)
Trackside
Asset
TA Trackside installations such as rail points level crossing barriers signals etc
W-Interface Wnx OC Interface that connects the TA Modules (through the Y-Switch) to the Trackside Assets of type n
subtype x (eg n=barrier motor x= ASSA engine with coal 110V)
Y-Switch Technical solution that provides during the migration phase a switching mechanism to alternate the
control of trackside elements between the legacy interlocking systems (LI) and the ETCS Interlocking (EI)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
322 SBB CFF FFS 2018-05-27 2224
6 Initial position
61 General
In the safety systems area (SA or LST) the Trackside Assets (TA) make up the great bulk of the systems and theprovisioning processes They have a huge impact on availability and costs Depending on the architectural scenario30000-70000 TAs of todays 115000 will remain in the long-term target models of Railway Production 40
62 CP-to-L Translation and L-to-W interface electronics
Chapter 9 deals specifically with the topics CP-to-L Translation and (superficially) with the translation of the logical TASignals (L-interface) into the physical (eg 230V ~ power electronics for motor powering) referred to as L-to -Winterface electronics The topics in this context are
HWSW rough design of the OC base module1
Translation of the Configuration Profile2
Hardware considerations3
Y-switch and its control unit4
7 Aims
The following aims are to be addressed with the OC and the Y-switch
General product aim1
Modularization2
Functional aims3
Safety aims4
Migration aims5
71 General product aim OC and Y-switch
The purpose of the OC is to create an independent product which serves as a universal interface to the largest possible
number of TA Types (W interface) In order for larger migrations to be sensibly and economically feasible a Y-switch
must also be provided as a switching element between the old and the new world (switch-over option B and W
interface)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
422 SBB CFF FFS 2018-05-27 2224
Figure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
The OC uses TA Elements as subfunctions These together make up a logical element For example the level crossing
(BUe) consists of the subfunctions of the TA Elements motors of the barriers flashing lights etc These together form
the logical element BUe
In the ES concepts the abstract representations of TA are referred to as infrastructure objects The abstracted
representations are not to be confused with the terms TA and TA Elements which denote the physical assets
72 Modularization OC and Y-switch
The OC should have a modular design and consist of a base module TA Module and the Y-switch (possibly
implemented externally)
The aim is to achieve the greatest possible decoupling within the OC (Base Module TA Modules Y-switches) so that
the results are interfaces which are as simple and manageable as possible
The complex safety logic of the present Legacy Interlocking (LI) should be distributed among TMS ES and OC Base
Module elements and decoupled as far as possible The TA Modules should focus on pure signal processing
73 Functional aims OC and Y-switch
The OC for controlling the TA Elements should be constructed in the simplest possible hardware and software structure
likewise the Y-switch
The Y-switch should switch up to 20 conductors simultaneously between LI and OC The use of several Y-switches
allows the switching of arbitrary track layouts
For the scope of the planned switching (number of TA Elements) the OC or Y-switch must provide a high degree of
switching automation
The Y-switch must be able to be integrated into the existing interlocking infrastructure with minimal installation effort
The Y-switch must ensure the safe isolation of the LI and the OC system without interference
The type of construction should be so compact that installation on the cable termination frame (CTF) is possible andor
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
522 SBB CFF FFS 2018-05-27 2224
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
3 List of FiguresFigure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
Figure 2 Detailed view
Figure 3 Two-way point with trafficability vectors
Figure 4 CP Example of track point P1
Figure 5 - OC Reference Model
Figure 6 Modularization for type approval
4 List of TablesTable 1 UML Terminology
Table 2 Schematic for Y-switch installation
5 Glossary
Term Abbrev Description
B-Interface Bm Interface to the existing Interlocking (LI) type m (Example m=Do 67) harr OC
ETCS
Interlocking
EI ETCS FSS based interlocking comprising the RBC Its dynamic rule based and geometric safety logic
controls all movements of the objects and all changes of the state of the trackside assets within the EIs
effective range All operational logic is moved to the higher-level systems
L-Interface L OC Internal interface between the Base Module and the TA Modules
Legacy
Interlocking
LI Legacy interlocking system (eg relay and electronic interlocking) that shall be replaced by the ETCS
Interlocking (EI)
Object
Controller
OC The Object Controller connects the ETCS Interlocking (EI) with the trackside assets (TA) by translating
CommandsMessages between ETCS Interlocking and trackside asset (eg point motor)
Trackside
Asset
TA Trackside installations such as rail points level crossing barriers signals etc
W-Interface Wnx OC Interface that connects the TA Modules (through the Y-Switch) to the Trackside Assets of type n
subtype x (eg n=barrier motor x= ASSA engine with coal 110V)
Y-Switch Technical solution that provides during the migration phase a switching mechanism to alternate the
control of trackside elements between the legacy interlocking systems (LI) and the ETCS Interlocking (EI)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
322 SBB CFF FFS 2018-05-27 2224
6 Initial position
61 General
In the safety systems area (SA or LST) the Trackside Assets (TA) make up the great bulk of the systems and theprovisioning processes They have a huge impact on availability and costs Depending on the architectural scenario30000-70000 TAs of todays 115000 will remain in the long-term target models of Railway Production 40
62 CP-to-L Translation and L-to-W interface electronics
Chapter 9 deals specifically with the topics CP-to-L Translation and (superficially) with the translation of the logical TASignals (L-interface) into the physical (eg 230V ~ power electronics for motor powering) referred to as L-to -Winterface electronics The topics in this context are
