EN 50159-2:2001

SLOVENSKI SIST EN 50159-2:2002
prva izdaja
STANDARD
julij 2002
Železniške naprave – Komunikacijski, signalni in procesni sistemi – 2. del:
Varnostna komunikacija v odprtih prenosnih sistemih
Railway applications - Communication, signalling and processing systems - Part 2:
Safety-related communication in open transmission systems
ICS 35.240.60; 45.020 Referenčna številka
©  Standard je založil in izdal Slovenski inštitut za standardizacijo. Razmnoževanje ali kopiranje celote ali delov tega dokumenta ni dovoljeno

EUROPEAN STANDARD EN 50159-2
NORME EUROPÉENNE
EUROPÄISCHE NORM March 2001
ICS 35.240.60; 45.020
English version
Railway applications -
Communication, signalling and processing systems
Part 2: Safety related communication in open transmission systems
Applications ferroviaires - Bahnanwendungen -
Systèmes de signalisation, de Telekommunikationstechnik, Signal-
télécommunication et de traitement technik und Datenverarbeitungssysteme
Partie 2: Communication de sécurité sur Teil 2: Sicherheitsrelevante
des systèmes de transmission ouverts Kommunikation in offenen Übertragungs-
systemen
This European Standard was approved by CENELEC on 2000-01-01. CENELEC members are bound
to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any
other language made by translation under the responsibility of a CENELEC member into its own
language and notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech
Republic, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg,
Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50159-2:2001 E
Foreword
This European Standard was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.
The text of the draft was submitted to the formal vote and was approved by CENELEC as EN 50159-2 on
2000-01-01.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2001-10-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2003-01-01
Annexes designated “informative” are given for information only.
In this standard, annexes A, B, C and D are informative.

- 3 - EN 50159-2:2001
Contents
Introduction .4
1  Scope .5
2  Normative references.5
3  Definitions.5
4  Reference architecture .11
5  Threats to the transmission system.13
6  Requirements for defences .13
6.1  Introduction.13
6.2  General requirements.14
6.3  Specific defences .14
7  Applicability of defences against threats.19
7.1  Introduction.19
7.2  Threats/defences matrix .19
7.3  Choice and use of safety code and cryptographic techniques.20
Annex A (informative)  Guideline for defences.21
A.1  Applications of time stamps .21
A.2  Choice and use of safety codes and cryptographic techniques .22
Annex B (informative) Bibliography.28
Annex C (informative) Guidelines for use of the standard.29
C.1  Scope/purpose.29
C.2  Classification of transmission systems.29
C.3  Procedure.31
C.4  Example.32
Annex D (informative) Threats on open transmission systems.36
D.1  System view.36
D.2  Derivation of the basic message errors .37
D.3  Threats.38
D.4  A possible approach for building a safety case.39
D.5  Conclusions.43

Introduction
If a safety-related electronic system involves the transfer of information between different locations, the
communication system then forms an integral part of the safety-related system and it must be shown that
the end to end transmission is safe in accordance with ENV 50129.
The safety requirements for a data communication system depend on its characteristics which can be
known or not. In order to reduce the complexity of the approach to demonstrate the safety of the system
two classes of transmission systems have been considered. The first class consists of the ones over which
the safety system designer has some degree of control. It is the case of the closed transmission systems
whose safety requirements are defined in EN 50159-1. The second class, named open transmission
system, consists of all the systems whose characteristics are unknown or partly unknown. This standard
defines the safety requirements addressed to the transmission through open transmission systems.
The transmission system, which is considered in this standard, has in general no particular preconditions to
satisfy. It is from the safety point of view not or not fully trusted and is considered as a ”black box”.
This standard is closely related to EN 50159-1 ”Safety-related communication in closed transmission
systems” and ENV 50129 ”Safety related electronic systems for signalling”.
The standard is dedicated to the requirements to be taken into account for the transmission of safety-
related information over open transmission systems.
Cross-acceptance, aimed at generic approval and not at specific applications, is required in the same way
as for ENV 50129 ”Safety related electronic systems for signalling”.

