// === Description ===
// On-board unit (OBU) for ETCS Level 2 railway traction vehicles.
// Receives movement authorities from the Radio Block Center over
// GSM-R / FRMCS, reads Eurobalises along the track and continuously
// supervises the vehicle speed. On overspeed or loss of the movement
// authority the OBU automatically triggers an emergency brake
// application through a fail-safe de-energize-to-brake loop.
// Dual-channel European Vital Computer with 2oo2 voter,
// triple odometry, redundant radio link.
// Safety target SIL 4 per EN 50128 / EN 50129.
// === End Description ===
// FtaDSL ETCS Level 2 On-Board Unit (OBU)
//
// Author: Wolfgang Freese, Overath (Germany)
// April 2026
// Version 1.0
//
// Safety Class: SIL 4 per EN 50128 / EN 50129 / CENELEC
//
// References:
//   EN 50126 (RAMS), EN 50128 (Software), EN 50129 (Hardware)
//   ERA UNISIG Subset-026 (ETCS System Requirements Specification)
//   ERA UNISIG Subset-036 (FFFIS for Eurobalise)
//   ERA UNISIG Subset-037 (EuroRadio FIS)
//   TSI CCS (Technical Specification for Interoperability CCS)
//
// Top Level Event (TLE):
//   EmergencyBrakeNotApplied - the OBU fails to request the
//   emergency brake when a movement authority (MA) has been
//   exceeded or lost, a balise telegram signals stop, or a
//   communication timeout occurs.
//
// Fault Modes (reused):
//   Telegram_Corrupted, Telegram_Missed, Telegram_Spoofed
//   MA_Missing, MA_Stale, MA_TooPermissive
//   Position_Drift, Position_Error, Position_Frozen
//   Speed_Underestimate, Speed_Overestimate
//   EMB_Cmd_Missing  - emergency brake command missing (core TLE driver)
//   ServiceBrake_Missing
//   Channel_Disagreement, Channel_Silent
//   Crypto_MAC_Invalid
//   Power_Lost, Bus_Silent, Data_Stale
//
// Redundancy architecture:
//   - EVC as 2oo2 computing (Channel A + Channel B + voter)
//   - Odometry: triple fusion (2 axle tachos + Doppler radar + INS)
//   - Communication: GSM-R A + GSM-R B + FRMCS backup
//   - Redundant power supply (A/B) with UPS battery
//   - Fail-safe emergency brake loop (de-energise = brake)
//
// Reading guide (derived from the statements in this file; confirm
// against the FtaDSL reference):
//   OIM <out>.<out fault mode>.<expr>  ties an output fault mode to a
//       single input fault mode or an AND(...)/OR(...) expression.
//   INT <if>.<func>.<IN|OUT>.<port>.<func>.<IN|OUT>.<port>  wires ports.
//   ISF / SF / TF  assign rates to top-level inputs, sub-function
//       outputs and interfaces.
//
// NOTE(review): several fault modes below are produced but never used
// as a cause in any OIM, and several OIM causes have no producer on
// the wired interface. Each case is marked where it occurs. If FtaDSL
// matches fault modes by name across an INT (presumably, to confirm),
// these paths silently drop out of the TLE cut sets.

FUNCTION ETCS_OBU
  INPUT Balise_RF_Signal
  INPUT GSM_R_Signal_A
  INPUT GSM_R_Signal_B
  INPUT FRMCS_Signal
  INPUT Axle_Pulse_1
  INPUT Axle_Pulse_2
  INPUT Radar_Echo
  INPUT Accel_Raw
  INPUT Driver_Input_Primary
  INPUT Driver_Input_Secondary
  INPUT Train_Status_FromTIU
  INPUT Pwr_Train_A
  INPUT Pwr_Train_B
  INPUT TimeSource_GPS
  OUTPUT EmergencyBrake_Cmd
  OUTPUT ServiceBrake_Cmd
  OUTPUT TractionCutoff_Cmd
  OUTPUT DMI_Display_Primary
  OUTPUT DMI_Display_Secondary
  OUTPUT JRU_Log
  OUTPUT GSM_R_Uplink_A
  OUTPUT GSM_R_Uplink_B

  // ======================================================
  // Power supply
  // ======================================================

  // Supply train A: loss of the input is passed straight through.
  FUNCTION PowerSupply_Train_A
    INPUT PwrIn_A
    OUTPUT PwrOut_A
    OIM PwrOut_A.Power_Lost.PwrIn_A.Power_Lost
  END FUNCTION

  // Supply train B: same pass-through as train A.
  FUNCTION PowerSupply_Train_B
    INPUT PwrIn_B
    OUTPUT PwrOut_B
    OIM PwrOut_B.Power_Lost.PwrIn_B.Power_Lost
  END FUNCTION

  // UPS output is lost via OIM only when both supply trains are lost.
  // NOTE(review): every powered consumer in the INT section is fed from
  // this single PwrOut_UPS output (both EVC channels, BTM, all modems,
  // brake loop, recorder), so its own SF rate acts as a shared cause
  // for both channels of the 2oo2 pair.
  FUNCTION UPS_Battery
    INPUT PwrA_UPS
    INPUT PwrB_UPS
    OUTPUT PwrOut_UPS
    OIM PwrOut_UPS.Power_Lost.AND(PwrA_UPS.Power_Lost; PwrB_UPS.Power_Lost)
  END FUNCTION

  // Platform clock and health both go silent on loss of platform power.
  // NOTE(review): PlatformClock is wired to both EVC channels, the
  // watchdog, the EuroRadio stack and the crypto module (see INT
  // "Clocks"), so it is a second shared cause across the 2oo2 pair.
  // PlatformHealth has no INT consumer in this file.
  FUNCTION SafeComputingPlatform
    INPUT PwrIn_SCP
    OUTPUT PlatformClock
    OUTPUT PlatformHealth
    OIM PlatformClock.Bus_Silent.PwrIn_SCP.Power_Lost
    OIM PlatformHealth.Bus_Silent.PwrIn_SCP.Power_Lost
  END FUNCTION

  // ======================================================
  // Eurobalise and position determination
  // ======================================================

  // Antenna: the three telegram fault modes pass through unchanged.
  FUNCTION EurobaliseAntenna
    INPUT RF_In
    OUTPUT AntennaOut
    OIM AntennaOut.Telegram_Corrupted.RF_In.Telegram_Corrupted
    OIM AntennaOut.Telegram_Missed.RF_In.Telegram_Missed
    OIM AntennaOut.Telegram_Spoofed.RF_In.Telegram_Spoofed
  END FUNCTION

  // BTM: power loss adds to corrupted/missed; spoofed passes through.
  FUNCTION BTM
    INPUT BTM_In
    INPUT BTM_Pwr
    OUTPUT BTM_Out
    OIM BTM_Out.Telegram_Corrupted.OR(BTM_In.Telegram_Corrupted; BTM_Pwr.Power_Lost)
    OIM BTM_Out.Telegram_Missed.OR(BTM_In.Telegram_Missed; BTM_Pwr.Power_Lost)
    OIM BTM_Out.Telegram_Spoofed.BTM_In.Telegram_Spoofed
  END FUNCTION