HWSW rough design of the OC base module1
Translation of the Configuration Profile2
Hardware considerations3
Y-switch and its control unit4
7 Aims
The following aims are to be addressed with the OC and the Y-switch
General product aim1
Modularization2
Functional aims3
Safety aims4
Migration aims5
71 General product aim OC and Y-switch
The purpose of the OC is to create an independent product which serves as a universal interface to the largest possible
number of TA Types (W interface) In order for larger migrations to be sensibly and economically feasible a Y-switch
must also be provided as a switching element between the old and the new world (switch-over option B and W
interface)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
422 SBB CFF FFS 2018-05-27 2224
Figure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
The OC uses TA Elements as subfunctions These together make up a logical element For example the level crossing
(BUe) consists of the subfunctions of the TA Elements motors of the barriers flashing lights etc These together form
the logical element BUe
In the ES concepts the abstract representations of TA are referred to as infrastructure objects The abstracted
representations are not to be confused with the terms TA and TA Elements which denote the physical assets
72 Modularization OC and Y-switch
The OC should have a modular design and consist of a base module TA Module and the Y-switch (possibly
implemented externally)
The aim is to achieve the greatest possible decoupling within the OC (Base Module TA Modules Y-switches) so that
the results are interfaces which are as simple and manageable as possible
The complex safety logic of the present Legacy Interlocking (LI) should be distributed among TMS ES and OC Base
Module elements and decoupled as far as possible The TA Modules should focus on pure signal processing
73 Functional aims OC and Y-switch
The OC for controlling the TA Elements should be constructed in the simplest possible hardware and software structure
likewise the Y-switch
The Y-switch should switch up to 20 conductors simultaneously between LI and OC The use of several Y-switches
allows the switching of arbitrary track layouts
For the scope of the planned switching (number of TA Elements) the OC or Y-switch must provide a high degree of
switching automation
The Y-switch must be able to be integrated into the existing interlocking infrastructure with minimal installation effort
The Y-switch must ensure the safe isolation of the LI and the OC system without interference
The type of construction should be so compact that installation on the cable termination frame (CTF) is possible andor
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
522 SBB CFF FFS 2018-05-27 2224
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
6 Initial position
61 General
In the safety systems area (SA or LST) the Trackside Assets (TA) make up the great bulk of the systems and theprovisioning processes They have a huge impact on availability and costs Depending on the architectural scenario30000-70000 TAs of todays 115000 will remain in the long-term target models of Railway Production 40
62 CP-to-L Translation and L-to-W interface electronics
Chapter 9 deals specifically with the topics CP-to-L Translation and (superficially) with the translation of the logical TASignals (L-interface) into the physical (eg 230V ~ power electronics for motor powering) referred to as L-to -Winterface electronics The topics in this context are
HWSW rough design of the OC base module1
Translation of the Configuration Profile2
Hardware considerations3
Y-switch and its control unit4
7 Aims
The following aims are to be addressed with the OC and the Y-switch
General product aim1
Modularization2
Functional aims3
Safety aims4
Migration aims5
71 General product aim OC and Y-switch
The purpose of the OC is to create an independent product which serves as a universal interface to the largest possible
number of TA Types (W interface) In order for larger migrations to be sensibly and economically feasible a Y-switch
must also be provided as a switching element between the old and the new world (switch-over option B and W
interface)
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
422 SBB CFF FFS 2018-05-27 2224
Figure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
The OC uses TA Elements as subfunctions These together make up a logical element For example the level crossing
(BUe) consists of the subfunctions of the TA Elements motors of the barriers flashing lights etc These together form
the logical element BUe
In the ES concepts the abstract representations of TA are referred to as infrastructure objects The abstracted
representations are not to be confused with the terms TA and TA Elements which denote the physical assets
72 Modularization OC and Y-switch
The OC should have a modular design and consist of a base module TA Module and the Y-switch (possibly
implemented externally)
The aim is to achieve the greatest possible decoupling within the OC (Base Module TA Modules Y-switches) so that
the results are interfaces which are as simple and manageable as possible
The complex safety logic of the present Legacy Interlocking (LI) should be distributed among TMS ES and OC Base
Module elements and decoupled as far as possible The TA Modules should focus on pure signal processing
73 Functional aims OC and Y-switch
The OC for controlling the TA Elements should be constructed in the simplest possible hardware and software structure
likewise the Y-switch
The Y-switch should switch up to 20 conductors simultaneously between LI and OC The use of several Y-switches
allows the switching of arbitrary track layouts
For the scope of the planned switching (number of TA Elements) the OC or Y-switch must provide a high degree of
switching automation
The Y-switch must be able to be integrated into the existing interlocking infrastructure with minimal installation effort
The Y-switch must ensure the safe isolation of the LI and the OC system without interference
The type of construction should be so compact that installation on the cable termination frame (CTF) is possible andor
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
522 SBB CFF FFS 2018-05-27 2224
