MODELLING OF SAFETY-RELATED COMMUNICATIONS FOR RAILWAY APPLICATIONS

Purpose. The authors according to requirements of the standard valid for safety-related communication between interlocking systems (EN 50159) analyze the situation of message undetected which is transmitted across BSC channel. The main part is orientated to description of model with CRC code used for messages assurance across noise communication channel. Methodology. For mathematical description of encoding, decoding, error detection and error correction is used algebra of polynomials. Findings. The determination of the intensity of dangerous failure caused by the electromagnetic interference was calculated. Originality. To obtain information on the probability of undetected error in transmission code and safety code and on the intensity of dangerous failure from the motel it was created program with graphical interface. To calculate the probability of undetected error for any block code (n, k) was created a supporting program that displays the probability of undetected error for selected interval of error bit rate. Practical value. From the measured and calculated values obtained by the simulation one can see that with increasing error bit rate is increasing also intensity of dangerous failures. Transmission code did not detect all corrupted messages therefore it is necessary to use safety code independent on transmission code in safety-related applications. CRC is not able to detect errors if all bits are logical 0.


Introduction
If the safety-related electronic system transfers information between different entities then the communication system is also part of a safetyrelated system and must be demonstrated that the transfer between end terminals is safe and in compliance with standard EN 50159 [5].Safety-related communication system performs and fulfils safety functions with defined level of safety.Such a system includes a safety-related communication layer which contains all necessary mechanisms to ensure safety-related transfer of data [8].Selection and use of a safety code and other recommended tech-niques depends on whether is the possible unauthorized access to the system or not.This fact is very significant because in case of possible unauthorized access (malicious attacks) it is necessary to use cryptographic techniques with secret key.If there is no possibility of unauthorized access to the transmission system it is used non-cryptographic safety code (type A0).If the unauthorized access is possible we can achieve the safety by the transmission functions related with safety with the use of cryptographic mechanisms (type A1).Further is for this case used term cryptographic safety code.In case of possible unauthorized access can be used separate access protection layer (type B0 or B1).
Corruption of the message during transmission can be caused by the network user, by the failure of transmission medium, by the interference of messages or by electromagnetic noise.Errors of this type are categorized as unintentional attacks.They can be detected by the CRC (Cyclic Redundancy Check) or by the CS (Check Sum).Evidence of safety with respect to the safety integrity level and the nature of the safety-related process must demonstrate appropriateness of: probability of the detection of random error types and ability to detect all types of expected message corruption systematic types.
Safety code must be independent of the transmission code what can be achieved in two ways.One is to use different encryption algorithms and the second is to use different configuration parameters of the same algorithm.To meet the required safety integrity level must be the probability of undetected errors below specified limit.Safety code must be able to detect transmission faults (e.g.impact of EMI) and systematic faults in untrusted transmission system caused by hardware failures.Safety code must also be able to detect typical faults of transmission system.
In the paper we work with the message type A0 because we do not expect unauthorized access to the transmission system.Each message will be secured with non-cryptographic safety code CRC-r.

Characteristic of safety code
Cyclic code is the most used code that can detect several multiple burst of errors.This code is one of the linear codes ( ) , n k , for which is applicable the linearity property and also property that cyclic shift of code word creates again code word belonging to the code [6].This feature is used in the construction of encoders, mainly by the use of linear shift register with feedback.From the group of cyclic codes in most communication protocols are used block systematic CRC codes marked CRC-r (where r is the number of redundant bits in the code word with length of n bits).For mathematical description of encoding, decoding, error detection and error correction is used algebra of polynomials [7].
If is used the safety code in transmission system it is necessary to demonstrate probability of undetected error during transmission below the limit defined by particular application or standard to ensure the required safety level.Therefore it is necessary to calculate the maximum value of probability of undetected error of code word in the transmission system for every safety code.In case of syndrome detecting techniques we look for event when syndrome is zero (error was not detected) but during the transmission of the code word occurred error.This case is mathematically expressed by probability of code word error ned p depending on the error bit rate b p of used channel.In the calculation are used statistical values of error bit rate of particular transmission speeds or if it is possible for particular application the channel is tested.
When calculating the probability of undetected errors are considered only errors arising due to interactions that cause the interchange of symbols.Errors to the improper synchronization are resolved by other safety means.The probability of undetected error for codes with unknown weight function can be calculated by following equation [4]: If the conjunction of n and b p is much smaller than one ( 1 b np ) the sum can be approximated by the first number of the sum.The equation 1 can be adjusted to following: where: n -total number of code bits, k -number of information part bits, min d -minimum Hamming distance, b p -error bit rate of the communi- cation channel.
The minimum Hamming distance min d and the length of code word n are the basis for the construction of block codes.The systematic block code ( ) , n k has the upper limit of achievable minimal Hamming distance given by Varshamov-Gilbert inequality.For odd values of min d applies equation 3 and for even values of min d applies equation 4. Codes where these two equations are equal are called perfect codes [3].
Error probability calculated according to the equation 2 limits to the value , what is the highest residual error rate of the code (equation 5).This value is stated as maximum value of undetected error for CRC-r codes [5].The probability of undetected error can be then calculated by the following equation: . .
where: SC p is the probability of undetected failure of safety code, TC p is the probability of undetected failure of transmission code, 1 TC p = if the transmission system does not include a channel encoder and channel decoder of transmission code, cor f is the frequency of occurrence of corrupted messages.In case of cyclic transmission of messages can be easily determined.In case of non-cyclic transmission of messages is this value estimated or set to the worst case scenario -all messages generated from the source are corrupted.

