CENELEC EN 50159: Safety communications in railway systems

The CENELEC EN 50159 standard is used in electronic systems that have secure communications with other systems and in which SIL level will be applied. Therefore, CENELEC EN 50159 standard is highly related to EN 50126, EN 50128 and EN 50129 standards.

The standard is divided into closed systems (EN 50159-1) and open systems (EN 50159-2). Typically in railway applications, we will work in closed systems. They are characterised by authorised access only, all participants in the communication system are known and the transmission medium is defined at the design stage and will not be changed during the entire life cycle.

CENELEC EN 50159 Standard identifies the following defects as being at risk: (a) receiving incorrect information, i.e. receiving incorrectly the identity of the issuer, the type of information being received or, of course, the value of the information; (b) errors associated with the time variable, i.e. receiving data sequenced differently from the issuer or data delayed for too long. Due to real-time characteristics of the application, this information received will be no longer valid.

Moreover, it identifies 6 central protection measures to be included in the communications system:

CENELEC EN 50159 standard defines general requirements for secure communications between security systems. Compliance with these requirements, together with compliance with EN 50126, EN 50128 and EN 50129 standards, will ensure that a safe system with a defined safety integrity level is available:

• Source identification to know the source of the sender of a given message is imperative. When we have two teams in a communications network, we know for sure that a message can only come from the other team. However, in systems with more than one message sender, a source identifier must be added to the message to authenticate who has sent the message.
• The receiver must be able to verify that the data received is the same as the one sent by the sender. Therefore, we refer to the verification of the integrity of the data received. In this sense, a supplementary security code must be added to the application or user data. In addition, it is imperative that analysis of the safety code will be carried out by secure systems (not application because there is no certainty, they are secure) for assuring the integrity of application data on the receiver side.
• A "timestamp" must be included in each message, in the form of the sequential number of the message sent or including the date the message was sent. This will allow the receiver to know if all the messages are being received correctly and in an acceptable time or belatedly according to the needs of the system or the application that we must carry out.
• In the event that the same mean is used to transmit secure and non-secure data, or in other words, in the event that secure and non-secure transmission systems coexist on the same channel, then messages with security requirements and those that do not, shall have a sufficiently different structure so that a non-secure message will be never transformed into a message that could be confused with a security message.

Compliance with these requirements must be covered by a safety system or sub-system because they are considered safety requirements. In addition, the border between the safe and unsafe part must be perfectly defined, ensuring the influence of unsafe parts on safety functions.

On the other hand, in parallel with all these requirements, it will be of great importance to define associated degraded modes. In other words, when the reception of data in the communication network fails to meet established requirements -in a very simplified way: authenticity, integrity and correct time- both communication systems themselves and the application must have strategies to contain both safety and reliability of the service offered by the system.

CENELEC EN 50159 Standard identifies two sources of basic errors: The first source is the one produced by the transmission or reception system that generates or understands incorrectly a message. The second source of error is due to external sources such as electromagnetic interference on the transmission medium. This will cause the value of messages to change due to its impact on such medium.

CENELEC EN 50159 Standard identifies two sources of basic errors: The first source is the one produced by the transmission or reception system that generates or understands incorrectly a message. The second source of error is due to external sources such as electromagnetic interference on the transmission medium. This will cause the value of messages to change due to its impact on such medium.

EN 50159 standard gives a set of design strategies that are described below. They are useful to solve the possible threats that we have seen previously:

• Sequence number. The objective of this design strategy is to add a sequential number to each exchanged message. This number will allow the receiver to verify that the message being received is the expected one, that is, the one that the sender correctly sent.

Sequence number allows protection against threats that are defined in the following standard: repetition, deletion, insertion, and reception problems.

• Dating Closely related to the sequence number, dating serves to mark a temporary validity for a message. Certainly, it is logical to assume that depending on the validity of information is subject to time and that this time also depends largely on the application. In some applications, for instance, we can receive an information from some minutes ago as current. This could be useful and harmless. However, on some occasions, it can generate a situation of risk against safety. Therefore, we must always study time factor in our applications and include dating techniques, having into account which application we must serve.

Dating allows protection against threats that are defined in the following standard: repetition and reception problems.

• Time Limit Exceeded (TLE) Normally, for safety systems, there will always be an acknowledgment to a received message. In this case, the sender can count the time between the moment the message is sent, and the acknowledgment is received, in order to verify that the transmission/ reception process has been correct.

Time limit exceeded (TLE) allows protection against threats that are defined in the following standard: delay.

• Source and destination identifiers. As mentioned above, the objective is to include additional information to know exactly the source and destination of the message.

Source and target identifiers allow protection against threats defined in the following standard: insertion.

• Return message. It allows the destination to confirm to the source that the message has been received correctly. The content of the message may include original data received or even be altered by a function known by both systems; data added by the recipient from information generated from its own process and relevant to the issuer, additional security data.

Feedback message allows protection against threats defined in the following standard: insertion and masking.

• Identification procedure. It is only applicable to open transmissions when such transmissions are being carried out by unknown users, so that a user ID will not be confused by information from a known source.

Identification procedure allows protection against threats defined in the following standard: insertion and masking.

• Safety procedures. Used for the detection and reconstruction of failures at bit or frame level. It is important to ensure that reconstruction is carried out by a secure system, in the case of safety communications.

Safety code allows protection against threats defined in the following standard: corruption.

• Cryptographic techniques. Logically and as it is well known, it is used if a malicious attack on a data transmission network could not be excluded.

Cryptographic techniques allow protection against threats that are defined in the following standard: corruption and masking.

Our company is a specialist in the application of RAMS and ILS (Integrated Logistics Support)  system engineering, covering the complete life cycle, from a RAMS point of view, in products and installations in railway, aerospace, defence and naval industry.