  // Decoder: clock silence adds to corrupted/missed; spoofed passes
  // through. No block in the balise chain models a check that stops a
  // spoofed telegram; it is forwarded unchanged at every stage.
  FUNCTION TelegramDecoder
    INPUT DecIn
    INPUT DecClk
    OUTPUT DecodedTelegram
    OIM DecodedTelegram.Telegram_Corrupted.OR(DecIn.Telegram_Corrupted; DecClk.Bus_Silent)
    OIM DecodedTelegram.Telegram_Missed.OR(DecIn.Telegram_Missed; DecClk.Bus_Silent)
    OIM DecodedTelegram.Telegram_Spoofed.DecIn.Telegram_Spoofed
  END FUNCTION

  // Position estimator: corrupted or spoofed telegrams become
  // Position_Error; missed telegram plus stale odometry feedback
  // becomes Position_Frozen; stale feedback alone becomes Position_Drift.
  // NOTE(review): Position_Error and Position_Drift are not used as a
  // cause by any OIM in this file (the EVC channels and the JRU read
  // only Position_Frozen). The Telegram_Spoofed / Telegram_Corrupted
  // chain therefore appears to end here and not to reach the TLE.
  // NOTE(review): BPE_OdoFeedback is wired from
  // OdometryFusion.FusedPosition, which produces Position_Drift and
  // Position_Frozen but no Data_Stale; the Data_Stale causes below
  // appear to have no producer.
  FUNCTION BalisePositionEstimator
    INPUT BPE_Telegram
    INPUT BPE_OdoFeedback
    OUTPUT PositionFix
    OIM PositionFix.Position_Error.OR(BPE_Telegram.Telegram_Corrupted; BPE_Telegram.Telegram_Spoofed)
    OIM PositionFix.Position_Frozen.AND(BPE_Telegram.Telegram_Missed; BPE_OdoFeedback.Data_Stale)
    OIM PositionFix.Position_Drift.BPE_OdoFeedback.Data_Stale
  END FUNCTION

  // ======================================================
  // Odometry (triple fusion)
  // ======================================================

  // Each sensor maps a silent input to Speed_Underestimate and a stale
  // input to Speed_Overestimate.
  FUNCTION Axle_Tachometer_1
    INPUT Pulse_1
    OUTPUT Speed_1
    OIM Speed_1.Speed_Underestimate.Pulse_1.Bus_Silent
    OIM Speed_1.Speed_Overestimate.Pulse_1.Data_Stale
  END FUNCTION

  FUNCTION Axle_Tachometer_2
    INPUT Pulse_2
    OUTPUT Speed_2
    OIM Speed_2.Speed_Underestimate.Pulse_2.Bus_Silent
    OIM Speed_2.Speed_Overestimate.Pulse_2.Data_Stale
  END FUNCTION

  FUNCTION DopplerRadar_Odometry
    INPUT Echo_In
    OUTPUT Speed_Radar
    OIM Speed_Radar.Speed_Underestimate.Echo_In.Bus_Silent
    OIM Speed_Radar.Speed_Overestimate.Echo_In.Data_Stale
  END FUNCTION

  FUNCTION AccelerometerINS
    INPUT AccIn
    OUTPUT Speed_INS
    OIM Speed_INS.Speed_Underestimate.AccIn.Bus_Silent
    OIM Speed_INS.Speed_Overestimate.AccIn.Data_Stale
  END FUNCTION

  // Fusion: FusedSpeed underestimates only if both tachos underestimate
  // and at least one of radar / INS does too. Overestimate needs both
  // tachos and the radar. Position_Drift follows from any one of
  // tacho 1, tacho 2 or radar underestimating; Position_Frozen needs
  // all four sources to underestimate.
  FUNCTION OdometryFusion
    INPUT OF_Tach1
    INPUT OF_Tach2
    INPUT OF_Radar
    INPUT OF_INS
    OUTPUT FusedSpeed
    OUTPUT FusedPosition
    OIM FusedSpeed.Speed_Underestimate.AND(OF_Tach1.Speed_Underestimate; OF_Tach2.Speed_Underestimate; OR(OF_Radar.Speed_Underestimate; OF_INS.Speed_Underestimate))
    OIM FusedSpeed.Speed_Overestimate.AND(OF_Tach1.Speed_Overestimate; OF_Tach2.Speed_Overestimate; OF_Radar.Speed_Overestimate)
    OIM FusedPosition.Position_Drift.OR(OF_Tach1.Speed_Underestimate; OF_Tach2.Speed_Underestimate; OF_Radar.Speed_Underestimate)
    OIM FusedPosition.Position_Frozen.AND(OF_Tach1.Speed_Underestimate; OF_Tach2.Speed_Underestimate; OF_Radar.Speed_Underestimate; OF_INS.Speed_Underestimate)
  END FUNCTION

  // ======================================================
  // Communication (redundant) and crypto
  // ======================================================

  // Modem A: a silent radio input or power loss silences both the
  // downlink output and the uplink; stale input data yields MA_Stale.
  FUNCTION GSM_R_Modem_A
    INPUT GSM_A_In
    INPUT GSM_A_Pwr
    OUTPUT GSM_A_Out
    OUTPUT GSM_A_Uplink
    OIM GSM_A_Out.Channel_Silent.OR(GSM_A_In.Bus_Silent; GSM_A_Pwr.Power_Lost)
    OIM GSM_A_Out.MA_Stale.GSM_A_In.Data_Stale
    OIM GSM_A_Uplink.Channel_Silent.OR(GSM_A_In.Bus_Silent; GSM_A_Pwr.Power_Lost)
  END FUNCTION

  // Modem B: same mappings as modem A.
  FUNCTION GSM_R_Modem_B
    INPUT GSM_B_In
    INPUT GSM_B_Pwr
    OUTPUT GSM_B_Out
    OUTPUT GSM_B_Uplink
    OIM GSM_B_Out.Channel_Silent.OR(GSM_B_In.Bus_Silent; GSM_B_Pwr.Power_Lost)
    OIM GSM_B_Out.MA_Stale.GSM_B_In.Data_Stale
    OIM GSM_B_Uplink.Channel_Silent.OR(GSM_B_In.Bus_Silent; GSM_B_Pwr.Power_Lost)
  END FUNCTION

  // FRMCS modem: downlink only; no uplink output is modelled.
  FUNCTION FRMCS_Modem_Future
    INPUT FRMCS_In
    INPUT FRMCS_Pwr
    OUTPUT FRMCS_Out
    OIM FRMCS_Out.Channel_Silent.OR(FRMCS_In.Bus_Silent; FRMCS_Pwr.Power_Lost)
    OIM FRMCS_Out.MA_Stale.FRMCS_In.Data_Stale
  END FUNCTION