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
Figure 1 OC Reference model (Central processing unit = engl Base Module AA Modul = engl TA Module)
The OC uses TA Elements as subfunctions These together make up a logical element For example the level crossing
(BUe) consists of the subfunctions of the TA Elements motors of the barriers flashing lights etc These together form
the logical element BUe
In the ES concepts the abstract representations of TA are referred to as infrastructure objects The abstracted
representations are not to be confused with the terms TA and TA Elements which denote the physical assets
72 Modularization OC and Y-switch
The OC should have a modular design and consist of a base module TA Module and the Y-switch (possibly
implemented externally)
The aim is to achieve the greatest possible decoupling within the OC (Base Module TA Modules Y-switches) so that
the results are interfaces which are as simple and manageable as possible
The complex safety logic of the present Legacy Interlocking (LI) should be distributed among TMS ES and OC Base
Module elements and decoupled as far as possible The TA Modules should focus on pure signal processing
73 Functional aims OC and Y-switch
The OC for controlling the TA Elements should be constructed in the simplest possible hardware and software structure
likewise the Y-switch
The Y-switch should switch up to 20 conductors simultaneously between LI and OC The use of several Y-switches
allows the switching of arbitrary track layouts
For the scope of the planned switching (number of TA Elements) the OC or Y-switch must provide a high degree of
switching automation
The Y-switch must be able to be integrated into the existing interlocking infrastructure with minimal installation effort
The Y-switch must ensure the safe isolation of the LI and the OC system without interference
The type of construction should be so compact that installation on the cable termination frame (CTF) is possible andor
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
522 SBB CFF FFS 2018-05-27 2224
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
integration in the existing frames is possible
74 Safety aims OC and Y-switch
The OC respective Y-switch is installed in the preparation phase between LI and TA by means of the valid safety
process so that the previous LI and TA functionality is unchanged (= safe in terms of safety)
The OC respective Y-switch have no impact on the reliable and safe functionality of the LI and its TA
The OC respective Y-switch allows the reliable and safe operation and monitoring of the functionalities of the ES and
the switched TA
The OC respective Y-switch enables the safe switching of the connected TA Elements in the sense of safety No
unmanageable hazards are permitted to result from this
The state of the TA Elements must be known before switching through the Y-switch to ensure synchronization (EI and
LI) This is also relevant in terms of increasing security and availability by switching the Y-switch
Incorrect switching of the Y-switch must be detected by the OC
The Y-switch must be removed after the TA Elements have been migrated to the EI or the OC so that no unnecessary
components remain in the productive system (minimum principle working hypothesis)
75 Migration aim Y-switch
The Y-switch must enable a phased migration of the LI
Four phases are assumed in a first approximation
bull Phase 1 Preparation
bull Phase 2 Testing
bull Phase 3 Commissioning (Commissioning or migration)
bull Phase 4 Dismantling of the Y-switch
The OC respective Y-switch must be installed tested and approved before the actual migration phase between LI and
TA
After integrating the Y-switch into the system it must assume a previously defined switching state This must not be
changed without a switching command The switching position must be monitored safely
The Y-switch must be removed as a first priority after migration - together with the unused part of the LI - (if separate
box) or safely deactivated as a second priority If the dismantling can not take place an assessment of the
consequences must be carried out and further measures taken if required
8 Input parameters (Inputs)The following aspects are prerequisites for the successful implementation of the OC concept
Clearly defined interfaces within the OC and to the outside (ASMID and W interface) with the aim of the largest1
possible encapsulation modularization and independence
Determining the size and structure of existing plants and determining meaningful size units of the individual OC2
sections Final definition of the TA Element types which are to be supported by the OC
Advanced SAZ Lifecycle project for streamlining existing element diversity to reduce complexity and diversity3
This should reduce the scope of approval
Clearly defined procedure to incorporate the Y-switch into the existing TA cabling without errors and to ensure4
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
622 SBB CFF FFS 2018-05-27 2224
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
that no modifications can be made (intentionally or otherwise) until the track migration to the ES has been
completed
Suitable conditions regarding LI (standby mode general behaviour) and ILTIS (required functions)5
9 RequirementsThe currently valid OC requirements are to be found in the OC Requirements Catalog (Anforderungskatalog (V02))
The OC requirements relevant for this sub-concept were identified and the chapter dealing with them was added to the
requirements catalogue
In order to counteract the possibly high number of different TA Module card (map) types an attempt is made to classify
the existing TA Elements and to group them based on their basic properties
10 Functional description CP-to-L Translation and L-to-W interface
101 Overview
Figure 2 Detailed view
The concept envisages that
Each element in the Element layer (Point TDS Axle counter Level crossing ) can be seen as a compilation of1
one or more sub functions These elements are referenced as logical elements and consist of one or more sub-
functions
The following are considered as sub-functions a single point drive a barrier drive a flashing light or the reading2
of a track vacancy detector (freebusy indication)
The sub-functions access one or more TA Managers which constitute the interface to the hardware TA Module3