Description of realized model
Realized model of safety-related communication system with transmission code and safety code is shown in Fig. 1.In the figure is the scheme composed of seven blocks.Communication system consists of transmission system and two terminal equipment's TE 1 and TE 2. Transmission system is composed of a communication channel CCH, encoder of transmission code E TC , decoder of transmission code D TC , encoder of safety code E SC and decoder of safety code D SC .The transmission system is untrusted if it contains only a communication channel and transmission code.The safety integrity level can be in this case defined as SIL 0. To achieve higher level of safety integrity SIL 1 to SIL 4 we have to add safety code for elimination of communication errors which are not detected via transmission code.The SIL level depends on the selected safety code.In Fig. 2 is shown the model simulating the transfer of n messages secured with safety code and transmission code which was constructed in software tool Matlab, version 7.10.0(R2010a) and Communications System Toolbox library [2].
The model is constructed to simulate the transmission of messages through safety-related communication system secured by transmission code and safety code for two-point connection.From the point of view of ensuring the transmission we are using the safety code and transmission code based on CRC-r.Length of information part of the message was set to 64 bits.In order to ensure the independence of both types of codes was the generating polynomial of transmission code selected from standardized polynomials.For safety analysis we used generating polynomial of 8th degree type G(x)= x8+x2+x+1, which is used for example in ATM link protocol.Safety code generating polynomial was also selected from standardized polynomials for safety-related applications.There was selected polynomial of 32nd grade G(x)=x32+x30+x27+x25+x22+x20+x13+x12+ x11+x10+x8+x7+x6+x5+x4+1, which is used for example by the European Train Control System ETCS and if used separately it provides integrity level SIL 2. Model is designed so that we can simulate different error pattern.To trigger them we use three switches (S1, S2, S3).If we want to simulate transmission where the messages are affected only by functional block of binary symmetric channel (which generates random errors) S1 must be in position 1, on the position of S2 does not matter and S3 must be in position 1.If we want to simulate transmission where the mes-sages are affected by functional block of binary symmetric channel and subsequently negated the position of switches is as follows: S1 -position 2, S2 -does not matter, S3 -position 1.If we want to simulate transmission where all bits are set to logical 0 the position of switches is as follows: S1does not matter, S2 -position 1, S3 -position 2. If we want to simulate transmission where all bits are set to logical 1 the position of switches is as follows: S1 -does not matter, S2 -position 2, S3position 2.

Results and comments
During the time simulations of safety-related messages we were changing the bit error rate (BER) of the binary symmetric channel (BSC) by changing of BER in the range 1.10-8 to 0,5 (values less than 10-8 have shown very low error rate).Time of the simulation was set to 100000 s for every error bit rate of binary symmetric channel to simulate transfer of 100000 messages with length 104 bits (64 bits of information part, safety code 32 bits and transmission code 8 bits).Each second was sent one message [2].In the Fig. 2 is shown intensity of dangerous failures caused by EMI in closed transmission system which is assured by transmission and safety codes depending on the real BER of the communication channel.The value (3,2742e-9) is the worst intensity of dangerous failure.This is calculated as conjunction of the value of worst probability of transmission code (2 -8 ), value of worst probability of safety code and (2 -32 ) and the frequency of corrupted massages, when all messages are considered as corrupted (3600).This implies that such transmission system complies with requirements for the safety intensity level SIL 4 classified for all system with high demand (10 -9 ≤ THR ≤ 10 -8 ).

Conclusions
The number of applications with higher SIL (Safety Integrity Level) for which is necessary to provide evidence of safety not only for hardware parts and software parts but also for the communication system is growing.The authors are in this papers dealing with the issue of safety-related communication and types of failures that may occur during transmission of safety-related messages.We focused on the requirements for the safety code according to standard EN 50159 with special attention to the cyclic code on the CRC principle.According to requirements of the standard it is necessary to demonstrate that transmission via real communication channel with safety code meets the required safety integrity level.
The main part of the article was orientated to model realization that simulates transmission of safety-related messages via communication system with closed transmission system at the level of two-point connection.We simulated transfer of messages for various settings of bit error rate of communication channel (model BSC).We also simulated transfer of messages in extreme fault condition as inversion of the message, all bits in logical 0 and all bits in logical 1.We applied limited binary error channel to test the integrity of the transfer with CRC-r safety code and transmission