  // EuroRadio stack: MA_Missing needs all three bearers silent.
  // MA_Stale and MA_TooPermissive look only at the two GSM-R bearers.
  // NOTE(review): ER_FRMCS.MA_Stale is produced by the FRMCS modem but
  // is not part of the MA_Stale / MA_TooPermissive expressions; confirm
  // that leaving the backup bearer out is intended.
  FUNCTION EuroRadio_Stack
    INPUT ER_GSM_A
    INPUT ER_GSM_B
    INPUT ER_FRMCS
    INPUT ER_Clk
    OUTPUT ER_MAPayload
    OIM ER_MAPayload.MA_Missing.AND(ER_GSM_A.Channel_Silent; ER_GSM_B.Channel_Silent; ER_FRMCS.Channel_Silent)
    OIM ER_MAPayload.MA_Stale.OR(AND(ER_GSM_A.MA_Stale; ER_GSM_B.MA_Stale); ER_Clk.Bus_Silent)
    OIM ER_MAPayload.MA_TooPermissive.AND(ER_GSM_A.MA_Stale; ER_GSM_B.MA_Stale)
  END FUNCTION

  // Crypto module: a stale payload or a silent clock yields
  // Crypto_MAC_Invalid; a missing or stale payload yields MA_Missing;
  // MA_TooPermissive passes through unchanged.
  // NOTE(review): the only route to MA_TooPermissive in this model is
  // staleness on both GSM-R bearers. No fault mode represents a forged
  // or altered MA being accepted by the MAC check; confirm whether that
  // case is covered outside this fault tree.
  // NOTE(review): Crypto_MAC_Invalid and MA_Missing on CM_VerifiedMA
  // are not used as a cause by any OIM in this file. MA_Stale is read
  // by the EVC channels on this interface but is not produced here.
  FUNCTION CryptoModule
    INPUT CM_Payload
    INPUT CM_Clk
    OUTPUT CM_VerifiedMA
    OIM CM_VerifiedMA.Crypto_MAC_Invalid.OR(CM_Payload.MA_Stale; CM_Clk.Bus_Silent)
    OIM CM_VerifiedMA.MA_Missing.OR(CM_Payload.MA_Missing; CM_Payload.MA_Stale)
    OIM CM_VerifiedMA.MA_TooPermissive.CM_Payload.MA_TooPermissive
  END FUNCTION

  // ======================================================
  // EVC safety kernel (2oo2)
  // ======================================================

  // Channel A: the emergency brake command is missing when
  //   (frozen position AND underestimated speed), or
  //   (too-permissive MA AND underestimated speed), or
  //   channel power is lost, or the channel clock is silent.
  // NOTE(review): the header describes a de-energise-to-brake loop, yet
  // channel power loss is counted here as EMB_Cmd_Missing; confirm
  // whether that is a deliberately conservative choice.
  // NOTE(review): CA_MA.MA_Stale has no producer on ifMA_ChA (neither a
  // CryptoModule OIM nor a TF entry); CA_MA.MA_Missing,
  // CA_MA.Crypto_MAC_Invalid, CA_Position.Position_Error and
  // CA_Position.Position_Drift arrive on the inputs but are not used.
  FUNCTION EVC_ChannelA
    INPUT CA_Position
    INPUT CA_Speed
    INPUT CA_MA
    INPUT CA_Pwr
    INPUT CA_Clk
    OUTPUT CA_EMB_Cmd
    OUTPUT CA_SB_Cmd
    OUTPUT CA_TC_Cmd
    OIM CA_EMB_Cmd.EMB_Cmd_Missing.OR(AND(CA_Position.Position_Frozen; CA_Speed.Speed_Underestimate); AND(CA_MA.MA_TooPermissive; CA_Speed.Speed_Underestimate); CA_Pwr.Power_Lost; CA_Clk.Bus_Silent)
    OIM CA_EMB_Cmd.Channel_Silent.OR(CA_Pwr.Power_Lost; CA_Clk.Bus_Silent)
    OIM CA_SB_Cmd.ServiceBrake_Missing.OR(CA_Position.Position_Frozen; CA_MA.MA_Stale; CA_Pwr.Power_Lost)
    OIM CA_TC_Cmd.EMB_Cmd_Missing.OR(CA_Pwr.Power_Lost; CA_Clk.Bus_Silent)
  END FUNCTION

  // Channel B: same expressions as channel A.
  // NOTE(review): per the INT section both channels receive the same
  // PositionFix, FusedSpeed, CM_VerifiedMA, PwrOut_UPS and
  // PlatformClock. Every cause below is therefore shared with channel
  // A; only the per-channel SF / TF rates are independent.
  FUNCTION EVC_ChannelB
    INPUT CB_Position
    INPUT CB_Speed
    INPUT CB_MA
    INPUT CB_Pwr
    INPUT CB_Clk
    OUTPUT CB_EMB_Cmd
    OUTPUT CB_SB_Cmd
    OUTPUT CB_TC_Cmd
    OIM CB_EMB_Cmd.EMB_Cmd_Missing.OR(AND(CB_Position.Position_Frozen; CB_Speed.Speed_Underestimate); AND(CB_MA.MA_TooPermissive; CB_Speed.Speed_Underestimate); CB_Pwr.Power_Lost; CB_Clk.Bus_Silent)
    OIM CB_EMB_Cmd.Channel_Silent.OR(CB_Pwr.Power_Lost; CB_Clk.Bus_Silent)
    OIM CB_SB_Cmd.ServiceBrake_Missing.OR(CB_Position.Position_Frozen; CB_MA.MA_Stale; CB_Pwr.Power_Lost)
    OIM CB_TC_Cmd.EMB_Cmd_Missing.OR(CB_Pwr.Power_Lost; CB_Clk.Bus_Silent)
  END FUNCTION

  // Watchdog: silent when both channels are silent or its clock is
  // silent; reports disagreement as soon as either channel is silent.
  FUNCTION EVC_WatchDog
    INPUT WD_ChA
    INPUT WD_ChB
    INPUT WD_Clk
    OUTPUT WD_Status
    OIM WD_Status.Channel_Silent.OR(AND(WD_ChA.Channel_Silent; WD_ChB.Channel_Silent); WD_Clk.Bus_Silent)
    OIM WD_Status.Channel_Disagreement.OR(WD_ChA.Channel_Silent; WD_ChB.Channel_Silent)
  END FUNCTION

  // Voter: each command is missing only if it is missing on both
  // channels (AND). Channel_Disagreement is raised by the watchdog or
  // when both channels are silent.
  FUNCTION EVC_Voter
    INPUT V_ChA_EMB
    INPUT V_ChB_EMB
    INPUT V_ChA_SB
    INPUT V_ChB_SB
    INPUT V_ChA_TC
    INPUT V_ChB_TC
    INPUT V_WD
    OUTPUT V_EMB_Out
    OUTPUT V_SB_Out
    OUTPUT V_TC_Out
    OIM V_EMB_Out.EMB_Cmd_Missing.AND(V_ChA_EMB.EMB_Cmd_Missing; V_ChB_EMB.EMB_Cmd_Missing)
    OIM V_EMB_Out.Channel_Disagreement.OR(V_WD.Channel_Disagreement; AND(V_ChA_EMB.Channel_Silent; V_ChB_EMB.Channel_Silent))
    OIM V_SB_Out.ServiceBrake_Missing.AND(V_ChA_SB.ServiceBrake_Missing; V_ChB_SB.ServiceBrake_Missing)
    OIM V_TC_Out.EMB_Cmd_Missing.AND(V_ChA_TC.EMB_Cmd_Missing; V_ChB_TC.EMB_Cmd_Missing)
  END FUNCTION

