CBTC Generic Specification

Upload: alescien

Posted on 25-Feb-2018


7/25/2019 CBTC Generic Specification

Introduction

The present document constitutes the particular specification of an automatic train control system (ATC system) to be implemented using CBTC and moving block technology.

The purpose of the CBTC system is to ensure safe, reliable and cost effective unmanned train operation (UTO) of the complete rail system, including Operating Control Centre (OCC) support functions.

The CBTC system includes central, trackside and onboard equipment with dedicated software to provide all functions for automatic train protection (ATP), automatic train operation (ATO), and automatic train supervision (ATS).

• ATP shall provide the primary protection for passengers, personnel and equipment against hazards of operations.
• ATO shall control the operations that otherwise would be performed by a train driver.
• ATS shall provide the overall supervision and control of the traffic, including status information for the central operator.

Communication between onboard and wayside ATC systems shall be supported by continuous, high capacity and bidirectional data communications.

Glossary

ATC: Automatic Train Control
ATP: Automatic Train Protection
ATO: Automatic Train Operation
ATS: Automatic Train Supervision
UTO: Unmanned Train Operation (GoA as per IEC 62290-1)
CBTC: Communication Based Train Control (as per standard IEEE 1474.1)
FMEA: Failure Mode and Effect Analysis
LRU: Line Replaceable Units
OCC: Operating Control Centre
SER: Signal Equipment Room
SIL: Safety Integrity Level (as per standard EN 5012x)
O&M: Operation & Maintenance
Movement authority: portion of track over which a train has access at a given time.

Applicable Standards / Documentation

The main standards assumed as a reference for the system design are the IEEE and EN 5012x suite of CENELEC standards or equivalent:

• CBTC system standard IEEE 1474.1
• EN 50126: Reliability, availability, maintainability, and safety (RAMS)
• EN 50129: Communications, signalling, and processing systems: safety related electronic systems for signalling
• EN 50128: Communications, signalling, and processing systems: software for railway control and protection systems
• ISO 9001: Model for quality assurance in design, development, production, installing and servicing.
• ISO 9000-


Central supervisory computers, the ATS sub-system, shall provide train scheduling, and general operating and control information, to provide optimal system throughput, control and flexibility. The regulation algorithms shall include both timetable and headway regulation.

The ATC system shall make provision for the insertion of new stations within the lines as well as provision for line extensions.

The train control system is intended to provide short intervals, great operational flexibility, safety through continuous overspeed protection, smooth and predictable operation, high reliability and availability, and optimised maintenance tasks.

The train control system of the rail network shall be communication-based.

Equipment reliability, redundancy, and system architecture shall ensure that the operation of the system continues in the presence of any single failure. The system architecture shall include redundant hardware for all ATC subsystems.

Communication among trackside computers, and between trackside computers and the OCC, shall be by fibre optic links, encrypted radio frequency or copper links.

The ATC system shall be designed such that equipment failure rates are sufficiently low to preclude the need for manual driving operation, which shall be exceptional and reserved for train return to yards.

ATC, interlocking and train detection subsystems shall form an integrated train control system, with proven-in-use interfaces between those subsystems.

Necessary automatic train control hardware and software shall be provided to achieve safe and efficient fully automated and driverless operation for passenger trains.

Under normal operation, ATC automatic mode shall require no OCC staff intervention other than supervision, and minimum OCC staff intervention when out of normal operation.

Traffic reinforcement steps to meet passenger demand shall be provided.

Any equipment failure or line interruption shall be instantly reported to the OCC and lead to minimal service disruption, as high availability requirements shall be met. In case of significant failure, the system shall then fall back to alternative modes of operation under full OCC staff supervision.

The ATC automated control shall cover mainline and yard operations.

The ATC shall facilitate and monitor safe manual mainline and yard operations.

The ATC shall provide the OCC staff with user-friendly controls and supervision, and provide all the necessary data and filtering tools to support maintenance activity.

The system shall remain open so as to anticipate further line extensions, in terms of geography and capacity, as well as train extension. Addition of new trains shall not require wayside or communication system changes.


System Design and Architecture

The CBTC System shall be developed based on the Moving Block principle, in which the system creates a protection envelope for each train, dynamically calculated based on train location, speed, and direction.

The protection envelope prevents any other controlled train from entering, maintaining a variable safe separation distance between the trains, which is adjusted according to their actual speeds.

System Principles

Operational Safety

Consideration for operational safety shall be first and foremost in the design of the CBTC system. Safety is provided by:

• Enforcement of safe train separation
• Enforcement of safe train speed limits
• Protection against derailment
• Route interlock
• Interlock between train movement and door status.

These functions shall be implemented with the use of vital (checked-redundant) computer subsystems on the train, at the control location and at each wayside interface.

Throughout the design and development of the system, checked-redundant fail-safe principles shall be rigorously followed. Failure at any level in the system causes it to revert to a safe state.

Train Tracking

Communicating Train Tracking Overview

The localization system is used for tracking of communicating trains. The train position is determined using wayside calibration transponders and positioning transponders on the trackside, and transponder interrogators and speed sensors on the On-Board. Equipped trains report their current location to the wayside computers and to the ATS.

Train Separation and Movement Authority

Movement Authority is calculated by the Zone Controller (the wayside computer) and defines an area where the train can move safely. The Movement Authority is calculated based on the track device statuses, the position of other trains and the end of track locations. The Movement Authority is limited by either an obstruction ahead of the train or, if there is no obstruction, the destination.

The On-Board CBTC equipment supervises a controlled train's ability to stop within the Movement Authority. If the train is at risk of travelling beyond the Movement Authority, the On Board computer commands the emergency brakes (EBs).

Speed Supervision

The CBTC system vital functions continuously check that the train respects the most restrictive permitted speed. The most restrictive permitted speed is calculated taking into account the following:

• Movement Authority limit
• Civil speed limits defined in the On-Board track database (ATP Speed Profile)
• Temporary speed restrictions and
• Maximum speed for the current train operating mode.

The speed curves and stopping points that are calculated by the On Board computer are illustrated below.


Interlocking Principles

In order to ensure safe train movement on the guideway, the system follows the following interlocking principles:

• Approach Locking
• SWITCH Approach Locking
• Route Locking
• Overswitch Locking
• Flank Protection
• Overrun Locking and
• SWITCH Control

Operations Requirements

The trains shall be driverless in nominal mode and unattended in normal circumstances.

Train routes shall be set automatically.

Coupling of two trains shall be provided for rescue purposes.

The wayside is fully reserved for train traffic and does not mix or cross other transportation system paths. The system design is to support "single traffic". Only equipped trains shall be operated, along with specific maintenance vehicles.

ATC shall control automated yard operation and facilitate manual operation on mainlines and in yards.

In normal operations, trains will stop at every station. Under a degraded mode of operation it shall, however, be possible to modify the standard configuration, for example to skip a station or all the stations (through train).

Under the nominal mode of operation, trains shall run in one direction; however, the ATC system shall be designed for bi-directional operation in any section of track.

System and Driving Modes

System Operation Modes

At any point, at any time, the rail system shall be operated in one of the modes defined below:

Stationary:
This is the initial and default mode. Automatic train movements, and manual train movement if requested by the OCC, are disabled.

Normal:
The states of the rail subsystems are such that the rail system may perform normally, i.e. major operating systems report no failure. The rail system is capable of achieving its operational performance requirements. (Such subsystem failures or other conditions as may exist have negligible influence on safety and performance.)

Degraded:
One or more ATC subsystems have reported a failure or other condition such that the rail system is not able to achieve its operational performance requirements (which may be due either to a sub-system failure or to some external event, such as an infringement of its right of way or obstacle detection).

Emergency:
One or more ATC subsystems (on board or trackside controller) have reported an emergency condition, possibly indicating a threat to human life (e.g. abnormal degradation of braking performance beyond an acceptable limit), or a major system breakdown requiring for example a train evacuation through manual driving mode.

Driving Modes

The ATC system shall support a number of train operation modes comprising at least:

Automatic operation:
This mode consists of full driverless unmanned operation and shall be the only mode applicable unless exceptional circumstances occur. This mode shall be available everywhere on the line and in the depot, except for the maintenance shop.

Restricted Manual Operation:
This is a speed-controlled manual mode under the responsibility of the driver. This mode corresponds to an emergency situation in case of major ATC failure. The train is manually driven under the operator's responsibility at a limited speed (provisional value of 18 km/h).

Sleeping:
Automatic operation requires a heating-up phase, followed by an initialization phase.

Immobilized:
The train is either faulty or disabled in such a way that operation is not possible without requiring manual maintenance operation.

Driving modes are to be in accordance with Operations Rules.

Initialization of System Normal Operation Mode

Initialization of automatic operation after system start-up must be possible without manual intervention locally in each train, and must not require an OCC operator command to be made for each train.

Initialization of automatic operation after a global system failure must be possible without manual intervention in each train, and must not require an OCC operator command to be made for each train.

All parts of the ATC system, including trackside and on-board computers, shall be capable of being remotely commanded to restart.

Transition between any driving modes, in particular between automatic and manual, must be possible continuously and anywhere on the running line and in the yards.

The border between manual and automatic areas shall only concern the shop acquisition track or the outer rail network acquisition track, if applicable.


Functional Requirements

Core Functions

ATC core functions are:

Automatic Train Protection (ATP): the system shall control and supervise automated train operations in such a way as to assure the safety of passengers, operations personnel and vehicles.

Automatic Train Operation (ATO): the system shall provide commands to vehicle subsystems to ensure reliable and comfortable service for passengers and convenience for operation staff, within the limits and restrictions imposed by the ATP.

Automatic Train Supervision (ATS): the system shall provide all monitoring, control and automated functions necessary to achieve fully supervised automatic operation of trains throughout the line sections, and to support degraded service. This function shall be integrated with the control and monitoring of communications and traction power systems.

Automatic Train Protection

Train Detection and Tracking

The ATP shall detect the presence of trains, and any maintenance vehicles designed for use, whether running or stationary, under automatic or manual control. Presence detection shall be provided throughout the entire automated portion of the system, including the yard. The train detection shall not require track circuits (IEEE 1474).

It shall not be possible to manually access the safety related database of the train detection function.

Loss of presence detection shall result in the ATC commanding the system into a safe condition. For an unexpected change of non-occupancy within a movement authority in force, any change of the status of non-occupancy in front of a train shall immediately and automatically lead to a reduction of authority limits and/or speed in order to prohibit train passage of the obstruction.

The presence detection function shall enable the ATC to detect the loss of presence of a previously detected automatic or manual train in all circumstances.

If lost presence is detected, the ATC system shall ensure system safety is preserved and provide annunciations to the OCC. The time to recover from a lost presence condition, that is the restoration of presence detection, shall be minimized.

All trains equipped with the ATC system shall have their position, speed, travel direction and length established by the ATC system.

The required part of this information shall be exchanged between the on board ATC and the local zone controller using the train-to-trackside bidirectional data communication network.

ATC train detection shall establish the position of both the front and the rear of the train.

ATC shall verify train length.


The ATC train detection function shall provide sufficient position accuracy to support the performance and safety requirements.

In the event of failure, including loss of power both at the trackside and on board the train, the train position function shall be self-initializing. No manual input of data shall be required to locate any train.

The ATC shall be capable of detecting and protecting parted trains.

The ATC system shall take into account the slipping and sliding of wheels to calculate its position.

Speed and position shall be determined in a vital manner.

Optional: Complementary/secondary/fallback/minimum train detection

In case the option is taken, train detection shall as a minimum determine train positions with the accuracy corresponding to the subdivision of the track system, in sections where the train has to be located according to operation requirements.

This minimum train detection shall be effective irrespective of whether a vehicle carries working onboard ATP equipment or not.

In case the option is taken, the minimum train detection shall serve as fall-back for regular train detection in case of on board ATP failure.

Safe Train Separation

The ATP shall ensure and maintain safe operation between trains. All following and opposing running shall be protected by safety critical processes.

Braking distance shall be derived from a safe braking model that shall consider worst case system response times and failure conditions, consistent with railway industry practice. The safe braking model shall be submitted as part of the safe braking calculations.

Trains equipped with ATC shall be capable of closing up to the rear of a preceding train, end of track, (work/maintenance) or failed train. Unequipped or failed trains shall be controlled by rules and procedures.

Safe train separation shall be based upon the principle of an instantaneous (brick wall) stop before a preceding train.

The issue of movement authority for opposite train routes in the same track shall continuously maintain a safe train separation that allows both trains to stop without colliding.

In case of violation of a train's end of movement authority limit, an immediate and automatic reduction to zero speed for all endangered movement authorities of other trains shall take place.

Overspeed Protection

In establishing the ATP profile, the on board ATC equipment shall continuously determine the maximum safe speed at the train location, for comparison with the actual train speed.

The maximum safe speed shall be the most restrictive of: the speed limit for the current section of track, any temporary speed restriction imposed on that section of track, the maximum speed that would enable the train to stop safely prior to the limit of the train's movement authority, and the maximum speed that would enable the train to safely reduce its speed in conformity with the next speed target and location.

Emergency braking shall automatically be initiated if the actual speed of the train exceeds the ATP profile speed at the actual train location.

Note: the ATO shall control the train speed with an operational speed limit lower than the maximum safe speed limit, i.e. the ATP profile. If this control fails, the ATP must initiate an emergency stop.

The ATP shall support speed limits that vary along the track as a consequence of local conditions.
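The speed supervision rule and the overspeed protection clauses above, worked as an added Python example that is not part of the specification: the ATP profile speed at a location is the minimum of the civil limit, the temporary speed restriction, the mode ceiling and the speeds that still allow a safe stop at the movement authority limit or a safe reduction to the next speed target, computed with a safe braking model (guaranteed deceleration, worst-case response time, and an adhesion factor for the "wet" rail condition the ATS may declare); exceeding the profile triggers emergency braking, while the ATO margin below it is enforced with the service brake. All names, numbers and the quadratic braking model are constructed assumptions, not values from the specification.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SafeBrakingModel:
    """Constructed safe braking model: guaranteed emergency deceleration on
    dry rail (m/s^2), worst-case response time (s) during which the train is
    assumed to keep its speed, and an adhesion factor (1.0 = dry, < 1.0 = wet)
    that degrades the deceleration as the ATS would command for wet rail."""
    decel_dry: float
    response_time: float
    adhesion: float = 1.0

    @property
    def decel(self) -> float:
        return self.decel_dry * self.adhesion


def max_speed_for_target(model: SafeBrakingModel, distance: float,
                         target_speed: float = 0.0) -> float:
    """Highest current speed v (m/s) such that, after running v*t_r without
    braking and then braking at deceleration a, the train is at or below
    target_speed once it has covered `distance` metres:
        v*t_r + (v^2 - vt^2) / (2a) <= distance
    Solving the quadratic in v gives the positive root returned below.
    target_speed = 0 is the movement authority limit (brick wall stop)."""
    if distance <= 0.0:
        return target_speed          # at or beyond the target point already
    a, t_r = model.decel, model.response_time
    return -a * t_r + math.sqrt((a * t_r) ** 2 + 2.0 * a * distance
                                + target_speed ** 2)


@dataclass(frozen=True)
class TrackConstraints:
    """What the on-board track database and the wayside report for the
    current train location (speeds in m/s, distances in m)."""
    civil_limit: float                       # civil speed limit of the section
    mode_limit: float                        # ceiling of the operating mode
    dist_to_ma_limit: float                  # distance to end of movement authority
    tsr: Optional[float] = None              # temporary speed restriction, if any
    next_target: Optional[Tuple[float, float]] = None  # (distance, target speed)


def atp_profile_speed(model: SafeBrakingModel, c: TrackConstraints) -> float:
    """The most restrictive permitted speed at the current location."""
    candidates = [
        c.civil_limit,
        c.mode_limit,
        max_speed_for_target(model, c.dist_to_ma_limit, 0.0),
    ]
    if c.tsr is not None:
        candidates.append(c.tsr)
    if c.next_target is not None:
        distance, target = c.next_target
        candidates.append(max_speed_for_target(model, distance, target))
    return min(candidates)


def supervise(actual_speed: float, profile_speed: float,
              ato_margin: float) -> str:
    """Brake decision: the ATO keeps the train below the profile minus an
    operational margin with the service brake; exceeding the ATP profile
    itself is an overspeed and triggers emergency braking."""
    if actual_speed > profile_speed:
        return "EMERGENCY_BRAKE"
    if actual_speed > profile_speed - ato_margin:
        return "SERVICE_BRAKE"
    return "NONE"


if __name__ == "__main__":
    # Constructed scenario: 80 km/h line, movement authority ends in 200 m.
    dry = SafeBrakingModel(decel_dry=1.0, response_time=2.0)
    wet = SafeBrakingModel(decel_dry=1.0, response_time=2.0, adhesion=0.7)
    here = TrackConstraints(civil_limit=80 / 3.6, mode_limit=80 / 3.6,
                            dist_to_ma_limit=200.0)
    for name, model in (("dry", dry), ("wet", wet)):
        v = atp_profile_speed(model, here)
        print(f"{name}: ATP profile {v * 3.6:.1f} km/h ->",
              supervise(actual_speed=17.5, profile_speed=v, ato_margin=1.0))
```

Declaring "wet" lowers the profile speed for the same movement authority, so a train that was merely inside the ATO margin on dry rail becomes an overspeed case on wet rail and gets the emergency brake.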

Brake Assurance

Service Braking

In normal conditions, ATP profile speed compliance shall be enforced by initiating service braking.

If the service brake is insufficient to keep the train within the ATP profile, the on board ATC equipment shall apply the emergency braking.

Emergency Braking

Immediate emergency braking of a train shall be initiated automatically upon any violation of safety conditions.

Emergency braking shall automatically be initiated if a train is moving without movement authority.

Emergency braking shall automatically be initiated if a train is moving against the direction allowed in its current movement authority (anti roll back).

Immediate emergency braking of trains shall be initiated automatically upon system failures (including loss of fail safe communication between system units) that might create a dangerous situation.

Emergency braking shall also be initiated when the application of the service brake, either automatically or manually (in case of work trains), is determined by the ATP to be insufficient to stop the train short of an obstruction.

Emergency braking shall also be triggered in case of receipt of an emergency Stop-now command from the OCC.

An emergency handle (or any other device such as buttons etc.) shall be available in all trains.

Emergency braking, once initiated, shall remain under ATP control and may be removed before the train comes to a complete stop if the emergency brake condition is no longer active.

If the conditions for the train to move are not fulfilled, the emergency stop shall remain in force, regardless of any reset, unless a switch to manual operation is done.


The on board ATC, emergency braking and traction orders shall be interlocked in such a way that traction is removed as soon as the emergency braking order is initiated.

Braking Performance Monitoring

The train emergency brake shall be automatically tested when the train is woken up by the OCC. Trains with deficient emergency brakes shall not be injected into the carousel. Alarms and reports shall be generated and sent to the OCC.

Securing of Routes

Routes may be defined as any movement authority that goes through a set of one or more switches.

Securing of routes shall basically rely on movement authority granting and switch interlocking.

No issue of mutually conflicting movement authorities is allowed.

The issue, change and cancelling of movement authorities shall be exchanged in a fail safe manner between the issuing instance/entities and the unit that is to utilize the movement authority.

Movement authority shall cover any portion of track geometry, except for blocked track sections or failed or blocked switches.

Movement authorities as a minimum shall support movements between any predefined departure location and any predefined arrival location over the track geometry.

In case of a movement authority cancellation, provisions shall be made to safeguard that the previously authorized train has been brought to a complete stop before another movement authority or individual switch command is issued that may include a change of switch position within the stopping distance of the said train.

Movement authorities shall be provided by the ATP function for any unmanned movement of trains, including trains carrying passengers, unmanned supply and removal of empty trains to manned maintenance vehicles or manned (defective) trains, provided that safety functions are fully operational.

Automatic release from a movement authority over track sections and switches shall take place immediately, upon train passage or in case of rerouting of the train, to allow subsequent movement authorities.

Switch Interlocking

Detection of switch position shall be done automatically and continuously.

Commands shall be provided for change of switch position.

The issue of a movement authority involving switches shall be conditioned on the correct alignment and locking of the switches within the movement authority boundaries and the correct positioning of switches protecting that movement.

No change of switch position by automatic or manual command must take place within a movement authority in force until the switch has been released from its locking by a fully detected passage of the train holding the actual authority, or the movement authority has been cancelled.


If, due to an error, a change of switch status away from the correct alignment or correct positioning takes place, movement authority limits and/or speed shall automatically be restricted to prohibit train passage of the switch.

Facilities shall exist for handover of control of a switch from the OCC to operation staff at the switch location and vice versa.

The two switch modes of operation, central (automatic or remotely controlled) and local (manual by operation staff), shall exclude each other at any moment.

Blocking of a switch shall prohibit the subsequent issue of the associated movement authority.

Blocking or unblocking of predefined switches delimited by wayside markers shall be supported by the ATP system.
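The route securing and switch interlocking clauses above, worked as an added Python example that is not the specification's own code: a movement authority (MA) is issued only when its sections are free of other authorities and not blocked and every switch inside it or protecting it is centrally controlled, detected in the required position and not locked for another train; locked switches refuse move commands until released by a detected passage or by a cancellation confirmed at standstill; a switch that leaves its locked position cuts the holding authority back before it. The switch layout, train ids and events are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Switch:
    name: str
    detected: Optional[str]           # "normal", "reverse" or None (no detection)
    control: str = "central"          # "central" or "local"; they exclude each other
    blocked: bool = False
    locked_by: Optional[str] = None   # train whose movement authority locks it
    locked_pos: Optional[str] = None


@dataclass
class MovementAuthority:
    train: str
    sections: List[str]                        # track sections covered
    switches: Dict[str, str]                   # switch -> position required inside the MA
    flank: Dict[str, str] = field(default_factory=dict)  # protecting switches -> position
    restricted_at: Optional[str] = None        # switch the MA was cut back before


class Interlocking:
    """Constructed interlocking model holding the switches, the blocked
    sections and the movement authorities (MAs) currently in force."""

    def __init__(self, switches: List[Switch], blocked_sections=()):
        self.sw = {s.name: s for s in switches}
        self.blocked_sections = set(blocked_sections)
        self.active: Dict[str, MovementAuthority] = {}

    def issue(self, ma: MovementAuthority) -> List[str]:
        """Try to issue an MA. Returns the refusal reasons; an empty list means
        the MA is in force and its switches are now locked for this train."""
        reasons: List[str] = []
        in_force = {s for m in self.active.values() for s in m.sections}
        for s in ma.sections:
            if s in in_force:
                reasons.append(f"section {s} conflicts with an MA in force")
            if s in self.blocked_sections:
                reasons.append(f"section {s} is blocked")
        wanted = {**ma.switches, **ma.flank}
        for name, pos in wanted.items():
            sw = self.sw[name]
            if sw.blocked:
                reasons.append(f"switch {name} is blocked")
            if sw.control != "central":
                reasons.append(f"switch {name} is under local control")
            if sw.detected != pos:
                reasons.append(f"switch {name} not detected in {pos}")
            if sw.locked_by not in (None, ma.train):
                reasons.append(f"switch {name} locked by MA of {sw.locked_by}")
        if reasons:
            return reasons
        for name, pos in wanted.items():      # route locking of every switch used
            self.sw[name].locked_by, self.sw[name].locked_pos = ma.train, pos
        self.active[ma.train] = ma
        return []

    def command_switch(self, name: str, pos: str) -> bool:
        """Automatic or manual move command; refused while locked or blocked."""
        sw = self.sw[name]
        if sw.locked_by is not None or sw.blocked:
            return False
        sw.detected = pos   # assume the field device completes the move
        return True

    def report_detection(self, name: str, detected: Optional[str]) -> Optional[str]:
        """Detection update from the field. A locked switch that leaves its
        locked position (or loses detection) cuts the holding MA back before
        the switch; the affected train id is returned."""
        sw = self.sw[name]
        sw.detected = detected
        if sw.locked_by is not None and detected != sw.locked_pos:
            self.active[sw.locked_by].restricted_at = name
            return sw.locked_by
        return None

    def train_passed(self, train: str, name: str) -> None:
        """Fully detected passage of the holding train releases the lock."""
        sw = self.sw[name]
        if sw.locked_by == train:
            sw.locked_by = sw.locked_pos = None

    def cancel(self, train: str, at_standstill: bool) -> bool:
        """Cancel an MA. Locks are released only once the train is confirmed
        stopped, so no switch can move within its stopping distance."""
        if train not in self.active or not at_standstill:
            return False
        for sw in self.sw.values():
            if sw.locked_by == train:
                sw.locked_by = sw.locked_pos = None
        del self.active[train]
        return True
```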

Safe End of Track Approach

The ATP shall ensure that the train will not reach the end of track buffer under worst case failure conditions.

Speed Detection

Actual speed detection: a continuous measurement of the actual real speed of the train shall be provided by the onboard equipment.

Zero speed detection: zero speed shall be detected by the onboard ATP equipment.

Train Splitting Protection / Train Integrity Protection

Facilities shall exist to detect any coupling detachment and/or separation of detachable units of a train consist.

Upon detection of an unscheduled uncoupling, detachment or separation, an immediate emergency stop shall be imposed on all units of the previously connected train.

The ATC shall detect an unexpected split and establish appropriate limits of authority to prevent other trains from entering the pull-apart area. An alarm shall be forwarded to the OCC.

Direction Control and Rollback Protection

The ATP shall ensure in real time that the specific running direction on each track is respected.

Reversal of train travel direction shall be prevented until zero speed has been detected.

Emergency braking shall automatically be initiated if a train is moving against the direction allowed in its current movement authority.

Train and Platform Screen Door Safe Protection

Train door protection shall be provided for all passenger trains.

Train door status and platform screen door status shall be subject to continuous supervision.

If any automatic door or emergency exit door on a train unlocks for any reason while the train is in motion, i.e. above zero speed detection, an emergency stop shall be automatically initiated.

In the event of any unscheduled door opening, a local manual reset by authorized personnel shall be required prior to the restoration of train operation, unless the door status returns to "closed" in the meantime.


Option: remote reset from the OCC shall be available after having established, through communication means (on-board camera, passenger dialogue), the safety of the current situation.

A stopped train shall not be permitted to move automatically until all doors of the train are properly closed and locked.

The ATP shall monitor the train and platform screen doors in order to authorize their opening only if the train speed is zero, vehicle and platform screen doors are properly aligned within the allowable tolerances, the park brakes are applied and the propulsion system is disabled.

Facilities for emergency opening of train doors (from the OCC, from inside the train or from outside the train) shall exist.

Platform screen door protection shall be provided at all platforms.

The status of platform screen doors shall be subject to continuous supervision.

If a platform screen door unlocks for any reason other than during passenger exchange with a dwelling train, an emergency stop shall be initiated for all trains in predefined sections along the station.

In case of an unscheduled platform screen door opening, the train at the station shall apply emergency braking and the incoming train shall apply emergency braking.

In the event of any unscheduled platform screen door unlocking, a local manual reset by authorized personnel shall be required prior to the restoration of the operation.

A train stopped at a station platform shall not be permitted to move automatically until all platform screen doors facing the train are properly closed and locked.

The ATP shall monitor the train and platform screen doors in order to authorise their opening only if the train speed is zero, vehicle and platform screen doors are properly aligned within the allowable tolerances, the park brakes are applied and the propulsion is disabled.

Facilities for controlling the emergency opening of platform screen doors (from the OCC, from the track side or from the platform side) shall exist.
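The train door and platform screen door (PSD) clauses above, as an added Python example that is not the specification's own logic: door opening is authorised only at zero speed with aligned doors, park brake applied and propulsion disabled; a train door unlocking in motion, or a PSD unlocking outside a passenger exchange, demands an emergency stop and latches a reset, which a re-closed train door (or the optional OCC remote reset) clears but a PSD event does not; automatic departure needs all doors closed and locked and no pending reset. The sensor snapshots and the alignment tolerance are constructed values.

```python
from dataclasses import dataclass


ALIGNMENT_TOLERANCE_M = 0.30   # constructed; the spec leaves the tolerance to safety analysis


@dataclass(frozen=True)
class DoorInputs:
    """One snapshot of the vital inputs the door protection supervises
    (constructed sample data)."""
    zero_speed: bool               # vital zero speed detection
    park_brake_applied: bool
    propulsion_disabled: bool
    alignment_error_m: float       # offset between train doors and PSDs
    train_doors_closed_locked: bool
    psd_closed_locked: bool        # platform screen doors facing the train
    passenger_exchange: bool       # a dwelling train is exchanging passengers


class DoorProtection:
    def __init__(self) -> None:
        self.train_door_latch = False   # unscheduled train door opening
        self.psd_latch = False          # unscheduled PSD unlocking

    def may_open_doors(self, i: DoorInputs) -> bool:
        """Opening authorised only at zero speed, within alignment tolerance,
        with the park brake applied and propulsion disabled."""
        return (i.zero_speed
                and abs(i.alignment_error_m) <= ALIGNMENT_TOLERANCE_M
                and i.park_brake_applied
                and i.propulsion_disabled)

    def emergency_stop_needed(self, i: DoorInputs) -> bool:
        """A train door unlocked in motion, or a PSD unlocked outside a
        passenger exchange, demands an immediate emergency stop."""
        stop = False
        if not i.zero_speed and not i.train_doors_closed_locked:
            self.train_door_latch = True
            stop = True
        if not i.psd_closed_locked and not i.passenger_exchange:
            self.psd_latch = True
            stop = True
        return stop

    def train_doors_reclosed(self) -> None:
        """A train door returning to "closed" in the meantime clears the
        train door latch; a PSD event still needs a manual reset."""
        self.train_door_latch = False

    def local_reset(self, by_authorised_personnel: bool) -> bool:
        """Local manual reset; the only way to clear a PSD latch."""
        if by_authorised_personnel:
            self.train_door_latch = self.psd_latch = False
        return by_authorised_personnel

    def remote_reset(self, situation_confirmed_safe: bool) -> bool:
        """Optional OCC reset of a train door event, only after the situation
        has been confirmed safe through the on-board camera or passenger
        dialogue."""
        if situation_confirmed_safe:
            self.train_door_latch = False
        return situation_confirmed_safe

    def may_depart(self, i: DoorInputs) -> bool:
        """Automatic movement only with all train doors and facing PSDs closed
        and locked, and no reset pending."""
        return (i.train_doors_closed_locked and i.psd_closed_locked
                and not self.train_door_latch and not self.psd_latch)
```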

Temporary Speed Restrictions

The ATP shall ensure the compliance of trains with temporary speed restrictions that are introduced and cancelled by the ATS system.

Blocking of Track Sections or Switch Areas

Blocking and unblocking of predefined track sections delimited by wayside markers shall be supported by the ATP function and supervised by the ATS function.

Blocking of a track section shall prohibit the subsequent issue of movement authorities in that section.

Wet/Dry Rail Reduced Adhesion Operation

The ATS shall be able to modify the service braking performance in ATP profile calculations under wet/dry reduced adhesion conditions. The ATS system shall have the capability for the OCC to designate the weather conditions as "wet" or "dry" on a system wide basis or on predefined sections of track, particularly for sections of track in open air.

When the OCC changes the condition between "wet" and "dry", the ATS system shall notify all equipped trains.

When in "wet" condition, i.e. whenever or wherever the adhesion condition changes, the on board ATC equipment shall adopt a degraded braking performance. The on board equipment shall ensure that trains do not violate the movement authority given the assumed reduction in braking performance.

Obstacle Detection

Wayside devices enabling the mitigation of identified hazards shall feed the ATP function with alarms that may bear various levels of severity.

Wayside obstacle detection may complement and/or be interfaced with an intrusion detection system.

The status of wayside obstacle detectors shall be subject to continuous supervision.

If an obstacle is detected, an emergency stop shall be initiated for all trains in predefined sections around the obstacle area.

Wayside obstacle detection devices shall require a local manual reset or a remote reset, depending on the device nature, prior to the restoration of normal operation.

Automatic Train Operation

The ATO function shall provide commands to vehicle subsystems, in particular the propulsion unit, to ensure reliable and comfortable service for passengers as described below.

ATO operates under the safety constraint of ATP and shall in no way reduce the safety level of the ATP.

Motion Control

Train acceleration, deceleration, and station stops shall be controlled by the on board ATO function within the established ATP profile. The ATO shall effect this control by providing commands to the train's propulsion and braking units in real time.

The ATC equipment shall cause the service brakes to be applied automatically, as required, for speed maintaining, to reduce train speed on approach to a civil work speed reduction or temporary speed reduction, and to bring the train to a stop at a movement authority limit or programmed station stop. (Service braking shall also be applied automatically in manual mode every time the on board ATC detects that the fixed ceiling speed limit is reached.)

Speed Regulation and Run Time Control

The ATO shall control train speed and deceleration rates to stop trains at station platforms within tolerances defined by safety analysis and enforced by the ATP.


The ATO shall control train braking commands to provide a smooth stop, avoiding jerks as the train comes to rest. An automatic jog forward/back feature may be used, within safety constraints when going backward.

Trains which do not succeed in positioning within tolerances at the station platform may perform a forward or reverse jog attempt. The number of jog attempts shall be a maximum of one for every failed positioning.

Trains which do not stop (after jog attempts, if so designed) within the correct alignment tolerances shall automatically send a request to the OCC, along with train stop imprecision figures, in order to be authorized to proceed to the next station.

The ATO shall control the train speed within an acceptable limit of the required speed for the profile defined for a particular operation mode and track location.

The ATO shall, in combination with the propulsion and braking control circuits of the train, meet the acceleration and jerk limits, avoid unnecessary power/brake transitions, avoid overspeed, and provide the smoothest practical ride for passengers.

Dwell Time and Departure

Upon platform train stop, the ATO shall control the station dwell as per service regulation needs.

The dwell time shall be either automatically defined according to timetable and headway regulation needs, or may be shortened or extended by means of a straightforward control from the OCC or from the local control.

At the end of the programmed dwell time, the ATO shall automatically command platform screen doors and train doors to close simultaneously, preceded by an audio and visual signal for passenger information.

Once all doors are confirmed to be locked, the ATC shall command the train to depart the station.

Programmed Station Stop

Braking and stopping at a station must be made within a precision allowing the passenger exchange to be done at the predetermined areas through platform screen doors, within the precision defined in the performance requirements.

For coupled train passenger unloading, the station stop at the next station must support successive unloading of passengers for both coupled trains.

Other Sub Functions

The ATO function shall address other functions and their interfacing requirements with the ATS, the ATP function and communication equipment: request for door opening, train response to OCC controls, train departure testing, passenger information support, train health monitoring.

Automatic Train Supervision

Automatic train supervision shall provide the following functions:

Automatic Route Setting

Automatic Route Setting is the ATS function that automatically requests routes for trains to implement train movements defined by:

- Run assignments
- Line assignments
- Single Destination assignments and
- Shuttle assignments.

Turnback Modification

The ATS Operator shall be able to establish diversions to change the turnback location for trains on scheduled run assignments or line assignments. This feature allows short turnbacks to be established for a specified time period.

Conflict Handling

Conflict handling shall provide deadlock prevention for train segments.

Manual Route Setting

Manual Route Setting allows the ATS Operator to manually request or cancel any route.

Automatic Train Regulation

Automatic Train Regulation manages the dwell time and train run type for trains with a run assignment. It also calculates the schedule and headway adherence of each train for presentation to the central operator.

Anti-Bunching / Automatic Platform Hold

The ATS shall automatically apply a platform hold to a train at a platform when there is an excessive accumulation of trains on the track downstream.

An automatically created platform hold is automatically removed when the concentration of trains downstream has come back to a normal state. The Central Operator shall be able to override an automatic hold by performing an individual train depart or by disabling the automatic hold feature for the platform in question.

Schedule Assignment

The ATS shall provide a facility to assign a selected operating schedule using the Schedule Selection command.

The ATS shall provide a facility to plan the automatic schedule assignment covering a certain duration (e.g.


The current operating timetable may be edited by the ATS operator to provide temporary service adjustments. Online edits only apply to the currently loaded timetable.

Cancel Run/Trip

This command allows the ATS operator to cancel a trip or an entire run. This has the effect of removing the trip data from passenger information. When a train arrives at a terminus and the next trip has been cancelled, it will go out of service.

Train Out of Service

The ATS operator shall be able to select a platform at which to take a train out of service for any trip. This platform will be reflected in passenger information as the new destination. When the train arrives at that designated platform it will go out of service unless it has been formed to another trip.

Slide Trip

The Slide Trip command allows the ATS operator to change the departure time for a trip. All of the platform times for the trip are slid by the corresponding time change.

Even Out Headway

The Even Out Headway command (also known as flex) allows the ATS operator to perform multiple Trip Slides in one command.

Divert Trip

This command allows the ATS operator to turn a trip short, extend a trip or send a trip down a different track.

Modify Trip

This command gives the ATS operator the ability to modify details of a single trip.

Add Run

This command allows the ATS operator to add a run into the current timetable.

Modify Entry

This command allows the ATS operator to change the entry location for a run. An entry line and revenue start platform must be specified.

Modify Exit

This command allows the ATS operator to change the exit location for a run. An exit line and revenue end platform must be specified.

Revert Run

This command reverts all trip modifications that have been made to a run back to the timetable values.

Station Bypass

The ATS shall be able to direct a train or group of trains to skip a station or group of stations. Train groups shall include a manually specified (click-on) group, all trains in a direction, or all trains in service.

The ATS system shall provide a trigger to automatically generate a Public Announcement on the platform and on board the concerned trains to notify passengers that the train is not stopping in the station.

The on-board ATC equipment shall suppress station overrun notices to the OCC or the Local Control room.

The ATC system shall allow trains to leave stations being bypassed at the maximum authorized speed.

Holding a Train at Station

The ATS shall enable the OCC or the Local Control Office to hold a train in a station through an ATS command.

Restricting or Stopping a Train "en route"


a) Stop at next station. The ATS system shall provide a means to stop trains en route, either immediately or at the next station. The ATS system shall allow the OCC to designate a train, group of trains, section of track, or the whole system, and define whether the stop is to be at the next station or immediate.

In the case of a next-station stop, the on-board ATC equipment shall determine whether the train can physically stop in service braking mode by the next station. If the train is in the process of departing a station, it shall continue to the next station and stop there. If the train is in the process of bypassing a station and the ATC system determines that the train cannot stop at that station under normal service braking, the train shall be allowed to run to the next station, where it will stop.

Once stopped at the station, each train's movement authority shall be pulled back by the ATC system to the stopped location.

The OCC shall be able to release the stop-at-next-station command by a group command, for either a single train, a group of trains, all trains in a section of track or all trains on the line. Once released, the ATC system shall allow movement authorities to be advanced, and the ATS system shall set routes for trains through the interlocking process.

b) Stop Now function (emergency). The ATS system shall provide a means for the OCC to designate a train, group of trains, all trains in a section of track, or all trains on the line, to be stopped immediately with emergency braking. This command shall cause the on-board ATC equipment to immediately apply the brakes, and to notify the train in manual driving mode, if any.

The on-board ATC shall adjust the train movement authority consistent with the actual stop.

The OCC shall be able to release the stop-immediately command on one train at a time, or a group of trains, all trains in a section of track, or all trains on the line. Once released, the on-board ATC equipment shall release the emergency brake command, the ATC shall allow movement authorities to be advanced, and the ATS system shall set routes for trains.

c) Stop Now function (service). This function is identical to the emergency Stop Now function except that trains are brought to a stop with service braking.

Track Maintenance Support

The ATS system shall provide a means for the OCC to block track and switches, and to apply temporary speed restrictions (TSR) and remove them as necessary.

Track and Switch Blocking

The ATC system shall not grant movement authorities to trains to operate into or out of blocked track sections or switch areas. The ATS system shall include facilities to allow the OCC to block and unblock track sections and switches.

Temporary Speed Reductions

The temporary speed restriction shall be enforced in a similar manner to civil work speed limits. Trains that already have authority through the TSR order area and can comply with the speed limit shall do so.

In the event that a TSR is received by a train that encompasses an area within a safe braking distance of the train, and the restriction would place the train in an overspeed condition, the on-board ATC equipment shall brake the train into compliance. If the train fails to respond to the service brakes, the on-board ATC equipment shall apply the emergency brakes.

Temporary speed reductions are under ATP control.
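The wet/dry braking-performance adjustment and the TSR enforcement described above, worked through as an added example that is not part of this specification: an ATP profile computed from adhesion-dependent service-brake rates, supervised against the current speed, with escalation to emergency braking when the train does not respond. The deceleration values, the reaction time and the response tolerance are assumptions, not figures from the document.

```python
"""ATP braking-curve supervision with wet/dry adhesion and TSR targets."""
from dataclasses import dataclass
from enum import Enum
from math import sqrt
from typing import List, Optional

# Assumed guaranteed service-brake decelerations in m/s^2 (illustrative;
# the real figures come from the contractor's safety braking model).
SERVICE_DECEL = {"dry": 1.0, "wet": 0.6}
REACTION_S = 1.0            # assumed worst-case brake build-up delay, s
RESPONSE_TOLERANCE = 0.5    # assumed: below this fraction of the expected
                            # deceleration the train is "not responding"


class BrakeCommand(Enum):
    NONE = "none"
    SERVICE = "service"
    EMERGENCY = "emergency"


@dataclass(frozen=True)
class Target:
    """A speed target the ATP must respect: a TSR or civil speed limit
    (with an end), or the end of the movement authority (limit 0)."""
    start_m: float
    limit_kmh: float
    end_m: Optional[float] = None


def kmh_to_mps(v_kmh: float) -> float:
    return v_kmh / 3.6


def permitted_speed_mps(position_m: float, targets: List[Target],
                        adhesion: str, ceiling_kmh: float = 80.0) -> float:
    """ATP profile value: the highest speed at position_m from which every
    target ahead can still be met with the adhesion-dependent service brake.

    The train keeps speed v during REACTION_S, then brakes at a, covering
    v*REACTION_S + (v^2 - v_t^2)/(2a); this must not exceed the distance d
    to the target, which gives the positive root used below.
    """
    a = SERVICE_DECEL[adhesion]
    permitted = kmh_to_mps(ceiling_kmh)
    for t in targets:
        if t.end_m is not None and position_m >= t.end_m:
            continue                        # restriction already passed
        v_t = kmh_to_mps(t.limit_kmh)
        d = max(0.0, t.start_m - position_m)
        if d == 0.0:
            v_max = v_t                     # inside the restricted area
        else:
            b = a * REACTION_S
            v_max = -b + sqrt(b * b + v_t * v_t + 2.0 * a * d)
        permitted = min(permitted, v_max)
    return permitted


def supervise(speed_kmh: float, position_m: float, targets: List[Target],
              adhesion: str) -> BrakeCommand:
    """Service brake whenever the train is above the ATP profile, which is
    also what a TSR received inside the braking distance, or a switch from
    "dry" to "wet", triggers."""
    if kmh_to_mps(speed_kmh) > permitted_speed_mps(position_m, targets, adhesion):
        return BrakeCommand.SERVICE
    return BrakeCommand.NONE


def check_brake_response(speeds_mps: List[float], dt_s: float,
                         adhesion: str) -> BrakeCommand:
    """After a SERVICE command, compare the deceleration actually achieved
    over the sampled speeds with the expected one and escalate to
    EMERGENCY if the train fails to respond."""
    if len(speeds_mps) < 2:
        return BrakeCommand.SERVICE         # not enough samples yet
    achieved = (speeds_mps[0] - speeds_mps[-1]) / (dt_s * (len(speeds_mps) - 1))
    if achieved < RESPONSE_TOLERANCE * SERVICE_DECEL[adhesion]:
        return BrakeCommand.EMERGENCY
    return BrakeCommand.SERVICE


if __name__ == "__main__":
    # Constructed scenario: MA ends at 1000 m; a 40 km/h TSR covers 700-900 m.
    targets = [Target(1000.0, 0.0), Target(700.0, 40.0, end_m=900.0)]
    for adhesion in ("dry", "wet"):
        v = permitted_speed_mps(500.0, targets, adhesion) * 3.6
        print(f"{adhesion}: {v:.1f} km/h permitted at 500 m, train at 75 km/h "
              f"-> {supervise(75.0, 500.0, targets, adhesion).value}")
```

The same train at the same speed is compliant under the "dry" designation and receives a service brake command once the OCC designates the section "wet", which is the notification-driven behaviour the clause requires.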

Passenger and Staff Information

The ATS must generate data about time schedules and deviations from time schedules to inform passengers and staff.

Automatic Depot Operations Control

General

The depot shall be equipped for automatic train movement in all locations except for the designated shop tracks. Trains shall move automatically between storage tracks, the main line and shop transfer track(s).

From the shop transfer tracks to the maintenance shop, it shall be possible to hand over the automatic train movement control to manual control.

Option: for ease of maintenance, trains may be remotely driven between the shop transfer track and the maintenance shop from a local shop panel control.

Trains shall be routed within the yards by automatic means or by remote command from the OCC.

Safe manual driving of trains within the Depot shall be possible within the limitations fixed by the on-board ATP (Optional).

Automation of train movement initiation between the Depot and the main line, and vice versa, shall be maximized.

The system design principles for the Depot shall be the same as those for the main line. All mainline functions shall be available in the depot.

Depot to Main Line Operation

Every time a train has gone through the sleep state, which is the normal state for train storage, the train shall be subjected to a series of static safety and functional tests, conducted automatically, to ensure that critical systems are fully operational.

The ATC system shall possess a self-testing capacity.

If the tests are passed successfully, the train can proceed to the main line for revenue operation. If one or more of the tests fail, train insertion is put on standby and the OCC is alerted to the nature of the failure.

The location of entry tests, also depending on the track layout, should be chosen such that failure of entry tests does not block further access for trains to and from the mainline.

Main Line to Yard Operation

Trains shall return to the Depot from revenue service in accordance with automatic schedule requirements, or upon OCC request.

The scheduled destination shall be capable of being overridden from the OCC.

The return to the Depot requested from the OCC may concern one or more trains.

Train Storage

The necessary movements shall be automatically achievable.


When trains are to be put to sleep, the OCC shall be able to trigger the sleep mode only for trains in the correct position in their storage track.

A command shall be available to initiate sleep mode in any section of storage track outside the depot.

The train awakening shall be made by the OCC automatically from the schedule or manually initiated via operator command.

Spare Parts

The Contract supply shall include the delivery of a sufficient amount of spare parts to secure that the rail system will be self-sustained with spare parts, especially during the test period, the trial run, and during the critical early stages of commercial operation. The Contractor shall indicate an itemized list of spare parts including total value for a maintenance period of 3 years following completion of the specified period of operation and maintenance.

Detailed description of the entire ATC system

The contractor shall submit a detailed description of the ATC system delivered. The description shall address all functional and technical requirements and shall explain in detail how each of these is achieved, including control tables (as applicable) and the safety braking model (safety distance calculations):

- Description and drawings of all items of hardware
- Description and drawings of all interface arrangements
- Fully detailed operating diagrams for the normal timetable scenario

Trackside and Wayside ATC Characteristics

General Requirements

The trackside and wayside ATC subsystem shall consist essentially of a network of highly reliable, distributed vital area computers (local trackside ATC). The trackside intelligence for train tracking, movement authority setting, the interlocking function and other ATC-related ATP functions is resident in the trackside computer(s).

Trackside systems shall also include primary train location devices (transponders), which are able to provide a unique identity to the on-board ATC positioning system.

Each trackside ATC shall be microprocessor based and shall be responsible for the control of trains, whether in driverless or manual mode, and facilitate the passage of unequipped vehicles.

Each trackside ATC shall interface with the data communication network and/or the multi-service backbone network, to the ATS server at the OCC, to the other adjacent trackside ATCs, and to the trackside equipment.

The Contractor shall determine the architecture for the trackside ATC network which shall form the basis of his design in order to meet the functional and performance requirements of these specifications. The length of track, the number of allowable trains in a section, the number of stations, and the number of interlocking and other trackside elements with which the ATC must interface, combined with the degree of redundancy incorporated in each trackside ATC, shall constrain the ability of the ATC system to meet these aforementioned requirements along with the safety, availability, reliability, and maintainability criteria set in the System Assurance Program Plan.

Restricted Manual Mode

In the event of a loss of vital information (such as train location, movement authority, etc.) as a result of a failure of the ATC on-board system, a failed train-to-track communication link, or a failed trackside ATC, the ATC shall cause an emergency brake application. Further movement of the train shall be possible in restricted manual mode, the selection of which shall disconnect all non-required subsystems.

The train operator will be able to select restricted manual mode using a switch on the driving panel; the result of this action shall bypass the ATC functions and ensure the removal of the movement authority restriction. The train can then be operated at a restricted speed (18 km/h) by the propulsion subsystem or by the on-board ATC.

It shall be possible in RM mode to reset, or reinitialize, the on-board ATC equipment. If the reset is successful and full ATC functions, including train location determination, are restored, a message shall be indicated to the train operator and to the OCC. The train operator may then select the driverless mode to resume normal operation.

Level of Safety

The global safety shall depend on a system whose safety has been definitively proven independently of any application software.

In order to ensure the safety of the systems used in the field of railway signalling, two main conditions must be fulfilled:

- the system used has to ensure a faultless and complete function in the sense of the task definition;
- it has to show a vital behaviour in case of failures and faults referring to the system itself or to components directly connected with it.

Vital Subsystems

The vital subsystems shall be designed so as to be fail-safe. The architecture and the relevant equipment implemented to ensure processing safety shall be described clearly by the contractor, such as:

- coded mono-processor
- bi- or tri-processor with comparison or majority vote
- mono-processor with bi-software.

Hot redundancy or a 2-out-of-3 polling concept is recommended for high availability. An alarm alerts the maintenance staff, who are able to intervene without interrupting system operation.

In case of a power supply defect, the system will shut down in an orderly manner, locking points in their current position. The stored functions will be memorized for a pre-determined time of hours at least. When the power supply recovers, the system resumes automatically if there is no loss of stored information; if not, a manual restart by the maintainer will be necessary.

Software Architecture

The contractor shall distinguish between basic software and application software.


The function of the basic software is to keep the application software independent of the hardware and to provide high-performance services.

The basic software mainly governs the operating system and communications.

Input/Output Safety

A restrictive status of each input and output shall be defined by the contractor.

Detection of serious faulty operation at the level of an input or an output shall involve its restrictive status.

Detection of serious faulty operation at the level of the system shall involve the system stop and the restrictive status of the outputs.

In addition, the system outputs shall be systematically maintained in restrictive status before complete initialization.
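The 2-out-of-3 voting concept from the Vital Subsystems clause and the restrictive-status rules of this clause, as an added example that is not the specification's design: a voter for one vital output that stays restrictive before initialization, raises a maintenance alarm on a single dissenting or silent channel without interrupting operation, and stops the system with the output restrictive when no majority can be formed. The channel states, the class layout and the restart method are assumptions.

```python
"""Two-out-of-three voting for one vital output with restrictive defaults."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Aspect(Enum):
    RESTRICTIVE = "restrictive"   # the safe state, e.g. no movement authority
    PERMISSIVE = "permissive"


@dataclass(frozen=True)
class VoteResult:
    output: Aspect
    alarm: bool         # maintenance alarm: light failure, operation continues
    system_stop: bool   # serious fault: system stopped, output restrictive


class VitalOutputVoter:
    """Votes the three channel opinions for one vital output every cycle.

    A channel value of None models a channel that failed its self-check or
    did not answer within the cycle; its opinion never counts as PERMISSIVE.
    """

    def __init__(self) -> None:
        self.initialised = False
        self.stopped = False

    def complete_initialisation(self) -> None:
        self.initialised = True

    def maintainer_restart(self) -> None:
        """Manual restart after a system stop; the output stays restrictive
        until initialisation has been completed again."""
        self.stopped = False
        self.initialised = False

    def vote(self, channels: Sequence[Optional[Aspect]]) -> VoteResult:
        if len(channels) != 3:
            raise ValueError("2-out-of-3 voting needs exactly three channels")
        # Before complete initialisation, and after a system stop, the
        # output is held restrictive whatever the channels say.
        if not self.initialised or self.stopped:
            return VoteResult(Aspect.RESTRICTIVE, self.stopped, self.stopped)

        valid = [c for c in channels if c is not None]
        failed = 3 - len(valid)
        permissive = sum(1 for c in valid if c is Aspect.PERMISSIVE)

        if len(valid) < 2:
            # No majority can be formed: serious fault at system level.
            self.stopped = True
            return VoteResult(Aspect.RESTRICTIVE, alarm=True, system_stop=True)

        # PERMISSIVE needs two healthy channels agreeing on it; a lone
        # permissive vote, a silent channel or a disagreement is resolved
        # on the restrictive side and flagged for maintenance.
        output = Aspect.PERMISSIVE if permissive >= 2 else Aspect.RESTRICTIVE
        disagreement = 0 < permissive < len(valid)
        return VoteResult(output, alarm=(failed > 0 or disagreement),
                          system_stop=False)
```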

Maintenance Facilities of the Module

The diagnostics and maintenance subsystem consists of a personal-computer-based tool that provides support for the maintenance staff. A comprehensive range of diagnostic facilities shall be built into the system.

It shall be possible for maintenance staff to interrogate the system at any time and check the current state of any specified signalling functions, or list any current fault reports. The recording on an appropriate medium of all relevant events (changes of state, operator requests) shall be maintained for several days for further analysis.

Protection against electromagnetic interference is required.

Module Failures

Failure of a whole unit: in case of a redundant unit failure, the unit shall automatically switch to the other redundant unit. An alarm shall be transmitted to the OCC and to the Local Control Office.

Any failure shall be considered a light failure if a vital part of the unit intervening directly on safety is not concerned.

Generally, it would be advisable to avoid unjustified stopping.

As far as possible, a faulty element shall not stop the operation of the module.

Environmental Conditions

Climatic Conditions

All components used in electronic apparatus must be capable of operating faultlessly, according to IEC 60068-1, IEC 60068-2-1, IEC 60068-2-2, IEC 60068-2-

EN 50121-1 Railway applications - Electromagnetic compatibility - All applicable parts

EN 61000- Electromagnetic compatibility

ATC System Safety

Safety Objectives

The design shall include provisions which are specific for the safety and security of passengers, Operation and Maintenance staff, Emergency and Security Staff, and the public.

No single failure, event or likely combination of events shall cause a critical or catastrophic hazard to any of the above or to system equipment. Non-critical and non-catastrophic hazards are to be minimized and/or controlled. The objective shall be to prevent train collision and derailment.

The required level that shall be obtained must be very high.

The Contractor shall identify, assess and classify the risk inherent to each kind of technology and to each kind of method used in the system.

Safety Performance Requirements

Achievement of System Safety is a primary design and performance requirement for the Supplied System, which must perform in a safe manner under all operating conditions. The design of safety-homologated equipment shall meet one of the following three safety types: intrinsic safety, controlled safety or probabilistic safety.

Controlled Safety

A piece of equipment is said to have "controlled safety" with respect to certain malfunctions or failures when consequences detrimental to safety are inhibited by another independent device which detects these and controls passage to a restrictive status. As for intrinsic safety, experience shows that the degree of safety reached is better than 10- per hour.

Probabilistic Safety

A piece of equipment is said to possess "probabilistic safety" when the probability of its operating in a manner detrimental to safety is smaller than a pre-determined value. The probability of occurrence of a catastrophic failure (which may lead to collision or derailing) must be smaller than 10-.

Requirements

The Supplied System shall provide a level of safety such that any single, independent hardware, software or communication failure, or any combination of such failures, with the potential for causing death or severe injury to customers or staff, shall not occur with a frequency greater than once per 10- system operating hours. System operating hours is defined as the time that the system is turned on and operating. This safety requirement includes failures of all types, both random hardware failures and systematic design/software failures.

The Contractor shall identify, analyse and classify inherent risks in each type of technology used in the Supplied System. For the software elements of the Supplied System this shall include the risks inherent in each part of the software (for example: operating system, application software, databases and firmware), and in the methodologies and tools used for their development.

Safety critical (vital) functions shall be verified through any/all of the following: analysis, factory testing, environmental testing, or field verification. All hardware or software designs, techniques, or methodologies shall require documented verification of proven safety for approval. Safety analysis shall include hazard identification and justification of acceptable risk. Hazard identification shall be exhaustive.

The Contractor shall document the principles, strategies and tools used to implement the safety requirements. The safety measures incorporated in the Supplied System shall be traceable to the safety requirements and identified hazards.

Design Requirements

Overall Requirements

Elements of the system which are not directly concerned with safety shall be kept separate from the safety part of the system.

All credible failure modes for each hardware and software element of the architecture shall be identified.

The Design shall ensure that no failure can induce a critical situation: in case of a failure or an error, the system shall return to a recognized safe state.

Faults shall be detected with on-line, high diagnostic coverage. A Fail-Safe architecture very much depends on the effectiveness of its fault detection measures; it may not need any on-line diagnostics.

However, a fail-operational architecture needs detailed on-line diagnostic coverage to achieve its integrity and reliability, because without this it is very difficult to implement any recovery mechanism.

The architecture shall be designed to increase the availability of the system by using a combination of well-tried and well-defined fault avoidance and fault tolerance measures.

The design specification shall identify the components and modules of the architecture, and describe their functional and other characteristics (such as their integrity levels, failure rates, performance). It shall also describe interfaces, internally and with external equipment.

The design shall ensure that the architecture operates correctly in all foreseeable environmental conditions, such as EMC, noise, heat, etc. The envelope for the environmental conditions and requirements is defined in the requirements specification.

The architecture of the Supplied System shall be such that a clear segregation can be made between safety critical (vital) equipment and functions, and non-safety critical (non-vital) equipment and functions.

All data communication subsystems within the Supplied System that are used to transfer safety-critical data shall be designed to provide adequate levels of error detection for this purpose.


The accuracy, resolution, and integrity of the train location system shall be consistent with the limits established for safe braking distance, enforcement of speed zones, switch protection, and other safety functions.

Hardware Requirements

Safety critical components shall be Fail-Safe or Checked Redundant:

Fail-Safe means that any frequent component failure (that is, one likely to occur more often than once in 10- system operating hours) shall not result in a condition known to be unsafe.

Checked Redundant means that the probability of any failure or combination of failures is low enough to provide a level of safety at least comparable to that provided by a fail-safe design.

The Contractor shall produce a full and comprehensive definition of the application of these safety elements.

Software Requirements

The Contractor shall identify, assess and classify the risk inherent to each kind of software (operating system, application software) and to each kind of new technology and new tools.

The design of software must take into account hardware systematic failures, random failures and common mode failures.

Data-driven software (including parametric or configurable software) shall be protected against possible errors arising from entry of incorrect data, through accepted procedures.

If vital and non-vital software is to be implemented on a single hardware platform, then all of the software shall meet the requirements for vital software unless appropriate techniques are used to ensure the vital software is unaffected by the non-vital software.

Safety critical (vital) functions shall be implemented in a manner which is Fail-Safe. The general requirements for Fail-Safe designs are outlined below.

Fail-Safe Design:

The safety of the system design shall be assured by the incorporation of Fail-Safe principles in the design of safety-critical modules. Fail-Safe designs shall ensure that any failure, or combination of failures, shall result in a condition that is known to be safe.

Certain equipment and components are declared to be Fail-Safe by their compliance with existing codes and standards for these particular devices (e.g. vital signalling relays) and may be used, in an appropriate manner, in the design of a safety critical system element. Devices of this type are considered to be conventional in their approach to achieving fail-safety. It shall be the responsibility of the Contractor to present the safety-certifiable evidence of the inherent fail-safety of the devices to be used.


    Fail-Safe Equivalence Design: Designs which are equivalent to Fail-Safe shall be considered for safety critical functions when their Fail-Safe equivalence is explicitly proven by undertaking safety engineering analysis and verification in accordance with this Specification. Such a safety proof shall demonstrate that the probability of any failure, or combination of failures, which could result in an unsafe condition satisfies the safety design requirement defined in the previous section.

    Checked-Redundant Design: Designs which are checked-redundant in their configuration may be proven to be Fail-Safe equivalent, providing these checked-redundant designs incorporate the following design principles:

    - The checking process, in itself, shall be either Fail-Safe or checked-redundant.

    - The checking process shall encompass the complete subsystem, and/or all components, related to performing the safety-critical function.

    - The checking process shall detect any failure of the subsystem which may degrade the integrity of the safety function. Where software is used to implement a system function, then software errors shall be considered as failures.

    - The checking process shall be comprehensive and frequent. It shall be performed at least as often as the function which is being checked, and sufficiently frequently that the probability of an unsafe failure satisfies the safety design requirement defined in the previous section.
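The check-frequency principle can be quantified. The following is an added example, not part of the specification: it assumes a constructed per-channel dangerous failure rate `lam`, a constructed tolerable hazard rate `THR`, and the usual approximation that a hazardous event in a two-channel checked pair requires a second channel failure while the first one is still undetected.

```python
"""Checked-redundant (2oo2) design: how often must the checking process run?

Added example (not part of the CBTC specification). Assumes each of the two
channels fails dangerously at a constant rate ``lam`` per hour and that the
checking process itself is fail-safe and drives the pair to a safe state as
soon as it detects a single-channel failure. A hazardous event then needs BOTH
channels to fail within one check interval T, so the hazard rate is roughly
2 * lam * (lam * T): the first failure occurs at rate 2*lam, and the second
channel must fail during the at most T hours the first one stays undetected.
"""


def hazard_rate(lam: float, check_interval_h: float) -> float:
    """Approximate hazardous-event rate (per hour) of the checked pair."""
    if lam < 0 or check_interval_h <= 0:
        raise ValueError("rates must be non-negative, intervals positive")
    return 2.0 * lam * (lam * check_interval_h)


def max_check_interval(lam: float, thr_per_hour: float) -> float:
    """Largest check interval (hours) that still meets a tolerable hazard rate."""
    return thr_per_hour / (2.0 * lam * lam)


def check_interval_ok(check_interval_h: float, function_period_h: float,
                      lam: float, thr_per_hour: float) -> bool:
    """Both conditions of the specification: the check runs at least as often
    as the checked function, and often enough to satisfy the THR target."""
    at_least_as_often = check_interval_h <= function_period_h
    frequent_enough = hazard_rate(lam, check_interval_h) <= thr_per_hour
    return at_least_as_often and frequent_enough


if __name__ == "__main__":
    LAM = 1e-5  # constructed: dangerous failures per hour, per channel
    THR = 1e-9  # constructed: tolerable hazard rate, per hour
    for t in (0.1, 1.0, 5.0, 24.0):
        print(f"T={t:5.1f} h  hazard rate={hazard_rate(LAM, t):.2e}/h")
    print(f"max check interval for THR {THR:.0e}: "
          f"{max_check_interval(LAM, THR):.2f} h")
```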

    The design and development of critical software shall be in accordance with recognized international software standards applicable to critical, high integrity systems. Where software is employed to perform a function which is shown to be directly pertinent to System Safety, then that software shall have been developed to a rigorous interpretation of these design and development processes. Critical decision processes within the software program, which directly impact System Safety, shall be structured to ensure minimum complexity, and thus allow for review and explicit testing of the logic paths. The dependence of the safety of the system on a single software decision process, logic path, or critical data element should be avoided, where possible, by incorporating diversity within the software design.

    Databases which contain information that can impact the safety performance of the Supplied System shall be considered safety critical, and shall be appropriately protected during data storage, retrieval, communications, and processing. The Supplied System shall be designed to ensure that all such data is accurate during initial data entry, processing, utilisation, and update, and a process shall be established for appropriate data management of this safety critical data.
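One way to protect safety-critical data during storage, retrieval and communication, as an added example that is not the specification's or any supplier's design (the record layout, the key, `seal_record`, `load_record` and `VitalDataError` are all constructed):

```python
"""Protecting safety-critical records at rest and in transit with a keyed MAC.

Added example, not from the specification. Each record is stored or
transmitted as canonical JSON plus an HMAC-SHA256 tag; the consumer refuses
(fail-safe) any record whose tag does not verify, so silent corruption or
tampering cannot reach the ATP/ATO logic. A plain CRC only catches random
corruption; a keyed MAC also resists deliberate modification by anyone who
does not hold the key.
"""
import hashlib
import hmac
import json


class VitalDataError(Exception):
    """Raised when a safety-critical record fails its integrity check."""


def _canonical(record: dict) -> bytes:
    # Stable byte form: sorted keys, no whitespace variance.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, record: dict) -> bytes:
    """Return canonical JSON + '.' + hex HMAC tag, ready for storage or a link."""
    body = _canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


def load_record(key: bytes, blob: bytes) -> dict:
    """Verify and decode a sealed record; raise VitalDataError on any mismatch."""
    body, sep, tag = blob.rpartition(b".")   # the hex tag contains no '.'
    if not sep:
        raise VitalDataError("malformed record")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise VitalDataError("integrity check failed; record rejected")
    return json.loads(body)


def corrupted_record_is_rejected(key: bytes, record: dict) -> bool:
    """Flip one bit of a sealed record and confirm the loader refuses it."""
    blob = bytearray(seal_record(key, record))
    blob[5] ^= 0x01     # simulate a single-bit storage/transmission error
    try:
        load_record(key, bytes(blob))
    except VitalDataError:
        return True
    return False


if __name__ == "__main__":
    KEY = b"constructed-demo-key"   # in practice: managed by the data process
    rec = {"segment": "S12", "max_speed_kmh": 80, "gradient_permille": -5}
    sealed = seal_record(KEY, rec)       # constructed track-database record
    print(load_record(KEY, sealed))
    print("corruption rejected:", corrupted_record_is_rejected(KEY, rec))
```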

    Software Safety Case

    The Software safety case shall describe and justify the software safety analyses.

    Process

    The Contractor shall establish a software safety case. It shall include: an overall description of functions, the software architecture and design principles, requirements related to software derived from the various safety analyses, safety functions, interfaces, and means of implementation.

    The software safety case shall provide information to assess that the software requirements are verified and that the software is correctly designed.

    Software Specific Safety Documentation

    The following documents shall be established by the Contractor:

    - Security and Safety Management Plan (SSMP)
    - System Safety Plan
    - Software Safety Plan (SIL requirement)
    - Preliminary Hazard Analysis
    - Test Plan, Test Reports
    - Safety Case

    - Software Safety Case

    RAM Failure Categories for ATC system

    The following table defines RAM failure categories:

    Failure Category | Definition
    -----------------|-----------
    Significant (immobilising failure) | a failure that generates a hazard and/or prevents train movement or causes a delay to service greater than a specified time and/or generates a cost greater than a specified level
    Major (service failure) | a failure that must be rectified for the system to achieve its specified performance and does not generate a hazard and/or a delay or cost greater than the minimum threshold specified for a significant failure
    Minor | a failure that does not prevent the system achieving its specified performance and does not meet the criteria for a significant or major failure

    Reliability, Availability and Maintainability Requirements

    Overall Reliability Requirements

    The Reliability of each LRU directly related to Safety shall be greater than 10- failures per hour.

    Each LRU of a system whose failure would be significant shall have Reliability greater than 2.10-5 failures per hour.

    Each LRU of a system whose failure would be major shall have Reliability greater than 10- failures per hour.

    Each LRU of a system whose failure would be minor shall have Reliability greater than 5.10- failures per hour.

    An LRU considered as being related to Safety is an LRU whose failure would be critical for Safety. These LRUs shall be defined through Safety activities.

    The Contractor shall develop an analysis (failure analysis and assessment) in order to determine which Reliability requirements are applicable for each LRU.

    Overall Availability Requirements

    The overall Availability of a system whose failure would be significant shall not be less than 0.

    The overall Availability of a system whose failure would be major shall not be less than 0.5.

    The overall Availability of a system whose failure would be minor shall not be less than 0.

    Failure of a single item shall not cause failure of the overall system.

    The Contractor shall develop a FMEA analysis (RAM analysis and assessment) in order to determine which Availability requirements are applicable for each item of equipment.


    Overall Maintainability Requirements

    Means of failure detection shall be defined: power-up self test, continual background test, requested self test, etc.

    The Contractor shall present a complete list of preventative maintenance recommendations for each type of equipment supplied.

    More specific Maintainability Requirements, whose applicability has to be defined depending on each type of equipment, are presented below:

    - The equipment whose failure would be significant or major shall be installed so that removal and replacement of each of its LRUs can be achieved within


    Performance Requirements

    General

    The contractor shall determine the theoretical minimum travel times between terminus stations using 20 seconds dwell time at each intermediate station, the tightest acceleration figures with propulsion limited by passenger comfort constraints, and nominal service brake rates. The contractor shall submit the minimum run time determination report, which shall include simulations and all assumptions, for approval.

    The ATC system shall contribute no more than


    The contractor shall determine the variation (reduction) in headway that the ATC system supports against a reduction in train speed, due to leading trains interfering with the operation of following train(s). The contractor shall submit an analysis of headway against train speed for approval.
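A headway-against-speed analysis of the kind requested above, as an added example that is not part of the specification (the brick-wall braking model, the function names and every parameter value are constructed):

```python
"""Headway against train speed for a moving-block (CBTC) line.

Added example, not part of the specification. It uses a brick-wall safe
braking model with constructed parameters: the following train must always be
able to stop, from speed v, before the last reported rear of the leader.
Front-to-front time headway at a steady speed v is therefore
    h(v) = (train_len + margin) / v + react + v / (2 * brake)
The v/(2*brake) term shrinks as speed drops, but the (train_len + margin)/v
term grows, so below a certain speed a slower leader LENGTHENS the
supportable headway: that is the interference effect the analysis must show.
"""
import math

TRAIN_LEN_M = 120.0   # constructed
MARGIN_M = 25.0       # constructed: location uncertainty plus safety margin
REACT_S = 2.0         # constructed: ATP reaction plus brake build-up time
BRAKE_MPS2 = 1.0      # constructed: guaranteed emergency brake rate


def min_headway_s(v_mps: float, train_len=TRAIN_LEN_M, margin=MARGIN_M,
                  react=REACT_S, brake=BRAKE_MPS2) -> float:
    """Minimum sustainable front-to-front headway (s) at steady speed v (m/s)."""
    if v_mps <= 0:
        raise ValueError("speed must be positive")
    return (train_len + margin) / v_mps + react + v_mps / (2.0 * brake)


def speed_for_min_headway(train_len=TRAIN_LEN_M, margin=MARGIN_M,
                          brake=BRAKE_MPS2) -> float:
    """Speed (m/s) at which h(v) is smallest, i.e. where dh/dv = 0."""
    return math.sqrt(2.0 * brake * (train_len + margin))


def headway_curve(speeds_mps):
    """(speed, headway) pairs, e.g. for the headway-against-speed report."""
    return [(v, min_headway_s(v)) for v in speeds_mps]


if __name__ == "__main__":
    for v, h in headway_curve([5.0, 10.0, 15.0, 20.0, 25.0]):
        print(f"{v * 3.6:5.1f} km/h -> {h:5.1f} s")
    print(f"best speed ~ {speed_for_min_headway() * 3.6:.1f} km/h")
```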

    Operating Headway

    The target scheduled peak service operating headway is 0 seconds.

    The ATC system shall support a full service operating at the minimum design headway at any point on the line with no degradation of system performance.

    Reductions in headway shall be achievable through changes to the schedule according to the available ATS strategies, including an increase in the operating train fleet.

    Train Performance Parameters

    A maximum operating speed for trains of 0 km/hour shall be enforced by the ATC system.

    The ATC system shall be capable of commanding a variety of braking rates from the brake subsystem in order to meet the different speed profiles required to meet the performance and functional requirements of these specifications.

    The Contractor shall determine the safe braking model for the ATC system, which shall be submitted for approval.

    The design life of all ATC equipment in service shall be 20 years.

    ATC shall provide automatic station stopping. ATO station stops shall be accurate within:

    - +/- 0.25 metres of the designated stop location at least .0 % of the time.

    - +/- 0.5 metre of the designated stop location at least . % of the time.

    Document submittal recapitulation:

    - Minimum run time determination report
    - ATC system tolerances and response times
    - Analysis of headway against speed
    - Safe braking model

    Stop Now function: the time between the OCC initiating the command at the ATS workstation and the on board ATC commanding the application of the brakes shall be less than < seconds.

    The time necessary for the initialization of a sub-system (trackside ATC, on board ATC, interlocking, track to train transmission, train detection) shall be as short as possible and no greater than 0 seconds.

    Temporary speed reduction area resolution: less than 250 meters.

    The Contractor shall outline any significant variance from the usual parameters of the IEEE standard 1474 ATC performance target.

    System Performance Safety Requirements

    Achievement of System Safety is a primary design and performance requirement for the ATC system, which must perform in a safe manner under all operating conditions.

    Safety performance is dealt with in the safety section of the present document. The two following points can however be outlined.


    Qualitative Safety Requirements

    The Contractor shall accomplish the design and implementation of the ATC system, including the development of procedures and other means, in such a manner as to assure that:

    - the system safely performs the correct safety critical functions within the normal range of input and other operating conditions and with no component failures. This includes showing, to the extent reasonably possible, that the system is free of unsafe systematic failures, i.e. those failures which can be attributed to human error that could occur throughout the design/implementation process and result in an unsafe condition. This also requires that all applicable hazards are shown, in the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.

    - the system performs the correct safety critical functions in a fail-safe manner under conditions of hardware failure with normal input and operating conditions. This requires that all hazards associated with the design implementation are shown, via the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.


    - the system performs the correct safety critical functions under conditions of abnormal/improper inputs and other external influences such as electrical, mechanical and environmental factors as specified in these Technical Specifications. This requires that all applicable hazards are shown, via the Hazard Log, to be eliminated or to have their associated risks mitigated to acceptable levels.

    Safety-critical functions are those cited in these Technical Specifications and those identified by performing the required safety analysis activities.

    During normal ATC operation, system safety shall not depend on the correctness of actions taken or procedures used by operation personnel.

    Procedures shall not be considered a substitute for safety functions that are to be vested in specific components, equipment, or facilities. The impact on safety of processes and procedures which relate to the ATC project installation shall be analyzed as part of the system safety plan.

    Quantitative System Safety Requirements

    The achievement of system safety requires that the ATC system as installed provide an adequate level of safety assurance.

    The Contractor's design and implementation of the ATC system, including the development of hazard mitigation procedures and other means, shall provide a quantitative level of safety such that any single, independent hardware, software or communication failure, or any combination of such failures, with the potential of causing death or severe injury to customers or staff, shall not occur with a frequency greater than once per 10- system operating hours. This shall be expressed as the Mean Time Between Hazardous Events (MTBHE) or THR (Tolerable Hazard Rate). "System operating hours" is defined as the time that the system is operating (24 hours a day in normal operation). This safety requirement includes contributions from random hardware failures, systematic failures due to human error, and procedural and other means employed to ensure safety.

    Failure Management

    General

    This section details the requirements for the mitigation of the impact on operations of ATC system and equipment failures.

    The ATC system shall provide graceful degradation of performance, i.e. the loss or degradation of functions due to equipment failure shall lead the system towards a progressive, coherent and controlled shutdown, providing maintenance staff with the necessary time and information to restore full system availability.

    Failure Detection

    The ATC shall include appropriate maintenance and diagnostic provisions to detect and react to equipment failures. This shall include remote diagnostics at the maintenance facility and at the OCC, the ability to remotely interrogate trackside and on board equipment from these facilities, along with fault displays for troubleshooting and the timely identification of failed components and functions.

    Failure Assessment

    The ATS function shall include routines for assessing and establishing recommended responses to detected failures.

    Operating procedures and regulations shall govern the staff reactions according to the type of failure (remote or local reset, automatic rescue, manual driving, passenger evacuation, etc.).

    Train Failures

    This section summarizes the requirements for ATC response to train failures.

    Train Doors Failure

    Primary responsibility to detect and respond to train door failures, specifically failures which result in a loss of door closed status, shall remain with the train subsystems (rolling stock). The on board ATC equipment shall monitor door closed status. Loss of closed door status shall trigger emergency braking. In manual degraded mode, loss of closed door status shall result in a visual alarm on the driving panel display.


    Brake Failures

    Primary responsibility for the detection and response to brake subsystem failures shall remain with the train subsystems. Also, on board ATC shall account for brake system failures, either resulting from brake alarms provided by the rolling stock subsystems, or resulting from train braking performance monitored by ATC processing.

    Loss of Train Integrity

    Any loss of train continuity (unscheduled train splitting) shall be detected by the train subsystems, which should initiate an emergency brake application. The on board ATC equipment shall report the event to the trackside and OCC equipment.

    The ATC system shall prevent movement authorities from being issued to other trains in the pull-apart area. The pull-apart area shall extend from the last known location of the rear of the train prior to the splitting up to the train's movement authority limit.

    The ATS function shall alarm and log the event and notify the OCC. On board ATC equipment shall be able to report to the ATS that a splitting has been corrected and the train is ready to proceed. Trackside and central ATC equipment shall allow the train to resume operations after a train splitting is fixed.

    Automatic Train Rescue Operation

    It shall be possible for a train to be coupled to an immobilized train in order to push/pull the train to the next station and/or back to the depot. The ATC train detection shall track the rescue operation and the rescued trains.

    Failures which Prevent On board ATC Equipment Receiving Updated Authorities

    Failures which prevent on board ATC equipment receiving updated movement authorities include communication equipment failures and complete local trackside ATC failures.

    When a train is in operation (depot or mainline) and the on board equipment detects that it is no longer able to receive authorities from the trackside, the train is automatically brought to a stop within the ATP safety speed profile.

    Upon restoration of data communications with the local trackside ATC, dialog between the on board and trackside ATC shall resume in order to establish the correct actual train location along with its updated movement authority.

    Failures which Prevent the On board ATC from Determining Train Location

    In the event of complete onboard failure, loss of location tracking capability, or other serious failure, the ATC equipment shall release the emergency brake. The on board ATC equipment shall also cease to communicate with other train subsystems, except for diagnostic information, and shall cause a loss of the "enable" signal to the propulsion system.

    To recover from a failure, the on board ATC system may be reset and reinitialized either remotely from the OCC or locally from the train driving control panel, depending on the operating rules and regulations.

    If the reset is successful, train position shall be established by the ATC system. The OCC and the train driving control panel shall have an indicator informing of the successful reset. The resumption of normal train operation shall then be enabled by a command originating either from the OCC or from a local agent on board.

    In case the recovery of the on board ATC functions does not allow the resumption of safe and normal operation, it shall also be possible to select the restricted manual driving mode from the train driving control panel.
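The on board reactions described in the door failure, train integrity, lost-authority and lost-location sections above, modelled as an added example that is not the specification's or any supplier's code (the class, its method names, `MA_TIMEOUT_S`, the mode names and the return strings are all constructed):

```python
"""On board ATC reactions to the train and ATC failures described above.

Added example, not the specification's or a supplier's code. Mode names,
MA_TIMEOUT_S and the return strings are constructed. Behaviour modelled:
loss of door-closed status (emergency brake in automatic mode, visual alarm in
manual degraded mode), loss of movement authority updates (brake to a stop
within the ATP profile), loss of train integrity (report to trackside/OCC),
and loss of location (emergency brake, propulsion "enable" dropped, no
resumption until a successful reset followed by an OCC or on-board command).
"""
from dataclasses import dataclass, field

MA_TIMEOUT_S = 5.0   # constructed: max age of the last authority before stopping


@dataclass
class OnboardAtc:
    mode: str = "AUTO"               # "AUTO" or "MANUAL_DEGRADED"
    last_ma_time: float = 0.0
    location_known: bool = True
    propulsion_enable: bool = True
    emergency_brake: bool = False
    alarms: list = field(default_factory=list)
    reports: list = field(default_factory=list)

    def receive_authority(self, now: float) -> None:
        self.last_ma_time = now

    def door_closed_status_lost(self) -> str:
        if self.mode == "MANUAL_DEGRADED":
            self.alarms.append("DOORS_NOT_CLOSED")   # driving panel alarm only
            return "VISUAL_ALARM"
        self.emergency_brake = True
        return "EMERGENCY_BRAKE"

    def train_integrity_lost(self) -> str:
        # The train subsystems apply the EB; ATC records and reports the split.
        self.emergency_brake = True
        self.reports.append("TRAIN_SPLIT")
        return "REPORTED"

    def location_lost(self) -> str:
        self.location_known = False
        self.emergency_brake = True
        self.propulsion_enable = False   # loss of "enable" signal to propulsion
        return "EMERGENCY_BRAKE"

    def reset(self, position_established: bool) -> bool:
        """Remote (OCC) or local reset; succeeds only if position is re-established."""
        self.location_known = position_established
        return position_established

    def resume(self, commanded_by: str) -> bool:
        """Normal operation resumes only on an OCC or on-board agent command."""
        if self.location_known and commanded_by in ("OCC", "ONBOARD_AGENT"):
            self.emergency_brake = False
            self.propulsion_enable = True
            return True
        return False

    def tick(self, now: float) -> str:
        """Periodic supervision: stop within the ATP profile if authorities stop."""
        if self.emergency_brake:
            return "STOPPED"
        if now - self.last_ma_time > MA_TIMEOUT_S:
            return "BRAKE_TO_STOP"
        return "RUN"
```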


    Failures which Prevent Local Trackside ATC from Advancing a Movement Authority

    Failures which prevent the local trackside ATC from advancing the movement authority to a train include elementary track portion train detection failures or unexpected track portion occupancy, switch status failures or unexpected switch status changes, and failures to receive updated location reports from the train ahead.

    Under these failure modes, the trackside ATC shall pull back the movement authority limit of a train to the location of the failure, if necessary.
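The trackside side of the train integrity and movement authority failure sections (the pull-apart area of a split train, and pull-back of the movement authority limit to the failure location), as an added example that is not part of the specification; `Failure`, `SplitTrain`, `advance_authority` and every position value are constructed.

```python
"""Trackside movement authority (MA) limiting under failure.

Added example, not the specification's or a supplier's logic. Positions are
chainage in metres along one track, increasing in the direction of travel;
every value used here is constructed. The trackside ATC never advances an MA
past the nearest of: a track portion with a detection failure or unexpected
occupancy, a switch with a status failure or unexpected change, the last
reported rear of a train ahead whose location reports have stopped, or the
pull-apart area of a split train (its last known rear up to its own MA limit).
When such a location lies behind the train's current MA limit, the limit is
pulled back to it.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Failure:
    kind: str          # "DETECTION", "OCCUPANCY", "SWITCH" or "STALE_REPORT"
    location_m: float  # where the MA must stop short


@dataclass(frozen=True)
class SplitTrain:
    last_known_rear_m: float   # rear of the train before it split
    ma_limit_m: float          # that train's own MA limit

    def pull_apart_area(self) -> Tuple[float, float]:
        return (self.last_known_rear_m, self.ma_limit_m)


def advance_authority(train_front_m: float, current_limit_m: float,
                      requested_limit_m: float, failures: Iterable[Failure],
                      split_trains: Iterable[SplitTrain]) -> Tuple[float, bool]:
    """Return (new MA limit, pulled_back) for a train whose front is at train_front_m."""
    if requested_limit_m < train_front_m:
        raise ValueError("requested limit is behind the train")
    limit = requested_limit_m
    for f in failures:
        if f.location_m >= train_front_m:      # failures behind us are irrelevant
            limit = min(limit, f.location_m)
    for s in split_trains:
        start, end = s.pull_apart_area()
        if end >= train_front_m:               # area not wholly behind us
            # Stop at the start of the area; if already inside it, no advance at all.
            limit = min(limit, max(start, train_front_m))
    return limit, limit < current_limit_m


if __name__ == "__main__":
    failures = [Failure("SWITCH", 900.0), Failure("OCCUPANCY", 1500.0)]
    split = SplitTrain(last_known_rear_m=1300.0, ma_limit_m=1800.0)
    print(advance_authority(100.0, 500.0, 2000.0, failures, []))    # (900.0, False)
    print(advance_authority(100.0, 1200.0, 2000.0, failures, []))   # (900.0, True)
    print(advance_authority(100.0, 500.0, 2000.0, [], [split]))     # (1300.0, False)
```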