IEC 62280:2014

IEC 62280 ®
Edition 1.0 2014-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Railway applications – Communication, signalling and processing systems –
Safety related communication in transmission systems

Applications ferroviaires – Systèmes de signalisation, de télécommunication et
de traitement – Communication de sécurité dans les systèmes de transmission

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de l'IEC ou du Comité national de l'IEC du pays du demandeur. Si vous avez des
questions sur le copyright de l'IEC ou si vous désirez obtenir des droits supplémentaires sur cette publication, utilisez
les coordonnées ci-après ou contactez le Comité national de l'IEC de votre pays de résidence.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
The stand-alone application for consulting the entire The world's leading online dictionary of electronic and
bibliographical information on IEC International Standards, electrical terms containing more than 30 000 terms and
Technical Specifications, Technical Reports and other definitions in English and French, with equivalent terms in 14
documents. Available for PC, Mac OS, Android Tablets and additional languages. Also known as the International
iPad. Electrotechnical Vocabulary (IEV) online.

IEC publications search - www.iec.ch/searchpub IEC Glossary - std.iec.ch/glossary
The advanced search enables to find IEC publications by a More than 55 000 electrotechnical terminology entries in
variety of criteria (reference number, text, technical English and French extracted from the Terms and Definitions
committee,…). It also gives information on projects, replaced clause of IEC publications issued since 2002. Some entries
and withdrawn publications. have been collected from earlier publications of IEC TC 37,

77, 86 and CISPR.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Customer Service Centre - webstore.iec.ch/csc
details all new publications released. Available online and If you wish to give us your feedback on this publication or
also once a month by email. need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
A propos de l'IEC
La Commission Electrotechnique Internationale (IEC) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications IEC
Le contenu technique des publications IEC est constamment revu. Veuillez vous assurer que vous possédez l’édition la
plus récente, un corrigendum ou amendement peut avoir été publié.

Catalogue IEC - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
Application autonome pour consulter tous les renseignements
Le premier dictionnaire en ligne de termes électroniques et
bibliographiques sur les Normes internationales,
électriques. Il contient plus de 30 000 termes et définitions en
Spécifications techniques, Rapports techniques et autres
anglais et en français, ainsi que les termes équivalents dans
documents de l'IEC. Disponible pour PC, Mac OS, tablettes
14 langues additionnelles. Egalement appelé Vocabulaire
Android et iPad.
Electrotechnique International (IEV) en ligne.

Recherche de publications IEC - www.iec.ch/searchpub
Glossaire IEC - std.iec.ch/glossary
Plus de 55 000 entrées terminologiques électrotechniques, en
La recherche avancée permet de trouver des publications IEC
en utilisant différents critères (numéro de référence, texte, anglais et en français, extraites des articles Termes et
comité d’études,…). Elle donne aussi des informations sur les Définitions des publications IEC parues depuis 2002. Plus
projets et les publications remplacées ou retirées. certaines entrées antérieures extraites des publications des

CE 37, 77, 86 et CISPR de l'IEC.
IEC Just Published - webstore.iec.ch/justpublished

Service Clients - webstore.iec.ch/csc
Restez informé sur les nouvelles publications IEC. Just
Published détaille les nouvelles publications parues. Si vous désirez nous donner des commentaires sur cette
Disponible en ligne et aussi une fois par mois par email. publication ou si vous avez des questions contactez-nous:
csc@iec.ch.
IEC 62280 ®
Edition 1.0 2014-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Railway applications – Communication, signalling and processing systems –

Safety related communication in transmission systems

Applications ferroviaires – Systèmes de signalisation, de télécommunication et

de traitement – Communication de sécurité dans les systèmes de transmission

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
CODE PRIX XB
ICS 45.060 ISBN 978-2-8322-1383-4