  // ======================================================
  // HMI and recording
  // ======================================================

  // NOTE(review): DMI_P_In / DMI_S_In are wired from PositionFix, which
  // produces Position_* fault modes; the Bus_Silent / Data_Stale causes
  // read from those inputs below appear to have no producer.
  FUNCTION DMI_Primary
    INPUT DMI_P_In
    INPUT DMI_P_Driver
    OUTPUT DMI_P_Out
    OIM DMI_P_Out.Bus_Silent.OR(DMI_P_In.Bus_Silent; DMI_P_Driver.Bus_Silent)
    OIM DMI_P_Out.Data_Stale.DMI_P_In.Data_Stale
  END FUNCTION

  FUNCTION DMI_Secondary
    INPUT DMI_S_In
    INPUT DMI_S_Driver
    OUTPUT DMI_S_Out
    OIM DMI_S_Out.Bus_Silent.OR(DMI_S_In.Bus_Silent; DMI_S_Driver.Bus_Silent)
    OIM DMI_S_Out.Data_Stale.DMI_S_In.Data_Stale
  END FUNCTION

  // JRU: the stream is stale on frozen position or a silent time
  // source, and silent on a silent time source. JRU_EMB is declared as
  // an input but is not referenced by either OIM.
  // NOTE(review): the time source (TimeSource_GPS, see ifJRU_Time) is
  // modelled with Bus_Silent only; a present-but-wrong time is not
  // represented. If JRU records are used as evidence after an
  // incident, timestamp integrity may need its own fault mode.
  FUNCTION JRU
    INPUT JRU_EMB
    INPUT JRU_Pos
    INPUT JRU_Time
    OUTPUT JRU_Stream
    OIM JRU_Stream.Data_Stale.OR(JRU_Pos.Position_Frozen; JRU_Time.Bus_Silent)
    OIM JRU_Stream.Bus_Silent.JRU_Time.Bus_Silent
  END FUNCTION

  // Recorder: silent on a silent stream or on power loss; stale data
  // passes through.
  FUNCTION JRU_Recorder
    INPUT REC_Stream
    INPUT REC_Pwr
    OUTPUT REC_Log
    OIM REC_Log.Bus_Silent.OR(REC_Stream.Bus_Silent; REC_Pwr.Power_Lost)
    OIM REC_Log.Data_Stale.REC_Stream.Data_Stale
  END FUNCTION

  // ======================================================
  // Train interface and brake loop
  // ======================================================

  // TIU: silent on a silent status input or a silent clock; stale
  // status passes through.
  FUNCTION TIU
    INPUT TIU_Status
    INPUT TIU_Clk
    OUTPUT TIU_Out
    OIM TIU_Out.Bus_Silent.OR(TIU_Status.Bus_Silent; TIU_Clk.Bus_Silent)
    OIM TIU_Out.Data_Stale.TIU_Status.Data_Stale
  END FUNCTION

  // Emergency brake loop: the command is missing if the voter output is
  // missing or the voter reports channel disagreement. Loss of loop
  // power maps to Bus_Silent, not EMB_Cmd_Missing, so it does not feed
  // the TLE; this matches the de-energise-to-brake principle stated in
  // the header.
  FUNCTION BrakeLoop_EmergencyBrake
    INPUT BL_EMB_In
    INPUT BL_Pwr
    OUTPUT EMB_Loop_Out
    OIM EMB_Loop_Out.EMB_Cmd_Missing.OR(BL_EMB_In.EMB_Cmd_Missing; BL_EMB_In.Channel_Disagreement)
    OIM EMB_Loop_Out.Bus_Silent.BL_Pwr.Power_Lost
  END FUNCTION

  // Traction cut-off: missing only if the voter command is missing AND
  // the TIU data is stale.
  FUNCTION TractionCutoff_Interface
    INPUT TC_In
    INPUT TC_TIU
    OUTPUT TC_Out
    OIM TC_Out.EMB_Cmd_Missing.AND(TC_In.EMB_Cmd_Missing; TC_TIU.Data_Stale)
    OIM TC_Out.Bus_Silent.TC_TIU.Bus_Silent
  END FUNCTION

  // Pantograph interface: Pan_Out has no INT consumer in this file.
  FUNCTION PantographInterface
    INPUT Pan_Status
    OUTPUT Pan_Out
    OIM Pan_Out.Power_Lost.Pan_Status.Power_Lost
  END FUNCTION

  // Direction controller: Dir_Out has no INT consumer in this file.
  FUNCTION DirectionController
    INPUT Dir_TIU
    INPUT Dir_MA
    OUTPUT Dir_Out
    OIM Dir_Out.Data_Stale.OR(Dir_TIU.Data_Stale; Dir_MA.MA_Stale)
  END FUNCTION

  // ======================================================
  // Signal flow (INT - 7 segments each)
  // ======================================================

  // Power supply
  INT ifPwrA.ETCS_OBU.IN.Pwr_Train_A.PowerSupply_Train_A.IN.PwrIn_A
  INT ifPwrB.ETCS_OBU.IN.Pwr_Train_B.PowerSupply_Train_B.IN.PwrIn_B
  INT ifPwrA_UPS.PowerSupply_Train_A.OUT.PwrOut_A.UPS_Battery.IN.PwrA_UPS
  INT ifPwrB_UPS.PowerSupply_Train_B.OUT.PwrOut_B.UPS_Battery.IN.PwrB_UPS
  INT ifUPS_SCP.UPS_Battery.OUT.PwrOut_UPS.SafeComputingPlatform.IN.PwrIn_SCP
  INT ifUPS_BTM.UPS_Battery.OUT.PwrOut_UPS.BTM.IN.BTM_Pwr
  INT ifUPS_GSMA.UPS_Battery.OUT.PwrOut_UPS.GSM_R_Modem_A.IN.GSM_A_Pwr
  INT ifUPS_GSMB.UPS_Battery.OUT.PwrOut_UPS.GSM_R_Modem_B.IN.GSM_B_Pwr
  INT ifUPS_FRMCS.UPS_Battery.OUT.PwrOut_UPS.FRMCS_Modem_Future.IN.FRMCS_Pwr
  INT ifUPS_ChA.UPS_Battery.OUT.PwrOut_UPS.EVC_ChannelA.IN.CA_Pwr
  INT ifUPS_ChB.UPS_Battery.OUT.PwrOut_UPS.EVC_ChannelB.IN.CB_Pwr
  INT ifUPS_BL.UPS_Battery.OUT.PwrOut_UPS.BrakeLoop_EmergencyBrake.IN.BL_Pwr
  INT ifUPS_REC.UPS_Battery.OUT.PwrOut_UPS.JRU_Recorder.IN.REC_Pwr

