Project:
TETRA Secury System
TETRA- Personal Emergency Signal System
Part A Functional Overview
1. Basis of the System
1.1. Communication Infrastructure
The system is based on a multi-channel radio communication system using the TETRA standard. To provide the entire project area consistently with radio coverage a two-cell radio system is necessary. To achieve the required traffic capacity (availability of channels for voice communication and data traffic), each base station of the individual cells is to be equipped with two transceiver units (TETRA carriers).
It shall be generally possible to operate only one transceiver per base station as an active unit and the second transceiver as a redundant unit. In case of failure of the first transceiver, the redundant transceiver shall be activated automatically on the same frequency.
Each TETRA carrier provides four independent voice channels, each consisting of a frequency for the downlink (stationary to mobile) and a frequency for the uplink (mobile to stationary). Each base station uses one channel as a control channel for organisational purposes and to transmit short data.
The system shall guarantee the voice communication among the handheld terminals and with all other units of a telephone interphone system connected to the system and into the directly or indirectly connected public telephone network. For connections to PABX units an interface according to SIP standard must be available.
Group calls and individual calls are registered as semi-duplex connections and controlled using the PTT button, incl. direct gating of the handheld terminals’ loudspeakers. With these connections only one participant of the relevant group can speak at a time. Duplex connections which allow both talking parties to talk simultaneously can be established between two handheld terminals or one handheld terminal and a subscriber.
The system architecture shall also allow the system to be extended after commissioning. Radio base stations shall each be upgradeable to 4 carriers and the TETRA system infrastructure shall be upgradeable within the whole system to at least 3 base stations with a total of at least 6 carriers.
An application interface shall be available for the connection of additional applications.
The components of the TETRA base station and the associated central components of the system are to be stored / assembled in 19-inch racks.
Assemblies of exterior antennas are to be equipped with the required lightning arrester and relevant over-voltage lines / devices.
1.1.1. Redundancy
The system architecture must be designed in such a way that failures of individual system components (e.g. a defective carrier) do not result in a total failure of the entire system. In the event of the main transceiver being defective, the redundant transceiver assumes the complete operation of the base station in “Hot Standby”.
To ensure voltage supply even in the case of mains power failures the TETRA base stations and the central components must be equipped with uninterruptible emergency power systems for an operating time of min. 30minutes.
1.2. Messaging and Transmission of Emergency Signals
In addition to voice communication, it must be possible to transmit text messages in the form of SDS (text messaging service) as defined by the TETRA standard, as well as to transmit status messages.
Beyond that, a messaging process must be implemented which allows text messages to be transmitted directly, and also with a voice connection established (group and individual calls). These are reported using different signalling sequences (short call / normal call / warning call / alert call ...). In the case of unavailability (then routing to another agent) or non-readiness e.g. for providing help (then routing to another helper) it must be possible to provide individual messages with real automatic and manual acknowledgements.
In addition to voice and messaging communication, the system must guarantee the transmission of Personal Security Telegrams including the associated localisation information and the data transmission required by comprehensive Personal Security Operations for acknowledgement, telecontrol and monitoring functions.
The system must be equipped with functional characteristics that ensure the transmission of Personal Security Messages in each operating state of the Emergency Signal Devices (even during existing group or individual connections) as well as distributing prioritisable Emergency Messages to the Emergency Signal Devices.
1.3. Handheld Terminals
The TETRA handheld terminals shall ensure an efficient group communication and must also support dual functionality for their use as Personal Emergency Signal Devices. The handheld terminals can freely move through the cells of the system. They are accessible from each cell and can establish voice connections from all cells. If a mobile device is moved through cells while a voice connection is established, the cells are automatically changed. Here the voice connection is not terminated. For each mobile device it must be possible to allocate individual authorisations that define the services accessible to the relevant user (group call, individual call, duplex call, SDS delivery, dial into the TK system, dial into the public telephone network).
