

Title:
SAFETY-CRITICAL ROUTER
Document Type and Number:
WIPO Patent Application WO/2018/086917
Kind Code:
A1
Abstract:
A method which facilitates testing and commissioning of new network equipment in the live railway without interference to the working of the live railway environment. A multi-core router (100) is provided to manage existing, live equipment (10, 11, 12, 13) and new test equipment (15, 16, 17, 18) under test, in respective VPNs (14, 19). Master and Standby lanes are provided in the router to allow hot-swapping from one VPN configuration to another. This provides the means of testing the installed new railway network equipment within a live railway environment, whilst maintaining the required safety separation of the test and live equipment. This invention adds the flexibility of testing from a remote location with fewer resources.

Inventors:
LAKSHMANAPPA SUNITHA (GB)
SHETTY DEEPAK (GB)
Application Number:
PCT/EP2017/077668
Publication Date:
May 17, 2018
Filing Date:
October 27, 2017
Assignee:
SIEMENS RAIL AUTOMATION HOLDINGS LTD (GB)
International Classes:
H04L12/26; H04L12/24; H04L29/06
Foreign References:
EP1407356A12004-04-14
US20080186977A12008-08-07
Attorney, Agent or Firm:
MAIER, Daniel (DE)
Claims:

1. A router for use in commissioning new equipment within a network, the network comprising live equipment, the router having:

a first processing element managing a first Virtual Private Network, VPN, for live equipment which is already operational; and

a second processing element managing a second VPN, separate from said first VPN, for new equipment to be commissioned;

each processing element including a configuration module allowing remote configuration of each VPN by being configured with a mapping defining connections of equipment to any of a plurality of network interfaces, and further including routing algorithm logic allowing testing of said mapping.

2. The router according to claim 1 in which there are provided Master and Standby lanes each having respective said first and second processing elements,

the router further comprising a configuration manager operable to switch the Master lane to the Standby lane and vice-versa.

3. The router according to claim 2 wherein the configuration manager is arranged to receive a said mapping, validate the same using the routing algorithm logic and once the mapping is validated, to effect said lane switch thereby bringing the new equipment into operation.

4. The router according to any preceding claim wherein the router, and each lane of the router if provided, further comprises a support processing element for interfacing with at least one remote computing device, which includes said configuration manager and receives said remote configuration.

5. The router according to any preceding claim wherein the items of equipment communicate via exchange of data packets and the routing algorithm logic employs at least one of a routing ID for internal use of the router added to a packet header, and a direction flow control field in a packet payload.

6. The router according to claims 2 and 5 in combination, wherein the routing ID is derived from an identifier of a said processing element and an identifier of a said lane.

7. The router according to claim 5 or 6 wherein the direction flow control field is determined by setting allowed directions of communication of equipment in said mapping.

8. The router according to any preceding claim wherein each first and second processing element is controlled by a safety-critical real-time operating system.

9. The router according to any preceding claim wherein each first and second processing element is a respective core of a multi-core processor.

10. The router according to any preceding claim wherein the router is SIL-4 compliant.

11. A network comprising:

the router according to any of claims 1 to 10;

at least one item of live equipment in the first VPN;

at least one item of new equipment in the second VPN; and

a management device connected to the router for configuring each VPN.

12. The network according to claim further comprising a gateway connected to the router, wherein other equipment existing in the network communicates with the real equipment and test equipment through the router and gateway.

13. A method of commissioning test equipment in a network comprising:

connecting live equipment to the first VPN of the router according to any of claims 1 to 10;

connecting new equipment to the second VPN of the router;

remotely configuring the router with a mapping for the new equipment; and validating the mapping by the configuration manager.

14. The method according to claim 13, wherein the router comprises Master and Standby lanes each having respective said first and second processing elements; and the method further comprises:

after said validating, bringing the new equipment into operation by switching the Master lane to the Standby lane and vice-versa.

15. Software in the form of a set of computer-readable instructions which, when executed by one or more processing elements of one or more computing devices, performs the method of claim 13 or 14.

Description:
Safety-critical router

Technical field of the invention

The present disclosure relates to a safety-critical router particularly, but not necessarily exclusively, applicable to installing, testing and operating trackside electrical equipment in a railway.

Background of the invention

Modern railway networks involve the use of a large amount of electrical equipment, both on board railway vehicles and, of more relevance to the invention to be described, installed at and near the track. Such equipment includes, for example, signalling equipment, fault detectors, zone controllers and electrical supply equipment and is referred to below collectively as "railway network equipment". The railway network equipment is connected to a communications network allowing remote control and monitoring. The electrical network constituted by all the various trackside equipment including their communications links is referred to below as the "trackside network". In the case of the UK railway network for example, this is based around the Fixed Telecom Network (FTN), largely built using optical fiber and currently based around Synchronous Digital Hierarchy (SDH), but is being upgraded to an all-Internet Protocol (IP) network called FTNx. The trackside network is essentially a very large computer network, so techniques known from computer networking, such as switching, routing and private or virtual networks can be applied to it.

Existing methods of installing, testing and bringing into operation new or replacement equipment in the trackside network are laborious and cumbersome. Such installing, testing and making equipment operational is referred to henceforth as "commissioning". Figure 1 outlines steps in a conventional commissioning method 1000 when some new or upgraded equipment is to be installed at a given site. Step 1001 is to physically install the equipment and make a visual inspection on site of the power cables and other connections. Step 1002 is a standalone or no-load test on site, which leads in step 1003 to operational tests at the site. Finally in step 1004, an end-to-end test is performed at the site location when all installed equipment and sub-systems are tested. This stage shows that all the various equipment and sub-systems can functionally operate, thus fulfilling all the performance requirements. As will be apparent, such a method is inefficient and potentially hazardous to engineers as it requires tests to be carried out on a site by site basis, and in phases.

Stringent safety standards are applied to railway electrical equipment. The concept of a Safety Integrity Level (SIL) is employed to assess the relative level of safety required by each component, equipment or system in the trackside network. Each SIL defines a range of values for parameters such as probability of failure per hour (PFH), with an associated risk reduction factor (RRF). Four levels are defined as follows:

SIL   PFH                         PFH (power)      RRF
1     0.00001 - 0.000001          10^-5 - 10^-6    100,000 - 1,000,000
2     0.000001 - 0.0000001        10^-6 - 10^-7    1,000,000 - 10,000,000
3     0.0000001 - 0.00000001      10^-7 - 10^-8    10,000,000 - 100,000,000
4     0.00000001 - 0.000000001    10^-8 - 10^-9    100,000,000 - 1,000,000,000

For railway applications, the most stringent level, SIL-4, is adopted wherever an equipment failure might result in a likelihood of death or injury. A certification scheme ensures that key equipment used in the trackside network can fulfil this safety level. Equipment which meets the above PFH requirement is referred to as "SIL-4 capable". It would be desirable to provide a method of testing new network equipment in the live railway from a remote location, whilst maintaining the required safety separation of test and live equipment.

Solution according to the invention

According to a first aspect of the present disclosure, there is provided a router for use in commissioning new equipment within a network comprising live equipment, the router having:

a first processing element managing a first Virtual Private Network, VPN, for live equipment which is already operational; and

a second processing element managing a second VPN, separate from said first VPN, for new equipment to be commissioned;

each processing element including a configuration module allowing remote configuration of each VPN by being configured with a mapping defining connections of equipment to any of a plurality of network interfaces, and further including routing algorithm logic allowing testing of said mapping.

In the above router, preferably, there are provided Master and Standby lanes each having respective said first and second processing elements, the router further comprising a configuration manager operable to switch the Master lane to the Standby lane and vice-versa. This configuration manager may be arranged to receive the above mentioned mapping, validate the same using the routing algorithm logic and once the mapping is validated, to effect a lane switch (referred to elsewhere as hot-swapping), thereby bringing the new equipment into operation.

Further preferably, the router (or each lane of the router) comprises a support processing element for interfacing with at least one remote computing device, which includes said configuration manager and receives said remote configuration.

The items of equipment preferably communicate via exchange of data packets, in which case the routing algorithm logic may employ at least one of a routing ID for internal use of the router added to a packet header, and a direction flow control field in a packet payload.

Here, the routing ID can be derived from an identifier of a said processing element and an identifier of a said lane, and the direction flow control field can be determined by setting allowed directions of communication of equipment in said mapping. Each of the above first and second processing elements is preferably controlled by a safety-critical real-time operating system, such as Arinc-653. On the other hand, the support processing element can be controlled using a general-purpose operating system. Preferably, each processing element is a respective core of a multi-core processor; alternatively separate microprocessors could be used for each processing element.

The router is preferably SIL-4 capable, in other words capable of being certified under the SIL 4 standard. This is achieved by a combination of the above features including separating real and test equipment into distinct VPNs, a hot-swappable lane structure, and use of a safety-critical real-time operating system. According to a second aspect of the present invention, there is provided a network comprising:

the router as defined above;

at least one item of live equipment in the first VPN;

at least one item of new equipment in the second VPN; and

a management device connected to the router for configuring each VPN.

The network preferably includes a gateway connected to the router, wherein other equipment existing in the network communicates with the real equipment and test equipment through the router and gateway.

According to a third aspect of the present invention, there is provided a method of commissioning test equipment in a network comprising:

connecting live equipment to the first VPN of a router as defined above;

connecting new equipment to the second VPN of the router;

remotely configuring the router with a mapping for the new equipment; and validating the mapping by the configuration manager.

As already mentioned, the router preferably comprises Master and Standby lanes each having respective first and second processing elements. In this case the method may comprise an additional step of bringing the new equipment into operation by switching the Master lane to the Standby lane and vice-versa.

Accordingly, embodiments of the present invention relate to a method facilitating testing and commissioning of new network equipment in the live railway without interference to the working of the live railway environment. A multi-core router is provided to manage existing, live equipment (real equipment) and new equipment under test (test equipment), in respective VPNs. Master and Standby lanes are provided in the router to allow hot-swapping from one VPN configuration to another. This provides the means of testing the installed new railway network equipment within the live railway environment, whilst maintaining the required safety separation of the test and live equipment. An additional benefit is the flexibility of testing from a remote location with fewer resources.

An embodiment of the present invention can provide, for the first time, a "SIL-4 capable router", in other words a router having a PFH level capable of meeting the SIL-4 standard by separating real and test equipment into distinct VPNs, a hot-swappable lane structure, and use of a safety-critical real-time operating system, and therefore suitable to employ with safety-critical railway network equipment.

An apparatus or computer program according to preferred embodiments of the present invention can comprise any combination of method features referred to above.

Methods or computer programs according to further embodiments can be described as computer implemented in that they require processing and memory capability.

The apparatus according to preferred embodiments is described as configured or arranged to, or simply "to" carry out certain functions. This configuration or arrangement could be by use of hardware or middleware or any other suitable system. In preferred embodiments, the configuration or arrangement is by software.

According to a further aspect there is provided a program which when loaded onto at least one computer configures the at least one computer to carry out the method steps according to any of the preceding method definitions or any combination thereof. In general the computer may comprise the elements listed as being configured or arranged to provide the functions defined. For example this computer may include memory, processing, and a network interface.

The invention can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The invention can be implemented as a computer program or computer program product, i.e., a computer program tangibly embodied in a non-transitory information carrier, e.g., in a machine-readable storage device, or in a propagated signal, for execution by, or to control the operation of, one or more hardware modules.

A computer program can be in the form of a stand-alone program, a computer program portion or more than one computer program and can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a data processing environment. A computer program can be deployed to be executed on one module or on multiple modules at one site or distributed across multiple sites and interconnected by a communication network.

Method steps of the invention can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Apparatus of the invention can be implemented as programmed hardware or as special purpose logic circuitry, including e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions coupled to one or more memory devices for storing instructions and data.

The invention is described in terms of particular embodiments. Other embodiments are within the scope of the following claims.

To avoid unnecessary duplication of effort and repetition of text in the specification, certain features are described in relation to only one or several aspects or embodiments of the invention. However, it is to be understood that, where it is technically possible, features described in relation to any aspect or embodiment of the invention may also be used with any other aspect or embodiment of the invention.

Brief Description of the Drawings

The above mentioned attributes, features, and advantages of this invention and the manner of achieving them will become more apparent and understandable with the following description of embodiments of the invention in conjunction with the corresponding drawings, wherein:

Figure 1 outlines a conventional method of commissioning railway network equipment;

Figure 2 shows an interconnection architecture of railway network equipment applicable to the present invention;

Figure 3 shows hardware resources of a SIL4 Capable Router focussing on one lane thereof;

Figure 4 illustrates a user interface employed for mapping Ethernet interfaces to network equipment;

Figure 5 outlines a method of commissioning railway network equipment by use of the present invention; and

Figure 6 is a schematic view of a computing device capable of being employed as, for example, a maintenance computer for configuring the router.

Description of the preferred embodiments

Figure 2 shows an example railway network equipment inter-connection architecture considered for the present invention, in which real equipment 10, 11, 12 and 13 (that is, live equipment which is already in operation at a site), test equipment 15, 16, 17 and 18 (that is, new equipment in the process of being tested/commissioned, for adding to or taking over from the real equipment) and adjacent equipment 31 and 32 (real equipment at another site) are connected together. In this architecture, these connections are made through a gateway 20 and SIL4 Capable Router 100. As can be seen from the Figure, the real equipment and test equipment are grouped into respective Virtual Private Networks (VPNs) 14 and 19, and the adjacent equipment connected via respective VLANs 22 and 24 to the gateway 20. It may be helpful to briefly define these terms.

A gateway, in the present context is one form of switch used to link network devices together and to forward data from one port to another based on information read from data packets being transmitted. Types of switch include "Layer 2" and "Layer 3" switches, these Layers being defined in the OSI (Open Systems Interconnection) seven-layer model. The term gateway is applied to a switch or router at the connecting point of two or more networks.

Layer 2 switches can read MAC addresses of packets but are not aware of the use or priority of those packets. By contrast, Layer 3 switches (also called routers) are able to use Network Layer (Layer 3) information to apply intelligence when forwarding packets. Based on the address of the destination network in the incoming packet and an internal routing table, the router determines on which of its ports to send out the packet, each port being typically connected to an Ethernet cable. Routers require packets formatted in a routable protocol, the most common being Internet Protocol (IP). In this way, a router can forward packets based on IP address or to prioritise packets sent by particular applications. Routers and Layer 3 switches also have the ability to logically segment a network into two or more Virtual local area networks (VLANs).

A VLAN is a switched network that is logically segmented on an organizational basis, for example by function, rather than on a physical or geographical basis. For example, all test equipment to be commissioned at a given site can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other, real equipment. VLANs allow logical network topologies to overlay the physical switched infrastructure such that any arbitrary collection of LAN ports can be combined into a desired grouping. In this way, there is no need to physically unplug and replug cables to move equipment from one network to another: this can be achieved in software, by configuring a port into the appropriate VLAN.

A virtual private network (VPN) provides an encrypted connection over a less secure network. The benefit of using a secure VPN is it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. The most common types of VPNs are remote-access VPNs and site-to-site VPNs.

The architecture of Figure 2 displays the following characteristics. Firstly, the central real and test network equipment 10-13 and 15-18 are all connected to a single SIL4 Capable Router 100 (see below).

Second, all communications between the central real/test network equipment and adjacent systems 31, 32 are routed via a single gateway 20, for example a Layer-3 managed switch.

Third, the test equipment 15-18 (equipment to be tested/commissioned) is grouped into a VPN 19. Real equipment 10-13 (i.e. equipment which is already in use) is separated into a different VPN 14. In this example, there is one VPN 14 for the set of real equipment 10-13 and another VPN 19 for the set of test equipment 15-18. Other sets of test or real equipment could be present in further VPNs. Although sets of equipment are illustrated in Figure 2, at a minimum one VPN could contain one item of equipment.

As explained below, the SIL4 Capable Router employs multiple processor cores to handle routing of signals, and each of these VPNs is handled by a different core. In this way, isolation is provided between the real equipment and test equipment.

The core of the architecture is the SIL4 Capable Router and this will now be described in more detail. The SIL4 Capable Router is based around the concept of "lanes", which are distinct paths through the router. The SIL4 Capable Router provides three lanes, and is referred to as a hot-swap 2oo3 (2 out of 3) system because only two out of the three lanes are active at one time. Each lane consists of SIL-4 capable hardware which, combined with the hot-swappable ability of the lanes, makes the router as a whole able to meet the SIL-4 standard, in other words SIL-4 capable.

Each lane has its own responsibility. One lane acts as the Master lane and is responsible for the actual operation of the SIL4 Capable Router. The other two lanes act as Standby lanes. Either standby lane can take over as the Master lane at any time ("hot-swappable"). This enables the two VPNs shown in Figure 2 to be swapped over so that VPN 19 replaces VPN 14, making test equipment 15-18 operative in the network as real equipment. It should be noted that the numbers of items of equipment and the number of VLANs are arbitrary. Although Figure 2 shows two VPNs, one for real equipment and one for test equipment, this is not essential: for example there may be no real equipment already in place at the site, or no need for isolating real from test equipment, in which case there would be a single VPN comprised of the test equipment.

As explained above, Master and Standby Lanes are provided to allow switchover to happen smoothly when configuration is changed and validated. That is, one of the Standby lanes handles the change in the router configuration performed by the administrator (see below), validates, and applies to itself. Then it takes over as the Master lane and performs syncing with other lanes.

Figure 3 is a schematic block diagram showing a combination of hardware and software modules, focussing on one lane. Each lane has its own Main Processor (the elements of which are above the chain line across Figure 3, labelled 110-113 and 115) and a support processor (the elements 125 and 126 below the chain line). Figure 3 also shows peripheral items including a logger 202, remote monitor 203, config data manager 205, public network 201 and maintenance laptop 200. These units, which are conventional in themselves and whose functions will be familiar to those of skill in the art, are not part of the SIL4 Capable Router but have to be connected to the router for configuration purposes and so forth as explained below.

Connections of such external equipment, as well as the connection of the Gateway to the SIL4 Capable Router in Figure 2, can be made via the Public Network 201, for example a Wi-Fi or Ethernet network.

Thus, the hardware resources available to each Lane comprise two Microprocessors: a Main processor and a Support processor. The Main microprocessor has 4 cores 110, 111, 112 and 113 in this example, assuming a quad-core processor is used. Each core can handle one VPN shown in Figure 2. Thus, each Lane can provide as many VPNs as the number of cores in the Main microprocessor (less one for housekeeping).

The Main processor is responsible for safety critical functions, up to SIL4, and uses an Arinc-653 Interface Standard OS, indicated by 115 in the Figure, in order to partition applications with different SILs. Arinc-653 is a software specification (originally developed for the aerospace industry) for partitioning applications in real-time operating systems. Each application is given its own partition in memory and its own dedicated time slot, allowing different applications to be combined in the same computing platform whilst containing faults within each application. Use of an Arinc-653 Interface Standard OS therefore contributes to making the router SIL-4 capable. As shown in Figure 3, the Arinc-653 OS 115 has various sub-modules including an XML configuration module 1151, health management module 1152, ARIC ports 1153 and PCIe driver 1154.

The Support processor can be a single-core processor and employs a general purpose operating system, such as Linux, as indicated at 125 in Figure 3. It provides functionality such as the latest secure networking solutions, flexibility and performance advantages. Functional modules of the Linux kernel include a driver 1251, security software 1252, a flash file system 1253 and network interface 1254 linking the Support processor to the Public network 201. The two processors are linked via a multi-core hardware platform 116 in the Main processor and a single hardware platform 126 in the Support processor, each of these comprising known functional units and interfaces including Ethernet, Serial and PCIe (PCI express) as indicated in the Figure.

In the Main processor, one Core 110 (also labelled Core 0) is responsible for bookkeeping activity, and each of the remaining Cores 111, 112 and 113 is responsible for managing an individual private network (see Figure 2) and routing of the data within that private network. Since each private network is handled by a separate Core, this helps to eliminate cross-communication between individual private networks. This provides a safe isolation within the network equipment and contributes to the SIL4 capability of the router 100. As already mentioned, multiple VPNs are not essential. If isolation is not required between the network equipment (in other words, if both test equipment and real equipment can be handled by one lane), then a single Core will perform the normal routing operation and the rest of the Cores will remain idle. This would correspond to removing the dashed divider line in Fig. 2.

The manner in which items of test equipment or real equipment are assigned to VPNs (and thus to Cores) will now be explained with respect to Figure 4. Figure 4 shows a screen display 220 as part of a user interface presented to an administrator (referred to below simply as "admin"), i.e. a human user of the maintenance laptop 200 who is responsible for commissioning the test equipment. As shown in the Figure, the display includes tabbed windows for each of Core 1, Core 2 and Core 3 (111-113 in Figure 3). For each Core (and thus, for each VPN 14 and 19 of Figure 2), a left-hand panel 221 represents the N available Ethernet interfaces of that Core, eth0 to eth(N-1). The right-hand panel 222 is a list of equipment to be connected, each item of equipment having a name Label 0, Label 1 and so forth. Although N items of equipment are listed, there may be fewer than N items in practice. To assign a connection (or mapping) between equipment and interfaces, the admin drags an arrow between the two panels. The arrows may be bidirectional, such as the arrow labelled 228 joining eth0 to Label 0, or unidirectional, as illustrated by arrow 229 joining eth2 to Label 3. This reflects the desired modes of communication (duplex, TX-blocked or RX-blocked as noted below), which are confirmed as part of a validation process explained below.

The above process, called Network Equipment Mapping, allows mapping of the Ethernet interfaces to the network equipment in the live railway network, and is re-configurable by the admin depending upon the functional need. The User Interface provides the following facilities, shown by the buttons 224 to 227 displayed at the bottom of the user interface 220:

Save 224 - Admin can save the intermediate changes to the mapping configuration data locally

Cancel 225 - Admin can cancel the changes performed if needed

Validate 226 - Validates the mapping configuration data (see below)

Commit 227 - A cross-compiled binary image of the mapping configuration data is sent to the Support processor of one of the Standby lanes, which in turn passes the binary image to Core 0 of the Main processor via PCIe link 1154 and 1155. A configuration client 1111, 1121 or 1131 in the appropriate Core is responsive to the Configuration Manager 1101 of Core 0 to implement the changes.

In addition, the admin can switch between Cores (and thus, between the VPNs 14 and 19) by selecting the tabs at the top of the display. The mapping may be made separately for each Core, but a copy facility could be provided to copy settings for one Core over to another Core. It will be noted from the above that there is no need for the admin to be concerned with which Lanes are operational in the SIL4 Capable Router. He or she need only consider the mapping of Ethernet interfaces to equipment, after which the router will switch the Lanes to effect the mapping once the Commit button is pressed.

As will be apparent from the above, data is handled by the router in the form of Ethernet packets. As part of the above mentioned validation, to protect packets from erroneous assignment to the wrong destination Ethernet address, the present embodiment provides Routing Algorithm Logic, using a Routing Protection Scheme to ensure that packet data is correctly routed from the source network equipment to the destination network equipment. This includes checking if any real or test equipment is not to receive data (RX-blocked) or not allowed to transmit data (TX-blocked). The Routing Algorithm Logic is present in each core 111, 112 and 113 of Figure 3 as indicated at 1112, 1122 and 1132.

The Routing Protection Scheme defines a Lane ID, Core ID and Routing ID for routing the data between the network equipment. The Routing ID is formed by exclusive-ORing the Lane ID and the Core ID and is managed as a mask of bits. The Routing ID is assigned to each Core of the Main processor and added to the Ethernet header of each packet so as to identify the correct routing, and is for internal use within the router 100. The Lane ID forms part of the Routing ID so that data cannot be incorrectly handled by the Routing Algorithm Logic of another lane via the inter-lane links. The Core ID forms part of the Routing ID so that data cannot be incorrectly handled by the Routing Algorithm Logic of another core. For example, the Routing ID of Core 1 in Lane 1 is set to 0x11, as indicated in Table 1. The Routing ID is an 8-bit unique identifier assigned to each core of the Main processor and is initialised at system start-up by default. The Routing ID can be reconfigured by an admin with sufficient rights while the router is operational in the live Railway network. The Routing Algorithm Logic uses the Routing ID to validate the source and destination address of the network equipment for the data exchange via the SIL4 Capable Router. It is assumed that each of the source and destination is an item of real equipment or test equipment attached to the SIL4 Capable Router. In this context, to validate the destination address means to check whether the Routing ID is an ID corresponding to a Core and Lane of the SIL4 Capable Router. Likewise, validating the source address is done using a Routing ID derived from the relevant Lane ID and Core ID of the router 100.

If the validation fails, the admin is informed of this fact and the Routing Algorithm Logic then ignores the data. The different source and destination equipment can be identified by different label names and their mapping to different Ethernet interfaces, as shown in the following Table 1, which corresponds to the GUI representation shown in Figure 4. That is, based on the VPN to which an item of equipment belongs (Figure 2), the corresponding Lane ID is set for that equipment as the source Lane ID. In Table 1, x indicates hexadecimal representation and dots indicate arbitrary values. To save space, the values are not filled in for Cores 2 and 3 (0x02 and 0x04), but these would correspond to the values for Core 1 (0x01). As already mentioned, Core 0 is reserved for housekeeping purposes and therefore does not have a routing configuration.

Lane ID   Core ID   Routing ID =           Equipment Label   Ethernet         IP Address   Direction (None = 0,
(8 Bits)  (8 Bits)  (Lane ID XOR Core ID)  (32 chars)        Interface Name                RX-Blocked = 1,
                                                                                           TX-Blocked = 2,
                                                                                           ALL-Blocked = 3)
0x10      0x00      0x10                   NA                NA               NA           NA
          0x01      0x11                   Label0            eth0             ...          0
                                           Label1            eth1             ...          1
                                           Label3            eth2             ...          2
                                           ...               ...              ...          ...
                                           ...               ethN-1           ...          0
          0x02      0x12                   ...               eth0             ...          0
                                           ...               eth1             ...          0
                                           ...               ...              ...          ...
                                           ...               ethN-1           ...          0
          0x04      0x14                   ...               eth0             ...          0
                                           ...               eth1             ...          0
                                           ...               ...              ...          ...
                                           ...               ethN-1           ...          0
0x20      ...       ...                    ...               ...              ...          ...
0x40      ...       ...                    ...               ...              ...          ...

Table 1 - Routing Algorithm Logic Configuration Table

A further aspect of data exchange among items of equipment attached to the SIL4 Capable Router is the permitted directions of communication, as indicated in Figure 4 by the unidirectional and bidirectional arrows. This is referred to as Directional Flow Control and is indicated by a field added to the payload of each Ethernet packet, which takes a value as shown in Table 2 below:

Value   Direction     Note
0       None          This is assigned by default; enables the equipment to communicate in Duplex mode.
1       RX-Blocked    Blocks the equipment from receiving data.
2       TX-Blocked    Blocks the equipment from transmitting data.
3       ALL-Blocked   Blocks the equipment from both transmitting and receiving data.

Table 2 - Direction Flow Control

It should be noted that this field (and the Routing Algorithm Logic in general) is only used for the data exchange between items of equipment connected to the SIL4 Capable Router, and not to other equipment.
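The following Python is an added worked example (not code from the patent application or from Siemens) that models the Routing Protection Scheme of Table 1 and the Directional Flow Control of Table 2 together. The Lane ID, Core ID and Routing ID values (0x10, 0x01, 0x11 and so on) and the Label0/Label1/Label3 rows are those of Table 1; the class and function names (RoutingAlgorithmLogic, Mapping, check, core1_lane1_logic) are assumptions of this model. The description does not state exactly how the per-packet direction field is compared with the configured mapping, so the model takes the configured direction of the source and destination equipment from the mapping table, which is also an assumption.

```python
"""Model of the Routing Protection Scheme (Table 1) and Directional Flow
Control (Table 2) for data exchanged between equipment attached to the
SIL4 Capable Router.  Added illustration; class and function names are
assumptions, not identifiers from the patent application."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Direction values from Table 2.
DIR_NONE, DIR_RX_BLOCKED, DIR_TX_BLOCKED, DIR_ALL_BLOCKED = 0, 1, 2, 3

# Lane and Core IDs as listed in Table 1 (one bit per lane, one bit per core).
LANE_IDS = {1: 0x10, 2: 0x20, 3: 0x40}
CORE_IDS = {0: 0x00, 1: 0x01, 2: 0x02, 3: 0x04}


def routing_id(lane_id: int, core_id: int) -> int:
    """Routing ID = Lane ID XOR Core ID, an 8-bit value (e.g. 0x10 ^ 0x01 = 0x11)."""
    for value in (lane_id, core_id):
        if not 0 <= value <= 0xFF:
            raise ValueError("Lane ID and Core ID are 8-bit values")
    return lane_id ^ core_id


@dataclass(frozen=True)
class Mapping:
    """One row of Table 1: an equipment label, its Ethernet interface and its direction."""
    label: str
    interface: str
    direction: int = DIR_NONE


class RoutingAlgorithmLogic:
    """Per-core logic: only data between equipment mapped in this core's VPN,
    carrying this core's Routing ID in the Ethernet header, is forwarded."""

    def __init__(self, lane_id: int, core_id: int, mappings: Iterable[Mapping]):
        if core_id == CORE_IDS[0]:
            # Core 0 is reserved for housekeeping and has no routing configuration.
            raise ValueError("Core 0 has no routing configuration")
        self.routing_id = routing_id(lane_id, core_id)
        self.by_label: Dict[str, Mapping] = {m.label: m for m in mappings}

    def check(self, src_label: str, dst_label: str, pkt_routing_id: int) -> Tuple[bool, str]:
        """Validate one packet; returns (accepted, reason).  Rejected data is
        ignored by the logic and the admin is informed."""
        # A Routing ID of another lane (via the inter-lane links) or of another
        # core never matches this core's own ID, so such data is dropped here.
        if pkt_routing_id != self.routing_id:
            return False, "routing id 0x%02x does not match this core (0x%02x)" % (
                pkt_routing_id, self.routing_id)
        src = self.by_label.get(src_label)
        dst = self.by_label.get(dst_label)
        if src is None or dst is None:
            return False, "source or destination is not mapped in this VPN"
        # Directional Flow Control (Table 2), taken from the configured mapping.
        if src.direction in (DIR_TX_BLOCKED, DIR_ALL_BLOCKED):
            return False, "source %s is TX-blocked" % src_label
        if dst.direction in (DIR_RX_BLOCKED, DIR_ALL_BLOCKED):
            return False, "destination %s is RX-blocked" % dst_label
        return True, "forward %s -> %s" % (src.interface, dst.interface)


def core1_lane1_logic() -> RoutingAlgorithmLogic:
    """Core 1 of Lane 1 configured with the sample rows of Table 1 (constructed here)."""
    return RoutingAlgorithmLogic(LANE_IDS[1], CORE_IDS[1], [
        Mapping("Label0", "eth0", DIR_NONE),        # duplex, as arrow 228 in Figure 4
        Mapping("Label1", "eth1", DIR_RX_BLOCKED),  # may transmit, never receives
        Mapping("Label3", "eth2", DIR_TX_BLOCKED),  # receives only, as arrow 229
    ])


if __name__ == "__main__":
    logic = core1_lane1_logic()
    for src, dst, rid in [("Label0", "Label3", 0x11), ("Label3", "Label0", 0x11),
                          ("Label0", "Label1", 0x11), ("Label0", "Label3", 0x12)]:
        print("%s -> %s with Routing ID 0x%02x: %s" % (src, dst, rid, logic.check(src, dst, rid)))
```

Running the block prints the four sample checks: Label0 to Label3 is forwarded, the reverse is dropped because Label3 is TX-blocked, Label0 to Label1 is dropped because Label1 is RX-blocked, and a packet carrying Core 2's Routing ID 0x12 is dropped by Core 1's logic even though both labels are mapped there.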

Having described the functional parts of the router, a method of commissioning test equipment by use of an embodiment of the present invention will now be outlined with respect to Figure 5 showing a simplified operation flow 2000.

Step 2001, as in the conventional method of Figure 1, is to install the test equipment on site and perform a visual check that the units are powered, communication cables are plugged in and so on. In contrast to the conventional method, however, the subsequent steps are carried out remotely, as indicated by the dashed line and the label "Off-Site".

In step 2002, the admin (administrator) logs in to the Maintenance computer 200, which establishes a secure connection to the SIL4 Capable Router 100 remotely. To be specific, the connection is from computer 200 over the Public network 201 to the network interface 1254 of the Support processor. The Maintenance computer 200 can only be operated by administrative personnel with sufficient rights, and the connection is encrypted and also public key infrastructure (PKI) protected. Once the Maintenance computer 200 establishes communication with router 100 successfully, software in the Maintenance computer reads the existing configuration data and the configuration screen depicted in Figure 4 is presented, to display the existing equipment mapping to the admin. In step 2003, the admin revises or updates the mapping of the Ethernet interfaces to the network equipment as described above and finally selects "Commit" (button 227) to effect the changes. This is achieved through communication between the maintenance computer 200 and the Support Processor of router 100, and from there to Core 0 of the Main Processor via their PCIe link, using a Lane Synchronization module 1102.

In step 2004, in response, the Config Manager 1101 in Core 0 of the Main processor validates and then commits the changes. That Standby lane then restarts itself, takes over from the existing Master lane and performs a synchronization operation.

The test equipment is now ready for use. The SIL4 Capable Router can be disconnected and taken to another test site.

As will be apparent, this solution makes the testing and commissioning of new network equipment simpler. Advantages include the following:

(a) Automation of the testing method used before commissioning, by providing guaranteed logical separation of the test and real network equipment in the live railway environment. The logical separation is ensured by maintaining a separate VPN in each Core, and thus doesn't disrupt the existing operation of the Railway network.

(b) The router itself guarantees the logical separation of test equipment from other kinds of equipment, and doesn't involve any unplugging of cables for the testing and then plugging them back in.

(c) Testing using the router is more secure and cannot be hacked, because the logical separation of the test and real network equipment in the live railway environment is performed within the router itself and the risk of human error is extremely low.

(d) The router and testing method can be used with any type of network equipment, from other providers as well, in the live railway system, because they do not depend on data from the externally connected network equipment.

(e) The proposed method and router drastically reduce cost, save time and require fewer resources for the testing of test equipment during commissioning.

(f) The test equipment can be tested remotely from one place with less dependency on other resources.

(g) The present invention provides a safe testing environment, since little physical presence is required at the location of the site testing.

Figure 6 is a block diagram of a computing device which may be used as a maintenance computer 200 as referred to above in order to implement a method of an embodiment. The computing device 200 comprises a computer processing unit (CPU) 993, memory, such as Random Access Memory (RAM) 995, and storage, such as a hard disk, 996. The computing device also includes a network adapter 999 for communication with other such computing devices of embodiments. For example, an embodiment may be composed of a network of such computing devices. Optionally, the computing device also includes Read Only Memory 994, one or more input mechanisms such as keyboard and mouse 998, and a display unit 997 such as one or more monitors. The components are connectable to one another via a bus 992. The CPU 993 is configured to control the computing device and execute processing operations, such as presenting the GUI depicted in Figure 4. The RAM 995 stores data being read and written by the CPU 993. The storage unit 996 may be, for example, a non-volatile storage unit, and is configured to store data.

The CPU 993 may include one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. The processor may include a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets. The processor may also include one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. In one or more embodiments, a processor is configured to execute instructions for performing the operations and steps discussed herein.

The storage unit 996 may include a computer readable medium, which term may refer to a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) configured to carry computer-executable instructions or have data structures stored thereon. Computer-executable instructions may include, for example, instructions and data accessible by and causing a general purpose computer, special purpose computer, or special purpose processing device (e.g., one or more processors) to perform one or more functions or operations. Thus, the term "computer-readable storage medium" may also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methods of the present disclosure. The term "computer-readable storage medium" may accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media. By way of example, and not limitation, such computer-readable media may include non-transitory computer-readable storage media, including Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices).

The display unit 997 displays a representation of data stored by the computing device and displays a cursor and dialog boxes and screens enabling interaction between an admin and the programs and data stored on the computing device, including but not limited to the mapping process of Figure 4. The input mechanisms 998 enable an admin to input data and instructions to the computing device.

The network adapter (network I/F) 999 is connected to the public network (e.g. FDN/FDNx), and is connectable to the router 100 and to other such computing devices via the network. The network adapter 999 controls data input/output from/to other apparatus via the network. Other peripheral devices such as a microphone, speakers, printer, power supply unit, fan, case, scanner, trackball etc. may be included in the computing device 200.

To summarise, embodiments of the present invention facilitate commissioning of new network equipment in the live railway without interference to the working of the live railway environment. In embodiments, this is done using a router which maintains separate VPNs in different processor cores, including one VPN for live equipment and one for test equipment. A user can remotely configure the VPN of the test equipment and, once the configuration has been validated, Master and Standby Lanes within the router are switched over to effect the configuration. This provides the means of testing the installed new railway network equipment within a live railway environment through the use of a router, whilst maintaining the required safety separation of the test and live equipment. This invention adds the flexibility of testing from a remote location with fewer resources. Further, by making the router SIL4 Capable, the required safety level can be assured for critical applications.

The invention can also be used for routine testing of already commissioned network equipment if required. Various modifications are possible within the scope of the invention.

In Figure 3, a Quad-core processor is used as the Main processor for illustration purposes. As will be understood by a person of skill in the art, a different number of cores may be used.

With respect to Figure 3, it is described that a Support processor is provided for each Lane. However, this is not essential and a common support processor could serve multiple Lanes. It will be appreciated by those skilled in the art that although the invention has been described with reference to one or more exemplary examples, it is not limited to the disclosed examples and that alternative examples could be constructed without departing from the scope of the invention as defined by the appended claims.