  // Clocks
  INT ifClk_Dec.SafeComputingPlatform.OUT.PlatformClock.TelegramDecoder.IN.DecClk
  INT ifClk_ChA.SafeComputingPlatform.OUT.PlatformClock.EVC_ChannelA.IN.CA_Clk
  INT ifClk_ChB.SafeComputingPlatform.OUT.PlatformClock.EVC_ChannelB.IN.CB_Clk
  INT ifClk_WD.SafeComputingPlatform.OUT.PlatformClock.EVC_WatchDog.IN.WD_Clk
  INT ifClk_ER.SafeComputingPlatform.OUT.PlatformClock.EuroRadio_Stack.IN.ER_Clk
  INT ifClk_CM.SafeComputingPlatform.OUT.PlatformClock.CryptoModule.IN.CM_Clk
  INT ifClk_TIU.SafeComputingPlatform.OUT.PlatformClock.TIU.IN.TIU_Clk

  // Balise chain
  INT ifBalise_RF.ETCS_OBU.IN.Balise_RF_Signal.EurobaliseAntenna.IN.RF_In
  INT ifAnt_BTM.EurobaliseAntenna.OUT.AntennaOut.BTM.IN.BTM_In
  INT ifBTM_Dec.BTM.OUT.BTM_Out.TelegramDecoder.IN.DecIn
  INT ifDec_BPE.TelegramDecoder.OUT.DecodedTelegram.BalisePositionEstimator.IN.BPE_Telegram

  // Odometry
  INT ifAxle1.ETCS_OBU.IN.Axle_Pulse_1.Axle_Tachometer_1.IN.Pulse_1
  INT ifAxle2.ETCS_OBU.IN.Axle_Pulse_2.Axle_Tachometer_2.IN.Pulse_2
  INT ifRadar.ETCS_OBU.IN.Radar_Echo.DopplerRadar_Odometry.IN.Echo_In
  INT ifAccel.ETCS_OBU.IN.Accel_Raw.AccelerometerINS.IN.AccIn
  INT ifTach1_OF.Axle_Tachometer_1.OUT.Speed_1.OdometryFusion.IN.OF_Tach1
  INT ifTach2_OF.Axle_Tachometer_2.OUT.Speed_2.OdometryFusion.IN.OF_Tach2
  INT ifRadar_OF.DopplerRadar_Odometry.OUT.Speed_Radar.OdometryFusion.IN.OF_Radar
  INT ifINS_OF.AccelerometerINS.OUT.Speed_INS.OdometryFusion.IN.OF_INS
  INT ifOF_BPE.OdometryFusion.OUT.FusedPosition.BalisePositionEstimator.IN.BPE_OdoFeedback

  // Communication
  INT ifGSMA_In.ETCS_OBU.IN.GSM_R_Signal_A.GSM_R_Modem_A.IN.GSM_A_In
  INT ifGSMB_In.ETCS_OBU.IN.GSM_R_Signal_B.GSM_R_Modem_B.IN.GSM_B_In
  INT ifFRMCS_In.ETCS_OBU.IN.FRMCS_Signal.FRMCS_Modem_Future.IN.FRMCS_In
  INT ifGSMA_ER.GSM_R_Modem_A.OUT.GSM_A_Out.EuroRadio_Stack.IN.ER_GSM_A
  INT ifGSMB_ER.GSM_R_Modem_B.OUT.GSM_B_Out.EuroRadio_Stack.IN.ER_GSM_B
  INT ifFRMCS_ER.FRMCS_Modem_Future.OUT.FRMCS_Out.EuroRadio_Stack.IN.ER_FRMCS
  INT ifER_CM.EuroRadio_Stack.OUT.ER_MAPayload.CryptoModule.IN.CM_Payload

  // EVC inputs (both channels are fed from the same upstream outputs)
  INT ifPos_ChA.BalisePositionEstimator.OUT.PositionFix.EVC_ChannelA.IN.CA_Position
  INT ifPos_ChB.BalisePositionEstimator.OUT.PositionFix.EVC_ChannelB.IN.CB_Position
  INT ifSpd_ChA.OdometryFusion.OUT.FusedSpeed.EVC_ChannelA.IN.CA_Speed
  INT ifSpd_ChB.OdometryFusion.OUT.FusedSpeed.EVC_ChannelB.IN.CB_Speed
  INT ifMA_ChA.CryptoModule.OUT.CM_VerifiedMA.EVC_ChannelA.IN.CA_MA
  INT ifMA_ChB.CryptoModule.OUT.CM_VerifiedMA.EVC_ChannelB.IN.CB_MA

  // EVC voter / watchdog
  INT ifChA_WD.EVC_ChannelA.OUT.CA_EMB_Cmd.EVC_WatchDog.IN.WD_ChA
  INT ifChB_WD.EVC_ChannelB.OUT.CB_EMB_Cmd.EVC_WatchDog.IN.WD_ChB
  INT ifChA_VEMB.EVC_ChannelA.OUT.CA_EMB_Cmd.EVC_Voter.IN.V_ChA_EMB
  INT ifChB_VEMB.EVC_ChannelB.OUT.CB_EMB_Cmd.EVC_Voter.IN.V_ChB_EMB
  INT ifChA_VSB.EVC_ChannelA.OUT.CA_SB_Cmd.EVC_Voter.IN.V_ChA_SB
  INT ifChB_VSB.EVC_ChannelB.OUT.CB_SB_Cmd.EVC_Voter.IN.V_ChB_SB
  INT ifChA_VTC.EVC_ChannelA.OUT.CA_TC_Cmd.EVC_Voter.IN.V_ChA_TC
  INT ifChB_VTC.EVC_ChannelB.OUT.CB_TC_Cmd.EVC_Voter.IN.V_ChB_TC
  INT ifWD_V.EVC_WatchDog.OUT.WD_Status.EVC_Voter.IN.V_WD

  // Brake loop and train interface
  INT ifV_BL.EVC_Voter.OUT.V_EMB_Out.BrakeLoop_EmergencyBrake.IN.BL_EMB_In
  INT ifTIU_In.ETCS_OBU.IN.Train_Status_FromTIU.TIU.IN.TIU_Status
  INT ifV_TC.EVC_Voter.OUT.V_TC_Out.TractionCutoff_Interface.IN.TC_In
  INT ifTIU_TC.TIU.OUT.TIU_Out.TractionCutoff_Interface.IN.TC_TIU
  INT ifTIU_Pan.TIU.OUT.TIU_Out.PantographInterface.IN.Pan_Status
  INT ifTIU_Dir.TIU.OUT.TIU_Out.DirectionController.IN.Dir_TIU
  INT ifMA_Dir.CryptoModule.OUT.CM_VerifiedMA.DirectionController.IN.Dir_MA