Each TA Manager operates a TA Module on the hardware layer and can in addition to the necessary hardware-4
specific implementation functions also contain superordinate disclosure functions for the associated hardware
module A TA Manager can be used by several sub-functions This is necessary if the associated TA Module
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
722 SBB CFF FFS 2018-05-27 2224
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
implements aggregation functions (eg fieldbus connection) or contains several independent hardware elements
(eg several point machines several IO interfaces)
Each TA Module is connected via the logic interface L with a TA Manager which maps all functions properties5
of the TA Module in the software and bundles the communication via the L-interface
102 Software module
The software in the basic module is realized on three levels
At element level an abstract logical representation is configured parameterized for each element in the TA1
This representation uses the Configuration Profile as opposed to the EI and manages the specific sub-functions
accordingly
Logical elements in the Element layer are eg level crossing point train detection etc2
Sub-functions of an TA Element are defined on the sub function layer One or more sub-functions are assigned to3
a higher-level logical element Each sub-function is assigned to one or more TA modules which are each
addressed via a TA Manager Elements of the sub-function layer are eg point drive barrier drive rotating light
The TA Manager layer represents the logical states of the TA Modules in the OC Base module It translates and4
aggregates the commands of the sub-functions to the representation in the L interface and distributes
notifications from the L interface to all assigned sub-functions It is possible to implement functions in the TA
Manager or in the TA Module This aspect is discussed in more detail in the interface L description
The combination of several sub-functions into a logical element takes place by parameterization in the OC Base
module In principle two variants are possible
Specification of the logical element in the maximum expansion stage (eg maximum number of turnout drives for1
fast turnouts maximum number of trackswarning lights for BAST) and reduction of the used elements at
configuration time
Specification of several variants of a logical element depending on the design level (eg point with one two and2
three drives)
Variant 1 means a higher initial creation effort Considering the probably simpler configuration management the easier
maintenance and the aspect of the continuous further development of the TA Elements variant 1 is nevertheless
considered to be more cost effective overall
103 L-Interface
The L-Interface plays a decisive role in the modularization of the OC On the effective path sub-function - TA Manager -
TA Module it is possible to realize the required sub-functions (the list does not claim to be exhaustive)
Control of sub-element level (eg activation of flashing light)1
Control TA module level (eg openingclosing of an IO port)2
Monitoring sub-element level (evaluation of a lamp current)3
TA module level monitoring (eg disclosure of failures at TA module level)4
It is possible to implement the 4 mentioned sub-functions in different levels (element sub-function TA Manager)
Basically three approaches are possible
Concentrating the functionality in the TA Module whereby a higher number of TA Modules and TA Managers1
must be served by the OC Base module This creates the risk of a high number of specialized TA Modules The
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
822 SBB CFF FFS 2018-05-27 2224
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
extension of the functionality is most likely coupled to a new TA Module When creating the TA Module the
greatest possible flexibility but also application-specific know-how of the TA Module manufacturer is required
Concentration of functionality in the OC Base module offers the chance to minimize the complexity of the2
hardware but requires a very narrow specification of the hardware properties As a result the field of application
of the TA Modules can be very limited which will not open the existing niche market There is a risk of having too
little flexibility in the future required functions which would require a revision of the concept
Implementation of the TA Modules as independent self-assured and application-independent IO modules with3
standardized possibly routable protocol on the data bus By using such a structure it would be possible to adapt
solutions already in the market for the OC or to use modules developed for the OC in other areas of technology
When all approaches are compared the third approach seems to be the most promising The standardized L interface
also makes it possible to integrate future new TA Modules The challenge lies in the definition of the interface L
Assignment of the TA sub-functions to logical elements
An essential point in the configuration of the OC is the binding the unambiguous assignment of the sub-functions of
TA to the logical elements in the OC Base module (and subsequently in the ES TMS) This configuration has to be
done over several layers The following list gives some clues for the safety- analysis to be done again in the OC The
effective distance from the ES to the TA sub-function is represented in the OC across the following sections
Interface A (11) Configuration Profile (1n) logical element1
Logical element (1n) sub-function2
sub-function (nm) TA Manager3
TA Manager (11) L-Adapter4
L-Adapter (1n) L-Interface5
L-Interface (11) TA Module6
TA-Module (1n) Sub-element TA7
This effective path is extremely central to safety
While in sections 1-4 the parameterization can be done in a single system from section 5 the correct configuration of
different transport planes is required This can be solved either by the correct addressing in a network structure or by
correct configuration of a communication port with dedicated cabling
The assignment of a TA module to a sub-function of the TA is clear on the TA side due to the wiring and the resulting
installation location of the TA Module The assignment on the side of the L-interface can be done in three variants
An individual logical identification is parameterized for the TA Module before use One risk associated with this is1
the increased maintenance cost since OC modules have to be individualized before installation