For charging the mobile Personal Emergency Signal Devices, cascadable and space-saving quad charging units for wall mounting or system charging units for mounting in depot or compartment systems are to be installed.. Alternatively, the Emergency Signal Devices can be charged in a desktop charger, which provides charging slots for one mobile device and for an additional replacement battery, including the required charging management in one unit.
2. Personal Emergency Signal System (PES)
The Personal Emergency Signal functions described in the following are to be implemented based on interactions between the stationary TETRA infrastructure and the central Personal Emergency Signal Security Server, the inductive localisation units and the mobile Personal Emergency Signal Devices connected to it.
Definitions according to PES standard "DIN V VDE V 0825-1":
· PES: Personal Emergency Signal System
· PND: Personal Emergency Signal Device
· PEC: Personal Emergency Signal Centre
2.1. General PES requirements, certification
The Personal Emergency Signal System offered must comply completely with the requirements of the relevant Directive of the Government Safety Organisation concerning the safety of persons working on dangerous individual workplaces "BGR139".
For the system it is necessary to submit a certificate which proves that the system was tested by an accredited test laboratory and does completely comply with the relevant Directive of the Government Safety Organisation BGR139 and with all checkpoints of the PES test standard DIN V VDE V 0825-1.
2.2. PES-System Architecture
The central PES entity should to be created according to the Server-Client Principle. Processing software is a browser-based emergency management software which can be retrofitted using OPC interfaces and API interfaces.
The central PES functionality is implemented using a PES server connected to the TETRA switch. This server communicates with the application layer of the mobile Personal Emergency Signal Devices (PND). It manages and monitors the functions of the PND, accepts alerts and forwards them to the relevant alert processing units (PES-Clients). It controls, contacts and automatically forwards alarm messages to other Emergency Signal Devices either as e-mail to connected computers or as SMS to GSM mobile phones accessible via e-mail.
2.3. PES-Alarm Types
2.3.1. Manual Alarm Types
The mobile Personal Emergency Signal Devices are provided with two manual alarm types, namely pressure alarm 1 and pressure alarm 2, both of which may be triggered using different buttons on the Emergency Signal Carrier.
In addition to these manual alarm types, it is necessary to provide 2 warning alarm levels which can, additionally, be triggered by manual actuation from the carrier.
Each of these four manual triggering types can be assigned with a different meaning, e.g. identification of a (potentially) escalating situation threatening the unit itself, identification of an escalating situation threatening other units, identification of individual personal emergency situations, or identification of a medical patient emergency.
2.3.2. Automatic Alarm Types
For the automatic identification of emergency situations the PNDs are to be equipped with automatic alarm triggering units using a position sensor (position alarm), motion sensor (immobility alarm) and time monitoring (time alarm). A sensor is used to trigger a tear-off alarm in order detect attack situations where the safety unit is stolen from the user.
The alarm types automatically detected are, at first, reported locally by aural signals (pre-alarm) by the triggered PND and can be cancelled by pressing an acknowledgement key and by removing the alarm criterion in order to avoid false alarms. The acknowledgement key must not be the Emergency Signal or the Warning Signal key.
2.3.3. Alarm Handling
For all alarm types it is possible to program the response time, the pre-alarm time and the reporting behaviour “Loud” / "Silent", "Pitch of signal tone", “Vibration” or “Mute” for each alarm type individually and for each device individually. It may make sense to program the warning alarm and the tear-off alarm mute (to avoid escalation within the attacking situation) and the position alarm loud (accident, dizzy spell, to find casualties) on all devices used to secure personnel in attack-prone environments.
For each device state detected as an alarm event, the possibility of acknowledging the pre-alarm, acceptance of an alarm from the Control Centre personnel must be displayed in the display of the Personal Emergency Signal Device.
It must only be possible to reset triggered Personal Alarms if accepted/released by the Control Centre personnel at the mobile Personal Emergency Signal Device (to avoid tampering with the PND). It must only be possible to mark personal alarms accrued in the Control Centre as processed if they are accepted/released and subsequently reset at the PND in the Control Centre (to avoid violation of alarm situations in the Control Centre).