  // DMI / JRU
  INT ifDMI_P_In.BalisePositionEstimator.OUT.PositionFix.DMI_Primary.IN.DMI_P_In
  INT ifDMI_P_Drv.ETCS_OBU.IN.Driver_Input_Primary.DMI_Primary.IN.DMI_P_Driver
  INT ifDMI_S_In.BalisePositionEstimator.OUT.PositionFix.DMI_Secondary.IN.DMI_S_In
  INT ifDMI_S_Drv.ETCS_OBU.IN.Driver_Input_Secondary.DMI_Secondary.IN.DMI_S_Driver
  INT ifJRU_EMB.EVC_Voter.OUT.V_EMB_Out.JRU.IN.JRU_EMB
  INT ifJRU_Pos.BalisePositionEstimator.OUT.PositionFix.JRU.IN.JRU_Pos
  INT ifJRU_Time.ETCS_OBU.IN.TimeSource_GPS.JRU.IN.JRU_Time
  INT ifJRU_Rec.JRU.OUT.JRU_Stream.JRU_Recorder.IN.REC_Stream

  // Top-level OUTPUT routing
  INT ifOut_EMB.BrakeLoop_EmergencyBrake.OUT.EMB_Loop_Out.ETCS_OBU.OUT.EmergencyBrake_Cmd
  INT ifOut_SB.EVC_Voter.OUT.V_SB_Out.ETCS_OBU.OUT.ServiceBrake_Cmd
  INT ifOut_TC.TractionCutoff_Interface.OUT.TC_Out.ETCS_OBU.OUT.TractionCutoff_Cmd
  INT ifOut_DMI_P.DMI_Primary.OUT.DMI_P_Out.ETCS_OBU.OUT.DMI_Display_Primary
  INT ifOut_DMI_S.DMI_Secondary.OUT.DMI_S_Out.ETCS_OBU.OUT.DMI_Display_Secondary
  INT ifOut_JRU.JRU_Recorder.OUT.REC_Log.ETCS_OBU.OUT.JRU_Log
  INT ifOut_UpA.GSM_R_Modem_A.OUT.GSM_A_Uplink.ETCS_OBU.OUT.GSM_R_Uplink_A
  INT ifOut_UpB.GSM_R_Modem_B.OUT.GSM_B_Uplink.ETCS_OBU.OUT.GSM_R_Uplink_B

  // ======================================================
  // Top Level Event
  // ======================================================
  // The TLE is the EMB_Cmd_Missing fault mode on the top-level
  // EmergencyBrake_Cmd output.
  TLE EmergencyBrakeNotApplied.EmergencyBrake_Cmd.EMB_Cmd_Missing
END FUNCTION

// ============================================================
// Failure rates
//   ISF: normal distribution mu=1e-6,   sigma=2.5e-7,   clamp [3e-7, 2e-6]
//   SF:  normal distribution mu=2.5e-7, sigma=1.375e-7, clamp [5e-8, 5e-7]
//   TF:  normal distribution mu=5e-8,   sigma=1.5e-8,   clamp [1e-8, 1e-7]
// ============================================================
// NOTE(review): Telegram_Spoofed receives rates drawn from the same
// distributions as the random-failure modes. Spoofing is an intentional
// act, so a random-failure rate may not represent it; confirm how the
// safety case treats this fault mode.

// --- ISF (external inputs of the top function ETCS_OBU) ---
ISF ETCS_OBU.Balise_RF_Signal.Telegram_Corrupted 1.1438e-06
ISF ETCS_OBU.Balise_RF_Signal.Telegram_Missed 8.9217e-07
ISF ETCS_OBU.Balise_RF_Signal.Telegram_Spoofed 4.1215e-07
ISF ETCS_OBU.GSM_R_Signal_A.Bus_Silent 1.0872e-06
ISF ETCS_OBU.GSM_R_Signal_A.Data_Stale 7.3128e-07
ISF ETCS_OBU.GSM_R_Signal_B.Bus_Silent 1.2349e-06
ISF ETCS_OBU.GSM_R_Signal_B.Data_Stale 9.4672e-07
ISF ETCS_OBU.FRMCS_Signal.Bus_Silent 1.4612e-06
ISF ETCS_OBU.FRMCS_Signal.Data_Stale 1.0531e-06
ISF ETCS_OBU.Axle_Pulse_1.Bus_Silent 8.6109e-07
ISF ETCS_OBU.Axle_Pulse_1.Data_Stale 1.1789e-06
ISF ETCS_OBU.Axle_Pulse_2.Bus_Silent 9.2743e-07
ISF ETCS_OBU.Axle_Pulse_2.Data_Stale 1.0488e-06
ISF ETCS_OBU.Radar_Echo.Bus_Silent 1.3254e-06
ISF ETCS_OBU.Radar_Echo.Data_Stale 6.9815e-07
ISF ETCS_OBU.Accel_Raw.Bus_Silent 1.1963e-06
ISF ETCS_OBU.Accel_Raw.Data_Stale 8.2441e-07
ISF ETCS_OBU.Driver_Input_Primary.Bus_Silent 7.5823e-07
ISF ETCS_OBU.Driver_Input_Secondary.Bus_Silent 1.0142e-06
ISF ETCS_OBU.Train_Status_FromTIU.Bus_Silent 1.2817e-06
ISF ETCS_OBU.Train_Status_FromTIU.Data_Stale 9.6238e-07
ISF ETCS_OBU.Pwr_Train_A.Power_Lost 1.3581e-06
ISF ETCS_OBU.Pwr_Train_B.Power_Lost 1.1274e-06
ISF ETCS_OBU.TimeSource_GPS.Bus_Silent 8.8466e-07

