Division / Business Unit: Safety, Engineering & Technology
Function: Signalling
Document Type: Standard
© Australian Rail Track Corporation Limited (ARTC)
Disclaimer
This document has been prepared by ARTC for internal use and may not be relied on by any other party without ARTC’s prior written consent. Use of this document shall be subject
to the terms of the relevant contract with ARTC.
ARTC and its employees shall have no liability to unauthorised users of the information for any loss, damage, cost or expense incurred or arising by reason of an unauthorised user
using or relying upon the information in this document, whether caused by error, negligence, omission or misrepresentation in this document.
This document is uncontrolled when printed.
Authorised users of this document should visit ARTC’s intranet or extranet (www.artc.com.au) to access the latest version of this document.
CONFIDENTIAL
HIMA Level Crossing Monitoring
Standard
ESD-05-02
Applicability: ARTC Network Wide; SMS
Publication Requirement: Internal / External
Primary Source:
Document Status:
Version #   Date Reviewed   Prepared by   Reviewed by    Endorsed                       Approved
1.0         25 Jan 21       Standards     Stakeholders   Manager Signalling Standards   General Manager Technical Standards, 25/01/2021
Amendment Record
Amendment Version #   Date Reviewed   Clause   Description of Amendment
1.0                   25 Jan 21                First issue of standard.
HIMA Level Crossing Monitoring Standard
ESD-05-02
Table of Contents
This document is uncontrolled when printed. Version Number: 1.0 Date Reviewed: 25 Jan 21 Page 2 of 28
Table of Contents
Table of Contents  2
1 Introduction  4
1.1 Purpose  4
1.2 Scope  4
1.3 Document Owner  4
1.4 Reference Documents  4
1.5 Definitions & Abbreviations  5
2 System Architecture  7
3 Reliability and Maintainability  9
4 Design and data documentation  10
5 Functional Requirements  13
5.1 Environmental  13
5.2 Automatic start and self-checking  13
5.3 Monitoring  13
5.4 Logging  14
5.5 Digital Outputs  15
5.6 Digital Inputs  16
5.7 Analogue Inputs  17
5.8 Internal Variables  17
5.9 Lamps  17
5.10 Boom Barriers  18
5.11 Pedestrian Gates  19
5.12 Power Systems  19
5.13 Start-up  19
5.14 Configuration  19
5.15 Calibration  19
5.16 Control and Interrogation  19
5.17 Replay requirements  20
6 Interface Requirements  21
7 Local Maintenance Panel  23
8 Installation and mounting  24
9 Power Supply Requirements  25
9.1 Surge protection  25
10 Remote Monitoring and Battery Testing  26
10.1 Remote Level Crossing Monitoring Workstation  26
10.2 Remote Maintenance Workstation  26
10.3 Communications  26
10.4 Time Synchronisation  26
10.5 Battery Testing  27
1 Introduction
1.1 Purpose
The purpose of this standard is to specify the minimum requirements for the implementation of the
HIMA HIMatrix control system as a level crossing monitoring device for level crossings fitted with
active protection and warning systems on the ARTC network.
1.2 Scope
Level crossing monitoring systems monitor and record the condition of a level crossing fitted with
visible and audible warnings.
The scope of this standard includes the monitoring system, data logging, remote monitoring and
alarming, battery testing, design, power supply, interface, and functional requirements.
1.3 Document Owner
The General Manager - Technical Standards is the Document Owner. For any query, initial contact is to
be made at [email protected].
1.4 Reference Documents
The following documents support this standard:
[1] ARTC ESD-03-01 – Level Crossing Design
[2] ARTC ESC-03-01 – Level Crossing Equipment
[3] ARTC ESM-03-01 – Level Crossing Maintenance
[4] ARTC ESD-09-01 – Signalling Power System
[5] ARTC EGP-03-01 – Rail Network Configuration Management
[6] ARTC SPS 01 – Standard Requirements for Signalling Electronic Systems
[7] ARTC SPS 02 – Environmental Conditions
[8] ARTC SPS 06 – Connections for Signalling Interface
[9] ARTC SPS 04 – General Requirements for Labelling of Signalling Equipment
[10] AS 7770 – Rail Cyber Security
[11] RISSB CoP – Rail Cyber Security in Train Control Systems
[12] AS 7705 – Level Crossing Monitoring Systems
[13] AS 7718 – Signal Design Process Management
[14] HIMA HIMatrix Checklist for Inputs, v2.00
[15] HIMA HIMatrix Checklist for Outputs, v2.00
[16] HIMA HIMatrix Checklist for Programs, v2.00
[17] HIMA HIMatrix F Safety Manual for Railway Application, HI 800 437 E, Rev. 3.03.00 (1806)
[18] HIMA HIMatrix System Manual – Compact Systems, HI 800 141 E, Rev. 2.02
[19] HIMA HIMatrix F3 AIO 8/4 01 Manual, HI 800 161 E, Rev. 2.00
[20] HIMA HIMatrix F3 DIO 16/8 01 Manual, HI 800 177 E, Rev. 2.00
[21] HIMA HIMatrix F35 03 Manual, HI 800 477 E, Rev. 3.00.00 (1823)
[22] HIMA HIMatrix F Maintenance Manual for Railway Application, HI 800 673 E, Rev. 1.03.00 (1806)
[23] HIMA HIMatrix Safety Manual, HI 800 023 E, Rev. 4.01.01 (1714)
[24] HIMA HIMatrix Safety-Related Application Conditions (SRACs) Addition to the HIMatrix Safety Manual for Railway Applications, HI 800 575 E, Rev. 3.03.00 (1806)
[25] HIMA HIMatrix H7013: Main Filter, HI 800 269 E, Rev. 1908
[26] HIMA SILWorX Communication Manual, HI 801 101 E, Rev. 6.01 (1351)
[27] HIMA SILWorX First Steps Manual, HI 801 103 E, Rev. 6.04 (1549)
[28] HIMA SILWorX Smart Safety Test Manual, HI 801 495 E, Rev. 1.00.00
1.5 Definitions & Abbreviations
For the purposes of this document, the following terms and definitions apply:
Term or acronym Description
AIO Analogue Input Output Module
ALDS Application Logic Design Specification
ARTC Australian Rail Track Corporation
AS Australian Standard
BL Boot Loader
C Celsius
CBI Computer Based Interlocking
CPU Central Processing Unit
CRC Cyclic Redundancy Check
DC Direct Current
DIO Digital Input Output module
HAZOP Hazard and Operability Study
I/O Input / Output
IP Internet Protocol
LED Light Emitting Diode
mA Milliamp
MTBF Mean Time Between Failure
MTTR Mean Time to Repair
NCC Network Control Centre
NSW New South Wales
NTP Network Time Protocol
OS Operating System
OSL Operating System Loader
PB Push Button
PCB Printed Circuit Board
RAMS Reliability Availability Maintainability Safety
RTU Remote Telemetry Unit
SA South Australia
SIL Safety Integrity Level
SNTP Simple Network Time Protocol
TCP Transmission Control Protocol
TCS Train Control Systems
V Voltage
VIC Victoria
VDU Visual Display Unit
VPN Virtual Private Network
2 System Architecture
The figure below shows the HIMA level crossing monitor system architecture.
[Figure 1 (diagram): the ARTC Private WAN (SIG WAN) links the Train Control system (where required) and the 4-site Level Crossing Monitoring Servers, the Level Crossing Workstation, the Train Control VDU (where required) and the Remote Maintenance Workstation to a 3G/4G router at the crossing. Behind the router sits the HIMA CPU & COM with HIMA Remote AIO and Remote DIO units, plus extra digital and analogue I/O if required. Field inputs are DC Hall effect sensors, the flashing lights, voltage transducers and other analogue and digital I/O. A Local Maintenance Panel (LEDs and push buttons) and remote or local web access complete the diagram.]
Figure 1: HIMA level crossing monitor system architecture
a) The ARTC HIMA level crossing monitoring system comprises a HIMA HIMatrix safety controller
Central Processing Unit (CPU) and, depending on the I/O requirements, may also include additional
Remote AIO and/or DIO units to monitor extra analogue and digital I/O.
b) The ARTC HIMA level crossing monitoring system processes the digital and analogue I/O to
generate, record (in a non-volatile event record) and report alarms and events.
c) Alarms and events can, where required, be reported to ARTC's Train Control System1 and are
mandatorily reported to a Central Level Crossing Monitoring Workstation via a 3G or 4G
communications link. Typically this connection uses the Modbus TCP protocol, with the HIMA acting
as the Modbus slave. Other protocols may also be used and/or implemented in the future.
1 This may be either through hard-wired connections to the interlocking device, or directly to the train control system via
the Genisys TCP protocol, where the HIMA device is the Genisys slave unit. The level crossing monitoring system shall
accommodate both options.
d) A 3G/4G network router shall be provided.
e) The event recorder is implemented within the HIMA COM processor as ComUserTask module and is
accessible and configurable by local and remote maintainers via a web interface.
f) The HIMA system can be interrogated locally or remotely via the HIMA SILWorX maintenance tool
via the Remote Maintenance Workstation.
g) A local maintenance panel may be used to show the status of the level crossing monitor and to allow
maintainers to enter maintenance mode (to supress remote alarms) and calibrate the sensors.
3 Reliability and Maintainability
a) All manufacturer’s Safety-related Application Conditions (SRACs) are to be followed.
b) The designed Mean Time Between Failures (MTBF) for the Level Crossing monitor shall be
greater than 50,000 hours.
c) The monitoring system shall detect internal faults that indicate a system fault, including firmware,
memory, data storage; processor faults; clock faults; input and output faults and communication
faults.
d) The monitoring system shall be certified to operate correctly where its operating parameters are
within its specifications.
e) A Failure Modes and Effects Analysis (FMEA) shall be provided.
f) Assurance shall be provided that it is improbable that the level crossing monitor will indicate that
the level crossing is operating correctly after the passage of a train without both the monitor and
the Level Crossing equipment operating correctly.
g) The level crossing monitor shall be designed and tested in such a way as to minimise the risk of
providing incorrect information, and of reducing the integrity of the level crossing.
h) The monitoring system shall be designed and tested to minimise the risk of unauthorised or
unintended manipulation of the system.
i) Maintenance staff shall be able to temporarily disable the status reporting whilst maintenance
and/or testing is carried out.
j) The monitoring system should have a facility to prevent false alarms being raised during
maintenance activities.
k) The designed Mean Time to Repair (MTTR) for the Level Crossing monitor shall be less than or
equal to 1 hour once a maintainer has arrived on site.
4 Design and data documentation
Design of the HIMA level crossing monitoring system shall include monitoring and logging of operation of the level crossing, visual and audible warning, where applicable boom barriers and/or pedestrian gates, primary power supply, battery testing, test switch, train detection system and remote alarming.
a) Design shall minimise the risk of interfering with the systems being monitored.
b) Designers of a HIMA monitoring system should consult ARTC design standards, Level crossing standards and AS 7718 Signal Design Process Management.
c) Application Logic Design Specification (ALDS) should be developed for projects using the HIMA as a level crossing monitoring device.
d) All generated data documentation must contain the CRCs for all used function blocks.
e) A data control sheet shall be provided, and shall contain:
i. The level crossing site location and ID;
ii. The relevant network control centre;
iii. The current revision and date of the application software;
iv. The designer, checker, independent reviewer, and approver details and their signatures approving the data.
v. What design stage the data is approved for. For example:
i. For simulation testing;
ii. For factory acceptance testing; or
iii. For site acceptance testing.
vi. Details of any modification sheets;
vii. Tester sign off for:
i. Factory acceptance testing; and
ii. Site testing;
viii. A completed HIMA HIMatrix Inputs Checklist should be referenced and attached;
ix. A completed HIMA HIMatrix Outputs Checklist should be referenced and attached;
x. A completed HIMA HIMatrix Program Checklist should be referenced and attached;
xi. A HIMA Rail Safety Application Conditions Checklist should be created, referenced and attached, which lists and demonstrates compliance with all safety-related application conditions listed in HIMA document HI 800 575 E.
xii. References to any relevant manuals, which may include those listed below, and any demonstration of compliance with any SRACs not listed in the above checklist:
i. HIMatrix Safety Manual (HI 800 023 E);
ii. SILWorX First Steps Manual (HI 801 103 E);
iii. HIMatrix F35 03 Manual (HI 800 477 E);
iv. HIMatrix F3 DIO 16/8 Manual (HI 800 177 E);
v. HIMatrix F3 AIO 8/4 Manual (HI 800 161 E);
vi. HIMatrix F1 DI 16 01 Manual (HI 800 153);
vii. SILWorX Communication Manual (HI 801 101 E); and
viii. Any other relevant product manuals.
xiii. A list of all references used for the preparation of the data design, including their revisions and dates;
xiv. References to any other relevant design elements, including the circuits.
xv. A reference to the ALDS that was used to produce the data;
xvi. A reference to all relevant tools and their versions, including SILWorX;
xvii. A checklist showing and detailing compliance with all type approval restrictions shall be provided;
xviii. Details of the HIMA application data, including:
i. The Project Configuration CRC;
ii. The Program CRC(s); and
iii. Details of the previous version and a reference to the difference list that was produced.
xix. The CRC and version of the ComUserTask module;
xx. The CRC and version of the ComUserTask user configuration file;
xxi. Details of any HIMA simulation application data;
xxii. The version of firmware used on all HIMA devices2, including:
i. The Boot Loader (BL) version;
ii. The BL CRC;
iii. The Operating System (OS) version;
iv. The OS CRC;
v. The Operating System Loader (OSL) version; and
vi. The OSL CRC.
f) Suitably rated bi-directional transient-voltage-suppression devices are to be used on digital outputs that drive inductive loads, to reduce back EMF.
g) Application-specific logic is not to be contained in function blocks and should instead be accessible in the main program.
h) The program cycle time shall not be higher than 50 ms.
i) Wherever possible, all monitored indications should fail/alarm on a wire break, power supply failure or other circuit failure.
j) Installations with Ethernet or serial connections to other vital systems require compliance with the cyber security standards referenced in section 1.4.
k) If connecting to another vital system, all functions that could impair the safety integrity of the other system must be implemented to the safety integrity requirement of that vital system in accordance with EN 50128. For example, if Frauscher Safe Ethernet is used to obtain track status information from a FAdC, the protocol and any control that could inadvertently send an axle counter reset or other vital command (e.g. vital I/O) must be implemented as required by Frauscher in accordance with EN 50128.
l) Data changes require confirmation of local presence at the level crossing, through the use of the local Maintenance Mode and Data Change push buttons via digital inputs.
2 For HIMA controller units the details of both the CPU and COM firmware must be included.
m) All HIMA unit’s temperature states, power states, and CRCs are to be monitored and recorded in the event log, and continuously reported back to the level crossing monitoring system.
n) All Program CRCs are to be monitored and recorded in the event log, and continuously reported back to the level crossing monitoring system.
o) The ComUserTask User Configuration CRC shall be monitored and recorded in the event log, and continuously reported back to the central level crossing monitoring system.
p) The forcing states of all HIMA CPUs are to be monitored, recorded, reported and alarmed. This includes the Force Switch State, Forcing Active, and Global Forcing Started bits.
q) All HIMA controllers are to be set to Auto Start.
r) Access to the HIMA controllers via SILWorX shall be restricted via PADT User Management, including:
i. The provision of Administration, Engineering, and Maintenance accounts with suitable access levels.
ii. The use of passwords provided and documented in the ALDS.
iii. Passwords must be at least 10 characters in length and must contain numbers, special characters, and capital and lowercase letters.
s) Warning: Care should be taken when setting passwords on HIMA projects with laminated PCBs (which all railway specification HIMA units have), as it may not be possible to reset a unit if the password is lost or insufficient permissions are granted. It is therefore recommended that simulation testing take place on non-laminated HIMA units in the factory, so that they can be reset during the test process if this occurs. If a laminated HIMA unit is disabled in this way, HIMA should be contacted as they may be able to recover the unit.
t) Appropriate firewalling and other cyber security techniques, in accordance with Australian Standard AS 7770 and HIMA's Cybersecurity Manual, are to be implemented, particularly for access to any vital communications and to the controller's PADT (SILWorX) port.
u) The automatic Temperature Monitoring setting for all HIMA units shall be set to "No warning at temperature thresholds" to avoid warning lights showing on the HIMA units. The temperature states of each unit are instead to be monitored and reported by the application logic (see m) above).
v) Each HIMA unit is required to have a unique System ID and Rack ID. These IDs are to be unique across ARTC's network and must be obtained from ARTC, so that ARTC can ensure unique numbers are issued and keep its HIMA ID database up to date.
w) For both local and remote data changes, procedures and processes for programming new and
existing HIMA units, and the protection mechanisms for preventing units from being installed or
configured with the incorrect data shall be in place.
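The CRC, firmware, forcing-state and temperature/power reporting required by clauses m) to p) (and the firmware details in e) xxii) only protect against unauthorised or unintended data changes if something at the central workstation actually compares the reported values against the approved baseline and alarms on any difference. The following is an added example written for this page, not ARTC or HIMA code: it checks one telemetry record from a unit against the values recorded on its data control sheet. The field names, the unit ID "F35-01" and all CRC values are constructed assumptions, and the transport of the telemetry (Modbus TCP or otherwise) is not shown.

```python
"""Added example, not ARTC or HIMA code: check the integrity telemetry a HIMA
unit reports (clauses 4 m) to p)) against the approved data control sheet.
All field names, the unit ID and the CRC values below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Baseline:
    """Values copied from the approved data control sheet (constructed)."""
    project_config_crc: int
    program_crcs: Dict[str, int]              # program name -> program CRC
    cut_config_crc: int                       # ComUserTask user configuration CRC
    firmware_crcs: Dict[str, Dict[str, int]]  # unit -> {"BL": .., "OS": .., "OSL": ..}


@dataclass(frozen=True)
class UnitReport:
    """One telemetry record from a controller (assumed layout)."""
    unit: str
    project_config_crc: int
    program_crcs: Dict[str, int]
    cut_config_crc: int
    firmware_crcs: Dict[str, int]
    force_switch: bool
    forcing_active: bool
    global_forcing_started: bool
    temperature_ok: bool
    power_ok: bool


def check_report(baseline: Baseline, r: UnitReport) -> List[str]:
    """Return one alarm string per discrepancy; an empty list means the unit is
    running exactly the approved data with no forcing in effect."""
    alarms: List[str] = []

    def crc_mismatch(what: str, expected: int, got: int) -> None:
        if expected != got:
            alarms.append(f"{r.unit}: {what} CRC {got:08X} != approved {expected:08X}")

    crc_mismatch("project configuration", baseline.project_config_crc, r.project_config_crc)
    crc_mismatch("ComUserTask configuration", baseline.cut_config_crc, r.cut_config_crc)

    # The program set must match exactly: no changed, missing or additional programs.
    for name, expected in baseline.program_crcs.items():
        if name not in r.program_crcs:
            alarms.append(f"{r.unit}: program {name} missing from report")
        else:
            crc_mismatch(f"program {name}", expected, r.program_crcs[name])
    for name in sorted(set(r.program_crcs) - set(baseline.program_crcs)):
        alarms.append(f"{r.unit}: unexpected program {name} loaded")

    # Boot loader, OS and OS loader firmware CRCs per unit (clause 4 e) xxii).
    expected_fw = baseline.firmware_crcs.get(r.unit)
    if expected_fw is None:
        alarms.append(f"{r.unit}: unit not on the data control sheet")
    else:
        for component, expected in expected_fw.items():
            crc_mismatch(f"{component} firmware", expected, r.firmware_crcs.get(component, 0))

    # Clause 4 p): every forcing state is alarmed, not merely logged.
    for flag, name in ((r.force_switch, "force switch enabled"),
                       (r.forcing_active, "forcing active"),
                       (r.global_forcing_started, "global forcing started")):
        if flag:
            alarms.append(f"{r.unit}: {name}")

    if not r.temperature_ok:
        alarms.append(f"{r.unit}: temperature outside normal range")
    if not r.power_ok:
        alarms.append(f"{r.unit}: power state abnormal")
    return alarms


# Constructed baseline and reports for demonstration only.
BASELINE = Baseline(
    project_config_crc=0x1A2B3C4D,
    program_crcs={"LX_MONITOR": 0x0BADF00D},
    cut_config_crc=0x00C0FFEE,
    firmware_crcs={"F35-01": {"BL": 0x11111111, "OS": 0x22222222, "OSL": 0x33333333}},
)

GOOD_REPORT = UnitReport("F35-01", 0x1A2B3C4D, {"LX_MONITOR": 0x0BADF00D}, 0x00C0FFEE,
                         {"BL": 0x11111111, "OS": 0x22222222, "OSL": 0x33333333},
                         False, False, False, True, True)

# The same unit after an unapproved program change, with forcing left switched on.
TAMPERED_REPORT = UnitReport("F35-01", 0x1A2B3C4D, {"LX_MONITOR": 0xDEADBEEF}, 0x00C0FFEE,
                             {"BL": 0x11111111, "OS": 0x22222222, "OSL": 0x33333333},
                             True, True, False, True, True)

if __name__ == "__main__":
    for report in (GOOD_REPORT, TAMPERED_REPORT):
        print(report.unit, check_report(BASELINE, report) or ["OK"])
```

The check is deliberately strict in both directions: a program that is missing, changed or added all alarm, because the data control sheet is the only record of what the unit is approved to run. Any forcing bit raises its own alarm, since a unit with forcing active is no longer executing the approved logic even if every CRC still matches.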
5 Functional Requirements
5.1 Environmental
All HIMA level crossing monitoring equipment shall comply with the following requirements:
i. Rated for -20 °C to +70 °C continuous operating temperature;
ii. Laminated PCBs;
iii. Water and dust ingress protection to IP20.
The Level Crossing monitor should not require forced cooling to meet the environmental requirements.
5.2 Automatic start and self-checking
The HIMA level crossing monitoring system shall:
a) automatically start and commence monitoring on initiation of electrical power.
b) continuously check that the software, and real time clock are operating correctly.
c) log events with a time stamp.
d) check all configuration data on start-up and indicate a system fault if it is invalid.
e) automatically re-start if software ceases to operate correctly.
f) alarm if the number of re-starts within a defined period exceeds a defined limit.
5.3 Monitoring
a) The HIMA level crossing monitor shall check the digital inputs and analogue inputs for correct
relationship, sequence, and timing.
b) The HIMA level crossing monitor application data shall be configurable for each individual level
crossing.
c) The HIMA level crossing monitor shall determine:
i. the number of lamps operating on each lamp circuit.
ii. the number of lamps operating against the number that should be operating.
d) The HIMA level crossing monitor shall provide:
i. a warning indication when the number of lamps detected is one less than the expected, and:
ii. a fault indication when the number of lamps detected is more than expected on any
individual lamp circuit, or two or more less than the expected.
e) The HIMA level crossing monitor shall log the start and end time of each level crossing operation.
f) The HIMA level crossing monitor shall provide for the use of additional fault or warning inputs.
This shall be indicated via the local maintenance panel indications.
g) The HIMA level crossing monitor shall provide an indication that remote battery testing is in
progress. This shall be indicated via the local maintenance panel indications.
h) The HIMA level crossing monitor shall monitor track circuits and any function that qualifies the
operation of the Level Crossing (for example approach signals).
i) The HIMA level crossing monitor shall provide an indication that local maintenance mode has
been activated.
j) The HIMA level crossing monitor shall provide indications that lamp calibration is invalid or in
progress.
k) The HIMA level crossing monitor shall report a NO FAULT and NO WARNING indication along
with a FAULT and WARNING indication when it detects a change in the status of the crossing.
These indications shall be displayed on the local maintenance panel and remote level crossing
monitoring workstation.
l) The HIMA level crossing monitor shall be configured as follows:
i. In normal operation the level crossing monitor will display two green LEDs which indicate
NO FAULT and NO WARNING. If the monitor reports its status to a level crossing
monitoring system computer these two indications are combined to give a status of
NORMAL.
ii. If a designated FAULT occurs, then the LED for NO FAULT shall extinguish indicating that a
FAULT has occurred. If a designated WARNING occurs, then the LED for NO WARNING
shall extinguish indicating that a WARNING has occurred. As well as WARNINGS or
FAULTS being indicated on the front panel appropriate messages are reported via the
Ethernet port to allow remote reporting of FAULTS and WARNINGS.
iii. The NO FAULT status indicates that:
i. the battery voltage is not low;
ii. no more than one lamp is out;
iii. no more lamps than expected have been found; and
iv. no other designated fault condition has been detected by the level crossing
monitor logic.
iv. The Fault indication (i.e. The NO FAULT Indication extinguished) is latched until the fault
reset push button is pressed or the fault reset command is received.
v. The NO WARNING status indicates that none of the designated warning conditions are
present.
vi. The Warning indication (i.e. The NO WARNING Indication extinguished) is latched until the
fault reset push button is pressed or the fault reset command is received.
5.4 Logging
a) The HIMA level crossing monitor system shall detect changes in its analogue inputs, digital inputs,
digital outputs, and relevant key internal logic and alarm states. Details of these changes shall be
stored with the date and time of occurrence (to a tenth of a second). At least the last 15,000
changes shall be stored.
b) The log shall be maintained in non-volatile storage in the HIMA ComUserTask memory. The log
must still be retrievable after the level crossing monitor has been removed from service, transported
to another location and left without power for at least 31 days.
c) The oldest event shall be automatically replaced by the next new event when the event log is full.
d) Changes to the state of the flasher inputs need not be logged; this is solely to avoid wasting log
space. Instead, flashing alarm(s) are to be created and logged, which alarm when an unhealthy
state is detected.
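One way to implement the change log this section describes, as an added example that is not ARTC or HIMA code: a fixed-capacity ring of change events stamped to a tenth of a second, where the oldest entry is overwritten when the ring is full, and where flasher outputs are excluded from change logging and replaced by a stuck-flasher alarm that is itself logged as a change. The point names, the 1.5 s flasher timeout and the small capacity used in the demonstration are assumptions; the non-volatile backing store this section requires is not modelled, the ring lives in memory.

```python
"""Added example, not ARTC or HIMA code: a change-detecting event log with the
properties section 5.4 asks for. Point names, the flasher timeout and the
demonstration capacity are assumptions; storage is in memory only."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    tenths: int          # time of the change in tenths of a second
    point: str           # input, output, internal state or alarm name
    value: object

    def describe(self) -> str:
        return f"{self.tenths // 10}.{self.tenths % 10}s {self.point}={self.value}"


class EventLog:
    def __init__(self, capacity: int = 15000, flasher_points: Iterable[str] = (),
                 flasher_timeout_tenths: int = 15) -> None:
        self._events: Deque[Event] = deque(maxlen=capacity)  # oldest dropped when full
        self._last: Dict[str, object] = {}                   # last logged value per point
        self._flashers = set(flasher_points)
        self._flasher_seen: Dict[str, Tuple[object, int]] = {}  # value, tenths of last toggle
        self._flasher_stuck: Dict[str, bool] = {p: False for p in self._flashers}
        self._timeout = flasher_timeout_tenths  # assumed: no toggle for >1.5 s is unhealthy

    def _record(self, tenths: int, point: str, value: object) -> Event:
        ev = Event(tenths, point, value)
        self._events.append(ev)
        self._last[point] = value
        return ev

    def scan(self, time_s: float, inputs: Dict[str, object], crossing_active: bool) -> List[Event]:
        """Compare one scan of inputs with the previous scan; return the events logged."""
        tenths = int(round(time_s * 10))
        logged: List[Event] = []
        for point, value in inputs.items():
            if point in self._flashers:
                logged.extend(self._check_flasher(tenths, point, value, crossing_active))
            elif point not in self._last or self._last[point] != value:
                logged.append(self._record(tenths, point, value))  # first scan logs initial values
        return logged

    def _check_flasher(self, tenths: int, point: str, value: object,
                       crossing_active: bool) -> List[Event]:
        """Flasher toggles are not logged; only a change in the stuck alarm is."""
        last_value, last_toggle = self._flasher_seen.get(point, (None, tenths))
        if value != last_value or not crossing_active:
            last_toggle = tenths  # the timer only runs while the lights should be flashing
        self._flasher_seen[point] = (value, last_toggle)
        stuck = crossing_active and (tenths - last_toggle) > self._timeout
        if stuck != self._flasher_stuck[point]:
            self._flasher_stuck[point] = stuck
            return [self._record(tenths, f"{point}_STUCK", stuck)]
        return []

    def events(self) -> List[Event]:
        """Oldest first; never longer than the configured capacity."""
        return list(self._events)


if __name__ == "__main__":
    # Constructed scan sequence: crossing operates, flasher FL1 toggles, then sticks.
    log = EventLog(capacity=4, flasher_points=("FL1",), flasher_timeout_tenths=15)
    for t, xr, fl1, active in [(0.0, True, False, False), (1.0, False, True, True),
                               (1.5, False, False, True), (2.0, False, True, True),
                               (3.6, False, True, True), (4.0, False, False, True),
                               (5.0, True, False, False)]:
        log.scan(t, {"XR": xr, "FL1": fl1}, active)
    for ev in log.events():
        print(ev.describe())
```

A flasher that toggles normally produces no log entries at all; only the transition into and out of the stuck condition is recorded, which is the trade-off clause d) describes. With the demonstration capacity of 4 the initial `XR` entry is the one overwritten once the fifth event arrives.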
5.5 Digital Outputs
The following outputs are always allocated on the HIMA level crossing monitor and shall be configured as
detailed in the table below.
Output 1: Battery Test (see note 3)
  Quiescent state: FALSE. Initial value: FALSE.
  True when the battery test is enabled.

Output 2: No Fault
  Quiescent state: TRUE. Initial value: FALSE.
  This output is directly connected to a 24 Vdc green LED. True where there are no faults; false where there is a fault. The fault remains until reset.

Output 3: No Warning
  Quiescent state: TRUE. Initial value: FALSE.
  This output is directly connected to a 24 Vdc green LED. True when there are no warnings; false where there is a warning. The warning remains until reset.

Output 4: System
  Quiescent state: FALSE. Initial value: TRUE.
  This output is directly connected to a 24 Vdc red LED. True when there is a system fault. When this output is true, the No Fault output will be false.

Output 5: Battery
  Quiescent state: FALSE. Initial value: TRUE.
  This output is directly connected to a 24 Vdc red LED. True when there is a battery fault or warning. This output operates in conjunction with the No Fault and No Warning outputs: it is ON when a fault or warning condition has been detected with the level crossing battery, and remains on until the fault or warning condition has been reset.

Output 6: Lamp
  Quiescent state: FALSE. Initial value: TRUE.
  This output is directly connected to a 24 Vdc red LED. It operates in conjunction with the No Fault and No Warning outputs: it is ON when a fault or warning condition has been detected with the level crossing lamps, and remains on until the correct number of working lamps is detected. It cannot be turned off until the correct number of lamps has been detected running for at least 10 seconds.

Output 7: Logic
  Quiescent state: FALSE. Initial value: TRUE.
  This output is directly connected to a 24 Vdc red LED.

Output 8: Maintenance Mode
  Quiescent state: FALSE. Initial value: FALSE.
  This output is directly connected to a 24 Vdc red LED. True when in maintenance mode.

3 As the HIMA system is a vital system, no external time or timer test relay is required; the HIMA is able to perform
these functions safely with a single output.
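The lamp-count rules of clause 5.3 d), the latching of FAULT and WARNING until a reset push button or reset command in clause 5.3 l), and the 10 second healthy-lamp hold on the Lamp output in the table above, brought together as an added example (not ARTC or HIMA application logic). Circuit names, lamp counts and the reduction of battery and other designated faults to boolean inputs are assumptions; the point it shows is that the No Fault and No Warning outputs clear only on reset, while the Lamp output clears only after the lamps have been counted correct for 10 seconds, so the two can clear in either order.

```python
"""Added example, not ARTC or HIMA application logic: lamp-count evaluation
(clause 5.3 d)), latched FAULT/WARNING outputs (5.3 l)) and the 10 s healthy
hold on the Lamp output (section 5.5). Circuit names and counts are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Outputs:
    no_fault: bool    # output 2, TRUE in the quiescent state
    no_warning: bool  # output 3, TRUE in the quiescent state
    lamp: bool        # output 6
    battery: bool     # output 5


def classify_circuit(expected: int, detected: int) -> str:
    """Clause 5.3 d): one lamp short is a warning; more lamps than expected, or
    two or more short, is a fault."""
    if detected > expected or detected <= expected - 2:
        return "fault"
    if detected == expected - 1:
        return "warning"
    return "ok"


class CrossingMonitor:
    LAMP_HOLD_TENTHS = 100  # 10 s of correct lamps before output 6 may clear

    def __init__(self, expected_lamps: Dict[str, int]) -> None:
        self.expected = dict(expected_lamps)   # circuit name -> lamps that should be lit
        self.fault_latched = False
        self.warning_latched = False
        self.battery_latched = False
        self.lamp_output = False
        self._lamps_ok_since: Optional[int] = None

    def reset(self) -> None:
        """Fault/Warning reset push button or the remote reset command."""
        self.fault_latched = False
        self.warning_latched = False
        self.battery_latched = False
        # The Lamp output is deliberately not touched: it clears only by the 10 s hold.

    def evaluate(self, t_tenths: int, lamps_operating: bool, detected: Dict[str, int],
                 battery_low: bool = False, battery_warning: bool = False,
                 other_fault: bool = False) -> Outputs:
        """One program cycle. `detected` holds the lamp count per circuit and is
        only meaningful while the crossing lamps are operating."""
        lamp_fault = lamp_warning = False
        if lamps_operating:
            for circuit, expected in self.expected.items():
                state = classify_circuit(expected, detected.get(circuit, 0))
                lamp_fault |= state == "fault"
                lamp_warning |= state == "warning"
            if lamp_fault or lamp_warning:
                self.lamp_output = True
                self._lamps_ok_since = None
            elif self._lamps_ok_since is None:
                self._lamps_ok_since = t_tenths
            elif t_tenths - self._lamps_ok_since >= self.LAMP_HOLD_TENTHS:
                self.lamp_output = False
        else:
            self._lamps_ok_since = None   # the hold timer only runs while lamps are lit

        if lamp_fault or battery_low or other_fault:
            self.fault_latched = True
        if lamp_warning or battery_warning:
            self.warning_latched = True
        if battery_low or battery_warning:
            self.battery_latched = True
        return Outputs(not self.fault_latched, not self.warning_latched,
                       self.lamp_output, self.battery_latched)


if __name__ == "__main__":
    # Constructed sequence: one lamp out on the UP circuit, then repaired.
    m = CrossingMonitor({"UP": 4, "DOWN": 4})
    print(m.evaluate(0, True, {"UP": 4, "DOWN": 4}))
    print(m.evaluate(10, True, {"UP": 3, "DOWN": 4}))    # warning, Lamp output on
    print(m.evaluate(120, True, {"UP": 4, "DOWN": 4}))   # 10 s correct: Lamp output off
    m.reset()
    print(m.evaluate(130, True, {"UP": 4, "DOWN": 4}))   # No Warning restored
```

Counting is skipped while the lamps are not operating, because a dark crossing would otherwise be read as every lamp missing; the hold timer also pauses then, so a Lamp output raised during one operation persists into the next until the lamps have been proven correct for a full 10 seconds.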
5.6 Digital Inputs
The following digital inputs are to be monitored:
a) The Fault Reset, Warning Reset, Data Change, Calibrate, and Maintenance push buttons from
the Local Maintenance Panel.
b) All available track circuits that control the operation of the level crossing.
c) Direction stick relays.
d) Level crossing control and repeat relays.
e) Level crossing normal relay.
f) Level crossing timer functions.
g) Test Switch, Emergency Switch (if provided) and Manual Operation Switches (if provided).
h) Gate (Boom Arm) Up state.
i) Gate (Boom Arm) down state.
j) If applicable, pedestrian crossing gate indications, including:
i. Open detection (Open state);
ii. Closed detection (Closed state);
iii. The status of any pedestrian gate light specific flasher or timer unit(s);
iv. Magnetic lock state (if provided), and;
v. Control relay state (if different from the level crossing control relay).
k) Lights, Bell and Gate (Boom Arm) emergency switches.
l) AC supply state.
m) Battery Voltage monitor indication.
n) Any other function that qualifies the operation of the Level Crossing (e.g. signal).
o) The front contact of the Level Crossing normal relay.
p) Reset fault or warning.
q) The health status of each flasher (if available).
r) Output state of each flasher.
s) Power Supply Unit failure alarm contacts.
t) Interfaces to traffic light functions, including:
i. Traffic Light Train Demand (TD) function
ii. Traffic Light Response (TLR) function
iii. Pre-emption functions (if separate to the crossing control)
iv. Advanced Warning Lights (AWL) status
u) Other relays/contacts of interest and any other ancillary systems (e.g. ELDs, Network Router etc.)
5.7 Analogue Inputs
The following analogue inputs are to be monitored (footnote 4):
a) All bus bar voltages are to be monitored, including:
i. The level crossing flashing light buses; and
ii. All battery buses; and
iii. The HIMA Level Crossing monitor bus.
b) Galvanic isolation shall be provided for all bus bar voltage inputs.
c) Lamp currents are to be monitored, including pedestrian lights (at all locations where there are no
pedestrian gates, and only at other sites where specifically requested by ARTC) using current
sensors.
d) The Bell state and currents are to be monitored when specified, using a current sensor. The Bell’s
state and current should be monitored where it is the only form of protection for vision impaired
users of a pedestrian crossing.
e) Where required by ARTC, the temperature within the location case shall be monitored using an
isolated 4mA to 20mA sensor.
f) Where required by ARTC, the rail temperature shall be monitored using an isolated 4mA to 20mA
sensor.
g) All analogue input sensors are to behave linearly across their measurement range at all
operating temperatures (-20°C to +70°C) unless appropriate temperature compensation is provided
programmatically.
5.8 Internal Variables
a) The error codes for all used inputs and outputs are to be monitored and included in a controller
health indication, which when true indicates that the controller, and all of its remote I/O are
healthy and have no system or input or output errors. If the controller health indication is false, a
warning or error (as appropriate) shall be indicated on the Local Control Panel.
b) The error codes for all HIMA modules are to be monitored and included in the controller health
indication.
c) All communication links are to be monitored, including any redundant connections, and an alarm
generated if any link is down.
d) If a ComUserTask module is used, a health bit for establishing.
e) All program, controller and configuration CRCs are to be shared over the link to level crossing
monitoring system.
5.9 Lamps
a) Level crossing lamps are to be monitored to allow detection of any lamp failure.
4 A scan time of less than or equal to 30ms is required for any analogue inputs that require filtering.
b) The failure of any level crossing lamp shall be alarmed.
c) Whenever the crossing activates or deactivates, the current status of the lamp monitoring and
any related alarms are to be recorded in the event log.
d) Flashing light lamp currents are to be monitored using isolated DC Hall Effect current sensors.
These sensors are to be 4mA to 20mA, as they allow a sensor failure to be detected.
e) Lamp current sensor analogue inputs are to be directly connected to the HIMA CPU’s analogue
inputs, such that they can be filtered at a higher frequency than would be possible if using a remote
unit’s analogue inputs.
f) All battery buses that supply lamps and/or their flashing units shall be monitored using isolating
voltage transducers. If the bus voltage drops below a voltage that will reliably turn the lamp on,
then a critical flashing light alarm shall be generated.
g) All lamp currents are to be adjusted for changes in the lamp bus bar voltages.
h) A minimum time-based filter with a 200ms filter window shall be applied to all measured lamp
currents to filter out noise and start-up spikes in the lamp current sensor readings.
i) Separate lamp monitoring should be provided for:
i. The up side left flashing lights
ii. The up side right flashing lights
iii. The down side left flashing lights
iv. The down side right flashing lights
v. The boom barrier tip lights
vi. Optionally, and where specified by ARTC, the left boom barrier flashing light bank(s)
vii. Optionally, and where specified by ARTC, the right boom barrier flashing light bank(s)
j) The following flashing light alarms are to be provided:
i. A non-critical (warning) alarm when a single flashing light lamp or any boom barrier lights
are detected out;
ii. A critical alarm (fault) when more than one flashing light lamp is detected out. Multiple boom
barrier lights being out is considered a non-vital failure, and thus shall not cause a critical
alarm to be raised; and
iii. Individual indications for the up and downside flashing lights must be provided to allow
maintainers to distinguish whether a flashing light failure has occurred on either the up or
downside of the crossing.
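As an added illustration, and not code from this standard or from HIMA (the monitor itself is written in SILWorX), the Python model below implements the lamp monitoring rules of 5.9: the 200ms minimum time-based filter of h), the bus-voltage compensation of g), the critical low-bus alarm of f) and the warning/fault classification of j), including the per-side indication of j iii). The 10 ms scan, the 12 V bus, the 1 A lamps, the linear current-to-voltage relationship, the 9.6 V turn-on threshold and the site layout are assumptions made for the example, not values from the standard; the standard requires a lookup table where the relationship is not linear.

```python
"""Flashing light lamp monitor model (added example; not ARTC or HIMA code).
Assumptions not taken from the standard: a 10 ms analogue scan, a 12 V lamp bus,
1 A per lamp, lamp current proportional to bus voltage (so compensation is a
linear ratio; the standard calls for a lookup table where it is not), and 9.6 V
as the voltage below which lamps will not reliably light."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

SCAN_MS = 10                 # assumed scan; standard requires <= 30 ms where filtering is needed
FILTER_WINDOW_MS = 200       # 5.9 h): minimum time-based filter window
WINDOW_SAMPLES = FILTER_WINDOW_MS // SCAN_MS
MIN_LAMP_BUS_V = 9.6         # 5.9 f): assumed reliable turn-on voltage


@dataclass
class LampCircuit:
    name: str
    lamps: int                 # lamps on this monitored circuit
    cal_current_a: float       # calibrated total current at cal_voltage_v (5.15 b)
    cal_voltage_v: float
    vital: bool = True         # boom barrier lights are non-vital (5.9 j ii)
    samples: Deque[float] = field(default_factory=lambda: deque(maxlen=WINDOW_SAMPLES))

    def sample(self, current_a: float, bus_v: float, compensate: bool) -> None:
        # 5.9 g): refer the reading back to the calibration voltage so that a
        # sagging bus is not mistaken for missing lamps.
        if compensate:
            current_a *= self.cal_voltage_v / bus_v
        self.samples.append(current_a)

    def lamps_out(self) -> Optional[int]:
        # 5.9 h): the minimum over the window rejects inrush spikes and upward
        # noise; no verdict until a full 200 ms window has been collected.
        if len(self.samples) < WINDOW_SAMPLES:
            return None
        per_lamp = self.cal_current_a / self.lamps
        missing = round((self.cal_current_a - min(self.samples)) / per_lamp)
        return max(0, min(self.lamps, missing))


class LampMonitor:
    def __init__(self, circuits: List[LampCircuit], compensate: bool = True):
        self.circuits = {c.name: c for c in circuits}
        self.compensate = compensate

    def scan(self, bus_v: float, currents: Dict[str, float], flasher_on: bool) -> Tuple[str, List[str]]:
        """One scan: returns ('OK' | 'WARNING' | 'FAULT', per-circuit details) per 5.9 f) and j)."""
        if bus_v < MIN_LAMP_BUS_V:
            return "FAULT", [f"lamp bus {bus_v:.1f} V below reliable turn-on voltage"]
        if not flasher_on:
            for c in self.circuits.values():   # sample only while the flasher drives the lamps
                c.samples.clear()
            return "OK", []
        for name, amps in currents.items():
            self.circuits[name].sample(amps, bus_v, self.compensate)
        vital_out, boom_out, details = 0, 0, []
        for c in self.circuits.values():
            n = c.lamps_out()
            if not n:
                continue
            details.append(f"{c.name}: {n} lamp(s) out")   # 5.9 j iii): up/down side indication
            if c.vital:
                vital_out += n
            else:
                boom_out += n
        if vital_out > 1:
            return "FAULT", details      # j ii): more than one flashing light lamp out
        if vital_out == 1 or boom_out:
            return "WARNING", details    # j i): one flashing lamp, or any boom barrier lights, out
        return "OK", details


def build_monitor(compensate: bool = True) -> LampMonitor:
    """Constructed site: four flashing light circuits of four 1 A lamps, three boom tip lamps."""
    circuits = [LampCircuit(n, 4, 4.0, 12.0) for n in ("up_left", "up_right", "down_left", "down_right")]
    circuits.append(LampCircuit("boom_tips", 3, 3.0, 12.0, vital=False))
    return LampMonitor(circuits, compensate)


def run_on_period(monitor: LampMonitor, bus_v: float, currents: Dict[str, float],
                  scans: int = WINDOW_SAMPLES + 5) -> Tuple[str, List[str]]:
    """Feed one flasher on-period of constructed readings: lamp currents scaled by bus
    voltage, a 50 % inrush spike on the first two scans and +/-2 % measurement noise."""
    status = monitor.scan(bus_v, {}, flasher_on=False)   # preceding off-period clears the windows
    for k in range(scans):
        spike, noise = (1.5 if k < 2 else 1.0), (1.02 if k % 2 else 0.98)
        reading = {n: a * (bus_v / 12.0) * spike * noise for n, a in currents.items()}
        status = monitor.scan(bus_v, reading, flasher_on=True)
    return status


HEALTHY = {"up_left": 4.0, "up_right": 4.0, "down_left": 4.0, "down_right": 4.0, "boom_tips": 3.0}

if __name__ == "__main__":
    print(run_on_period(build_monitor(), 12.0, HEALTHY))
    print(run_on_period(build_monitor(), 12.0, dict(HEALTHY, up_left=3.0)))                # WARNING
    print(run_on_period(build_monitor(), 12.0, dict(HEALTHY, up_left=3.0, down_right=3.0)))  # FAULT
    print(run_on_period(build_monitor(compensate=False), 10.2, HEALTHY))   # uncompensated sag: false FAULT
```

The last call shows why g) matters: with the bus sagging 15 % and compensation switched off, every circuit reads as one lamp short and the monitor raises a false critical alarm, whereas the compensated monitor reports the same readings as healthy.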
5.10 Boom Barriers
a) Wherever possible, and in all new installations, both the up and down state of the boom barriers
are to be monitored.
b) Boom barrier rise and fall times are to be monitored using the boom barrier detection. Alarms
should be generated whenever the rise or fall times are outside a configurable time window. To
enable predictive maintenance, separate non-critical alarms are also to be provided when the
system detects that the boom barrier rise or fall times have drifted, over a number of
measurements, by a configurable percentage from their last calibrated values.
c) Where boom barrier up detection is provided, a failed to rise alarm shall be raised after a
configurable period of time after it has been commanded to rise.
d) Where boom barrier down detection is provided, a failed to drop alarm shall be raised after a
configurable period of time after it has been commanded to drop.
5.11 Pedestrian Gates
a) Wherever possible, and in all new installations, both the open and closed state of the pedestrian
gates are to be monitored individually.
b) If the pedestrian gate control relay differs from the level crossing control relay, it shall be
monitored and recorded.
c) Where pedestrian gate open (85-90 degree state) detection is provided, a failed to open alarm
shall be raised after a configurable period of time after it has been commanded to open.
d) Where pedestrian gate closed (0-10 degree state) detection is provided, a failed to close alarm
shall be raised after a configurable period of time after it has been commanded to close.
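The boom barrier timing of 5.10 b) to d) and the pedestrian gate timing of 5.11 c) and d) are the same measurement: the time from the control command to the confirming detection input, compared against a configurable window, a failed-to-complete timeout and the last calibrated value. The Python model below is an added example (not ARTC or HIMA code) that serves both; the limit values, the 50 ms scan and the movement times are constructed for the example.

```python
"""Boom barrier / pedestrian gate movement timing model (added example; not ARTC or HIMA code).
One class times any commanded movement confirmed by a detection input: boom rise or fall
(5.10) and pedestrian gate open or close (5.11). All limit values are constructed; the
standard only requires that they be configurable."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimingLimits:
    min_s: float           # configurable acceptance window (5.10 b)
    max_s: float
    fail_timeout_s: float  # failed to rise/drop (5.10 c, d) or open/close (5.11 c, d)
    calibrated_s: float    # last calibrated movement time (5.15)
    drift_pct: float       # predictive maintenance: alarm when the recent average drifts this far
    drift_samples: int     # number of in-window measurements averaged for the drift check


class MovementMonitor:
    def __init__(self, name: str, limits: TimingLimits):
        self.name, self.limits = name, limits
        self.state = "IDLE"             # IDLE -> TIMING -> DONE, back to IDLE when the command drops
        self.started_ms = 0
        self.history: List[float] = []  # in-window movement times, seconds
        self.alarms: List[Tuple[str, str]] = []   # (kind, message); kind is WINDOW, FAILED or DRIFT

    def update(self, t_ms: int, commanded: bool, detected: bool) -> None:
        """One scan. commanded: the control relay calls for the movement;
        detected: the confirming detection contact (e.g. boom down) is made."""
        if not commanded:
            self.state = "IDLE"
            return
        if self.state == "IDLE":
            # Command edge. If the barrier is already in position there is nothing to time.
            self.state = "DONE" if detected else "TIMING"
            self.started_ms = t_ms
            return
        if self.state != "TIMING":
            return
        elapsed_s = (t_ms - self.started_ms) / 1000.0
        if detected:
            self.state = "DONE"
            self._record(elapsed_s)
        elif elapsed_s >= self.limits.fail_timeout_s:
            self.state = "DONE"   # alarm once, then wait for the next command
            self.alarms.append(("FAILED", f"{self.name}: not detected within {self.limits.fail_timeout_s:g} s"))

    def _record(self, elapsed_s: float) -> None:
        lim = self.limits
        if not lim.min_s <= elapsed_s <= lim.max_s:
            self.alarms.append(("WINDOW", f"{self.name}: {elapsed_s:.2f} s outside {lim.min_s:g}-{lim.max_s:g} s"))
            return   # already alarmed; keep the outlier out of the drift average
        self.history.append(elapsed_s)
        recent = self.history[-lim.drift_samples:]
        if len(recent) == lim.drift_samples:
            drift = (mean(recent) - lim.calibrated_s) / lim.calibrated_s * 100.0
            if abs(drift) > lim.drift_pct:
                self.alarms.append(("DRIFT", f"{self.name}: average {mean(recent):.2f} s is "
                                             f"{drift:+.1f} % from calibrated {lim.calibrated_s:g} s"))


def run_cycle(mon: MovementMonitor, detect_after_s: Optional[float],
              hold_s: float = 20.0, scan_ms: int = 50) -> None:
    """Drive one constructed movement: command asserted at t=0, detection made at
    detect_after_s (None = never), command released after hold_s."""
    for k in range(int(hold_s * 1000) // scan_ms + 1):
        t_ms = k * scan_ms
        detected = detect_after_s is not None and t_ms >= detect_after_s * 1000
        mon.update(t_ms, True, detected)
    mon.update(int(hold_s * 1000) + scan_ms, False, False)


def boom_drop_example() -> MovementMonitor:
    """Constructed limits: calibrated 9 s drop, accept 7-12 s, failed-to-drop at 15 s,
    drift warning when the average of the last three drops moves more than 10 %."""
    mon = MovementMonitor("boom_drop", TimingLimits(7.0, 12.0, 15.0, 9.0, 10.0, 3))
    for secs in (9.0, 9.2, 8.8, 13.0, None, 10.5, 10.8, 10.2):
        run_cycle(mon, secs)
    return mon


if __name__ == "__main__":
    for kind, msg in boom_drop_example().alarms:
        print(kind, msg)
    gate = MovementMonitor("ped_gate_close", TimingLimits(2.0, 5.0, 8.0, 3.0, 10.0, 3))
    run_cycle(gate, None, hold_s=10.0)   # gate never reaches the 0-10 degree closed state
    print(gate.alarms)
```

The constructed sequence produces one WINDOW alarm (the 13 s drop), one FAILED alarm (no detection at all) and two DRIFT warnings as the average of the last three good drops climbs past 10 % above the 9 s calibration, which is the slow deterioration the predictive-maintenance alarm of 5.10 b) is meant to surface before the window alarm ever fires.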
5.12 Power Systems
a) The voltage of the 110/120Vac and/or 240Vac supplies may be monitored using isolated voltage
transducers connected to analogue or multipurpose inputs, or by non-vital power relay contacts
connected to digital inputs.
b) The power and rectified OK bits of all battery chargers are to be monitored.
5.13 Start-up
a) All alarms are to be appropriately conditioned during the application start-up to avoid false
alarms.
b) All indications, including all digital input and output statuses, are to be logged at start-up.
c) All start-up events are to be recorded in the Event Log.
5.14 Configuration
a) All alarm thresholds are to be configurable.
b) All analogue thresholds are to be configurable.
5.15 Calibration
a) All calibration data shall be stored in non-volatile memory, using retain variables in the Application
Data.
b) The calibration parameters for each lamp shall be configured; these shall include the calibration
curve for the item (e.g. a lamp). The curve may be used for voltage or temperature adjustment, based
on readings from a voltage (e.g. the flashing light or battery bus voltage) or temperature sensor.
5.16 Control and Interrogation
a) The SILWorX application can be used remotely or locally to interrogate the level crossing monitor.
b) A web browser can be used to view and download the current crossing status, alarms, and
events from the ARTC HIMA Level Crossing Monitor ComUserTask module.
5.17 Replay requirements
The level crossing monitoring system should be capable of providing a local and remote replay so
that events stored in the system memory can be graphically represented following an incident to
assist with the investigation.
6 Interface Requirements
a) Analogue and Digital inputs may be provided by physical inputs, or via an Ethernet or serial
connection(s) via protocols such as Modbus, DNP3, HDLC over UDP/IP, Genisys, HIMA Safe
Ethernet, Frauscher Safe Ethernet, or the Microlok Peer Protocol.
b) Where an Ethernet or serial protocol is used to supply an input to the level crossing monitor:
i. The safety level of the protocol, and all devices within the system loop, must be the same as
or higher than the safety level required by the digital input.
ii. The worst-case system response time of the system, including any delays of the link are to
be considered and the system designed such that no reliability or safety issues are caused
by any such delays.
iii. The typical latency of the Ethernet or serial link must be less than 100ms unless it is
demonstrated that a larger latency would be suitable.
c) Analogue inputs that require filtering or rapid processing, such as flashing light monitoring
circuits, must be directly connected to the HIMA CPU device, such that rapid polling of the
analogue input can occur.
d) All digital and analogue inputs are to be electrically isolated from all other power supplies. This
isolation may be provided by:
i. Using a voltage free contact; or
ii. An isolating voltage transducer; or
iii. An isolating current transducer.
e) All analogue and digital inputs are to be protected from:
i. Over-voltages outside of the limits specified; and
ii. Reverse polarity (i.e. any negative voltages, or voltages below 0Vdc).
f) Due to the very short cycle time of the HIMA devices, which can be lower than 10ms, suitable
methods for debouncing digital inputs shall be implemented for inputs on which contact bounce
might otherwise be experienced. These should be implemented on a function by function basis
and may include the use of:
i. Rising or falling edge triggers; or
ii. Slow to pick or slow to drop timers; or
iii. Other logic suitable for the application.
g) Suitable filtering functions on analogue inputs are required to minimise false alarms; these may
include, but are not limited to, a time-based:
i. Minimum filter; or
ii. Maximum filter; or
iii. Median filter; or
iv. Average filter.
h) For analogue inputs that may vary significantly due to fluctuations in the voltage of a bus bar, such
that false alarms or indications may result, the level crossing monitor shall monitor the
respective bus bar voltage and compensate the respective analogue input(s) for any fluctuations.
Where there is not a linear relationship between the voltage of the bus and the analogue input
value, a configurable compensation coefficient lookup table shall be used.
i) For analogue inputs that may vary significantly due to fluctuations in temperature, such that
false alarms or indications may result, the level crossing monitor is to monitor the respective
temperature and compensate the respective analogue input(s) for any fluctuations. Where there
is not a linear relationship between the temperature and the analogue input value, a
configurable compensation coefficient lookup table shall be used.
j) Analogue inputs are to be protected against reverse polarity connections and surges.
k) Where a digital output interfaces to external circuits or equipment of a different voltage, an
isolated DC to DC converter should be used.
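As an added example (not ARTC or HIMA code), the Python below models two of the mechanisms called for in section 6: a slow-to-pick / slow-to-drop debounce for a relay contact read on a fast scan, run over a constructed bounce trace, and a configurable compensation coefficient lookup table with linear interpolation between table points for an input whose dependence on temperature (or bus voltage) is not linear. The 10 ms scan, the contact trace and the coefficient values are assumptions made for the example.

```python
"""Digital input debounce and analogue compensation helpers (added example; not ARTC or HIMA
code). Models the slow-to-pick / slow-to-drop timers and the configurable compensation
coefficient lookup table described in section 6, on an assumed 10 ms scan. The bouncy
contact trace and the temperature coefficient table are constructed for the example."""
from bisect import bisect_right
from typing import List, Sequence, Tuple

SCAN_MS = 10   # assumed cycle time; the standard notes HIMA cycles can be shorter than 10 ms


class DebouncedInput:
    """The raw contact must hold TRUE for pick_ms before the debounced state picks, and
    hold FALSE for drop_ms before it drops: a slow-to-pick and a slow-to-drop timer in
    series. A bounce shorter than the timer resets it, so no spurious edge is produced."""

    def __init__(self, pick_ms: int, drop_ms: int):
        self.pick_ms, self.drop_ms = pick_ms, drop_ms
        self.state = False
        self.pending_ms = 0   # time the raw input has disagreed with the debounced state

    def update(self, raw: bool) -> Tuple[bool, bool, bool]:
        """One scan; returns (debounced state, rising edge, falling edge)."""
        if raw == self.state:
            self.pending_ms = 0
            return self.state, False, False
        self.pending_ms += SCAN_MS
        if self.pending_ms < (self.pick_ms if raw else self.drop_ms):
            return self.state, False, False
        self.state, self.pending_ms = raw, 0
        return self.state, raw, not raw


def debounce_trace(samples: Sequence[int], pick_ms: int, drop_ms: int) -> Tuple[List[int], List[int], int]:
    """Run a raw sample trace through the debouncer. Returns the scan indexes of the
    debounced rising and falling edges, and the number of raw transitions for comparison."""
    bits = [bool(s) for s in samples]
    din = DebouncedInput(pick_ms, drop_ms)
    rising, falling, raw_edges = [], [], 0
    for i, raw in enumerate(bits):
        if i and raw != bits[i - 1]:
            raw_edges += 1
        _, rose, fell = din.update(raw)
        if rose:
            rising.append(i)
        if fell:
            falling.append(i)
    return rising, falling, raw_edges


# Constructed relay contact trace, one sample per 10 ms scan: the contact bounces while
# picking (scans 2-6) and again while dropping (scans 17-19).
BOUNCY_CONTACT = [0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]


def compensate(value: float, reference: float, table: Sequence[Tuple[float, float]]) -> float:
    """Multiply an analogue reading by a coefficient interpolated from a configurable
    (reference, coefficient) table, for inputs whose dependence on bus voltage or
    temperature is not linear. The coefficient is held constant beyond the table ends."""
    refs = [r for r, _ in table]
    coeffs = [c for _, c in table]
    if reference <= refs[0]:
        return value * coeffs[0]
    if reference >= refs[-1]:
        return value * coeffs[-1]
    i = bisect_right(refs, reference)
    r0, r1, c0, c1 = refs[i - 1], refs[i], coeffs[i - 1], coeffs[i]
    return value * (c0 + (c1 - c0) * (reference - r0) / (r1 - r0))


# Constructed coefficient table for a current sensor whose gain falls with temperature (deg C).
TEMP_TABLE = [(-20.0, 1.04), (0.0, 1.02), (25.0, 1.00), (50.0, 0.98), (70.0, 0.96)]

if __name__ == "__main__":
    print(debounce_trace(BOUNCY_CONTACT, pick_ms=50, drop_ms=50))   # one clean pick, one clean drop
    print(debounce_trace(BOUNCY_CONTACT, pick_ms=10, drop_ms=10))   # every bounce becomes an edge
    print(compensate(2.0, 37.5, TEMP_TABLE), compensate(2.0, 90.0, TEMP_TABLE))
```

With 50 ms timers the eight raw transitions collapse to one rising and one falling edge; with timers equal to the scan time (the "no debounce" case the standard warns about on a sub-10 ms cycle) every bounce is reported as a separate relay operation.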
7 Local Maintenance Panel
a) A local maintenance panel displaying all the diagnostics LEDs may be provided in conjunction with a
centralised level crossing monitoring workstation.
b) The maintenance panel is also to be fitted with each of the level crossing monitor’s push buttons.
c) The maintenance panel is required to be laser or water cut, and laser etched in 316 stainless steel
with rounded corners and have no sharp edges.
d) The name of each output and push button shall be labelled on the panel.
e) A legend is to be laser etched to show the meaning, and wave form, of each flashing diagnostics
indication.
f) All components on the front panel should be rated for IP67 or IP68.
g) All LEDs and Pushbuttons are to use screw type terminals.
h) All connections to the panel are to be insulated so that water or condensation cannot create a short
circuit to the panel.
i) The panel shall be mounted inside a location case or annexure box.
j) The installation of the panel should ensure that rain while it is being used, or condensation while it is
not, cannot cause water ingress on any other electronic or water sensitive components of the level
crossing.
k) All pushbuttons, especially the Data Change pushbutton, are to be protected from accidental
activation.
l) The mechanical design of the panel is to be approved by the ARTC local signal maintenance engineer
prior to fabrication. A concept layout for this panel is shown below, where red lines indicate the laser
or water cut pattern. The push button (PB) and LED mounting holes are also required to be laser or
water cut.
Figure 2 - Local Maintenance Panel Concept Layout. The concept layout shows the LED indications NO
WARNING, NO FAULT, SYSTEM, BATTERY, LAMP, LOGIC and MAINTENANCE MODE, the push buttons (PB) FAULT
RESET, WARNING RESET, CALIBRATE, DATA CHANGE and MAINTENANCE, and an area where instructions on how
to enter maintenance mode, reset warnings and faults, calibrate lights and a flashing rate legend shall
be provided.
8 Installation and mounting
a) The installation and mounting requirements in the HIMA HIMatrix Compact Systems Manual are
to be adhered to.
b) To ensure efficient cooling HIMA devices must maintain:
i. A clear distance of at least 100 mm above and below the devices; and
ii. A clear distance of at least 20mm to the left and right of the devices.
c) The ventilation slots of the housings must not be obstructed.
d) HIMA devices are to be mounted horizontally.
e) Mechanical coding pins shall be used for all HIMA I/O plugs and sockets. Standard coding pin
configurations, provided by or developed with ARTC, are to be used for each HIMA unit type,
such that consistent coding of ARTC’s HIMA units can be maintained for each type.
9 Power Supply Requirements
a) The HIMA equipment’s 24V DC power supply shall be:
i. Electrically isolated from all other equipment.
ii. Supplied by a suitable isolating DC to DC converter.
iii. Isolated from earth.
iv. Isolated from all other signalling busbars, with a separate busbar for hardwired inputs into
the Level Crossing monitor.
v. The level crossing monitor and its power supply are to have a breakdown voltage to earth of
greater than 500 Volts DC.
vi. The power supply must be smoothed. Any ripple must be confirmed to be within the limits
allowed by each HIMA device.
vii. Meet the requirements of the HIMA manual.
b) The HIMA’s 24V DC power supply shall be monitored by an Earth Leakage Detector.
c) The HIMA H 7013 24Vdc external surge filter is required on the HIMA device’s 24Vdc bus,
unless:
i. An approved surge absorber from another manufacturer is used, which provides equal or
better protection and filtering and is rated for at least -20°C to 70°C operation; or
ii. The HIMA is supplied from an internal 24Vdc bus, with no external circuits fed from that bus,
and the DC to DC converter supplying that bus, filters the power supply with equivalent or
better protection and filtering.
9.1 Surge protection
a) Surge protection shall be used on all external or ‘dirty’ inputs and outputs. ‘Dirty’ inputs and
outputs are those that may have induced voltages from other circuits or equipment greater than
+/- 1V ac or dc.
b) Surge protection must be active and effective when the circuit is energized or de-energized and
must remain active whenever any contact is made or broken within the circuit.
10 Remote Monitoring and Battery Testing
10.1 Remote Level Crossing Monitoring Workstation
a) A remote level crossing monitoring workstation(s) shall be used for the centralised monitoring of
level crossing warning and alarm status and for retrieving event logs.
b) The indications on the remote level crossing monitoring workstation shall relate to the level
crossing maintenance panel indications. However, separate warning (yellow) and alarm (red)
indications shall be provided for the following status indications:
a. System;
b. Battery;
c. Lamp, and;
d. Logic.
c) Alarms shall remain active and be repeated and/or escalated until the alarm has been
acknowledged.
10.2 Remote Maintenance Workstation
a) A remote Maintenance Workstation with a SILWorX license, for remote access to the HIMA units
via SILWorX, and a web browser, will also be provided to allow for remote diagnostics. The
Maintenance Workstation will also allow for remote data changes, providing the local Data
Change button is pressed on-site.
b) A dedicated programming port shall be provided on the network router in the level crossing
monitor’s locations. This port shall be a secured layer 2 VPN connection, which is only used
when a HIMA unit needs to be re-programmed remotely.
10.3 Communications
a) Unless otherwise approved by ARTC, all communications shall take place over Ethernet.
b) An approved 3G or 4G router shall be used and connected to the ARTC Private Network unless
another communication link is specified by ARTC.
c) The HIMA CPU/COM device shall be configured as a Modbus TCP Slave unless otherwise
specified by ARTC.
d) The Modbus bit list for each site shall be agreed with ARTC and shall detail the codes reported to
the Network Control Centre.
10.4 Time Synchronisation
a) The HIMA CPU device is required to be setup as:
i. An SNTP client, which connects and synchronises with ARTC’s NTP time server.
ii. An SNTP server, which allows remote IO devices to connect to the CPU to synchronise their
time.
b) All time synchronisation events are to be recorded in the Event Log.
10.5 Battery Testing
a) The level crossing monitor shall have the facility for testing the current state of the level crossing
battery bank and reporting the results to a remote location via a 3G or 4G router. It is noted that
not all level crossings require a remote battery testing function as the health and condition of the
battery bank can be monitored by the level crossing charger and the performance of battery cell
technology has improved, potentially negating the requirement for a daily test. However, the
remote battery testing function shall be provided and can be disabled if required.
b) The level crossing monitor shall use output 1 to control the battery test. This output controls a
vital Q-style contactor relay, which cuts off the AC supply to the level crossing battery charger
(footnote 5) and connects a test load to the level crossing battery.
c) The process of testing the level crossing battery and the level crossing monitor when requested
shall be as follows:
i. Check battery voltage to determine if it is within limits. If it is too low, then abort the battery test, indicate a battery Fault, and report it.
ii. Check that the battery test current is less than 1.0 amps and the Battery test cut-off indication is ON.
iii. If the crossing is operating or has been operating or a battery test has recently been performed, delay until at least 10 minutes after the crossing has stopped operating and any previous battery test has been complete.
iv. Report that the test is about to begin and wait at least 10 seconds to allow the remote level crossing monitor to receive that indication.
v. Turn output 1 ON for 4 minutes.
vi. Monitor that the Battery test current is greater than 6 amps and battery voltage remains greater than alarm voltage.
vii. If the battery voltage drops below the alarm voltage during the test, stop the test, and indicate a battery fault.
viii. If the battery test current drops below 6 amps for more than 7 seconds during the test, stop the test, and indicate a battery fault; otherwise terminate the test at the end of 4 minutes and indicate and report that the test passed, and the current state of the level crossing.
ix. The previous step is terminated if the crossing starts operating and the process is restarted at “Turn output 1 ON for 4 minutes”, at least 10 minutes after the crossing has stopped operating.
d) The contactor relay circuit shall be designed to fail safe, such that if the HIMA unit shuts
down during the battery test the power will be re-applied.
e) A battery test cannot occur until after the start-up timer (footnote 6) has completed.
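The sequence in c) above, together with the start-up timer condition in e), is a small state machine. The Python below is an added model of it (not ARTC or HIMA code, which runs in SILWorX on the safety PLC) on a one-second tick, with the test load current drawn only while output 1 is on. The 13.0 V request limit, the 11.4 V alarm voltage and the battery profiles are constructed for the example; what happens when the pre-test check in step ii) fails is an assumption, since the standard only says to check; and the fail-safe contactor wiring of d) is hardware and is not modelled.

```python
"""Battery test sequencer model (added example; not ARTC or HIMA code). Implements steps
i) to ix) of 10.5 c) and the start-up timer condition of 10.5 e) on a one-second tick.
Threshold values and the battery profiles are constructed for the example."""
from typing import Callable, List, Tuple

QUIET_S = 600             # iii): 10 minutes after crossing operation or the previous test
ANNOUNCE_S = 10           # iv): let the remote monitor receive the 'about to begin' report
TEST_S = 240              # v): output 1 on for 4 minutes
MIN_TEST_A = 6.0          # vi): expected load current during the test
MAX_QUIESCENT_A = 1.0     # ii): test circuit current when no test is running
LOW_CURRENT_LIMIT_S = 7   # viii): tolerated time below MIN_TEST_A

Profile = Callable[[int, bool], Tuple[float, float, bool]]   # (t, output1) -> (V, A, crossing operating)


class BatteryTest:
    def __init__(self, request_limit_v: float, alarm_v: float):
        self.request_limit_v, self.alarm_v = request_limit_v, alarm_v
        self.state = "IDLE"           # IDLE, REQUESTED, WAIT_QUIET, ANNOUNCE, TESTING
        self.output1 = False          # output 1: contactor / charger inhibit and test load
        self.battery_fault = False    # latched, as for the 'Battery' LED output
        self.reports: List[Tuple[int, str, str]] = []   # (t, level, text) sent to the remote monitor
        self.quiet_since = -QUIET_S   # assume no recent crossing operation at power-up
        self.resume = False           # ix): restart at step v) after an interruption
        self.timer = self.low_current_s = 0

    def request(self) -> None:
        if self.state == "IDLE":
            self.state = "REQUESTED"

    def _stop(self, t: int, level: str, text: str) -> None:
        self.output1, self.state, self.resume = False, "IDLE", False
        self.quiet_since = t          # iii): the next test waits 10 minutes after this one
        if level == "FAULT":
            self.battery_fault = True
        self.reports.append((t, level, text))

    def _start_load(self, t: int) -> None:               # v)
        self.output1, self.timer, self.low_current_s = True, t, 0
        self.resume, self.state = False, "TESTING"

    def tick(self, t: int, battery_v: float, test_current_a: float,
             crossing_operating: bool, cutoff_on: bool, startup_done: bool) -> None:
        if crossing_operating:
            self.quiet_since = t
            if self.state == "TESTING":                   # ix): drop the load, restart at v) later
                self.output1, self.state, self.resume = False, "WAIT_QUIET", True
                self.reports.append((t, "INFO", "battery test interrupted by crossing operation"))
            elif self.state == "ANNOUNCE":                # iii): announce again once quiet
                self.state = "WAIT_QUIET"
        if self.state == "REQUESTED":
            if not startup_done:                          # e): never before the start-up timer
                return
            if battery_v < self.request_limit_v:          # i)
                self._stop(t, "FAULT", f"battery {battery_v:.1f} V below limit; test aborted")
                return
            if test_current_a >= MAX_QUIESCENT_A or not cutoff_on:   # ii)
                # Assumption: a test circuit that is not quiescent stops the test; the standard says only to check.
                self._stop(t, "WARNING", "test circuit not quiescent; test not started")
                return
            self.state = "WAIT_QUIET"
        if self.state == "WAIT_QUIET" and t - self.quiet_since >= QUIET_S:   # iii)
            if self.resume:
                self._start_load(t)
            else:
                self.reports.append((t, "INFO", "battery test about to begin"))   # iv)
                self.timer, self.state = t, "ANNOUNCE"
        elif self.state == "ANNOUNCE" and t - self.timer >= ANNOUNCE_S:
            self._start_load(t)
        elif self.state == "TESTING":
            if battery_v < self.alarm_v:                  # vii)
                self._stop(t, "FAULT", f"battery fell to {battery_v:.1f} V under test load")
                return
            self.low_current_s = self.low_current_s + 1 if test_current_a < MIN_TEST_A else 0
            if self.low_current_s > LOW_CURRENT_LIMIT_S:  # viii)
                self._stop(t, "FAULT", f"test current below {MIN_TEST_A:g} A for more than {LOW_CURRENT_LIMIT_S} s")
            elif t - self.timer >= TEST_S:
                self._stop(t, "INFO", f"battery test passed; {battery_v:.1f} V at {test_current_a:.1f} A")


def run(bt: BatteryTest, seconds: int, profile: Profile) -> BatteryTest:
    """Request a test at t=0 and tick through a constructed site profile."""
    bt.request()
    for t in range(seconds):
        v, a, operating = profile(t, bt.output1)
        bt.tick(t, v, a, operating, cutoff_on=True, startup_done=True)
    return bt


def healthy(t: int, load_on: bool):      # 13.2 V open circuit, 12.6 V under the 7.5 A test load
    return (12.6 if load_on else 13.2), (7.5 if load_on else 0.3), False

def weak(t: int, load_on: bool):         # battery collapses 90 s into the test
    return (11.0 if load_on and t >= 100 else healthy(t, load_on)[0]), (7.5 if load_on else 0.3), False

def interrupted(t: int, load_on: bool):  # a train occupies the crossing 50 s into the test
    v, a, _ = healthy(t, load_on)
    return v, a, 60 <= t < 120

def loose_load(t: int, load_on: bool):   # test load current sags to 5 A from t=50
    return healthy(t, load_on)[0], (5.0 if load_on and t >= 50 else 7.5 if load_on else 0.3), False


if __name__ == "__main__":
    for name, profile, secs in (("healthy", healthy, 300), ("weak", weak, 300),
                                ("interrupted", interrupted, 1000), ("loose_load", loose_load, 300)):
        bt = run(BatteryTest(13.0, 11.4), secs, profile)
        print(name, bt.battery_fault, bt.reports)
```

The interrupted profile is the one worth tracing by hand: the load is dropped the moment the crossing operates, the 10 minute quiet period is measured from when the crossing stops, and the test then resumes at step v) without a second announcement, exactly as ix) describes.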
5 Where a battery charger is used with an inhibit function, such as an Enatel battery charger, the two front contacts of the
contactor relay may instead be connected to this inhibit function. These two contacts must be from different stacks on
the contactor relay.
6 The start-up timer is defined in the application data and is designed to mask alarms and false indications while the
HIMA and other devices in the location case are starting up. This start-up timer shall be further documented in the ALDS
and verified as part of the application data design process.
f) Back contacts of both stacks of the Q-style contactor relay shall be monitored by the HIMA level
crossing monitor. If the Q-style contactor relay fails to de-energise on either stack when a battery
test is not being performed, then a critical alarm shall be raised, recorded, and reported.