– 2 – 62280 © IEC:2014
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 9
3 Terms, definitions and abbreviations . 9
3.1 Terms and definitions . 9
3.2 Abbreviations . 14
4 Reference architecture . 15
5 Threats to the transmission system . 18
6 Classification of transmission systems . 19
6.1 General . 19
6.2 General aspects of classification . 19
6.3 Criteria for the classification of transmission systems . 19
6.3.1 Criteria for Category 1 transmission systems . 19
6.3.2 Criteria for Category 2 transmission systems . 20
6.3.3 Criteria for Category 3 transmission systems . 20
6.4 Relationship between transmission systems and threats . 20
7 Requirements for defences . 20
7.1 General . 20
7.2 General requirements . 21
7.3 Specific defences . 22
7.3.1 General . 22
7.3.2 Sequence number . 23
7.3.3 Time stamp . 23
7.3.4 Time-out . 23
7.3.5 Source and destination identifiers . 24
7.3.6 Feedback message . 25
7.3.7 Identification procedure . 25
7.3.8 Safety code . 26
7.3.9 Cryptographic techniques . 27
7.4 Applicability of defences . 28
7.4.1 General . 28
7.4.2 Threats/defences matrix . 29
7.4.3 Choice and use of safety code and cryptographic techniques . 29
Annex A (informative) Threats on open transmission systems . 30
A.1 System view . 30
A.2 Derivation of the basic message errors . 31
A.3 Threats . 32
A.3.1 General . 32
A.3.2 Repetition . 33
A.3.3 Deletion . 33
A.3.4 Insertion . 33
A.3.5 Re-sequencing . 33
A.3.6 Corruption . 33
A.3.7 Delay . 33
A.3.8 Masquerade . 33

62280 © IEC:2014
– 3 –
A.4 Possible approach for building a safety case . 33
A.4.1 General . 33
A.4.2 Structured methods for hazardous events identification . 34
A.4.3 Relationship hazardous events – threats . 36
A.5 Summary . 37
Annex B (informative) Categories of transmission systems . 39
B.1 Categories of transmission systems . 39
B.2 Relationship between the category of transmission systems and threats . 40
Annex C (informative) Guideline for defences . 42
C.1 Applications of time stamps . 42
C.2 Choice and use of safety codes and cryptographic techniques . 43
C.3 Safety code . 48
C.3.1 General . 48
C.3.2 Main block codes . 48
C.3.3 Recommendations for the application of safety codes . 50
C.3.4 Cryptographic techniques . 50
C.4 Length of safety code . 51
C.5 Communication between safety related and non-safety related
applications . 54
Annex D (informative) Guidelines for use of the standard . 55
D.1 Procedure . 55
D.1.1 General . 55
D.1.2 Application . 55
D.1.3 Hazard analysis . 55
D.1.4 Risk reduction . 55
D.1.5 Allocation of SIL and quantitative targets . 55
D.1.6 Safety requirements specifications (SRS) . 56
D.2 Example . 56
D.2.1 General . 56
D.2.2 Application . 56
D.2.3 Hazard analysis . 56
D.2.4 Case 1 . 58
D.2.5 Case 2 . 59
Annex E (informative) Mapping from previous standards . 61
Bibliography . 64

Figure 1 – Reference architecture for safety related communication. 17
Figure 2 – Cyclic transmission of messages . 24
Figure 3 – Bi-directional transmission of messages . 24
Figure A.1 – Hazard tree . 31
Figure A.2 – Causes of threats . 34
Figure C.1 – Classification of safety related communication systems . 44
Figure C.2 – Model of message representation within the transmission system
(Type A0, A1) . 45
Figure C.3 – Use of a separate access protection layer . 46
Figure C.4 – Model of message representation within the transmission system
(Type B0) . 47

– 4 – 62280 © IEC:2014
Figure C.5 – Model of message representation within the transmission system
(Type B1) . 48
Figure C.6 – Basic error model . 51
Figure C.7 – Communication between non-safety related and safety related applications . 54
Figure D.1 – Fault tree for the hazard “accident” . 57
Figure D.2 – Fault tree for case 1 . 58
Figure D.3 – Fault tree for case 2 . 60