The TA Module is given an individual identifier via the module slot One risk associated with this is the increased2
hardware cost and the associated maintenance work
Each TA Module receives a globally unique identifier This ID already exists in the TA Module as TA Module3
signature but in this case must be correctly processed for safety reasons An advantage of this variant is the
ability to uniquely identify TA Modules over several OC periods
Common to all variants is the fact that the mapping between the logical identification and the TA sub-function must be
present in the OC base module
In addition to the TA Module signature an identification of the hardware via the installation position is also planned A
more detailed explanation needs to be defined In addition to the safety-related communication in command and
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
922 SBB CFF FFS 2018-05-27 2224
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
monitoring direction diagnostics information for commissioning and maintenance is exchanged via the connection point
L
104 Configuration Profile to L-interface translation
If trafficability vectors are requested via the configuration profile which are currently not secured it is necessary to usethe TA by means of commands to secure the requested vector
To illustrate this a currently closed left simple track point P1 which is to be set to the right (diversion) is considered inFigure 3 Figure 4 shows the corresponding configuration profile
Figure 3 Two-way point with trafficability vectors
Note For ease of reading the description and UML use abbreviated terms for commands and status feedback
Abbreviated form Precise term
Trafficability (P1-1 -gt P1-3Transition)
Field current_state of the XOR-StateSet of the TrafficabilityVectorP1-1-gt P1-3 = Transition
Capability SetSecured(P1-1-gtP1-3) RequestState of the Capability Set-Secured of the vector P1-1-gtP1-3set to requested
Capability LockSecuredState(P1-1-gtP1-3)
RequestState of the Capability LockSecured of the vector P1-1-gtP1-3 set to requested
Table 1 UML Terminology
The following graphic shows the configuration profile of point P1 The description of the configuration profile principlecan be found in the Subconcept Modes of Operation and Configuration
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1022 SBB CFF FFS 2018-05-27 2224
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
Figure 4 CP Example of track point P1
The left-hand lock on the point causes the TrafficabilityState of the Traffi-cabilityVector P1-1 -gt P1-2 and P1-2 -gt1P1-1 of the infrastructure object P1 (point) to be in the Secured stateBy using the vector P1-1-gt P1-3 Capability SetSecured the point in the TA must be changed The logical2element point makes the following changes
Trafficability state of the vector P1-1 -gt P1-2 is set to transitionaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to transitionTrafficability state of the vector P1-1 -gt P1-3 is set to transitioncUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to transitionThe track point supervision is switched off (Presentation to the TA in the UML)e
The logic element point waits until the supervision current falls below a specified threshold3Set the reference position to rightaCommand to module monitoringbCommand to module drivec
To move the point the logic module point starts the drive4Command to module drivea
The logical element point waits until the motor current rises above a de-fined threshold or the maximum tolerated5round trip time has expired
Notifications from the module to the logical point moduleaThe logical module point switches the drive off6
Command to TA module driveaThe logical module point switches the point monitoring on7
Command to TA module driveaThe logical module point waits until a supervision current is reported8
Notifications from TA module monitoring to logical track point moduleaIf the monitoring current is not reached within a set time the self-healing mechanism will take effect (Notbshown here)
The logical module point makes the following changes9
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1122 SBB CFF FFS 2018-05-27 2224
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
Trafficability state of the vector P1-1 -gt P1-2 is set to NotSecuredaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-2 -gt P1-1 to bebset to not securedTrafficability state of the vector P1-1 -gt P1-3 is set to securedcUsing the vector state dependency ruleset causes the trafficability state of the vector P1-3 -gt P1-1 to bedset to secured
If the trafficability of the now established diversion is to be used in a Traffi-cability Vector then the instance which10controls the OC must lock the se-cured vector This is analogous to how the vector was requested The Ca-pability LockSecuredState is used
Trafficability state of the vector P1-1 -gt P1-3 is set to Secured-LockedaUsing the vector state dependency ruleset causes the trafficability state of the vector P1-1 -gt P1-3 to bebset to SecuredLocked
The logical module point supervises the monitoring current and changes the Configuration Profile accordingly11
The Track point transfer procedure can be found as a UML diagram in the Appendix
105 Hardware considerations
1051 General
An OC should be able to control every possible variation and combination of the current installed TAs
The technical variability of the OC system must be compatible with the existing infrastructure This means that the
existing cable distribution infrastructure is generally adopted
Depending on the hardware configuration the OC will be assigned a determined maximum number of TA elements
One can distinguish between four different OC spaces
OC space 1 TA elements which are autonomously controlled on the line1
OC space 2 TA elements within a station An OC is sufficient for the entire station2
OC space 34 TA elements within a station Several OCs have to be in-stalled depending on the number of TA to3
be controlled
We differentiate between the following module types OC Base Module OC TA Modules OC SV and OC Y-switch
The separation into module types should allow a high degree of flexibility in design and procurement
The hardware must be based on current standards (eg 19 rack design) to provide flexibility compatibility and
interchangeability
