SPENO INTERNATIONAL SA CH-1217 Meyrin. All rights reserved, do not share without written approval. ST-AUT_Guidelines_VI3e.docx
SPENO INTERNATIONAL SA
Energies & Automation Guidelines
for SPENO Trains Control Systems
Version Date Author Verifier Validator
I.3.e 31 March 2021 JCP FEH, BeR StA
[Figure: Train control architecture. Cab A and Cab B each carry CReprofiler, CLeaner, Traction, Energies and CMeas units. The Control System for Vehicle (Remote Access, Traction, Energies, CabAVehicle, CabBVehicle) runs on the L1 Synchronous Vehicle Bus; the Control System for Work (CMeas, CR+CL, CabAWork, CabBWork) runs on the L1 Synchronous Work Bus; the Touch Panels sit on the L2 Asynchronous Common Bus - TCMS. Coupled vehicles repeat the same layout.]
SPENO INTERNATIONAL SA
E&A Guidelines for Railreprofiler Control Systems
INTRODUCTION Page 1 / 27
Table of Contents
1 INTRODUCTION ..... 2
1.1 Purpose ..... 2
1.1.1 Objective ..... 2
1.1.2 Audience ..... 2
1.1.3 Relevance ..... 2
1.2 Scope ..... 2
1.2.1 References ..... 2
1.2.2 Railways ..... 2
2 ENERGIES-SAFETY ..... 3
2.1 Energies ..... 3
2.1.1 Terms of Use ..... 3
2.1.2 Pipes & Wires ..... 3
2.1.3 Hot Devices ..... 3
2.1.4 Fireproof ..... 3
2.1.5 Labelling ..... 3
2.1.6 Cabinets ..... 3
2.1.7 Bonding ..... 3
2.2 Safety ..... 4
2.2.1 Risks Assessment ..... 4
2.2.2 Electrical Main Switch ..... 4
2.2.3 Non-Electrical Main Valves ..... 4
2.2.4 Safety Related Parts ..... 4
2.2.5 Active Safe Guards ..... 4
2.2.6 Emergency Brakes ..... 4
2.2.7 Speed, Mooring and Brakes ..... 4
3 SYSTEM SECURITY ..... 5
3.1 Control System ..... 5
3.1.1 IS/IT Policies ..... 5
3.1.2 Remote Access ..... 5
3.1.3 Validation Plan ..... 5
3.1.4 E&A Documents ..... 5
3.2 HMIs System ..... 6
3.2.1 Hard-wired HMIs ..... 6
3.2.2 Touch-Panel HMIs ..... 6
3.3 PLCs System ..... 6
3.3.1 Maintenance ..... 6
3.3.2 Instruments ..... 6
3.3.3 Traceability ..... 6
3.4 IP Address ..... 7
3.4.1 L2 Asynchronous ..... 7
3.4.2 L1 Synchronous ..... 8
3.5 Modbus Map ..... 9
4 SYSTEM MODEL ..... 10
4.1 Modes ..... 10
4.2 States ..... 11
4.3 Instances ..... 11
4.3.1 Alarms ..... 12
4.3.2 Logic RAMS ..... 12
4.3.3 Segment ..... 13
4.3.4 Stage ..... 13
4.3.5 OEE ..... 13
4.4 Semantics ..... 14
4.4.1 Domain Visibility ..... 14
4.4.2 Prefix and Attributes ..... 14
4.4.3 Tags vs I/O Quantities ..... 15
4.5 EN-14033 Features ..... 15
4.5.1 Work vs PLr ..... 15
4.5.2 Vehicle vs PLr ..... 16
5 TRAIN INTERFACE ..... 17
5.1 TCMS Ability ..... 17
5.1.1 Work Systems ..... 17
5.1.2 UTO Ready ..... 17
5.2 Train Types ..... 17
5.2.1 Pattern Type ..... 17
5.2.2 Pass Type ..... 18
5.2.3 PK Type ..... 18
5.2.4 ODS Type ..... 18
5.2.5 GPS Type ..... 18
5.2.6 AGS Type ..... 18
5.2.7 Traction Type ..... 18
5.2.8 Energies Type ..... 18
5.3 KPI Types ..... 19
5.3.1 OEE Type ..... 19
5.3.2 Stoppages ..... 19
6 USER INTERFACE ..... 20
6.1 Intuitiveness ..... 20
6.2 HMIs Basics ..... 20
6.3 User Access ..... 20
6.3.1 User Login ..... 20
6.3.2 User Roles ..... 20
6.4 HMIs Features ..... 21
6.4.1 Screen Header ..... 21
6.4.2 Alarms Banner ..... 21
6.4.3 Navigation Bar ..... 21
6.5 Conventions ..... 22
6.5.1 Colors ..... 22
6.5.2 Module ..... 22
6.5.3 Equipment ..... 22
6.5.4 Wagon-Unit ..... 22
7 APPENDIX ..... 23
7.1 Energies-Safety ..... 23
7.1.1 Energies ..... 23
7.1.2 Neutral Earthing ..... 23
7.1.3 Colors and Symbols ..... 23
7.1.4 Safety Functions ..... 23
7.1.5 Stop Categories ..... 23
7.2 Risks Assessment ..... 24
7.2.1 Hazards Inventory ..... 24
7.2.2 Risks Evaluation ..... 24
7.2.3 Risks Reduction ..... 24
7.2.4 PLr Calculation ..... 24
7.3 Connectivity ..... 25
7.3.1 IIoT Integration ..... 25
7.3.2 TCN Model ..... 25
7.4 Segments Shift ..... 26
7.4.1 Shift time vs §mm & km/h ..... 26
7.4.2 RR12MS1 200 mm Case ..... 26
7.5 Acronyms ..... 27
Versions
Version Date Modification Description Author Verifier Validator
I.1.* 25 June 2020 §2 Energies-Safety + §3 System Security; §1.1.3 Appliance + §2.1.3 Fireproof JCP PC, VC StA YI
I.2.* 27 July 2020 … 05 Oct. 2020 §2.1 Energies + §3.5 Maintenance; §3.8 Modbus Map + §5 Train Interface; §4.2 States + §5.1.2 UTO Ready; §2.1 Energies + §7.4 Segments Shift; §2.1.6 Bonding + §4.1 Modes + §7.1.1 Energies; §2.2.5 Cabinets + §2.2.7 Speed-Mooring-Brakes; §4.1 Modes + §4.4.3 Tags vs I/O Quantities JCP BLa, ChM, YD, FEH, BL, VC, MRa, AlC StA
I.3.a 19 Oct. 2020 §2.1.1 Terms of Use + §5 Train Interface JCP BL, VC StA
I.3.b 27 Oct. 2020 §1.2.2 Railways + §3.3 PLCs + §5.1.1 Work Systems JCP BL, YD StA
I.3.c 30 Nov. 2020 §3.4 IP Address (Diagram with CM-CabA & CR+CR) JCP BeR StA
I.3.d 11 Jan. 2021 §3.4.1 L2 Asynchronous + 6.5.4 Wagon-Unit JCP FEH StA
I.3.e 31 March 2021 §3.5 Modbus Map JCP FEH, BeR StA
Contact Persons
Stefan Aeschlimann
Technical Director
Phone : +41 79 269 9131
E-Mail : stefan.aeschlimann@speno.ch
Fouad El Hachemi
Senior Automation Engineer
Phone : +41 79 203 5833
E-Mail : fouad.elhachemi@speno.ch
Jean Claude Pourchet
Automation Group Leader
Phone : +41 79 378 7624
E-Mail : jcpourchet@gmail.com
1 INTRODUCTION
1.1 Purpose
1.1.1 Objective
This document shares Energies & Automation good practices to integrate control systems in rail reprofilers; those systems aggregate devices in a Train divided into Wagon-units, Equipments and Modules. These guidelines ensure process Reliability, train Availability, systems Maintainability and user Safety in the E&A domains. The track profile process may cover several technologies such as grinding, milling or planing.
1.1.2 Audience
Management Committee, Technical Department, Maintenance Department and Quality Department.
1.1.3 Relevance
Applicable for new trains only; the existing ones are out of scope.
[Holistic Matrix: concerns Process Reliability, Reprofiler Availability, Systems Maintainability, User Safety, Cyber Security and Data Collection, against the columns ISO/IEC & EN, GAMP, IS/IT Ready and IIoT Edge Ready, for the chapters Energies-Safety (Blue), System Security (Orange), System Model, Train Interface and User Interface (Green, Purple).]
The right border color in the next pages indicates which chapter paragraph is relevant to which concern.
1.2 Scope
1.2.1 References
• MD-2006/42/CE, Essential health and safety requirements relating to design and construction of machinery.
• ISO-12100:2010, Safety of machinery - General Principles for Design - Risk Assessment and Reduction.
• ISO-13849-1:2015, Safety of machinery - Safety related Parts of control systems - Part 1: Principles.
• ISO-13849-2:2012, Safety of machinery - Safety related Parts of control systems - Part 2: Validation.
• ISO-13850:2015, Safety of machinery - Emergency Stop Function - Principles for Design.
• ISO-13855:2010, Safety of machinery - Safeguards position with respect to approach speeds of parts of human body.
• ISO-14118:2017, Safety of machinery - Prevention of Unexpected Startup.
• ISO-14119:2013, Safety of machinery - Guards Interlocking Devices Associated - Design and Selection Principles.
• ISO-27000:2018, Information technology - Information security - management systems - Overview and vocabulary.
• IEC-60204-1:2016, Safety of machinery - Electrical equipment of machines - Part 1: General requirements.
• IEC-61131-3:2013, Programmable controllers - Part 3: Programming languages.
• IEC-61508:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems.
• IEC-62061-A2:2015, Safety of safety-related electrical, electronic and programmable electronic control systems.
• IEC-62443-3-3:2013, Industrial communication network, system security requirements and security levels.
• IEC-62682-1:2014, Management of alarms systems for the process industries.
• IEC-62714-1:2018, Engineering data exchange Pattern - Automation markup language.
• IEC-81346-2:2018, Reference designations - Part 2: Classification of objects and codes for classes.
1.2.2 Railways
• EN-14033-1:2017, Railway applications - Railbound construction and maintenance machines - Part 1: Running Requirements.
• EN-14033-2:2017, Railway applications - Railbound construction and maintenance machines - Part 2: Travelling and Working.
• EN-14033-3:2017, Railway applications - Railbound construction and maintenance machines - Part 3: General safety.
• EN-16185-1:2014, Railway applications - Braking systems of multiple unit trains. Requirements and definitions.
• EN-16186-3:2016, Railway applications - Driver's cab - Part 3: Design of displays.
• EN-17023:2018, Railway applications. Railway vehicle maintenance. Creation and modification of maintenance plan.
• EN-45545:2009, Railway applications - Fire protection on railway vehicles.
• EN-50126:2006, Railway applications - Specification of Reliability, Availability, Maintainability and Safety (RAMS).
• EN-50128:2011, Railway applications - Communication, signalling and processing - Software for control and protection systems.
• EN-50129:2003, Railway applications - Communication, signalling and processing - Safety related electronics systems.
• EN-50153:2014, Railway applications - Rolling stock. Protective provisions relating to electrical hazards.
• EN-50155:2017, Railway applications - Electronic Equipment used in rolling stock.
• EN-50343:2014, Railway applications - Rolling stock. Rules for installation of cabling.
• EN-50567:2017, Railways Applications - Rolling stock applications - Software on Board Rolling Stock.
• EN-61373:2011, Railway applications - Rolling stock equipment - Shock and vibration tests.
• EN-62290:2014, Railway applications - Guided transport control systems - Part 1: System principles and fundamental concepts.
2 ENERGIES-SAFETY
2.1 Energies
The Energies supplies and distributions shall carry out electrical, hydraulic and pneumatic containment in conformance with the safety requirements.
2.1.1 Terms of Use
All E&A parts shall comply with EN-50155:2017 and EN-61373:2011 according to their location and operative use, with life cycles of 20 years (L4 Class):
• Category: Indoor (OT1) / Outdoor (OT2) / Hot Work (OT5)
• Temperatures: -25°C to +55°C / -40°C to +55°C / -25°C to +85°C
• Ingress Protection: IP54 / IP65
• Vibrations / Shocks: 2g / 15g, or 5g / 25g
• Contact / Air Discharges: 1 kV / 2 kV, or 5 kV / 8 kV
• Relative Humidity: 5…95% non-condensing
2.1.2 Pipes & Wires
Conduits, tubes, pipes, wires and cables shall comply with EN-50343:2014:
• Leave more than 25 mm between electrical and non-electrical pipes.
• Avoid shearing, crushing, sharp edges, rough surfaces and cutting threads.
• Label pipes and wires at each termination point as tagged in the drawings.
• Ensure PE bonding in metallic sheaths and DC-control separation from AC-power.
• Cable trays are of open mesh or basket design without cover; minimize, where possible, horizontal cable trays to reduce dust/debris accumulation; install pipes and wires on a single layer with single clipping (no cable grouping).
• Hydraulic or pneumatic conduits, tubes or pipes shall withstand bursts over 50% of their nominal pressure without leakage or detachment; the conduits require sealed ends on both sides (silicon is forbidden).
2.1.3 Hot Devices
They shall comply with EN-50153:2014; a supply isolating piece (breaker) shall disconnect each one. For AC devices such as motors, servos or VFDs, there shall be no connection between neutral and PE bonding inside the electrical equipment.
2.1.4 Fireproof
All devices in explosive or combustible areas shall provide EN-45545:2009 test reports attesting their burning resistance and/or their ATEX compliance.
2.1.5 Labelling
System marking plates shall comply with MD-2006/42/CE. Cabinets, devices, pipes and wires labels shall comply with EN-50343:2014 and IEC-81346-2:2018:
• Label every device in and out of cabinets.
• Label every pipe and wire at each termination point.
• Label or engrave each cabinet on the door or front cover.
• Labels shall comply with the directives and tags of the provided drawings, such as "+01.002=B3" or "+X01I2=B0", where "+" localizes and "=" identifies.
2.1.6 Cabinets
The control and termination cabinets, as well as their device layouts and cable trays, shall comply with EN-50153:2014 and EN-50343:2014:
• The cabinet doors shall have an opening angle greater than 90°.
• The doors or covers hiding electrical Class III-IV devices (≥ 60 V) shall open with tools or keys only; electrical hazard warning stickers shall highlight them.
• Fulfill EMC/EMI immunity with a bonded metal divider (plate, grid or mesh) or ensure 100 mm free space between Class I-II devices and Class III-IV ones.
• Ensure PE bonding continuity with metallic connectors and cable glands.
• Enter the conduits by the bottom or sides (not by top, front or back).
• Fulfill the Electrical Main Switch and Non-Electrical Main Valves requirements.
2.1.7 Bonding
Protective Earth equipotential bonding shall comply with EN-50153:2014:
• Share the selected Neutral Earthing Method at the electrical main supply.
• Identify PE conductors with GREEN-YELLOW or any combination of these.
• Impedance between PE bonding and structural parts shall remain ≤ 50 mΩ.
• Ensure PE bonding continuity in all metallic cable sheaths or armouring.
• Segregate PE, Neutral VAC and 0 VDC in every cabinet and cable tray.
• Do not use system structural parts as PE bonding conductors.
2.2 Safety
Machinery must be designed and constructed so that it is fitted for its function, and can be operated, adjusted and maintained without putting persons at risk when these operations are carried out under the conditions foreseen but also under any reasonably foreseeable misuse thereof, i.e. MD-2006/42/CE.
2.2.1 Risks Assessment
As defined in ISO-12100:2010, the SRP/CS designs (ISO-13849-1:2015) and validations (ISO-13849-2:2012) shall reach the eligible PLr and category. The shared Hazards Inventory, Risks Evaluation and Risks Reduction shall be done per actuator or energy; if irreversible injuries are foreseeable, the SRP/CS shall rate PLd/PLe under Category #3/#4 instead of invoking Information-for-Use.
2.2.2 Electrical Main Switch
It shall comply with IEC-60204-1:2016 and ISO-14118:2018 to filter, isolate and disconnect any electrical energies with the following protective features:
• 3-Phase + Neutral EMC/EMI filter and overload protection at the main drop.
• The I/ON and O/OFF labels shall indicate the switch positions (power status).
• The I/ON position shall keep the main cabinet door closed unless authorized skilled or instructed persons use a tool or key to bypass it for maintenance.
• The O/OFF position (disconnected state) can be mechanically locked with a padlock or trapped-key to prevent any unexpected Startup.
2.2.3 Non-Electrical Main Valves
For all pneumatic or hydraulic supplies, provide overload protection, dirt filter, isolation switch and quick disconnect; add to each of them On-Off valves with a gradual pressure build-up in downstream position (soft-start / quick exhaust).
2.2.4 Safety Related Parts
The SRP/CS such as Active Safe Guards, Emergency Brakes or Deadman Switch shall comply with IEC-61508:2010, IEC-62061-A2 and EN-14033-3 and provide:
• Every related paper, specification, certificate, drawing, logic and manual.
• Energies containment in case of safe guard(s) error or emergency brakes.
• Safety Reset to reset Active Safe Guards or Emergency Brakes without initiating hazardous operation; then only Active Safe Guards feedbacks shall enable the Startup that initiates the unsafe actuators energization.
• Redundant Air and Hydraulic Valves to cut unsafe non-electrical actuators.
• Redundant 3-Phase Electrical Breakers to cut unsafe electrical actuators.
• Safe-Stop or Safe-Limited-Speed for redundant certified actuators.
2.2.5 Active Safe Guards
The Active Safe Guards shall prevent any potential hazardous motion and comply with ISO-13855:2010, ISO-14119:2013, IEC-60204-1:2016 and EN-62290:2014.
• They refer to guard interlocks, presence sensors, light curtains, Speed-Mooring-Brakes or UTOs (U-Sonic scanners, 3D cameras, GPS, INS, LiDAR and MWR).
• Only Two-Hand or Deadman Switches may bypass Active Safe Guards to enable the Redundant-Certified-Actuators while all Unsafe-Actuators remain disabled.
• Presence-Sensors or Light-Curtains Muting shall comply with ISO-13849-1:2015.
• The fixed or moveable Guards interlocks shall offer an escape means for anyone trapped inside; padlocks or trapped-keys shall secure against inappropriate guards closing; irreversible fasteners shall avoid any work-around.
2.2.6 Emergency Brakes
They shall comply with EN-14033-1:2017 and ISO-13850:2015; nothing can bypass Emergency Brakes; they shall prevent hazardous motion; their locations shall not be next to a Stop/OFF Push-button and shall prevent accidental pushing. The driver shall be informed if the system is not in service.
2.2.7 Speed, Mooring and Brakes
The SRP/CS involved in those features shall comply with EN-14033-1:2017 and EN-16185-1:2014; that means a Category #3 fault detection design rated PLd (SIL2) to stop the train in any operated case and to prevent any unexpected Startup. In case of Emergency Brakes, the mooring and traction are disabled while the brakes shall absorb the train kinetic energy; in normal operation, the mooring circuit shall coordinate the braking pressure with the train speed.
3 SYSTEM SECURITY
3.1 Control System
It aggregates HMIs and PLCs to control machineries; every system device shall:
• Provide electronic crash-recovery backup on IS/IT approved media storage.
• Integrate only pieces of hardware or software approved by the original vendor.
• Replace HW/SW pieces before their obsolescence or security support end.
The data access shall avoid OPC-DA and use OPC-UA on the L2 Asynchronous Network. The execution shall provide the OPC-UA authentication feature based on certificates managed by OPC-GDS Push (Global Discovery Server) and implement OPC-UA authorization if the control system requires User Roles based on User Login.
3.1.1 IS/IT Policies
They claim for Service-Level #2 or #3 vs ISO-27000:2018 and IEC-62443-3-3:2013. Every device on the L2 Asynchronous Network or on a public cellular network (like xG) shall:
• Apply security fixes for CVEs under the following SLO if CVSS ≥ 7:
  • 7 days for systems on a public cellular network (like xG).
  • 30 days for systems on the L2 Asynchronous Network.
• Report once a year the following information for every asset:
  • IP address, Systems & Applications names, Users roles and credentials.
  • Security support end date by original software vendors and by suppliers.
  • List of CVSS ≥ 7.0 applicable to the hardware for patches not yet applied.
• Update once a year firmware, operating system and software with the latest fixes.
• Change once a year every Psw/Pin with uncompromising credentials policies.
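The patch SLO above (CVSS ≥ 7: 7 days on a cellular network, 30 days on the L2 Asynchronous Network) and the yearly "patches not yet applied" report are easy to get wrong by hand once a train carries forty addressed assets. The following Python is an added example, not part of the SPENO guideline: it tracks findings per asset against the SLO clock of the asset's network and produces the per-asset list of unapplied CVSS ≥ 7 fixes. Asset names follow the L2 address table of §3.4.1; the CVE identifiers, scores and dates in the sample are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation SLOs from the IS/IT Policies paragraph: a CVE with CVSS >= 7
# must be fixed within 7 days on a public cellular (xG) network and within
# 30 days on the L2 Asynchronous Network.
CVSS_THRESHOLD = 7.0
SLO_DAYS = {"cellular": 7, "l2": 30}


@dataclass
class Finding:
    asset: str              # asset name as in the yearly asset report
    network: str            # "cellular" or "l2"
    cve: str                # placeholder ids below, not real CVE numbers
    cvss: float
    published: date         # date the vendor fix became available
    patched: Optional[date] = None


def deadline(f: Finding) -> date:
    """Latest date the fix may be applied under the SLO of its network."""
    return f.published + timedelta(days=SLO_DAYS[f.network])


def status(f: Finding, today: date) -> str:
    """Classify one finding against the SLO on the given day."""
    if f.cvss < CVSS_THRESHOLD:
        return "below-threshold"      # tracked, but no SLO clock runs
    if f.patched is not None:
        return "fixed-on-time" if f.patched <= deadline(f) else "fixed-late"
    return "open-overdue" if today > deadline(f) else "open"


def unpatched_by_asset(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """CVSS >= 7 fixes not yet applied, grouped per asset: the list the
    yearly report must contain (regardless of whether the SLO has lapsed)."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.cvss >= CVSS_THRESHOLD and f.patched is None:
            out.setdefault(f.asset, []).append(f.cve)
    return out


# Constructed sample findings (placeholder CVE ids, scores and dates).
SAMPLE = [
    Finding("Touch-Panel Cab A", "l2", "CVE-PLACEHOLDER-1", 9.8, date(2021, 2, 15)),
    Finding("Remote Access", "cellular", "CVE-PLACEHOLDER-2", 7.5, date(2021, 3, 28)),
    Finding("Train Laptop", "l2", "CVE-PLACEHOLDER-3", 5.0, date(2021, 3, 1)),
    Finding("Work PLC Master", "l2", "CVE-PLACEHOLDER-4", 8.1, date(2021, 1, 1),
            patched=date(2021, 1, 20)),
]


def slo_report(findings: List[Finding] = SAMPLE, today: date = date(2021, 3, 31)) -> Dict[str, str]:
    """Map each CVE id to its SLO status on the given day."""
    return {f.cve: status(f, today) for f in findings}


if __name__ == "__main__":
    for cve, st in slo_report().items():
        print(f"{cve}: {st}")
    print(unpatched_by_asset(SAMPLE, date(2021, 3, 31)))
```

On 31 March 2021 the sample yields one overdue finding (the Touch-Panel, whose 30-day window closed on 17 March), one still open inside its 7-day cellular window, one below the threshold and one fixed on time; the report for the year lists the two unapplied fixes under their assets.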
3.1.2 Remote Access
Two choices keep control systems secure from someone accessing remotely:
• First, an SSL-VPN to a Train Touch-Panel using proper credentials as SI-Adm.
• As a second choice, a Teams screen sharing as an immediate tactical solution, where nothing occurs without a local SI-Adm user session.
3.1.3 Validation Plan
The next E&A milestones endorse E&A good practices within an approved VMP:
[Table: E&A Milestones: URS Review + FMEA, Functional Review, Design Specification, PLC & HMI Coding, RCM Ready, Modular Testings, Manual Checkups, Maintenance Tests, Production Tests, FAT Ready, 1st Run Successful, Qualification Ready, IQ-OQ-PQ Support, FAT Successful, SAT Ready; phases Offline, Online and Release; E&A Documents HDS, DRW, SDS, PRG and TST in versions V0, V1 and V2, each phase with HW, SW and QC columns.]
3.1.4 E&A Documents
Those cited in the Validation Plan shall demonstrate that all systems comply with EN-50155:2017 and endorse the E&A good practices, where:
• All tags, aliases and faceplates match the P&ID drawings names.
• Hardware drawings and Labellings comply with IEC-81346-2:2018.
• Design patterns may endorse good practices such as IEC-62714-1:2018.
• All tags, mnemonics, descriptions, comments and instructions are in English.
The test sheets require the Risk-Assessment, I/O, Parameters and Alarms lists.
[Figure: Remote Access: a 3rd Party Computer (SI Adm) reaches the Local Touch-Panel (SI Adm session) over the SI WAN through the SSL VPN.]
3.2 HMIs System
The HMIs requirements are split into two chapters; this one describes connectivity to the IT Network; the next User Interface chapter describes features such as Basics, User Access and Navigation Bar for the visualization application.
3.2.1 Hard-wired HMIs
If hazardous operations may cause irreversible injuries, all push-buttons shall be hard-wired. See §User Interface HMIs Basics on how the stack-lights and the push-buttons shall comply with IEC-60204-1:2016.
3.2.2 Touch-Panel HMIs
They integrate the L2 Asynchronous Network if database access is required. IT provides the Touch-Panel HMIs hardware and operating system. IT shall validate the visualization software. Any software not validated by IT requires a risk assessment to identify risks versus IT security.
The visualization application shall integrate User Access Active Directory, while its life cycle management has to be set up to ensure compatibility with the IS/IT Policies validated hardware and software roadmap.
The project tool shall handle multiple targets held by multiple programmers.
3.3 PLCs System
In addition, the supplier shall integrate PLCs with the following features:
• Minimum of 20% spare for PLC memory, Tags and I/O Quantities.
• A safety logic (hardware or software) to control Safety Related Parts.
• The PLCs shall permit remote access for diagnostic and troubleshooting through the L1 Synchronous Network with one Ethernet port.
• A separate Ethernet port using a different IP address, with potential IO-Link gateways, shall link to the L0 Synchronous Fieldbus.
The project tool shall handle multiple targets held by multiple programmers and comply with IEC-61131-3:2013 for the ST, LD or FBD programming languages.
3.3.1 Maintenance
As mentioned in EN-17023:2018, the PLCs system shall provide, through the Train Interface, Condition-Based Monitoring (CBM) to collect and contextualize data for production improvement as well as for Maintenance, Repair & Overhaul (MRO); such data may establish trends, predict failures and calculate remaining life; this curative dependability management is more efficient for Reliability, Availability, Maintainability & Safety (RAMS) than the old-school palliative maintenance.
3.3.2 Instruments
As specific parts of PLCs, the instruments associated with CCPs (Critical Control Points) and OPRPs (Operational Pre-Requisite Points) belong to an approved bill of materials; other choices require individual approvals.
The previously mentioned instruments shall come with their calibration certificates and their maintenance/validation plans. If calibration is not applicable, a gage R&R (repeatability & reproducibility) is required.
The supplier shall provide energies consumption monitoring (such as Electricity in kWh, Hydraulic in liters or Air Pressure in m3, etc.), at least for the energies that are mentioned in §System Model Energies or §Train Interface Energies.
3.3.3 Traceability
The control system shall provide logic to build unique traceable Identifiers for each railroad pass PK, updated segment by segment.
The PKs Trace may record contextual information (segment, parameters, reports, status, configurations, timestamp, content, authentication, etc.) that characterizes reprofiled PKs; see §Train Interface PK Type.
3.4 IP Address
There are two kinds of communication bus, the asynchronous and the synchronous.
3.4.1 L2 Asynchronous
It serves high-level data sharing; ".xxx." is different from one train to another.
Features IP Address
Reserved 192.168.xxx.00
PC-UTO Cab A 192.168.xxx.01
PC-UTO Cab B 192.168.xxx.02
Touch-Panel Cab A 192.168.xxx.03
Touch-Panel Cab B 192.168.xxx.04
ESA-Panel Cab A 192.168.xxx.05
ESA-Panel Cab B 192.168.xxx.06
Train Laptop 192.168.xxx.07
Reserve 192.168.xxx.08
Remote Access 192.168.xxx.09
Work PLC Master 192.168.xxx.10
Work PLC Slave 1 192.168.xxx.11
Work PLC Slave 2 192.168.xxx.12
Work PLC Slave 3 192.168.xxx.13
Work PLC Slave 4 192.168.xxx.14
Contactless Slave A 192.168.xxx.15
Contactless Slave B 192.168.xxx.16
GPS-Receiver Cab A 192.168.xxx.17
GPS-Receiver Cab B 192.168.xxx.18
Vehicle PLC Master 192.168.xxx.19
PC Supervisor Cab A 192.168.xxx.20
Probe MPT 0 Cab A 192.168.xxx.21
Probe MPT 1 Cab A 192.168.xxx.22
PC Supervisor Cab B 192.168.xxx.23
Probe MPT 0 Cab B 192.168.xxx.24
Probe MPT 1 Cab B 192.168.xxx.25
T° Recorder Cab A 192.168.xxx.26
T° Recorder Cab B 192.168.xxx.27
PC AGS Cab A 192.168.xxx.28
PC AGS Cab B 192.168.xxx.29
PC KLD Cab A 192.168.xxx.30
PC KLD Cab B 192.168.xxx.31
Printer Cab A 192.168.xxx.32
Printer Cab B 192.168.xxx.33
PC HC Cab A 192.168.xxx.34
PC HC Cab B 192.168.xxx.35
PC ODS Cab A 192.168.xxx.36
PC ODS Cab B 192.168.xxx.37
PC ODS Elag Cab A 192.168.xxx.38
PC ODS Elag Cab B 192.168.xxx.39
To complete the range, 255.255.000.000 is the subnet mask.
[Figure: Network and tag-tree diagram. The L2 Asynchronous Common Bus - TCMS links the Touch Panels, the Remote Access, the Vehicle PLC Master (head of the L1 Synchronous Vehicle Bus) and the Work PLC Master (head of the L1 Synchronous Work Bus). Tag tree per wagon-unit: +CabAvehicule / +CabBvehicule with +Vehicle =Panel and +Network =Panel, =Warn, =UTO, =State (Exec, Stop, StUp, Reset, E-stop); +Energies with =Engine (rpm, T), =Hydraulic (bar, T), =AirPressure (bar, T), =Safety (Emergency, Power-cut), =Electrical (Hz, V, A), =HVAC-Lights (V), =Batteries (%, V, A, A, T), =Warn (Fire-warn); +Traction with =Vehicle (Max, Safe-Park, Km/h), =Brake (Normal, Manual, Emergency), =Mode (Travel %, Reverse, Neutral, Drive, Manual, Maintain, Produce, Run); +CabAwork / +CabBwork with +Work, +Network (=Panel, =GPS, =AGS, =ODS), +Chariot (=Spacer-Y, =Unlock, =Down), +Cleaner (=LevelCross, =Firewall, =Purge, =Down), =WaterTank; +CMeas with =TPM, =LPM, =TGM, =Mrm, =Rets, =Panel; +CR+CL with +M01 … +M12 (=Spndl-C, =Servo-Z, =Servo-A, =Spacer-Y) and +Chariot (=LevelCross, =Spacer-Y, =Curve-Y, =Curve-C, =Chuck, =Down, =Unlock, =UTO); +Coupling =Panel. Cab A and Cab B each group CReprofiler, CLeaner, Traction, Energies and CMeas.]
3.4.2 L1 Synchronous
It serves low-level data control; those addresses are the same on every train.
Features IP Address Subnet Mask
Work PLC Master (+192.168.xxx.10) 10.00.00.00 255.00.00.00
CabB Work.InpOut 10.00.00.01 255.00.00.00
Touch-Panel (+192.168.xxx.04) 10.00.00.99 255.00.00.00
. . . ... 255.00.00.00
Slave CMeasB 10.00.01.00 255.00.00.00
Chariot.InpOut 10.00.01.01 255.00.00.00
. . . ... 255.00.00.00
Slave CReprofiler01 10.01.00.00 255.00.00.00
Chariot.InpOut 10.01.00.01 255.00.00.00
Cleaner.InpOut 10.01.00.02 255.00.00.00
. . . ... 255.00.00.00
M01.InpOut 10.01.01.01 255.00.00.00
M01.SpndlC 10.01.01.02 255.00.00.00
M01.ServoZ 10.01.01.03 255.00.00.00
M01.ServoA 10.01.01.04 255.00.00.00
. . . ... 255.00.00.00
Mee.InpOut 10.01.ee.01 255.00.00.00
Mee.mm 10.01.ee.mm 255.00.00.00
. . . ... 255.00.00.00
M12.InpOut 10.01.12.01 255.00.00.00
M12.SpndlC 10.01.12.02 255.00.00.00
M12.ServoZ 10.01.12.03 255.00.00.00
M12.ServoA 10.01.12.04 255.00.00.00
. . . ... 255.00.00.00
Slave CReprofileruu 10.uu.00.00 255.00.00.00
Chariot.InpOut 10.uu.00.01 255.00.00.00
Cleaner.InpOut 10.uu.00.02 255.00.00.00
. . . ... 255.00.00.00
M01.InpOut 10.uu.01.01 255.00.00.00
M01.SpndlC 10.uu.01.02 255.00.00.00
M01.ServoZ 10.uu.01.03 255.00.00.00
M01.ServoA 10.uu.01.04 255.00.00.00
. . . ... 255.00.00.00
Mee.InpOut 10.uu.ee.01 255.00.00.00
Mee.mm 10.uu.ee.mm 255.00.00.00
. . . ... 255.00.00.00
M12.InpOut 10.uu.12.01 255.00.00.00
M12.SpndlC 10.uu.12.02 255.00.00.00
M12.ServoZ 10.uu.12.03 255.00.00.00
M12.ServoA 10.uu.12.04 255.00.00.00
. . . ... 255.00.00.00
Slave CMeasA 10.99.98.00 255.00.00.00
Chariot-InpOut 10.99.98.01 255.00.00.00
. . . ... 255.00.00.00
CabA Work.InpOut 10.99.99.01 255.00.00.00
Touch-Panel (+192.168.xxx.03) 10.99.99.99 255.00.00.00
Vehicle Bus may use the same address as Work Bus due to the separation.
Vehicle PLC Master (+192.168.xxx.19) 10.00.00.00 255.00.00.00
CabB Vehicle.InpOut 10.00.00.01 255.00.00.00
Panel 10.00.00.99 255.00.00.00
. . . ... 255.00.00.00
. . . ... ...
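The address plan above is regular enough to generate and audit rather than maintain by hand. The following is an added example, not part of the SPENO guidelines: it expands the 10.uu.ee.mm scheme for a train with a chosen number of reprofiler units and motors (those counts are parameters, not values from the table), flags duplicate and non-assignable addresses, and lists the addresses that would collide if the Work and Vehicle buses were ever bridged.

```python
import ipaddress

# The table's scheme: 10.uu.ee.mm with mask 255.0.0.0 on the L1 Synchronous Work Bus,
# uu = wagon-unit slave, ee = equipment, mm = module. Device names are the table's; the
# number of reprofiler units and motors per unit are parameters of this example.
BUS_NET = ipaddress.ip_network("10.0.0.0/8")
MOTOR_MODULES = ("InpOut", "SpndlC", "ServoZ", "ServoA")  # mm = 01..04 per motor, as in the table


def l1_address(uu, ee, mm):
    """Return 10.uu.ee.mm as an IPv4Address, rejecting octets outside 0..255."""
    for octet in (uu, ee, mm):
        if not 0 <= octet <= 255:
            raise ValueError(f"octet {octet} out of range for 10.uu.ee.mm")
    return ipaddress.IPv4Address(f"10.{uu}.{ee}.{mm}")


def work_bus_plan(reprofilers, motors_per_unit):
    """Expand the table for uu = 01..reprofilers CReprofiler units with ee = 01..motors_per_unit motors."""
    plan = {
        "Work PLC Master": l1_address(0, 0, 0), "CabB Work.InpOut": l1_address(0, 0, 1),
        "Touch-Panel B": l1_address(0, 0, 99), "Slave CMeasB": l1_address(0, 1, 0),
        "CMeasB Chariot.InpOut": l1_address(0, 1, 1),
    }
    for uu in range(1, reprofilers + 1):
        unit = f"CReprofiler{uu:02d}"
        plan[f"Slave {unit}"] = l1_address(uu, 0, 0)
        plan[f"{unit} Chariot.InpOut"] = l1_address(uu, 0, 1)
        plan[f"{unit} Cleaner.InpOut"] = l1_address(uu, 0, 2)
        for ee in range(1, motors_per_unit + 1):
            for mm, module in enumerate(MOTOR_MODULES, start=1):
                plan[f"{unit} M{ee:02d}.{module}"] = l1_address(uu, ee, mm)
    plan.update({
        "Slave CMeasA": l1_address(99, 98, 0), "CMeasA Chariot.InpOut": l1_address(99, 98, 1),
        "CabA Work.InpOut": l1_address(99, 99, 1), "Touch-Panel A": l1_address(99, 99, 99),
    })
    return plan


# The Vehicle Bus rows of the table (same numbers as the Work Bus, relying on physical separation).
VEHICLE_BUS_PLAN = {
    "Vehicle PLC Master": l1_address(0, 0, 0), "CabB Vehicle.InpOut": l1_address(0, 0, 1),
    "Panel": l1_address(0, 0, 99),
}


def audit(plan):
    """Findings to clear before commissioning: duplicate addresses, and addresses that are the
    network or broadcast address of the /8 and therefore not assignable to a host."""
    findings, seen = [], {}
    for name, addr in plan.items():
        if addr in seen:
            findings.append(f"duplicate {addr}: {seen[addr]} and {name}")
        seen[addr] = name
        if addr in (BUS_NET.network_address, BUS_NET.broadcast_address):
            findings.append(f"{name} uses {addr}, the network/broadcast address of {BUS_NET}")
    return findings


def bridged_conflicts(work_plan, vehicle_plan):
    """Addresses that collide the moment the Work Bus and the Vehicle Bus are bridged or routed together."""
    return sorted(set(work_plan.values()) & set(vehicle_plan.values()))


if __name__ == "__main__":
    plan = work_bus_plan(reprofilers=2, motors_per_unit=12)
    print(len(plan), "Work Bus hosts")
    print("\n".join(audit(plan)))
    print("collide if bridged:", [str(a) for a in bridged_conflicts(plan, VEHICLE_BUS_PLAN)])
```

On a two-unit train the audit reports the one non-assignable address (the PLC Master at 10.0.0.0) and the bridge check returns the three cabin B addresses shared by both plans, which is the concrete reason the physical separation between the buses must be preserved.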
SPENO INTERNATIONAL SA
E&A Guidelines for Railreprofiler Control Systems
SYSTEM SECURITY Page 9 / 27
SPENO INTERNATIONAL SA CH-1217 Meyrin. All rights reserved, do not share without written approval. ST-AUT_Guidelines_VI3e.docx
Modbus Map  The L2 Asynchronous Network hosts Modbus TCP/IP. The Work-PLCMaster (192.168.xxx.10) acts as data server: every client initiates its own periodic queries (period in ms) to the Work-PLCMaster, reading or writing at the offset and with the attributes defined below. Each client may size its own range inside the 1000 bytes limit. Modbus TCP carries no authentication or integrity protection of its own, so the Read-Only / Read-Write split below is enforced only by the server's table layout and by keeping every host that is not a listed client off the L2 network.

• One Boolean Read-Only table where to READ status.

Clients | Bit Offset | Period | Size
--- | --- | --- | ---
Alarms & Status from Work-PLCMaster | 0000-… | 10 ms | 1500 bits
Commands to Vehicle-PLCMaster | 1500-… | 100 ms | 500 bits
Commands to SupervisorMeas | 2000-… | 100 ms (36 km/h) | 500 bits
Commands to HMI | 3000-… | 500 ms | 500 bits
Commands to ODS | 4000-… | 10 ms (36 km/h, §200 mm) | 500 bits
Commands to GPS | 5000-… | 100 ms (36 km/h) | 500 bits
Commands to AGS | 6000-… | 100 ms (36 km/h) | 500 bits

• One INTeger Read-Only table where to READ values.

Clients | Byte Offset | Period | Size
--- | --- | --- | ---
Reports from Work-PLCMaster | 0000-… | 20 ms | 800 bytes
Parameters to Vehicle-PLCMaster | 1500-… | 200 ms | 400 bytes
Parameters to SupervisorMeas | 2000-… | 200 ms (36 km/h) | 200 bytes
Parameters to HMI | 3000-… | 1000 ms | 1000 bytes
Parameters to ODS | 4000-… | 20 ms (36 km/h, §200 mm) | 200 bytes
Parameters to GPS | 5000-… | 200 ms (36 km/h) | 200 bytes
Parameters to AGS | 6000-… | 200 ms (36 km/h) | 1000 bytes

• One Boolean Read/Write table where to WRITE status.

Clients | Bit Offset | Period | Size
--- | --- | --- | ---
Alarms & Status to Work-PLCMaster | 0000-… | 10 ms | 1500 bits
Status from Vehicle-PLCMaster | 1500-… | 100 ms | 500 bits
Status from SupervisorMeas | 2000-… | 100 ms (36 km/h) | 500 bits
Status from HMI | 3000-… | 500 ms | 500 bits
Status from ODS | 4000-… | 10 ms (36 km/h, §200 mm) | 500 bits
Status from GPS | 5000-… | 100 ms (36 km/h) | 500 bits
Status from AGS | 6000-… | 100 ms (36 km/h) | 500 bits

• One INTeger Read/Write table where to WRITE values.

Clients | Byte Offset | Period | Size
--- | --- | --- | ---
Parameters to Work-PLCMaster | 0000-… | 20 ms | 800 bytes
Reports from Vehicle-PLCMaster | 1500-… | 200 ms | 400 bytes
Reports from SupervisorMeas | 2000-… | 200 ms (36 km/h) | 200 bytes
Reports from HMI | 3000-… | 1000 ms | 1000 bytes
Reports from ODS | 4000-… | 20 ms (36 km/h, §200 mm) | 200 bytes
Reports from GPS | 5000-… | 200 ms (36 km/h) | 200 bytes
Reports from AGS | 6000-… | 200 ms (36 km/h) | 1000 bytes
Figure: the Modbus Server (Work-PLCMaster) exposes four tables, Boolean Read-Only, Boolean Read/Write, Integer Read-Only and Integer Read/Write, each indexed by bit or byte offset 1..n; Client 1, Client 2, … each read and write their own Boolean and Integer ranges.
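Because Modbus TCP itself cannot tell clients apart, the ranges above are only meaningful if something enforces them. The following is an added example, not code from the SPENO guidelines: a small Modbus/TCP request parser plus the policy a Modbus-aware filter (or the server's own request validation) would apply to the map. It assumes a standard object mapping that the page does not state (Boolean Read-Only as discrete inputs, Integer Read-Only as input registers, Boolean Read/Write as coils, Integer Read/Write as holding registers, byte offsets converted to 16-bit register addresses) and a policy, also assumed, that any client may read the whole published table while a client may write only inside its own row.

```python
import struct

# Client rows of the Modbus Map as (offset, size): bit offsets/sizes for the Boolean tables,
# byte offsets/sizes for the INTeger tables. The R/O and R/W tables share one layout.
BOOL_ROWS = {"Work-PLCMaster": (0, 1500), "Vehicle-PLCMaster": (1500, 500), "SupervisorMeas": (2000, 500),
             "HMI": (3000, 500), "ODS": (4000, 500), "GPS": (5000, 500), "AGS": (6000, 500)}
INT_ROWS = {"Work-PLCMaster": (0, 800), "Vehicle-PLCMaster": (1500, 400), "SupervisorMeas": (2000, 200),
            "HMI": (3000, 1000), "ODS": (4000, 200), "GPS": (5000, 200), "AGS": (6000, 1000)}

# Assumed mapping of the four tables onto standard Modbus function codes:
# Boolean R/O -> discrete inputs (FC 2), INTeger R/O -> input registers (FC 4),
# Boolean R/W -> coils (FC 1, 5, 15), INTeger R/W -> holding registers (FC 3, 6, 16).
READ_FC = {1: "bool", 2: "bool", 3: "int", 4: "int"}
WRITE_FC = {5: "bool", 15: "bool", 6: "int", 16: "int"}


def row_span(kind, client):
    """[start, end) address span of a client's row; byte offsets become 16-bit register addresses."""
    off, size = (BOOL_ROWS if kind == "bool" else INT_ROWS)[client]
    return (off, off + size) if kind == "bool" else (off // 2, (off + size) // 2)


def build_request(fc, start, count, unit=1, tid=1):
    """Encode an MBAP header + PDU for a constructed test request. For FC 5/6 `count` is the value."""
    pdu = struct.pack(">BHH", fc, start, count)
    if fc == 15:                                   # write multiple coils: byte count + packed bits
        pdu += bytes([(count + 7) // 8]) + b"\xff" * ((count + 7) // 8)
    elif fc == 16:                                 # write multiple registers: byte count + words
        pdu += bytes([2 * count]) + b"\x00" * (2 * count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame):
    """Return (fc, start, count) from a Modbus/TCP request, rejecting malformed MBAP headers."""
    if len(frame) < 12:
        raise ValueError("short frame")
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:     # protocol id must be 0; length covers unit+PDU
        raise ValueError("bad MBAP header")
    start, count = struct.unpack(">HH", frame[8:12])
    return fc, start, (1 if fc in (5, 6) else count)  # single writes address exactly one item


def check_request(client, frame):
    """Filter policy in front of the Work-PLCMaster: reads anywhere inside the published table,
    writes only inside the requesting client's own row, no other function codes."""
    fc, start, count = parse_request(frame)
    end = start + count
    if fc in READ_FC:
        spans = [row_span(READ_FC[fc], c) for c in BOOL_ROWS]
        lo, hi = min(s for s, _ in spans), max(e for _, e in spans)
        return "allow" if lo <= start and end <= hi else "deny:outside-table"
    if fc in WRITE_FC:
        lo, hi = row_span(WRITE_FC[fc], client)
        return "allow" if lo <= start and end <= hi else "deny:outside-own-row"
    return "deny:function-code"


if __name__ == "__main__":
    # Constructed requests: the HMI reading the Work-PLCMaster alarms, writing its own status row,
    # then trying to write into the Vehicle-PLCMaster row.
    for client, fc, start, count in (("HMI", 2, 0, 1500), ("HMI", 15, 3000, 500), ("HMI", 15, 1500, 10)):
        print(client, fc, start, count, "->", check_request(client, build_request(fc, start, count)))
```

The client identity in `check_request` would come from the source address on L2 in a real deployment; the function-code allow-list matters as much as the ranges, since diagnostics and file-transfer function codes give a client far more than the four tables.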
4 SYSTEM MODEL

Standardized Modes, States, Alarms, Instances, OEE and Semantics simplify the implementation of systems from multiple suppliers, as called for by EN-50128:2011 and EN-50567:2017. This rational model eases IIoT integration and provides Condition-based Monitoring (CBM) for Maintenance, Repair & Overhaul (MRO).
Modes  Those apply totally to Trains or Wagon-Units and partially to Equipment or Modules.

System Modes | Access | Description (colors based on EN-16186-3:2016)
--- | --- | ---
Vehicle: Travel (Latent) | Oper. | A locomotive hauls the railreprofiler in normal traffic according to EN-14033 for Speed, Mooring and Brakes. All profile features shall be in E-Stop.
Vehicle: Run (Latent) | Oper. | The railreprofiler runs as a normal train in normal traffic according to EN-14033 for Speed, Mooring and Brakes. All profile features shall be in E-Stop.
Work: UTO (Automatic) | Oper. | Production vs Unattended Train Operation (U-Sonic scanners, 3D cameras, GPS, INS, LiDAR and MWR).
Work: Production (Automatic) | Any one | It reprofiles segments following the ordered Pass constraints; the Train synchronizes OEE and Pattern. All profile stages shall be in Automatic.
Work: Maintenance (Planned) | Oper. | It reprofiles segments without any ordered Pass constraints. It allows maintenance, repair, overhaul, adjustment or bypass. It refers to Planned activities.
Work: Manual (Latent) | Sup. | It controls every system if protective guardings neutralize known dangers (i.e. commissioning or setting). No Execute compared to Maintenance.

Sub-modes associated to Work modes | Access | Description
--- | --- | ---
Pattern | Oper. | Switching from one Pattern to another one.
Clean | Oper. | Cleaning the systems vs standard procedures.
Slow-Speed | Any one | It reduces the systems' speed to adjust the Pass rate.
Single-Cycle | Any one | It executes the systems segment by segment, with the Start button pushed each time by the operator.
Limp-Home | Sup. | Allows the systems to bypass selected devices (*).
CoMot / Jog | Sup. | Cooperative Motion Speed versus distance (*): nobody inside, Nominal or Slow Motion Speed; somebody inside, Safe-Speed with Deadman; unguarded or no Deadman switch, Safe-Stop.
Setup | Sup. | It operates mechanical adjustments, trials and testing; this mode scraps every reprofiled PK (*).
Dry-Work | Sup. | Lets the systems work without profile devices (*).
Hibernate | Any one | Switching off all Unsafe-Actuator energies after a pre-defined delay without profile or moving.
FailSafe | Sup. | Switching controls to be as tolerant as possible to likely failures, using the devices' embedded logics (*).

• The Work Modes are mutually exclusive (Production, Maintenance, Manual).
• The others are not mutually exclusive but they are tied to one Work Mode at a time.
(*) means "this mode can be set from Maintenance or Manual modes only".
Figure (class diagram): T_ Train, with its Admin data (Cfg, Cmd, Sts, Params, Reports: TrainAdm, TrainCmd, TrainSts), owns 1...* _Wu_ WagonUnit; a WagonUnit owns 1...* _Wu_Eq_ Equip.; an Equipment owns 0...* Wu_Eq_Mdl modules, specialized as Mdl_Actuator and Mdl_Instrument. Managers Mgr_OEE, Mgr_Logic, Mgr_Alms, Mgr_Stage and Mgr_Segment are specializations of the base classes attached at these levels.
States  Those apply totally to Trains or Wagon-Units and partially to Equipment or Modules.

System States | Stop Cat. | Description compliant with IEC-60204-1:2016
--- | --- | ---
Safe Guarding: Produce / Exec. | - | Produce PKs versus the downloaded Pattern. Leave it as soon as an Alarm other than Alert occurs.
Safe Guarding: Wait / Hold | Cat. #2 | Halt due to a control system cause request. Back to Execute when the control system cause disappears.
Safe Guarding: Stopped | Cat. #2 | Controlled stop of a system. Press the Start button again to produce, or go to E-Stopping with the Stop button.
Safe Guarding: Stopping | - | Go to a controlled stop and then go to Stopped.
Safe Guarding: Startup(ing) | - | On the Start button, synchronize OEE and Pattern with the ordered Pass while setting the system ready to produce.
Safe Access: In Reset(ting) | - | Activate the Safe Guards and release energies without hazardous motion. With the Start button and a visual-acoustic warning, the system goes to Startup.
Safe Access: E-Stopped | Cat. #0 | Disable the Safe Guards once energies are contained. With the Reset button, go to Reset if the safe guards are active.
Safe Access: E-Stopping | Cat. #1 | Go to an immediate stop; when the system ends, contain the energies of the unsafe actuators and go to E-Stop.

• One Stop button push stops the system and, from the stop state, a 2nd push contains the unsafe-actuator energies before disabling the Active Safe Guards.
• A Reset button push clears the Alarms and enables the Active Safe Guards without initiating hazardous motion; a safe guarding feedback enables the Start button.
• One Start button push starts up the system and, from the stop state, a 2nd push or a "keep pressed" begins the system work.
Instances  It frames data in the PLC versus devices (Train, Wagon-unit, Equip. and Module).

Attribute | Type | Description | Levels (T, Σu, Eq, M; marks as in the source, column alignment lost in extraction)
--- | --- | --- | ---
InOut: Adm_... | Ref_... | To share data with any levels. | ✓✓✓
InOut: Logic | Typ_Logic | Manage the Segment/Stage logic. | ✓✓✓
InOut: Segmt | Typ_Segmt[n] | Manage the Segmented PK data. | ✓
InOut: Stage | Typ_Stage[n] | Manage the Equipment Stage data. | ✓
InOut: KPIs | Typ_KPI | Share KPIs with the Train Instance. | ✓✓
InOut: Cfg_... | BOOL / DINT[n] | To share data with lower levels. | ✓✓✓✓
Input: Cmd_... | BOOL / DINT[n] | For signals coming into the device. | ✓✓✓✓
Input: Train | Typ_Train | Set data from the Train Instance. | ✓✓
Input: Inp_... | DINT[n] / BOOL[n] | For signals coming from physics. | ✓
Input: Par_... | DINT[n] | For data coming into the device. | ✓✓✓✓
Output: Rep_... | DINT[n] | For data going out of the device. | ✓✓✓✓
Output: Out_ | BOOL / DINT[n] | For signals going out to physics. | ✓
Output: Sts_... | BOOL / DINT[n] | For signals going out of the device. | ✓✓✓✓
Output: Train | Typ_Train | Get data for the Train Instance. | ✓✓
Output: Alms | Typ_Alm[n] | Get the device's pending alarm(s). | ✓✓✓
Output: OEE | Typ_OEE[n] | Get the device's effectiveness data. | ✓✓✓✓
Figure (state diagram): the Safe Access states (E-Stopped, E-Stopping, Reset) and the Safe Guarding states (Startup, Stopped, Stopping, Wait, Execute), with the Start button "Keep Pressed" transition into Execute.
4.3.1 Alarms  The control systems shall provide alarm detection with relevant protective measures to prevent risk. The alarm rationalization shall share the What vs Priority#, the Where vs P&IDn, the Why vs Stoppage cause and the When vs time stamp; this information allows faster troubleshooting to reach higher system availability and is key to an efficient Root Cause Analysis. The alarms shall be compatible with IEC-62682-1:2014.

Priority# of Alarm | Effect on System State | Stop Category (IEC-60204-1:2016)
--- | --- | ---
#1 - Crash | E-Stop | 0/1
#2 - Fail | Stop | 2
#3 - Wait-Hold | Wait | 2
#4 - Alert-Warn | No Issue | N/A

(The source table also marks, per priority, whether a User Action and a User Acknowledgement are required, whether the alarm occurs in Safe Access, and in which current states (E-Stop, Startup, Stop, Wait, Exec.) it applies; those marks did not survive extraction.)

• Any alarm that is not a Warn or Alert causes a system state change (Crash, Down, Fail, Hold and Pause).
• Crash initiates an emergency stop that ends with the Safe Guards inactive.
• Down and Fail initiate a normal stop, but Fail does not require recovery logic.
• Hold and Pause initiate a normal stop and self-restart when the Ĉause ends.
• Warn and Alert display information without changing the system state.

It displays rationalized messages in the Alarms Banner at wagon-unit and equipment levels, for example:

a3_ 3_02_002_B0:0, Load Grab Sensor Fail    Dec. 24 • 08:11:47

• Priority of alarm (a3) such as Crash, Down, Fail, Hold, Pause, Warn or Alert.
• P&IDn (3_02_002) to localize the issue versus _Wagon-Unit#_Equipment#_Module#.
• ĈodeĈause (B0:0) versus IEC-81346-2:2018, see Stoppages for details.
• Multilingual description (Load Grab Sensor Fail) and multiformat time stamp (Dec. 24 • 08:11:47).
4.3.2 LogicRAMS  It frames robust logic data for upper devices (N/A for modules); one device owns only one instance. It manages states and attributes for sequential logic.

Attribute | Type | Description
--- | --- | ---
_.Par_Tmr | DINT | To set the logic timeout parameter.
_.Cfg_On | BOOL | To share the active configuration.
_.Cfg_Safe | BOOL | To share the user safe configuration.
_.Cfg_Failsafe | BOOL | To share the failsafe mode configuration.
_.Cfg_Jog | BOOL | To share the jog logic configuration.
_.Ctl_Jog | BOOL | To set the jog step-over control.
_.Ctl_Seq | DINT | To set the sequence control.
_.Ctl_State | DINT | To set the state control.
_.Sts_State | DINT | To get the state status.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_Seqp | DINT | To get the previous sequence status.
_.Sts_Seq | DINT | To get the current sequence status.
_.Sts_Lag | DINT | To get the slowest sequence status.
_.Rep_dT | DINT | To get the working time report.
_.Sts_StateOns | BOOL | To sign a state change status.
_.Sts_SeqOns | BOOL | To sign a sequence change status.
_.Sts_Failsafe | BOOL | To sign the failsafe mode status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Estop | BOOL | To sign the e-stop status.
_.Sts_Done | BOOL | To sign the timeout status.
_.Sts_Safe | BOOL | To sign the safe status.
_.Sts_End | BOOL | To sign the end status.
_.Sts_Jog | BOOL | To sign the jog status.
4.3.3 Segment  It samples each PK's trackside as sized portions; the segment may be sized as the Greatest Common Divisor of the lengths of all profile stages; the segment shift time depends on the train speed:

§shifttime [ms] = 3.6 × §mm / speed [km/h]

(a speed of v km/h is v/3.6 mm per ms, so one segment of §mm passes in 3.6 × §mm / v ms).

Attribute | Type | Description
--- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances.
_.Mgr_Stage | Typ_Stage | To refer to the stage that reprofiles this segment.
_.Par_Length | DINT [mm] | To set the GCD of length between all stages (§mm).
_.Par_PKA | DINT | To set the PK identified from cabin A.
_.Par_PKB | DINT | To set the PK identified from cabin B.
_.Par_Nbr | DINT | To set the number of segments from cab A to B (§nbr).
_.Sts_PassID | DINT | To get the current pass identifier status.
_.Sts_SideID | DINT | To get the current trackside identifier status.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Enable | BOOL | To sign the active segment status (obstacle).
_.Sts_Fail | BOOL | To sign the failed segment status.
_.Rep_GapA | DINT [mm] | To get the distance from cabin A = (§nbr-§#) x §mm.
_.Rep_GapB | DINT [mm] | To get the distance from cabin B = (§nbr-§#) x §mm.
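The shift-time formula is what ties the segment size to the polling periods of the Modbus Map ("20 ms (36 km/h, §200 mm)"). The following is an added example, not code from the SPENO guidelines: it computes §mm as the GCD of the stage lengths, §nbr for a PK span, the shift time, and, by inverting the formula, the highest speed at which a client polling at a given period still observes every segment at least once (the stage lengths used are constructed sample values).

```python
from functools import reduce
from math import gcd


def segment_length_mm(stage_lengths_mm):
    """§mm: the Greatest Common Divisor of all profile stage lengths (Par_Length of each stage)."""
    if not stage_lengths_mm or any(length <= 0 for length in stage_lengths_mm):
        raise ValueError("stage lengths must be positive integers in mm")
    return reduce(gcd, stage_lengths_mm)


def shift_time_ms(segment_mm, speed_kmh):
    """§shifttime [ms] = 3.6 x §mm / speed [km/h]: time for the train to advance one segment."""
    if segment_mm <= 0 or speed_kmh <= 0:
        raise ValueError("segment length and speed must be positive")
    return 3.6 * segment_mm / speed_kmh


def segment_count(pk_a_mm, pk_b_mm, segment_mm):
    """§nbr: number of segments between the PK seen from cabin A and the PK seen from cabin B."""
    span = abs(pk_b_mm - pk_a_mm)
    if segment_mm <= 0 or span % segment_mm:
        raise ValueError("the PK span must be a positive multiple of §mm")
    return span // segment_mm


def max_speed_kmh(segment_mm, poll_period_ms):
    """Highest speed at which a client polling every `poll_period_ms` still sees every segment:
    one poll per §shifttime at least, i.e. period <= 3.6 x §mm / speed, inverted for speed."""
    if segment_mm <= 0 or poll_period_ms <= 0:
        raise ValueError("segment length and period must be positive")
    return 3.6 * segment_mm / poll_period_ms


def period_fits(poll_period_ms, segment_mm, speed_kmh):
    """True when the polling period does not exceed the segment shift time at this speed."""
    return poll_period_ms <= shift_time_ms(segment_mm, speed_kmh)


if __name__ == "__main__":
    stages = [600, 400, 1000]                      # constructed stage lengths in mm
    seg = segment_length_mm(stages)                # 200 mm
    print("§mm =", seg, "§nbr over 2.4 m =", segment_count(0, 2400, seg))
    print("shift time at 36 km/h =", shift_time_ms(seg, 36), "ms")
    print("20 ms polling fits up to", max_speed_kmh(seg, 20), "km/h")
```

At 36 km/h a 200 mm segment shifts every 20 ms, which is exactly the 20 ms period the Integer tables give the ODS client; the 10 ms period of the Boolean tables leaves two polls per segment, so a single lost poll does not skip a segment.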
4.3.4 Stage  A station carries out a finite number of specific actions on related modules to perform finite tasks; the stage interface frames the data linked to one station.

Attribute | Type | Description
--- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances.
_.Mgr_Logic | Typ_Logic | To refer to the logic instance.
_.Par_Angle | DINT [deg°] | To set the profile angle.
_.Par_Current | DINT [Amp] | To set the profile current.
_.Par_Pressure | DINT [PPa] | To set the profile pressure.
_.Par_Length | DINT [mm] | To set the profile stage length.
_.Par_GapA | DINT [mm] | To set the distance between the stage and cabin A.
_.Par_GapB | DINT [mm] | To set the distance between the stage and cabin B.
_.Cfg_DirA | BOOL | To share the vehicle direction from cabin A.
_.Cfg_DirB | BOOL | To share the vehicle direction from cabin B.
_.Cfg_ZerOEE | BOOL | To share the OEE data initialization configuration.
_.Cfg_PatternID | DINT | To share the current pattern identifier configuration.
_.Cfg_StageID | DINT | To share the current stage identifier configuration.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_State | DINT | To get the logic state status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Enable | BOOL | To sign the active stage status.
_.Sts_Fail | BOOL | To sign the failed stage status.
_.Rep_OEE… | DINT[n] | See OEE data for details.
4.3.5 OEE  It frames KPI data by device; the devices may own more than one OEE instance.

Attribute | Type / Unit | Description | Levels (T, Σu, Eq, M; marks as in the source)
--- | --- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances. |
_.Rep_TotalTime | DINT [sec-ms] | Total time. | ✓✓✓✓
_.Rep_ProdTime | DINT [sec-ms] | Producing time. | ✓✓
_.Rep_TotalPKs | DINT [PK] | Total PKs counter. | ✓✓
_.Rep_ProdPKs | DINT [PK] | Produced PKs counter. | ✓✓✓
_.Rep_FailPKs | DINT [PK] | Failed PKs counter. | ✓✓✓
_.Rep_ProdActs | DINT [action] | Produced actions counter. | ✓
_.Rep_FailActs | DINT [action] | Failed actions counter. | ✓
_.Rep_MTTF | DINT [sec-ms] | Mean Time To Fail. | ✓✓✓✓
_.Rep_MTtR | DINT [sec-ms] | Mean Time To Repair. | ✓✓✓✓
_.Rep_Availability | DINT [%x100] | Ratio of ProdTime to TotalTime. | ✓✓
_.Rep_Performance | DINT [%x100] | Ratio of TotalPKs/Acts to ProdTime x Spd. | ✓✓✓✓
_.Rep_Quality | DINT [%x100] | Ratio of ProdPKs/Acts to TotalPKs/Acts. | ✓✓✓✓
_.Rep_OEE | DINT [%x100] | Ratio of ProdPKs/Acts to TotalTime x Spd. | ✓✓✓✓
_.Rep_dT | DINT [ms] | Last Cycle Time (i.e. speed). | ✓✓✓✓
Semantics  Based on the MSDN General Naming Conventions.
• CHOOSE easily readable identifier names and favor readability over brevity.
• USE an English noun or noun phrase to name devices and/or attributes.
• USE PascalCase notation, NOT Hungarian. AVOID conflicts with coding keywords.

4.4.1 Domain Visibility  The domain defines tag visibility as Public-Global or Private-Local.
Public Tag (global visibility): _Tag = "_Wu_Eq" + "Private_Tag", e.g. "_1_02_003_Grind_Sts_End"
Private Tag (local visibility): _Tag = "_Mdl_" + "Prefix_Attribute", e.g. "_003_Grind_Sts_End"
where "_Wu" is the wagon-unit ID, "_Eq" the equipment ID and "_Mdl" the module ID.
4.4.2 Prefix and Attributes

Prefix_ | _Attribute | Name | Description | Dir.
--- | --- | --- | --- | ---
- | _Ack | Acknowledge | To sign single alarm acknowledgements. | -
Adm_ | _Adm | Administrate | To share data anywhere with all devices. | InOut
- | _Alm | Alarm | To sign an alarm (crash, fail, wait or alert). | -
- | _Ana | Analog | To sign an analog device logic. | -
- | _Cam | Camshaft | To sign a camshaft/modulo device logic. | -
Cfg_ | _Cfg | Configuration | To share setup data below the cell level. | InOut
Cmd_ | _Cmd | Command | For data coming into the logic from the upper level. | Input
- | _Cons | Consecutive | To sign consecutive process failures. | -
- | _Ctl | Control | To sign PLC firmware-specific data. | -
- | _Ctr | Counter | To increment numerical data. | -
- | _Dgt | Digital | To sign a digital device logic. | -
- | _Dgx | Digital eXt | To sign an extended digital device logic. | -
- | _Fail | Failure | To sign a failed product (against good product). | -
- | _Failsafe | Failsafe | As failsafe mode (recovery or emulation). | -
- | _...ID | Identifier | To sign multiple identifiers. | -
Inp_ | _Inp | Input | To sign a physical input from a control device. | Input
- | _IPCs | Sample | As Inner Process Control sampling. | -
- | _Jog | Co-Motion | To sign cooperative motion or step-by-step. | -
- | _Lgc | Logic | To manage the logic of a procedural device. | -
- | _Log | Login "User" | To sign a User Login linked to credentials. | -
Mdl_ | - | Module | To specify a physical aggregate to control. | -
Mgr_ | - | Manager | To specify a wagon-unit or equipment. | -
- | _Mode | Mode | To sign the chosen mode of the logic. | -
- | _OEE | O.E.E. | Used for overall equipment effectiveness. | -
Out_ | _Out | Output | To sign a physical output to a control device. | Output
Par_ | _Par | Parameter | For numerical data coming into the logic. | Input
- | _Pls | Pulse | To sign a pulse (flip-flop) device logic. | -
- | _PK | PK Data | To trace a kilometric point on the rail track. | -
- | _Prb | Probe | To sign a probe/gauge device logic. | -
Ref_ | _Ref | Reference | For data structures going through logics. | InOut
Rep_ | _Rep | Report | For numerical data going out of the logic. | Output
- | _Rst | Reset | To sign a reset for acknowledged alarms. | -
- | _...s | Array of ... | To sign a data array (one or more axes). | -
- | _Safe | Safety | To sign process-safe or user-safety data. | -
- | _Segmt | Segment Data | To specify the segmented PK in front of a stage. | -
- | _Seq | Sequencer | To sign a step in a sequenced Logic. | -
- | _Stage | Equip. Data | To specify the stage(s) of equipment attributes. | -
- | _State | State | To sign the chosen state of the logic. | -
- | _Str | String | To sign an alphanumeric character chain. | -
Sts_ | _Sts | Status | For data going out of the logic to the upper level. | Output
- | _Tmr | Timer | To sign a timer driven by clock or ticks. | -
Typ_ / Udt_ | - | User Data Type | Custom data structures adding different types used to pass data to or from the logic. | InOut
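The tag grammar of 4.4.1 and the directions of 4.4.2 together say which tags an upper level (HMI, SCADA, a Modbus client) is entitled to write: Input and InOut prefixes, never Output ones. The following is an added example, not code from the SPENO guidelines; the exact token layout of a tag (_Wu_Eq_Mdl_Name_Prefix_Attribute for public, _Mdl_Name_Prefix_Attribute for private) is read off the two examples on the page and is an assumption.

```python
import re

# Prefixes that carry a data direction in the 4.4.2 table.
PREFIX_DIR = {"Adm": "InOut", "Cfg": "InOut", "Ref": "InOut", "Typ": "InOut", "Udt": "InOut",
              "Cmd": "Input", "Inp": "Input", "Par": "Input",
              "Out": "Output", "Rep": "Output", "Sts": "Output"}

# Assumed token layout, read off the page's two examples:
# public  _Wu_Eq_Mdl_Name_Prefix_Attribute   e.g. _1_02_003_Grind_Sts_End
# private _Mdl_Name_Prefix_Attribute         e.g. _003_Grind_Sts_End
PUBLIC_RE = re.compile(r"^_(\d+)_(\d+)_(\d{3})_([A-Za-z][A-Za-z0-9]*)_([A-Z][a-z]+)_([A-Za-z0-9]+)$")
PRIVATE_RE = re.compile(r"^_(\d{3})_([A-Za-z][A-Za-z0-9]*)_([A-Z][a-z]+)_([A-Za-z0-9]+)$")


def public_tag(wu, eq, private):
    """Build the global tag from the wagon-unit ID, the equipment ID and a valid private tag."""
    if not PRIVATE_RE.match(private):
        raise ValueError(f"not a private tag: {private}")
    return f"_{wu}_{eq:02d}{private}"


def parse_tag(tag):
    """Split a public or private tag into its parts and attach the direction of its prefix."""
    m = PUBLIC_RE.match(tag)
    if m:
        wu, eq, mdl, name, prefix, attr = m.groups()
    else:
        m = PRIVATE_RE.match(tag)
        if not m:
            raise ValueError(f"not a valid tag: {tag}")
        wu = eq = None
        mdl, name, prefix, attr = m.groups()
    if prefix not in PREFIX_DIR:
        raise ValueError(f"unknown prefix {prefix!r} in {tag}")
    return {"wu": wu, "eq": eq, "mdl": mdl, "name": name,
            "prefix": prefix, "attr": attr, "dir": PREFIX_DIR[prefix]}


def writable_from_upper_level(tag):
    """An upper level may set Input/InOut data (Cmd_, Par_, Cfg_, Adm_, Ref_); Sts_, Rep_ and Out_
    are produced by the device itself and must be refused as write targets."""
    return parse_tag(tag)["dir"] != "Output"


if __name__ == "__main__":
    tag = public_tag(1, 2, "_003_Grind_Sts_End")
    print(tag, parse_tag(tag))
    print("HMI may write", tag, "->", writable_from_upper_level(tag))
```

A write request arriving for a `Sts_` or `Rep_` tag is therefore either a configuration mistake or an attempt to spoof status; rejecting it at the tag level complements the range checks on the Modbus tables.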
4.4.3 Tags vs I/O Quantities  The I/O quantity depends on the vehicle (cabins, traction and energies), the chariots and the reprofiler motor quantities. The tag quantity depends on the I/O quantity and type (Wu = Wagon-Unit, Eq. = Profile Equipment). The vehicle I/O is counted once per train; the 10% Safety I/O is included in the per-train rows.

Configuration with 12 motors per Equipment:

I/O Types | DI | DO | AI | AO
--- | --- | --- | --- | ---
Vehicle | 152 | 136 | 24 | 8
12 x Eq. | 200 | 152 | 72 | 56

Wu | Eq. | DI | DO | AI | AO | All I/O | All Tags
--- | --- | --- | --- | --- | --- | --- | ---
1 | 12 | 352 | 288 | 96 | 64 | 800 | 2600
3 | 36 | 752 | 592 | 240 | 176 | 1760 | 5900
6 | 72 | 1352 | 1048 | 456 | 344 | 3200 | 10900

Configuration with 8 motors per Equipment:

I/O Types | DI | DO | AI | AO
--- | --- | --- | --- | ---
Vehicle | 152 | 136 | 24 | 8
8 x Eq. | 152 | 96 | 56 | 40

Wu | Eq. | DI | DO | AI | AO | All I/O | All Tags
--- | --- | --- | --- | --- | --- | --- | ---
1 | 08 | 304 | 232 | 80 | 48 | 664 | 2200
4 | 32 | 760 | 520 | 248 | 168 | 1696 | 6000
9 | 72 | 1520 | 1000 | 528 | 368 | 3416 | 12400
EN-14033 Features  They are of two kinds, those for profile work and those for the driven vehicle; the tables below list the relevant features with their Safety Performance Level Rating in compliance with EN-14033:2017; see Risk Assessment for details. Indentation: units, then "· " equipment, then "·· " modules.

4.5.1 Work vs PLr

Features | Descriptions and Types | PLr
--- | --- | ---
_CMeas | Measurement Unit. | -
· _TPM | Transversal Profile Measure Equipment. | -
· _LPM | Longitudinal Profile Measure Equipment. | -
· _Rets | Rotating Eddy Current Test Equipment. | -
· _Mrm | Metal Removal Measure Equipment. | -
· _TGM | Trackside Gauge Measure Equipment. | -
_CabBWork | Cabin B Work Unit. | -
· _Network | Network Equipment. | PLc
·· _Panel | Wagon Switches Module. | PLc
· _Work | Work Control Equipment. | PLc
·· _Panel | Operator Panel Module. | PLc
·· _ODS | Obstacle Detection System Module. | -
·· _GPS | Global Positioning System Module. | -
·· _AGS | Automatic Grinding System Module. | -
· _Chariot | Measurement Chariot Control Equipment. | PLc
·· _Spacer-Y | Transversal Alignment Module. | PLc
·· _Unlock | Chariot Release Module. | PLc
·· _Down | Chariot at Work Module. | PLc
_CReprofiler | Reprofiler Chariot Unit. | -
· _Mxx | Reprofiler Motor xx Control Equipment. | PLc
·· _Spacer-Y | Transversal Alignment Module. | PLb
·· _Servo-A | Longitudinal Angle Module. | PLb
·· _Servo-Z | Motor Up/Down Module. | PLc
·· _Spndl-C | Motor Rotate Module. | PLc
·· _Chuck | Profile Device Chuck/Clutch Module. | PLb
· _Chariot | Reprofiler Chariot Control Equipment. | PLc
·· _LevelCross | Level Crossing Up/Down Module. | PLc
·· _Spacer-Y | Transversal Alignment Module. | PLc
·· _Curve-Y | Transversal Trackside Select Module. | PLc
·· _Curve-C | Left-Turn or Right-Turn Module. | PLc
·· _Unlock | Chariot Release Module. | PLc
·· _Down | Up/Down Position Module. | PLc
_CLeaner | Dust Cleaner Unit. | PLc
· _WaterTank | Water Tank Level Module. | PLb
· _LevelCross | Level Crossing Up/Down Module. | PLc
· _Firewall | Cleaner Fire Protection Module. | PLc
· _Purge | Purge Position Module. | PLc
· _Down | Up/Down Module. | PLc
_CabAWork | Cabin A Work Unit. | -
· _Work | Work Control Equipment. | PLc
·· _Panel | Operator Panel Module. | PLc
4.5.2 Vehicle vs PLr

Features | Descriptions and Types | PLr
--- | --- | ---
_CabBVehicle | Cabin B Vehicle Unit. | -
· _Network | Network Equipment. | PLc
·· _Panel | Switches of the Wagon Module. | PLc
· _Vehicle | Vehicle Information Equipment. | PLd
·· _Panel | Operator Panel Module. | PLd
·· _Warn | Warning Panel Module. | PLc
·· _UTO | Unattended Train Module. | PLd
_Traction | Traction Information Unit. | -
· _Mode | Modes Selector Equipment. | PLc
·· _Run | Train moves without profile Module. | PLc
·· _Travel | Train is hauled by locomotive Module. | PLc
·· _Manual | In depot for repair Module. | PLc
·· _Maintenance | In depot for maintenance Module. | PLc
·· _Production | Train moves with profile Module. | PLc
· _Vehicle | Vehicle Information Equipment. | PLc
·· _Safe-Park | Parking Lock Module. | PLc
·· _Reverse | Move Backward Module. | PLc
·· _Neutral | Move Free Module. | PLc
·· _Drive | Move Forward Module. | PLc
·· _Km/h | Speed Value Module. | PLb
·· _Max | Speed Maximum Module. | PLb
·· _% | Speed Potentiometer Module. | PLb
· _Brake | Brakes Information Equipment. | PLd
·· _Emergency | Brakes in emergency mode Module. | PLd
·· _Manual | Brakes in manual mode Module. | PLd
·· _Normal | Brakes in normal mode Module. | PLd
_Energies | Energies Information Unit. | -
· _Safety | Versus Safety Equipment. | PLd
·· _Emergency | E-Stop Information Module. | PLd
·· _Power-Cut | Power Cut Information Module. | PLd
·· _Fire-Warn | Fire Detection Information Module. | PLd
· _Engine | Engine Information Equipment. | PLb
·· _Gauge | Tank fuel oil level. | -
·· _Tons | Engine fuel oil consumption. | -
·· _rpm | Engine Rotation per Minute Module. | PLb
·· _T° | Engine Temperature Module. | PLb
· _Electrical | Electrical Information Equipment. | PLb
·· _kWh | Electrical consumption. | -
·· _Hz | Generated Frequency Module. | PLb
·· _V | Generated Voltage Module. | PLb
·· _A | Consumed Current Module. | PLb
· _Batteries | Batteries Information Equipment. | -
·· _kWh | Batteries consumption. | PLb
·· _% | Load Percentage Module. | PLb
·· _V | Available Voltage Module. | PLb
·· _A | Consumed Current Module. | PLb
· _Hydraulic | Hydraulic Information Equipment. | PLb
·· _Liters | Oil consumption. | -
·· _bar | Oil Pressure Module. | PLb
·· _T° | Oil Temperature Module. | PLb
· _AirPressure | Air Pressure Information Equipment. | PLb
·· _m3 | Air pressure consumption. | -
·· _bar | Air Pressure Module. | PLb
·· _T° | Air Temperature Module. | PLb
· _HVAC-Light | Air Conditioner & Lighting Equipment. | PLb
·· _kWh | Utilities consumption. | -
·· _V | Utilities Voltage Module. | PLb
·· _A | Utilities Current Module. | PLb
·· _T° | Utilities Temperature Module. | PLb
_CabAVehicle | Cabin A Vehicle Unit. | PLd
· _Coupling | Network Equipment. | PLd
·· _Panel | Switches of the Wagon Module. | PLd
· _Vehicle | Vehicle Information Equipment. | PLd
·· _Panel | Operator Panel Module. | PLd
·· _Warn | Warning Panel Module. | PLc
·· _UTO | Unattended Train Module. | PLd
· _State | States Selector Equipment. | PLd
·· _Exec. | Train is working/moving. | PLb
·· _Stop | Train is stopped and ready. | PLb
·· _StUp | Train is starting to be ready. | PLb
·· _Reset | Train resets safety-related parts. | PLc
·· _E-Stop | Train energies are cut off or contained. | PLd
5 TRAIN INTERFACE

TCMS Ability  A TCN shall link several kinds of Wagon-Units in a safe and flexible way. It shall split the asynchronous and synchronous data buses to avoid IT/OT conflicts. It may split the work and vehicle roles between two PLC-Masters: the Work PLC-Master aggregates and controls every Wagon-Unit that measures and reprofiles Passes versus Patterns; the Vehicle PLC-Master manages both Traction and Energies.

5.1.1 Work Systems  Consider the following list as a baseline for configuration and price quoting:

Devices | Qty | Ports / Channels
--- | --- | ---
SCADA-Web-Server | 2 | -
HMI 23'' Touch-Screen | 2 | -
PLC Work Master with Memory | 1 | -
PLC Work Slave with Memory | 3 | -
Asynchronous Ethernet Switch x8 | 2 | X8
Synchronous Ethernet Switch x8 | 4 | X8
xG Wireless IP Ethernet Router | 1 | -
Remote I/O Board Ethernet Coupler | 16 | X1
I/O Board - Digital Inputs x 8 | 84 | X8
I/O Board - Digital Outputs x 8 | 70 | X8
I/O Board - 4-20mA Inputs x 4, 12 bits | 60 | X4
I/O Board - 4-20mA Outputs x 4, 12 bits | 44 | X4
I/O Board - Safe Digital Inputs x 4 | 20 | X4
I/O Board - Safe Digital Outputs x 2 | 16 | X2

The wireless IP router is the only off-board IP path in this list; it is therefore the point at which remote access to the train networks has to be restricted and logged.

5.1.2 UTO Ready  Unattended Train Operation is essential for the next unattended railreprofilers called for by EN-62290:2014. UTO relies on remote-controlled sensors acting as the driver's eyes and ears; it requires high-end Active Safe Guards such as U-Sonic scanners, 3D cameras, GPS, INS, LiDAR and MWR, able to detect static and moving objects up to 800 m, day or night, regardless of weather conditions.
Train Types  The Train data manage the Patterns to produce Passes. They provide Condition-based Monitoring (CBM) for Maintenance, Repair & Overhaul (MRO); such data may establish trends, predict failures and calculate remaining life.

Attribute | Type | Description
--- | --- | ---
Typ_Train (cmd / sts) | | For commands mirrored by status system feedback.
Pattern | Typ_Pattern[n] | Mirror Setpoints related to the Pattern.
Pass | Typ_Pass[n] | Mirror Pass attributes.
PKs | Typ_PK[n] | Mirror kilometric Points.
ODS | Typ_ODS | Mirror the Obstacle Detection System.
GPS | Typ_GPS | Mirror the Global Positioning System.
AGS | Typ_AGS | Mirror the Automatic Grinding System.
Traction | Typ_Traction | Mirror data between Traction & Work.
Energies | Typ_Energies | Mirror data between Energies & Work.
ModeTrain | DINT | See §System Model Modes.
StateTrain | DINT | See §System Model States.
Typ_KPIs | | For key performance indicators by system events.
Efficiency | Typ_OEE[n] | Share OEEs vs train Modes and States.
Stoppage | Typ_STP | Share stoppage causes vs Alarms.
TrainID | STRING | Share the Train Identifier.
UserID | STRING | Share the User Identifier.

5.2.1 Pattern Type  It frames the setpoint data linked to a Pass for each profile equipment.

Attribute | Type | Description
--- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances.
_.ID | TBD | Parameter identifier versus device P&IDn.
_.Angle | DINT [°deg] | Parameter for the profile angle.
_.Current | DINT [Amp] | Parameter for the profile current.
_.Pressure | DINT [PPa] | Parameter for the profile pressure.
_.RPM | DINT [t/min] | Parameter for the profile rotation per minute.
Figure: the Work Master and the Vehicle Master each drive their own L1 network (L1 WORK Network, L1 VEHICLE Network); Cab A, Cab B, CMeas, CReprofiler and CLeaner units hang off the L0 WORK Bus, while Traction and Energies hang off the vehicle side.
5.2.2 Pass Type  It frames the data used to synchronize wagon-units pass by pass.

Attribute | Type | Description
--- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances.
_.PassID | STRING | Work Pass Identifier.
_.TrackID | STRING | Work Track Identifier.
_.OrderID | STRING | Work Order Identifier.
_.PatternID | STRING | Work Pattern Identifier.

5.2.3 PK Type  It frames traceable data by contextualizing each kilometric point record.

Attribute | Type | Description
--- | --- | ---
[#]._ | DINT | Multiple positions to expose multiple instances.
_.PK | STRING | Relative Kilometric Point.
_.PKABS | STRING | Absolute Kilometric Point.
_.FailID | STRING | Failure Identifier.
_.PassID | STRING | Work Pass Identifier.
_.RefGPS | Typ_GPS | Geographical Position.
_.TimeStamp | DINT | Date & Time of the kilometric point occurrence.

5.2.4 ODS Type  It frames the obstacle detection interface for volume dimension and position.

Attribute | Type | Description
--- | --- | ---
State | DINT | Feature current state.
XOn | DINT | X axis first coordinate vs kilometric point.
XOff | DINT | X axis second coordinate vs kilometric point.
YRight | DINT | Y axis right coordinate vs lateral.
YLeft | DINT | Y axis left coordinate vs lateral.
ZUp | DINT | Z axis, upper height.
ZDn | DINT | Z axis, lower height.

5.2.5 GPS Type  It frames the Global Positioning System interface.

Attribute | Type | Description
--- | --- | ---
State | DINT | Feature current state.
Longitude | STRING | Longitudinal position.
Latitude | STRING | Latitudinal position.
Altitude | DINT [m] | Sea level elevation.
Speed | DINT [km/h] | Machinery speed.
Cape | DINT [°deg] | Heading (course) direction.

5.2.6 AGS Type  It frames the Automatic Grinding System interface.

Attribute | Type | Description
--- | --- | ---
State | DINT | Feature current state.
PassID | STRING | Work Pass Identifier.
OrderID | STRING | Work Order Identifier.
PatternID | STRING | Work Pattern Identifier.
SectionID | STRING | Work Section/Sub-section Identifier.

5.2.7 Traction Type  It frames the data for the Traction interface through the TCMS; see Vehicle Features.

Attribute | Type | Description
--- | --- | ---
ModeTrain | DINT | See §System Model Modes.
StateTrain | DINT | See §System Model States.
Vehicle._ | DINT[n] | To control and monitor vehicle functions.
Brake._ | DINT[n] | To control and monitor brake systems.
UTO._ | DINT[n] | To remote-control the unattended train.

5.2.8 Energies Type  It frames the data for the Energies interface through the TCMS; see Vehicle Features.

Attribute | Type | Description
--- | --- | ---
Safety._ | DINT[n] | To control and monitor energy cut-off.
Engine._ | DINT[n] | To control and monitor the diesel engine.
Electrical._ | DINT[n] | To control and monitor the electrical supply.
Batteries._ | DINT[n] | To control and monitor the batteries supply.
Hydraulic._ | DINT[n] | To control and monitor the hydraulic supply.
AirPressure._ | DINT[n] | To control and monitor the air pressure supply.
HVAC-Light._ | DINT[n] | To control and monitor HVAC & Lights utilities.
KPI Types The Overall Equipment Effectiveness monitors KPI's vs rationalized Stoppages.
5.3.1 OEE Type It frames OEE data at the train level, when the train is not in transfer mode.
Attribute Type Unit Description
[#]._ DINT Multiple positions to expose multiple instances.
_.ModeTrain DINT See §System Model Modes.
_.StateTrain DINT See §System Model States.
_.TotalTime DINT [sec] Total time.
_.ProdTime DINT [sec] Producing time.
_.TotalPKs DINT [part] Total PKs counter.
_.ProdPKs DINT [part] Produced PKs counter.
_.FailPKs DINT [part] Failed PKs counter.
_.MTTF DINT [sec-ms] Mean Time To Fail.
_.MTtR DINT [sec-ms] Mean Time To Repair.
_.Availability DINT [%x100] Ratio of ProdTime to TotalTime.
_.Performance DINT [%x100] Ratio of TotalPKs to ProdTime x Speed.
_.Quality DINT [%x100] Ratio of ProdPKs to TotalPKs.
_.OEE DINT [%x100] Ratio of ProdPKs to TotalTime x Speed.
_.Speed DINT [ppm] System Speed (i.e. Last Cycle Time).
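The four ratios above, carried out in the DINT [%x100] fixed point the OEE Type uses, as an added Python example (not software from the guideline). It assumes the Speed attribute is parts per minute, so the [sec] timers are divided by 60 to obtain the theoretical part count, and it yields 0 on a zero denominator rather than faulting; the final check verifies that OEE equals A x P x Q up to fixed-point rounding, which fails when counters and timers were not sampled in the same scan.

```python
"""OEE figures of §5.3.1 computed in the DINT [%x100] fixed point of the OEE Type."""
from dataclasses import dataclass

PCT_X100 = 10_000  # 100.00 % expressed as DINT [%x100]


@dataclass(frozen=True)
class OeeInputs:
    total_time_s: int   # _.TotalTime [sec]
    prod_time_s: int    # _.ProdTime  [sec]
    total_pks: int      # _.TotalPKs  [part]
    prod_pks: int       # _.ProdPKs   [part]
    speed_ppm: int      # _.Speed     [ppm]; assumed here to mean parts per minute


def _ratio_x100(num: float, den: float) -> int:
    """Scale a ratio to [%x100]; a zero denominator yields 0 instead of a PLC fault."""
    if den <= 0:
        return 0
    return int(round(PCT_X100 * num / den))


def theoretical_parts(seconds: int, speed_ppm: int) -> float:
    """Parts the system could produce in `seconds` at full speed (ppm is per minute)."""
    return seconds * speed_ppm / 60.0


def compute_oee(i: OeeInputs) -> dict:
    """Availability, Performance, Quality and OEE exactly as defined in §5.3.1."""
    availability = _ratio_x100(i.prod_time_s, i.total_time_s)
    performance = _ratio_x100(i.total_pks, theoretical_parts(i.prod_time_s, i.speed_ppm))
    quality = _ratio_x100(i.prod_pks, i.total_pks)
    oee = _ratio_x100(i.prod_pks, theoretical_parts(i.total_time_s, i.speed_ppm))
    return {"Availability": availability, "Performance": performance,
            "Quality": quality, "OEE": oee}


def oee_is_consistent(r: dict, tolerance_x100: int = 2) -> bool:
    """OEE must equal A x P x Q up to fixed-point rounding; a larger gap means the
    counters and the timers were not sampled in the same PLC scan."""
    product = r["Availability"] * r["Performance"] * r["Quality"] / (PCT_X100 ** 2)
    return abs(product - r["OEE"]) <= tolerance_x100


# Constructed sample: one hour window, 50 minutes producing, 60 ppm nominal speed.
SAMPLE = OeeInputs(total_time_s=3600, prod_time_s=3000,
                   total_pks=2400, prod_pks=2280, speed_ppm=60)

if __name__ == "__main__":
    result = compute_oee(SAMPLE)
    print(result, "consistent" if oee_is_consistent(result) else "INCONSISTENT")
```

The consistency check is cheap enough to run on every OEE instance published to the L3 servers; an inconsistent instance should be logged rather than silently reported.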
5.3.2 Stoppages The table below shows how a stoppage relates to Modes, Alarm#, P&IDn and
CodeCause; the stoppage links to the device IEC CodeCause that causes the
failure while the system is producing (Unplanned), or to the Stoppages screen
selection while the system is in maintenance (Planned) or in manual (Latent).
IEC-81346 CodeCause classes : B-Bool Sensor, C-Level, E-Energies, F-Safety, P-Probe, S-Signal, X-Network.
Alarm # (IEC-62682 index versus DeviceID / P&IDn) versus OEE effectiveness and Modes :
• Crash "1" : Major Stop, Unplanned, from the device CodeCause.
• Fail "2" : Minor Stop, Unplanned, from the device CodeCause.
• Wait-Hold "3" : Speed Loss, Unplanned, from the device CodeCause.
• Alert-Warn "4" : Speed Loss, Unplanned, from the device CodeCause.
• "5", set from the HMI Stoppages screen : Setup, Warm-Up, Labor Stoppage, Maintenance, Repair, Overhaul : Planned Stop.
• "6", set from the HMI Stoppages screen : No Demand, Spare Shortage, Transfer, Labor Shortage : Latent Period.
Attribute Type Unit Description
[#]._ DINT Multiple positions to expose multiple instances.
_.StopTotal DINT Report Change-of-Stoppage incrementation.
_.StopCause DINT/STRING "Alarm#-P&IDn-CC", see Stoppages.
[Figure: OEE timeline. A Latent Period (Manual) and a Planned Stop (Maintenance) precede the
measured window; within it, Availability Loss = E-Stop + Reset + Startup + Stop, Performance
Loss = Transient States + Hold, Quality Loss = Failed PKs, Good Production = Produced PKs at
Full Speed; Efficiency covers the losses and Effectiveness the whole window, over the state
sequence E-Stop, Reset, Startup, Wait, Execute, Stop, End.]
6 USER INTERFACE
Intuitiveness The interface between users and control systems shall be designed and realized
such that no person is endangered during all intended use and reasonably
foreseeable misuse of the machine. The interface ergonomics shall be easy to use
so that the user is not tempted to act in hazardous manners, i.e. ISO-13849-1:2015 :
• Display any information with no more than three clicks through a flat design.
• Toggle from the screen header of the visual application between :
  • Local spoken language and English (dates, units and text).
  • Nighttime and Daytime color themes.
  • Portrait and Landscape orientations.
HMIs Basics Shall comply with IEC-60204-1 and EN-16186-3; see §Appendix Colors and Symbols.
Active Safe Guards (if a hazard may cause irreversible injuries) versus States and Stack-Lights :
• Disable SRP/CS : E-Stop : flashing Red.
• Enable SRP/CS : Safe-Reset : steady Red.
• Continuously check all Safety Related Parts of the Control System to ensure the user's Safe Guarding :
  • Startup : flashing Yellow.
  • Stop : steady Yellow.
  • Wait : flashing Blue.
  • Exec. : flashing or steady Green.
Push-Buttons :
• Buzzer : horn in Startup when the user is unable to see the whole system.
• Start Light : flashes in Reset or Stop, steady in Execute.
• Reset Light : flashes in E-Stop or if an Alarm is pending.
• Stop Light : flashes in Execute or Stop, steady in E-Stop.
Those require physical buttons if any hazard may cause irreversible injuries.
• A flashing push-button prompts the user action to start, reset or stop the system.
• An additional reset button for a specific function shall not be blue.
• An additional start button for a sub-system shall be white.
• An additional stop button for a sub-system shall be black.
User Access The IS/IT Policies require regular password changes. A centrally managed
User Access, such as Active Directory, reduces the time needed for password changes;
the credentials are vaulted on the L3 Administration Network (see §Appendix Connectivity).
6.3.1 User Login The IT Network domain manages user names and passwords.
• Auto-logout after a delay of inactivity, then switch to Guest Access #1; since Guest Access
  keeps the Stop button (see User Roles), the auto-logout never removes the means to stop.
• Electronic Signature and Audit Trails are available and time stamped.
• This function shall be robust, fast and easy to use, e.g. with company badges or ID cards.
6.3.2 User Roles HMIs Controls versus access level (yes = allowed, x = denied) :
HMIs Controls                                                  Guest #1  Operator #2  Supervisor #3  Admin. #4
• Administrate language, date and units rules.                 yes       yes          yes            yes
  Administrate System Security versus IS/IT Policies.          x         x            x              yes
• Access to Stop button and Wagon-units Screens (*).           yes       yes          yes            yes
  Access to Reset and Start buttons.                           x         yes          yes            yes
  Select Wagon-units modes, states and reports (*).            x         yes          yes            yes
  Control Wagon-units parameters and configurations.           x         x            yes            yes
• Access to Sub-systems Screens.                               x         yes          yes            yes
  Select Sub-systems status and reports.                       x         yes          yes            yes
  Control Sub-systems states, parameters and configurations.   x         x            yes            yes
(*) some main Wagon-unit may be the TrainManager also.
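The access matrix above, combined with the auto-logout of §6.3.1 and a time-stamped audit trail, as an added Python example (not the guideline's own software). The control names, the idle timeout value and the injected clock are this example's assumptions; roles are treated as ordered, which the matrix permits because every row's allowed set is an upper set of the four levels, and unknown controls are denied by default.

```python
"""Access check for the §6.3.2 role matrix with the §6.3.1 auto-logout to Guest Access #1."""
from enum import IntEnum
from typing import Callable, List, Tuple
import time


class Role(IntEnum):
    GUEST = 1       # Guest Access #1
    OPERATOR = 2    # Operator Access #2
    SUPERVISOR = 3  # Supervisor Access #3
    ADMIN = 4       # Admin. Access #4


# Lowest role that may use each HMI control, transcribed from the §6.3.2 matrix.
# Control names are this example's own convention.
MIN_ROLE = {
    "language_date_units": Role.GUEST,
    "system_security": Role.ADMIN,
    "stop_button": Role.GUEST,                 # Stop is never locked out
    "wagon_unit_screens": Role.GUEST,
    "reset_start_buttons": Role.OPERATOR,
    "wagon_unit_modes_states_reports": Role.OPERATOR,
    "wagon_unit_parameters_config": Role.SUPERVISOR,
    "subsystem_screens": Role.OPERATOR,
    "subsystem_status_reports": Role.OPERATOR,
    "subsystem_states_parameters_config": Role.SUPERVISOR,
}

AuditEntry = Tuple[float, str, str, str, str]  # (timestamp, user, role, action, decision)


class Session:
    def __init__(self, user: str, role: Role, idle_timeout_s: float,
                 audit: List[AuditEntry], clock: Callable[[], float] = time.time):
        self.user, self.role = user, role
        self.idle_timeout_s, self.audit, self.clock = idle_timeout_s, audit, clock
        self.last_activity = clock()

    def effective_role(self) -> Role:
        """Apply the auto-logout: an idle session falls back to Guest Access #1."""
        if self.role != Role.GUEST and self.clock() - self.last_activity > self.idle_timeout_s:
            self._log("auto-logout", "switch to Guest Access #1")
            self.user, self.role = "guest", Role.GUEST
        return self.role

    def allowed(self, control: str) -> bool:
        """Default deny: unknown controls and insufficient roles are refused and logged."""
        role = self.effective_role()
        needed = MIN_ROLE.get(control)
        ok = needed is not None and role >= needed
        self._log(control, "allow" if ok else "deny")
        if ok:
            self.last_activity = self.clock()  # a granted action counts as activity
        return ok

    def _log(self, action: str, decision: str) -> None:
        """Time-stamped audit trail entry, one per decision."""
        self.audit.append((self.clock(), self.user, self.role.name, action, decision))


if __name__ == "__main__":
    trail: List[AuditEntry] = []
    s = Session("op1", Role.OPERATOR, idle_timeout_s=300, audit=trail)
    print(s.allowed("reset_start_buttons"), s.allowed("system_security"))
    for entry in trail:
        print(entry)
```

Keep the audit list append-only and forward it to the L3 servers; the session object itself holds no secret, since authentication stays with the domain.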
HMIs Features The screen patterns or templates shall provide the following features.
6.4.1 Screen Header This screen area shall display the following information :
• Profile IDs of the current Pass and Pattern as shared in the Train Instance.
• Language for multi-format dates/units and multilingual text information.
• User Login as defined in User Roles, with an auto-logout.
• Current Modes for the train and the selected wagon-unit.
• Screen Title based on the device P&IDn, role and task :
  Level  P&IDn                      Title                 Train    Wagon  Equipment  Module
  T      R12MS1_Train               • Train Task...       R12MS1   N/A    N/A        N/A
  W      R12MS1_1_Reprofiler        • Wagon-Unit Task...  ' '      _1_    N/A        N/A
  E      R12MS1_1_00_Energies       • Equipment Task...   ' '      ' '    _00_       N/A
  M      R12MS1_1_00_031_Metering   • Module Task...      ' '      ' '    ' '        _031_
• Date & Time :
  • The IT Network time service synchronizes every HMI.
  • A Clock Update tool synchronizes the HMIs and PLCs date and time.
6.4.2 Alarms Banner This screen area shall toggle between Alarms Pending and Alarms Log. The
messages and the date shall be able to switch between local language and English; the
message shall merge all alarm attributes as described in Alarms :
"Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time".
6.4.3 Navigation Bar An agile navigation shall make any information reachable with no more than three
clicks through a flat-designed visual application for the Touch-Panel HMIs.
One bar selects the focus level : Train, Wagon-unit, Equipment or Module.
Another bar selects the contextual task :
• To get the IDs of Pass and Pattern.
• To get Modes versus device instances.
• To get States versus device instances.
• To get OEE versus device instances.
• To get diagnostics versus device instances.
• To get Patterns versus device instances.
• To get settings versus device instances.
• To select Stoppages.
• To see pending/logged alarms or alerts on train(s) or wagon-unit(s).
• To send a screenshot to anyone anywhere.
The user interface shall use the MVC design pattern to offer an agile navigation.
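A parser for the P&IDn device identifiers of §6.4.1 and a builder/parser for the alarm banner text of §6.4.2, as an added Python example (not the guideline's own software). The focus level is derived from the number of numeric positions after the train id, as the §6.4.1 table shows; the IEC-81346 letter classes are taken from §5.3.2 and assumed to be the complete set; the alarm priority value used in the demonstration is an assumption. Identifiers reach the alarm log and the share function, so both parsers reject anything that does not match the documented shape instead of trusting it.

```python
"""Parse §6.4.1 P&IDn identifiers and build / parse the §6.4.2 alarm banner text."""
import re
from dataclasses import dataclass
from typing import Optional

# Focus level by number of numeric positions after the train id (§6.4.1 table).
LEVELS = {0: "T", 1: "W", 2: "E", 3: "M"}
LEVEL_NAMES = {"T": "Train", "W": "Wagon-Unit", "E": "Equipment", "M": "Module"}
# IEC-81346 CodeCause letter classes listed in §5.3.2 (assumed to be the full set).
CODE_CLASSES = set("BCEFPSX")


@dataclass(frozen=True)
class PIDn:
    train: str
    wagon: Optional[str]
    equipment: Optional[str]
    module: Optional[str]
    task: str

    @property
    def level(self) -> str:
        depth = sum(x is not None for x in (self.wagon, self.equipment, self.module))
        return LEVELS[depth]

    def title(self) -> str:
        """Screen title: level letter, P&IDn and task, as in the §6.4.1 table."""
        return f"{self.level} {self} • {LEVEL_NAMES[self.level]} Task..."

    def __str__(self) -> str:
        numbers = [p for p in (self.wagon, self.equipment, self.module) if p is not None]
        return "_".join([self.train] + numbers + [self.task])


# train[_wagon[_equipment[_module]]]_task; numbers keep their leading zeros ("00", "031").
_PIDN = re.compile(r"^([A-Z][A-Z0-9]*)((?:_\d+){0,3})_([A-Za-z][A-Za-z0-9]*)$")


def parse_pidn(text: str) -> PIDn:
    """Reject anything that is not a well-formed P&IDn (wrong depth, bad characters)."""
    m = _PIDN.match(text)
    if not m:
        raise ValueError(f"not a P&IDn: {text!r}")
    numbers = [n for n in m.group(2).split("_") if n]
    numbers += [None] * (3 - len(numbers))
    return PIDn(m.group(1), numbers[0], numbers[1], numbers[2], m.group(3))


def alarm_message(priority: str, wagon: str, equipment: str, module: str,
                  code: str, cause: int, description: str, stamp: str) -> str:
    """'Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time' (§6.4.2)."""
    if not code or code[0] not in CODE_CLASSES:
        raise ValueError(f"unknown IEC-81346 code class in {code!r}")
    if "," in description or " - " in description:
        raise ValueError("description must not contain the banner separators")
    return f"{priority}_{wagon}_{equipment}_{module}_{code}:{cause}, {description} - {stamp}"


_ALARM = re.compile(r"^([^_]+)_(\d+)_(\d+)_(\d+)_([A-Z][A-Za-z0-9]*):(\d+), (.+?) - (.+)$")


def parse_alarm_message(text: str) -> dict:
    """Split a banner line back into its attributes; malformed lines raise."""
    m = _ALARM.match(text)
    if not m:
        raise ValueError(f"not an alarm banner line: {text!r}")
    keys = ("priority", "wagon", "equipment", "module", "code", "cause", "description", "stamp")
    fields = dict(zip(keys, m.groups()))
    fields["cause"] = int(fields["cause"])
    return fields


if __name__ == "__main__":
    device = parse_pidn("R12MS1_1_00_031_Metering")
    print(device.title())
    # Priority "3" (Wait-Hold, §5.3.2) is an assumed value for this demonstration.
    print(alarm_message("3", "1", "00", "031", "C2", 1, "Load Feed Level Warn", "Dec. 24 07:49:11"))
```

Because descriptions are free text that ends up beside the separators, the builder refuses the separator characters rather than escaping them; the alarm log then stays parseable by the same regular expression on every HMI.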
[Screenshot (shown twice in the original): a Supervisor session on the Reports task of
RR12MS1_1_00_031_Metering, English, with the alarm banner "a6_3_02_010_C2:1, Load Feed Level
Warn Dec. 24 07:49:11"; the focus bar shows Train RR12MS1, Car-Unit _1_, Equipment _00_Energy,
Module _031_Metering; the task bar shows ID's, Modes, States, Reports, Status, Parameters,
Configurations, Stoppages, Alarms and Shares; the Energy - NRG report reads Mode Maintenance,
State Run, Speed 60, Electricity 44154 kWh, ThrustAir 141 m3, N2Gas 17 m3, the other utilities
N/A; sub-modules _000_Rig, _001_Servo, _002_LubOil, _003_Check and _031_Energy all report NoAlm.]
Conventions To design an HMI display, it is very important to understand how to use colors.
Color is a very powerful tool for visual presentations; it can cause danger in operation
if misused. Therefore, choosing the right color for the background, control buttons, alarms
and words is critical for a good HMI design compliant with EN-16186-3:2016.
6.5.1 Colors The table provides a matrix with §Appendix Colors for modes and states :
• Blue : Wait or Reset.
• Red : Alarm or Emergency.
• Yellow : Off/Stop or StartUp.
• Green : On/Exec or Start.
• White : N/A, Neutral or Out of Order.
• Modes (Enable, Disable, Manual or Jog) have no dedicated color (N/A).
6.5.2 Module This diagram shares background and foreground colors for a basic Module; the
Mode/State pairs shown are Disable-OoO, Enable-OoO, Enable-Off, Enable-Reset, Enable-On and
Enable-Alarm.
6.5.3 Equipment This diagram shares background and foreground colors for an Equipment, with
the columns Mode, Grinding Stone, Axe Z, Spindle C and Visualization, an Enable row (Off, On,
Reset and Alarm states) and a Manual row (Off, Reset and On states); the cell-by-cell mapping
is not recoverable from the extracted diagram.
6.5.4 Wagon-Unit This diagram shares background and foreground colors for a Wagon-Unit :
Mode      Unlock   Down     Visualization
Disable   Off      Off
Manual    On       Reset
Enable    On       On
7 APPENDIX
Energies-Safety See References for conformances.
7.1.1 Energies The safety related parts of control systems (SRP/CS) include all Energies that
could cause injuries; they shall maintain the system in a safe state if guards are disabled,
see Safety. The energies distribution design shall be able to manage the CoMot mode with
device(s) such as a Deadman Switch.
[Figure 7.1.1: energies-safety block diagram. The Electrical Main Switch, Overload Protection
and EMC/EMI Filter feed Redundant 3P-Electrical Breakers. The Safety Logic (HW or SW) that
controls the Safety-Related Parts takes the E-Stop, the Guard Interlock, the Presence Sensor,
the Dead Man Switch for Cooperative Motion (Safe Limited Speed Control) and the Main Air
Pressure, exchanges safety signals from/to the Control System, and drives the Safety Shut-Off
Control (cut / uncut 3P-Electrical towards the unsafe E-Actuators, while Safety Certified
E-Actuators remain safe) and the Safety Reset Control of the Main and Redundant Air-Supply
Valves (cut-off air-supply towards the unsafe Air-Actuators, whose pressure decays in time;
safe or clean air towards the safe Air-Actuators). The supply is a TN-S network (L1, L2, L3,
N, PE) with the neutral impedance Zn of §7.1.2.]
Wire colors :
• Yellow-Green : equipotential bonding.
• Black / Grey / Brown : AC / DC power.
• Orange : light / socket / ...
• Light Blue : AC neutral.
• Dark Blue : DC control.
• Red : AC control.
7.1.2 Neutral Earthing The values of Earth Fault Currents must be limited to reduce their
effects. The neutral of a medium or low voltage network can be earthed by five different
methods, according to the type (resistive, inductive) and value (zero to infinity) of the
impedance Zn connected between the neutral and the earth :
Effect                      Zn = ∞     Resistance   Reactance   Capacitance   Zn = 0
• Damages                   Very Low   Low          Low         Very Low      Very high
• Temporary over-voltages   High       Medium       Medium      Medium        Low
• Transient over-voltages   High       Low          High        High          Low
• Touch and step voltages   Very Low   Low          Low         Low           High
7.1.3 Colors and Symbols See §User Interface Basics and IEC-60204-1:2016.
Color codes assign particular meanings to visual and tactile signals, from simple cases such as
buttons or LEDs to extensive controls such as screens. They improve the visual-tactile awareness
of dangers through :
• An intuitive recognition of control conditions and device positions, to avoid unintended misuse.
• A proper monitoring, control and maintenance of procedures or devices, with less confusion.
Color    Symbol      Meaning               Action by Operator                               States
Red      Emergency   Critical condition    Immediate action to deal with the hazard         E-Stop
Yellow   Abnormal    Abnormal condition    Cautious action to recover from the hazard       Startup, Stop
Blue     Mandatory   Careful condition     Mandatory action to care with the process        Wait, Hold
Green    Normal      Normal condition      Optional action to predict or prescribe          Exec., Run
White    Neutral     Other conditions, whenever doubt exists on the previous colors : Monitoring   N/A
7.1.4 Safety Functions See IEC-61800-5-2:2016.
• SBC : Safe Brake Control, in conjunction with STO.
• SDI : Safe DIrection, checks the motion direction and triggers SS1 on error.
• SFX : Safe Feedback Scaling, checks position and speed.
• SLP : Safely-Limited Position, checks the axis position.
• SLS : Safely-Limited Speed, checks over-speed.
• SLT-STR : Safely-Limited Torque, checks and stops over-torque.
• SOS : Safe Operating Stop, zero speed, no shut-off.
• SS1 : Safe Stop 1, in accordance with stop category #1.
• SS2 : Safe Stop 2, in accordance with stop category #2.
• STO : Safe Torque Off, shuts off power but not control.
7.1.5 Stop Categories See §System Model Alarms and IEC-60204-1:2016.
• #0 : Uncontrolled stop with immediate containment of the unsafe energies on all actuators.
• #1 : Controlled stop with all energies available, then containment of the unsafe energies.
• #2 : Controlled stop with all energies remaining available on all actuators.
Risks Assessment
Machinery must be designed and constructed so that it is fitted for its function, and can be operated,
adjusted and maintained without putting persons at risk when these operations are carried out under
the conditions foreseen but also under any reasonably foreseeable misuse thereof, i.e. MD-2006/42/CE.
7.2.1 Hazards Inventory First, the risk assessment defines the machinery limits; they include any
required workspace for the machinery, user interaction and move ranges. A risk assessment team shall
obtain all machinery specifications, design drawings (i.e. mechanical, electrical, pneumatic,
hydraulic, ...), manuals and checklists (materials, spare parts, parameters, alarms, etc.). Within
these machinery limits, it is essential to locate all hazards related to and caused by the machinery.
All foreseeable hazards shall be identified in all tasks of all life phases performed by all involved
users. An Index shall rank each inventoried risk through a risk evaluation; a risk index higher
than 2 requires a risk reduction.
7.2.2 Risks Evaluation It aims to estimate and evaluate all risks related to any pre-identified
hazard. It evaluates the harm Severity, the event Frequency, the occurrence Probability and the
possible Avoidance by limiting harm. It provides a Risk Index per inventoried risk.
7.2.3 Risks Reduction A risk reduction shall achieve a tolerable level of safety with appropriate
measures; it leads first to eliminate by design, second to protect by active safe guard(s) and
last to indicate by information-for-use where residual risks persist.
7.2.4 PLr Calculation The IFA tool SISTEMA calculates and reports the system Performance Level.
[Figure: risk index matrix. Severity [N/cm2] : Quasi-Static 280 / 600, Transient 110 / 300;
Frequency : shots/day; Probability : 3 cm/sec; Avoidance : N / Y. Risk Index versus PLr :
1 Normal PLa, 2 Careful PLa, 3 Unusual PLb, 4 Abnormal PLc, 5 Critical PLd, 6 Fatal PLe.]
Connectivity
Connectivity with the Train is the foundation of IT/OT convergence; it merges asynchronous information
technology (IT) systems used for data-centric computing with synchronous operational technology (OT)
systems used to monitor events, procedures or devices while mastering manufacturing and operations.
7.3.1 IIoT Integration
• Train Interface means communication with the Train server to handle Patterns, to trace PK's Pass,
  to track Alarms and to monitor OEE's.
• A digital knowledge made from a deep enough connectivity gives Condition-Based Monitoring (CBM)
  for Maintenance, Repair & Overhaul (MRO).
The TCN, Train Communication Network, merges multi-purpose TCMS's, Train Control & Monitoring Systems.
• L3 Administration Network hosts the SI Servers to handle Patterns, to trace railroad PK's Pass,
  to track Alarms and to monitor the railreprofilers' OEE's; it includes the Active Directory for
  all systems, which vaults the User Access credentials.
• L2 Asynchronous Common Bus - TCMS hosts hardware and operating systems compliant with the IS/IT
  Policies; its role is to provide non time-deterministic data through the PLC-Masters :
  • Touch-Panels to manage the HMIs and the SSL-VPN Remote Access link to 3rd-party computers, to
    achieve remote monitoring and control.
  • PLC-Masters to control the trains and to provide the gateway to the L1 Synchronous Bus; added
    IIoT Edge features decrease the communication bandwidth used between sensors and servers by
    performing analytics and knowledge generation near the data available on the synchronous network.
  Remote Access therefore terminates on L2; the synchronous buses are reached only through a PLC-Master.
• L1 Synchronous Bus synchronizes data between PLCs and smart devices for real-time sequential
  logic, and shares complex asynchronous data with the L2 Asynchronous Common Bus through a
  PLC-Master; the safety devices required for UTO, such as GPS, 3D cameras, U-Sonic scanners, MWR,
  LiDAR and INS, may belong to this bus.
• L0 Synchronous Fieldbus synchronizes the physical inputs and outputs to the PLCs for real-time
  imperative logic (time-deterministic).
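A flow check over the L3/L2/L1/L0 levels just described, as an added Python example (not the guideline's own software). A node may forward traffic only between levels it is attached to, so a flow is allowed when a path exists whose intermediate nodes are all such gateways, and the caller bounds how many gateways may be crossed. The node inventory is assumed from the figure (the page names Touch-Panels, Remote Access, the PLC-Masters, the SI Servers and the UTO sensors); the "it-ot-router" between L3 and L2, the "EXT" side for 3rd-party computers and the "io-module" are this example's assumptions, not devices the page names.

```python
"""Flow check over the TCN levels of §7.3.1: a flow crosses a level only through a node
attached to both levels (PLC-Master between L2 and L1/L0, Remote Access between EXT and L2)."""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed inventory: each node and the levels it is attached to. "EXT" is the 3rd-party side.
NODES: Dict[str, FrozenSet[str]] = {
    "third-party-pc":     frozenset({"EXT"}),
    "remote-access":      frozenset({"EXT", "L2"}),    # SSL-VPN endpoint on the TCMS bus
    "si-server":          frozenset({"L3"}),
    "active-directory":   frozenset({"L3"}),           # credential vault of §7.3.1
    "it-ot-router":       frozenset({"L3", "L2"}),     # assumed L3/L2 crossing, not named on the page
    "touch-panel":        frozenset({"L2"}),
    "vehicle-plc-master": frozenset({"L2", "L1", "L0"}),
    "work-plc-master":    frozenset({"L2", "L1", "L0"}),
    "lidar":              frozenset({"L1"}),           # UTO safety device on the synchronous bus
    "io-module":          frozenset({"L0"}),           # assumed fieldbus I/O
}


def gateways() -> Set[str]:
    """Nodes attached to more than one level are the only legal transit points."""
    return {name for name, levels in NODES.items() if len(levels) > 1}


def route(src: str, dst: str, max_crossings: int) -> Optional[List[str]]:
    """Breadth-first search: a hop is legal only when both ends share a level, and every
    intermediate node must be a gateway. Returns the shortest path, or None when there is
    none or when it would cross more than `max_crossings` gateways."""
    if src not in NODES or dst not in NODES:
        return None
    transit = gateways()
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        last = path[-1]
        if last == dst:
            # BFS yields the fewest hops first; with gateway-only transit that is the
            # fewest crossings, so a too-long first hit means no acceptable path exists.
            return path if len(path) - 2 <= max_crossings else None
        for nxt, levels in NODES.items():
            if nxt in seen or not (NODES[last] & levels):
                continue
            if nxt != dst and nxt not in transit:
                continue  # endpoints may be plain nodes; transit nodes must be gateways
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def flow_allowed(src: str, dst: str, max_crossings: int = 1) -> bool:
    """Policy: by default a flow may cross a single gateway."""
    return route(src, dst, max_crossings) is not None


if __name__ == "__main__":
    for s, d in (("third-party-pc", "touch-panel"), ("third-party-pc", "lidar"),
                 ("third-party-pc", "active-directory"), ("touch-panel", "lidar")):
        print(f"{s} -> {d}: {route(s, d, 1)}")
```

With the default of one crossing, a 3rd-party computer reaches the Touch-Panels over the Remote Access link but neither the synchronous buses nor the Active Directory; raising the bound is an explicit policy decision rather than a side effect of the topology.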
7.3.2 TCN Model See System Security policies.
[Figure 7.3.2: TCN model. HMI hierarchy : Train Page, WagonUnit Page, Equipment Page, Module
Page. Data Servers : WagonUnit Patterns (Parameters, Sequences), Equipment Recipes (Parameters,
Sequences), Wagon-Unit Data Logs, Equipment-Module Data Logs, Alarms per Train / WagonUnit /
Equipment, MES Train Control. Logic model : Interface Train Logic and Train Tags, Car-Unit Logic
and WagonUnit Tags, Equipment Logic and Tags, Module Logic and Tags. Link types : Bidirectional
Real-Time, Bidirectional Event-based, Unidirectional Event-based, Embedded Read/Write. Cycle
times : Train 1 minute, WagonUnit 1 second, Equipment 1 msec, Modules 1 sec. Levels T and C are
'White Box', E and M are 'Black Box', for Safety, Quality and Durability. Network : L3
Administration Network with the SI Servers; L2 Asynchronous Common Bus - TCMS with Touch Panels,
Remote Access, Vehicle PLC Master and Work PLC Master; L1 Synchronous Vehicle Bus (Cab A / Cab B
Vehicle, Energies, Traction, with 3D Cam, U-Sonic, MWR, LiDAR, GPS and INS) and L1 Synchronous
Work Bus (Cab A / Cab B Work, CM, CR1, CR2 : CMeas, CReprofiler, CLeaner); L0 Synchronous Field Bus.]
Segments Shift
7.4.1 Shiftime vs Segment mm & km/h The Segments sample each PK's trackside in sized portions;
the segment type may be sized as the Greatest Common Divisor of the lengths between every
profile stage; the segment shiftime depends on the train speed :

$\mathrm{Shiftime}\,[\mathrm{ms}] = 3.6 \times \dfrac{\mathrm{Segment}\,[\mathrm{mm}]}{\mathrm{Speed}\,[\mathrm{km/h}]}$

7.4.2 RR12MS1 200mm Case [Table residue: grindstone layout of the RR12MS1 per 200 mm segment,
with grindstone diameter 300 mm, columns Segment #, Segment mm, grindstone positions in mm and
Total Length; the cell-by-cell values are not recoverable from the extraction.]
200mm Segment Shiftime versus train speed, and dynamic need on the Z axis for a 100mm Move-Up (figure data) :
Speed [km/h]             4     6     10    14    20    36    48    80    220   360
Shiftime [ms]            180   120   72    51    36    20    15    9     3     2
Z axis need [mm/s]       11    17    28    39    56    100   133   222   611   1000
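The §7.4.1 formula carried through in Python, as an added example (not the guideline's own software), together with its inverse, the highest speed at which the shiftime still covers a given controller cycle. The Z-axis series is reproduced under an assumption of this example only: the figure's values match a 100 mm lift spread over 10 m of track, which the page does not state.

```python
"""§7.4.1 segment shiftime, the inverse speed budget and the Z-axis series of the figure."""

SPEEDS_KMH = (4, 6, 10, 14, 20, 36, 48, 80, 220, 360)  # abscissa of the figure


def shiftime_ms(segment_mm: float, speed_kmh: float) -> float:
    """Time for the train to travel one segment.
    v[mm/s] = kmh * 1000 / 3.6, so t[ms] = segment / v * 1000 = 3.6 * segment / kmh."""
    if speed_kmh <= 0:
        raise ValueError("speed must be positive")
    return 3.6 * segment_mm / speed_kmh


def max_speed_kmh(segment_mm: float, min_shiftime_ms: float) -> float:
    """Highest speed at which one segment still lasts at least `min_shiftime_ms`,
    i.e. the speed budget for a controller cycle of that length."""
    if min_shiftime_ms <= 0:
        raise ValueError("cycle time must be positive")
    return 3.6 * segment_mm / min_shiftime_ms


def z_axis_need_mm_s(speed_kmh: float, lift_mm: float = 100.0, over_mm: float = 10_000.0) -> float:
    """Assumption of this example: the 100 mm move-up is spread over 10 m of track,
    which reproduces the figure's values; the page itself does not state the distance."""
    v_mm_s = speed_kmh * 1000.0 / 3.6
    return v_mm_s * lift_mm / over_mm


def figure_rows(segment_mm: float = 200.0) -> list:
    """(speed, shiftime, z-axis need) rounded as the figure prints them."""
    return [(v, round(shiftime_ms(segment_mm, v)), round(z_axis_need_mm_s(v)))
            for v in SPEEDS_KMH]


if __name__ == "__main__":
    for speed, t_ms, z in figure_rows():
        print(f"{speed:4d} km/h  shiftime {t_ms:4d} ms  Z need {z:5d} mm/s")
    print("200 mm segment, 10 ms cycle: max", max_speed_kmh(200, 10), "km/h")
```

The speed budget is the check to run when a cycle time is changed: a 200 mm segment at a 10 ms cycle allows 72 km/h, while the 1 ms equipment cycle of §7.3.2 would be one tenth of the shiftime at that speed.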
Acronyms
Keys Definition
AI Artificial Intelligence.
AR Augmented Reality.
ATEX ATmospheres EXplosives.
CBM Condition-Based Monitoring (link to MRO).
CCPs Critical Control Points.
CTQ Critical to Quality.
CVE Common Vulnerabilities and Exposures.
CVSS Common Vulnerability Scoring System.
DQ Design Qualification.
DRW Hardware Drawings or schematics.
EMC Electromagnetic Compatibility.
EMI Electromagnetic Interference.
EN European Norms, CEN, CENELEC or ETSI.
ERP Enterprise Resource Planning.
FAT Factory Acceptance Test.
FDS Functional Design Specification.
FMEA Failure Mode and Effects Analysis.
GAMP Good Automated Manufacturing Practice.
GPS Global Positioning System (link to INS).
GTIN Global Trade Item Number given by GS1.
HDS Hardware Design Specification.
HMI Human Machine Interface.
I/O PLC Physical Inputs and Outputs.
IEC International Electrotechnical Commission.
IIoT Industrial Internet of Things for the Digitalized Factory.
INS Inertial Navigation System (link to GPS).
IP Ingress Protection against intrusion, IEC-60529.
IPC Industrial Personal Computer.
IPS In-Process Sampling (Quality Audit).
IQ Installation Qualification.
ISO International Organization for Standardization.
IT Information Technology.
KPI Key Performance Indicator(s).
KQI Key Quality Indicator(s).
LiDAR Redundant Light Detection and Ranging.
MD Machinery Directive for the European Market.
MQTT Message Queuing Telemetry Transport.
MRO Maintenance, Repair & Overhaul (link to CBM).
MVC Model-View-Controller pattern.
MWR Redundant Millimetric Wave Radar.
NEMA National Electrical Manufacturers Association.
OEE Overall Equipment Effectiveness.
OEM Original Equipment Manufacturer.
OPC Open Platform Communications, DA or UA.
OPRPs Operational Pre-Requisite Points.
OQ Operational Qualification.
OT Operational Technologies.
P&IDn Process & Instruments Design IDentifier.
PE Protective Earth (Ground).
PLr Performance Level (required) of the SRP/CS.
PLC Programmable Logic Controller.
PQ Performance Qualification.
PRCR Problem Report and Change Request.
PRG Software Programs for PLCs and HMIs.
QC Quality Control Management.
RAMS Reliability, Availability, Maintainability & Safety.
RCA Root Cause Analysis.
RCM Release Candidate for Manufacturing.
RTM Requirements Traceability Matrix.
SAT Site Acceptance Test.
SCADA Supervisory Control and Data Acquisition.
SDS Software Design Specification.
SHE Safety, Health and Environmental.
SLO Service Level Objective.
SRA Software Risk Assessment.
SRP/CS Safety Related Parts of Control Systems.
SSL Secure Sockets Layer protocol (superseded by TLS).
TBD To Be Defined between Supplier & User.
TCMS Train Control and Monitoring System.
TCN Train Communication Network.
TST Testing Lists for Qualification.
URS User Requirements Specification.
UTO Unattended Train Operation vs UITP.
VFD Variable Frequency Drive / Variable Speed Drive.
VMP Validation Master Plan.
VPN Virtual Private Network.
International IT Regulations and Compliance :
The most primitive life cycle model is trial & error, also called build & fix. In this life cycle model, the first version of
the system is built without prior plan, documentation or control. If the product is accepted, the developers face an
interminable period of confusion, frustration and drudgery as they fix an endless stream of problems.
Unfortunately, the build & fix life cycle model, which hardly deserves its title, is all too common in practice; however,
continued pressure from customers is forcing it to be abandoned. So just keep away from the build & fix dead-end !
Good Automated Manufacturing Practice Guide :
GAMP aims to achieve control systems that are fit for their intended use and
meet current regulatory requirements by building upon existing industry
good practices in an efficient and effective manner.
It provides recommended good practices based on a life cycle approach for
the development and management of control systems. It is applicable
across the full system life cycle, from concept to retirement.
It recognizes that Good Engineering Practices meet most of the applicable
compliance requirements. The guide also emphasizes that, in order to be
efficient, appropriate specification and verification activities should be an
integral part of the normal system life cycle.
The good manufacturing practices do help :
• To improve workforce skills and technology use.
• To shorten time to market by reducing design risk.
• To improve quality by reducing assembly waste.
• To increase income by reducing overhead costs.
More Related Content

PDF
India railway and green infra smart move 2018
PDF
SQR_CSG_VI4x.pdf
PDF
India modern rail service for public
PDF
Iot+data in rail retrieve data and use it for real
PDF
CBTC-IEEE-Standard-1474.2-_-3.pdf
PDF
Deimos railways suite eng
PDF
Smart assets in real use at SNCF
PDF
Fashionable Design and technology
India railway and green infra smart move 2018
SQR_CSG_VI4x.pdf
India modern rail service for public
Iot+data in rail retrieve data and use it for real
CBTC-IEEE-Standard-1474.2-_-3.pdf
Deimos railways suite eng
Smart assets in real use at SNCF
Fashionable Design and technology

Similar to ST-AUT_Guidelines_VI3e.pdf (20)

PDF
Industrial IoT summit_andresg_guilarte Siemens
PPTX
Integrated track monitoring system ITMS in Railway
PPTX
Integrated Track Monitoring System Indian Railways
PDF
The Great Train Robbery: Fast and Furious
PDF
Jd3615921597
PDF
MEN - Rail and Public Transport Computers
PDF
MEN - Rail and Public Transport Computers
PDF
TMF_Brochure-11083-SYS-11-2012-en_low_rez (spreads)
PDF
Collision Avoidance of Trains Using Arm7
PPTX
Railway security using wireless networks
PDF
Formal Methods Applied To Complex Systems 1st Edition Jeanlouis Boulanger
PDF
Draft_Dtes_EC_PPT corrected by Electric Loco Dte.pdf
PDF
Presentation_for_TRSS.pdf
PDF
Communications Based Train Control Conference London March 12 2014
PDF
Westermo solutions for onboard rail networks
PDF
CBTC Communications Based Train Control conference March 12th 2014
PDF
07b92ea3-7781-494a-ac4e-9a3f35ec92e1.pdf
PDF
09-2014-3820_SNCF-TECHNICENTRE-GB-bd
PDF
Transfer Lines in Fixed automation systems
PPTX
Industrial IoT summit_andresg_guilarte Siemens
Integrated track monitoring system ITMS in Railway
Integrated Track Monitoring System Indian Railways
The Great Train Robbery: Fast and Furious
Jd3615921597
MEN - Rail and Public Transport Computers
MEN - Rail and Public Transport Computers
TMF_Brochure-11083-SYS-11-2012-en_low_rez (spreads)
Collision Avoidance of Trains Using Arm7
Railway security using wireless networks
Formal Methods Applied To Complex Systems 1st Edition Jeanlouis Boulanger
Draft_Dtes_EC_PPT corrected by Electric Loco Dte.pdf
Presentation_for_TRSS.pdf
Communications Based Train Control Conference London March 12 2014
Westermo solutions for onboard rail networks
CBTC Communications Based Train Control conference March 12th 2014
07b92ea3-7781-494a-ac4e-9a3f35ec92e1.pdf
09-2014-3820_SNCF-TECHNICENTRE-GB-bd
Transfer Lines in Fixed automation systems
Ad

More from Pourchet Jean Claude (9)

PDF
_M6_E&A+Connectivity_July2019_V4-42.pdf
PDF
SW_Platform_Summary.pdf
PDF
§T-ydée.pdf
PDF
§T-expNC_Study.pdf
PDF
§G-VisualDECO
PDF
PDF
PDF
PDF
§T-expNC_Study
_M6_E&A+Connectivity_July2019_V4-42.pdf
SW_Platform_Summary.pdf
§T-ydée.pdf
§T-expNC_Study.pdf
§G-VisualDECO
§T-expNC_Study
Ad

Recently uploaded (20)

DOCX
573137875-Attendance-Management-System-original
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
PPT
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
PPTX
Lecture Notes Electrical Wiring System Components
PPTX
CH1 Production IntroductoryConcepts.pptx
PPTX
Construction Project Organization Group 2.pptx
PPTX
OOP with Java - Java Introduction (Basics)
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
PDF
PPT on Performance Review to get promotions
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
PPTX
web development for engineering and engineering
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
PPT
Project quality management in manufacturing
573137875-Attendance-Management-System-original
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
Model Code of Practice - Construction Work - 21102022 .pdf
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
Lecture Notes Electrical Wiring System Components
CH1 Production IntroductoryConcepts.pptx
Construction Project Organization Group 2.pptx
OOP with Java - Java Introduction (Basics)
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
Operating System & Kernel Study Guide-1 - converted.pdf
PPT on Performance Review to get promotions
Embodied AI: Ushering in the Next Era of Intelligent Systems
web development for engineering and engineering
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
Project quality management in manufacturing

ST-AUT_Guidelines_VI3e.pdf

  • 1. SPENO INTERNATIONAL SA CH-1217 Meyrin. All rights reserved, do not share without written approval. ST-AUT_Guidelines_VI3e.docx SPENO INTERNATIONAL SA Energies & Automation Guidelines for SPENO Trains Control Systems Version Date Author Verifier Validator I.3.e 31 Mars 2021 JCP FEH, BeR StA Control System for Vehicle Remote Access CMeas CR+CL L1Synchronous Work Bus CabAWork CabBWork Control System for Work CabBVehicle Energies Traction L1 Synchronous Vehicle Bus CabAVehicle Touch Panels L2 Asynchronous Common Bus - TCMS Control System for Vehicle Remote Access CMeas CR+CL L1Synchronous Work Bus CabAWork CabBWork Control System for Work CabBVehicle Energies Traction L1 Synchronous Vehicle Bus CabAVehicle Touch Panels L2 Asynchronous Common Bus - TCMS Coupling Vehicles Cab A CReprofiler CLeaner Traction Energies CMeas CReprofiler CLeaner Traction Energies CMeas Cab B CReprofiler CLeaner
2.1.7 Bonding ... 3
2.2 Safety ... 4
2.2.1 Risks Assessment ... 4
2.2.2 Electrical Main Switch ... 4
2.2.3 Non-Electrical Main Valves ... 4
2.2.4 Safety Related Parts ... 4
2.2.5 Active Safe Guards ... 4
2.2.6 Emergency Brakes ... 4
2.2.7 Speed, Mooring and Brakes ... 4
3 SYSTEM SECURITY ... 5
3.1 Control System ... 5
3.1.1 IS/IT Policies ... 5
3.1.2 Remote Access ... 5
3.1.3 Validation Plan ... 5
3.1.4 E&A Documents ... 5
3.2 HMIs System ... 6
3.2.1 Hard-wired HMIs ... 6
3.2.2 Touch-Panel HMIs ... 6
3.3 PLCs System ... 6
3.3.1 Maintenance ... 6
3.3.2 Instruments ... 6
3.3.3 Traceability ... 6
3.4 IP Address ... 7
3.4.1 L2 Asynchronous ... 7
3.4.2 L1 Synchronous ... 8
3.5 Modbus Map ... 9
4 SYSTEM MODEL ... 10
4.1 Modes ... 10
4.2 States ... 11
4.3 Instances ... 11
4.3.1 Alarms ... 12
4.3.2 Logic RAMS ... 12
4.3.3 Segment ... 13
4.3.4 Stage ... 13
4.3.5 OEE ... 13
4.4 Semantics ... 14
4.4.1 Domain Visibility ... 14
4.4.2 Prefix and Attributes ... 14
4.4.3 Tags vs I/O Quantities ... 15
4.5 EN-14033 Features ... 15
4.5.1 Work vs PLr ... 15
4.5.2 Vehicle vs PLr ... 16
5 TRAIN INTERFACE ... 17
5.1 TCMS Ability ... 17
5.1.1 Work Systems ... 17
5.1.2 UTO Ready ... 17
5.2 Train Types ... 17
5.2.1 Pattern Type ... 17
5.2.2 Pass Type ... 18
5.2.3 PK Type ... 18
5.2.4 ODS Type ... 18
5.2.5 GPS Type ... 18
5.2.6 AGS Type ... 18
5.2.7 Traction Type ... 18
5.2.8 Energies Type ... 18
5.3 KPI Types ... 19
5.3.1 OEE Type ... 19
5.3.2 Stoppages ... 19
6 USER INTERFACE ... 20
6.1 Intuitiveness ... 20
6.2 HMIs Basics ... 20
6.3 User Access ... 20
6.3.1 User Login ... 20
6.3.2 User Roles ... 20
6.4 HMIs Features ... 21
6.4.1 Screen Header ... 21
6.4.2 Alarms Banner ... 21
6.4.3 Navigation Bar ... 21
6.5 Conventions ... 22
6.5.1 Colors ... 22
6.5.2 Module ... 22
6.5.3 Equipment ... 22
6.5.4 Wagon-Unit ... 22
7 APPENDIX ... 23
7.1 Energies-Safety ... 23
7.1.1 Energies ... 23
7.1.2 Neutral Earthing ... 23
7.1.3 Colors and Symbols ... 23
7.1.4 Safety Functions ... 23
7.1.5 Stop Categories ... 23
7.2 Risks Assessment ... 24
7.2.1 Hazards Inventory ... 24
7.2.2 Risks Evaluation ... 24
7.2.3 Risks Reduction ... 24
7.2.4 PLr Calculation ... 24
7.3 Connectivity ... 25
7.3.1 IIoT Integration ... 25
7.3.2 TCN Model ... 25
7.4 Segments Shift ... 26
7.4.1 §hiftime vs §mm & km/h ... 26
7.4.2 RR12MS1 200 mm Case ... 26
Acronyms ... 27

Versions

Version | Date | Modification Description | Author | Verifier | Validator
I.1.* | 25 June 2020 | §2 Energies-Safety + §3 System Security; §1.1.3 Appliance + §2.1.3 Fireproof | JCP | PC, VC | StA, YI
I.2.* | 27 July 2020 … 05 Oct. 2020 | §2.1 Energies + §3.5 Maintenance; §3.8 Modbus Map + §5 Train Interface; §4.2 States + §5.1.2 UTO Ready; §2.1 Energies + §7.4 Segments Shift; §2.1.6 Bonding + §4.1 Modes + §7.1.1 Energies; §2.2.5 Cabinets + §2.2.7 Speed-Mooring-Brakes; §4.1 Modes + §4.4.3 Tags vs I/O Quantities | JCP | BLa, ChM; YD, FEH; BL, VC; MRa; AlC | StA
I.3.a | 19 Oct. 2020 | §2.1.1 Terms of Use + §5 Train Interface | JCP | BL, VC | StA
I.3.b | 27 Oct. 2020 | §1.2.2 Railways + §3.3 PLCs + §5.1.1 Work Systems | JCP | BL, YD | StA
I.3.c | 30 Nov. 2020 | §3.4 IP Address (Diagram with CM-CabA & CR+CR) | JCP | BeR | StA
I.3.d | 11 Jan. 2021 | §3.4.1 L2 Asynchronous + §6.5.4 Wagon-Unit | JCP | FEH | StA
I.3.e | 31 March 2021 | §3.5 Modbus Map | JCP | FEH, BeR | StA

Contact Persons
Stefan Aeschlimann, Technical Director, Phone: +41 79 269 9131, E-Mail: stefan.aeschlimann@speno.ch
Fouad El Hachemi, Senior Automation Engineer, Phone: +41 79 203 5833, E-Mail: fouad.elhachemi@speno.ch
Jean Claude Pourchet, Automation Group Leader, Phone: +41 79 378 7624, E-Mail: jcpourchet@gmail.com
1 INTRODUCTION

1.1 Purpose

1.1.1 Objective
This document shares Energies & Automation good practices for integrating control systems in rail reprofilers. Those systems aggregate devices in a Train divided into Wagon-Units, Equipments and Modules. The guidelines ensure process Reliability, train Availability, systems Maintainability and user Safety in the E&A domains. The track profile process may cover several technologies such as grinding, milling or planing.

1.1.2 Audience
Executive Committee, Technical Department, Maintenance Department and Quality Department.

1.1.3 Relevance
Applicable to new trains only; the existing ones are out of scope.
[Relevance matrix (check marks lost in extraction): the concerns Process Reliability, Reprofiler Availability, Systems Maintainability, User Safety, Cyber Security and Data Collection are mapped against the columns Holistic, Matrix, Chapters, ISO/IEC & EN, GAMP, IS/IT Ready and IIoT Edge Ready, for the chapters Energies-Safety (blue), System Security (orange, green), System Model (purple), Train Interface (green) and User Interface.]
The right border color in the next pages indicates which chapter paragraph is relevant to which concern.

1.2 Scope

1.2.1 References
• MD-2006/42/CE, Essential health and safety requirements relating to design and construction of machinery.
• ISO-12100:2010, Safety of machinery - General Principles for Design - Risk Assessment and Reduction.
• ISO-13849-1:2015, Safety of machinery - Safety related Parts of control systems - Part 1: Principles.
• ISO-13849-2:2012, Safety of machinery - Safety related Parts of control systems - Part 2: Validation.
• ISO-13850:2015, Safety of machinery - Emergency Stop Function - Principles for Design.
• ISO-13855:2010, Safety of machinery - Safeguards position with respect to approach speeds of parts of human body.
• ISO-14118:2017, Safety of machinery - Prevention of Unexpected Startup.
• ISO-14119:2013, Safety of machinery - Guards Interlocking Devices Associated - Design and Selection Principles.
• ISO-27000:2018, Information technology - Information security management systems - Overview and vocabulary.
• IEC-60204-1:2016, Safety of machinery - Electrical equipment of machines - Part 1: General requirements.
• IEC-61131-3:2013, Programmable controllers - Part 3: Programming languages.
• IEC-61508:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems.
• IEC-62061-A2:2015, Safety of safety-related electrical, electronic and programmable electronic control systems.
• IEC-62443-3-3:2013, Industrial communication networks - System security requirements and security levels.
• IEC-62682-1:2014, Management of alarm systems for the process industries.
• IEC-62714-1:2018, Engineering data exchange format - Automation markup language.
• IEC-81346-2:2018, Reference designations - Part 2: Classification of objects and codes for classes.

1.2.2 Railways
• EN-14033-1:2017, Railway applications - Railbound construction and maintenance machines - Part 1: Running Requirements.
• EN-14033-2:2017, Railway applications - Railbound construction and maintenance machines - Part 2: Travelling and Working.
• EN-14033-3:2017, Railway applications - Railbound construction and maintenance machines - Part 3: General safety.
• EN-16185-1:2014, Railway applications - Braking systems of multiple unit trains - Requirements and definitions.
• EN-16186-3:2016, Railway applications - Driver's cab - Part 3: Design of displays.
• EN-17023:2018, Railway applications - Railway vehicle maintenance - Creation and modification of maintenance plan.
• EN-45545:2009, Railway applications - Fire protection on railway vehicles.
• EN-50126:2006, Railway applications - Specification of Reliability, Availability, Maintainability and Safety (RAMS).
• EN-50128:2011, Railway applications - Communication, signalling and processing - Software for control and protection systems.
• EN-50129:2003, Railway applications - Communication, signalling and processing - Safety related electronic systems.
• EN-50153:2014, Railway applications - Rolling stock - Protective provisions relating to electrical hazards.
• EN-50155:2017, Railway applications - Electronic equipment used in rolling stock.
• EN-50343:2014, Railway applications - Rolling stock - Rules for installation of cabling.
• EN-50567:2017, Railway applications - Rolling stock applications - Software on board rolling stock.
• EN-61373:2011, Railway applications - Rolling stock equipment - Shock and vibration tests.
• EN-62290:2014, Railway applications - Guided transport control systems - Part 1: System principles and fundamental concepts.
2 ENERGIES-SAFETY

2.1 Energies
The Energies supplies and distributions shall provide electrical, hydraulic and pneumatic containment in conformance with the safety requirements.

2.1.1 Terms of Use
All E&A parts shall comply with EN-50155:2017 and EN-61373:2011 according to their location and operative use, with a life cycle ≥ 20 years (L4 class):
• Category: Indoor OT1 | Outdoor OT2 | Hot Work OT5
• Temperatures: -25 °C to +55 °C | -40 °C to +55 °C | -25 °C to +85 °C
• Ingress Protection: IP54 | IP65
• Vibrations / Shocks: 2 g / 15 g | 5 g / 25 g
• Contact / Air Discharges: 1 kV / 2 kV | 5 kV / 8 kV
• Relative Humidity: 5…95 % non-condensing

2.1.2 Pipes & Wires
Conduits, tubes, pipes, wires and cables shall comply with EN-50343:2014:
• Leave more than 25 mm between electrical and non-electrical pipes.
• Avoid shearing, crushing, sharp edges, rough surfaces and cutting threads.
• Label pipes and wires at each termination point as tagged in the drawings.
• Ensure PE bonding of metallic sheaths and separation of DC control from AC power.
• Cable trays are of open mesh or basket design without cover; minimize, where possible, horizontal cable trays to reduce dust/debris accumulation; install pipes and wires in a single layer with single clipping (no cable grouping).
• Hydraulic or pneumatic conduits, tubes or pipes shall withstand pressure peaks 50 % above their nominal pressure without leakage or detachment; conduits require sealed ends on both sides (silicone is forbidden).

2.1.3 Hot Devices
They shall comply with EN-50153:2014; a supply isolating device (breaker) shall disconnect each one. For AC devices such as motors, servos or VFDs, there shall be no connection between neutral and PE bonding inside the electrical equipment.

2.1.4 Fireproof
All devices in explosive or combustible areas shall provide EN-45545:2009 test reports attesting their burning resistance and/or their ATEX compliance.

2.1.5 Labelling
System marking plates shall comply with MD-2006/42/CE. Cabinet, device, pipe and wire labels shall comply with EN-50343:2014 and IEC-81346-2:2018:
• Label every device in and out of cabinets.
• Label every pipe and wire at each termination point.
• Label or engrave each cabinet on the door or front cover.
• Labels shall comply with the directives and tags of the provided drawings, such as "+01.002=B3" or "+X01I2=B0", where "+" localizes and "=" identifies.

2.1.6 Cabinets
The control and termination cabinets, their device layouts and their cable trays shall comply with EN-50153:2014 and EN-50343:2014:
• The cabinet doors shall have an opening angle greater than 90°.
• The doors or covers hiding electrical Class III-IV devices (≥ 60 V) shall open with tools or keys only; electrical hazard warning stickers shall highlight them.
• Fulfil EMC/EMI immunity with a bonded metal divider (plate, grid or mesh) or ensure 100 mm of free space between Class I-II devices and Class III-IV ones.
• Ensure PE bonding continuity with metallic connectors and cable glands.
• Enter the conduits from the bottom or sides (not from top, front or back).
• Fulfil the Electrical Main Switch and Non-Electrical Main Valves requirements.

2.1.7 Bonding
Protective Earth equipotential bonding shall comply with EN-50153:2014:
• Share the selected Neutral Earthing Method at the electrical main supply.
• Identify PE conductors with GREEN-YELLOW or any combination of these.
• The impedance between PE bonding and structural parts shall remain ≤ 50 mΩ.
• Ensure PE bonding continuity in all metallic cable sheaths or armouring.
• Segregate PE, Neutral VAC and 0 VDC in every cabinet and cable tray.
• Do not use system structural parts as PE bonding conductors.
2.2 Safety
Machinery must be designed and constructed so that it is fitted for its function, and can be operated, adjusted and maintained without putting persons at risk when these operations are carried out under the conditions foreseen but also under any reasonably foreseeable misuse thereof (MD-2006/42/CE).

2.2.1 Risks Assessment
As defined in ISO-12100:2010, the SRP/CS designs (ISO-13849-1:2015) and validations (ISO-13849-2:2012) shall reach the required PLr and category. The shared Hazards Inventory, Risks Evaluation and Risks Reduction shall be done per actuator or per energy. If irreversible injuries are foreseeable, the SRP/CS shall be rated PLd/PLe under Category 3/4 instead of relying on Information for Use.

2.2.2 Electrical Main Switch
It shall comply with IEC-60204-1:2016 and ISO-14118:2017 to filter, isolate and disconnect all electrical energies, with the following protective features:
• 3-Phase + Neutral EMC/EMI filter and overload protection at the main drop.
• The I/ON and O/OFF labels shall indicate the switch position (power status).
• The I/ON position shall keep the main cabinet door closed unless authorized skilled or instructed persons use a tool or key to bypass the interlock for maintenance.
• The O/OFF position (disconnected state) can be mechanically locked with a padlock or trapped key to prevent any unexpected start-up.

2.2.3 Non-Electrical Main Valves
For all pneumatic or hydraulic supplies, provide overload protection, a dirt filter, an isolation switch and a quick disconnect; add to each of them On-Off valves with gradual pressure build-up in the downstream position (soft-start / quick exhaust).

2.2.4 Safety Related Parts
The SRP/CS such as Active Safe Guards, Emergency Brakes or Deadman Switch shall comply with IEC-61508:2010, IEC-62061-A2:2015 and EN-14033-3:2017 and provide:
• Every related document, specification, certificate, drawing, logic and manual.
• Energies containment in case of safeguard error or emergency braking.
• A Safety Reset that resets Active Safe Guards or Emergency Brakes without initiating any hazardous operation; only then may the Active Safe Guards feedbacks enable the Startup that energizes the unsafe actuators.
• Redundant air and hydraulic valves to cut unsafe non-electrical actuators.
• Redundant 3-phase electrical breakers to cut unsafe electrical actuators.
• Safe-Stop or Safe-Limited-Speed for redundant certified actuators.

2.2.5 Active Safe Guards
The Active Safe Guards shall prevent any potentially hazardous motion and comply with ISO-13855:2010, ISO-14119:2013, IEC-60204-1:2016 and EN-62290:2014.
• They refer to guard interlocks, presence sensors, light curtains, Speed-Mooring-Brakes or UTO sensors (ultrasonic scanners, 3D cameras, GPS, INS, LiDAR and MWR).
• Only Two-Hand or Deadman switches may bypass Active Safe Guards to enable the Redundant-Certified-Actuators while all Unsafe-Actuators remain disabled.
• Presence-Sensor or Light-Curtain muting shall comply with ISO-13849-1:2015.
• The fixed or movable guard interlocks shall offer an escape means for anyone trapped inside; padlocks or trapped keys shall prevent inappropriate guard closing; irreversible fasteners shall prevent any work-around.

2.2.6 Emergency Brakes
They shall comply with EN-14033-1:2017 and ISO-13850:2015; nothing can bypass Emergency Brakes; they shall prevent hazardous motion; they shall not be located next to a Stop/OFF push-button and shall be protected against accidental pushing. The driver shall be informed if the system is not in service.

2.2.7 Speed, Mooring and Brakes
The SRP/CS involved in those features shall comply with EN-14033-1:2017 and EN-16185-1:2014; that means a Category 3 fault-detection design rated PLd (SIL2) to stop the train in any operated case and to prevent any unexpected start-up. In case of Emergency Brakes, mooring and traction are disabled while the brakes absorb the train's kinetic energy; in normal operation, the mooring circuit shall coordinate the braking pressure with the train speed.
3 SYSTEM SECURITY

3.1 Control System
It aggregates HMIs and PLCs to control machinery; every system device shall:
• Provide an electronic crash-recovery backup on IS/IT approved storage media.
• Integrate only pieces of hardware or software approved by the original vendor.
• Be replaced before its obsolescence or the end of its security support.
Data access shall avoid OPC-DA and use OPC-UA on the L2 Asynchronous Network. The runtime shall provide OPC-UA authentication based on certificates managed through the OPC-UA GDS (Global Discovery Server) push model, and shall implement OPC-UA authorization if the control system requires User Roles based on User Login.

3.1.1 IS/IT Policies
They claim Security Level 2 or 3 (SL-2/SL-3) per IEC-62443-3-3:2013 within an ISO-27000:2018 management system. Every device on the L2 Asynchronous Network or on a public cellular network (xG) shall:
• Apply security fixes for CVEs with CVSS ≥ 7.0 under the following SLOs:
  • 7 days for systems on a public cellular network (xG).
  • 30 days for systems on the L2 Asynchronous Network.
• Report once a year, for every asset:
  • IP address, system and application names, user roles and credential inventory (account names; the secrets themselves never appear in the report).
  • Security support end date from the original software vendor and from the supplier.
  • List of CVSS ≥ 7.0 findings applicable to the hardware whose patches are not yet applied.
• Update once a year firmware, operating system and software with the latest fixes.
• Change once a year every password/PIN, following an uncompromising credentials policy.

3.1.2 Remote Access
Two choices keep the control systems secure from someone accessing them remotely:
• First, an SSL-VPN to a Train Touch-Panel, using proper credentials as SI-Adm.
• Second, as an immediate tactical solution, a Teams screen-sharing session, where nothing happens without a local SI-Adm user session.
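The SLO rule of §3.1.1 (CVSS ≥ 7.0 fixed within 7 days on cellular, 30 days on L2) and the annual per-asset report are easy to get wrong by hand, so here is an added example, not SPENO code, that computes both from an asset inventory and a vulnerability finding list. The addresses, the CVE identifiers (CVE-EXAMPLE-n) and the dates are constructed for illustration; the report deliberately carries account roles only, never secrets.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch SLOs from §3.1.1: CVSS >= 7.0 must be fixed within N days of publication.
CVSS_THRESHOLD = 7.0
SLO_DAYS = {"cellular": 7, "l2": 30}


@dataclass
class Asset:
    ip: str
    system: str
    network: str          # "cellular" (xG) or "l2" (L2 Asynchronous Network)
    roles: tuple          # user roles present on the asset (account inventory only)
    support_end: date     # security support end date from vendor/supplier


@dataclass
class Finding:
    ip: str
    cve: str
    cvss: float
    published: date
    patched: bool = False


def deadline(finding, asset):
    """SLO deadline for one finding on one asset, driven by the asset's network."""
    return finding.published + timedelta(days=SLO_DAYS[asset.network])


def overdue(assets, findings, today):
    """Unpatched CVSS >= 7.0 findings past their SLO: [(ip, cve, days_late)]."""
    by_ip = {a.ip: a for a in assets}
    late = []
    for f in findings:
        if f.patched or f.cvss < CVSS_THRESHOLD:
            continue
        d = deadline(f, by_ip[f.ip])
        if today > d:
            late.append((f.ip, f.cve, (today - d).days))
    return late


def annual_report(assets, findings, today):
    """One record per asset with the fields §3.1.1 asks for (no secrets)."""
    report = []
    for a in assets:
        open_cves = sorted(f.cve for f in findings
                           if f.ip == a.ip and not f.patched and f.cvss >= CVSS_THRESHOLD)
        report.append({
            "ip": a.ip,
            "system": a.system,
            "roles": list(a.roles),
            "support_end": a.support_end.isoformat(),
            "support_expired": a.support_end < today,   # must already be replaced
            "unpatched_high_cves": open_cves,
        })
    return report


# Constructed sample inventory (not real SPENO assets, not real CVEs).
SAMPLE_ASSETS = [
    Asset("192.168.7.9", "Remote Access gateway", "cellular", ("SI-Adm",), date(2020, 12, 31)),
    Asset("192.168.7.3", "Touch-Panel Cab A", "l2", ("Operator", "Supervisor", "SI-Adm"), date(2026, 6, 30)),
]
SAMPLE_FINDINGS = [
    Finding("192.168.7.9", "CVE-EXAMPLE-1", 9.8, date(2021, 3, 1)),                # 7-day SLO
    Finding("192.168.7.3", "CVE-EXAMPLE-2", 7.5, date(2021, 3, 1)),                # 30-day SLO
    Finding("192.168.7.3", "CVE-EXAMPLE-3", 5.3, date(2021, 1, 1)),                # below threshold
    Finding("192.168.7.3", "CVE-EXAMPLE-4", 8.1, date(2021, 1, 1), patched=True),  # already fixed
]

if __name__ == "__main__":
    for row in overdue(SAMPLE_ASSETS, SAMPLE_FINDINGS, date(2021, 3, 20)):
        print("OVERDUE", row)
    for rec in annual_report(SAMPLE_ASSETS, SAMPLE_FINDINGS, date(2021, 3, 20)):
        print(rec)
```

The gateway on the cellular network misses its 7-day window by 12 days while the same-day finding on the L2 panel is still inside its 30-day window; the report also flags the gateway whose security support ended before the report date, which §3.1 requires to have been replaced already.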
3.1.3 Validation Plan
The following E&A milestones endorse the E&A good practices within an approved VMP (Validation Master Plan). They are staged Offline, Online and Release, and the E&A document set (HDS, DRW, SDS, PRG, TST) is issued at V0, V1 and V2, each version covering HW, SW and QC:
• URS Review + FMEA
• Functional Review
• Design Specification
• PLC & HMI Coding
• RCM Ready
• Modular Testings
• Manual Checkups
• Maintenance Tests
• Production Tests
• FAT Ready
• 1st Run Successful
• Qualification Ready
• IQ-OQ-PQ Support
• FAT Successful
• SAT Ready

3.1.4 E&A Documents
Those cited in the Validation Plan shall demonstrate that all systems comply with EN-50155:2017 and endorse the E&A good practices, where:
• All tags, aliases and faceplates match the P&ID drawing names.
• Hardware drawings and labelling comply with IEC-81346-2:2018.
• Design patterns may endorse good practices such as IEC-62714-1:2018.
• All tags, mnemonics, descriptions, comments and instructions are in English.
The test sheets require the Risk-Assessment, I/O, Parameters and Alarms lists.
[Figure: Remote Access paths. A local SI-Adm works on the Train Touch-Panel; a remote SI-Adm on a 3rd-party computer reaches the train over the SI WAN through the SSL-VPN.]
3.2 HMIs System
The HMIs requirements are split in two chapters: this one describes the connectivity to the IT network; the User Interface chapter describes features such as Basics, User Access and Navigation Bar for the visualization application.

3.2.1 Hard-wired HMIs
If hazardous operations may cause irreversible injuries, all push-buttons shall be hard-wired. See §User Interface, HMIs Basics, for how the stack-lights and push-buttons shall comply with IEC-60204-1:2016.

3.2.2 Touch-Panel HMIs
They integrate the L2 Asynchronous Network when database access is required. IT provides the Touch-Panel HMI hardware and operating system and shall validate the visualization software; any software not validated by IT requires a risk assessment against IT security. The visualization application shall integrate User Access with Active Directory, and its life-cycle management has to be set up to stay compatible with the hardware and software roadmap validated under the IS/IT Policies. The project tool shall handle multiple targets held by multiple programmers.

3.3 PLCs System
In addition, the supplier shall integrate PLCs with the following features:
• A minimum of 20 % spare for PLC memory, tags and I/O quantities.
• A safety logic (hardware or software) to control the Safety Related Parts.
• Remote access for diagnostics and troubleshooting through the L1 Synchronous Network on one Ethernet port.
• A separate Ethernet port, with a different IP address and possibly IO-Link gateways, linking to the L0 Synchronous Fieldbus.
The project tool shall handle multiple targets held by multiple programmers and comply with IEC-61131-3:2013 for the ST, LD or FBD programming languages.
3.3.1 Maintenance
As mentioned in EN-17023:2018, the PLCs system shall share with the Train Interface the Condition-Based Monitoring (CBM) data that collect and contextualize information for production improvement as well as for Maintenance, Repair & Overhaul (MRO); such data may establish trends, predict failures and calculate remaining life. This condition-based dependability management is more efficient for Reliability, Availability, Maintainability & Safety (RAMS) than old-school palliative maintenance.

3.3.2 Instruments
As specific parts of the PLCs, the instruments associated with CCPs (Critical Control Points) and OPRPs (Operational Pre-Requisite Points) belong to an approved bill of materials; other choices require individual approvals. These instruments shall come with their calibration certificates and their maintenance/validation plans. If calibration is not applicable, a gage R&R (repeatability & reproducibility) study is required.
The supplier shall provide energies consumption monitoring (electricity in kWh, hydraulic fluid in litres, compressed air in m³, etc.), at least for the energies mentioned in §System Model Energies or §Train Interface Energies.

3.3.3 Traceability
The control system shall provide the logic to build unique traceable identifiers for each railroad pass PK, updated segment by segment. The PK trace may record contextual information (segment, parameters, reports, status, configurations, timestamp, content, authentication, etc.) that characterizes the reprofiled PKs; see §Train Interface PK Type.
3.4 IP Address
There are two kinds of communication bus, the asynchronous and the synchronous.

3.4.1 L2 Asynchronous
It serves high-level data sharing; the third octet "xxx" differs from one train to another.

Feature | IP Address
Reserved | 192.168.xxx.00
PC-UTO Cab A | 192.168.xxx.01
PC-UTO Cab B | 192.168.xxx.02
Touch-Panel Cab A | 192.168.xxx.03
Touch-Panel Cab B | 192.168.xxx.04
ESA-Panel Cab A | 192.168.xxx.05
ESA-Panel Cab B | 192.168.xxx.06
Train Laptop | 192.168.xxx.07
Reserve | 192.168.xxx.08
Remote Access | 192.168.xxx.09
Work PLC Master | 192.168.xxx.10
Work PLC Slave 1 | 192.168.xxx.11
Work PLC Slave 2 | 192.168.xxx.12
Work PLC Slave 3 | 192.168.xxx.13
Work PLC Slave 4 | 192.168.xxx.14
Contactless Slave A | 192.168.xxx.15
Contactless Slave B | 192.168.xxx.16
GPS-Receiver Cab A | 192.168.xxx.17
GPS-Receiver Cab B | 192.168.xxx.18
Vehicle PLC Master | 192.168.xxx.19
PC Supervisor Cab A | 192.168.xxx.20
Probe MPT 0 Cab A | 192.168.xxx.21
Probe MPT 1 Cab A | 192.168.xxx.22
PC Supervisor Cab B | 192.168.xxx.23
Probe MPT 0 Cab B | 192.168.xxx.24
Probe MPT 1 Cab B | 192.168.xxx.25
T° Recorder Cab A | 192.168.xxx.26
T° Recorder Cab B | 192.168.xxx.27
PC AGS Cab A | 192.168.xxx.28
PC AGS Cab B | 192.168.xxx.29
PC KLD Cab A | 192.168.xxx.30
PC KLD Cab B | 192.168.xxx.31
Printer Cab A | 192.168.xxx.32
Printer Cab B | 192.168.xxx.33
PC HC Cab A | 192.168.xxx.34
PC HC Cab B | 192.168.xxx.35
PC ODS Cab A | 192.168.xxx.36
PC ODS Cab B | 192.168.xxx.37
PC ODS Elag Cab A | 192.168.xxx.38
PC ODS Elag Cab B | 192.168.xxx.39

To complete the range, the subnet mask is 255.255.0.0 (192.168.0.0/16): the hosts of coupled trains with different "xxx" therefore sit in one IP network and reach each other without routing.
[Figure: bus diagram with the tag tree per Wagon-Unit. The Vehicle PLC Master and Work PLC Master sit on the L2 Asynchronous Common Bus (TCMS) together with the Touch Panels and the Remote Access. The L1 Synchronous Vehicle Bus carries +CabAvehicule/+CabBvehicule (+Vehicle =Panel, +Network =Panel =Warn =UTO, =State Exec/Stop/StUp/Reset/E-stop), +Energies (=Engine rpm T, =Hydraulic bar T, =AirPressure bar T, =Safety Emergency/Power-cut, =Electrical Hz V A, =HVAC-Lights V, =Batteries % V A A T Fire-warn, =Warn) and +Traction (=Vehicle Max/Safe-Park km/h, =Brake Normal/Manual/Emergency, =Mode Travel %/Reverse/Neutral/Drive, Manual/Maintain/Produce/Run). The L1 Synchronous Work Bus carries +CabAwork/+CabBwork (+Work, +Network =Panel =GPS =AGS =ODS, +Chariot =Spacer-Y =Unlock =Down, =WaterTank), +CMeas (=TPM =LPM =TGM =Mrm =Rets =Panel), +Cleaner (=LevelCross =Firewall =Purge =Down), +CR+CL with modules +M01…+M12 (=Spndl-C =Servo-Z =Servo-A =Spacer-Y) and +Chariot (=LevelCross =Spacer-Y =Curve-Y =Curve-C =Chuck =Down =Unlock =UTO), and +Coupling =Panel. Cab A and Cab B each hold CReprofiler, CLeaner, Traction, Energies and CMeas.]
3.4.2 L1 Synchronous
It serves low-level data control; those addresses are the same on every train. The scheme is 10.uu.ee.mm with the subnet mask 255.0.0.0 on every node, where uu is the wagon-unit (00 = Cab B, 01…uu = reprofiler units, 99 = Cab A), ee the equipment and mm the device; the "…" rows stand for the omitted intermediate nodes.

Feature | IP Address | Subnet Mask
Work PLC Master (+192.168.xxx.10) | 10.00.00.00 | 255.00.00.00
CabB Work.InpOut | 10.00.00.01 | 255.00.00.00
Touch-Panel (+192.168.xxx.04) | 10.00.00.99 | 255.00.00.00
… | … | 255.00.00.00
Slave CMeasB | 10.00.01.00 | 255.00.00.00
Chariot.InpOut | 10.00.01.01 | 255.00.00.00
… | … | 255.00.00.00
Slave CReprofiler01 | 10.01.00.00 | 255.00.00.00
Chariot.InpOut | 10.01.00.01 | 255.00.00.00
Cleaner.InpOut | 10.01.00.02 | 255.00.00.00
… | … | 255.00.00.00
M01.InpOut | 10.01.01.01 | 255.00.00.00
M01.SpndlC | 10.01.01.02 | 255.00.00.00
M01.ServoZ | 10.01.01.03 | 255.00.00.00
M01.ServoA | 10.01.01.04 | 255.00.00.00
… | … | 255.00.00.00
Mee.InpOut | 10.01.ee.01 | 255.00.00.00
Mee.mm | 10.01.ee.mm | 255.00.00.00
… | … | 255.00.00.00
M12.InpOut | 10.01.12.01 | 255.00.00.00
M12.SpndlC | 10.01.12.02 | 255.00.00.00
M12.ServoZ | 10.01.12.03 | 255.00.00.00
M12.ServoA | 10.01.12.04 | 255.00.00.00
… | … | 255.00.00.00
Slave CReprofileruu | 10.uu.00.00 | 255.00.00.00
Chariot.InpOut | 10.uu.00.01 | 255.00.00.00
Cleaner.InpOut | 10.uu.00.02 | 255.00.00.00
… | … | 255.00.00.00
M01.InpOut | 10.uu.01.01 | 255.00.00.00
M01.SpndlC | 10.uu.01.02 | 255.00.00.00
M01.ServoZ | 10.uu.01.03 | 255.00.00.00
M01.ServoA | 10.uu.01.04 | 255.00.00.00
… | … | 255.00.00.00
Mee.InpOut | 10.uu.ee.01 | 255.00.00.00
Mee.mm | 10.uu.ee.mm | 255.00.00.00
… | … | 255.00.00.00
M12.InpOut | 10.uu.12.01 | 255.00.00.00
M12.SpndlC | 10.uu.12.02 | 255.00.00.00
M12.ServoZ | 10.uu.12.03 | 255.00.00.00
M12.ServoA | 10.uu.12.04 | 255.00.00.00
… | … | 255.00.00.00
Slave CMeasA | 10.99.98.00 | 255.00.00.00
Chariot.InpOut | 10.99.98.01 | 255.00.00.00
… | … | 255.00.00.00
CabA Work.InpOut | 10.99.99.01 | 255.00.00.00
Touch-Panel (+192.168.xxx.03) | 10.99.99.99 | 255.00.00.00

The Vehicle Bus may reuse the same addresses as the Work Bus because the two buses are physically separate:

Feature | IP Address | Subnet Mask
Vehicle PLC Master (+192.168.xxx.19) | 10.00.00.00 | 255.00.00.00
CabB Vehicle.InpOut | 10.00.00.01 | 255.00.00.00
Panel | 10.00.00.99 | 255.00.00.00
… | … | 255.00.00.00

Note that 10.0.0.0 is the network address of 10.0.0.0/8; some IP stacks refuse it as a host address, so the PLC masters' acceptance of it should be checked before the plan is frozen.
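Because the L1 plan is positional (10.uu.ee.mm on one flat /8, reused on two physically separate buses), a node inventory can be checked mechanically. The following is an added example, not SPENO code: it builds and decodes addresses under the scheme of the table and audits a host list for three things a commissioning engineer would look for, an address outside 10.0.0.0/8, the all-zeros host address that some IP stacks refuse, and a node carrying both buses in the same /8. The role names for ee and mm are read off the table; the sample host list is constructed, and the device naming for unlisted values is an assumption.

```python
import ipaddress

# L1 Synchronous plan of §3.4.2: 10.uu.ee.mm on 10.0.0.0/8 with
# uu = wagon-unit, ee = equipment, mm = device (added example, not SPENO code).
L1_NET = ipaddress.ip_network("10.0.0.0/8")

MODULE_DEVICES = {1: "InpOut", 2: "SpndlC", 3: "ServoZ", 4: "ServoA"}       # mm inside a module
UNIT_DEVICES = {0: "Master/Slave", 1: "Chariot.InpOut", 2: "Cleaner.InpOut"}  # mm when ee == 0


def l1_address(unit, equipment, device):
    """Build 10.uu.ee.mm and refuse values outside the two-digit fields of the table."""
    for name, v in (("unit", unit), ("equipment", equipment), ("device", device)):
        if not 0 <= v <= 99:
            raise ValueError(f"{name}={v} out of range 0..99")
    return ipaddress.ip_address(f"10.{unit}.{equipment}.{device}")


def describe(addr):
    """Decode an L1 address back to its role in the plan."""
    ip = ipaddress.ip_address(addr)
    if ip not in L1_NET:
        raise ValueError(f"{ip} is not on the L1 Synchronous bus")
    _, uu, ee, mm = ip.packed
    unit = {0: "Cab B", 99: "Cab A"}.get(uu, f"CReprofiler{uu:02d}")
    if ee == 0:
        role = UNIT_DEVICES.get(mm, "Touch-Panel" if mm == 99 else "unlisted")
    elif uu in (0, 99) and ee in (1, 98):          # CMeas chariots of the two cabs
        role = {0: "Slave CMeas", 1: "Chariot.InpOut"}.get(mm, "unlisted")
    elif 1 <= ee <= 12:                             # modules M01..M12
        role = f"M{ee:02d}.{MODULE_DEVICES.get(mm, f'device{mm:02d}')}"   # ASSUMED fallback name
    else:
        role = "unlisted"
    return {"unit": unit, "equipment": ee, "device": mm, "role": role}


def check_plan(hosts):
    """hosts: iterable of (name, bus, ip) with bus in {"work", "vehicle"}; returns findings."""
    findings, per_host = [], {}
    for name, bus, ip in hosts:
        addr = ipaddress.ip_address(ip)
        if addr not in L1_NET:
            findings.append(f"{name}: {addr} is outside {L1_NET}")
        elif addr == L1_NET.network_address:
            findings.append(f"{name}: {addr} is the network address of {L1_NET}; "
                            "some IP stacks refuse it as a host address")
        per_host.setdefault(name, {})[bus] = addr
    for name, buses in per_host.items():
        if "work" in buses and "vehicle" in buses:
            findings.append(f"{name}: dual-homed on Work ({buses['work']}) and Vehicle "
                            f"({buses['vehicle']}), both inside {L1_NET}; keep the NICs on "
                            "physically separate segments and bind each service to its interface")
    return findings


# Constructed host list; the "Rogue laptop" entry is deliberately off-plan.
SAMPLE_HOSTS = [
    ("Work PLC Master", "work", "10.0.0.0"),
    ("M01.ServoZ", "work", "10.1.1.3"),
    ("Touch-Panel Cab B", "work", "10.0.0.99"),
    ("Touch-Panel Cab B", "vehicle", "10.0.0.99"),
    ("Rogue laptop", "work", "192.168.1.50"),
]

if __name__ == "__main__":
    print(describe("10.1.1.3"))
    for line in check_plan(SAMPLE_HOSTS):
        print("FINDING", line)
```

The dual-homed finding is the one worth acting on: a Touch-Panel with 10.0.0.99 on both its Work and Vehicle interfaces only works while the two segments never meet, so a later "convenience" bridge between them silently breaks the address plan.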
3.5 Modbus Map
The L2 Asynchronous Network hosts Modbus TCP/IP. The Work-PLCMaster (192.168.xxx.10) acts as the data server: every client periodically (period in ms) initiates its own queries to the Work-PLCMaster, reading or writing at the Offset with the Attributes defined below. Each client may size its own range inside the 1000-byte limit. Modbus TCP carries no authentication or integrity protection, so any host on the L2 network can write to the Read/Write tables; the server's connection allow-list and the segmentation required by §3.1.1 are what restrict who actually can. A single Modbus read request carries at most 125 registers (250 bytes) or 2000 bits, so the 400-, 800- and 1000-byte ranges need several requests per period.

• One Boolean Read-Only table where to READ status.
Client | Bit Offset | Period | Size
Alarms & Status from Work-PLCMaster | 0000-… | 10 ms | 1500 bits
Commands to Vehicle-PLCMaster | 1500-… | 100 ms | 500 bits
Commands to SupervisorMeas | 2000-… | 100 ms (36 km/h) | 500 bits
Commands to HMI | 3000-… | 500 ms | 500 bits
Commands to ODS | 4000-… | 10 ms (36 km/h, §200 mm) | 500 bits
Commands to GPS | 5000-… | 100 ms (36 km/h) | 500 bits
Commands to AGS | 6000-… | 100 ms (36 km/h) | 500 bits

• One INTeger Read-Only table where to READ values.
Client | Byte Offset | Period | Size
Reports from Work-PLCMaster | 0000-… | 20 ms | 800 bytes
Parameters to Vehicle-PLCMaster | 1500-… | 200 ms | 400 bytes
Parameters to SupervisorMeas | 2000-… | 200 ms (36 km/h) | 200 bytes
Parameters to HMI | 3000-… | 1000 ms | 1000 bytes
Parameters to ODS | 4000-… | 20 ms (36 km/h, §200 mm) | 200 bytes
Parameters to GPS | 5000-… | 200 ms (36 km/h) | 200 bytes
Parameters to AGS | 6000-… | 200 ms (36 km/h) | 1000 bytes

• One Boolean Read/Write table where to WRITE status.
Client | Bit Offset | Period | Size
Alarms & Status to Work-PLCMaster | 0000-… | 10 ms | 1500 bits
Status from Vehicle-PLCMaster | 1500-… | 100 ms | 500 bits
Status from SupervisorMeas | 2000-… | 100 ms (36 km/h) | 500 bits
Status from HMI | 3000-… | 500 ms | 500 bits
Status from ODS | 4000-… | 10 ms (36 km/h, §200 mm) | 500 bits
Status from GPS | 5000-… | 100 ms (36 km/h) | 500 bits
Status from AGS | 6000-… | 100 ms (36 km/h) | 500 bits

• One INTeger Read/Write table where to WRITE values.
Client | Byte Offset | Period | Size
Parameters to Work-PLCMaster | 0000-… | 20 ms | 800 bytes
Reports from Vehicle-PLCMaster | 1500-… | 200 ms | 400 bytes
Reports from SupervisorMeas | 2000-… | 200 ms (36 km/h) | 200 bytes
Reports from HMI | 3000-… | 1000 ms | 1000 bytes
Reports from ODS | 4000-… | 20 ms (36 km/h, §200 mm) | 200 bytes
Reports from GPS | 5000-… | 200 ms (36 km/h) | 200 bytes
Reports from AGS | 6000-… | 200 ms (36 km/h) | 1000 bytes

[Figure: the Modbus Server (Work-PLCMaster) exposes the four tables, Boolean Read-Only, Boolean Read/Write, Integer Read-Only and Integer Read/Write, each indexed by Bit/Byte Offset 1…n; Client 1 and Client 2 are each attached to the Boolean and Integer tables.]
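To make the map concrete, here is an added example, not SPENO code, of the Modbus/TCP frames a client exchanges with the Work-PLCMaster: it splits one table range into spec-sized read requests, builds a multiple-coil or multiple-register write, and parses the replies including exception responses. The page does not name function codes, so the mapping of the four tables onto Modbus object types (Boolean Read-Only to discrete inputs FC 0x02, Boolean Read/Write to coils FC 0x01/0x0F, INTeger Read-Only to input registers FC 0x04, INTeger Read/Write to holding registers FC 0x03/0x10), the rule that a Byte Offset becomes register address byte_offset // 2, and the unit identifier 0xFF are all assumptions; the sample frames and replies are constructed.

```python
import struct

# Modbus/TCP framing for the Modbus Map above (added example, not SPENO code).
# ASSUMED: table -> Modbus object type, and register address = byte offset // 2.
UNIT_ID = 0xFF                       # ASSUMED unit identifier for a TCP-native server
TABLES = {  # name -> (read FC, write FC or None for client-read-only, addressed in bits?)
    "bool_ro": (0x02, None, True),   # discrete inputs
    "bool_rw": (0x01, 0x0F, True),   # coils
    "int_ro": (0x04, None, False),   # input registers
    "int_rw": (0x03, 0x10, False),   # holding registers
}
MAX_READ = {True: 2000, False: 125}  # items per request, Modbus application protocol limits
MAX_WRITE = {True: 1968, False: 123}


def _adu(tid, pdu, unit=UNIT_ID):
    """MBAP header (transaction id, protocol 0, remaining length, unit id) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_requests(table, offset, size, tid=1):
    """Split a table range (offset/size in bits or bytes, as in the map) into read ADUs."""
    fc, _, is_bit = TABLES[table]
    addr, count = (offset, size) if is_bit else (offset // 2, size // 2)
    frames = []
    while count > 0:
        n = min(count, MAX_READ[is_bit])
        frames.append(_adu(tid, struct.pack(">BHH", fc, addr, n)))
        addr, count, tid = addr + n, count - n, tid + 1
    return frames


def write_request(table, offset, values, tid=1):
    """Write multiple coils (list of bool) or registers (list of uint16) in one ADU."""
    _, fc, is_bit = TABLES[table]
    if fc is None:
        raise PermissionError(f"{table} is read-only for clients")
    if len(values) > MAX_WRITE[is_bit]:
        raise ValueError("range exceeds the per-request limit; split the write")
    if is_bit:
        payload = bytearray((len(values) + 7) // 8)
        for i, bit in enumerate(values):          # coil bytes are packed LSB first
            if bit:
                payload[i // 8] |= 1 << (i % 8)
        addr = offset
    else:
        payload = b"".join(struct.pack(">H", v) for v in values)
        addr = offset // 2
    pdu = struct.pack(">BHHB", fc, addr, len(values), len(payload)) + bytes(payload)
    return _adu(tid, pdu)


def parse_response(adu):
    """Decode a reply into a dict; raise RuntimeError on a Modbus exception response."""
    tid, _proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    pdu = adu[7:7 + length - 1]
    fc = pdu[0]
    if fc & 0x80:                                  # exception: FC | 0x80, then exception code
        raise RuntimeError(f"exception 0x{pdu[1]:02x} for FC 0x{fc & 0x7F:02x}")
    if fc in (0x0F, 0x10):                         # write echo: start address + quantity
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return {"tid": tid, "fc": fc, "address": addr, "written": qty}
    body = pdu[2:2 + pdu[1]]                       # byte count, then data
    if fc in (0x01, 0x02):
        return {"tid": tid, "fc": fc, "bits": [bool(b >> i & 1) for b in body for i in range(8)]}
    if fc in (0x03, 0x04):
        return {"tid": tid, "fc": fc, "registers": list(struct.unpack(f">{len(body) // 2}H", body))}
    raise ValueError(f"unhandled FC 0x{fc:02x}")


if __name__ == "__main__":
    # "Reports from Work-PLCMaster": byte offset 0, 800 bytes -> 400 registers -> 4 requests.
    for frame in read_requests("int_ro", 0, 800):
        print(frame.hex())
    # Constructed reply to a 2-register read and a constructed exception reply.
    print(parse_response(bytes.fromhex("000100000007ff040400010002")))
    try:
        parse_response(bytes.fromhex("000100000003ff8402"))
    except RuntimeError as exc:
        print("server refused:", exc)
```

Two points the frames make visible: the 800-byte report range cannot be fetched in one request, so the 20 ms period has to cover four round trips, and nothing in the write frame identifies the client, which is why the allow-list on the server side, not the protocol, decides who may write a table.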
4 SYSTEM MODEL

Standardized Modes, States, Alarms, Instances, OEE and Semantics simplify the implementation of multi-supplier systems, as claimed by EN-50128:2011 and EN-50567:2017. This rational model eases IIoT integration and provides Condition-based Monitoring (CBM) for Maintenance, Repair & Overhaul (MRO).

Modes

These apply fully to Trains or Wagon-Units and partially to Equipment or Modules. Colours are based on EN-16186-3:2016.

System Mode | Kind | Access | Description

vs Vehicle
Travel | Latent | Oper. | A locomotive hauls the railreprofiler in normal traffic according to EN-14033 for speed, mooring and brakes. All profile features shall be in E-Stop.
Run | Latent | Oper. | The railreprofiler runs as a normal train in normal traffic according to EN-14033 for speed, mooring and brakes. All profile features shall be in E-Stop.

vs Work
UTO | Automatic | Oper. | Production versus Unattended Train Operation (U-Sonic scanners, 3D cameras, GPS, INS, LiDAR and MWR).
Production | Automatic | Any one | Reprofiles segments following the ordered Pass constraints; the Train synchronizes OEE and Pattern. All profile stages shall be in Automatic.
Maintenance | Planned | Oper. | Reprofiles segments without any ordered Pass constraint. It allows maintenance, repair, overhaul, adjustment or bypass. It refers to Planned activities.
Manual | Latent | Sup. | Controls every system if protective guarding neutralizes the known dangers (i.e. commissioning or setting). No Execute, compared to Maintenance.

Sub-modes associated with the Work modes

Sub-mode | Access | Description
Pattern | Oper. | Switching from one Pattern to another.
Clean | Oper. | Cleaning the systems versus standard procedures.
Slow-Speed | Any one | Reduces the system speed to adjust the Pass rate.
Single-Cycle | Any one | Executes the systems segment by segment, with the Start button pushed each time by the operator.
Limp-Home | Sup. | Allows the systems to bypass selected devices (*).
CoMot Jog | Sup. | Cooperative Motion, speed versus distance (*):
  • Nobody inside: nominal or slow motion speed.
  • Somebody inside: safe speed with deadman.
  • Unguarded or no deadman switch: safe stop.
Setup | Sup. | Operates mechanical adjustments, trials and testing; this mode scraps every reprofiled PK (*).
Dry-Work | Sup. | Lets the systems work without profile devices (*).
Hibernate | Any one | Switches off all unsafe-actuator energies after a pre-defined delay without profiling or moving.
FailSafe | Sup. | Switches the controls to be as tolerant as possible to likely failures, using the devices' embedded logics (*).

• The Work Modes are mutually exclusive (Production, Maintenance, Manual).
• The others are not mutually exclusive, but each is tied to one Work Mode at a time.
(*) means "this mode can be set from the Maintenance or Manual modes only".

[Figure: class model. T_Train (TrainAdm, TrainCmd, TrainSts, with Admin Cfg, Cmd, Sts, Params and Reports) aggregates 1..* _Wu_ WagonUnit; a WagonUnit aggregates 1..* _Wu_Eq_ Equip. and the Mgr_OEE, Mgr_Logic, Mgr_Alms, Mgr_Stage and Mgr_Segment managers; an Equip. aggregates 0..* Wu_Eq_Mdl modules, specialized as Mdl_Actuator or Mdl_Instrument.]
States

These apply fully to Trains or Wagon-Units and partially to Equipment or Modules. The descriptions are compliant with IEC-60204-1:2016.

System State | Stop Cat. | Description

Safe Guarding
Produce (Exec.) | | Produce PKs versus the downloaded Pattern. Leave it as soon as an Alarm other than Alert occurs.
Wait (Hold) | Cat. #2 | Halt due to a control-system cause request. Back to Execute when the control-system cause disappears.
Stopped | Cat. #2 | Controlled stop of a system. Press the Start button again to produce, or go to E-Stopping with the Stop button.
Stopping | | Go to a controlled stop, then go to Stopped.
Startup(ing) | | On the Start button, synchronize OEE and Pattern with the ordered Pass while setting the system ready to produce.

Safe Access In
Reset(ting) | | Activate the Safe Guards and release energies without hazardous motion. With the Start button and a visual-acoustic warning, the system goes to Startup.
E-Stopped | Cat. #0 | Disable the Safe Guards when energies are contained. With the Reset button, go to Reset if the safe guards are active.
E-Stopping | Cat. #1 | Go to an immediate stop; when the system ends, contain the energies of the unsafe actuators and go to E-Stop.

• One Stop button push stops the system; from the Stopped state, a second push contains the unsafe-actuator energies before disabling the Active Safe Guards.
• A Reset button push clears the Alarms and enables the Active Safe Guards without initiating hazardous motion; a safe-guarding feedback enables the Start button.
• One Start button push starts up the system; from the Stopped state, a second push or a "keep pressed" begins the system work.

Instances

It frames data in the PLC versus devices (Train, Wagon-Unit, Equipment and Module). Levels gives the number of device levels (T, Σu, Eq, M) at which the attribute exists.

Direction | Attribute | Type | Description | Levels
InOut | Adm_..., Ref_... | | To share data with any level. | 4
 | Logic | Typ_Logic | Manage the Segment/Stage logic. | 3
 | Segmt | Typ_Segmt[n] | Manage the segmented PK data. | 1
 | Stage | Typ_Stage[n] | Manage the Equipment Stage data. | 1
 | KPIs | Typ_KPI | Share KPIs with the Train Instance. | 2
 | Cfg_... | BOOL/DINT[n] | To share data with lower levels. | 4
Input | Cmd_... | BOOL/DINT[n] | For signals coming into the device. | 4
 | Train | Typ_Train | Set data from the Train Instance. | 2
 | Inp_... | DINT[n]/BOOL[n] | For signals coming from physics. | 1
 | Par_... | DINT[n] | For data coming into the device. | 4
Output | Rep_... | DINT[n] | For data going out of the device. | 4
 | Out_... | BOOL/DINT[n] | For signals going out to physics. | 1
 | Sts_... | BOOL/DINT[n] | For signals going out of the device. | 4
 | Train | Typ_Train | Get data for the Train Instance. | 2
 | Alms | Typ_Alm[n] | Get the device's pending alarm(s). | 3
 | OEE | Typ_OEE[n] | Get the device's effectiveness data. | 4

[Figure: state diagram with the Safe Access states (E-Stopping, E-Stopped, Reset) and the Safe Guarding states (Startup, Execute, Wait, Stopping, Stopped), including the Start "keep pressed" transition into Execute.]
4.3.1 Alarms

The control systems shall provide alarm detection with the relevant protective measures to prevent risk. The alarm rationalization shall share the What (Priority#), the Where (P&IDn), the Why (Stoppage cause) and the When (time stamp); this information allows faster troubleshooting, hence higher system availability, and is the key to an efficient Root Cause Analysis. Alarms shall be compatible with IEC-62682-1:2014.

Priority# of Alarm | Effect on System State | Stop Category (IEC-60204-1:2016)
#1 - Crash | E-Stop | 0/1
#2 - Fail | Stop | 2
#3 - Wait-Hold | Wait | 2
#4 - Alert-Warn | No issue | N/A

A Crash can be raised from any current state (E-Stop, Startup, Stop, Wait, Exec.) and requires a user action, a user acknowledgement and Safe Access In; a Fail requires a user action and a user acknowledgement.

• Any alarm that is not a Warn or an Alert causes a system state change (#1 to #5).
• Crash initiates an emergency stop that ends with the Safe Guards inactive.
• Down and Fail initiate a normal stop, but Fail does not require recovery logic.
• Hold and Pause initiate a normal stop and self-restart when the Ĉause ends.
• Warn and Alert display information without changing the system state.

The Alarms Banner displays rationalized messages at wagon-unit and equipment levels, for example:

  a3_3_02_002_B0:0, Load Grab Sensor Fail   Dec. 24 • 08:11:47

  a3: priority of the alarm, such as Crash, Down, Fail, Hold, Pause, Warn or Alert.
  3_02_002: P&IDn to localize the issue, as _Wagon-Unit#_Equipment#_Module#.
  B0:0: ĈodeĈause versus IEC-81346-2:2018; see Stoppages for details.
  Load Grab Sensor Fail: multilingual description.
  Dec. 24 • 08:11:47: multiformat time stamp.

4.3.2 LogicRAMS

It frames robust logic data for the upper devices (N/A for modules); one device owns only one instance. It manages the states and attributes of a sequential logic.

Attribute | Type | Description
_.Par_Tmr | DINT | To set the logic timeout parameter.
_.Cfg_On | BOOL | To share the active configuration.
_.Cfg_Safe | BOOL | To share the user-safe configuration.
_.Cfg_Failsafe | BOOL | To share the failsafe mode configuration.
_.Cfg_Jog | BOOL | To share the jog logic configuration.
_.Ctl_Jog | BOOL | To set the jog step-over control.
_.Ctl_Seq | DINT | To set the sequence control.
_.Ctl_State | DINT | To set the state control.
_.Sts_State | DINT | To get the state status.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_Seqp | DINT | To get the previous sequence status.
_.Sts_Seq | DINT | To get the current sequence status.
_.Sts_Lag | DINT | To get the slowest sequence status.
_.Rep_dT | DINT | To get the working time report.
_.Sts_StateOns | BOOL | To sign a state change.
_.Sts_SeqOns | BOOL | To sign a sequence change.
_.Sts_Failsafe | BOOL | To sign the failsafe mode status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Estop | BOOL | To sign the e-stop status.
_.Sts_Done | BOOL | To sign the timeout status.
_.Sts_Safe | BOOL | To sign the safe status.
_.Sts_End | BOOL | To sign the end status.
_.Sts_Jog | BOOL | To sign the jog status.
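The States table, the three button rules under it and the alarm effects of 4.3.1 together define one state machine. The following is an added example, not SPENO code, that implements those rules so that the transitions can be checked before they are coded in the PLC: Stop, Reset and Start buttons, alarm priorities (Crash to E-Stop, Down/Fail to Stop, Hold/Pause to Wait, Warn/Alert no change) and the completion of the transient states. Assumptions: Startup completes into Stopped, the safe-guarding feedback and the end of a transient state arrive as explicit events, a Reset clears the alarm list whatever the current state, and Start is refused while a Crash/Down/Fail alarm is still pending.

```python
"""System States driven by the Stop/Reset/Start buttons and alarm priorities.

Added example, not SPENO code. Implements the §States table (Execute, Wait,
Stopping, Stopped, Startup, Reset, E-Stopping, E-Stopped), the button rules
listed under it and the alarm effects of 4.3.1. Assumptions: Startup completes
into Stopped, guard feedback and transient-state completion are explicit
events, Reset clears the alarm list in any state, Start is refused while a
Crash/Down/Fail alarm is pending.
"""
from enum import Enum


class State(Enum):
    EXECUTE = "Execute"        # Produce PKs versus the downloaded Pattern
    WAIT = "Wait"              # Hold, Cat. #2, self-restarts when the cause ends
    STOPPING = "Stopping"      # controlled stop in progress
    STOPPED = "Stopped"        # Cat. #2, Start again to produce
    STARTUP = "Startup"        # synchronize OEE and Pattern, get ready
    RESET = "Reset"            # Safe Guards active, no hazardous motion
    E_STOPPING = "E-Stopping"  # Cat. #1, contain unsafe-actuator energies
    E_STOPPED = "E-Stopped"    # Cat. #0, Safe Guards disabled


# Effect of each alarm priority on the system state (4.3.1)
ALARM_EFFECT = {"Crash": "E-Stop", "Down": "Stop", "Fail": "Stop",
                "Hold": "Wait", "Pause": "Wait", "Warn": None, "Alert": None}
SAFE_GUARDING = (State.EXECUTE, State.WAIT, State.STARTUP, State.STOPPING, State.STOPPED)


class Machine:
    def __init__(self):
        self.state = State.E_STOPPED
        self.alarms = []            # pending alarm priorities, cleared by Reset
        self.guards_ok = False      # safe-guarding feedback that enables Start/Reset
        self.hold_cause = False     # control-system cause that holds production

    def guard_feedback(self, ok):
        self.guards_ok = ok

    def alarm(self, priority):
        """Apply an alarm; an unknown priority raises KeyError rather than being ignored."""
        effect = ALARM_EFFECT[priority]
        self.alarms.append(priority)
        if effect == "E-Stop" and self.state in SAFE_GUARDING + (State.RESET,):
            self.state = State.E_STOPPING
        elif effect == "Stop" and self.state in (State.EXECUTE, State.WAIT, State.STARTUP):
            self.state = State.STOPPING
        elif effect == "Wait":
            self.hold_cause = True
            if self.state is State.EXECUTE:
                self.state = State.WAIT
        return self.state

    def cause_ended(self):
        """Hold/Pause cause disappears: back to Execute without operator action."""
        self.hold_cause = False
        self.alarms = [a for a in self.alarms if ALARM_EFFECT[a] != "Wait"]
        if self.state is State.WAIT:
            self.state = State.EXECUTE
        return self.state

    def blocked(self):
        """Start is refused while a Crash/Down/Fail alarm is still pending."""
        return any(ALARM_EFFECT[a] in ("E-Stop", "Stop") for a in self.alarms)

    def button(self, name):
        s = self.state
        if name == "Stop":
            if s in (State.EXECUTE, State.WAIT, State.STARTUP):
                self.state = State.STOPPING
            elif s is State.STOPPED:             # 2nd push: contain the energies
                self.state = State.E_STOPPING
        elif name == "Reset":
            self.alarms.clear()                  # clears the Alarms
            if s is State.E_STOPPED and self.guards_ok:
                self.state = State.RESET         # enables the Active Safe Guards
        elif name == "Start":
            if s is State.RESET and self.guards_ok and not self.blocked():
                self.state = State.STARTUP
            elif s is State.STOPPED and not self.blocked():
                self.state = State.EXECUTE       # 2nd push (or keep pressed) begins work
        else:
            raise ValueError(f"unknown button {name!r}")
        return self.state

    def done(self):
        """A transient state has completed (Stopping, E-Stopping, Startup)."""
        if self.state is State.STOPPING:
            self.state = State.STOPPED
        elif self.state is State.E_STOPPING:
            self.state = State.E_STOPPED
        elif self.state is State.STARTUP:
            self.state = State.STOPPED
        return self.state
```

Two properties worth keeping when this is ported to the PLC: nothing but the Reset button leaves E-Stopped, and it does so only with the safe-guarding feedback present; and a Warn or Alert never moves the state, so a flood of low-priority alarms cannot stop production by itself.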
4.3.3 Segment

It samples each PK's trackside as sized portions; the segment may be sized as the Greatest Common Divisor of the lengths of all profile stages. The segment shift time depends on the train speed:

  §shifttime [ms] = 3.6 × §mm / v [km/h]

For example, a 200 mm segment at 36 km/h shifts every 20 ms, which is the ODS period given in the Modbus Map.

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.Mgr_Stage | Typ_Stage | To refer to the stage that reprofiles this segment.
_.Par_Length | DINT [mm] | To set the GCD of length between all stages (§mm).
_.Par_PKA | DINT | To set the PK identified from cabin A.
_.Par_PKB | DINT | To set the PK identified from cabin B.
_.Par_Nbr | DINT | To set the number of segments from cab A to B (§nbr).
_.Sts_PassID | DINT | To get the current pass identifier status.
_.Sts_SideID | DINT | To get the current trackside identifier status.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Enable | BOOL | To sign the active segment status (obstacle).
_.Sts_Fail | BOOL | To sign the failed segment status.
_.Rep_GapA | DINT [mm] | To get the distance from cabin A = (§nbr-§#) × §mm.
_.Rep_GapB | DINT [mm] | To get the distance from cabin B = (§nbr-§#) × §mm.

4.3.4 Stage

A station carries out a finite number of specific actions on related modules to perform finite tasks; the stage interface frames the data linked to one station.

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.Mgr_Logic | Typ_Logic | To refer to the logic instance.
_.Par_Angle | DINT [deg°] | To set the profile angle.
_.Par_Current | DINT [Amp] | To set the profile current.
_.Par_Pressure | DINT [PPa] | To set the profile pressure.
_.Par_Length | DINT [mm] | To set the profile stage length.
_.Par_GapA | DINT [mm] | To set the distance between the stage and cabin A.
_.Par_GapB | DINT [mm] | To set the distance between the stage and cabin B.
_.Cfg_DirA | BOOL | To share the vehicle direction from cabin A.
_.Cfg_DirB | BOOL | To share the vehicle direction from cabin B.
_.Cfg_ZerOEE | BOOL | To share the OEE data initialization configuration.
_.Cfg_PatternID | DINT | To share the current pattern identifier configuration.
_.Cfg_StageID | DINT | To share the current stage identifier configuration.
_.Sts_FailID | DINT | To get the last failure identifier status.
_.Sts_State | DINT | To get the logic state status.
_.Sts_NoAlm | BOOL | To sign the no-alarm status.
_.Sts_Enable | BOOL | To sign the active stage status.
_.Sts_Fail | BOOL | To sign the failed stage status.
_.Rep_OEE… | DINT[n] | See OEE data for details.

4.3.5 OEE

It frames KPI data by device; a device may own more than one OEE instance. Levels gives the number of device levels (T, Σu, Eq, M) at which the attribute exists.

Attribute | Type [Unit] | Description | Levels
[#]._ | DINT | Multiple positions to expose multiple instances. |
_.Rep_TotalTime | DINT [sec-ms] | Total time. | 4
_.Rep_ProdTime | DINT [sec-ms] | Producing time. | 2
_.Rep_TotalPKs | DINT [PK] | Total PKs counter. | 2
_.Rep_ProdPKs | DINT [PK] | Produced PKs counter. | 3
_.Rep_FailPKs | DINT [PK] | Failed PKs counter. | 3
_.Rep_ProdActs | DINT [action] | Produced actions counter. | 1
_.Rep_FailActs | DINT [action] | Failed actions counter. | 1
_.Rep_MTTF | DINT [sec-ms] | Mean Time To Fail. | 4
_.Rep_MTtR | DINT [sec-ms] | Mean Time To Repair. | 4
_.Rep_Availability | DINT [% x 100] | Ratio of ProdTime to TotalTime. | 2
_.Rep_Performance | DINT [% x 100] | Ratio of TotalPKs/Acts to ProdTime × Spd. | 4
_.Rep_Quality | DINT [% x 100] | Ratio of ProdPKs/Acts to TotalPKs/Acts. | 4
_.Rep_OEE | DINT [% x 100] | Ratio of ProdPKs/Acts to TotalTime × Spd. | 4
_.Rep_dT | DINT [ms] | Last cycle time (i.e. speed). | 3
Semantics

Based on the MSDN General Naming Conventions.
• CHOOSE easily readable identifier names and favour readability over brevity.
• USE an English noun or noun phrase to name devices and/or attributes.
• USE PascalCase notation, NOT Hungarian. AVOID conflicts with coding keywords.

4.4.1 Domain Visibility

The domain defines tag visibility as Public-Global or Private-Local.

Public Tag (global visibility) | Private Tag (local visibility)
_Tag = "_Wu_Eq" + "Private_Tag" | _Tag = "_Mdl_" + "Prefix_Attribute"
Ex: "_1_02_003_Grind_Sts_End" | Ex: "_003_Grind_Sts_End"

"_Wu" is the wagon-unit ID, "_Eq" the equipment ID and "_Mdl" the module ID.

4.4.2 Prefix and Attributes

Prefix_ | _Attribute | Name | Description | Dir.
 | _Ack | Acknowledge | To sign single alarm acknowledgements. |
Adm_ | _Adm | Administrate | To share data anywhere with all devices. | InOut
 | _Alm | Alarm | To sign an alarm (crash, fail, wait or alert). |
 | _Ana | Analog | To sign an analog device logic. |
 | _Cam | Camshaft | To sign a camshaft/modulo device logic. |
Cfg_ | _Cfg | Configuration | To share setup data below the cell level. | InOut
Cmd_ | _Cmd | Command | For data coming into the logic from the upper level. | Input
 | _Cons | Consecutive | To sign consecutive process failures. |
 | _Ctl | Control | To sign PLC firmware-specific data. |
 | _Ctr | Counter | To increment numerical data. |
 | _Dgt | Digital | To sign a digital device logic. |
 | _Dgx | Digital eXt | To sign an extended digital device logic. |
 | _Fail | Failure | To sign a failed product (against good product). |
 | _Failsafe | Failsafe | As failsafe mode (recovery or emulation). |
 | _...ID | Identifier | To sign multiple identifiers. |
Inp_ | _Inp | Input | To sign a physical input from a control device. | Input
 | _IPCs | Sample | As Inner Process Control sampling. |
 | _Jog | Co-Motion | To sign cooperative motion or step-by-step. |
 | _Lgc | Logic | To manage the logic of a procedural device. |
 | _Log | Login "User" | To sign a User Login linked to credentials. |
Mdl_ | | Module | To specify the physical aggregate to control. |
Mgr_ | | Manager | To specify a wagon-unit or equipment. |
 | _Mode | Mode | To sign the chosen mode of the logic. |
 | _OEE | O.E.E. | Used for overall equipment effectiveness. |
Out_ | _Out | Output | To sign a physical output to a control device. | Output
Par_ | _Par | Parameter | For numerical data coming into the logic. | Input
 | _Pls | Pulse | To sign a pulse (flip-flop) device logic. |
 | _PK | PK Data | To trace a kilometric point on the rail track. |
 | _Prb | Probe | To sign a probe/gauge device logic. |
Ref_ | _Ref | Reference | For data structures going through logics. | InOut
Rep_ | _Rep | Report | For numerical data going out of the logic. | Output
 | _Rst | Reset | To sign a reset for acknowledged alarms. |
 | _...s | Array of ... | To sign a data array (one or more axes). |
 | _Safe | Safety | To sign process-safe or user-safety data. |
 | _Segmt | Segment Data | To specify the segmented PK in front of a stage. |
 | _Seq | Sequencer | To sign a step in a sequenced logic. |
 | _Stage | Equip. Data | To specify the stage(s) of equipment attributes. |
 | _State | State | To sign the chosen state of the logic. |
 | _Str | String | To sign an alphanumeric character chain. |
Sts_ | _Sts | Status | For data going out of the logic to the upper level. | Output
 | _Tmr | Timer | To sign a timer driven by clock or ticks. |
Typ_ / Udt_ | | User Data Type | Custom data structures adding different types, used to pass data to or from the logic. | InOut
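Both the tag names of 4.4.1 and the Alarms Banner message of 4.3.1 (and 6.4.2) are fixed string layouts built from the same wagon-unit, equipment and module IDs; a small formatter and parser is the quickest way to keep every supplier's implementation consistent with them. The following is an added example, not SPENO code. The field widths (1, 2 and 3 digits) and separators come from the page's own examples ("_1_02_003_Grind_Sts_End", "a3_3_02_002_B0:0"); the regular expression, the set of Ĉode letters (B, C, E, F, P, S, X from the Stoppages table), the check of the attribute prefix against 4.4.2 and the StopCause layout "Alarm#-P&IDn-ĈĈ" are my reading of the page, not a SPENO specification.

```python
"""Tag names (4.4.1) and the rationalized Alarms Banner message (4.3.1, 6.4.2).

Added example, not SPENO code. Composes public/private tag names from the
wagon-unit, equipment and module IDs (checking the attribute prefix against
the 4.4.2 list) and formats/parses the alarm message
"Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time".
Field widths and separators come from the page's examples; the regex, the
Code letters and the StopCause layout are assumptions.
"""
import re
from dataclasses import dataclass

# Data-flow prefixes of 4.4.2 that may open an attribute name such as "Sts_End"
PREFIXES = ("Adm", "Cfg", "Cmd", "Inp", "Par", "Rep", "Out", "Sts", "Ref", "Ctl")
CODE_LETTERS = "BCEFPSX"   # IEC-81346 ĈodeĈause families listed under Stoppages


def _check_attribute(attribute):
    prefix = attribute.split("_", 1)[0]
    if prefix not in PREFIXES:
        raise ValueError(f"attribute {attribute!r} does not start with a 4.4.2 prefix")


def private_tag(mdl, device, attribute):
    """"_Mdl_" + "Device_Prefix_Attribute", e.g. _003_Grind_Sts_End (local visibility)."""
    _check_attribute(attribute)
    return f"_{mdl:03d}_{device}_{attribute}"


def public_tag(wu, eq, mdl, device, attribute):
    """"_Wu_Eq" + private tag, e.g. _1_02_003_Grind_Sts_End (global visibility)."""
    return f"_{wu:d}_{eq:02d}" + private_tag(mdl, device, attribute)


ALARM_RE = re.compile(
    r"^(?P<prio>[^_\s,]+)_(?P<wu>\d)_(?P<eq>\d{2})_(?P<mdl>\d{3})_"
    r"(?P<code>[" + CODE_LETTERS + r"]\d+):(?P<cause>\d+),\s*"
    r"(?P<desc>.+?)\s-\s(?P<stamp>.+)$")


@dataclass(frozen=True)
class Alarm:
    priority: str      # priority token, "a3" in the page's example
    wu: int
    eq: int
    mdl: int
    code: str          # ĈodeĈause family and index, e.g. "B0"
    cause: int
    description: str   # multilingual description, kept as displayed
    stamp: str         # multiformat time stamp, kept as displayed

    @property
    def pidn(self):
        """P&IDn = _Wagon-Unit#_Equipment#_Module#, e.g. 3_02_002."""
        return f"{self.wu:d}_{self.eq:02d}_{self.mdl:03d}"


def format_alarm(a):
    """Alarms Banner layout of 6.4.2."""
    return f"{a.priority}_{a.pidn}_{a.code}:{a.cause}, {a.description} - {a.stamp}"


def parse_alarm(text):
    """Inverse of format_alarm; anything that does not fit the layout is rejected."""
    m = ALARM_RE.match(text)
    if not m:
        raise ValueError(f"not a rationalized alarm message: {text!r}")
    return Alarm(m["prio"], int(m["wu"]), int(m["eq"]), int(m["mdl"]),
                 m["code"], int(m["cause"]), m["desc"], m["stamp"])


def stop_cause(a):
    """StopCause "Alarm#-P&IDn-ĈĈ" of 5.3.2, derived from the same alarm."""
    return f"{a.priority}-{a.pidn}-{a.code}:{a.cause}"
```

Rejecting malformed messages matters more than it looks: an alarm log that feeds Root Cause Analysis and the Stoppages KPIs is only as trustworthy as its parser, and a lenient one silently turns a garbled P&IDn into a stoppage charged to the wrong device.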
4.4.3 Tags vs I/O Quantities

The I/O quantity depends on the vehicle (cabins, traction and energies), the chariots and the number of reprofiler motors. The tag quantity depends on the I/O quantity and type (Wu = Wagon-Unit, Eq. = Profile Equipment). All I/O totals include 10% Safety I/O.

Configuration with 12 Equipments per Wagon-Unit (per Vehicle: DI 152, DO 136, AI 24, AO 8; per 12 × Eq.: DI 200, DO 152, AI 72, AO 56):

Wu | Eq. | DI | DO | AI | AO | All I/O | All Tags
1 | 12 | 352 | 288 | 96 | 64 | 800 | 2600
3 | 36 | 752 | 592 | 240 | 176 | 1760 | 5900
6 | 72 | 1352 | 1048 | 456 | 344 | 3200 | 10900

Configuration with 8 Equipments per Wagon-Unit (per Vehicle: DI 152, DO 136, AI 24, AO 8; per 8 × Eq.: DI 152, DO 96, AI 56, AO 40):

Wu | Eq. | DI | DO | AI | AO | All I/O | All Tags
1 | 08 | 304 | 232 | 80 | 48 | 664 | 2200
4 | 32 | 760 | 520 | 248 | 168 | 1696 | 6000
9 | 72 | 1520 | 1000 | 528 | 368 | 3416 | 12400

EN-14033 Features

There are two kinds: those for the profile work and those for the driven vehicle. The tables below list the relevant features with their required Performance Level (PLr) in compliance with EN-14033:2017; see Risk Assessment for details. Indentation follows the type (Unit, Equipment, Module).

4.5.1 Work vs PLr

Feature | Description and type | PLr
_CMeas | Measurement Unit | -
  _TPM | Transversal Profile Measure Equipment | -
  _LPM | Longitudinal Profile Measure Equipment | -
  _Rets | Rotating Eddy Current Test Equipment | -
  _Mrm | Metal Removal Measure Equipment | -
  _TGM | Trackside Gauge Measure Equipment | -
_CabBWork | Cabin B Work Unit | -
  _Network | Network Equipment | PLc
    _Panel | Wagon Switches Module | PLc
  _Work | Work Control Equipment | PLc
    _Panel | Operator Panel Module | PLc
    _ODS | Obstacles Detection System Module | -
    _GPS | General Positioning System Module | -
    _AGS | Automatic Grinding System Module | -
  _Chariot | Measurement Chariot Control Equipment | PLc
    _Spacer-Y | Transversal Alignment Module | PLc
    _Unlock | Chariot Release Module | PLc
    _Down | Chariot at Work Module | PLc
_CReprofiler | Reprofiler Chariot Unit | -
  _Mxx | Reprofiler Motor xx Control Equipment | PLc
    _Spacer-Y | Transversal Alignment Module | PLc
    _Servo-A | Longitudinal Angle Module | PLb
    _Servo-Z | Motor Up/Down Module | PLb
    _Spndl-C | Motor Rotate Module | PLc
    _Chuck | Profile Device Chuck/Clutch Module | PLc
  _Chariot | Reprofiler Chariot Control Equipment | PLb
    _LevelCross | Level Crossing Up/Down Module | PLc
    _Spacer-Y | Transversal Alignment Module | PLc
    _Curve-Y | Transversal Trackside Select Module | PLc
    _Curve-C | Left-Turn or Right-Turn Module | PLc
    _Unlock | Chariot Release Module | PLc
    _Down | Up/Down Position Module | PLc
_CLeaner | Dust Cleaner Unit | PLc
    _WaterTank | Water Tank Level Module | PLc
    _LevelCross | Level Crossing Up/Down Module | PLb
    _Firewall | Cleaner Fire Protection Module | PLc
    _Purge | Purge Position Module | PLc
    _Down | Up/Down Module | PLc
_CabAWork | Cabin A Work Unit | -
  _Work | Work Control Equipment | PLc
    _Panel | Operator Panel Module | PLc
4.5.2 Vehicle vs PLr

Feature | Description and type | PLr
_CabBVehicle | Cabin B Vehicle Unit | -
  _Network | Network Equipment | PLc
    _Panel | Switches of the Wagon Module | PLc
  _Vehicle | Vehicle Information Equipment | PLd
    _Panel | Operator Panel Module | PLd
    _Warn | Warning Panel Module | PLc
    _UTO | Unattended Train Module | PLd
_Traction | Traction Information Unit | -
  _Mode | Modes Selector Equipment | PLc
    _Run | Train moves without profile Module | PLc
    _Travel | Train is hauled by locomotive Module | PLc
    _Manual | In depot for repair Module | PLc
    _Maintenance | In depot for maintenance Module | PLc
    _Production | Train moves with profile Module | PLc
  _Vehicle | Vehicle Information Equipment | PLc
    _Safe-Park | Parking Lock Module | PLc
    _Reverse | Move Backward Module | PLc
    _Neutral | Move Free Module | PLc
    _Drive | Move Forward Module | PLc
    _Km/h | Speed Value Module | PLb
    _Max | Speed Maximum Module | PLb
    _% | Speed Potentiometer Module | PLb
  _Brake | Brakes Information Equipment | PLd
    _Emergency | Brakes in emergency mode Module | PLd
    _Manual | Brakes in manual mode Module | PLd
    _Normal | Brakes in normal mode Module | PLd
_Energies | Energies Information Unit | -
  _Safety | Versus Safety Equipment | PLd
    _Emergency | E-Stop Information Module | PLd
    _Power-Cut | Power Cut Information Module | PLd
    _Fire-Warn | Fire Detection Information Module | PLd
  _Engine | Engine Information Equipment | PLb
    _Gauge | Tank FuelOil level | -
    _Tons | Engine FuelOil Consumption | -
    _rpm | Engine Rotation per minute Module | PLb
    _T° | Engine Temperature Module | PLb
  _Electrical | Electrical Information Equipment | PLb
    _kWh | Electrical Consumption | -
    _Hz | Generated Frequency Module | PLb
    _V | Generated Voltage Module | PLb
    _A | Consumed Current Module | PLb
  _Batteries | Batteries Information Equipment | -
    _kWh | Batteries Consumption | PLb
    _% | Load Percentage Module | PLb
    _V | Available Voltage Module | PLb
    _A | Consumed Current Module | PLb
  _Hydraulic | Hydraulic Information Equipment | PLb
    _Liters | Oil Consumption | -
    _bar | Oil Pressure Module | PLb
    _T° | Oil Temperature Module | PLb
  _AirPressure | Air Pressure Information Equipment | PLb
    _m3 | Air Pressure Consumption | -
    _bar | Air Pressure Module | PLb
    _T° | Air Temperature Module | PLb
  _HVAC-Light | Air Conditioner & Lighting Equipment | PLb
    _kWh | Utilities Consumption | -
    _V | Utilities Voltage Module | PLb
    _A | Utilities Current Module | PLb
    _T° | Utilities Temperature Module | PLb
_CabAVehicle | Cabin A Vehicle Unit | PLd
  _Coupling | Network Equipment | PLd
    _Panel | Switches of the Wagon Module | PLd
  _Vehicle | Vehicle Information Equipment | PLd
    _Panel | Operator Panel Module | PLd
    _Warn | Warning Panel Module | PLc
    _UTO | Unattended Train Module | PLd
  _State | States Selector Equipment | PLd
    _Exec. | Train is working/moving | PLb
    _Stop | Train is stopped and ready | PLb
    _StUp | Train is starting to be ready | PLb
    _Reset | Train resets the safety-related parts | PLc
    _E-Stop | Train energies are cut off or contained | PLd
5 TRAIN INTERFACE

TCMS Ability

A TCN shall link several kinds of Wagon-Units in a safe and flexible way. It shall split the asynchronous and synchronous data buses to avoid IT/OT conflicts. It may split the work and vehicle roles between two PLC-Masters: the Work PLC-Master aggregates and controls every Wagon-Unit that measures and reprofiles Passes versus Patterns; the Vehicle PLC-Master manages both Traction and Energies.

5.1.1 Work Systems

Consider the following list as a baseline for configuration and price quoting:

Device | Qty | Channels
SCADA-Web-Server | 2 |
HMI 23'' Touch-Screen | 2 |
PLC Work Master with Memory | 1 |
PLC Work Slave with Memory | 3 |
Asynchronous Ethernet Switch x8 | 2 | x8
Synchronous Ethernet Switch x8 | 4 | x8
xG Wireless IP Ethernet Router | 1 |
Remote I/O Board Ethernet Coupler | 16 | x1
I/O Board - Digital Inputs x8 | 84 | x8
I/O Board - Digital Outputs x8 | 70 | x8
I/O Board - 4-20 mA Inputs x4, 12 bits | 60 | x4
I/O Board - 4-20 mA Outputs x4, 12 bits | 44 | x4
I/O Board - Safe Digital Inputs x4 | 20 | x4
I/O Board - Safe Digital Outputs x2 | 16 | x2

5.1.2 UTO Ready

Unattended Train Operation is essential for the next unattended railreprofilers claimed by EN-62290:2014. UTO drives remote-controlled sensors acting as the driver's eyes and ears; it requires high-end Active Safe Guards such as U-Sonic scanners, 3D cameras, GPS, INS, LiDAR and MWR, able to detect static and moving objects up to 800 m, day or night, regardless of weather conditions.

Train Types

The Train data manage the Patterns to produce Passes. They provide Condition-based Monitoring (CBM) for Maintenance, Repair & Overhaul (MRO); such data may establish trends, predict failures and calculate the remaining life.

Attribute | Type | Description
Typ_Train (cmd-sts) | | For commands mirrored by the status feedback of the system.
Pattern | Typ_Pattern[n] | Mirror the setpoints related to a Pattern.
Pass | Typ_Pass[n] | Mirror the Pass attributes.
PKs | Typ_PK[n] | Mirror the kilometric points.
ODS | Typ_ODS | Mirror the Obstacles Detection System.
GPS | Typ_GPS | Mirror the General Positioning System.
AGS | Typ_AGS | Mirror the Automatic Grinding System.
Traction | Typ_Traction | Mirror data between Traction & Work.
Energies | Typ_Energies | Mirror data between Energies & Work.
ModeTrain | DINT | See §System Model, Modes.
StateTrain | DINT | See §System Model, States.
Typ_KPIs | | For key performance indicators by system events.
Efficiency | Typ_OEE[n] | Share OEEs versus train Modes and States.
Stoppage | Typ_STP | Share stoppage causes versus Alarms.
TrainID | STRING | Share the Train identifier.
UserID | STRING | Share the User identifier.

5.2.1 Pattern Type

It frames the setpoint data linked to a Pass for each profile equipment.

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.ID | TBD | Parameter identifier versus the device P&IDn.
_.Angle | DINT [°deg] | Parameter for the profile angle.
_.Current | DINT [Amp] | Parameter for the profile current.
_.Pressure | DINT [PPa] | Parameter for the profile pressure.
_.RPM | DINT [t/min] | Parameter for the profile rotation per minute.

[Figure: Work Master and Vehicle Master PLCs on the L1 WORK and L1 VEHICLE networks, with the Cab A / Cab B, CMeas, CReprofiler, CLeaner, Traction and Energies units and the L0 WORK bus.]
5.2.2 Pass Type

It frames the data used to synchronize the wagon-units pass by pass.

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.PassID | STRING | Work Pass identifier.
_.TrackID | STRING | Work Track identifier.
_.OrderID | STRING | Work Order identifier.
_.PatternID | STRING | Work Pattern identifier.

5.2.3 PK Type

It frames traceable data by contextualizing each kilometric point record.

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.PK | STRING | Relative kilometric point.
_.PKABS | STRING | Absolute kilometric point.
_.FailID | STRING | Failure identifier.
_.PassID | STRING | Work Pass identifier.
_.RefGPS | Typ_GPS | Geographical position.
_.TimeStamp | DINT | Date & time of the kilometric point occurrence.

5.2.4 ODS Type

It frames the obstacle detection interface for volume dimension and position.

Attribute | Type | Description
State | DINT | Feature current state.
XOn | DINT | X axis, first coordinate versus kilometric point.
XOff | DINT | X axis, second coordinate versus kilometric point.
YRight | DINT | Y axis, right coordinate versus lateral.
YLeft | DINT | Y axis, left coordinate versus lateral.
ZUp | DINT | Z axis, upper height.
ZDn | DINT | Z axis, lower height.

5.2.5 GPS Type

It frames the Global Positioning System interface.

Attribute | Type | Description
State | DINT | Feature current state.
Longitude | STRING | Longitudinal position.
Latitude | STRING | Latitudinal position.
Altitude | DINT [m] | Sea level elevation.
Speed | DINT [km/h] | Machinery speed.
Cape | DINT [°deg] | Heading direction.

5.2.6 AGS Type

It frames the Automatic Grinding System interface.

Attribute | Type | Description
State | DINT | Feature current state.
PassID | STRING | Work Pass identifier.
OrderID | STRING | Work Order identifier.
PatternID | STRING | Work Pattern identifier.
SectionID | STRING | Work Section/Sub-section identifier.

5.2.7 Traction Type

It frames the data of the Traction interface through the TCMS; see Vehicle Features.

Attribute | Type | Description
ModeTrain | DINT | See §System Model, Modes.
StateTrain | DINT | See §System Model, States.
Vehicle._ | DINT[n] | To control and monitor the vehicle functions.
Brake._ | DINT[n] | To control and monitor the brake systems.
UTO._ | DINT[n] | To remote-control the unattended train.

5.2.8 Energies Type

It frames the data of the Energies interface through the TCMS; see Vehicle Features.

Attribute | Type | Description
Safety._ | DINT[n] | To control and monitor the Energies cut.
Engine._ | DINT[n] | To control and monitor the diesel engine.
Electrical._ | DINT[n] | To control and monitor the electrical supply.
Batteries._ | DINT[n] | To control and monitor the battery supply.
Hydraulic._ | DINT[n] | To control and monitor the hydraulic supply.
AirPressure._ | DINT[n] | To control and monitor the air pressure supply.
HVAC-Light._ | DINT[n] | To control and monitor the HVAC & lighting utilities.
KPI Types

The Overall Equipment Effectiveness monitors KPIs versus rationalized Stoppages.

5.3.1 OEE Type

It frames the OEE data at train level, when the train is not in transfer mode.

Attribute | Type [Unit] | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.ModeTrain | DINT | See §System Model, Modes.
_.StateTrain | DINT | See §System Model, States.
_.TotalTime | DINT [sec] | Total time.
_.ProdTime | DINT [sec] | Producing time.
_.TotalPKs | DINT [part] | Total PKs counter.
_.ProdPKs | DINT [part] | Produced PKs counter.
_.FailPKs | DINT [part] | Failed PKs counter.
_.MTTF | DINT [sec-ms] | Mean Time To Fail.
_.MTtR | DINT [sec-ms] | Mean Time To Repair.
_.Availability | DINT [% x 100] | Ratio of ProdTime to TotalTime.
_.Performance | DINT [% x 100] | Ratio of TotalPKs to ProdTime × Speed.
_.Quality | DINT [% x 100] | Ratio of ProdPKs to TotalPKs.
_.OEE | DINT [% x 100] | Ratio of ProdPKs to TotalTime × Speed.
_.Speed | DINT [ppm] | System speed (i.e. last cycle time).

5.3.2 Stoppages

The table below shows how a stoppage relates to Modes, Alarm#, P&IDn and ĈodeĈause. The stoppage links to the IEC ĈodeĈause of the device that causes the failure while the system is producing (Unplanned), or to the stoppage selected on the HMI screen while the system is in Maintenance (Planned) or in Manual (Latent).

IEC-81346 ĈodeĈause families: B = Bool Sensor, C = Level, E = Energies, F = Safety, P = Probe, S = Signal, X = Network.

Alarm# (versus IEC-62682) | Index (versus DeviceID) | Effectiveness (versus Modes) | Period
Crash "1" | P&IDn | Major Stop | Unplanned
Fail "2" | P&IDn | Minor Stop | Unplanned
Wait-Hold "3" | P&IDn | Speed Loss | Unplanned
Alert-Warn "4" | P&IDn | | Unplanned
"5", set from the HMI screen | Setup - Warm-Up - Labor Stoppage; Maintenance - Repair - Overhaul | Planned Stop | Planned
"6" (x) | No Demand - Spare Shortage; Transfer - Labor Shortage | Latent Period | Latent

Attribute | Type | Description
[#]._ | DINT | Multiple positions to expose multiple instances.
_.StopTotal | DINT | Report the change-of-stoppage increment.
_.StopCause | DINT/STRING | "Alarm#-P&IDn-ĈĈ", see Stoppages.

[Figure: time allocation. The Latent Period (Manual) and the Planned Stop (Maintenance) lie outside the OEE; inside it, Availability Loss (E-Stop + Reset + Startup + Stop), Performance Loss (transient states + Hold), Quality Loss (Failed PKs) and Good Production (Produced PKs at full speed) split Efficiency from Effectiveness.]
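The four OEE ratios of 4.3.5 and 5.3.1 are stored as DINT [% x 100], and the loss figure above says which states count against which ratio. The following is an added example, not SPENO code, that computes the 5.3.1 report attributes from a constructed state log and PK counters and checks that the page's four ratios are mutually consistent (OEE = Availability × Performance × Quality, exactly, before rounding). Assumptions: Speed is in PKs per minute ([ppm]) and durations in seconds; E-Stop, Reset, Startup and Stop are availability loss while Execute, Wait and the transient states count as ProdTime, following the figure; the log is constructed, not measured.

```python
"""OEE in the DINT [% x 100] form of 4.3.5 and 5.3.1, from a state/PK log.

Added example, not SPENO code. Applies the page's ratios
  Availability = ProdTime / TotalTime
  Performance  = TotalPKs / (ProdTime x Speed)
  Quality      = ProdPKs / TotalPKs
  OEE          = ProdPKs / (TotalTime x Speed)
and checks that OEE equals Availability x Performance x Quality exactly.
Assumptions: Speed in PKs per minute ([ppm]), durations in seconds; E-Stop,
Reset, Startup, Stop are availability loss; Execute, Wait and the transient
states count as ProdTime. LOG is constructed, not measured.
"""
from fractions import Fraction

AVAILABILITY_LOSS = {"E-Stop", "Reset", "Startup", "Stop"}
PRODUCING = {"Execute", "Wait", "Stopping", "E-Stopping"}  # Wait/transients: performance loss

# Constructed state log: (system state, duration in seconds)
LOG = [("Startup", 60), ("Execute", 1500), ("Wait", 120), ("Execute", 1200),
       ("Stop", 60), ("E-Stop", 300), ("Reset", 60)]


def pct100(ratio):
    """Exact ratio -> DINT [% x 100]; 0.8545... -> 8545."""
    return round(ratio * 10000)


def oee(log, total_pks, prod_pks, speed_ppm):
    """Return the OEE report attributes of 5.3.1 as a dict of DINT values."""
    unknown = {s for s, _ in log} - AVAILABILITY_LOSS - PRODUCING
    if unknown:
        raise ValueError(f"unknown states {sorted(unknown)}")
    total_time = sum(d for _, d in log)
    prod_time = sum(d for s, d in log if s in PRODUCING)
    if total_time == 0 or prod_time == 0 or total_pks == 0 or speed_ppm <= 0:
        raise ValueError("nothing produced: ratios undefined")
    if not 0 <= prod_pks <= total_pks:
        raise ValueError("ProdPKs must lie within 0..TotalPKs")
    rate = Fraction(speed_ppm, 60)                 # PKs per second at full speed
    availability = Fraction(prod_time, total_time)
    performance = Fraction(total_pks) / (prod_time * rate)
    quality = Fraction(prod_pks, total_pks)
    overall = Fraction(prod_pks) / (total_time * rate)
    # The page's four ratios are consistent: OEE is the product of the other three
    assert overall == availability * performance * quality
    return {
        "TotalTime": total_time, "ProdTime": prod_time,
        "TotalPKs": total_pks, "ProdPKs": prod_pks, "FailPKs": total_pks - prod_pks,
        "Availability": pct100(availability), "Performance": pct100(performance),
        "Quality": pct100(quality), "OEE": pct100(overall),
    }
```

Exact fractions are used on purpose: rounding each ratio to % x 100 and then multiplying them would not reproduce the OEE attribute the PLC reports, whereas computing all four from the raw counters does.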
  • 21. SPENO INTERNATIONAL SA E&A Guidelines for Railreprofiler Control Systems USER INTERFACE Page 20 / 27 SPENO INTERNATIONAL SA CH-1217 Meyrin. All rights reserved, do not share without written approval. ST-AUT_Guidelines_VI3e.docx 6 USER INTERFACE Intuitiveness The interface between users and control systems shall be designed and realized such that no person is endangered during all intended use and reasonable foreseeable misuse of the machine. The interface ergonomic shall be easy to use so the user is not tempted to act in hazardous manners, i.e. ISO-13849-1:2015 : • Display any information with no more than three clicks through flat design. • Toggle from the screen header of the visual application between : • Local spoken language and English (dates, units and text). • Nighttime and Daytime colors themes. • Portrait and Landscape orientations. HMIs Basics ShallcomplywithIEC-60204-1andEN-16186-3;see§AppendixColorsandSymbols. Active Safe Guards States Stack-Lights Push-Buttons If hazard may cause irreversible injuries. Disable SRP/CS E-Stop Flashing Red Enable SRP/CS Safe-Reset Steady Continuously check all Safety Related Parts of Control System to ensure user's Safe Guarding Startup Flashing Yellow Stop Steady Wait Flashing Blue Exec. Flashing Steady Green Horn in Startup if unable to see all. Buzzer Flash in Reset or Stop, Steady in Execute. Start Light Flash in E-Stop or if an Alarm is pending. Reset Light Flash in Execute or Stop, Steady in E-Stop. Stop Light Those require physical buttons if any hazard may cause irreversible injuries. • Flashing push-buttons induces user action to start, reset or stop the system. • Additional reset button for a specific function shall not be blue. • Additional start button for a sub-system shall be white. • Additional stop button for a sub-system shall be black. User Access The IS/IT Policies require regular passwords changes. A centrally managed User Access as Active Directory reduces time for password changes. 
6.3.1 User Login
The IT Network domain manages user names and passwords.
• Auto-logout after a delay of inactivity and switch to Guest-Access #1.
• Electronic Signature and Audit Trails are available and time stamped.
• This function is robust, fast and easy to use, as with company badges or ID cards.

6.3.2 User Roles
(*) some main Wagon-unit may be the TrainManager also. x = no access.
HMIs Controls | Guest Access #1 | Operator Access #2 | Supervisor Access #3 | Admin. Access #4
• Administrate language, date and units rules. | | | |
Administrate System Security versus IS/IT Policies. | x | x | x |
• Access to Stop button and Wagon-units Screens (*). | | | |
Access to Reset and Start buttons. | x | | |
Select Wagon-units modes, states and reports (*). | x | | |
Control Wagon-units parameters and configurations. | x | x | |
• Access to Sub-systems Screens. | x | | |
Select Sub-systems status and reports. | x | | |
Control Sub-systems states, parameters and configurations. | x | x | |
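The User Login and User Roles rules above, as an added example that is not SPENO's code: a touch-panel session model where the rights follow the matrix (Stop and the wagon-unit screens stay open to Guest, administration of system security is Admin only), an inactivity delay reverts the panel to Guest-Access #1, every decision lands in a time-stamped audit trail, and an unknown control is denied (fail closed). The 10-minute delay, user names and control names are assumptions; the domain authentication itself is left to the IT network, as the page states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

GUEST, OPERATOR, SUPERVISOR, ADMIN = 1, 2, 3, 4   # Guest-Access #1 .. Admin. Access #4
ROLE_NAME = {GUEST: "Guest", OPERATOR: "Operator", SUPERVISOR: "Supervisor", ADMIN: "Admin"}

# Lowest role allowed for each HMI control, from the User Roles matrix.
# The Stop button and the wagon-unit screens stay open to everyone, Guest
# included: stopping must never depend on being logged in.
MIN_ROLE = {
    "admin_language_date_units": GUEST,
    "admin_system_security": ADMIN,
    "stop_button": GUEST,
    "wagon_screens": GUEST,
    "reset_start_buttons": OPERATOR,
    "wagon_modes_states_reports": OPERATOR,
    "wagon_parameters_configurations": SUPERVISOR,
    "subsystem_screens": OPERATOR,
    "subsystem_status_reports": OPERATOR,
    "subsystem_states_parameters_configurations": SUPERVISOR,
}


@dataclass
class Session:
    user: str
    role: int
    last_activity: Optional[datetime] = None


@dataclass
class Hmi:
    """One touch panel: current session, auto-logout and time-stamped audit trail."""
    idle_timeout: timedelta = timedelta(minutes=10)   # delay of inactivity (assumed value)
    session: Session = field(default_factory=lambda: Session("guest", GUEST))
    audit: list = field(default_factory=list)

    def _log(self, now: datetime, event: str) -> None:
        # Audit Trail entry: who, as which role, did what, and when
        self.audit.append(
            f"{now.isoformat()} {self.session.user}/{ROLE_NAME[self.session.role]} {event}")

    def login(self, user: str, role: int, now: datetime) -> None:
        """Open a session once the IT network domain has authenticated the user."""
        if role not in ROLE_NAME:
            raise ValueError(f"unknown role {role}")
        self.session = Session(user, role, now)
        self._log(now, "LOGIN")

    def _expire_if_idle(self, now: datetime) -> None:
        """Auto-logout: after idle_timeout the panel reverts to Guest-Access #1."""
        s = self.session
        if s.role != GUEST and s.last_activity is not None \
                and now - s.last_activity > self.idle_timeout:
            self._log(now, "AUTO-LOGOUT")
            self.session = Session("guest", GUEST, now)

    def request(self, control: str, now: datetime) -> bool:
        """Check a control against the matrix; unknown controls are denied."""
        self._expire_if_idle(now)
        required = MIN_ROLE.get(control, ADMIN + 1)     # fail closed
        allowed = self.session.role >= required
        self._log(now, f"{control} {'GRANTED' if allowed else 'DENIED'}")
        self.session.last_activity = now
        return allowed


if __name__ == "__main__":
    t0 = datetime(2021, 3, 31, 7, 49, 11, tzinfo=timezone.utc)
    panel = Hmi()
    panel.login("operator1", OPERATOR, t0)
    panel.request("reset_start_buttons", t0 + timedelta(minutes=1))
    panel.request("stop_button", t0 + timedelta(minutes=20))   # idle: back to Guest
    print("\n".join(panel.audit))
```

The denied request is still written to the audit trail and still counts as activity, so a user who keeps trying a control above their role does not get logged out silently; the trail is what an Electronic Signature would sign.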
HMIs Features
The screen patterns or templates shall provide the following features.

6.4.1 Screen Header
This screen area shall display the following information :
• Profile ID's of current Pass and Pattern as shared in the Train Instance.
• Language for multiformat dates/units and multilingual text information.
• User Login as defined in User Roles with an auto-logout.
• Current Modes for the train and the selected wagon-unit.
• Screen Title based on device P&IDn, role and task :
Level | Screen Title | Task | Train | Wagon-Unit | Equipment | Module
T | R12MS1_Train | Train Task... | R12MS1 | N/A | N/A | N/A
W | R12MS1_1_Reprofiler | Wagon-Unit Task... | ' ' | _1_ | N/A | N/A
E | R12MS1_1_00_Energies | Equipment Task... | ' ' | ' ' | _00_ | N/A
M | R12MS1_1_00_031_Metering | Module Task... | ' ' | ' ' | ' ' | _031_
• Date & Time :
• The IT Network time service synchronizes every HMI.
• A Clock Update Tool synchronizes HMIs and PLCs date and time.

6.4.2 Alarms Banner
This screen area shall toggle between Alarms Pending and Alarms Log. The messages and the date shall be able to switch between local and English; the message shall merge all alarm attributes as described in Alarms : "Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time".

6.4.3 Navigation Bar
An agile navigation shall let the user find any information with no more than three clicks through a flat-designed visual application for the Touch-Panel HMIs.
One Bar to select the focus level :
• To get ID's of Pass and Pattern.
• To set focus on Train.
• To set focus on Wagon-unit.
• To set focus on Equipment.
• To set focus on Module.
• To send a screenshot to anyone anywhere.
• To select Stoppages.
Another Bar to select the contextual task :
• To get Modes versus Device instances.
• To get States versus Device instances.
• To get OEE versus Device instances.
• To get diagnostics versus Device instances.
• To get Patterns versus Device instances.
• To get settings versus Device instances.
• To see pending/logged alarms or alerts on train(s) or wagon-unit(s).
The user interface shall use the MVC design pattern to offer an agile navigation.

[Screenshots: two Reports screens of the Metering module (RR12MS1_1_00_031_Metering, Energy - NRG), one with the car-unit in Execute and one in Run. Header: user Supervisor; alarm banner "a6_3_02_010_C2:1, Load Feed Level Warn Dec. 24 07:49:11"; language English; task bar States / Reports / Status / Parameters / Configurations; focus bar Train / Car-Unit / Equipment / Module with Stoppages, Alarms and Shares; Production ID's Pass and Pattern. Module list with alarm status and load: _000_Rig NoAlm 143%, _001_Servo NoAlm 100%, _002_LubOil NoAlm 128%, _003_Check NoAlm 100%, _031_Energy NoAlm 100%. Metering values: Mode Maintenance, State Run, Speed 60, Electricity [kWh] 44154, ThrustAir [m3] 141, N2Gas [m3] 17, Water [m3], WasteWater [m3], ChilledWater [kWh], HotWater [kWh], FuelOil [Ton] and Steam [Ton] N/A. Legend: Full, Fail, OFF, Slow, Stations, Movers, ON, Alm.]
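The Screen Title table and the Alarms Banner format above, as an added example that is not SPENO's code: a P&IDn value object that composes and parses the T/W/E/M screen titles with the field widths of the table (_1_, _00_, _031_), and a banner formatter that merges the attributes into "Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time" with the local/English date toggle. The day-first local date format, the priority value and the alarm values are constructed; only the R12MS1 titles come from the page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

WIDTHS = (1, 2, 3)   # digits of _1_ wagon, _00_ equipment, _031_ module
MONTHS_EN = ["Jan.", "Feb.", "Mar.", "Apr.", "May", "Jun.",
             "Jul.", "Aug.", "Sep.", "Oct.", "Nov.", "Dec."]


@dataclass(frozen=True)
class PIDn:
    """Device identifier: train, then optional wagon-unit, equipment, module."""
    train: str
    wagon: Optional[int] = None
    equipment: Optional[int] = None
    module: Optional[int] = None

    def __post_init__(self):
        # A deeper level without its parent is not a valid P&IDn
        gap = False
        for value in (self.wagon, self.equipment, self.module):
            if value is None:
                gap = True
            elif gap:
                raise ValueError("P&IDn levels must be contiguous from the train")

    def level(self) -> str:
        """T, W, E or M: the deepest level that is set (Screen Header table)."""
        if self.module is not None:
            return "M"
        if self.equipment is not None:
            return "E"
        if self.wagon is not None:
            return "W"
        return "T"

    def prefix(self) -> str:
        """'R12MS1_1_00_031' style identifier without the role/task suffix."""
        parts = [self.train]
        for value, width in zip((self.wagon, self.equipment, self.module), WIDTHS):
            if value is not None:
                parts.append(f"{value:0{width}d}")
        return "_".join(parts)

    def screen_title(self, role: str) -> str:
        return f"{self.prefix()}_{role}"

    @classmethod
    def parse(cls, title: str):
        """Inverse of screen_title: returns (PIDn, role)."""
        parts = title.split("_")
        if len(parts) < 2:
            raise ValueError("a screen title is at least Train_Role")
        train, *numbers, role = parts
        if len(numbers) > 3 or not all(n.isdigit() for n in numbers):
            raise ValueError(f"bad P&IDn in title {title!r}")
        values = [int(n) for n in numbers] + [None] * (3 - len(numbers))
        return cls(train, *values), role


def banner(priority, pidn: PIDn, code: str, cause, description: str,
           when: datetime, english: bool = True) -> str:
    """Alarms Banner line: Priority_Wagon_Equipment_Module_Code:Cause, Description - Date & Time."""
    if pidn.level() != "M":
        raise ValueError("an alarm is raised by a module")
    if english:
        stamp = f"{MONTHS_EN[when.month - 1]} {when.day:02d} {when:%H:%M:%S}"
    else:  # local, day-first date (constructed example of the toggle)
        stamp = f"{when.day:02d}.{when.month:02d}.{when.year} {when:%H:%M:%S}"
    wagon_equip_module = pidn.prefix().split("_", 1)[1]   # drop the train part
    return f"{priority}_{wagon_equip_module}_{code}:{cause}, {description} - {stamp}"


if __name__ == "__main__":
    pidn, role = PIDn.parse("R12MS1_1_00_031_Metering")
    print(pidn.level(), pidn.screen_title(role))
    print(banner(1, PIDn("R12MS1", 3, 2, 10), "C2", 1, "Load Feed Level Warn",
                 datetime(2020, 12, 24, 7, 49, 11)))
```

Parsing and composing through one class keeps the title the Screen Header shows, the StopCause string and the banner in agreement, which matters when an alarm log is correlated with a screenshot months later; the contiguity check rejects identifiers such as an equipment without a wagon-unit before they reach a log.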
Conventions
To design an HMI display, it is very important to have a very good understanding of how to use colors. Color is a very powerful tool for visual presentations. It can cause danger in operation if misused. Therefore, choosing the right color for the background, control buttons, alarms and words is very critical for a good HMI design compliant with EN-16186-3:2016.

6.5.1 Colors
The table provides a matrix with §Appendix Colors for modes and states.
States colors : Blue = Wait or Reset; Red = Alarm or Emergency; Yellow = Off/Stop or StartUp; Green = On/Exec or Start; White = Neutral or Out of Order.
Modes : Enable, Disable, Manual or Jog (other modes colors N/A).

6.5.2 Module
This diagram shares background and foreground colors for a basic Module.
[Diagram: Module mode/state combinations Disable/OoO, Enable/OoO, Enable/Off, Enable/Reset, Enable/On, Enable/Alarm.]

6.5.3 Equipment
This diagram shares background and foreground colors for an Equipment.
[Diagram: Grinding Stone equipment with modules Axe Z, Spindle C and Visualization; Mode (Enable, Manual) versus module states (Off, On, Reset, Alarm).]

6.5.4 Wagon-Unit
This diagram shares background and foreground colors for a Wagon-Unit.
[Diagram: Wagon-Unit with Unlock, Down and Visualization; Mode (Disable, Manual, Enable) versus states (Off, On, Reset).]
7 APPENDIX

Energies-Safety
See References for conformances.

7.1.1 Energies
The safety related parts of control systems (SRP/CS) include all Energies that could cause injuries; they shall maintain the system in a safe state if guards are disabled, see Safety. The energies distribution design shall be able to manage the CoMot mode with device(s) such as a Deadman Switch. The values of Earth Fault Currents must be limited to reduce their effects.

[Figure: Energies-Safety block diagram. A Safety Logic (HW or SW) controls the Safety-Related Parts: Main Air Supply Valve and Redundant Air-Supply Valve under Safety Reset Control (Safe or Clean Air, Uncut Air-Supply, Pressure will decay in time, Cut-Off Air-Supply, Safe and Unsafe Air-Actuators); Electrical Main Switch, Overload Protection, EMC/EMI Filter and Redundant 3P-Electrical Breakers under Safety Shut-Off Control (Uncut and Cut 3P-Electrical, Safe and Unsafe E-Actuators, Safety Certified E-Actuators); Cooperative Motion - Safe Limited Speed Control with Dead Man Switch; Guard Interlock, Presence Sensor, Main Air Pressure and E-Stop as safety signals from/to the Control System; TN-S Network L1, L2, L3, N, PE with neutral impedance Zn.]
Wire colors in the diagram :
• Yellow-Green : Equipotential bonding
• Black / Grey / Brown : AC / DC power
• Orange : light / socket / ...
• Light Blue : AC neutral
• Dark Blue : DC control
• Red : AC Control
7.1.2 Neutral Earthing
The neutral of a medium or low voltage network can be earthed by five different methods, according to the type (resistive, inductive) and value (zero to infinity) of the impedance Zn connected between the neutral and the earth :
Effect | Zn = ∞ | Resistance | Reactance | Capacitance | Zn = 0
Damages | Very Low | Low | Low | Very Low | Very High
Temporary over voltages | High | Medium | Medium | Medium | Low
Transient over voltages | High | Low | High | High | Low
Touch and step voltages | Very Low | Low | Low | Low | High

7.1.3 Colors and Symbols
See §User Interface Basics and IEC-60204-1:2016. The color code assigns particular meanings to visual and tactile signals, from simple cases such as buttons or LEDs to extensive controls such as screens. It improves visual-tactile danger awareness due to :
• An intuitive recognition of control conditions and device positions to avoid unintended misuse.
• A proper monitoring, control and maintenance of the procedures or devices with less confusion.
Color | Symbol | Meaning | Explanation | Action by Operator | States
Red | (image) | Emergency | Critical condition | Immediate action to deal with hazard | E-Stop
Yellow | (image) | Abnormal | Abnormal condition | Cautious action to recover from hazard | Startup, Stop
Blue | (image) | Mandatory | Careful condition | Mandatory action to care with process | Wait, Hold
Green | (image) | Normal | Normal condition | Optional action to predict or prescribe | Exec., Run
White | (image) | Neutral | Other conditions whenever doubt exists on previous colors | Monitoring | N/A

7.1.4 Safety Functions
See IEC-61800-5-2:2016.
• SBC : Safe Brake Control in conjunction with STO.
• SLT-STR : Safely-Limited Torque check and stop over torque.
• SDI : Safe motion DIrection check and SS1 if error.
• SOS : Safety Operating Stop and zero-speed, no shut off.
• SFX : Safe Feedback Scaling check position and speed.
• SS1 : Safe Stop 1 in accordance with stop category #1.
• SLP : Safe Limited Position check axis position.
• SS2 : Safe Stop 2 in accordance with stop category #2.
• SLS : Safely-Limited Speed check over speed.
• STO : Safe Torque Off shuts off power but not control.

7.1.5 Stop Categories
See §System Model Alarms and IEC-60204-1:2016.
• #0 Uncontrolled stop with immediate unsafe energies containment on all actuators.
• #1 Controlled stop with all energies and then starts unsafe energies containment.
• #2 Controlled stop with all energies remaining available on all actuators.
Risks Assessment
Machinery must be designed and constructed so that it is fitted for its function, and can be operated, adjusted and maintained without putting persons at risk when these operations are carried out under the conditions foreseen but also under any reasonably foreseeable misuse thereof, i.e. MD-2006/42/CE.

7.2.1 Hazards Inventory
First, the risk assessment defines the machinery limits; it includes any required workspace for machinery, user interaction and move ranges. A risk assessment team shall obtain all machinery specifications, design drawings (i.e. mechanic, electric, pneumatic, hydraulic, ...), manuals and checklists (materials, spare parts, parameters, alarms, etc.). Within these machinery limits, it is essential to locate all hazards related to and caused by the machinery. All foreseeable hazards shall be identified in all tasks of all life phases performed by all involved users. An Index shall rank each inventoried risk through a risk evaluation; a risk index higher than 2 requires a risk reduction.

7.2.2 Risks Evaluation
It aims to estimate and evaluate all risks related to any pre-identified hazards. It evaluates the harm Severity, the event Frequency, the occurrence Probability and the possible Avoidance by limiting harm. It provides a Risk Index by inventoried risk.
[Figure: risk evaluation parameters. Severity [N/cm2]: Quasi-Static 280 N/cm2 and 600 N/cm2, Transient 110 N/cm2 and 300 N/cm2; Frequency [Shot/day]; Probability [3 cm/sec]; Avoidance [N / Y].]
Risk Index | PLr
1 Normal | PLa
2 Careful | PLa
3 Unusual | PLb
4 Abnormal | PLc
5 Critical | PLd
6 Fatal | PLe

7.2.3 Risks Reduction
A risk reduction shall achieve a tolerable level of safety with appropriate measures; it leads first to eliminate by design, second to protect by active safe guard(s) and last to indicate by information-of-use where residual risks persist.

7.2.4 PLr Calculation
The IFA tool SISTEMA calculates and reports the system Performance Level.
Connectivity
Connectivity with the Train is the foundation of IT/OT convergence; it merges asynchronous information technology (IT) systems used for data-centric computing with synchronous operational technology (OT) systems used to monitor events, procedures or devices while mastering manufacturing and operations.

7.3.1 IIoT Integration
• Train Interface means communication with the Train server to handle Patterns, to trace PK's Pass, to track Alarms and to monitor OEE's.
• A digital knowledge made from a deep enough connectivity gives Condition-based Monitoring (CBM) for Maintenance, Repair & Overhaul (MRO).
The TCN, Train Communication Network, merges multi-purpose TCMS's, Train Control & Monitoring Systems.
• L3 Administration Network hosts SI Servers to handle Patterns, to trace railroad PK's Pass, to track Alarms and to monitor railreprofilers OEE's; it includes Active Directory for all systems to vault User Access credentials.
• L2 Asynchronous Common Bus - TCMS hosts hardware and operating systems compliant with IS/IT Policies; its role is to provide timely undetermined (non-real-time) data through the PLC-Masters :
• Touch-Panels to manage HMIs and the SSN-VPN Remote Access link to 3rd Party Computers to achieve remote monitoring and control.
• PLC-Masters to control trains and provide the gateway to the L1 Synchronous Bus; added IIoT Edge features decrease communications bandwidth use between sensors and servers by performing analytics and knowledge generation near the data available on the Synchronous Network.
• L1 Synchronous Bus synchronizes data between PLC's and smart devices for real-time sequential logic and shares complex asynchronous data to the L2 Asynchronous Common Bus through a PLC-Master; the safety devices required for UTO such as GPS, 3D cameras, U-Sonic scanners, MWR, LiDAR and INS may belong to this bus.
• L0 Synchronous Fieldbus synchronizes physical inputs and outputs to PLCs for real-time imperative logic (timely determined).

7.3.2 TCN Model
See System Security policies.
[Figure: TCN model. HMI Hierarchy (Train Page, WagonUnit Page, Equipment Page, Module Page) over Data Servers (MES, Train Control, Data Logs for WagonUnit and Equipment-Module; Recipes, Patterns, Parameters, Sequences; Alarms per Train, WagonUnit and Equipment) and the Logic Model (Train Logic, Car-Unit Logic, Equipment Logic, Module Logic with their Interface and Tags). Link types: Bidirectional Real-Time, Bidirectional Event based, Unidirectional Event based, Embedded Read/Write. IIoT Integration as 'White Box' or 'Black Box'; cycle times Train 1 minute, WagonUnit 1 second, Equipment 1 msec, Modules 1 sec; Safety, Quality, Durability. Network levels: L3 Administration Network (SI Servers); L2 Asynchronous Common Bus - TCMS (Touch Panels, Remote Access, Vehicle PLC Master, Work PLC Master); L1 Synchronous Vehicle Bus (Cab A Vehicle, Cab B Vehicle, Energies, Traction, 3D Cam, U-Sonic, MWR, LiDAR, GPS, INS); L1 Synchronous Work Bus (Cab A Work, Cab B Work, CM, CR1, CR2, CReprofiler, CLeaner, CMeas); L0 Synchronous Field Bus.]
Segments Shift

7.4.1 Shiftime vs Segment [mm] & km/h
The Segments sample each PK's trackside in sized portions; the segment type may be sized as the Greatest Common Divisor of the lengths of every profile stage; the segment shiftime depends on the train speed :
Shiftime [ms] = 3.6 × Segment [mm] / Speed [km/h]

7.4.2 RR12MS1 200mm Case
[Table: grindstone total length 300 mm, segment 200 mm. Stage total lengths in mm with their number of 200 mm segments (#): 9600 (48), 3400 (17), 3600 (18), 6000 (30), 5800 (29), 4000 (20), 4200 (21), 5400 (27), 5200 (26), 4800 (24), 5000 (25), 4600 (23), 4400 (22), 5600 (28), 3000 (15), 2800 (14), 7000 (35), 7200 (36), 2400 (12), 2200 (11), 200 (1); overall length 14940 mm.]
[Plot: 200 mm segment shiftime versus train speed in [ms], and dynamic need on the Z axis for a 100 mm move-up in [mm/s].]
Speed [km/h] | Shiftime [ms] | Z axis need [mm/s]
4 | 180 | 11
6 | 120 | 17
10 | 72 | 28
14 | 51 | 39
20 | 36 | 56
36 | 20 | 100
48 | 15 | 133
80 | 9 | 222
220 | 3 | 611
360 | 2 | 1000
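The segment sizing rule and the shiftime formula of 7.4.1, as an added example that is not SPENO's code: the segment is taken as the greatest common divisor of the profile stage lengths, the number of segments per stage follows, and the shift time per segment is computed from the train speed with the 3.6 factor (km/h to mm/ms). The stage lengths are those of the RR12MS1 200 mm case above; the list of speeds is the one plotted on the page.

```python
from functools import reduce
from math import gcd

# Profile stage lengths [mm] of the RR12MS1 200 mm case (from the table above).
RR12MS1_STAGES_MM = [9600, 3400, 3600, 6000, 5800, 4000, 4200, 5400, 5200,
                     4800, 5000, 4600, 4400, 5600, 3000, 2800, 7000, 7200,
                     2400, 2200, 200]

PLOTTED_SPEEDS_KMH = [4, 6, 10, 14, 20, 36, 48, 80, 220, 360]


def segment_mm(stage_lengths):
    """Segment size [mm] as the greatest common divisor of all stage lengths."""
    if not stage_lengths or any(length <= 0 for length in stage_lengths):
        raise ValueError("stage lengths must be positive millimetres")
    return reduce(gcd, stage_lengths)


def segments_per_stage(stage_lengths, seg=None):
    """Number of segments in each stage (the '#' column of the table)."""
    seg = seg or segment_mm(stage_lengths)
    return [length // seg for length in stage_lengths]


def shiftime_ms(seg_mm, speed_kmh):
    """Shiftime [ms] = 3.6 x Segment [mm] / Speed [km/h].
    1 km/h = 1e6 mm / 3.6e6 ms, so a train covers speed/3.6 mm per ms."""
    if speed_kmh <= 0:
        raise ValueError("a stopped train has no shift time")
    return 3.6 * seg_mm / speed_kmh


def shiftime_table(seg_mm, speeds_kmh):
    """(speed [km/h], shiftime [ms] rounded) pairs, as plotted on the page."""
    return [(v, round(shiftime_ms(seg_mm, v))) for v in speeds_kmh]


if __name__ == "__main__":
    seg = segment_mm(RR12MS1_STAGES_MM)
    print("segment:", seg, "mm; segments per stage:",
          segments_per_stage(RR12MS1_STAGES_MM, seg))
    for speed, ms in shiftime_table(seg, PLOTTED_SPEEDS_KMH):
        print(f"{speed:4d} km/h -> {ms:4d} ms")
```

The GCD is what keeps every stage boundary on a segment boundary; a profile stage of 3510 mm added to this list would drop the segment to 10 mm and multiply the segment count by twenty, which is the check to run before a new pattern is loaded.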
Acronyms
Keys | Definition
AI | Artificial Intelligence.
AR | Augmented Reality.
ATEX | ATmospheres EXplosives.
CBM | Condition-Based Monitoring (link to MRO).
CCPs | Critical Control Points.
CTQ | Critical to Quality.
CVE | Common Vulnerabilities and Exposures.
CVSS | Common Vulnerability Scoring System.
DQ | Design Qualification.
DRW | Hardware Drawings or schematics.
EMC | Electromagnetic Compatibility.
EMI | Electromagnetic Interference.
EN | European Norms, CEN, CENELEC or ETSI.
ERP | Enterprise Resource Planning.
FAT | Factory Acceptance Test.
FDS | Functional Design Specification.
FMEA | Failure Mode and Effects Analysis.
GAMP | Good Automated Manufacturing Practice.
GPS | Global Positioning System (link to INS).
GTIN | Global Trade Item Number given by GS1.
HDS | Hardware Design Specification.
HMI | Human Machine Interface.
I/O | PLC Physical Inputs and Outputs.
IEC | International Electrotechnical Commission.
IIoT | Industrial Internet of Things for Digitalized Factory.
INS | Inertial Navigation System (link to GPS).
IP | Ingress Protection against intrusion, IEC-60529.
IPC | Industrial Personal Computer.
IPS | In-Process Sampling (Quality Audit).
IQ | Installation Qualification.
ISO | International Organization for Standardization.
IT | Information Technology.
KPI | Key Performance Indicator(s).
KQI | Key Quality Indicator(s).
LiDAR | Redundant Light Detection and Ranging.
MD | Machinery Directive for European Market.
MQTT | Message Queuing Telemetry Transport.
MRO | Maintenance, Repair & Overhaul (link to CBM).
MVC | Model-View-Controller pattern.
MWR | Redundant Millimetric Wave Radar.
NEMA | National Electrical Manufacturers Association.
OEE | Overall Equipment Effectiveness.
OEM | Original Equipment Manufacturer.
OPC | Open Platform Communication DA or UA.
OPRPs | Operational Pre-Requisite Points.
OQ | Operational Qualification.
OT | Operational Technologies.
P&IDn | Process & Instruments Design IDentifier.
PE | Protective Earth (Ground).
PLr | Performance Level of the SRP/CS.
PLC | Programmable Logic Controller.
PQ | Performance Qualification.
PRCR | Problem Report and Change Request.
PRG | Software Programs for PLC's and HMI's.
QC | Quality Control Management.
RAMS | Reliability, Availability, Maintainability & Safety.
RCA | Root Cause Analysis.
RCM | Release Candidate for Manufacturing.
RTM | Requirements Traceability Matrix.
SAT | Site Acceptance Test.
SCADA | Supervisory Control and Data Acquisition.
SDS | Software Design Specification.
SHE | Safety, Health and Environmental.
SLO | Service Level Objective.
SRA | Software Risk Assessment.
SRP/CS | Safety Related Parts of Control Systems.
SSL | Secure Sockets Layer protocol (i.e. TLS).
TBD | To Be Defined between Supplier & User.
TCMS | Train Control and Monitoring System.
TCN | Train Communication Network.
TST | Testing Lists for Qualification.
URS | User Requirements Specification.
UTO | Unattended Train Operation vs UITP.
VFD | Variable Frequency Drive / Variable Speed Drive.
VMP | Validation Master Plan.
VPN | Virtual Private Network.

International IT Regulations and Compliance :
The most primitive life cycle model is trial & error, also called build & fix. In this life cycle model, the first version of the system is built without prior plan, documentation or control. If the product is accepted, the developers face an interminable period of confusion, frustration and drudgery as they fix an endless stream of problems. Unfortunately, the build & fix life cycle model, which hardly deserves its title, is all too common in practice; however, continued pressure from customers is forcing it to be abandoned. So just keep away from the build & fix dead-end !
Good Automation Manufacturing Practices Guide :
GAMP aims to achieve control systems that are fit for intended use and meet current regulatory requirements by building upon existing industry good practices in an efficient and effective manner. It provides recommended good practices based on a life cycle approach for the development and management of control systems. It is applicable across the full system life cycle from concept to retirement. It recognizes that Good Engineering Practices meet most of the applicable compliance requirements. The guide also emphasizes that, in order to be efficient, appropriate specification and verification activities should be an integral part of the normal system life cycle. The good manufacturing practices do help :
• To improve workforce skills and technology use.
• To shorten time to market by reducing design risk.
• To improve quality by reducing assembly waste.
• To increase income by reducing overhead costs.