2.4. PES Safety Functions
2.4.1. Cyclical Supervision, Technical Alarm
To monitor the Personal Emergency Signal Function during ongoing operations it is necessary to cyclically check all PNDs according to DIN V VDE V 0825-1 requirements. With hardware breakdown, such as an interrupted radio connection or the breakdown of static components necessary to transmit the alarm, it is necessary to signal and display a visual and aural technical alarm at the relevant PND in the Control Centre.
2.4.2. Monitored Personal Emergency Signal Operation
The PNDs must be programmed in such a way that the PES operation monitored by the PES server is automatically activated based on any removal from the charging box and that it can only be terminated by putting it back again into a charging box (automatic PES log-in mandatory). The active PES operation must be displayed using a symbol in the PND display during the entire time of the log-in process.
2.4.3. Presentation PND Operating States
To indicate to the personnel in the Control Centre which PNDs are currently in a secure PES operation (information of presence: which persons are within the emergency area / which persons can be called for help in the case of emergency) it is necessary to create a table of the device states in the Control Centre. Additionally, it is necessary to provide a bold representation of the device states, using differently coloured surfaces in the Control Centre (absent, in secured PES operation, in alarm state, PND with technical malfunction). Based on this representation the Centre Personnel shall be able to keep track of things (here grouped PND states) even in more complex emergency situations (such as the location of the secured persons and who can help).
2.4.4. Start-up Test
Prior to taking up the monitored PES operation, the sensor test must automatically start. This tests all activated PES sensors and push buttons for operational reliability. The process of the sensor test as well as the test results must be displayed in the display. If the sensor test fails, the PND must not indicate readiness for operation.
2.4.5. Function Test / 24h Test
After at least 24 hours of operation the required repetition of the sensor test must be signalled and shown in the display.
2.4.6. Localisation Test
In addition to the sensor test, it is necessary to test the functions of the localisation units of the PND prior to starting the PES operation. The test result must be shown in the display. If the localisation test fails, the PND must not indicate readiness for operation.
2.4.7. Secured Personal Emergency Signal Operation
The logins and logouts acknowledged by the PES server in the monitored PES operation must be shown in the display of the PND.
In the monitored PES operation it must not be possible to switch off the PND or to leave the TMO mode.
It must not be possible to leave the secured Personal Emergency Signal Operation even if the device battery was disconnected and reinserted.
2.4.8. Loss of Field Strength Message
The strength of the radio signal currently available must be displayed in the display of the Emergency Signal Device using an indicator with a 6-stage symbolic representation. Breakdown of radio signals needs to be aurally and visually signalled and displayed as a warning message by the mobile device.
2.4.9. Battery level monitor
The battery level currently available must be displayed in the display of the Emergency Signal Device using an indicator. Any shortfall in the minimum charge level must be visually and aurally signalled and displayed as a warning message by the mobile device. Prior to actually switching off the mobile Personal Emergency Signal Device, a technical warning message needs to be transmitted to the Control Centre to be displayed there.
2.4.10. Remotely controlled Eavesdropping
The capability must exist for the Control Centre to eavesdrop via a PND Device, without any action by the user being required.
This operation must be controlled directly from the Alarm Control Workstation and not from a separate workstation, so that the alarm management and eavesdropping functions can be processed and executed via a single user interface.
2.4.11. Hostage /Mute
In the event of hostage taking, the Control Centre must be able to switch the device to the Hostage / Mute mode by remote control. In this way, unauthorised persons (e.g. hostage takers) must be prevented from monitoring operational communication (voice + messaging). In addition, this prevents communication within a group of unauthorised persons.
2.4.12. Presence Integration in the Control Centre
All PND Devices logged into the Personal Emergency Signal System mode must be indicated by means of colours in the Control Centre and must be grouped according to the functional units.