// --- SF (systemic failure rates of the sub-functions) ---
SF PowerSupply_Train_A.PwrOut_A.Power_Lost 2.8113e-07
SF PowerSupply_Train_B.PwrOut_B.Power_Lost 3.1542e-07
SF UPS_Battery.PwrOut_UPS.Power_Lost 1.8427e-07
SF SafeComputingPlatform.PlatformClock.Bus_Silent 2.4056e-07
SF SafeComputingPlatform.PlatformHealth.Bus_Silent 2.1894e-07
SF EurobaliseAntenna.AntennaOut.Telegram_Corrupted 3.3712e-07
SF EurobaliseAntenna.AntennaOut.Telegram_Missed 2.6481e-07
SF EurobaliseAntenna.AntennaOut.Telegram_Spoofed 1.4928e-07
SF BTM.BTM_Out.Telegram_Corrupted 2.9365e-07
SF BTM.BTM_Out.Telegram_Missed 2.1173e-07
SF BTM.BTM_Out.Telegram_Spoofed 1.6247e-07
SF TelegramDecoder.DecodedTelegram.Telegram_Corrupted 2.5628e-07
SF TelegramDecoder.DecodedTelegram.Telegram_Missed 2.0311e-07
SF TelegramDecoder.DecodedTelegram.Telegram_Spoofed 1.1864e-07
SF BalisePositionEstimator.PositionFix.Position_Error 3.2891e-07
SF BalisePositionEstimator.PositionFix.Position_Frozen 2.4573e-07
SF BalisePositionEstimator.PositionFix.Position_Drift 3.0146e-07
SF Axle_Tachometer_1.Speed_1.Speed_Underestimate 2.7459e-07
SF Axle_Tachometer_1.Speed_1.Speed_Overestimate 2.3612e-07
SF Axle_Tachometer_2.Speed_2.Speed_Underestimate 2.8908e-07
SF Axle_Tachometer_2.Speed_2.Speed_Overestimate 2.2157e-07
SF DopplerRadar_Odometry.Speed_Radar.Speed_Underestimate 3.1126e-07
SF DopplerRadar_Odometry.Speed_Radar.Speed_Overestimate 2.4893e-07
SF AccelerometerINS.Speed_INS.Speed_Underestimate 2.6348e-07
SF AccelerometerINS.Speed_INS.Speed_Overestimate 2.1817e-07
SF OdometryFusion.FusedSpeed.Speed_Underestimate 3.4522e-07
SF OdometryFusion.FusedSpeed.Speed_Overestimate 2.8641e-07
SF OdometryFusion.FusedPosition.Position_Drift 2.5738e-07
SF OdometryFusion.FusedPosition.Position_Frozen 2.2164e-07
SF GSM_R_Modem_A.GSM_A_Out.Channel_Silent 3.0587e-07
SF GSM_R_Modem_A.GSM_A_Out.MA_Stale 2.4812e-07
SF GSM_R_Modem_A.GSM_A_Uplink.Channel_Silent 2.7315e-07
SF GSM_R_Modem_B.GSM_B_Out.Channel_Silent 3.2144e-07
SF GSM_R_Modem_B.GSM_B_Out.MA_Stale 2.3527e-07
SF GSM_R_Modem_B.GSM_B_Uplink.Channel_Silent 2.8036e-07
SF FRMCS_Modem_Future.FRMCS_Out.Channel_Silent 3.5418e-07
SF FRMCS_Modem_Future.FRMCS_Out.MA_Stale 2.6149e-07
SF EuroRadio_Stack.ER_MAPayload.MA_Missing 3.8211e-07
SF EuroRadio_Stack.ER_MAPayload.MA_Stale 2.9345e-07
SF EuroRadio_Stack.ER_MAPayload.MA_TooPermissive 2.0128e-07
SF CryptoModule.CM_VerifiedMA.Crypto_MAC_Invalid 2.4687e-07
SF CryptoModule.CM_VerifiedMA.MA_Missing 3.1523e-07
SF CryptoModule.CM_VerifiedMA.MA_TooPermissive 1.8264e-07
SF EVC_ChannelA.CA_EMB_Cmd.EMB_Cmd_Missing 3.6412e-07
SF EVC_ChannelA.CA_EMB_Cmd.Channel_Silent 2.7184e-07
SF EVC_ChannelA.CA_SB_Cmd.ServiceBrake_Missing 2.9137e-07
SF EVC_ChannelA.CA_TC_Cmd.EMB_Cmd_Missing 2.5648e-07
SF EVC_ChannelB.CB_EMB_Cmd.EMB_Cmd_Missing 3.3871e-07
SF EVC_ChannelB.CB_EMB_Cmd.Channel_Silent 2.5229e-07
SF EVC_ChannelB.CB_SB_Cmd.ServiceBrake_Missing 2.7812e-07
SF EVC_ChannelB.CB_TC_Cmd.EMB_Cmd_Missing 2.4336e-07
SF EVC_WatchDog.WD_Status.Channel_Silent 2.1148e-07
SF EVC_WatchDog.WD_Status.Channel_Disagreement 2.8562e-07
SF EVC_Voter.V_EMB_Out.EMB_Cmd_Missing 2.6945e-07
SF EVC_Voter.V_EMB_Out.Channel_Disagreement 2.0218e-07
SF EVC_Voter.V_SB_Out.ServiceBrake_Missing 2.3418e-07
SF EVC_Voter.V_TC_Out.EMB_Cmd_Missing 2.1837e-07
SF DMI_Primary.DMI_P_Out.Bus_Silent 2.4126e-07
SF DMI_Primary.DMI_P_Out.Data_Stale 1.8713e-07
SF DMI_Secondary.DMI_S_Out.Bus_Silent 2.5831e-07
SF DMI_Secondary.DMI_S_Out.Data_Stale 1.9648e-07
SF JRU.JRU_Stream.Data_Stale 2.2175e-07
SF JRU.JRU_Stream.Bus_Silent 1.7352e-07
SF JRU_Recorder.REC_Log.Bus_Silent 2.0318e-07
SF JRU_Recorder.REC_Log.Data_Stale 1.6248e-07
SF TIU.TIU_Out.Bus_Silent 2.7514e-07
SF TIU.TIU_Out.Data_Stale 2.2823e-07
SF BrakeLoop_EmergencyBrake.EMB_Loop_Out.EMB_Cmd_Missing 3.2617e-07
SF BrakeLoop_EmergencyBrake.EMB_Loop_Out.Bus_Silent 1.9412e-07
SF TractionCutoff_Interface.TC_Out.EMB_Cmd_Missing 2.4867e-07
SF TractionCutoff_Interface.TC_Out.Bus_Silent 1.7926e-07
SF PantographInterface.Pan_Out.Power_Lost 2.3145e-07
SF DirectionController.Dir_Out.Data_Stale 2.1518e-07

