CBTC Generic Specification


Introduction

The present document constitutes the particular specification of an automatic train control system (ATC system) to be implemented using CBTC and moving block technology. The purpose of the CBTC system is to ensure safe, reliable and cost-effective unmanned train operation (UTO) of the complete rail system, including Operating Control Centre (OCC) support functions. The CBTC system includes central, trackside and onboard equipment with dedicated software to provide all functions for automatic train protection (ATP), automatic train operation (ATO), and automatic train supervision (ATS).

- ATP shall provide the primary protection for passengers, personnel and equipment against hazards of operations.
- ATO shall control the operations that otherwise would be performed by a train driver.
- ATS shall provide the overall supervision and control of the traffic, including status information for the central operator.

Communication between onboard and wayside ATC systems shall be supported by continuous, high capacity and bidirectional data communications.

Glossary

ATC: Automatic Train Control
ATP: Automatic Train Protection
ATO: Automatic Train Operation
ATS: Automatic Train Supervision
UTO: Unmanned Train Operation (GOA4 as per IEC 62290-1)
CBTC: Communication Based Train Control (as per standard IEEE 1474.1)
FMEA: Failure Mode and Effect Analysis
LRU: Line Replaceable Units
OCC: Operating Control Centre
SER: Signal Equipment Room
SIL: Safety Integrity Level (as per standard EN 50126)
O&M: Operation & Maintenance
Movement authority: portion of track over which a train has access at a given time.

Applicable Standards / Documentation

The main standards assumed as a reference for the system design are the IEEE and EN 5012X suite of CENELEC standards or equivalent:

- CBTC system standard IEEE 1474.1 1999
- EN 50126: Reliability, availability, maintainability, and safety (RAMS)
- EN 50129: Communications, signalling, and processing systems: safety related electronic systems for signalling
- EN 50128: Communications, signalling, and processing systems – software for railway control and protection systems
- ISO 9001: Model for quality assurance in design, development, production, installing and servicing
- ISO 9000-3: Guidelines for the application of ISO 9001 to the development, supply and maintenance of software
- IEC 1131: Programmable Logic Controllers: General Information
- IEC 1000-5-2: EMC cabling guideline
- MIL-HDBK-217 (RAM requirements)
- IEEE P1483, draft standard for Verification of Safety for Processor Based Systems used in Rail Transit Control
- EN 50155: Railway applications – Electronic equipment used on rolling stock, revision 2001
- IEC 61373: Railway applications – Rolling stock equipment – Shock and vibration tests, revision 1999-01
- IEC 60529: Degrees of protection provided by enclosures (IP codes), consolidated edition 2.1, February 2001

Cables shall be flame retardant, low smoke and non halogen gas emission as per relevant international standards.

System Overview

The ATC system shall be based on state-of-the-art, yet proven in use, technology designed for very high system safety, reliability and availability. The signalling system shall employ modern CBTC technology as defined in the IEEE 1474.1 standard:

a) High-resolution train location determination, independent of track circuits;
b) Continuous, high capacity, bidirectional train-to-wayside data communications;
c) On board and wayside processors performing vital functions.

The system shall be bi-directional in any section of track, and automatic traffic shall be provided in any section of the mainline tracks and depots. The safe movement of trains on tracks and in yards must be guaranteed by the signalling system automatically, without relying on action taken by operators. The signalling system shall employ the moving block principle, the safe separation behind the preceding train being dynamically calculated based on the maximum operating speeds, braking curves and locations of the trains on the track. The system to be deployed must be UTO (Unattended Train Operation) according to IEC 62290-1, which is characterized by the absence of the driver or train attendant, in both the mainline and the operational yard.

Central supervisory computers, the ATS sub-system, shall provide train scheduling and general operating and control information, to provide optimal system throughput, control and flexibility. The regulation algorithms shall include both timetable and headway regulation. The ATC system shall make provision for the insertion of new stations within the lines as well as provision for line extensions. The train control system is intended to provide short intervals, great operational flexibility, safety through continuous overspeed protection, smooth and predictable operation, high reliability and availability, and optimised maintenance tasks. The train control system of the rail network shall be communication-based. Equipment reliability, redundancy, and system architecture shall ensure that the operation of the system continues in the presence of any single failure. The system architecture shall include redundant hardware for all ATC subsystems. Communication among trackside computers and between trackside computers and the OCC shall be by fibre optic links, encrypted radio frequency or copper links. The ATC system shall be designed such that equipment failure rates are sufficiently low to preclude the need for manual driving operation, which shall be exceptional and reserved for train return to yards. ATC, interlocking and train detection subsystems shall form an integrated train control system, with proven in use interfaces between those subsystems. Necessary automatic train control hardware and software shall be provided to achieve safe and efficient fully automated and driverless operation for passenger trains. Under normal operation, ATC automatic mode shall require no OCC staff intervention other than supervision, and minimum OCC staff intervention when out of normal operation. Traffic reinforcement steps to meet passenger demand shall be provided.

Any equipment failure or line interruption shall be instantly reported to the OCC and lead to minimal service disruption, as high availability requirements shall be met. In case of significant failure, the system shall fall back to alternative modes of operation under full OCC staff supervision. The ATC automated control shall cover mainline and yard operations. The ATC shall facilitate and monitor safe manual mainline and yard operations. The ATC shall provide the OCC staff with user-friendly controls and supervision, and provide all the necessary data and filtering tools to support maintenance activity. The system shall remain open so as to accommodate further line extensions, in terms of geography and capacity, as well as train extension. Addition of new trains shall not require wayside or communication system changes.

System Design and Architecture

The CBTC System shall be developed based on the Moving Block principle, in which the system creates a 'protection envelope' for each train, dynamically calculated based on train location, speed, and direction. The 'protection envelope' prevents any other controlled train from entering, maintaining a variable safe separation distance between the trains, which is adjusted according to their actual speeds.

System Principles

Operational Safety

Consideration for operational safety shall be first and foremost in the design of the CBTC system. Safety is provided by:

• Enforcement of safe train separation;
• Enforcement of safe train speed limit;
• Protection against derailment;
• Route interlock;
• Interlock between train movement and door status.

These functions shall be implemented with the use of vital (checked-redundant) computer subsystems on the train, at the control location and at each wayside interface. Throughout the design and development of the system, checked-redundant fail-safe principles shall be rigorously followed. Failure at any level in the system causes it to revert to a safe state.

Train Tracking

Communicating Train Tracking Overview: The localization system is used for tracking of communicating trains. The train position is determined using wayside calibration transponders and positioning transponders on the trackside, and transponder interrogators and speed sensors on board. Equipped trains report their current location to the wayside computers and to the ATS.

Train Separation and Movement Authority

Movement Authority is calculated by the Zone Controller (the wayside computer) and defines an area where the train can move safely. The Movement Authority is calculated based on the track device statuses, the position of other trains and the end of track locations. The Movement Authority is limited by either an obstruction ahead of the train or, if there is no obstruction, the destination. The On-Board CBTC equipment supervises a controlled train's ability to stop within the Movement Authority. If the train is at risk of travelling beyond the Movement Authority, the On-Board computer commands emergency braking (EB).

Speed Supervision

The CBTC system vital functions continuously check that the train respects the most restrictive permitted speed. The most restrictive permitted speed is calculated taking into account the following:

• Movement Authority limit;
• Civil speed limits defined in the On-Board track database (ATP Speed Profile);
• Temporary speed restrictions; and
• Maximum speed for the current train operating mode.

The speed curves and stopping points that are calculated by the On-Board computer are illustrated below.

Interlocking Principles

In order to ensure safe train movement on the guideway, the system follows the following interlocking principles:

• Approach Locking;
• Switch Approach Locking;
• Route Locking;
• Overswitch Locking;
• Flank Protection;
• Overrun Locking; and
• Switch Control.

Operations Requirements

The trains shall be driverless in nominal mode and unattended in normal circumstances. Train routes shall be set automatically. Coupling of two trains shall be provided for rescue purposes. The wayside is fully reserved for train traffic and does not mix or cross other transportation system paths. The system design is to support “single traffic”. Only equipped trains shall be operated, along with specific maintenance vehicles. ATC shall control automated yard operation and facilitate manual operation on mainlines and in the yard. In normal operations, trains will stop at every station. Under degraded mode of operation it shall, however, be possible to modify the standard configuration, for example to skip a station or all stations (through train). Under nominal mode of operation, trains shall run in one direction; however, the ATC system shall be designed for bi-directional operation in any section of track.

System and Driving Modes

System Operation Modes

At any point, at any time, the rail system shall be operated in one of the modes defined below:

Stationary: This is the initial and default mode. Automatic train movements, and manual train movements if requested by the OCC, are disabled.

Normal: The states of the rail subsystems are such that the rail system may perform normally, i.e. major operating systems report no failure. The rail system is capable of achieving its operational performance requirements. (Such subsystem failures or other conditions as may exist have negligible influence on safety and performance.)

Degraded: One or more ATC subsystems have reported a failure or other condition such that the rail system is not able to achieve its operational performance requirements (due either to a sub-system failure or to some external event, such as an infringement of its right of way or obstacle detection).

Emergency: One or more ATC subsystems (on board or trackside controller) have reported an emergency condition, possibly indicating a threat to human life (e.g. abnormal degradation of braking performance beyond an acceptable limit), or a major system breakdown requiring, for example, a train evacuation through manual driving mode.

Driving Modes

The ATC system shall support a number of train operation modes comprising at least:

Automatic operation: This mode consists of full driverless unmanned operation and shall be the only mode applicable unless exceptional circumstances occur. This mode shall be available everywhere on the line and in the depot except for the maintenance shop.

Restricted Manual Operation: This is a speed-controlled manual mode under the responsibility of the driver. This mode corresponds to an emergency situation in case of major ATC failure. The train is manually driven under the operator's responsibility at a limited speed (provisional value of 18 km/h).

Sleeping: Automatic operation requires a heating-up phase, followed by an initialization phase.

Immobilized: The train is either faulty or disabled in such a way that operation is not possible without manual maintenance operation.

Driving modes are to be in accordance with Operations Rules.

Initialization of System Normal Operation Mode

Initialization of automatic operation after system start-up must be possible without manual intervention locally in each train, and must not require an OCC operator command to be made for each train. Initialization of automatic operation after a global system failure must likewise be possible without manual intervention in each train, and must not require an OCC operator command for each train. All parts of the ATC system, including trackside and on-board computers, shall be capable of being remotely commanded to restart. Transition between any driving modes, in particular between automatic and manual, must be possible continuously and anywhere on the running line and in the yards. The border between manual and automatic areas shall only concern the shop acquisition track or the outer rail network acquisition track, if applicable.

Functional Requirements

Core Functions

ATC core functions are:

Automatic Train Protection (ATP): the system shall control and supervise automated train operations in such a way as to assure the safety of passengers, operations personnel and vehicles.

Automatic Train Operation (ATO): the system shall provide commands to vehicle subsystems to ensure reliable and comfortable service for passengers and convenience for operation staff, within the limits and restrictions imposed by the ATP.

Automatic Train Supervision (ATS): the system shall provide all monitoring, control and automated functions necessary to achieve fully supervised automatic operation of trains throughout the line sections, and to support degraded service. This function shall be integrated with the control and monitoring of communications and traction power systems.

Automatic Train Protection

Train Detection and Tracking

The ATP shall detect the presence of trains, and any maintenance vehicles designed for use, whether running or stationary, under automatic or manual control. Presence detection shall be provided throughout the entire portion of the system, including the automated yard. The train detection shall not require track circuits (IEEE 1474).

It shall not be possible to manually access the safety related database of the train detection function. Loss of presence detection shall result in the ATC commanding the system into a safe condition. Any unexpected change of the non-occupancy status in front of a train, within a movement authority in force, shall immediately and automatically lead to a reduction of authority limits and/or speed in order to prohibit the train from passing the obstruction. The presence detection function shall enable the ATC to detect the loss of presence of a previously detected automatic or manual train in all circumstances. If lost presence is detected, the ATC system shall ensure system safety is preserved and provide annunciations to the OCC. The time to recover from a lost presence condition, that is the restoration of presence detection, shall be minimized. All trains equipped with the ATC system shall have their position, speed, travel direction and length established by the ATC system. The required part of this information shall be exchanged between the on board ATC and the local zone controller using the train-to-trackside bidirectional data communication network. ATC train detection shall establish the position of both the front and the rear of the train. ATC shall verify train length.

The ATC train detection function shall provide sufficient position accuracy to support the performance and safety requirements. In the event of failure, including loss of power both at the trackside and on board the train, the train position function shall be self-initializing. No manual input of data shall be required to locate any train. The ATC shall be capable of detecting and protecting parted trains. The ATC system shall take into account the slipping and sliding of wheels when calculating its position. Speed and position shall be determined in a vital manner.

Optional: Complementary/secondary/fallback/minimum train detection

In case the option is taken, train detection shall as a minimum determine train positions with the accuracy corresponding to the subdivision of the track system, in sections where the train has to be located according to operation requirements. This minimum train detection shall be effective irrespective of whether a vehicle carries working onboard ATP equipment or not. In case the option is taken, the minimum train detection shall serve as fallback for regular train detection in case of on board ATP failure.

Safe Train Separation

The ATP shall ensure and maintain safe operation between trains. All following and opposing running shall be protected by safety critical processes. Braking distance shall be derived from a safe braking model that shall consider worst case system response times and failure conditions, consistent with railway industry practice. The safe braking model shall be submitted as part of the safe braking calculations. Trains equipped with ATC shall be capable of closing up to the rear of a preceding train, an end of track, a work/maintenance vehicle or a failed train. Unequipped or failed trains shall be controlled by rules and procedures. Safe train separation shall be based upon the principle of an instantaneous (brick wall) stop before a preceding train. The issue of movement authorities for opposite train routes on the same track shall continuously maintain a safe train separation that allows both trains to stop without colliding. In case one train violates its end of movement authority limit, an immediate and automatic reduction to zero speed of all endangered movement authorities for other trains shall take place.

Overspeed Protection

In establishing the ATP profile, the on board ATC equipment shall continuously determine the maximum safe speed at the train location, for comparison with the actual train speed.

The maximum safe speed shall be the most restrictive of: the speed limit for the current section of track; any temporary speed restriction imposed on that section of track; the maximum speed that would enable the train to stop safely prior to the limit of the train's movement authority; and the maximum speed that would enable the train to safely reduce its speed in conformity with the next speed target and location. Emergency braking shall automatically be initiated if the actual speed of the train exceeds the ATP profile speed at the actual train location. Note: the ATO shall control the train speed with an operational speed limit lower than the maximum safe speed limit, i.e. the ATP profile. If this control fails, the ATP must initiate an emergency stop. The ATP shall support speed limits that vary along the track as a consequence of local conditions.

Brake Assurance

Service Braking: In normal conditions, ATP profile speed compliance shall be enforced by initiating service braking. If the service brake is insufficient to keep the train within the ATP profile, the on board ATC equipment shall apply the emergency braking.

Emergency Braking: Immediate emergency braking of a train shall be initiated automatically upon any violation of safety conditions. Emergency braking shall automatically be initiated if a train is moving without movement authority. Emergency braking shall automatically be initiated if a train is moving against the direction allowed in its current movement authority (anti roll back). Immediate emergency braking of trains shall be initiated automatically upon system failures (including loss of fail safe communication between system units) that might create a dangerous situation. Emergency braking shall also be initiated when the application of the service brake, either automatically or manually (in the case of work trains), is determined by the ATP to be insufficient to stop the train short of an obstruction. Emergency braking shall also be triggered upon receipt of an emergency Stop-now command from the OCC. An emergency handle (or any other device such as buttons etc.) shall be available in all trains. Emergency braking, once initiated, shall remain under ATP control and may be removed before the train comes to a complete stop if the emergency brake condition is no longer active. If the conditions for the train to move are not fulfilled, the emergency stop shall remain in force, regardless of any reset, unless a switch to manual operation is made.
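As an added worked example (not code from this specification or from any supplier's product), the following Python models the Safe Train Separation, Overspeed Protection and Brake Assurance requirements above: a brick-wall safe braking model with a worst-case response time, the ATP profile speed taken as the most restrictive of the civil limit, temporary speed restriction, mode limit, movement authority limit and next speed target, and the brake command derived from it; the degraded braking rate for "wet" rail described later under Wet/Dry Rail Reduced Adhesion Operation is carried as a flag. Every numeric parameter, the class and function names and the scenario are constructed assumptions, not values from the specification.

```python
# Added illustration of the ATP profile and brake assurance rules; not code from
# this specification. All numeric parameters are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SafeBrakingModel:
    """Worst-case assumptions of the safe braking model (constructed values)."""
    response_time_s: float = 2.0    # detection plus brake build-up before braking takes effect
    max_accel_mps2: float = 1.0     # traction assumed still applied during the response time
    decel_dry_mps2: float = 1.0     # guaranteed braking rate on dry rail
    decel_wet_mps2: float = 0.5     # degraded rate adopted when the OCC declares "wet"
    margin_m: float = 5.0           # safety margin kept short of every stopping target

    def braking_distance(self, v_mps: float, target_mps: float, wet: bool) -> float:
        """Worst-case distance to bring the speed from v_mps down to target_mps:
        the train keeps accelerating for the whole response time, then brakes at
        the guaranteed rate for the declared rail condition."""
        decel = self.decel_wet_mps2 if wet else self.decel_dry_mps2
        t = self.response_time_s
        v_peak = v_mps + self.max_accel_mps2 * t
        d_response = v_mps * t + 0.5 * self.max_accel_mps2 * t ** 2
        d_brake = max(0.0, v_peak ** 2 - target_mps ** 2) / (2.0 * decel)
        return d_response + d_brake

    def max_entry_speed(self, distance_m: float, target_mps: float, wet: bool) -> float:
        """Largest current speed from which target_mps is still reached within
        distance_m less the margin. braking_distance grows monotonically with
        speed, so a bisection on the speed finds it."""
        usable = distance_m - self.margin_m
        if usable <= 0.0:
            return 0.0
        lo, hi = 0.0, 100.0  # 100 m/s is above any metro operating speed
        for _ in range(60):
            mid = (lo + hi) / 2.0
            if self.braking_distance(mid, target_mps, wet) <= usable:
                lo = mid
            else:
                hi = mid
        return lo


@dataclass(frozen=True)
class SpeedTarget:
    """Point ahead of the train from which a lower speed applies (0 = stop)."""
    position_m: float
    speed_mps: float


def atp_profile_speed(position_m: float, ma_limit_m: float, civil_limit_mps: float,
                      tsr_mps: Optional[float], mode_max_mps: float,
                      targets: Sequence[SpeedTarget], model: SafeBrakingModel,
                      wet: bool) -> float:
    """Most restrictive permitted speed at the current location: civil limit,
    temporary speed restriction, mode limit, a brick-wall stop short of the
    movement authority limit, and every speed target ahead, each converted into
    a maximum speed at this location."""
    candidates = [civil_limit_mps, mode_max_mps]
    if tsr_mps is not None:
        candidates.append(tsr_mps)
    candidates.append(model.max_entry_speed(ma_limit_m - position_m, 0.0, wet))
    for t in targets:
        if t.position_m > position_m:
            candidates.append(model.max_entry_speed(t.position_m - position_m, t.speed_mps, wet))
    return min(candidates)


def brake_command(speed_mps: float, profile_mps: Optional[float],
                  ato_margin_mps: float = 1.0) -> str:
    """Brake assurance, simplified: the ATO must hold the train under an
    operational limit below the ATP profile; exceeding that limit calls for
    service braking, while exceeding the ATP profile itself, or moving with no
    movement authority at all, calls for emergency braking."""
    if profile_mps is None or speed_mps > profile_mps:
        return "EMERGENCY"
    if speed_mps > profile_mps - ato_margin_mps:
        return "SERVICE"
    return "NONE"


if __name__ == "__main__":
    # Constructed scenario: train at 0 m, authority ends 99 m ahead, a 5 m/s
    # target 1000 m ahead, 20 m/s civil limit, 25 m/s mode limit, no TSR.
    model = SafeBrakingModel()
    targets = [SpeedTarget(position_m=1000.0, speed_mps=5.0)]
    for wet in (False, True):
        p = atp_profile_speed(0.0, 99.0, 20.0, None, 25.0, targets, model, wet)
        print(f"wet={wet}: profile {p:.2f} m/s, at 9.5 m/s -> {brake_command(9.5, p)}")
```

With the constructed parameters the dry-rail profile 99 m short of the authority limit is 10 m/s; declaring "wet" halves the guaranteed rate and lowers it to about 6.85 m/s, so the same 9.5 m/s becomes an emergency-brake case.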

The on board ATC, emergency braking and traction orders shall be interlocked in such a way that traction is removed as soon as an emergency braking order is initiated.

Braking Performance Monitoring

The train emergency brake shall be automatically tested when the train is woken up by the OCC. Trains with deficient emergency brakes shall not be injected into the carousel. Alarms and reports shall be generated and sent to the OCC.

Securing of Routes

Routes may be defined as any movement authority that goes through a set of one or more switches. Securing of routes shall basically rely on movement authority granting and switch interlocking. No issue of mutually conflicting movement authorities is allowed. The issue, change and cancelling of movement authorities shall be exchanged in a fail safe manner between the issuing instance/entities and the unit that is to utilize the movement authority. Movement authorities shall cover any portion of track geometry, except for blocked track sections or failed or blocked switches. Movement authorities as a minimum shall support movements between any predefined departure location and any predefined arrival location over the track geometry. In case of a movement authority cancellation, provisions shall be made to safeguard that the previously authorized train has been brought to a complete stop before another movement authority or individual switch command is issued that may include a change of switch position within the stopping distance of the said train. Movement authorities shall be provided by the ATP function for any unmanned movement of trains, including trains carrying passengers, unmanned supply and removal of empty trains to manned maintenance vehicles or manned (defective) trains, provided that safety functions are fully operational. Automatic release of a movement authority over track sections and switches shall take place immediately upon train passage, or in case of rerouting of the train, to allow subsequent movement authorities.

Switch Interlocking

Detection of switch position shall be done automatically and continuously. Commands shall be provided for change of switch position. The issue of a movement authority involving switches shall be conditioned on the correct alignment and locking of the switches within the movement authority boundaries and the correct positioning of switches protecting that movement. No change of switch position by automatic or manual command may take place within a movement authority in force until the switch has been released from its locking by a fully detected passage of the train holding the actual authority, or the movement authority has been cancelled.

If, due to an error, a change of switch status away from the correct alignment or correct positioning takes place, movement authority limits and/or speed shall automatically be restricted to prohibit train passage of the switch. Facilities shall exist for handover of control of a switch from the OCC to operation staff at the switch location and vice versa. The two switch modes of operation, central (automatic or remotely controlled) and local (manual by operation staff), shall exclude each other at any moment. Blocking of a switch shall prohibit the subsequent issue of the associated movement authority. Blocking or unblocking of predefined switches delimited by wayside markers shall be supported by the ATP system.

Safe End of Track Approach

The ATP shall ensure that the train will not reach the end of track buffer under worst case failure conditions.

Speed Detection

Actual speed detection: a continuous measurement of the actual real speed of the train shall be provided by the onboard equipment. Zero speed detection: zero speed shall be detected by the onboard ATP equipment.

Train Splitting Protection / Train Integrity Protection

Facilities shall exist to detect any coupling, detachment and/or separation of detachable units of a train consist. Upon detection of an unscheduled uncoupling, detachment or separation, an immediate emergency stop shall be imposed on all units of the previously connected train. The ATC shall detect an unexpected split and establish appropriate limits of authority to prevent other trains from entering the pull-apart area. An alarm shall be forwarded to the OCC.

Direction Control and Rollback Protection

The ATP shall ensure in real time that the specific running direction on each track is respected. Reversal of train travel direction shall be prevented until zero speed has been detected. Emergency braking shall automatically be initiated if a train is moving against the direction allowed in its current movement authority.
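The Securing of Routes and Switch Interlocking rules above, as an added illustration in Python (not code from this specification or from any supplier): a movement authority over switches is granted only when every switch is detected in the required position, unlocked and unblocked, no section is blocked or occupied, and no section overlaps an authority already in force; a switch locked by an authority cannot be commanded until it is released by a fully detected train passage or by cancellation; and a detected switch movement away from its required position cancels the authority holding it so that its limit and speed can be restricted. Section and switch names, the data layout and the refusal messages are constructed assumptions.

```python
# Added illustration of the Securing of Routes and Switch Interlocking rules
# above; not code from this specification. Names and layout are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Path = List[Tuple[str, Dict[str, str]]]  # ordered (section, {switch: required position})


@dataclass
class Switch:
    detected: str                    # field detection: "normal", "reverse" or "unknown"
    blocked: bool = False            # blocked by staff: no authority may be issued over it
    locked_by: Optional[str] = None  # authority in force that holds the switch lock


@dataclass
class Section:
    occupied: bool = False
    blocked: bool = False


class Interlocking:
    def __init__(self, sections: Dict[str, Section], switches: Dict[str, Switch]):
        self.sections, self.switches = sections, switches
        self.authorities: Dict[str, Path] = {}  # movement authorities in force

    def grant(self, ma_id: str, path: Path) -> Tuple[bool, str]:
        """Issue a movement authority or refuse it with a reason. Locks are taken
        only after every check has passed, so a refusal changes nothing."""
        wanted = {sec_id for sec_id, _ in path}
        for other_id, other in self.authorities.items():
            if wanted & {sec_id for sec_id, _ in other}:
                return False, f"conflicts with authority {other_id}"
        for sec_id, positions in path:
            if self.sections[sec_id].blocked or self.sections[sec_id].occupied:
                return False, f"section {sec_id} blocked or occupied"
            for sw_id, required in positions.items():
                sw = self.switches[sw_id]
                if sw.blocked:
                    return False, f"switch {sw_id} blocked"
                if sw.locked_by is not None:
                    return False, f"switch {sw_id} locked by {sw.locked_by}"
                if sw.detected != required:
                    return False, f"switch {sw_id} detected {sw.detected}, needs {required}"
        for _, positions in path:
            for sw_id in positions:
                self.switches[sw_id].locked_by = ma_id
        self.authorities[ma_id] = list(path)
        return True, "granted"

    def command_switch(self, sw_id: str, position: str) -> Tuple[bool, str]:
        """Automatic or manual switch commands are refused while the switch is
        locked by an authority in force."""
        sw = self.switches[sw_id]
        if sw.locked_by is not None:
            return False, f"switch {sw_id} locked by {sw.locked_by}"
        sw.detected = position  # field detection is assumed to confirm the move
        return True, "moved"

    def train_passed(self, ma_id: str, sec_id: str) -> None:
        """Fully detected passage of the authorized train releases that section
        and its switches immediately, so later authorities can use them."""
        remaining: Path = []
        for s, positions in self.authorities[ma_id]:
            if s == sec_id:
                for sw_id in positions:
                    self.switches[sw_id].locked_by = None
            else:
                remaining.append((s, positions))
        if remaining:
            self.authorities[ma_id] = remaining
        else:
            del self.authorities[ma_id]

    def cancel(self, ma_id: str) -> None:
        """Cancellation releases every switch of the authority; the train itself
        must already be at a stop before any conflicting command is issued."""
        for _, positions in self.authorities.pop(ma_id, []):
            for sw_id in positions:
                self.switches[sw_id].locked_by = None

    def switch_detection(self, sw_id: str, detected: str) -> Optional[str]:
        """Field detection update. If a locked switch leaves its required
        position, the authority holding it is cancelled and its id returned so
        the ATP can restrict that authority's limit and speed."""
        sw = self.switches[sw_id]
        sw.detected = detected
        ma_id = sw.locked_by
        if ma_id is None:
            return None
        for _, positions in self.authorities[ma_id]:
            if positions.get(sw_id) not in (None, detected):
                self.cancel(ma_id)
                return ma_id
        return None
```

A constructed walk-through: granting an authority over sections S1 and S2 with switch W1 normal locks W1, so a command to reverse it and a second authority over S2 are both refused until the train has passed S2, after which W1 can be reversed and the second authority granted; a subsequent detection of W1 as "unknown" cancels that authority.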
Train and Platform Screen Door Safe Protection

Train door protection shall be provided for all passenger trains. Train door status and platform screen door status shall be subject to continuous supervision. If any automatic door or emergency exit door on a train unlocks for any reason while the train is in motion, i.e. above zero speed detection, an emergency stop shall be automatically initiated. In the event of any unscheduled door opening, a local manual reset by authorized personnel shall be required prior to the restoration of train operation, unless the door status returns to “closed” in the meantime.

Option: remote reset from the OCC shall be available after having established, through communication means (on-board camera, passenger dialogue), the safety of the current situation. A stopped train shall not be permitted to move automatically until all doors of the train are properly closed and locked. The ATP shall monitor the train and platform screen doors in order to authorize their opening only if the train speed is zero, vehicle and platform screen doors are properly aligned within the allowable tolerances, the park brakes are applied and the propulsion system is disabled. Facilities for emergency opening of train doors (from the OCC, from inside the train or from outside the train) shall exist. Platform screen door protection shall be provided at all platforms. The status of platform screen doors shall be subject to continuous supervision. If a platform screen door unlocks for any reason other than during passenger exchange with a dwelling train, an emergency stop shall be initiated for all trains in predefined sections along the station. In case of unscheduled platform screen door opening, the train at the station shall apply emergency braking and the incoming train shall apply emergency braking. In the event of any unscheduled platform screen door unlocking, a local manual reset by authorized personnel shall be required prior to the restoration of operation. A train stopped at a station platform shall not be permitted to move automatically until all platform screen doors facing the train are properly closed and locked. The ATP shall monitor the train and platform screen doors in order to authorise their opening only if the train speed is zero, vehicle and platform screen doors are properly aligned within the allowable tolerances, the park brakes are applied and the propulsion is disabled. Facilities for controlling the emergency opening of platform screen doors (from the OCC, from the track side or from the platform side) shall exist.

Temporary Speed Restrictions

The ATP shall ensure the compliance of trains with temporary speed restrictions that are introduced and cancelled by the ATS system.

Blocking of Track Sections or Switch Areas

Blocking and unblocking of predefined track sections delimited by wayside markers shall be supported by the ATP function and supervised by the ATS function. Blocking of a track section shall prohibit the subsequent issue of movement authorities in that section.

Wet/Dry Rail Reduced Adhesion Operation

The ATS shall be able to modify the service braking performance in ATP profile calculations under wet/dry reduced adhesion conditions. The ATS system shall have the capability for the OCC to designate the weather conditions as “wet” or “dry” on a system-wide basis or on predefined sections of track, particularly for sections of track in open air. When the OCC changes the condition between “wet” and “dry”, the ATS system shall notify all equipped trains. When in “wet” condition, i.e. whenever or wherever the adhesion condition changes, on board ATC equipment shall adopt a degraded braking performance. The on board equipment shall ensure that trains do not violate the movement authority given the assumed reduction in braking performance.

Obstacle Detection

Wayside devices enabling the mitigation of identified hazards shall feed the ATP function with alarms that may bear various levels of severity. Wayside obstacle detection may complement and/or be interfaced with an intrusion detection system. The status of wayside obstacle detectors shall be subject to continuous supervision. If an obstacle is detected, an emergency stop shall be initiated for all trains in predefined sections around the obstacle area. Wayside obstacle detection devices shall require a local manual reset or remote reset, depending on the device nature, prior to the restoration of normal operation.

Automatic Train Operation The ATO function shall provide commands to vehicle subsystems, in particular the propulsion unit, to ensure reliable and comfortable service for passengers as described below. ATO operates under the safety constraint of ATP and shall in no way reduce the safety level of the ATP. Motion Control Train acceleration, deceleration, and station stop shall be controlled by the on board ATO function within the established ATP profile. The ATO shall effect this control by providing commands to the train‘s propulsion and braking units in real time. The ATC equipment shall cause the service brakes to be applied automatically, as required, for speed maintaining, to reduce train speed on approach to a civil work speed reduction or temporary speed reduction, and to bring the train to a stop at a movement authority limit or programmed station stop. (Service braking shall also be applied automatically in manual mode every time the on board ATC detects that the fixed ceiling speed limit is reached) Speed Regulation and Run Time Control The ATO shall control train speed and deceleration rates to stop trains at stations platforms within tolerances defined by safety analysis and enforced by the ATP.

The ATO shall control train braking commands to provide a smooth stop, avoiding jerks as the train comes to rest. An automatic jog forward/back feature may be used, within safety constraints when going backward. Trains which do not succeed in positioning within tolerances at the station platform may perform a forward or reverse jog attempt. The number of jog attempts shall be a maximum of one for every failed positioning. Trains which do not stop (after jog attempts, if so designed) within the correct alignment tolerances shall automatically send a request to the OCC, along with train stop imprecision figures, in order to be authorized to proceed to the next station. The ATO shall control the train speed within an acceptable limit of the required speed for the profile defined for a particular operation mode and track location. The ATO, in combination with the propulsion and braking control circuits of the train, shall meet the acceleration and jerk limits, avoid unnecessary power/brake transitions, avoid overspeed, and provide the smoothest practical ride for passengers.

Dwell Time and Departure
Upon platform train stop, the ATO shall control the station dwell as per service regulation needs. The dwell time shall be either automatically defined according to timetable and headway regulation needs, or may be shortened or extended by means of a straightforward control from the OCC or from the local control. At the end of the programmed dwell time, the ATO shall automatically command platform screen doors and train doors to close simultaneously, preceded by an audio and visual signal for passenger information. Once all doors are confirmed to be locked, the ATC shall command the train to depart the station.

Programmed Station Stop
Braking and stopping at a station must be made within a precision allowing the passenger exchange to be done at the predetermined areas through platform screen doors, within the precision defined in the performance requirements.
For coupled train passenger unloading, the station stop at the next station must support successive unloading of passengers for both coupled trains.

Other Sub Functions
The ATO function shall address other functions and their interfacing requirements with the ATS, the ATP function and communication equipment:
- request for door opening
- train response to OCC controls
- train departure testing
- passenger information support
- train health monitoring

Automatic Train Supervision
Automatic train supervision shall provide the following functions:

Automatic Route Setting
Automatic Route Setting is the ATS function that automatically requests routes for trains to implement train movements defined by:
• Run assignments;
• Line assignments;
• Single Destination assignments; and
• Shuttle assignments.

Turnback Modification
The ATS Operator shall be able to establish diversions to change the turnback location for trains on scheduled run assignments or line assignments. This feature allows short turnbacks to be established for a specified time period.

Conflict Handling
Conflict handling shall provide deadlock prevention for train segments.

Manual Route Setting
Manual Route Setting allows the ATS Operator to manually request or cancel any route.

Automatic Train Regulation
Automatic Train Regulation manages the dwell time and train run type for trains with a run assignment. It also calculates the schedule and headway adherence of each train for presentation to the central operator.

Anti-Bunching (Automatic Platform Hold)
The ATS shall automatically apply a platform hold to a train at a platform when there is an excessive accumulation of trains on the track downstream. An automatically created platform hold is automatically removed when the concentration of trains downstream has returned to a normal state. The Central Operator shall be able to override an automatic hold by performing an individual train depart or by disabling the automatic hold feature for the platform in question.

Schedule Assignment
The ATS shall provide a facility to assign a selected operating schedule using the Schedule Selection command. The ATS shall provide a facility to plan automatic schedule assignment covering a certain duration (e.g. 30 days).

Train Launch
When the level of service needs to be increased, the ATS shall present a launch list to the ATS Operator. This list will be sequential, indicating the expected order of trains to enter into service.

Train Exit from Service
The Exit List shall be generated when a schedule is assigned by the ATS Operator. The Exit List will indicate the runs to be exited for each reduction of service for the entire schedule.
The ATS shall control each train to the completion of its current route and/or line assignment and trigger the normal completion of service.

Junction Priority
At places where tracks meet, the schedule can define the rules for selecting which train can proceed into the junction first. The ATS Operator has the option to change the algorithm for managing the trains that meet at a junction. The default rule is based on the first train scheduled to arrive at the junction.

Re-Determination
The ATS Operator shall have facilities to initiate a re-determination of runs for a schedule. This command is used to bring the system back on schedule following a failure that caused a large delay that cannot be recovered.

Online Timetable Editing
The current operating timetable may be edited by the ATS operator to provide temporary service adjustments. Online edits only apply to the currently loaded timetable.

Cancel Run/Trip
This command allows the ATS operator to cancel a trip or an entire run. This has the effect of removing the trip data from passenger information. When a train arrives at a terminus and the next trip has been cancelled, it will go out of service.

Train Out of Service
The ATS operator shall be able to select a platform at which to take a train out of service for any trip. This platform will be reflected in passenger information as the new destination. When the train arrives at that designated platform it will go out of service unless it has been formed to another trip.

Slide Trip
The Slide Trip command allows the ATS operator to change the departure time for a trip. All of the platform times for the trip are slid by the corresponding time change.

Even Out Headway
The Even Out Headway command (also known as flex) allows the ATS operator to perform multiple Trip Slides in one command.

Divert Trip
The Divert Trip command allows the ATS operator to turn a trip short, extend a trip or send a trip down a different track.

Modify Trip
This command gives the ATS operator the ability to modify details of a single trip.

Add Run
This command allows the ATS operator to add a run into the current timetable.

Modify Entry
This command allows the ATS operator to change the entry location for a run. An entry line and revenue start platform must be specified.

Modify Exit
This command allows the ATS operator to change the exit location for a run. An exit line and revenue end platform must be specified.

Revert Run
This command reverts all trip modifications that have been made to a run back to the timetable values.

Station Bypass
The ATS shall be able to direct a train or group of trains to skip a station or group of stations.
Train groups shall include a manually specified (click on) group, all trains in a direction, or all trains in service. The ATS system shall provide a trigger to automatically generate a public announcement on the platform and onboard the concerned trains to notify passengers that the train is not stopping at the station. The on board ATC equipment shall suppress station overrun notices to the OCC or the Local Control room. The ATC system shall allow trains to leave stations being bypassed at the maximum authorized speed.

Holding a Train at Station
The ATS shall enable the OCC or the Local Control Office to hold a train in a station through an ATS command.

Restricting or Stopping a Train “en route”

a) Stop at next station. The ATS system shall provide a means to stop trains en route either immediately or at the next station. The ATS system shall allow the OCC to designate a train, a group of trains, a section of track, or the whole system, and define whether the stop is to be at the next station or immediate. In the case of a next-station stop, the on board ATC equipment shall determine whether the train can physically stop in service braking mode by the next station. If the train is in the process of departing a station, it shall continue to the next station and stop there. If the train is in the process of bypassing a station and the ATC system determines that the train cannot stop at that station under normal service braking, the train shall be allowed to run to the next station, where it will stop. Once stopped at the station, each train's movement authority shall be pulled back by the ATC system to the stopped location. The OCC shall be able to release the stop-at-next-station command by a group command, for either a single train, a group of trains, all trains in a section of track or all trains on the line. Once released, the ATC system shall allow movement authorities to be advanced, and the ATS system shall set routes for trains through the interlocking process.

b) Stop Now function (emergency). The ATS system shall provide a means for the OCC to designate a train, a group of trains, all trains in a section of track, or all trains on the line, to be stopped immediately with emergency braking. This command shall cause the on board ATC equipment to immediately apply the brakes, and to notify any train operating in manual driving mode. The on board ATC shall adjust the train movement authority consistent with the actual stop. The OCC shall be able to release the stop-immediately command on one train at a time, or on a group of trains, all trains in a section of track, or all trains on the line. Once released, the on board ATC equipment shall release the emergency brake command, the ATC shall allow movement authorities to be advanced, and the ATS system shall set routes for trains.

c) Stop Now function (service). This function is identical to the emergency Stop Now function except that trains are brought to a stop with service braking.

Track Maintenance Support
The ATS system shall provide a means for the OCC to block track and switches, and to apply temporary speed restrictions (TSR) and remove them as necessary.

Track and Switching Blocking
The ATC system shall not grant movement authorities to trains to operate into or out of blocked track sections or switch areas. The ATS system shall include facilities to allow the OCC to block and unblock track sections and switches.

Temporary Speed Reductions
The temporary speed restriction shall be enforced in a similar manner to civil work speed limits. Trains that already have authority through the TSR order area and can comply with the speed limit shall do so. In the event that a TSR is received by a train that encompasses an area within the safe braking distance of the train, and the restriction would place the train in an overspeed condition, the on board ATC equipment shall brake the train into compliance; if the train fails to respond to the service brakes, the on board ATC equipment shall apply the emergency brakes. Temporary speed reductions are under ATP control.
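The braking decisions described in the wet/dry adhesion clause, the stop-at-next-station clause and the TSR clause above, as an added worked example; this is not code from the specification or from any supplier's product. The deceleration rates, reaction time, adhesion derating factor, speed tolerance and train states are constructed assumptions; a real safe braking model is derived from the rolling stock data and the safety analysis. The example shows the three checks the on board ATP/ATO runs: whether a service brake application can still stop the train at a point, whether a newly received TSR already lies inside the slowing distance, and the escalation to emergency braking when the train does not respond to the service brake.

```python
from dataclasses import dataclass

# Constructed assumptions (not values from the specification): guaranteed
# deceleration rates, brake build-up delay and the adhesion derating applied
# once the OCC has declared a section "wet".
SERVICE_DECEL = 1.0        # m/s^2, guaranteed service brake rate on dry rail
EMERGENCY_DECEL = 1.2      # m/s^2, guaranteed emergency brake rate on dry rail
WET_FACTOR = 0.7           # fraction of the dry rate assumed in "wet" condition
REACTION_S = 2.0           # s, detection plus brake build-up before deceleration starts
SPEED_TOLERANCE = 0.5      # m/s, excess over a limit tolerated before overspeed


@dataclass
class TrainState:
    position: float   # m along the track, increasing in the running direction
    speed: float      # m/s
    wet: bool         # adhesion condition as notified by the ATS


def effective_decel(rate: float, wet: bool) -> float:
    """Guaranteed deceleration after the wet/dry adhesion assumption is applied."""
    return rate * WET_FACTOR if wet else rate


def slowing_distance(speed: float, target: float, rate: float, wet: bool) -> float:
    """Distance needed to go from `speed` to `target` (m/s), including the
    distance run at constant speed during the reaction delay.  target=0 gives
    the stopping distance."""
    if target >= speed:
        return 0.0
    a = effective_decel(rate, wet)
    return speed * REACTION_S + (speed ** 2 - target ** 2) / (2 * a)


def can_stop_at(train: TrainState, stop_point: float) -> bool:
    """Stop-at-next-station check: a service brake application started now
    must bring the train to rest at or before `stop_point`; otherwise the
    train runs on to the following station."""
    needed = slowing_distance(train.speed, 0.0, SERVICE_DECEL, train.wet)
    return train.position + needed <= stop_point


def tsr_command(train: TrainState, tsr_start: float, tsr_speed: float) -> str:
    """Response to a newly received TSR beginning at `tsr_start` with limit
    `tsr_speed`.  'none' when the train is already compliant or the
    restriction still lies beyond the distance needed to slow down (the ATO
    regulates normally); 'service' when the restriction is inside that
    distance and the ATP must brake the train into compliance."""
    if train.speed <= tsr_speed + SPEED_TOLERANCE:
        return "none"
    needed = slowing_distance(train.speed, tsr_speed, SERVICE_DECEL, train.wet)
    return "none" if train.position + needed < tsr_start else "service"


def brake_supervision(commanded: str, measured_decel: float, wet: bool) -> str:
    """Escalation rule: a commanded service brake whose measured deceleration
    stays below the guaranteed rate is treated as a failure to respond, and
    the ATP applies the emergency brake.  Returns the command now in force."""
    if commanded != "service":
        return commanded
    required = effective_decel(SERVICE_DECEL, wet)
    return "emergency" if measured_decel < required else "service"


def within_movement_authority(train: TrainState, ma_end: float) -> bool:
    """ATP supervision: an emergency brake started now must stop the train
    before the end of the movement authority under the current adhesion
    assumption, so a "wet" declaration shortens what is permitted."""
    needed = slowing_distance(train.speed, 0.0, EMERGENCY_DECEL, train.wet)
    return train.position + needed <= ma_end


if __name__ == "__main__":
    dry = TrainState(position=0.0, speed=20.0, wet=False)
    wet = TrainState(position=0.0, speed=20.0, wet=True)
    print("stop by 300 m, dry:", can_stop_at(dry, 300.0))    # True
    print("stop by 300 m, wet:", can_stop_at(wet, 300.0))    # False
    print("TSR 10 m/s starting at 150 m:", tsr_command(dry, 150.0, 10.0))  # service
```

The same 20 m/s train stops within 300 m on dry rail but not once the OCC has declared the section wet, which is exactly why the movement authority check uses the degraded rate rather than the nominal one.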

Passenger and Staff Information
The ATS must generate data about time schedules and deviations from time schedules to inform passengers and staff.

Automatic Depot Operations Control
General
The depot shall be equipped for automatic train movement in all locations except for the designated shop tracks. Trains shall move automatically between storage tracks, the main line and the shop transfer track(s). From the shop transfer tracks to the maintenance shop, it shall be possible to hand over the automatic train movement control to manual control. Option: for ease of maintenance, trains may be remotely driven between the shop transfer track and the maintenance shop from a local shop panel control. Trains shall be routed within the yards by automatic means or by remote command from the OCC. Safe manual driving of trains within the Depot shall be possible within the limitations fixed by the on-board ATP. (Optional) Automation of train movement initiation between the Depot and the main line and vice versa shall be maximized. The system design principles for the Depot shall be the same as those for the main line. All mainline functions shall be available in the depot.

Depot to Main Line Operation
Every time a train has gone through the sleep state, which is the normal state for train storage, the train shall be subjected to a series of static safety and functional tests, conducted automatically, to ensure that critical systems are fully operational. The ATC system shall possess a self-testing capability. If the tests are passed successfully, the train can proceed to the main line for revenue operation. If one or more of the tests fail, train insertion is put on standby and the OCC is alerted to the nature of the failure. The location of the entry tests, also depending on the track layout, should be chosen such that failure of entry tests does not block further access for trains to and from the mainline.
Main Line to Yard Operation
Trains shall return to the Depot from revenue service in accordance with automatic schedule requirements, or upon OCC request. The scheduled destination shall be capable of being overridden from the OCC. The return to the Depot requested from the OCC may concern one or more trains.

Train Storage
The necessary movements shall be automatically achievable. When trains are to be put to sleep, the OCC shall be able to trigger the sleep mode only for trains in the correct position in their storage track. A command shall be available to initiate sleep mode in any section of storage track outside the depot. The train awakening shall be made by the OCC automatically from the schedule or manually initiated via operator command.

Spare Parts
The Contract supply shall include the delivery of a sufficient amount of spare parts to ensure that the rail system will be self-sustained with spare parts, especially during the test period, the trial run, and during the critical early stages of commercial operation. The Contractor shall indicate an itemized list of spare parts, including total value, for a maintenance period of 3 years following completion of the specified period of operation and maintenance.

Detailed description of the entire ATC system
The contractor shall submit a detailed description of the ATC system delivered. The description shall address all functional and technical requirements and shall explain in detail how each of these is achieved, including:
- control tables (as applicable) and the safety braking model (safety distance calculations)
- description and drawings of all items of hardware
- description and drawings of all interface arrangements
- fully detailed operating diagrams for the normal timetable scenario

Trackside and Wayside ATC Characteristics

General Requirements
The trackside and wayside ATC subsystem shall consist essentially of a network of highly reliable, distributed vital area computers (local trackside ATC). The trackside intelligence for train tracking, movement authority setting, the interlocking function and other ATC related ATP functions is resident in the trackside computer(s). Trackside systems shall also include primary train location devices (transponders) which are able to provide a unique identity to the on board ATC positioning system. Each trackside ATC shall be microprocessor based and shall be responsible for the control of trains, whether in driverless or manual mode, and facilitate the passage of unequipped vehicles. Each trackside ATC shall interface with the data communication network and/or the multi-service backbone network, to the ATS server at the OCC, to the adjacent trackside ATCs, and to the trackside equipment. The Contractor shall determine the architecture for the trackside ATC network which shall form the basis of his design in order to meet the functional and performance requirements of these specifications. The length of track, the number of allowable trains in a section, the number of stations, and the number of interlocking and other trackside elements with which the ATC must interface, combined with the degree of redundancy incorporated in each trackside ATC, shall constrain the ability of the ATC system to meet these aforementioned requirements along with the safety, availability, reliability, and maintainability criteria set in the System Assurance Program Plan.

Restricted Manual Mode
In the event of a loss of vital information (such as train location, movement authority, etc.) as a result of a failure of the ATC on board system, a failed train to track communication link, or a failed trackside ATC, the ATC shall cause an emergency brake application. Further movement of the train shall be possible in restricted manual mode, the selection of which shall disconnect all non-required subsystems. The train operator will be able to select restricted manual mode using a switch on the driving panel; the result of this action shall bypass the ATC functions and ensure the removal of the movement authority restriction. The train can then be operated at a restricted speed (18 km/h) by the propulsion subsystem or by the on board ATC. It shall be possible in RM mode to reset, or reinitialize, the on board ATC equipment. If the reset is successful and full ATC functions, including train location determination, are restored, a message shall be indicated to the train operator and to the OCC. The train operator may then select the driverless mode to resume normal operation.

Level of Safety
The global safety shall depend on a system whose safety has been definitely proved independently of any application software. In order to ensure the safety of the systems used in the field of railway signalling, it is required to fulfill two main conditions:
- the system used has to ensure a faultless and complete function in the sense of the task definition
- it has to show a vital behaviour in case of failures and faults referring to the system itself or to components directly connected with it.

Vital Subsystems
The vital subsystems shall be designed so as to be fail-safe.
The architecture and the relevant equipment implemented to ensure processing safety shall be described clearly by the contractor, such as:
- coded mono-processor
- bi- or tri-processor with comparison or majority vote
- mono-processor with bi-software.
A hot redundancy or 2-out-of-3 polling concept is recommended for high availability. An alarm alerts the maintenance staff, who are able to intervene without interrupting system operation. In case of a power supply defect, the system will shut down in an orderly manner, locking points in their current position. The stored functions will be memorized for a predetermined time of 4 hours at least. When the power supply recovers, the system resumes automatically if there is no loss of stored information; if not, a manual restart by the maintainer will be necessary.

Software Architecture
The contractor shall distinguish between basic software and application software. The function of the basic software is to keep the application software independent of the hardware and to provide high-performance services. The basic software mainly governs the operating system and communications.

Input/Output Safety
A restrictive status of each input and output shall be defined by the contractor. Detection of serious faulty operation at the level of an input or an output shall result in its restrictive status. Detection of serious faulty operation at the level of the system shall result in the system stop and the restrictive status of the outputs. In addition, the system outputs shall be systematically maintained in restrictive status until initialization is complete.

Maintenance Facilities of the Module
The diagnostics and maintenance subsystem consists of a personal computer based tool that provides support for the maintenance staff. A comprehensive range of diagnostic facilities shall be built into the system. It shall be possible for maintenance staff to interrogate the system at any time and check the current state of any specified signalling functions, or list any current fault reports. The memorization on appropriate storage media of all relevant events (changes of state, operator requests) shall be maintained for several days for further analysis. Protection against electromagnetic interference is required.

Module Failures
Failure of a whole unit: in case of a redundant unit failure, the unit shall automatically switch to the other redundant unit. An alarm shall be transmitted to the OCC and to the Local Control Office. Any failure shall be considered a light failure if a vital part of the unit acting directly on safety is not concerned. Generally, it would be advisable to avoid unjustified stopping. As far as possible, a faulty element shall not stop the operation of the module.
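How the Vital Subsystems and Input/Output Safety clauses above combine in one vital output, as an added example; it is not code from the specification or from any supplier's product. The class names, the three-channel tuple interface and the alarm strings are assumptions made for the illustration. It models a 2-out-of-3 majority vote in which the output is held restrictive until initialization completes, a single divergent channel is logged as a light failure without stopping operation (the maintenance alarm), and loss of any majority is a serious system-level fault that stops the system and latches the output restrictive until a maintainer restarts it.

```python
from collections import Counter
from enum import Enum
from typing import Any, List, Optional, Tuple


class Status(Enum):
    RESTRICTIVE = "restrictive"   # safe side: output withheld / stop aspect
    PERMISSIVE = "permissive"


class VotedOutput:
    """One vital output computed by three independent channels and released
    only on a 2-out-of-3 majority (assumed illustration, not a product design)."""

    def __init__(self) -> None:
        self.initialized = False   # outputs restrictive until initialization completes
        self.stopped = False       # latched after a system-level serious fault
        self.alarms: List[str] = []

    def complete_initialization(self, self_tests: Tuple[bool, bool, bool]) -> bool:
        """Outputs stay restrictive until every channel has passed its self-test."""
        self.initialized = all(self_tests)
        if not self.initialized:
            self.alarms.append("initialization failed: channel self-tests %r" % (self_tests,))
        return self.initialized

    def vote(self, results: Tuple[Any, Any, Any]) -> Tuple[Status, Optional[Any]]:
        """Return (status, value) for one cycle.  `results` are the three
        channels' answers for the same cycle, e.g. a permitted speed or a
        point position.  `value` is None whenever the status is restrictive."""
        if not self.initialized or self.stopped:
            return Status.RESTRICTIVE, None
        value, count = Counter(results).most_common(1)[0]
        if count < 2:
            # Serious fault at system level: stop and force restrictive outputs.
            self.stopped = True
            self.alarms.append("no majority: channels returned %r" % (results,))
            return Status.RESTRICTIVE, None
        for idx, r in enumerate(results):
            if r != value:
                # Light failure: the majority is intact, maintenance is alerted
                # and operation continues.
                self.alarms.append("channel %d diverged (%r vs majority %r)" % (idx, r, value))
        return Status.PERMISSIVE, value

    def maintainer_restart(self) -> None:
        """Manual restart after a system stop; a fresh initialization is required
        before any output can leave the restrictive status again."""
        self.stopped = False
        self.initialized = False
```

The latch is the point of the example: once a cycle shows no majority, subsequent agreement among the channels does not re-enable the output, because the cause of the disagreement is unknown until a maintainer has intervened.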

Environmental Conditions
Climatic Conditions
All components used in electronic apparatus must be capable of operating faultlessly, according to IEC 60068-1, IEC 60068-2-1, IEC 60068-2-2 and IEC 60068-2-3.

EMC Compliance Standards
The Contractor shall perform all factory and site measurements in order to show the EMC compliance of the ATC equipment according to the following standards:
- EN 50155 Railway applications – Electronic equipment used on rolling stock
- EN 50121-1 Railway applications – Electromagnetic compatibility – All applicable parts
- EN 61000-4 Electromagnetic compatibility

ATC System Safety
Safety Objectives
The design shall include provisions which are specific for the safety and security of passengers, Operation and Maintenance staff, Emergency and Security Staff, and the public. No single failure, event or likely combination of events shall cause a critical or catastrophic hazard to any of the above or to system equipment. Non-critical and non-catastrophic hazards are to be minimized and/or controlled. The objective shall be to prevent train collision and derailment. The required level that shall be obtained must be very high. The Contractor shall identify, assess and classify the risk inherent to each kind of technology and to each kind of method used in the system.

Safety Performance Requirements
Achievement of System Safety is a primary design and performance requirement for the Supplied System, which must perform in a safe manner under all operating conditions. The design of safety-homologated equipment shall meet one of the following three safety types: intrinsic safety, controlled safety or probabilistic safety.

Controlled Safety
A piece of equipment is said to have "controlled safety" with respect to certain malfunctions or failures when consequences detrimental to safety are inhibited by another independent device which detects these and controls passage to a restrictive status. As for intrinsic safety, experience shows that the degree of safety reached is better than 10^-9 per hour.

Probabilistic Safety
A piece of equipment is said to possess "probabilistic safety" when the probability of its operating in a manner detrimental to safety is smaller than a predetermined value. The probability of occurrence of a catastrophic failure (which may lead to collision or derailing) must be smaller than 10^-9.

Requirements
The Supplied System shall provide a level of safety such that any single, independent hardware, software or communication failure, or any combination of such failures, with the potential for causing death or severe injury to customers or staff shall not occur with a frequency greater than once per 10^-9 system operating hours. System operating hours is defined as the time that the system is turned on and operating. This safety requirement includes failures of all types, both random hardware failures and systematic design/software failures. The Contractor shall identify, analyse and classify inherent risks in each type of technology used in the Supplied System. For the software elements of the Supplied System this shall include the risks inherent in each part of the software (for example: operating system, application software, databases and firmware), and in the methodologies and tools used for their development. Safety critical (vital) functions shall be verified through any/all of the following: analysis, factory testing, environmental testing, or field verification. All hardware or software designs, techniques, or methodologies shall require documented verification of proven safety for approval. Safety analysis shall include hazard identification and justification of acceptable risk. Hazard identification shall be exhaustive. The Contractor shall document the principles, strategies and tools used to implement the safety requirements. The safety measures incorporated in the Supplied System shall be traceable to the safety requirements and identified hazards.

Design Requirements
Overall Requirements
Elements of the system which are not directly concerned with safety shall be kept separate from the safety part of the system. All credible failure modes for each hardware and software element of the architecture shall be identified. The design shall ensure that no failure can induce a critical situation: in case of a failure or an error, the system shall return to a recognized safe state. Faults shall be detected on-line, with high diagnostic coverage. A fail-safe architecture depends very much on the effectiveness of its fault detection measures, but it may not need any on-line diagnostics. However, a fail-operational architecture needs detailed on-line diagnostic coverage to achieve its integrity and reliability, because without this it is very difficult to implement any recovery mechanism. The architecture shall be designed to increase the availability of the system by using a combination of well tried and well defined fault avoidance and fault tolerance measures.
The design specification shall identify the components and modules of the architecture, and describe their functional and other characteristics (such as their integrity levels, failure rates and performance). It shall also describe interfaces, internally and with external equipment. The design shall ensure that the architecture operates correctly in all foreseeable environmental conditions, such as EMC, noise, heat, etc. The envelope for the environmental conditions and requirements is defined in the requirements specification. The architecture of the Supplied System shall be such that a clear segregation can be made between safety critical (vital) equipment and functions, and non-safety critical (non-vital) equipment and functions. All data communication subsystems within the Supplied System that are used to transfer safety-critical data shall be designed to provide adequate levels of error detection for this purpose.
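What "adequate levels of error detection" on a safety-critical data link amounts to in practice, as an added example; it is not code from the specification and the frame layout is not any real CBTC protocol. The header fields (source id, sequence number, send time, payload length), the CRC-32 trailer, the maximum message age and the constructed movement-authority payload are all assumptions made for the illustration. The receiver accepts a frame only if it is intact, comes from the expected peer, is fresh and advances the sequence; any other frame is rejected without touching the last accepted data, and silence longer than the maximum age forces the restrictive state, mirroring the emergency brake application specified for a failed train-to-track link.

```python
import struct
import zlib
from typing import Optional, Tuple

# Constructed frame layout (assumption, not a real CBTC protocol): big-endian
# header of source id, sequence number, send time in whole seconds and payload
# length; then the payload; then a CRC-32 over header + payload.
HEADER = struct.Struct(">HIIH")
TRAILER = struct.Struct(">I")
MAX_AGE_S = 3          # assumed maximum acceptable message age / silence period


def encode(source: int, seq: int, sent_at: int, payload: bytes) -> bytes:
    """Sender side: frame the payload with its header and CRC-32 trailer."""
    body = HEADER.pack(source, seq, sent_at, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


class VitalReceiver:
    """Receiving side of a safety-critical data link.  The output stays
    restrictive until the first valid frame and returns to restrictive when
    the link falls silent."""

    def __init__(self, expected_source: int) -> None:
        self.expected_source = expected_source
        self.last_seq: Optional[int] = None
        self.last_accept_at: Optional[int] = None
        self.restrictive = True
        self.payload: Optional[bytes] = None   # last accepted safety-critical data

    def receive(self, frame: bytes, now: int) -> Tuple[str, Optional[bytes]]:
        """Return ('accept', payload) or ('reject:<reason>', None).  A rejected
        frame leaves the previously accepted data and state untouched."""
        if len(frame) < HEADER.size + TRAILER.size:
            return "reject:short", None
        body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "reject:crc", None            # corrupted in transit
        source, seq, sent_at, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length:
            return "reject:length", None
        if source != self.expected_source:
            return "reject:source", None         # wrong or unknown peer
        if sent_at > now or now - sent_at > MAX_AGE_S:
            return "reject:stale", None          # delayed or clock-inconsistent
        if self.last_seq is not None and seq <= self.last_seq:
            return "reject:sequence", None       # repeated or out-of-order frame
        self.last_seq, self.last_accept_at = seq, now
        self.payload, self.restrictive = payload, False
        return "accept", payload

    def tick(self, now: int) -> bool:
        """Periodic supervision: True when the output must be restrictive
        because no valid frame arrived within MAX_AGE_S."""
        if self.last_accept_at is None or now - self.last_accept_at > MAX_AGE_S:
            self.restrictive = True
        return self.restrictive
```

A CRC detects random transmission errors, which is what the clause asks for; it does not detect deliberate modification of a frame. Where the hazard analysis also covers an attacker on the network, the trailer would be a keyed message authentication code over the same header and payload, with the receiver logic above otherwise unchanged.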

The accuracy, resolution, and integrity of the train location system shall be consistent with the limits established for safe braking distance, enforcement of speed zones, switch protection, and other safety functions.

Hardware Requirements
Safety critical components shall be Fail-Safe or Checked Redundant. Fail-Safe means that any frequent component failure (that is, one likely to occur more often than once in 10^-9 system operating hours) shall not result in a condition known to be unsafe. Checked Redundant means that the probability of any failure or combination of failures is low enough to provide a level of safety at least comparable to that provided by a fail-safe design. The Contractor shall produce a full and comprehensive definition of the application of these safety elements.

Software Requirements
- The Contractor shall identify, assess and classify the risk inherent to each kind of software (operating system, application software) and to each kind of new technology and new tools.
- The design of software must take into account hardware systematic failures, random failures and common mode failures.
- Data-driven software (including parametric or configurable software) shall be protected against possible errors arising from entry of incorrect data through accepted procedures.
- If vital and non-vital software is to be implemented on a single hardware platform, then all of the software shall meet the requirements for vital software unless appropriate techniques are used to ensure vital software is unaffected by the non-vital software.
- Safety critical (vital) functions shall be implemented in a manner which is Fail-Safe. The general requirements for Fail-Safe designs are outlined below.

Fail-Safety Design: Safety of system design shall be assured by the incorporation of Fail-Safe principles in the design of safety-critical modules. Fail-Safe designs shall ensure that any failure, or combination of failures, shall result in a condition that is known to be safe.
Certain equipment and components are declared to be Fail-Safe by their compliance with existing codes and standards for these particular devices (e.g. vital signalling relays) and may be used, in an appropriate manner, in the design of a safety critical system element. Devices of this type are considered to be conventional in their approach to achieving fail-safety. It shall be the responsibility of the Contractor to present the safety certifiable evidence of the inherent fail-safety of the devices to be used.

Fail-Safe Equivalence Design: Designs which are equivalent to Fail-Safe shall be considered for safety critical functions when their Fail-Safe equivalence is explicitly proven by undertaking safety engineering analysis and verification in accordance with this Specification. Such a safety proof shall demonstrate that the probability of any failure, or combination of failures, which could result in an unsafe condition shall satisfy the safety design requirement defined in the previous section.

Checked-Redundant Design: Designs which are checked-redundant in their configuration may be proven to be Fail-Safe equivalent, providing these checked-redundant designs incorporate the following design principles:
- The checking process, in itself, shall be either Fail-Safe or checked-redundant.
- The checking process shall encompass the complete subsystem, and/or all components, related to performing the safety-critical function.
- The checking process shall detect any failure of the subsystem which may degrade the integrity of the safety function. Where software is used to implement a system function, then software errors shall be considered as failures.
- The checking process shall be comprehensive and frequent. It shall be performed at least as often as the function which is being checked, and sufficiently frequently that the probability of an unsafe failure shall satisfy the safety design requirement defined in the previous section.

The design and development of critical software shall be in accordance with recognized international software standards applicable to critical, high integrity systems.
Where software is employed to perform a function which is shown to be directly pertinent to System Safety, then that software shall have been developed to a rigorous interpretation of these design and development processes. Critical decision processes within the software program which directly impact System Safety shall be structured to ensure minimum complexity, and thus allow for review and explicit testing of the logic paths. The dependence of the safety of the system on a single software decision process, logic path, or critical data element should be avoided, where possible, by incorporating diversity within the software design. Databases which contain information that can impact the safety performance of the Supplied System shall be considered safety critical, and shall be appropriately protected during data storage, retrieval, communications, and processing. The Supplied System shall be designed to ensure that all such data is accurate during initial data entry, processing, utilisation, and update, and a process shall be established for appropriate data management of this safety critical data.

Software Safety Case
The software safety case shall describe and justify the software safety analyses.

Process
The Contractor shall establish a software safety case. It shall include: an overall description of functions, the software architecture and design principles, requirements related to software derived from the various safety analyses, safety functions, interfaces, and means of implementation. The software safety case shall provide information to assess that:
- the software requirements are verified,
- the software is correctly designed.

Software Specific Safety Documentation
The following documents shall be established by the Contractor:
- Security and Safety Management Plan (SSMP)
- System Safety Plan
- Software Safety Plan (SIL4 requirement)
- Preliminary Hazard Analysis
- Test Plan
- Test Reports
- Safety Case
- Software Safety Case

RAM Failure Categories for ATC system
The following table defines the RAM failure categories:
- Significant (immobilising failure): a failure that generates a hazard and/or prevents train movement or causes a delay to service greater than a specified time and/or generates a cost greater than a specified level.
- Major (service failure): a failure that must be rectified for the system to achieve its specified performance and does not generate a hazard and/or a delay or cost greater than the minimum threshold specified for a significant failure.
- Minor: a failure that does not prevent a system achieving its specified performance and does not meet the criteria for a significant or major failure.

Reliability, Availability and Maintainability Requirements
Overall Reliability Requirements
- The Reliability of each LRU directly related to Safety shall be greater than 10^-9 failures per hour.
- Each LRU of a system whose failure would be significant shall have a Reliability greater than 2×10^-5 failures per hour.
- Each LRU of a system whose failure would be major shall have a Reliability greater than 10^-4 failures per hour.
- Each LRU of a system whose failure would be minor shall have a Reliability greater than 5×10^-4 failures per hour.
An LRU considered as being related to Safety is an LRU whose failure would be critical for Safety. These LRUs shall be defined through Safety activities. The Contractor shall develop an analysis (failure analysis and assessment) in order to determine which Reliability requirements are applicable for each LRU.
Overall Availability Requirements
. The overall Availability of a system whose failure would be significant shall not be less than 0.9999.
. The overall Availability of a system whose failure would be major shall not be less than 0.9995.
. The overall Availability of a system whose failure would be minor shall not be less than 0.999.
Failure of a single item shall not cause failure of the overall system. The Contractor shall develop a FMEA analysis (RAM analysis and assessment) in order to determine which Availability requirements are applicable for each item of equipment.

Overall Maintainability Requirements
Means of failure detection shall be defined: power-up self test, continual background test, requested self test, etc. The Contractor shall present a complete list of preventative maintenance recommendations for each type of equipment supplied. More specific Maintainability Requirements, whose applicability has to be defined since it depends on each type of equipment, are the following:
. The equipment whose failure would be significant or major shall be installed so that removal and replacement of each of its LRUs can be achieved within 30 minutes.
. The equipment whose failure would be minor shall be installed so that removal and replacement of each of its LRUs can be achieved within 60 minutes.
The Contractor shall develop a FMEA analysis (failure analysis and assessment) in order to determine which maintainability requirements are applicable for each item of equipment.

Spare Part Requirements
. Replacement of a LRU shall not require the equipment to be powered down.
. Spare parts shall be interchangeable with their corresponding part.
. An adequate supply of spare parts shall be available for at least 10 years from completion of the works. The Contractor shall undertake to notify the Client in advance of the intended cessation of spares availability.
. Spares for repairable items shall be supplied and quantities shall be determined in agreement with the Client.
. Spares for consumables and non-repairable items shall be supplied for three years of maintenance and quantities shall be determined in agreement with the Client.
. Generic name, trade name, description, drawing references and correlation with the maintenance manuals shall be provided.
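The reliability, availability and maintainability thresholds above are interdependent: a constant failure rate gives an MTBF, the LRU replacement time gives an MTTR, and together they bound the availability of a single item. The following check is an added illustration, not part of the specification; it uses the steady-state formula A = MTBF / (MTBF + MTTR) as its only assumption and the specification's own category thresholds, and also shows why the rule that no single item may fail the overall system matters once several LRUs are chained.

```python
# Added example, not part of the specification: checks per-LRU reliability,
# replacement-time and availability figures against the thresholds of a RAM
# failure category, and shows why the single-item rule (no single failure may
# fail the whole system) matters at system level. Steady-state availability
# A = MTBF / (MTBF + MTTR) with MTBF = 1 / failure rate is the assumed model;
# all thresholds are the specification's own numbers.

from dataclasses import dataclass
from math import prod
from typing import Dict, Iterable

@dataclass(frozen=True)
class FailureCategory:
    name: str
    max_failure_rate: float   # LRU reliability requirement, failures per hour
    min_availability: float   # overall availability requirement
    max_replace_hours: float  # LRU removal and replacement time (maintainability)

CATEGORIES: Dict[str, FailureCategory] = {
    "significant": FailureCategory("significant", 2e-5, 0.9999, 0.5),
    "major":       FailureCategory("major",       1e-4, 0.9995, 0.5),
    "minor":       FailureCategory("minor",       5e-4, 0.999,  1.0),
}

def availability(failure_rate: float, mttr_hours: float) -> float:
    """Steady-state availability for a constant failure rate."""
    mtbf = 1.0 / failure_rate
    return mtbf / (mtbf + mttr_hours)

def lru_compliant(category: str, failure_rate: float, mttr_hours: float) -> dict:
    """Compare one LRU's predicted failure rate and replacement time with the
    reliability, maintainability and availability thresholds of its category."""
    cat = CATEGORIES[category]
    a = availability(failure_rate, mttr_hours)
    return {
        "reliability_ok": failure_rate <= cat.max_failure_rate,
        "maintainability_ok": mttr_hours <= cat.max_replace_hours,
        "availability": a,
        "availability_ok": a >= cat.min_availability,
    }

def worst_case_availability(category: str) -> float:
    """Availability of an LRU exactly at its category's reliability and
    replacement-time limits, i.e. the least favourable compliant LRU."""
    cat = CATEGORIES[category]
    return availability(cat.max_failure_rate, cat.max_replace_hours)

def series_availability(avails: Iterable[float]) -> float:
    """Items that all must work (no redundancy): availabilities multiply, so a
    chain of individually compliant LRUs can miss the system threshold."""
    return prod(avails)

def parallel_availability(avails: Iterable[float]) -> float:
    """Redundant items where any one suffices: unavailabilities multiply."""
    return 1.0 - prod(1.0 - a for a in avails)
```

Ten limit-case minor LRUs in series fall to about 0.995, below the 0.999 system threshold, whereas a redundant pair of the same LRUs exceeds 0.9999; this is the quantitative reason the FMEA has to be done at system level rather than per LRU.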

Software Assurance

The ATC system shall be assigned an overall SIL 4 level, implying at least:
. All corresponding requirements as per the EN 50128 standard shall be fully considered.
. The Contractor shall propose, and undertake if approved by the Engineer, a software development life cycle based on those proposed in the EN 50128 standard.
. The Contractor documentation shall necessarily include:
- Software Safety Plan
- Software Quality Assurance Plan
- Software Safety Case
The Contractor may apportion some parts of the system with lower SIL levels after safety analysis to be approved by the Engineer.

Performance Requirements

General
The Contractor shall determine the theoretical minimum travel times between terminus stations using a 20 second dwell time at each intermediate station, the tightest acceleration figures with propulsion limited by passenger comfort constraints, and nominal service brake rates. The Contractor shall submit the minimum run time determination report, which shall include simulations and all assumptions, for approval.
The ATC system shall contribute no more than 3% to the theoretical minimum run time established in the "minimum run time determination report" (as described above). The ATC contribution to the run time shall include, but not be limited to: delays in initiating train start from a station after door closed status is established; the ATP determination process for safety, headway and other requirements; the resolution of speed commands; the tolerances between ATO and ATP profiles to ensure that a train does not normally exceed the ATP profile; passenger comfort constraints; train position resolution constraints; system response times for trackside equipment, on board equipment and the combination of both; communication delays in all communication links; and constraints on the station stopping profile to ensure the stopping accuracy and profile coherence required by this specification. The above ATC tolerances and response times shall be defined by the Contractor for approval.

Design Headways
The ATC system shall provide the closest feasible safe operating headways for equipped trains in normal directions, on all track supporting passenger service and terminus operations (including intermediate terminus). The design headway shall be such as to allow an operational headway of 90 seconds for a station dwell time of 20 seconds. Trackside ATC equipment layout and installation shall be dimensioned in coherence with train characteristics and performance, with provision for an upgrade in train length.
The achievable design headway shall be determined by the time required for safe braking, station dwells and other physical parameters, plus a maximum allowance of 3 seconds for all ATC system latencies and tolerances, including ATS, ATC, and wayside signalling and communication equipment. The ATC system contribution to headway shall include, but not be limited to: delays in initiating train start from a station after door closed status is established; the ATP profile determination process for safety, headway and other requirements of this specification; the resolution of speed commands; the tolerances between ATO and ATP profiles to ensure that a train does not normally exceed the ATP profile; passenger comfort constraints; train position resolution constraints; system response times for trackside equipment, on board equipment and the combination of both; communication delays in all communication links; and constraints on the station stopping profile to ensure the stopping accuracy and profile coherence required by this specification. The above ATC tolerances and response times shall be defined by the Contractor for approval. The design headway shall be calculated based upon normal operation of a preceding train not interfering with the performance of a following train.

The Contractor shall determine the variation (reduction) in headway that the ATC system supports against a reduction in train speed, due to leading trains interfering with the operation of following train(s). The Contractor shall submit an analysis of headway against train speed for approval.

Operating Headway
The target scheduled peak service operating headway is 90 seconds. The ATC system shall support a full service operating at the minimum design headway at any point on the line with no degradation of system performance. Reductions in headway shall be achievable through changes to the schedule according to available ATS strategies, including an increase to the operating train fleet.

Train Performance Parameters
A maximum operating speed for trains of 90 km/h shall be enforced by the ATC system. The ATC system shall be capable of commanding a variety of braking rates from the brake subsystem in order to meet the different speed profiles required to meet the performance and functional requirements of these specifications. The Contractor shall determine the safe braking model for the ATC system, which shall be submitted for approval. The design life of all ATC equipment in service shall be 20 years. ATC shall provide automatic station stopping. ATO station stops shall be accurate within:
. +/- 0.25 metres of the designated stop location at least 99.90% of the time;
. +/- 0.5 metres of the designated stop location at least 99.99% of the time.
Document submittal recapitulation:
. Minimum run time determination report
. ATC system tolerances and response times
. Analysis of headway against speed
. Safe braking model

Stop Now function
The time between the OCC initiating the command at the ATS workstation and the on board ATC commanding the application of the brakes shall be less than 3 seconds.
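The figures in the performance section (3% run-time contribution, 3 second ATC allowance within a 90 second headway at 20 second dwell, and the two-tier stopping accuracy) are the kind of thing an acceptance test has to check against measured or simulated data. The following is an added illustration of such checks, not code from the specification or any supplier; the headway budget components and the stop-error sample are constructed values, and the tier check treats each stop independently.

```python
# Added example (not from the specification): compliance checks for three of
# the performance figures the specification sets: the 3 % cap on the ATC
# run-time contribution, the 3 s cap on ATC latency within the design
# headway, and the two-tier ATO station-stopping accuracy. All inputs are
# constructed sample data, not measurements from any real system.

from dataclasses import dataclass
from typing import Sequence

ATC_RUNTIME_SHARE_MAX = 0.03     # ATC adds at most 3 % to the minimum run time
ATC_HEADWAY_ALLOWANCE_S = 3.0    # all ATC latencies/tolerances within the headway
OPERATING_HEADWAY_S = 90.0       # target peak operating headway
STATION_DWELL_S = 20.0           # dwell for which the headway must be achievable

@dataclass(frozen=True)
class HeadwayBudget:
    safe_braking_s: float     # time for the safe braking distance to clear
    dwell_s: float            # station dwell
    other_physical_s: float   # platform clearance, switch movement, etc.
    atc_latency_s: float      # sum of ATC/ATS/comms latencies and tolerances

    def design_headway(self) -> float:
        return (self.safe_braking_s + self.dwell_s
                + self.other_physical_s + self.atc_latency_s)

def headway_compliant(budget: HeadwayBudget) -> dict:
    """The design headway must fit the 90 s operating headway at 20 s dwell,
    and the ATC share of it must not exceed the 3 s allowance."""
    return {
        "atc_allowance_ok": budget.atc_latency_s <= ATC_HEADWAY_ALLOWANCE_S,
        "dwell_as_specified": budget.dwell_s == STATION_DWELL_S,
        "fits_operating_headway": budget.design_headway() <= OPERATING_HEADWAY_S,
    }

def runtime_compliant(theoretical_min_s: float, with_atc_s: float) -> bool:
    """ATC may add no more than 3 % to the theoretical minimum run time."""
    return (with_atc_s - theoretical_min_s) / theoretical_min_s <= ATC_RUNTIME_SHARE_MAX

# (tolerance in metres, minimum fraction of stops within it), per the specification
STOP_ACCURACY_TIERS = ((0.25, 0.9990), (0.50, 0.9999))

def stop_accuracy(errors_m: Sequence[float]) -> dict:
    """Fraction of stops within each tolerance and whether every tier is met.
    errors_m: signed stop position errors in metres, one per station stop."""
    n = len(errors_m)
    result = {"stops": n, "tiers": {}, "compliant": n > 0}
    for tol, min_frac in STOP_ACCURACY_TIERS:
        within = sum(1 for e in errors_m if abs(e) <= tol)
        frac = within / n if n else 0.0
        ok = frac >= min_frac
        result["tiers"][tol] = {"fraction": frac, "ok": ok}
        result["compliant"] = result["compliant"] and ok
    return result

def constructed_stop_errors() -> list:
    """Constructed sample: 10,000 stops, 9,995 well inside 0.25 m, four between
    0.25 m and 0.5 m, and one overshoot beyond 0.5 m (exactly at both limits)."""
    return [0.08] * 9995 + [-0.31, 0.29, 0.42, -0.38] + [0.61]

if __name__ == "__main__":
    print(headway_compliant(HeadwayBudget(52.0, 20.0, 15.0, 3.0)))
    print(runtime_compliant(1500.0, 1540.0))
    print(stop_accuracy(constructed_stop_errors()))
```

Note that demonstrating the 99.99% tier with statistical confidence needs well over 10,000 stops; the sample here sits exactly on the limits, so adding a single further stop beyond 0.5 m makes the set non-compliant.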
The time necessary for the initialization of a sub-system (trackside ATC, on board ATC, interlocking, track to train transmission, train detection) shall be as short as possible and no greater than 40 seconds. Temporary speed reduction area resolution: less than 250 metres. The Contractor shall outline any significant variance from the usual parameters of the IEEE 1474 ATC performance targets.

System Performance Safety Requirements
Achievement of System Safety is a primary design and performance requirement for the ATC system, which must perform in a safe manner under all operating conditions. Safety performance is dealt with in the safety section of the present document. The two following points can however be outlined.

Qualitative Safety Requirements
The Contractor shall accomplish the design and implementation of the ATC system, including the development of procedures and other means, in such a manner as to assure that:
. the system safely performs the correct safety critical functions within the normal range of input and other operating conditions and with no component failures. This includes showing, to the extent reasonably possible, that the system is free of unsafe systematic failures, that is, failures which can be attributed to human error that could occur throughout the design/implementation process and result in an unsafe condition. This also requires that all applicable hazards are shown, in the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.
. the system performs the correct safety critical functions in a fail-safe manner under conditions of hardware failure with normal input and operating conditions. This requires that all hazards associated with the design implementation are shown, via the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.
. the system performs the correct safety critical functions under conditions of abnormal/improper inputs and other external influences such as electrical, mechanical and environmental factors as specified in these Technical Specifications. This requires that all applicable hazards are shown, via the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.
Safety-critical functions are those cited in these Technical Specifications and those identified by performing the required safety analysis activities. During normal ATC operation, system safety shall not depend on the correctness of actions taken or procedures used by operating personnel. Procedures shall not be considered a substitute for safety functions that are to be vested in specific components, equipment, or facilities. The impact on safety of the processes and procedures which relate to the ATC project installation shall be analyzed as part of the system safety plan.

Quantitative System Safety Requirements
The achievement of system safety requires that the ATC system as installed provides an adequate level of safety assurance. The Contractor's design and implementation of the ATC system, including the development of hazard mitigation procedures and other means, shall provide a quantitative level of safety such that any single, independent hardware, software or communication failure, or any combination of such failures, with the potential of causing death or severe injury to customers or staff, shall not occur with a frequency greater than 10^-9 per system operating hour. This shall be expressed as the Mean Time Between Hazardous Events (MTBE) or THR (Tolerable Hazard Rate). "System operating hours" is defined as the time that the system is operating (24 hours a day in normal operation). This safety requirement includes contributions from random hardware failures, systematic failures due to human error, and procedural and other means employed to ensure safety.

Failure Management
General
This section details the requirements for mitigating the impact of ATC system and equipment failures on operations. The ATC system shall provide graceful degradation of performance, i.e. the loss or degradation of functions due to equipment failure shall steer the system towards a progressive, coherent and controlled shutdown, providing maintenance staff with the necessary time and information to return to full system availability.

Failure Detection
The ATC shall include appropriate maintenance and diagnostic provisions to detect and react to equipment failures. This shall include remote diagnostics at the maintenance facility and at the OCC, the ability to remotely interrogate trackside and on board equipment from these facilities, along with fault displays for troubleshooting and the timely identification of failed components and functions.

Failure Assessment
The ATS function shall include routines for assessing and establishing recommended responses to detected failures. Operating procedures and regulations shall govern staff reactions according to the type of failure (remote or local reset, automatic rescue, manual driving, passenger evacuation, etc.).

Train Failures
This section summarizes the requirements for the ATC response to train failures.

Train Doors Failure
Primary responsibility to detect and respond to train door failures, specifically failures which result in a loss of door closed status, shall remain with the train subsystems (rolling stock). The on board ATC equipment shall monitor door closed status. Loss of closed door status shall trigger emergency braking. In manual degraded mode, loss of closed door status shall result in a visual alarm on the driving panel display.

Brake Failures
Primary responsibility for the detection of and response to brake subsystem failures shall remain with the train subsystems. In addition, on board ATC shall account for brake system failures, either resulting from brake alarms provided by the rolling stock subsystems, or resulting from train braking performance monitored by ATC processing.

Loss of Train Integrity
Any loss of train continuity (unscheduled train splitting) shall be detected by train subsystems, which should initiate an emergency brake application. The on board ATC equipment shall report the event to the trackside and OCC equipment. The ATC system shall prevent movement authorities from being issued to other trains in the pull-apart area. The pull-apart area shall extend from the last known location of the rear of the train prior to the splitting up to the train movement authority limit. The ATS function shall alarm and log the event and notify the OCC. On board ATC equipment shall be able to report to the ATS that a splitting has been corrected and the train is ready to proceed. Trackside and central ATC equipment shall allow the train to resume operations after a train splitting is fixed.

Automatic Train Rescue Operation
It shall be possible for a train to be coupled to an immobilized train in order to push/pull the train to the next station and/or back to the depot. The ATC train detection shall track the rescue operation and the rescued trains.

Failures which Prevent On board ATC Equipment Receiving Updated Authorities
Failures which prevent on board ATC equipment from receiving updated movement authorities include communication equipment failures and complete local trackside ATC failures. When a train is in operation (depot or mainline) and the on board equipment detects that it is no longer able to receive authorities from the trackside, the train is automatically brought to a stop within the ATP safety speed profile. Upon restoration of data communications with the local trackside ATC, dialogue between the on board and trackside ATC shall resume in order to establish the correct actual train location along with its updated movement authority.

Failures which Prevent the On board ATC from Determining Train Location
In the event of complete onboard failure, loss of location tracking capability, or other serious failure, the ATC equipment shall release the emergency brake. The on board ATC equipment shall also cease to communicate with other train subsystems, except for diagnostic information, and shall cause a loss of the "enable" signal to the propulsion system. To recover from a failure, the on board ATC system may be either reset and reinitialized remotely from the OCC or locally from the train driving control panel, depending on the operating rules and regulations. If the reset is successful, train position shall be established by the ATC system. The OCC and train driving control panel shall have an indicator informing of the successful reset. Resumption of normal train operation shall then be enabled by a command originating either from the OCC or from a local agent on board. In case the recovery of the on board ATC functions does not allow resumption of safe and normal operation, it shall also be possible to select the restricted manual driving mode from the train driving control panel.

Failures which Prevent Local Trackside ATC from Advancing a Movement Authority
Failures which prevent the local trackside ATC from advancing the movement authority to a train include elementary track portion train detection failures or unexpected track portion occupancy, switch status failures or unexpected switch status change, and failures to receive updated location reports from the train ahead. Under these failure modes, the trackside ATC shall pull back the movement authority limit of a train to the location of the failure, if necessary.
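The two trackside rules above (protect the pull-apart area after a loss of train integrity, and pull the movement authority back to a failure location) can be stated as one authority computation that only ever shortens what was requested. The following model is an added illustration, not the specification's or any supplier's logic; it assumes a one-dimensional track in metres with a single direction of travel, and the trains, positions and failure events are constructed data.

```python
# Added example, not the specification's own logic: a simplified model of how
# trackside ATC could pull back a movement authority (MA) under the failure
# modes above, and protect the pull-apart area after a loss of train integrity.
# Track is a one-dimensional line in metres with one direction of travel
# (increasing position); trains, positions and failures are constructed data.

from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Train:
    train_id: str
    front_m: float            # position of the train front
    rear_m: float             # position of the rear (last known if integrity lost)
    ma_limit_m: float         # MA limit currently held by this train
    integrity_ok: bool = True # False after an unscheduled train split

@dataclass(frozen=True)
class TracksideFailure:
    kind: str                 # "occupancy", "switch" or "location_report"
    position_m: float         # location of the failed element or last known position

def pull_apart_area(train: Train) -> Optional[Tuple[float, float]]:
    """Area closed to other trains after a split: from the last known rear of
    the train up to its MA limit. None while integrity is intact."""
    if train.integrity_ok:
        return None
    return (train.rear_m, train.ma_limit_m)

def restore_integrity(train: Train) -> None:
    """Called once on board reports the split corrected; reopens the area."""
    train.integrity_ok = True

def _overlaps(a: Tuple[float, float], b: Tuple[float, float]) -> bool:
    return a[0] < b[1] and b[0] < a[1]

def advance_authority(train: Train, requested_limit_m: float,
                      trains: List[Train], failures: List[TracksideFailure]) -> float:
    """MA limit actually granted to `train`: the requested limit, pulled back to
    the nearest failure location ahead of the train, to the rear of any train
    ahead, and to the start of any pull-apart area it would otherwise enter.
    The result is never beyond the request and never behind the train front."""
    limit = requested_limit_m
    # Trackside failures only constrain the authority if they lie ahead.
    for f in failures:
        if f.position_m >= train.front_m:
            limit = min(limit, f.position_m)
    for other in trains:
        if other.train_id == train.train_id:
            continue
        area = pull_apart_area(other)
        if area is not None and _overlaps((train.front_m, limit), area):
            limit = min(limit, area[0])
        # A train ahead with intact integrity: never authorise into its space.
        if other.integrity_ok and other.rear_m >= train.front_m:
            limit = min(limit, other.rear_m)
    return max(limit, train.front_m)

if __name__ == "__main__":
    # Constructed scenario: B follows A; A then reports a split.
    a = Train("A", front_m=1200.0, rear_m=1080.0, ma_limit_m=2000.0)
    b = Train("B", front_m=600.0, rear_m=480.0, ma_limit_m=900.0)
    print(advance_authority(b, 1500.0, [a, b], []))
    print(advance_authority(b, 1500.0, [a, b], [TracksideFailure("switch", 950.0)]))
    a.integrity_ok = False
    print(pull_apart_area(a), advance_authority(b, 1500.0, [a, b], []))
```

A failure located behind the requesting train is ignored, and a request shorter than the current front position is floored at the front, so the function can only shorten an authority, never extend one; that monotonic property is what makes it safe to call on every cycle.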