Table 1 – Threats/defences matrix . 29
Table A.1 – Relationship between hazardous events and threats . 37
Table B.1 – Categories of transmission systems . 40
Table B.2 – Threat/category relationship. 41
Table C.1 – Assessment of the safety encoding mechanisms (see note) . 50
Table E.1 – Mapping from IEC 62280-1:2002 to IEC 62280 . 61
Table E.2 – Mapping from IEC 62280-2:2002 to IEC 62280 . 62

62280 © IEC:2014
– 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
RAILWAY APPLICATIONS –
COMMUNICATION, SIGNALLING AND PROCESSING SYSTEMS –
SAFETY RELATED COMMUNICATION IN TRANSMISSION SYSTEMS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62280 has been prepared by IEC technical committee 9: Electrical
equipment and systems for railways.
This standard is based on EN 50159.
This standard cancels and replaces IEC 62280-1 (2002) and IEC 62280-2 (2002).
See Annex E.
The text of this standard is based on the following documents:
FDIS Report on voting
9/1866A/FDIS 9/1885/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.

– 6 – 62280 © IEC:2014
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until the
stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to
the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
62280 © IEC:2014
– 7 –
INTRODUCTION
If a safety related electronic system involves the transfer of information between different
locations, the transmission system then forms an integral part of the safety related system, this
includes that the end to end communication is safe in accordance with IEC 62425.
The transmission system considered in this standard, which serves the transfer of information
between different locations, has in general no particular preconditions to satisfy. It is from the
safety point of view not trusted, or not fully trusted.
The standard is dedicated to the requirements to be taken into account for the communication
of safety related information over such transmission systems.
Although the RAM aspects are not considered in this standard it is recommended to keep in
mind that they are a major aspect of the global safety.
The safety requirements depend on the characteristics of the transmission system. In order to
reduce the complexity of the approach to demonstrate the safety of the system, transmission
systems have been classified into three categories:
• Category 1 consists of systems which are under the control of the designer and fixed during
their lifetime.
• Category 2 consists of systems which are partly unknown or not fixed, however
unauthorised access can be excluded.
• Category 3 consists of systems which are not under the control of the designer, and where
unauthorised access has to be considered.
The first category was previously covered by IEC 62280-1:2002, the others by IEC 62280-
2:2002.
When safety related communication systems, which have been approved according to the
previous standards, are subject of maintenance and/or extensions, informative Annex E can be
used for traceability purposes of (sub)clauses of this standard with the (sub)clauses of the
former series.
– 8 – 62280 © IEC:2014
RAILWAY APPLICATIONS –
COMMUNICATION, SIGNALLING AND PROCESSING SYSTEMS –
SAFETY RELATED COMMUNICATION IN TRANSMISSION SYSTEMS

1 Scope
This International Standard is applicable to safety related electronic systems using for digital
communication purposes a transmission system which was not necessarily designed for safety
related applications and which is
• under the control of the designer and fixed during the lifetime, or
• partly unknown or not fixed, however unauthorised access can be excluded, or
• not under the control of the designer, and also unauthorised access has to be considered.
Both safety related equipment and non-safety related equipment can be connected to the
transmission system.
This Internaitonal Standard gives the basic requirements needed to achieve safety related
communication between safety related equipment connected to the transmission system.
This International Standard is applicable to the safety requirement specification of the safety
related equipment connected to the transmission system, in order to obtain the allocated safety
integrity requirements.
Safety requirements are generally implemented in the safety related equipment, designed
according to IEC 62425. In certain cases these requirements may be implemented in other
equipment of the transmission system, as long as there is control by safety measures to meet
the allocated safety integrity requirements.
The safety requirement specification is a precondition of the safety case of a safety related
electronic system for which the required evidence is defined in IEC 62425. Evidence of safety
management and quality management has to be taken from IEC 62425. The communication
related requirements for evidence of functional and technical safety are the subject of this
standard.
This International Standard is not applicable to existing systems, which had already been
accepted prior to the release of this standard.
This International Standard does not specify
• the transmission system,
• equipment connected to the transmission system,
• solutions (e.g. for interoperability),
• which kind of data are safety related and which are not.
A safety related equipment connected through an open transmission system can be subjected
to many different IT security threats, against which an overall program has to be defined,
encompassing management, technical and operational aspects.
In this International Standard however, as far as IT security is concerned, only intentional
attacks by means of messages to safety related applications are considered.

