prEN 50159
Railway Applications - Communication, signalling and processing systems - Safety-related communication in transmission systems

This document is applicable to safety-related electronic systems using for digital communication purposes a transmission system which was not necessarily designed for safety-related applications. For transmission systems where the risk of unauthorized access is not tolerable, the document defines the interface to the applicable cybersecurity standards. Both safety-related equipment and non-safety-related equipment can be connected to the transmission system. This document gives the specific requirements needed to achieve safety-related communication between safety-related equipment connected to the transmission system, while the general system requirements including allocation of safety requirements and content of the safety case are defined in EN 50129. This document is not applicable to existing systems, which had already been accepted prior to the release of this document. However, so far as reasonably practicable, it is applicable to modifications and extensions to existing systems, subsystems and equipment.
This document does not specify
– the transmission system,
– equipment connected to the transmission system,
– solutions (e.g. for interoperability),
– which kind of data are safety-related and which are not.
Safety-related equipment connected through an open transmission system can be subjected to many different IT security threats, against which an overall program is defined, encompassing management, technical and operational aspects.
SLOVENIAN STANDARD
01-March-2025
Railway Applications - Communication, signalling and processing systems - Safety-related communication in transmission systems
This Slovenian standard is identical to: prEN 50159
ICS:
35.240.60 IT applications in transport
45.020 Railway engineering in general
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD DRAFT
January 2025
ICS 35.240.60; 45.020
Will supersede EN 50159:2010; EN 50159:2010/A1:2020
English Version
Railway Applications - Communication, signalling and processing systems - Safety-related communication in transmission systems
This draft European Standard is submitted to CENELEC members for enquiry. Deadline for CENELEC: 2025-04-11.
It has been drawn up by CLC/SC 9XA.
If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
This draft European Standard was established by CENELEC in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2025 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Project: 79342 Ref. No. prEN 50159 E
Contents
European foreword (p. 3)
Introduction (p. 4)
1 Scope (p. 5)
2 Normative references (p. 5)
3 Terms, definitions and abbreviations (p. 5)
3.1 Terms and definitions (p. 5)
3.2 Abbreviations (p. 15)
4 Reference architecture (p. 16)
5 Hazards arising from the transmission system (p. 17)
6 Classification of transmission systems (p. 19)
6.1 General (p. 19)
6.2 General aspects of classification (p. 19)
6.3 Specific aspects for the classification of transmission systems (p. 19)
6.4 Relationship between transmission systems and the basic message errors (p. 21)
7 Requirements for safety defences (p. 21)
7.1 Preface (p. 21)
7.2 General requirements (p. 22)
7.3 Specific defences (p. 23)
7.4 Applicability of defences (p. 29)
Annex A (informative) Hazards arising from open transmission systems (p. 30)
A.1 System view (p. 30)
A.2 Derivation of the basic message errors (p. 31)
A.3 Network failure modes (p. 32)
A.4 A possible approach for hazard identification (p. 33)
A.5 Conclusions (p. 37)
Annex B (informative) Categories of transmission systems (p. 39)
B.1 Categories of transmission systems (p. 39)
B.2 Relationship between the category of transmission systems and basic message errors (p. 39)
Annex C (informative) Guideline for defences (p. 41)
C.1 Applications of time stamps (p. 41)
C.2 Choice and use of safety codes and cryptographic algorithms (p. 42)
C.3 Safety code (p. 47)
C.4 Length of safety code (p. 49)
C.5 Communication between safety-related and non safety-related applications (p. 52)
Bibliography (p. 54)
European foreword
This document [prEN 50159:2025] has been prepared by CLC/SC 9XA “Communication, signalling and processing systems”.
This document is currently submitted to the Enquiry.
The following dates are proposed:
• latest date by which the existence of this document has to be announced at national level (doa): dav + 6 months
• latest date by which this document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): dav + 12 months
• latest date by which the national standards conflicting with this document have to be withdrawn (dow): dav + 36 months (to be confirmed or modified when voting)
This document will supersede EN 50159:2010 and all of its amendments and corrigenda (if any).
prEN 50159:2025 includes the following significant technical changes with respect to EN 50159:2010:
Introduction
If a safety-related electronic system involves communication of information, the transmission system then forms an integral part of the safety-related system, and it is understood that the end to end communication is safe in accordance with EN 50129.
The transmission system considered in this document, which serves the transfer of information between different locations, has in general no particular preconditions to satisfy. It is from the safety point of view not trusted, or not fully trusted.
The document is dedicated to the requirements to be taken into account for the communication of safety-related information over such transmission systems.
Although the RAM aspects are not considered in this document, it is recommended to keep in mind that they are a major aspect of the operational safety.
The safety requirements depend on the characteristics of the transmission system. In order to reduce the complexity of the approach to demonstrate the safety of the system, transmission systems have been classified into three categories:
– Category 1: transmission systems are closed,
– Category 2 and Category 3: transmission systems are open.
Application messages using Category 3 transmission systems need protection against unauthorised access. The specific cybersecurity requirements for Category 3 transmission systems are out of the scope of this document. For such systems, cybersecurity standards are applicable.
1 Scope
This document is applicable to safety-related electronic systems using for digital communication purposes a transmission system which was not necessarily designed for safety-related applications. For transmission systems where the risk of unauthorized access is not tolerable, the document defines the interface to the applicable cybersecurity standards.
Both safety-related equipment and non-safety-related equipment can be connected to the transmission system.
This document gives the specific requirements needed to achieve safety-related communication between safety-related equipment connected to the transmission system, while the general system requirements including allocation of safety requirements and content of the safety case are defined in EN 50129.
This document is not applicable to existing systems, which had already been accepted prior to the release of this document. However, so far as reasonably practicable, it is applicable to modifications and extensions to existing systems, subsystems and equipment.
This document does not specify
– the transmission system,
– equipment connected to the transmission system,
– solutions (e.g. for interoperability),
– which kind of data are safety-related and which are not.
Safety-related equipment connected through an open transmission system can be subjected to many different IT security threats, against which an overall program is defined, encompassing management, technical and operational aspects.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
EN 50129:2018, Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling (as impacted by EN 50129:2018/AC:2019-04)
CLC/TS 50701:2023, Railway applications – Cybersecurity
IEC 63452, Rail applications – Cybersecurity (under preparation)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org
3.1.1
absolute time stamp
time stamp referenced to a global time which is common for a group of entities using a transmission system
[SOURCE: IEV 821-11-01]
3.1.2
access control
protection of system resources against unauthorized access
Note 1 to entry: In this document, this definition applies only to data transmission.
[SOURCE: CLC/TS 50701:2023, modified — Note 1 to entry added]
3.1.3
additional data
data which is not of any use to the ultimate user processes, but is used for control, availability, and safety purposes
[SOURCE: IEV 821-11-03]
3.1.4
attack
attempt to gain access to an information processing system in order to produce damage
Note 1 to entry: The damage can be e.g. destruction, disclosure, alteration, disruption, unauthorized use.
Note 2 to entry: In this document, this definition applies only to data transmission.
[SOURCE: CLC/TS 50701:2023, modified — Note 2 to entry added]
3.1.5
authentic message
message in which information is known to have originated from the stated source
[SOURCE: IEV 821-11-04]
3.1.6
authenticity
state in which information is known to have originated from the stated source
[SOURCE: IEV 821-11-05]
3.1.7
closed transmission system
fixed number or fixed maximum number of participants linked by a transmission system with well-known and fixed properties, and where the risk of unauthorised access is negligible
[SOURCE: IEV 821-11-06]
3.1.8
communication
information transfer according to agreed conventions
[SOURCE: IEV 701-01-04]
3.1.9
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: CLC/TS 50701:2023]
3.1.10
corrupted message
type of message error in which a data corruption occurs
[SOURCE: IEV 821-11-08]
3.1.11
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken
[SOURCE: CLC/TS 50701:2023]
3.1.12
cryptographic algorithm
algorithm based on the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms
[SOURCE: IEC 62443-1-1]
3.1.13
cybersecurity
set of activities and measures taken with the objective to identify, protect, detect, respond, and recover to unauthorised access or cyberattack which could lead to an accident, an unsafe situation, or railway application performance degradation
Note 1 to entry: It is recognized that the term “cybersecurity” has a broader meaning in other standards and guidance, often including non-malevolent threats, human errors, and protection against natural disasters. Those aspects, except human errors degrading security countermeasures, are not included in this document.
[SOURCE: CLC/TS 50701:2023]
3.1.14
cyclic redundancy check
cyclic code, used to protect messages from the influence of data corruption
[SOURCE: IEV 821-11-10]
3.1.15
data
part of a message which represents some information (see also user data, additional data, redundant data)
[SOURCE: IEV 821-11-11]
3.1.16
data corruption
alteration of data
[SOURCE: IEV 821-11-13]
3.1.17
defence
measure incorporated in the design of a safety-related communication system to counter particular hazards
[SOURCE: IEV 821-11-14]
3.1.18
delayed message
type of message error in which a message is received at a time later than intended
[SOURCE: IEV 821-11-15]
3.1.19
deleted message
type of message error in which a message is removed from the message stream
[SOURCE: IEV 821-11-16]
3.1.20
double time stamp
case when two entities exchange and compare their time stamps. In this case the time stamps in the entities are independent of each other
[SOURCE: IEV 821-11-17]
3.1.21
encryption
transformation of data in order to hide their semantic content using cryptography
Note 1 to entry: The reverse process is called decryption.
Note 2 to entry: In the former version of this document the term “enciphering” was used.
[SOURCE: IEC 60050-171:2019, 171-08-09, modified — Note 2 to entry added]
3.1.22
error
discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition
Note 1 to entry: An error can be caused by a faulty item, e.g. a computing error made by faulty computer equipment.
Note 2 to entry: A human error can be seen as a human action or inaction that can produce an unintended result.
[SOURCE: EN 50129:2018]
3.1.23
failure
loss of ability to perform as required
Note 1 to entry: Qualifiers, such as catastrophic, critical, major, minor, marginal and insignificant, may be used to categorize failures according to the severity of consequences, the choice and definitions of severity criteria depending upon the field of application.
Note 2 to entry: Qualifiers, such as misuse, mishandling and weakness, may be used to categorize failures according to the cause of failure.
Note 3 to entry: “Failure” is an event, as distinguished from “fault”, which is a state.
[SOURCE: EN 50129:2018]
3.1.24
fault
abnormal condition that could lead to an error in a system
Note 1 to entry: A fault can be random or systematic.
[SOURCE: EN 50129:2018]
3.1.25
feedback message
response from a receiver to the sender, via a return channel
[SOURCE: IEV 821-11-21]
3.1.26
hazard
condition that can lead to an accident
[SOURCE: EN 50129:2018]
3.1.27
hazard analysis
process of identifying hazards and analysing their causes, and the derivation of requirements to limit the likelihood and consequences of hazards to an acceptable level
[SOURCE: EN 50129:2018]
3.1.28
hazardous event
event that can cause harm
Note 1 to entry: A hazardous event can occur over a short period of time or over an extended period of time.
[SOURCE: IEV 903-01-04]
3.1.29
implicit data
additional data that is not transmitted but is known to the sender and receiver
[SOURCE: IEV 821-11-12]
3.1.30
information
knowledge concerning objects, such as facts, events, things, processes, or ideas (including concepts) that, within a certain context, has a particular meaning
Note 1 to entry: Information can be represented for example by signs, symbols, pictures or sounds.
[SOURCE: IEV 171-01-01]
3.1.31
inserted message
type of message error in which an additional message is implanted in the message stream
[SOURCE: IEV 821-11-25]
3.1.32
integrity
state in which information is complete and not altered
[SOURCE: IEV 821-11-26]
3.1.33
manipulation detection code
function of the whole message without secret key
Note 1 to entry: In contrast to a MAC there is no secret key involved. By the whole message is meant also any implicit data of the message which is not sent to the transmission system. The MDC is often based on a hash function.
[SOURCE: IEV 821-11-27]
3.1.34
masqueraded message
type of inserted message in which a non-authentic message is intentionally designed to appear to be authentic
[SOURCE: IEV 821-11-28]
3.1.35
message
information which is transmitted in one or several packets from a sender to one or more receivers
[SOURCE: IEV 821-11-29]
3.1.36
message authentication code
cryptographic function of the whole message and a secret or public key
Note 1 to entry: By the whole message is meant also any implicit data of the message which is not sent to the transmission system.
[SOURCE: IEV 821-11-30]
3.1.37
message encryption
transformation of bits by using a cryptographic technique within a message, in accordance with an algorithm controlled by keys, to render casual reading of data more difficult
Note 1 to entry: Message encryption does not provide protection against data corruption.
Note 2 to entry: The original definition was for “message enciphering”. However, in this document, encryption is more common.
[SOURCE: IEV 821-11-31, modified — Note 2 to entry added]
3.1.38
message errors
set of all possible message failure modes which can lead to potentially dangerous situations, or to reduction in system availability
Note 1 to entry: There can be a number of causes of each type of error.
[SOURCE: IEV 821-11-32]
3.1.39
message integrity
message in which information is complete and not altered
[SOURCE: IEV 821-11-33]
3.1.40
message stream
ordered set of messages
[SOURCE: IEV 821-11-34]
3.1.41
negligible risk
risk which is so low that it is not reasonable to implement additional measures
Note 1 to entry: For negligible risks, no further requirements need to be specified. Negligible risks are considered as insignificant and adequately controlled.
3.1.42
open transmission system
transmission system with an unknown number of participants, having unknown, variable and non-trusted properties, used for unknown telecommunication services and having the potential for unauthorised access
[SOURCE: IEV 821-11-36]
3.1.43
random failure
failure that occurs randomly in time
[SOURCE: IEV 821-11-38]
3.1.44
redundancy check
type of check that a predefined relationship exists between redundant data and user data within a message, to prove message integrity
[SOURCE: IEV 821-11-39]
3.1.45
redundant data
additional data, derived, by a safety-related transmission function, from the user data
[SOURCE: IEV 821-11-40]
3.1.46
relative time stamp
time stamp referenced to the local clock of an entity. In general there is no relationship to clocks of other entities
[SOURCE: IEV 821-11-41]
3.1.47
repeated message
type of message error in which a single message is received more than once
[SOURCE: IEV 821-11-42]
3.1.48
re-sequenced message
type of message error in which the order of messages in the message stream is changed
[SOURCE: IEV 821-11-43]
3.1.49
safe fall back state
safe state of a safety-related equipment or system as a deviation from the fault-free state and as a result of a safety reaction leading to a reduced functionality of safety-related functions, possibly also of non safety-related functions
[SOURCE: IEV 821-11-44]
363 safety
364 freedom from unacceptable levels of risk
365 [SOURCE: EN 50129:2018]
366 3.1.51
367 safety case
368 documented demonstration that the product complies with the specified safety requirements
369 [SOURCE: EN 50129:2018]
370 3.1.52
371 safety code
372 redundant data included in a safety-related message to permit data corruptions to be detected by the safety-
373 related transmission function
374 Note to entry: Also, codes based on cryptographic algorithms may be used as safety codes such as hash block codes or
375 MAC with fixed keys. For such “keyless” or “fixed key” cryptographic safety codes the same requirements apply.
376 [SOURCE: IEV 821-11-45] adapted
377 3.1.53
378 safety integrity level
379 one of a number of defined discrete levels for specifying the safety integrity requirements of safety-related
380 functions to be allocated to the safety-related systems
381 [SOURCE: EN 50129:2018]
382 3.1.54
383 safety reaction
384 safety-related protection taken by the safety process in response to an event (such as a failure of the
385 transmission system), which may lead to a safe fall back state of the equipment
386 [SOURCE: IEV 821-11-47]
387 3.1.55
388 safety-related
389 carries responsibility for safety
390 Note 1 to entry: A function, component, product, system, or procedure is called safety-related if at least one of its
391 properties is used in the safety argument for the system in which it is applied. These properties can be of functional or
392 non-functional nature.
393 [SOURCE: EN 50129:2018]
394 3.1.56
395 safety-related transmission function
396 function incorporated in the safety-related equipment to ensure authenticity, integrity, timeliness and sequence
397 of data
398 3.1.57
399 sequence number
400 additional data field containing a number that changes in a predefined way from message to message
401 [SOURCE: IEV 821-11-48]
402 3.1.58
403 source and destination identifier
404 identifier which is assigned to each entity. This identifier can be a name, number or arbitrary bit pattern. This
405 identifier will be used for the safety-related communication. Usually the identifier is added to the user data
406 [SOURCE: IEV 821-11-49]
407 3.1.59
408 systematic failure
409 failure that occurs repeatedly under some particular combination of inputs, or under some particular
410 environmental condition
411 [SOURCE: IEV 821-11-50]
412 3.1.60
413 threat
414
415 circumstance or event with the potential to adversely affect operations (including mission, functions, image or
416 reputation), assets, control systems or individuals via unauthorized access, destruction, disclosure,
417 modification of data and/or denial of service
418 Note to entry: In this document, this definition applies only to data transmission.
419 [SOURCE: CLC/TS 50701:2023, modified — Note 1 to entry added]
420 3.1.61
421 time stamp
422 representation of information concerning time of transmission attached to a message by the sender
423 [SOURCE: IEV 821-11-52]
424 3.1.62
425 timeliness
426 state in which information is available at the right time according to requirements
427 [SOURCE: IEV 821-11-53]
428 3.1.63
429 tolerable risk
430 risk which is accepted in a given context based on the current values of society
431 Note to entry: The terms “acceptable risk” and “tolerable risk” are considered to be synonymous.
432 [SOURCE: IEV 903-01-12]
433 3.1.64
434 transmission code
435 redundant representation of information, added to the safety and non safety message of the transmission
436 system in order to ensure the integrity of the message during transmission
437 [SOURCE: IEV 821-11-54]
438 3.1.65
439 transmission system
440
441 service used by the application to communicate message streams between a number of participants, who
442 may be sources or sinks of information
443 [SOURCE: IEV 821-11-55]
444 3.1.66
445 trusted
446 which has properties used as evidence to support the safety demonstration
447 3.1.67
448 unauthorised access
449 situation in which user information or information within the transmission system is accessed and/or changed
450 by unauthorised persons
451 [SOURCE: IEV 821-11-56]
452 3.1.68
453 user data
454 data which represents the states or events of a user process, without any additional data
455 Note 1 to entry: In case of communication between safety-related equipment, the user data contains safety-related data.
456 [SOURCE: IEV 821-11-57]
457 3.1.69
458 valid message
459 message whose form meets in all respects the specified user requirements
460 [SOURCE: IEV 821-11-58]
461 3.1.70
462 validity
463 state of meeting in all respects the specified user requirements
464 [SOURCE: IEV 821-11-59]
3.2 Abbreviations
For the purpose of this document, the following abbreviations apply.
BCH Bose, Ray-Chaudhuri, Hocquenghem Code
B.M.E. Basic Message Errors
BSC Binary Symmetric Channel
CAN Controller Area Network
CRC Cyclic Redundancy Check
EC European Community
EMI Electromagnetic Interference
FEC Forward Error Correction
GPRS General Packet Radio Service
GSM-R Global System for Mobile communication – Railways
H.E. Hazardous Events
HW Hardware
IT Information Technology
LAN Local Area Network
MAC Message Authentication Code
MDC Manipulation Detection Code
MD4, MD5 Message Digest algorithms
M.H. Main Hazard
MTBF Mean Time Between Failures
MVB Multi-purpose Vehicle Bus
PROFIBUS Process Field Bus
QSC q-nary Symmetric Channel
RAMS Reliability, Availability, Maintainability and Safety
SIL Safety Integrity Level
SR Security Requirement
SRS Safety Requirements Specification
SW Software
TS Technical Specification
TX Transmission
UTC Universal Coordinated Time
WAN Wide Area Network
Wi-Fi Wireless Fidelity
467 4 Reference architecture
468 This document defines the safety requirements for the safe communication between safety-related equipment
469 via a transmission system, which can either be closed or open. Both, safety-related and non safety-related
470 equipment can be connected to the transmission system. This clause describes possible configurations of the
471 safety-related communication in transmission systems including the definition of involved functional blocks.
472 Particular requirements to be fulfilled by these blocks are specified in further clauses.
473 A combined view of the principal architecture is shown in Figure 1, where all communication elements are
474 linked according to the information flow to exchange safety-related information between safety-related
475 equipment (A and B in Figure 1). The reference architecture also shows another information exchange (safety
476 or non-safety-related, represented by C that may communicate with any other application X, possibly also A or
477 B) which is not always present. Typical use cases could be for diagnostic messages routed to a maintenance
478 centre, lower integrity messages of other applications or even messages with the same integrity, but for other
479 applications.
480 As a concrete example the train-borne part of an automated train control system may be considered, where all
481 components are connected by the same train bus as a transmission system. The messages exchanged may
482 be train control data (usually SIL 4), automated train operation data (often SIL 2), juridical recording data (for
483 example basic integrity) and diagnostic data (non safety-related).
484 Besides the source and destination of safety-related communication the reference architecture deals with a
485 safety-related communication system, which can be divided into
486 — safety-related transmission functions incorporated in the safety-related equipment. These functions
487 ensure authenticity, integrity, timeliness and sequence of data,
488 — safety-related access control functions which protect the safety-related message. These can either be
489 realized by incorporating them in the safety-related equipment or having them outside of the safety-
490 related equipment but checked by safety techniques. These techniques protect the safety-related
491 message in a Category 3 transmission system and are not needed in the case of a Category 1 or 2
492 transmission system,
493 — a non safety-related, open or closed transmission system which may itself include transmission protection
494 functions and/or access control functions.
The characteristics of closed transmission systems (Category 1) are as follows:
— the number of pieces of connectable equipment – either safety-related or not – to the transmission system is known and fixed;
— the risk of unauthorized access is negligible;
— the physical characteristics of the transmission system (e.g. transmission media, environment according to design hypothesis, etc.) are fixed and unchanged during the life cycle of the system.
The open transmission system (Category 2 and/or 3) can contain some or all of the following:
— elements which read, store, process or re-transmit data produced and presented by users of the transmission system in accordance with a program not known to the user. The number of users is generally unknown, and safety-related and non safety-related equipment, and equipment which is not related to railway applications, can be connected to the open transmission system;
— transmission media of any type with transmission characteristics and susceptibility to external influences, which are unknown to the user;
— network control and management systems capable of routing (and dynamically re-routing) messages via any path made up from one or more than one type of transmission media between the ends of the open transmission system, in accordance with a program not known to the user;
— other users of the transmission system, not known to the safety-related application designer, sending unknown amounts of information, in unknown formats.
The difference between Category 2 and Category 3 is that in Category 2 the risk of unauthorized access is negligible, while the open transmission system of Category 3 is subject to unauthorised access to the transmission system for malicious purposes.
Figure 1 — Reference architecture for safety-related communication
The reference architecture is not intended to restrict implementations; different structures are possible, see examples in the informative Annex C and in particular Clause C.5 for communication between safety and non safety-related messages.
5 Hazards arising from the transmission system
The main hazard to safety-related communication is the failure to obtain a valid message in terms of authenticity, integrity, sequence and timeliness at the receiving end. This document considers basic message errors impacting these message properties arising from the transmission system. EN 50129 shall be followed in relation to hazards to the safety-related equipment.
However, meeting the requirements of this document does not give protection against intentional or unintentional misuse coming from authorized sources. It is necessary for the safety case according to EN 50129 to address these aspects.
Further guidance on hazard analysis and safety case is included in informative Annex A. It shall be emphasized that an analysis shall be made for each project, so although the methodology for message errors of Annex A can be included, it will not on its own necessarily be complete.
Hazardous events identified can include the following:
— systematic failure,
— broken wires,
— cabling errors,
— antenna misalignment,
— performance loss,
— HW random failure and ageing,
— human error,
— maintenance error,
— EMI,
— cross-talk,
— thermal noise,
— fading effects,
— overloading of transmission system,
— magnetic storm,
— fire,
— earthquake,
— lightning,
as well as deliberately-caused events such as
— wire-tapping,
— damage or unauthorised change to HW,
— unauthorised change to SW,
— monitoring of channels,
— transmission of unauthorised messages.
However, although there can be a wide range of hazardous events, the basic message errors are one of the following:
— repetition;
— deletion;
— insertion;
— re-sequencing;
— corruption;
— delay;
— masquerade.
Table A.1 suggests which basic message errors to the transmission system can be caused by each type of hazardous event. Having identified the hazardous events – not protected by other means – that can occur for a particular system, the table can be used as a guide to identify the basic message errors to be considered for that system.
Table A.1 does not contain probabilities of occurrence; this shall be part of hazard analysis.
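The receiving-end checks that attribute a faulty message to one of the seven basic message errors above, as an added illustration and not code from the standard (whose defences are specified in Clause 7 and Annex A, not here). The message layout (source identifier, sequence number, send time, CRC-32) and the delay tolerance are constructed for the example; a gap in sequence numbers is first reported as deletion and re-labelled re-sequencing only if the skipped message arrives later, since a receiver cannot tell the two apart from the gap alone.

```python
import zlib
from dataclasses import dataclass

# Constructed message layout for this example (not the standard's own format):
# source identifier, sequence number, send time in ms, payload, CRC-32.
@dataclass(frozen=True)
class Msg:
    src: str
    seq: int
    sent_ms: int
    payload: bytes
    crc: int

def crc_of(src, seq, sent_ms, payload):
    return zlib.crc32(f"{src}|{seq}|{sent_ms}|".encode() + payload)

def make(src, seq, sent_ms, payload):
    return Msg(src, seq, sent_ms, payload, crc_of(src, seq, sent_ms, payload))

class SafetyReceiver:
    """Receiving-end checks for one expected peer. check() returns the basic
    message error it attributes to a message, or None when it is accepted."""
    def __init__(self, peer, max_delay_ms):
        self.peer = peer                # only authentic source for this channel
        self.max_delay_ms = max_delay_ms
        self.expected_seq = 0
        self.seen = {}                  # seq -> payload of accepted messages
        self.missing = set()            # seqs skipped by an earlier gap

    def check(self, m, now_ms):
        if m.crc != crc_of(m.src, m.seq, m.sent_ms, m.payload):
            return "corruption"         # integrity: fields cannot be trusted
        if m.src != self.peer:
            return "masquerade"         # authenticity: unexpected source
        if now_ms - m.sent_ms > self.max_delay_ms:
            return "delay"              # timeliness: older than tolerated age
        if m.seq in self.missing:       # a previously skipped message arrived late
            self.missing.discard(m.seq)
            self.seen[m.seq] = m.payload
            return "re-sequencing"
        if m.seq in self.seen:          # sequence number already consumed
            return "repetition" if self.seen[m.seq] == m.payload else "insertion"
        gap = set(range(self.expected_seq, m.seq))
        self.missing |= gap
        self.seen[m.seq] = m.payload
        self.expected_seq = m.seq + 1
        return "deletion" if gap else None  # gap: messages in between not received
```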
6 Classification of transmission systems
6.1 General
This clause defines the process to be used to classify all transmission systems, identifying the basic message errors relevant for such systems that affect the choice of defences for inclusion in the safety application.
6.2 General aspects of classification
There are many factors which can influence the hazards to a safety-related communication system.
For example, it is possible that transmission services can be obtained by the signalling system user from private or public telecommunications service providers. Under such service provision contracts, the responsibility of the service provider for guaranteeing performance of the transmission system can be limited.
Therefore, the significance of basic message errors (and hence the requirements for defences) depends on the extent of control exercised by the user over the transmission system, including the following issues:
— the technical properties of the system, including guarantees of reliability or availability of the system, the extent of storage of data inherent in the system (which could affect delay or re-sequencing of messages);
— the consistency of the performance of the system over its life (e.g. as changes to the system, and changes to the user base are made), and traffic loading effects of other users;
— access to the system, depending on whether the network is private or public, the degree of access control exerted by the operator over other users, the opportunity for misuse of the system by other users, and the access available to maintainers to reconfigure the system, or gain access to the transmission medium itself.
Following these issues three categories of transmission systems can be defined.
6.3 Specific aspects for the classification of transmission systems
6.3.1 Category 1 transmission systems
If a transmission system is to be classified as Category 1 then the following preconditions (to be checked as requirements) apply.
Pr1:
a) The number and type of pieces of connectable equipment – either safety-related or not – to the transmission system is known and fixed and shall be put into the safety requirement specification as a precondition.
b) The configuration of the system shall be defined/embedded in the safety case.
c) Any subsequent change to that configuration shall be preceded by a review of its effects on the safety case.
Pr2:
a) The characteristics of the transmission system (e.g. transmission media, environment under worst case conditions, etc.) are known and fixed. They shall be maintained during the life cycle of the system.
b) If major parameters which were used in the safety case are to be changed, all safety-related aspects shall be reviewed.
Pr3: The risk of unauthorised access to the transmission system is negligible. The risk shall be reviewed for change of major parameters during the life cycle of the system.
If a transmission system satisfies all the above preconditions, it may be considered as Category 1 and a closed system and, if so, it shall comply with a generally reduced set of processes and requirements given in Clause 7. All properties of the system needed for the safety argumentation are under the control of the system designer.
If a closed network (Category 1) is connected to any other network (even another closed network) the preconditions 1, 2 and 3 shall be checked again.
6.3.2 Category 2 transmission systems
If a transmission system does not satisfy the preconditions 1 or 2 (Pr1 or Pr2) of 6.3.1, but fulfils precondition 3 (Pr3) it shall be considered as Category 2 and an open system and shall be assessed with a more comprehensive set of processes and requirements given in Clause 7. Differently from Category 1, the transmission system is not fully under the control of the system designer and the risk of unauthorized access shall be reviewed at least after each change of the transmission system and its participants.
6.3.3 Category 3 transmission systems
If a transmission system does not satisfy the precondition 3 (Pr3) of 6.3.1 it shall be considered as Category 3 and an open system. Still the requirements for Category 2 networks apply, but additional requirements related to Category 3 need to be added.
If unauthorized access to the transmission system is reasonably foreseeable and cannot be judged as negli
...