- 5 - EN 50159-2:2001
1  Scope
This European Standard is applicable to safety-related electronic systems using an open transmission
system for communication purposes. It gives the basic requirements needed, in order to achieve safety-
related transmission between safety-related equipment connected to the open transmission system.
This standard is applicable to the safety requirement specification of the safety-related equipment,
connected to the open transmission system, in order to obtain the allocated safety integrity level.
The properties and behaviour of the open transmission system are only used for the definition of the
performance, but not for safety. Therefore from the safety point of view the open transmission system can
potentially have any property, as various transmission ways, storage of messages, unauthorised access,
etc. The safety process shall only rely on properties, which are demonstrated in the safety case.
The safety requirement specification is a precondition of the safety case of a safety-related electronic
system for which the required evidences are defined in ENV 50129. Evidence of safety management and
quality management has to be taken from ENV 50129. The communication related requirements for
evidence of functional and technical safety are the subject of this standard.
This standard is not applicable to existing systems, which had already been accepted prior to the release of
this standard.
This standard does not specify:
- the open transmission system,
- equipment connected to the open transmission system,
- solutions (e.g. for interoperability),
- which kinds of data are safety-related and which are not.
2  Normative references
This European Standard incorporates by dated or undated reference, provisions from other publications.
These normative references are cited at appropriate places in the text and the publications are listed
hereafter. For dated references, subsequent amendments to or revisions of these publications apply to this
European Standard only when incorporated in it by amendment or revision. For undated references the
latest edition of the publication referred to applies.
EN 50126 Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS)
EN 50128 Railway applications - Communications, signalling and processing systems - Software
for railway control and protection systems
ENV 50129 Railway applications - Safety related electronic systems for signalling
3  Definitions
For the purpose of this standard, the following definitions apply:
3.1
access protection
processes designed to prevent unauthorised access to read or to alter information, either within user
safety-related systems or within the transmission system
3.1.1
hacker
a person trying deliberately to bypass access protection

3.2
authenticity
the state in which information is valid and known to have originated from the stated source
3.3
authorisation
the formal permission to use a product/service within specified application constraints
3.3.1
unauthorised access
a situation in which user information or information within the transmission system is accessed by
unauthorised persons or hackers
3.3.2
confidentiality
the property that information is not made available to unauthorised entities
3.4
check
a process to increase assurance about the state of a system
3.4.1
redundancy check
a type of check that a predefined relationship exists between redundant data and user data within a
message, to prove message integrity
3.5
cryptographic techniques
output data are calculated by an algorithm using input data and a key as a parameter. By knowing the
output data, it is impossible within a reasonable time to calculate the input data without knowledge of
the key. It is also impossible within a reasonable time to derive the key from the output data, even if
the input data are known
3.6
data
a part of a message which represents some information
3.6.1
data corruption
the alteration of data
3.6.2
user data
data which represents the states or events of a user process, without any additional data. In case of
communication between safety-related equipment, the user data contains safety-related data
3.6.3
additional data
data which is not of any use to the ultimate user processes, but is used for control, availability, and
safety purposes
3.6.4
redundant data
additional data, derived, by a safety-related transmission process, from the user data

- 7 - EN 50159-2:2001
3.6.4.1
safety code
redundant data included in a safety-related message to permit data corruptions to be detected by the
safety-related transmission process. Suitable encoding techniques may include
3.6.4.1.1
non cryptographic safety code
redundant data based on non cryptographic functions included in a safety-related message to permit
data corruptions to be detected by the safety-related transmission process
3.6.4.1.1.1
cyclic redundancy check (CRC)
the CRC is based on cyclic codes, and is used to protect messages from the influence of data
corruptions
3.6.4.1.2
cryptographic safety code
redundant data based on cryptographic functions included in a safety-related message to permit data
corruptions and unauthorised access to be detected by the safety-related transmission process
3.6.4.1.2.1
message authentication code (MAC)
a cryptographic function of the whole message and a secret or public key. By the whole message is
meant also any implicit data of the message which is not sent to the transmission system
3.6.4.1.2.2
manipulation detection code (MDC)
a function of the whole message, but in contrast to a MAC there is no secret key involved. By the
whole message is meant also any implicit data of the message which is not sent to the transmission
system. The MDC is often based on a hash function
3.6.4.2
sequence number
an additional data
...