62280 © IEC:2014
– 9 –
This International Standard does not cover general IT security issues and in particular it does
not cover IT security issues concerning
• ensuring confidentiality of safety related information,
• preventing overloading of the transmission system.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
IEC 62278 (all parts), Railway applications – Specification and demonstration of reliability,
availability, maintainability and safety (RAMS)
IEC 62425:2007, Railway applications – Communication, signalling and processing systems –
Safety related electronic systems for signalling
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1.1
absolute time stamp
time stamp referenced to a global time which is common for a group of entities using a
transmission system
3.1.2
access protection
processes designed to prevent unauthorised access to read or to alter information, either within
user safety related systems or within the transmission system
3.1.3
additional data
data which is not of any use to the ultimate user processes, but is used for control, availability,
and safety purposes
3.1.4
authentic message
message in which information is known to have originated from the stated source
3.1.5
authenticity
state in which information is valid and known to have originated from the stated source
3.1.6
closed transmission system
fixed number or fixed maximum number of participants linked by a transmission system with
well known and fixed properties, and where the risk of unauthorised access is considered
negligible
3.1.7
communication
transfer of information between applications

– 10 – 62280 © IEC:2014
3.1.8
confidentiality
property that information is not made available to unauthorised entities
3.1.9
corrupted message
type of message error in which a data corruption occurs
3.1.10
cryptographic techniques
producing output data, calculated by an algorithm using input data and a key as a parameter
Note 1 to entry: By knowing the output data, it is impossible within a reasonable time to calculate the input data
without knowledge of the key. It is also impossible within a reasonable time to derive the key from the output data,
even if the input data are known.
3.1.11
cyclic redundancy check
cyclic code, used to protect messages from the influence of data corruption
3.1.12
data
part of a message which represents some information
Note 1 to entry: See also definitions 3.1.64: user data, 3.1.3: additional data and 3.1.42: redundant data.
3.1.13
data corruption
alteration of data
3.1.14
defence
measure incorporated in the design of a safety related communication system to counter
particular threats
3.1.15
delayed message
type of message error in which a message is received at a time later than intended
3.1.16
deleted message
type of message error in which a message is removed from the message stream
3.1.17
double time stamp
case when two entities exchange and compare their time stamps. In this case the time stamps
in the entities are independent of each other
3.1.18
error
deviation from the intended design which could result in unintended system behaviour or failure
3.1.19
failure
deviation from the specified performance of a system
Note 1 to entry: A failure is the consequence of a fault or an error in the system.