The power electronics are realized according to the state of the technology (redundancy etc) and are not dealt with in
depth in this concept
The logical translation of the L interface to the TA signals are realized by means of a SIL4 microprocessor system
1052 Hardware Module
The TA Modules have at least the connection points L and W The connection point B with the connection to the
inventory control station can be omitted if the Y-switch does not take place in the TA module
The connection point for the power supply S can be integrated into the connection point W or else completely omitted
depending on the type of TA
Safety-related commands and notifications as well as diagnostic notifications are exchanged at connection point L
Each TA Module is provided with the information about the installation location (module space in the OC cabinet) via the
connection point L
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1222 SBB CFF FFS 2018-05-27 2224
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
The functions switching current measuring and voltage measuring are available at connection point W via a generic
interface or specialized interfaces eg drive functionality The elements are connected via an TA-type specific wiring in
order to adapt the generic interface of the TA Module to the TA type
The control is based on the logical elements that pass on the logical commands to the sub functions The function is
assigned to the associated TA Module in the sub-functions and the command is forwarded to the responsible TA
Managers The TA Manager forwards the commands via connection point L to the associated TA Modules which in turn
output the commands via the W interface (eg openingclosing a contact outputting a motor voltage)
This can be used on the OC TA Module types 2 3 4 and 5
The state of the TA Element is permanently available to the TA Module via the sensor inputs (currentvoltage) The TA
Module digitizes the measured values These are routed periodically via the L-link to the TA-Manager who in turn
passes them on to the sub-function module
The assignment of the measured value to a logical subelement takes place in the sub function module Monitoring
current of a light signal which is then evaluated in the logical element together with the state of the logic element and
the other sensor values
All logical elements of an OC are processed further in the Configuration Profile
Alternatively in addition to the periodic approach an event-based model can also be implemented in which the TA
Modules pass messages via the connection point L in the event of changes in sensor values in previously set threshold
values
In this approach the OC computing load is lower but requires consideration so that in the event of frequently occurring
messages the time requirements for the processing can still be meet Both methods can be applied to the OC TA
Module types 1 3 and 5
1053 Power supply
Figure 5 below shows a more refined section of the OC reference model In particular the connection of the powersupply is shown in more detail
Figure 5 - OC Reference Model
The power supply S is divided into the partial supplies S for the logic part and the partial supply SAA for the TA The
necessary availability on the S interface can be achieved by standard cabinet power supplies
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1322 SBB CFF FFS 2018-05-27 2224
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
On the interface SAA the supply voltages must be provided according to the TA Elements As well as the usual
220V380V this also includes all other voltages that are necessary for the connection of the TA and at least
24V DC1
48V DC2
50V to 73V AC3
60V DC4
90V DC5
Even though the 220V380V in the public Swiss grid has been increased to 230V400V in the meantime the power
supply to the signal boxes is always provided by the companys own power supplies with emergency generators which
can draw the energy from the public grid but they require a voltage level to be locally created or adapted
These voltages can be generated by the redundant OC power supply feeders
Redundancy can be ensured here by several inverterrectifiers connected in parallel in the central power supply of the
system
If new 230400V should be installed instead of 220V380V the insulation coordination is considerably more expensive if
the tolerance of the 230V supply is not within 5 An alignment to 230400V should not be excluded because of the
future direction of the market
The lamp circuits are defined by the current The available voltage levels are normally only one starting point The
reason for this lies in the direct dependence on light and electricity which is relevant for the detection of locomotive
drivers The voltage levels are varied for different daynight illumination at 2 different levels
1054 OC Y-switch design
In the case of the OC TA Module shown in Figure 1 the TA is switched between the legacy interlocking and the OC in
the OC TA Module In this chapter this is compared with the alternative of a generic external Y-switch independent
from the OC
The Y switchover is to ensure the secure one-to-one assignment of the TA Elements to the LI or the EI The following
features should be considered
Secure assignment All external elements should be safely and reliably assigned to the LI or the ES1
Interference-free The Y-switch should ensure the safe and reliable disconnection of the inactive signal box2
Remote Control The switching should be able to be remote controlled and automated3
Remote monitoring The status of the Y-switch should be able to be remotely controllable4
The safe failure direction is to be determined from the following selection In case of failure the following fail-safe5
states are possible A decision which state shall be realized is still required
All connections are disconnecteda
The current connection will be retainedb
The connection will be assigned to the EIc
The connection will be assigned to the ILd
The behaviour is still to be determined Due to the different states a bi-stable device should be used that will6
switch back to the LI prior to migration and switch to the EI after migration The first priority is to look at the LI
The proposed variant is therefore option 2
Electric strength The electric strength between the connected and non-connected equipment should be7
determined based on current and future requirements This requirement needs further detailing
