Railway applications - Communication, signalling and processing systems -- Part 1: Safety-related communication in closed transmission systems

Technically equivalent to IEC 62280-1:2002 (Boomerang case). D115/201: Not to be renumbered as EN 62280-1

General Information

Status: Withdrawn
Publication Date: 28-Feb-2002
Withdrawal Date: 23-Sep-2010
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 23-Sep-2010
Due Date: 16-Oct-2010
Completion Date: 24-Sep-2010

Buy Standard

EN 50159-1:2002, English language, 16 pages

Standards Content (Sample)

SLOVENIAN STANDARD SIST EN 50159-1:2002
first edition
March 2002
Railway applications – Communication, signalling and processing systems – Part 1:
Safety-related communication in closed transmission systems
ICS 35.240.60; 45.020
Reference number SIST EN 50159-1:2002(en)
© The standard was published and issued by the Slovenian Institute for Standardization. Reproduction or copying of this document, in whole or in part, is not permitted.

EUROPEAN STANDARD (NORME EUROPÉENNE, EUROPÄISCHE NORM) EN 50159-1
March 2001
ICS 35.240.60; 45.020
English version
Railway applications - Communication, signalling and processing systems - Part 1: Safety-related communication in closed transmission systems
This European Standard was approved by CENELEC on 1999-01-01. CENELEC members are bound
to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway,
Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50159-1:2001 E

EN 50159-1:2001 - 2 -
Foreword
This European Standard was prepared by SC 9XA, Communication, signalling and processing
systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for
railways.
The text of the draft was submitted to the formal vote and was approved by CENELEC as
EN 50159-1 on 1999-09-01.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2001-10-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2001-10-01
This standard is in close relation to EN 50128:2001, ENV 50129:1998 and EN 50159-2:2001.
The applicability of the standard was also extended from a vehicle bus to all closed transmission
systems with a known maximum number of connectable participants and known topographical
structure.
Annexes designated “informative” are given for information only.
In this standard, annex A is informative.
__________

Contents
Introduction .......... 4
1 Scope .......... 5
2 Normative references .......... 5
3 Definitions .......... 6
4 Reference architecture .......... 7
5 Relation between the characteristics of the transmission systems and safety procedures .......... 9
5.1 Functional integrity requirement .......... 9
5.2 Safety integrity requirements .......... 10
6 Safety procedure requirements .......... 10
6.1 General .......... 10
6.2 Communication between safety-related equipment .......... 10
6.3 Communication between safety-related and non safety-related equipment .......... 11
6.4 Communication between non safety-related equipment .......... 12
7 Safety code requirements .......... 12
7.1 General requirements .......... 12
7.2 Safety target .......... 13
7.3 Length of safety code .......... 13
Annex A (informative) Length of safety code .......... 14

Introduction
This European Standard deals with safety-related communication between safety-related
equipment using a closed transmission system. For those transmission systems which cannot
be considered as closed, EN 50159-2 shall be applied.
Both safety-related and non safety-related equipment can be connected to the transmission
system.
In the case of errors affecting safety-related communication it is necessary:
- to detect errors
- to initiate a safety reaction
This standard does not impose safety requirements on the non-trusted transmission system
itself, but its properties and its physical characteristics shall be defined.
For safety purposes as considered here, one physical transmission path is sufficient. Safety
aspects are covered by applying safety procedures and a safety code which are implemented
inside safety-related equipment – on top of a non-trusted communication protocol in a
transmission system.
Although reliability is not considered in this standard, it should be kept in mind that
reliability is a major aspect of overall safety.

1 Scope
This European Standard is applicable to safety-related electronic systems using a closed
transmission system for communication purposes. It gives the basic requirements needed in
order to achieve safety-related communication between safety-related equipment connected to
the transmission system.
This standard is applicable to the safety requirement specification and design of the
communication system in order to obtain the assigned safety integrity level (SIL).
The safety requirement specification is a precondition of the safety case of a safety-related
electronic system, for which the required evidence is defined in EN 50129. Evidence of safety
management and quality management has to be taken from EN 50129. Evidence of functional
and technical safety is the subject of this standard.
This standard is not applicable to existing systems which had already been accepted prior to the
release of this standard. However, as far as is reasonably practicable, this standard shall be
applied to modifications and extensions to existing systems, subsystems and equipment.
This standard applies to a closed transmission system with the following preconditions, for
which evidence shall be provided:
1 Only approved access is permitted.
2 There is a known maximum number of connectable participants.
3 The transmission media is known and fixed.
Closed transmission systems are not necessarily data buses. They can also include for instance
balise links or simple serial links between two safety-related computers.
In particular this standard does not define:
- The transmission system.
- The equipment connected to the transmission system.
- Specific solutions (e.g. for interoperability).
- Which kinds of data are safety-related and which aren’t.
2 Normative references
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions
of any of these publications apply to this European Standard only when incorporated in it by
amendment or revision. For undated references the latest edition of the publication referred to
applies (including amendments).
EN 50126 Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN 50128 Railway applications – Software for railway control and protection systems
EN 50129 (*) Railway applications – Safety related electronic systems for signalling
(*) In preparation; use ENV 50129:1998.

3 Definitions
For the purpose of this standard, the following definitions apply:
3.1
authenticity
the state in which information is valid and known to have originated from the stated source
3.2
closed transmission system
a fixed number or fixed maximum number of participants linked by a transmission system with
well known and fixed properties, and where the risk of unauthorised access is considered
negligible
3.3
CRC
cyclic redundancy check: procedure to calculate redundant data to be added to the message in
order to detect errors which may arise during transmission from physical data corruption
3.4
EMI
electromagnetic interference
3.5
integrity
the state in which information is complete and correct and not altered or corrupted
3.6
message
information, which is transmitted from a sender (data source) to one or more receivers (data
sink)
3.7
non-trusted
no specific precautions towards safety
3.8
safe fall back state
safe state of a safety-related equipment or system as a deviation from the fault-free state and
as a result of a safety reaction leading to a reduced functionality of safety-related functions,
possibly also of non safety-related functions
3.9
safety code
redundant data included in a message to permit data corruptions to be detected by redundancy
checks
3.10
safety reaction
an action which may be taken by the safety process in response to an event (such as a failure of
the communication system) and which leads to a safe fall back state of the equipment

3.11
transmission code
redundant information added by the non-trusted transmission system to safety and non safety
messages in order to ensure the integrity of the message during transmission
3.12
transmission system
a service used by the application to communicate message streams between a number of
participants, who may be sources or sinks of information
3.13
user data
data which represents the states or events of a user process, without any additional data. In the
case of communication between safety-related equipment, the user data contains safety-related
data
4 Reference architecture
This standard defines the safety requirements for a special class of communication systems.
The characteristics of this class are defined as preconditions (Pr1, Pr2, Pr3).
In general safety-related and non safety-related equipment may be connected to a transmission
system, which is from a safety point of view non-trusted (see Figure 1).
The safety-related transmission system is defined as:
- The non-trusted transmission system (including the transmission functions implemented in
highly integrated circuits).
- The safety-related transmission functions.
The safety case for the safety process shall be prepared in accordance with EN 50129. The
evidence of functional and technical safety of the safety-related transmission functions shall
comply with this standard.
No safety requirements are placed upon the non-trusted transmission system. Safety aspects
are covered by applying safety procedures and safety code which are running inside safety-
related equipment (see Figure 2).

Figure 1 - Structure of safety-related system using a non trusted transmission system
Figure 2 - Model of message representation on the transmission media

Therefore this standard is applicable to the defined architecture if the following preconditions
are fulfilled.
Pr1 The transmission system is closed.
Pr2 The number of pieces of connectable equipment – either safety-related or not – to the
transmission system has to be known and fixed. As the safety of the safety-related
transmission system depends on this parameter, the maximum number of participants
allowed to communicate together shall be put into the safety requirement specification as
a precondition. 1)
Pr3 The physical characteristics of the transmission system (e.g. transmission media,
environment under worst case conditions, …) are fixed. They shall be kept during the life
cycle of the system. If major parameters are to be changed, all safety-related aspects
shall be reviewed.
The requirements regarding these preconditions are defined in the following clauses.
5 Relation between the characteristics of the transmission system and safety
procedures
The evidence of functional and technical safety follows the same process as applied in
EN 50129. Nevertheless, the use of a non-trusted transmission system restricts the process to a
functional approach. Therefore the safety-related transmission system shall be characterised by
a functional specification together with an overall error model. A safety integrity requirement
specification shall be produced by functional analysis of the error model.
5.1 Functional integrity requirement
This mandatory analysis consists of the functional hazard analysis.
From the view point of the receiver, the following faults may lead to a hazardous situation:
• Erroneous information (transmitter identity error, type error, value error),
• Time errors (data delayed too long, sequencing error).
To avoid such situations it is necessary to detect erroneous dat
...
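The layered model of clause 4 and Figure 2 (user data and safety code produced inside the safety-related equipment, wrapped by the transmission code of the non-trusted transmission system) and the receiver-side fault classes of 5.1 can be seen together in the following Python example. It is an added illustration, not text or code from the standard: the message layout, field widths, identifiers, timing threshold, sample data and the choice of CRC polynomials are assumptions made for this example only, and the standard's own requirements on the safety code (clause 7 and Annex A, not in this sample) are not reproduced. The last scenario shows the point a security reviewer should take from 3.2 and Pr1: a CRC-based safety code detects corruption, not deliberate forgery, so the closed-system precondition (negligible risk of unauthorised access) is what carries the argument, and EN 50159-2 applies where it cannot be evidenced.

```python
import struct
import zlib
from dataclasses import dataclass

def crc16_ccitt(data: bytes) -> int:
    """Safety code: CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the polynomial is an assumption."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

# Assumed safety message layout (cf. Figure 2): source id, type, sequence no., timestamp ms, user data, 16-bit safety code.
SAFETY_HDR = struct.Struct(">HBHI")
SAFETY_CODE = struct.Struct(">H")

def build_safety_message(src, mtype, seq, ts_ms, user_data):
    """Safety layer inside the safety-related equipment: procedure fields + user data + safety code."""
    body = SAFETY_HDR.pack(src, mtype, seq, ts_ms) + user_data
    return body + SAFETY_CODE.pack(crc16_ccitt(body))

def tx_encode(safety_msg):
    """Non-trusted transmission layer: length prefix, payload, transmission code (CRC-32)."""
    return struct.pack(">H", len(safety_msg)) + safety_msg + struct.pack(">I", zlib.crc32(safety_msg))

def tx_decode(frame):
    """Non-trusted receive side: the payload, or None when the transmission code fails (frame dropped)."""
    if len(frame) < 6:
        return None
    (n,) = struct.unpack(">H", frame[:2])
    if len(frame) != 2 + n + 4:
        return None
    payload, (code,) = frame[2:2 + n], struct.unpack(">I", frame[2 + n:])
    return payload if zlib.crc32(payload) == code else None

@dataclass
class SafetyReceiver:
    """Safety procedure checks for the 5.1 fault classes; sequence numbers must be consecutive (no wrap-around)."""
    expected_src: int
    expected_type: int
    max_age_ms: int
    last_seq: int = -1
    fallback: bool = False

    def accept(self, safety_msg, now_ms):
        if safety_msg is None or len(safety_msg) <= SAFETY_HDR.size + SAFETY_CODE.size:
            return self._reject("no usable message delivered")
        body, code = safety_msg[:-SAFETY_CODE.size], safety_msg[-SAFETY_CODE.size:]
        if SAFETY_CODE.pack(crc16_ccitt(body)) != code:
            return self._reject("safety code mismatch")  # value error / corruption
        src, mtype, seq, ts_ms = SAFETY_HDR.unpack_from(body)
        if src != self.expected_src:
            return self._reject("transmitter identity error")
        if mtype != self.expected_type:
            return self._reject("type error")
        if seq != self.last_seq + 1:
            return self._reject("sequencing error")  # repeat, loss or re-ordering
        if now_ms - ts_ms > self.max_age_ms:
            return self._reject("data delayed too long")
        self.last_seq = seq
        return True, "accepted", body[SAFETY_HDR.size:]

    def _reject(self, reason):
        self.fallback = True  # safety reaction: enter the safe fall back state
        return False, reason, None

SRC, MTYPE = 0x0101, 0x05  # assumed interlocking id and "aspect command" message type
CMD = b"\x01\x02"  # constructed user data: signal 1 -> aspect 2

def run_scenarios(now_ms=10_000):
    """Constructed scenarios, returned as {name: outcome}."""
    def rx():
        return SafetyReceiver(SRC, MTYPE, max_age_ms=500)
    def msg(src=SRC, mtype=MTYPE, age_ms=20, data=CMD):
        return build_safety_message(src, mtype, 0, now_ms - age_ms, data)
    def deliver(receiver, safety_msg, at=now_ms):
        return receiver.accept(tx_decode(tx_encode(safety_msg)), at)[1]
    good = msg()
    out = {"good": deliver(rx(), good)}
    # EMI flips a bit on the wire: the transmission code alone catches it and the frame vanishes.
    frame = bytearray(tx_encode(good))
    frame[2 + SAFETY_HDR.size] ^= 0x80
    out["bit flip on wire"] = "dropped by transmission layer" if tx_decode(bytes(frame)) is None else "passed"
    # Corruption before the transmission code is computed (e.g. a transmit buffer): only the safety code catches it.
    bad = bytearray(good)
    bad[SAFETY_HDR.size] ^= 0x80
    out["corrupted before tx code"] = deliver(rx(), bytes(bad))
    out["wrong source"] = deliver(rx(), msg(src=0x0202))
    out["wrong type"] = deliver(rx(), msg(mtype=0x06))
    receiver = rx()
    deliver(receiver, good)  # accepted once ...
    out["replay"] = deliver(receiver, good, now_ms + 10)  # ... a repeated copy is a sequencing error
    out["stale"] = deliver(rx(), msg(age_ms=2_000))
    # An intruder forges a frame with correct codes: a CRC is not an authenticator, so every check passes.
    # Only Pr1 (closed system, negligible risk of unauthorised access) excludes this; otherwise EN 50159-2 applies.
    out["forged by intruder"] = deliver(rx(), msg(data=b"\x01\x07"))
    return out
```

run_scenarios() returns one outcome per scenario, and every rejection sets fallback, which stands in for the safety reaction of 3.10. Note the division of labour between the layers: the on-wire bit flip is caught by the non-trusted layer and simply disappears, so the safety layer would only notice it through the sequence or delay checks on the next message, whereas the corruption that occurs before the transmission code is computed passes the non-trusted layer and is caught only by the safety code. This is why the standard asks for evidence about the transmission system's properties (Pr3) without placing safety requirements on it.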