62280 © IEC:2014
– 11 –
3.1.20
fault
abnormal condition that could lead to an error in a system
Note 1 to entry: A fault can be random or systematic.
3.1.21
feedback message
response from a receiver to the sender, via a return channel
3.1.22
hacker
person trying deliberately to bypass access protection
3.1.23
hazard
condition that can lead to an accident
3.1.24
hazard analysis
process of identifying hazards and analysing their causes, and the derivation of requirements
to limit the likelihood and consequences of hazards to an acceptable level
3.1.25
implicit data
additional data that is not transmitted but is known to the sender and receiver
3.1.26
information
representation of the state or events of a process, in a form understood by the process
3.1.27
inserted message
type of message error in which an additional message is implanted in the message stream
3.1.28
integrity
state in which information is complete and not altered
3.1.29
manipulation detection code
function of the whole message without secret key
Note 1 to entry: In contrast to a MAC there is no secret key involved. By the whole message is meant also any
implicit data of the message which is not sent to the transmission system. MDC is often based on a hash function.
3.1.30
masqueraded message
type of inserted message in which a non-authentic message is designed to appear to be
authentic
3.1.31
message
information which is transmitted from a sender (data source) to one or more receivers (data
sink)
– 12 – 62280 © IEC:2014
3.1.32
message authentication code
cryptographic function of the whole message and a secret or public key
Note 1 to entry: By the whole message is meant also any implicit data of the message which is not sent to the
transmission system.
3.1.33
message enciphering
transformation of bits by using a cryptographic technique within a message, in accordance with
an algorithm controlled by keys, to render casual reading of data more difficult. Does not
provide protection against data corruption
3.1.34
message errors
set of all possible message failure modes which can lead to potentially dangerous situations, or
to reduction in system availability. There can be a number of causes of each type of error
3.1.35
message integrity
message in which information is complete and not altered
3.1.36
message stream
ordered set of messages
3.1.37
non-cryptographic safety code
redundant data based on non-cryptographic functions included in a safety related message to
permit data corruption to be detected by the safety related transmission function
3.1.38
open transmission system
transmission system with an unknown number of participants, having unknown, variable and
non-trusted properties, used for unknown telecommunication services and having the potential
for unauthorised access
3.1.39
public network
network with unknown users, especially not under control of the railways
3.1.40
random failure
failure that occurs randomly in time
3.1.41
redundancy check
type of check that a predefined relationship exists between redundant data and user data within
a message, to prove message integrity
3.1.42
redundant data
additional data, derived, by a safety related transmission function, from the user data
3.1.43
relative time stamp
time stamp referenced to the local clock of an entity. In general there is no relationship to
clocks of other entities
62280 © IEC:2014
– 13 –
3.1.44
repeated message
type of message error in which a single message is received more than once
3.1.45
re-sequenced message
type of message error in which the order of messages in the message stream is changed
3.1.46
safe fall back state
safe state of a safety related equipment or system as a deviation from the fault-free state and
as a result of a safety reaction leading to a reduced functionality of safety related functions,
possibly also of non-safety related functions
3.1.47
safety
freedom from unacceptable levels of risk
3.1.48
safety case
documented demonstration that the product (e.g. system/sub-system/equipment) complies with
the specified safety requirements
3.1.49
safety code
redundant data included in a safety related message to permit data corruptions to be detected
by the safety related transmission function
3.1.50
safety integrity level
number which indicates the required degree of confidence that a system will meet its specified
safety functions with respect to systematic failures
3.1.51
safety reaction
safety related protection taken by the safety process in response to an event (such as a failure
of the transmission system), which may lead to a safe fall back state of the equipment
3.1.52
safety related
carries responsibility for safety
3.1.53
safety related transmission function
function incorporated in the safety related equipment to ensure authenticity, integrity,
timeliness and sequence of data
3.1.54
sequence number
additional data field containing a number that changes in a predefined way from message to
message
3.1.55
source and destination identifier
identifier which is assigned to each entity. This identifier can be a name, number or arbitrary bit
pattern. This identifier will be used for the safety related communication. Usually the identifier
is added to the user data
– 14 – 62280 © IEC:2014
3.1.56
systematic failure
failure that occurs repeatedly under some particular combination of inputs, or under some
particular environmental condition
3.1.57
threat
potential violation of safety
3.1.58
time stamp
information concerning time of transmission attached to a message by the sender
3.1.59
timeliness
state in which information is available at the right time according to requirements
3.1.60
transmission code
redundant information, added to the safety and non-safety message of the non-trusted
transmission system in order to ensure the integrity of the message during transmission
3.1.61
transmission system
service used by the application to communicate message streams between a number of
participants, who may be sources or sinks of information
3.1.62
trusted
which has properties used as evidence to support the safety demonstration
3.1.63
unauthorised access
situation in which user information or information within the transmission system is accessed
and/or changed by unauthorised persons or hackers
3.1.64
user data
data which represents the states or events of a user process, without any additional data. In
case of communication between safety related equipment, the user data contains safety related
data
3.1.65
valid message
message whose form meets in all respects the specified user requirements
3.1.66
validity
state of meeting in all respects the specified user requirements
3.2 Abbreviations
BCH Bose, Ray-Chaudhuri, Hocquenghem Code
BME Basic Message Errors
BSC Binary Symmetric Channel
62280 © IEC:2014
– 15 –
CAN Controller Area Network
CRC Cyclic Redundancy Check
EC European Community
ECB Electronic CodeBook mode
EMI Electromagnetic Interference
FTA Fault Tree Analysis
GPRS General Packet Radio Service
GSM-R Global System for Mobile communication – Railways
HE Hazardous Events
HW Hardware
IT Information Technology
LAN Local Area Network
MAC Message Authentification Code
MDC Manipulation Detection code
MD4, MD5 Message Digest algorithms
MH Main Hazard
MTBF Mean Time Between Failures
MVB Multi-purpose Vehicle Bus
PROFIBUS Process Field Bus
QSC q-nary symmetric channel
RAMS Reliability, Availability, Maintainability and Safety
SIL Safety Integrity Level
SR Safety Related
SRS Safety Requirements Specifications
SW Software
TX Transmission
UTC Universal Coordinated Time
WAN Wide Area Network
Wi-Fi Wireless Fidelity
4 Reference architecture
This International Standard defines the safety requirements for the safe communication
between safety related equipment via a transmission system, which can either be closed or
open. Both, safety related and non-safety related equipment can be connected to the
transmission system. This clause describes possible configurations of the safety related

