Overall system architecture

In this section we provide a description of the system under study and of its surrounding environment on an "as is" basis. The architecture presented in the following is the one currently deployed in the field by ASTS (e.g., at the Rome train station). The Train Management System (TMS) investigated in this work is part of a larger and more complex set of subsystems needed for train monitoring, which goes under the name of Railway Traffic Control System (RTCS). The RTCS used by ASTS is a hierarchically structured system designed to monitor railway traffic, control railroad signals and track switches in order to regulate train movements and prevent fatal accidents. The overall architecture of the RTCS (Fig. 1) is composed of the following layers:

Sensors/Actuators - Multiple sensors and actuators are deployed on rail tracks, trains, traffic lights and the surrounding environment so that monitoring information can be collected and control signals delivered.

European Rail Traffic Management System (ERTMS) Euroradio - A safety communication protocol used to transfer data between the sensors and the Radio Block Center.

Radio Block Center (RBC) - A component responsible for collecting the signals coming from, or directed to, the field sensors over GSM-R radio transmission (at 900 MHz).

Interlocking (IXL) - A safety-critical system made of multiple signalling apparatus that prevents conflicting train movements by granting a train the authority to proceed only when routes have been set, locked and detected in safe combinations. The IXL is a vital subsystem with hard real-time constraints: a missed deadline of the IXL may cause catastrophic failures. For this reason, ASTS designed the IXL with hardware and software dedicated to hard real-time systems, certified at SIL4.
Train Management System (TMS) - The TMS provides non-vital functions that oversee and automate train movements and support the dispatcher in train traffic control and management over a wide area of the railway network. The TMS communicates with the distributed IXL signalling system to monitor the railway area and send control signals. Data received from the IXL is, e.g., stored in databases or sent to multiple Human Machine Interface (HMI) workstations. The TMS is installed in a central control center where operators take decisions.

The TMS is considered failed either if the monitoring application provides the operator with wrong information that does not reflect the real status of the railway (functional failure), or if the service stops being provided altogether (non-functional failure). The architecture currently adopted by ASTS therefore aims at achieving a high degree of availability through redundancy. However, the use of redundant hardware units alone is not sufficient for SIL2 certification, especially when the system includes COTS components. Unlike the IXL, the TMS provides non-vital functions: a failure of the TMS could lead, as an example, to the planning of colliding routes. In such a case the underlying SIL4 fail-safe IXL would prevent loss of life by avoiding the actual impact, e.g. by stopping the trains. However, stopping the trains results in a degradation of QoS and a reduction of service availability, which turn into a loss of money and reputation for the train company. For this reason, the TMS is classified as a Safety-Related System.

The TMS is based on a client-server architecture. It is a collection of commercial redundant equipment (dual application servers, dual database servers and at least dual workstations) connected to a high-speed LAN. The core of the TMS subsystem is the Application Server, which runs the most important software modules.
The TMS Application Server (for simplicity, from now on simply TMS) is composed of two server machines clustered in an Active/Standby configuration to provide uninterrupted service. To further enhance reliability, redundancy is applied not only in terms of replicated machines but also in terms of subsystem units (e.g. RAM, disks, fans, power supplies) in order to eliminate Single Points of Failure (SPF). Replicated units are identical, that is, ASTS does not adopt a diversity-based fault-tolerance mechanism, which would involve the use of subsystems of different technologies. Each server node has, connected to its motherboard: 2 hot-swap power supplies, 2 hot-swap fans, 2 RAM modules, 1 CPU, 2 HDDs in RAID1 configuration, and 1 Network Interface Card (NIC).
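The node composition above can be read as a reliability block diagram: each pair of identical units forms a 1-out-of-2 parallel block, the single CPU and the single NIC are series blocks (and so remain single points of failure of the individual node, covered only by the Active/Standby pairing), and the two nodes form a further parallel block. The following Python is an added example, not code from the paper or from ASTS; the per-unit availability figures, the failover coverage factor and the beta-factor common-mode model are assumptions introduced here to make the calculation visible and to quantify the remark that identical, non-diverse replicas are weaker than an independence assumption suggests.

```python
"""Reliability-block sketch of the TMS Application Server node described above.

Added example; not code from the paper or from ASTS. The per-unit
availability figures, the coverage factor and the beta values are assumed
placeholders, chosen only to make the structure of the calculation visible.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Unit:
    name: str
    replicas: int        # copies inside one node; 1 means a single point of failure of the node
    availability: float  # steady-state availability of ONE copy (assumed value)


def parallel(a: float, n: int, beta: float = 0.0) -> float:
    """Availability of a 1-out-of-n block of n identical copies.

    beta is a beta-factor approximation of common-mode failures: the fraction
    of a copy's unavailability that takes down every copy at once. Identical
    replicas (the ASTS design uses no diversity) share such failures;
    beta=0 is the usual independence assumption. For n == 1 the result is a.
    """
    u = 1.0 - a
    common = beta * u                      # fails all copies together
    independent = ((1.0 - beta) * u) ** n  # all copies fail independently
    return 1.0 - (common + independent)


def node_availability(units: Iterable[Unit], beta: float = 0.0) -> float:
    """Series composition: the node is up only if every block is up."""
    av = 1.0
    for unit in units:
        av *= parallel(unit.availability, unit.replicas, beta)
    return av


def single_points_of_failure(units: Iterable[Unit]) -> List[str]:
    """Units with no replica inside the node."""
    return [u.name for u in units if u.replicas == 1]


def cluster_availability(a_node: float, coverage: float = 1.0) -> float:
    """Active/Standby pair of identical nodes.

    coverage (assumed) is the probability that a failure of the active node
    is detected and the standby takes over; with coverage=1 this reduces to
    the 1-out-of-2 parallel formula 1 - (1 - a_node)**2.
    """
    return a_node + coverage * (1.0 - a_node) * a_node


def downtime_minutes_per_year(availability: float) -> float:
    return (1.0 - availability) * 365 * 24 * 60


# Node composition taken from the text; availabilities are assumed placeholders.
NODE_UNITS = [
    Unit("power supply", 2, 0.999),
    Unit("fan", 2, 0.999),
    Unit("RAM", 2, 0.9999),
    Unit("CPU", 1, 0.9999),
    Unit("HDD (RAID1)", 2, 0.99),
    Unit("NIC", 1, 0.9995),
]


if __name__ == "__main__":
    a_node = node_availability(NODE_UNITS)
    a_pair = cluster_availability(a_node)
    print(f"node SPFs: {single_points_of_failure(NODE_UNITS)}")
    print(f"single node: A={a_node:.6f} ({downtime_minutes_per_year(a_node):.1f} min/yr)")
    print(f"active/standby: A={a_pair:.8f} ({downtime_minutes_per_year(a_pair):.2f} min/yr)")
    # Same hardware, but 10% of each unit's failures assumed common to both replicas.
    a_cm = node_availability(NODE_UNITS, beta=0.1)
    print(f"single node, beta=0.1: A={a_cm:.6f} ({downtime_minutes_per_year(a_cm):.1f} min/yr)")
```

With the placeholder figures the single node sits near 0.9993 and the Active/Standby pair above 0.999999, but any beta above zero pulls the node back towards the availability of a single copy of its weakest replicated unit: the figure the text calls for (SIL2 with COTS parts) cannot rest on hardware replication alone.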