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1422 SBB CFF FFS 2018-05-27 2224
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
Conductivity The Y-switch including wiring should not exceed a total resistance of 1Ohm8
Usability The Y-switch should be universally applicable for all existing elements of the TA9
Recoverability After conversion it should be possible to simply remove the Y-switch from the existing cabling10
Alternatively the plan could also be to maintain the Y-switch to reuse it in future redevelopment
1055 Control unit Y-switch (OC external)
In the present Y-switch schematics an OC TA module is intended as a controlling element of the Y-switch The
following considerations should be further explored before implementing this concept
Aspect Integrated in the TA module External to the TA Modules
eg on the cable end frame
Number of OC
TA Module
versions
The OC TA Modules contain additional functionality
and must be developedmanufactured in at least
two versions
Two devices will be developed
manufactured
The devices for the Y-switching are
only needed during the
conversiontest phase
Built-in volumes The required volume of the OC switch cabinet (and
the OC TA Modules) must be designed in such a
way that it accommodates the OC as well as the Y
switchover Reducing the cabinet volume after
removing the Y-switch is unrealistic
Both the volume of the OC cabinet
and the available space at the CTF
are to be considered The Y-switch
and the control device of the Y-
switch are dismantled after
migration
Early
reconstruction
measures
In order to prepare the interlocking for test
operation the cabling is converted from the CTF to
the OC before the OC has been
implementedapproved An intermediate bridging
switching must be provided here
The Y-switch can be realized and
tested when detached from the OC
If the period between installation
and test mode is very long it may
be necessary to test the Y-switch in
the interim
Exchange OC
TA Modules
If an OC TA Module is replaced the reliable
operation of the LI can not be guaranteed because
the signals are routed via the OC TA Module
The OC system does not
interference with the LI due to the
external Y-switch Necessary
construction measures can be
carried out without affecting the LI
Approval of the
Y-switch
The approval can only be done in combination with
OC central and EI
The approval for the Y-switch can
be done independent of the OC and
EI
Table 2 Schematic for Y-switch installation
From the current perspective implementation externally to the TA modules is preferred The decisive factor here is
above all the possibility of installing and timing the installation of the Y-switch independently of the OC
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1522 SBB CFF FFS 2018-05-27 2224
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
106 Type approval process
The type approval process should be modularized as in the figure below
Figure 6 Modularization for type approval
The effective distance in the command direction in the OC extends from attachment point A to attachment point W and
then into the TA The opposite way results in reporting direction In order to be able to modularize the type approval the
OC internal connection point L is specified and revealed
The following safety cases are created for type approval
Element approvals
SC of the OC Base Module at the A-L points of attachment
SC of the OC TA Module type 1-5 at the L-W points of attachment
Partial integration
Integration and SC OC Base Module with all OC TA Module
Integration and SC OC TA Module type X with all TA types TAXY
Total integration
Whole effective distance Integration and SC OC Base Module OC TA Module Type X - TAn Type TAxy
The OC Base Module as well as the OC TA Modules Type 1-5 can be provided by different manufacturers
The functionality of the OC TA Modules as well as the OC Base Module can be shown in the laboratory via automated
test facilities
The automated test facilities can support the approval in order to subsequently allow OC TA Modules of the same type
from different manufacturers
The total integration of the entire effective distance including all possible configurations can be carried out centrally or
clearly divided among several manufacturers This process is also kept open by standardized test environments and
test kits that are used on all sides so that if one manufacturer fails the service can be taken over by another
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1622 SBB CFF FFS 2018-05-27 2224
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
manufacturer
11 General functional description
111 Operational concept
The general aspects regarding the operating concept can be found in the superordinate OC Concept Umbrella
Document
From todays point of view OCs intended manually triggerable self-healing aspects in particular have to be agreed
with the operations The current view is these are the only interactions that are initiated directly by the railway
operations (ZVL) at the OC (via TMS-L -gt ES) The assessment is carried out in a later phase
Our current point of view is the following aspects have to be agreed with the technical operation
Regular OC operation (Base Module TA Module) with respect to the usual aspects (FCAPS)1
Fault Management trouble shooting bug fixing workarounds etca
Configuration Management Configure Base Modules and TA Modules Import New SW Releasesb
Backup Restore etc
Accounting Management Access and modification permissions on PC systems user managementc
Performance Management Observation analysis and optimization of the system etcd
Security ManagementeExceptional operation of the OC and Y-switch during the preparation and commissioning phases2
Necessary knowledge for preparation phase (Y-switch without OC etc)a
Operation of the Y-switch along the lines of regular OC operation (FCAPS aspects)b
Operating knowledge for Y-switchesc
To what extent and in which period of time the exceptional technical operation of the OC and in particular of the Y-
switch should be a project organization matter is still to be decided This is to be considered at a later stage
If the exceptional technical operation is assigned to project organization the minimum training for the technical operator
(OCT) shall be provided
112 Maintenance concept
The general aspects regarding the maintenance concept can be found in the superordinate OC Concept Umbrella