– 16 – 62280 © IEC:2014
communication in transmission systems including the definition of involved functional blocks.
Particular requirements to be fulfilled by these blocks are specified in further clauses.
A combined view – open and closed transmission system – of the principal architecture is
shown in Figure 1, where all communication elements are linked according to the information
flow to exchange safety related information between safety related equipment. The reference
architecture also shows a non-safety related interface which is not always present. A typical
use could be for diagnostic messages routed to a maintenance centre.
Besides the source and destination of safety related communication the reference architecture
deals with a safety related communication system, which can be divided into
• safety related transmission functions incorporated in the safety related equipment. These
functions ensure authenticity, integrity, timeliness and sequence of data,
• safety related cryptographic techniques which protect the safety related message. These
can either be realised by incorporating them in the safety related equipment or having them
outside of the safety related equipment but checked by safety techniques. These
techniques protect the safety related message in a Category 3 transmission system and are
not needed in the case of a Category 1 or 2 transmission system,
• a non-safety related, open or closed transmission system which may itself include
transmission protection functions and/or access protection functions.
The characteristics of closed transmission systems (Category 1) are as follows:
• the number of pieces of connectable equipment – either safety related or not – to the
transmission system is known and fixed;
• the risk of unauthorized access is considered negligible;
• the physical characteristics of the transmission system (e.g. transmission media,
environment according to design hypothesis, etc.) are fixed and unchanged during the life
cycle of the system.
The open transmission system (Category 2 and/or 3) can contain some or all of the following:
• elements which read, store, process or re-transmit data produced and presented by users
of the transmission system in accordance with a program not known to the user. The
number of users is generally unknown, and safety related and non-safety related
equipment, and equipment which is not related to railway applications, can be connected to
the open transmission system;
• transmission media of any type with transmission characteristics and susceptibility to
external influences, which are unknown to the user;
• network control and management systems capable of routing (and dynamically re-routing)
messages via any path made up from one or more than one type of transmission media
between the ends of open transmission system, in accordance with a program not known to
the user;
• other users of the transmission system, not known to the safety related application
designer, sending unknown amounts of information, in unknown formats.
The open transmission system of Category 3 may be subject to unauthorised access to the
transmission system for malicious purposes.

62280 © IEC:2014
– 17 –
Non-safety
Safety related
related Non-safety
information
information
related
Safety related Safety related
application
application application
Safety related Safety related
message message
Non-safety
Safety related Safety related
related
transmission transmission
message
function function
Safety related Safety related
cryptographic cryptographic
technique technique
Safety related message Non-safety related message
Non-safety related transmission system

Implemented in safety related equipment according to IEC 62425

Implemented for Category 3 transmission systems in

- Safety related equipment according to IEC 62425, or
- Non-safety related equipments, checked by safety related techniques
Implemented in
- Non-safety related equipment, or
- Safety related equipment (interface between safety related and non-
safety related functions assessed according to IEC 62425)
IEC  0022/14
Figure 1 – Reference architecture for safety related communication
The reference architecture is not intended to restrict implementations; different structures are
possible, see examples in the
...