// --- TF (transfer failure rates of the interfaces) ---
TF ifPwrA.Power_Lost 4.8213e-08
TF ifPwrB.Power_Lost 5.3142e-08
TF ifPwrA_UPS.Power_Lost 4.1287e-08
TF ifPwrB_UPS.Power_Lost 5.7361e-08
TF ifUPS_SCP.Power_Lost 4.4815e-08
TF ifUPS_BTM.Power_Lost 5.2497e-08
TF ifUPS_GSMA.Power_Lost 4.8936e-08
TF ifUPS_GSMB.Power_Lost 5.5128e-08
TF ifUPS_FRMCS.Power_Lost 4.3712e-08
TF ifUPS_ChA.Power_Lost 5.6428e-08
TF ifUPS_ChB.Power_Lost 4.7315e-08
TF ifUPS_BL.Power_Lost 5.1623e-08
TF ifUPS_REC.Power_Lost 4.2861e-08
TF ifClk_Dec.Bus_Silent 4.9528e-08
TF ifClk_ChA.Bus_Silent 5.3874e-08
TF ifClk_ChB.Bus_Silent 4.6192e-08
TF ifClk_WD.Bus_Silent 5.2817e-08
TF ifClk_ER.Bus_Silent 4.4365e-08
TF ifClk_CM.Bus_Silent 5.1238e-08
TF ifClk_TIU.Bus_Silent 4.7614e-08
TF ifBalise_RF.Telegram_Corrupted 5.8126e-08
TF ifBalise_RF.Telegram_Missed 4.5817e-08
TF ifBalise_RF.Telegram_Spoofed 3.2418e-08
TF ifAnt_BTM.Telegram_Corrupted 4.8635e-08
TF ifAnt_BTM.Telegram_Missed 4.2157e-08
TF ifAnt_BTM.Telegram_Spoofed 2.9846e-08
TF ifBTM_Dec.Telegram_Corrupted 4.4728e-08
TF ifBTM_Dec.Telegram_Missed 3.8512e-08
TF ifBTM_Dec.Telegram_Spoofed 2.7418e-08
TF ifDec_BPE.Telegram_Corrupted 5.1326e-08
TF ifDec_BPE.Telegram_Missed 4.3178e-08
TF ifDec_BPE.Telegram_Spoofed 3.1564e-08
TF ifAxle1.Bus_Silent 5.3418e-08
TF ifAxle1.Data_Stale 4.6128e-08
TF ifAxle2.Bus_Silent 5.1827e-08
TF ifAxle2.Data_Stale 4.4263e-08
TF ifRadar.Bus_Silent 5.5712e-08
TF ifRadar.Data_Stale 4.8136e-08
TF ifAccel.Bus_Silent 5.2348e-08
TF ifAccel.Data_Stale 4.5819e-08
TF ifTach1_OF.Speed_Underestimate 4.7213e-08
TF ifTach1_OF.Speed_Overestimate 4.1527e-08
TF ifTach2_OF.Speed_Underestimate 4.8345e-08
TF ifTach2_OF.Speed_Overestimate 4.2618e-08
TF ifRadar_OF.Speed_Underestimate 5.0124e-08
TF ifRadar_OF.Speed_Overestimate 4.4716e-08
TF ifINS_OF.Speed_Underestimate 4.6928e-08
TF ifINS_OF.Speed_Overestimate 4.0215e-08
TF ifOF_BPE.Position_Drift 4.9127e-08
TF ifOF_BPE.Position_Frozen 4.3458e-08
TF ifGSMA_In.Bus_Silent 5.4316e-08
TF ifGSMA_In.Data_Stale 4.6827e-08
TF ifGSMB_In.Bus_Silent 5.2148e-08
TF ifGSMB_In.Data_Stale 4.5238e-08
TF ifFRMCS_In.Bus_Silent 5.6812e-08
TF ifFRMCS_In.Data_Stale 4.9318e-08
TF ifGSMA_ER.Channel_Silent 4.7926e-08
TF ifGSMA_ER.MA_Stale 4.2138e-08
TF ifGSMB_ER.Channel_Silent 4.8617e-08
TF ifGSMB_ER.MA_Stale 4.3528e-08
TF ifFRMCS_ER.Channel_Silent 5.0413e-08
TF ifFRMCS_ER.MA_Stale 4.4716e-08
TF ifER_CM.MA_Missing 4.6128e-08
TF ifER_CM.MA_Stale 4.1238e-08
TF ifER_CM.MA_TooPermissive 3.8127e-08
TF ifPos_ChA.Position_Error 4.8619e-08
TF ifPos_ChA.Position_Frozen 4.3128e-08
TF ifPos_ChA.Position_Drift 4.6215e-08
TF ifPos_ChB.Position_Error 4.9318e-08
TF ifPos_ChB.Position_Frozen 4.4527e-08
TF ifPos_ChB.Position_Drift 4.7138e-08
TF ifSpd_ChA.Speed_Underestimate 4.5827e-08
TF ifSpd_ChA.Speed_Overestimate 4.1218e-08
TF ifSpd_ChB.Speed_Underestimate 4.6315e-08
TF ifSpd_ChB.Speed_Overestimate 4.2628e-08
TF ifMA_ChA.Crypto_MAC_Invalid 3.9127e-08
TF ifMA_ChA.MA_Missing 4.4316e-08
TF ifMA_ChA.MA_TooPermissive 3.6218e-08
TF ifMA_ChB.Crypto_MAC_Invalid 4.0238e-08
TF ifMA_ChB.MA_Missing 4.5128e-08
TF ifMA_ChB.MA_TooPermissive 3.7315e-08
TF ifChA_WD.EMB_Cmd_Missing 4.3618e-08
TF ifChA_WD.Channel_Silent 4.1238e-08
TF ifChB_WD.EMB_Cmd_Missing 4.4827e-08
TF ifChB_WD.Channel_Silent 4.2316e-08
TF ifChA_VEMB.EMB_Cmd_Missing 4.7128e-08
TF ifChA_VEMB.Channel_Silent 4.3918e-08
TF ifChB_VEMB.EMB_Cmd_Missing 4.8216e-08
TF ifChB_VEMB.Channel_Silent 4.4728e-08
TF ifChA_VSB.ServiceBrake_Missing 4.2317e-08
TF ifChB_VSB.ServiceBrake_Missing 4.3528e-08
TF ifChA_VTC.EMB_Cmd_Missing 4.1627e-08
TF ifChB_VTC.EMB_Cmd_Missing 4.2815e-08
TF ifWD_V.Channel_Silent 4.0318e-08
TF ifWD_V.Channel_Disagreement 4.3126e-08
TF ifV_BL.EMB_Cmd_Missing 4.9617e-08
TF ifV_BL.Channel_Disagreement 4.5128e-08
TF ifTIU_In.Bus_Silent 5.1328e-08
TF ifTIU_In.Data_Stale 4.6715e-08
TF ifV_TC.EMB_Cmd_Missing 4.7213e-08
TF ifTIU_TC.Bus_Silent 4.4816e-08
TF ifTIU_TC.Data_Stale 4.1328e-08
TF ifTIU_Pan.Power_Lost 4.3628e-08
TF ifTIU_Dir.Data_Stale 4.5127e-08
TF ifMA_Dir.MA_Stale 4.0836e-08
TF ifDMI_P_In.Position_Error 4.8216e-08
TF ifDMI_P_In.Position_Frozen 4.3917e-08
TF ifDMI_P_In.Position_Drift 4.6328e-08
TF ifDMI_P_Drv.Bus_Silent 4.2517e-08
TF ifDMI_S_In.Position_Error 4.9127e-08
TF ifDMI_S_In.Position_Frozen 4.4817e-08
TF ifDMI_S_In.Position_Drift 4.7238e-08
TF ifDMI_S_Drv.Bus_Silent 4.3628e-08
TF ifJRU_EMB.EMB_Cmd_Missing 4.6317e-08
TF ifJRU_EMB.Channel_Disagreement 4.2817e-08
TF ifJRU_Pos.Position_Error 4.5128e-08
TF ifJRU_Pos.Position_Frozen 4.1627e-08
TF ifJRU_Pos.Position_Drift 4.3815e-08
TF ifJRU_Time.Bus_Silent 4.0218e-08
TF ifJRU_Rec.Data_Stale 4.2716e-08
TF ifJRU_Rec.Bus_Silent 4.0317e-08
TF ifOut_EMB.EMB_Cmd_Missing 5.2817e-08
TF ifOut_EMB.Bus_Silent 4.8126e-08
TF ifOut_SB.ServiceBrake_Missing 4.5218e-08
TF ifOut_TC.EMB_Cmd_Missing 4.3618e-08
TF ifOut_TC.Bus_Silent 4.0817e-08
TF ifOut_DMI_P.Bus_Silent 4.1528e-08
TF ifOut_DMI_P.Data_Stale 3.8213e-08
TF ifOut_DMI_S.Bus_Silent 4.2716e-08
TF ifOut_DMI_S.Data_Stale 3.9128e-08
TF ifOut_JRU.Bus_Silent 4.0318e-08
TF ifOut_JRU.Data_Stale 3.7816e-08
TF ifOut_UpA.Channel_Silent 4.3128e-08
TF ifOut_UpB.Channel_Silent 4.4217e-08