Document
The current point of view is that maintenance and servicing aspects (corrective and preventive) are similar to those for
the technical operation which must be defined and agreed upon
OC operation Exceptional and regular operating phase1
Y-switch Exceptional operational phase2
To what extent the exceptional maintenance of the Y-switch should be a project organization matter is still to be
decided This is to be considered at a later stage
If the maintenance is allocated to project organization in the exceptional operating phase a minimum amount of training
is required for maintenance
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1722 SBB CFF FFS 2018-05-27 2224
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
12 Open issues and working hypotheses
121 TA controllability
It is assumed that the TA switchovers are basically controllable ie a safe (-gt safety) and consistent state (eg switch
position) can be determined and the TA activation basically works analogously to the LI
122 Y-switch general
Whether the Y-switch is an integral part of the OC or realized as a separate box has not yet been completely clarified
according to the current version of the part-concept In an external implementation further considerations must be
made eg how the OC can operate the Y-switch (-gt via connection to channel of the TA modules) Current working
hypothesis is an implementation as an external box so that it can be disassembled
A future use of the Y-switch for a migration to an ES Next Generation is therefore not considered as an TA element
interface standardization in terms of renewal is considered more meaningful This new interface definition makes
sense integrally with migration aspects thus making a Y-switch obsolete
The Y-switch is not simultaneously connected to a central controller (presumably OC) once it has been installed into the
existing system
Since the Y-switch is installed as the first element in the existing system it must be assumed that its switching control
unit - presumably the OC - is not yet available at this time This means that the Y-switch must assume a secure one-
to-one and as far as possible unmanipulatable basic position for this case This situation needs to be expanded on In
the current subproject creation as a working hypotheses it is assumed that this does not represent a problem or is
solvable
123 Y-switch monitoring function (Shadow mode)
It is assumed that a listening function will only be realized if
Monitoring can be realized (is not possible with external or internal Y switch without disproportionate effort)1
Monitoring can be realized without interference (approval can be obtained)2
The monitored data (sensor values actuator control commands and feed-back messages) can be used profitably3
during the simulations and migration phase
124 Behaviour of the LI during switchover and reset
A double switching of both the TA and the LI indoor unit by the Y-switch in order to emulate a given TA state to the LI
unit (principle of a service replacement plug) is not currently being considered The reason for this is that the Y-switch
would be much more complex and the appropriate positioning on the route TA - LI system more difficult since TA and
LI must be considered
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1822 SBB CFF FFS 2018-05-27 2224
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
125 TA modules and TA connection
Presently as a current working hypothesis it is assumed that TA modules are realized with high packing density that is
to say that for certain module functions specialized card types are developed which offer n-m channels of the same
type However this would mean that a TA module can affect failure up to n-m TA The acceptance of this behaviour has
to be determined
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
1922 SBB CFF FFS 2018-05-27 2224
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
13 Sources References
Document
OC Concept Umbrella Document
Subconcept OC TOPO
Subconcept Interlocking Switchover
Subconcept Transfer System
Subconcept Transfer System Connector
Subconcept Transfer System Module
Subconcept Configuration Profile Synchronization
Subconcept Modes of Operation and Configuration
Subconcept CP-to-L Translation
Subconcept Clear Track Signalling Installation
Subconcept Block
Subconcept Level Crossing
Subconcept Point Controller
Subconcept Signal Controller
Transitions under EI
Subconcept M-D-I-Interface
OCs in ELEKTRA_SimisW
Monitoring Concept
Subconcept - SBB W Interface OC-TA
Anforderungskatalog (V02)
OC_Hazardsxlsx
M5 Migrationsprinzip und Uumlbergaumlnge
M6 Bauverfahren Gebaumlude Uumlberlagerung
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2022 SBB CFF FFS 2018-05-27 2224
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
14 Appendix Possible approaches Y-switch and TA elements
15 Appendix Procedure for moving the points
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2122 SBB CFF FFS 2018-05-27 2224
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-
ES Object Controller
Subconcept CP-to-L Translation (rev 76432)
2222 SBB CFF FFS 2018-05-27 2224
- 1 Disclaimer
- 2 Content
- 3 List of Figures
- 4 List of Tables
- 5 Glossary
- 6 Initial position
-
- 61 General
- 62 CP-to-L Translation and L-to-W interface electronics
-
- 7 Aims
-
- 71 General product aim OC and Y-switch
- 72 Modularization OC and Y-switch
- 73 Functional aims OC and Y-switch
- 74 Safety aims OC and Y-switch
- 75 Migration aim Y-switch
-
- 8 Input parameters (Inputs)
- 9 Requirements
- 10 Functional description CP-to-L Translation and L-to-W interface
-
- 101 Overview
- 102 Software module
- 103 L-Interface
- 104 Configuration Profile to L-interface translation
- 105 Hardware considerations
-
- 1051 General
- 1052 Hardware Module
- 1053 Power supply
- 1054 OC Y-switch design
- 1055 Control unit Y-switch (OC external)
-
- 106 Type approval process
-
- 11 General functional description
-
- 111 Operational concept
- 112 Maintenance concept
-
- 12 Open issues and working hypotheses
-
- 121 TA controllability
- 122 Y-switch general
- 123 Y-switch monitoring function (Shadow mode)
- 124 Behaviour of the LI during switchover and reset
- 125 TA modules and TA connection
-
- 13 Sources References
- 14 Appendix Possible approaches Y-switch and TA elements
- 15 Appendix Procedure for moving the points
-