Monitoring the Signalling System Construction in the Transmanche Fixed Link


Copyright © IFAC Transportation Systems, Tianjin, PRC, 1994

MONITORING THE SIGNALLING SYSTEM CONSTRUCTION IN THE TRANSMANCHE FIXED LINK

J.M. VANDECLISSE (Tractebel, Belgium), J.P. AUCLAIR (SNCF, France), R. SHORT (Railways Inspectorate, UK), E. CROSBY (Transmark, UK), *B. LE TRUNG (INRETS, France), **K. SCOTLAND (Atkins Setec, UK)

* Institut National de Recherche sur les Transports et leur Sécurité, 2 Avenue du Général Malleret-Joinville, 94114 ARCUEIL CEDEX, FRANCE

** Atkins Setec, 81 Station Road, Ashford, KENT TN23 1PP, UK

Abstract. The Transmanche Fixed Link has inaugurated a new way of monitoring a safety related process in the new Union of Europe. The Monitoring Body, independent from the infrastructure operators and the contractor, has been in charge of reporting to the British and French governments on the issue of the signalling system, in matters of safety. If necessary, it may draw the attention of the infrastructure operator to any problem which may exist in the interface between sub-systems. This experience is described hereafter.

Key Words. Safety. Train control. Transportation. Computer control. Railways. Signalling.

1. IN ADVANCE OF EUROPE

The opening of the Channel Tunnel Fixed Link inaugurates the Union of Europe in many ways:
- Geographic union: it has established a continuous land link between Great Britain and the continent, overcoming the psychological barrier of the Channel.
- Political union: it inaugurates the concept of inter-operability of all of the European railway networks, a concept inherent in the directives of the European Community. This inter-operability provides for the use of some operator's infrastructure by a multitude of transportation companies which are independent of one another.

This concept implies a profound change in the national attitudes of each member of the European Community, where, up to now, the national railways are the site owners as well as the project managers and operators. The concept of inter-operability, to be effective, must change the structure of the Control Authorities at a European level. In effect, within the frontiers of each country up until now, the controls have been exercised by the political process through organisations reporting to the ministries of transport, following the legal requirements and laws.

To put this inter-operability into effect within all of the countries of the European Community, a "Notified Body" will need to be set up in the following manner:
- each state will nominate an organisation, independent of the operator of the infrastructure and of the transportation companies, which is competent in some well defined aspect (civil engineering, signalling ...);
- the expert work, analysis and conclusions of any of these independent organisations will be accepted by other Community states.

The work of our Committee anticipates these future organisations. The next section describes our committee's purpose, organisation and activities for the Fixed Link.

2. CONFIGURATION AND SPECIAL FEATURES OF THE FIXED LINK (See fig. 1)

Two tracks, one in each tunnel, are normally assigned for each direction of movement.

To allow for work activities or unforeseen circumstances, single line working is allowed in sections of the tracks; the undersea cross-over switches set the limits of the sections for the sub-sea tracks. The British and French national railways have just linked up with the Concession railway. The signalling systems of the national railways are different to those of the Concession: two interface zones are required. Particular problems are due to:
- the length of the Tunnel (50.5 km);
- the short headway between trains (3 minutes);
- the variety of trains: Eurostar (modified TGV), shuttles with very large structure gauge, freight trains. All of these trains have different characteristics.

The SEMG has paid particular attention to these problems, for example:
- reversal of signalling direction to allow trains to run in the opposite to normal direction;
- the trespassing of closed markers when operating in degraded mode;
- the ordering of a succession of trains with different characteristics;
- operations in temporary single line working;
- the movement of the cross-over doors;
- power supply surges in particular areas.

3. THE POSITION OF THE SEMG (See fig. 2)

The organisation chart for the construction of the Channel Tunnel Fixed Link is as follows:

3.1. Intergovernmental Commission (IGC)

This commission is made up of British and French governmental representatives. It is responsible for the acceptance of the arrangements made to ensure the safety, security, environment, etc., such as:
- specifying the safety and operational requirements for the Tunnel, for the transportation of dangerous goods, for the arrangements in case of fire, for the evacuation of passengers, etc.

In particular, the latter is defined in clause AI 52i of the Concession Agreement:

"In the event of a train becoming immobilised in the tunnel for any reason, it must be possible to ensure that any other trains in the tunnel can be brought out without delay and that all passengers including those from the stranded train can reach open air within a period not exceeding 90 minutes. This arrangement shall be satisfied even if there is an interruption of power supply from one side or the other or if there is an accident to a section of the catenary".

This clause has a significant effect on the signalling, as will be shown later.

- to be assured that whatever is necessary is done in the construction phase, operational aspects, operating regulations, monitoring provisions, controls and communications;
- with the support of the report of the Maitre d'oeuvre on the validation aspects of those items, to give its authorisation for operations.

3.2. Maitre d'oeuvre Atkins-Setec (MdO)

The MdO, made up of two engineering consultancies (WS Atkins Consultants from Great Britain, and Setec from France) and their sub-consultants, monitors the work according to the requirements as cited above. Independent advice may also be sought from others. A specialist committee, known as the Signalling External Monitoring Group (SEMG), was set up to report on the safety issues arising from the signalling system in the context of the Tunnel. It reports directly to the Safety Authority, to assist the latter in its advice to the Intergovernmental Commission. The membership of the EMG is as follows:
- 2 members are from the MdO, 1 Belgian and 1 British;
- 1 independent French member, from the SNCF;
- 1 independent British member, from the Railway Inspectorate;
- 1 independent French member, from INRETS (a consultative organisation for transport systems);
- 1 independent British member, from Transmark (the consultancy arm of British Rail).

3.3. Operation of the Concession

The Concessionnaire, Eurotunnel (ET), is responsible for operating the infrastructure over a period of 65 years. As such, ET must ensure that the track users are provided with suitable conditions.

ET is responsible for the safety of movements, from taking charge of trains at the entry interface with the national railways up to the exit interface. ET is responsible for the proper working of equipment and its maintenance, to keep the initial safety levels or to improve on them.

3.4. Transportation companies

Those anticipated are:
- BR (British Network), the SNCF (French Network) and the SNCB (Belgian Network) for passenger and freight trains between Paris or Brussels and London;
- ET itself for shuttle transport of heavy goods and passenger vehicles and lorries.

All trains must be compatible with the Concession equipment.

3.5. The Contractor

The contractor, known as TML, is responsible to ET for the supply of the Concession's infrastructure and equipment. The shuttle trains are included in this supply.

TML consists of a consortium of British and French companies. It employs sub-contractors for sub-systems, such as the signalling system.

The final delivery of the system to the concessionaire will follow completion of tests for each primary system, and for the integrated systems.

4. MORE DETAILED DEFINITION OF THE ROLE OF THE SEMG

The independence of the Monitoring Body is essential for a basic level of confidence. The composition of the SEMG provides this confidence. The competence of its members is another guarantee. Each member of the SEMG has expertise
in a key aspect, which in all but one case has been gained within a railway context (the non-railway member providing a different perspective for the committee). The areas covered include:
- systems;
- signalling;
- automation;
- software;
- operations.

The general duties of the committee are described below, followed by the scope of its work and activities.

4.1. General duties (extract)

- The SEMG should witness what is done and provide recommendations for sensitive areas.
- The members may not compromise their integrity in the exercise of their professional duties.
- The members are required to respect the confidentiality of commercial property.
- Each member has agreed not to allow the competent authorities to remain in ignorance of safety related aspects which may become known to him in the course of his work, even if those aspects are not directly related to his expertise.
- The committee is responsible for the quality of the information which it provides. This does not imply that the work of the committee in any way reduces the responsibility of the companies managing the project for the safety of the railway signalling system and its operation.

4.2. Scope of work

The activities consist in:
- the examination of the means and methods employed, and in particular the existence of a satisfactory process for the design verification;
- review of the primary documents concerned with safety;
- works visits;
- working meetings with the main participants of the project;
- witnessing of tests;
- joint activities with other MdO experts.

Limits of the SEMG's role: The role of the SEMG essentially consists in being reassured that the means and methods used by the various entities are appropriate. It is not the SEMG's responsibility to validate the system.

The resources and means at the disposal of the SEMG have been sufficient to carry out a general review of the fundamental documents, a sampled review of some more detailed studies, and to carry out some investigations (works and site visits, discussions with participants, etc.).

The verifications carried out by the SEMG to provide this level of assurance were most definitely not exhaustive. The SEMG was not resourced to verify all of the general studies, the detailed studies and the validation documents.

In accordance with its purpose, the SEMG has not carried out special investigations into the equipment and designs which may be considered already "proven", and which are used without modification for the Fixed Link.

4.3. Process

The SEMG, in accordance with its role, was concerned with everything which affected safety directly or indirectly.

The EMG has not taken into account performance requirements except insofar as they may affect safety. For example, reliability has been taken into account since a lack of reliability causes degraded mode procedures to be used which could give rise to incidents.

4.3.1. Safety Criteria

The basic safety requirements defined in the Concession Agreement and in Avant Projet 07 are expressed in very general terms, and it has been necessary for the SEMG to consider carefully by what criteria it can judge whether any specific item or activity is consistent with the overall safety requirement. The principal role of the SEMG has been to assess the means used by the relevant participants in ensuring safety at each stage in the life cycle of the system. Wherever possible, the acceptability of methods of design, construction, installation and testing has been judged by reference either to formal standards or to established practices proven by experience to give safe results. Even though such standards and practices may not be strictly contractual documents within the Tunnel project, the SEMG considers that they define the best available current practice, and that a system which does not comply in principle is unlikely to be adequately safe.

Similar considerations apply to the fact that some of the international standards referenced are only of a draft status. In the absence of definitive standards for software or programmable devices in safety applications, the draft standards may be regarded as setting out the state of the art.

The principal standards and practices used as reference criteria were:

a) General standards and practices for railway signal engineering as applied by BR and SNCF, based partly on specific documents, but largely on the personal knowledge and experience of members of the EMG;

b) The recommendations of ORE committees A 118 and A 155.

c) French standards for software dependability in railways fixed equipment:
   F 71-011 - Generalities
   F 71-012 - Constraints of the software
   F 71-013 - Methods appropriate to the safety analysis of software

d) The IEC draft standard "Software for Computers in the Application of Industrial Safety-related Systems", IEC 65A (Secretariat) 122.

e) The Health and Safety Executive guidelines "Programmable Electronic Systems in Safety Related Applications".

4.4. Items examined by the SEMG

The Channel Tunnel Fixed Link signalling system is derived from the new system being installed concurrently for the French TGV-North network. There is therefore no direct operational experience available, other than from some initial proving trials. The SEMG has therefore been concerned about the adequacy of the signalling principles for the Concession, as well as with its interface with the British and French national networks.

The principal subjects examined have therefore been:
- the division of the tracks into block sections, according to the projected performance (headways, speeds), the various types of trains, their braking performances;
- the completeness of the TVM signalling system specifications, its interface with the on-board systems, and the central monitoring systems;
- the operating principles.

Particular attention has been paid to degraded mode operations:
- related risk analysis;
- maintenance procedures and action times, in comparison with the acceptable risk criteria;
- personnel training.

The system is schematically represented on fig. 3. In this diagram only those aspects which involve new principles or technology in the signalling aspects are detailed.

New principles

As stated in 2, the signalling system must be compatible with trains with 5 different traction/braking characteristics. The system must allow for trains with the best performance such as the TMST, allowing a throughput of 20 trains/hour in each direction.

New technology

Such versatility is only available from an advanced track to train transmission system, with the capability for processing complex data. Widespread use of computers is necessary, which brings corresponding problems concerning hardware and software.

4.4.1. Signalling system architecture

The signalling system may be considered in two parts: a fixed equipment part and an on-board part (see figure 4).

The functions of the fixed equipment are:
- to identify the positions of the trains;
- to calculate the target speed to be used in each zone based on downstream track occupancy, the layout of the track, and work protections.

The command issued to the train is transmitted via the running tracks by a complex electrical signal.

The on-board part of the signalling system has 2 sub-systems:

- Cab Signal system. The information transmitted from the tracks is received and treated according to the type of train (TMST, shuttle, freight train). The result is indicated in a vital manner to the driver. The indication clearly shows:
  · speed restrictions;
  · warning indications;
  · normal running speeds;
  · transition from and to the National networks.

- Automatic Train Protection. The driver is responsible for driving the train within the signalled speed limits. However, a protection system protects the train from driver error. It basically checks that the actual train speed, supplied by the train's tachometry system, is always less than the speed required by the fixed equipment.

The whole of the signalling equipment is considered to be critical, such that: any failure whatever due to an internal or external cause must result in a more restrictive condition being applied. This restriction has been applied to both the hardware and software of the equipment.

* Hardware component

As is well known, the complexity of microprocessor systems makes it impossible to identify all of the possible failure modes. Nevertheless, in order to use them for safety critical applications, one must have some form of redundant checking, either in hardware form or in informational form.

The latter form of redundancy has been used for the signalling system of the Channel Tunnel Fixed Link. It is referred to as the "Monoprocesseur Codé". Its safety has been evaluated mathematically and approved in France by a special commission made up of hardware specialists and mathematicians. The result of this gives an estimated "probability for the non-detection of a fault or an error" of the order of 10^-12.

The SEMG has taken note of this information, and has examined its application for the Fixed Link.
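The speed check and the "any failure must result in a more restrictive condition" rule described above, combined with one simple form of informational redundancy, as an added example that is not taken from the paper or from the Fixed Link equipment. A textbook AN+B arithmetic code stands in for the coded-processor encoding, which the paper does not describe; the constants, signatures and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All constants below are assumptions made for this example. */
#define AN_A          4294967291ULL /* large odd code constant A */
#define SIG_TARGET    0x5A17ULL     /* static signature B of the target-speed variable */
#define SIG_TACHO     0x3C29ULL     /* static signature B of the tachometry variable */
#define MAX_SPEED_KMH 400u          /* decoded values above this are treated as corrupt */

typedef enum { ATP_RUN = 0, ATP_EMERGENCY_BRAKE = 1 } atp_action_t;

/* Code word = A * value + B. */
uint64_t anb_encode(uint32_t value, uint64_t sig)
{
    return AN_A * (uint64_t)value + sig;
}

/* Accept a word only if its residue modulo A equals the expected signature
 * and the decoded value is plausible. An all-zero or swapped word fails. */
bool anb_decode(uint64_t word, uint64_t sig, uint32_t *value)
{
    if (word % AN_A != sig)
        return false;
    uint64_t v = (word - sig) / AN_A;
    if (v > MAX_SPEED_KMH)
        return false;
    *value = (uint32_t)v;
    return true;
}

/* Run only when both inputs check out and the measured speed is below the
 * target; every other path, including any decode failure, applies the brake. */
atp_action_t atp_supervise(uint64_t target_word, uint64_t tacho_word)
{
    uint32_t target = 0, speed = 0;
    if (!anb_decode(target_word, SIG_TARGET, &target)) return ATP_EMERGENCY_BRAKE;
    if (!anb_decode(tacho_word, SIG_TACHO, &speed))    return ATP_EMERGENCY_BRAKE;
    return (speed < target) ? ATP_RUN : ATP_EMERGENCY_BRAKE;
}

/* Flip every bit of each input word in turn and count the corrupted inputs
 * that still yield ATP_RUN. A flip shifts the word by +/-2^k, which is never
 * a multiple of the odd constant A, so the residue check always trips. */
int undetected_single_bit_flips(uint32_t target_kmh, uint32_t speed_kmh)
{
    uint64_t target = anb_encode(target_kmh, SIG_TARGET);
    uint64_t tacho  = anb_encode(speed_kmh, SIG_TACHO);
    int undetected = 0;
    for (int bit = 0; bit < 64; bit++) {
        if (atp_supervise(target ^ (1ULL << bit), tacho) == ATP_RUN) undetected++;
        if (atp_supervise(target, tacho ^ (1ULL << bit)) == ATP_RUN) undetected++;
    }
    return undetected;
}

int main(void)
{
    /* Constructed sample values: target 160 km/h, measured 140 km/h. */
    uint64_t t = anb_encode(160, SIG_TARGET), s = anb_encode(140, SIG_TACHO);
    printf("healthy inputs      -> %d\n", atp_supervise(t, s));
    printf("stuck-at-zero tacho -> %d\n", atp_supervise(t, 0));
    printf("undetected flips    -> %d\n", undetected_single_bit_flips(160, 140));
    return 0;
}
```

Random multi-bit corruption can still land on a valid word, with probability on the order of 1/A for this toy code, which is why a residual non-detection probability is quoted for coded processors rather than zero.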

* Software component

At the time of signing of the contract, formal development methods were only partially in place. The methods adopted for the software were primarily based on Quality Assurance, then Failure Modes and Effects Analysis for software, and finally on intensive validation using simulators on site.

The SEMG considers, following audits of the contractors, that the accumulation of the methods used provides sufficient confidence.

4.4.2. The SEMG's views on the validation process

Risk Analysis. As has already been noted, it was not possible for the SEMG to be involved in the detail of all of the elements, nor to investigate all of the interactions, nor to attend all of the validation tests. The SEMG has based its opinion on those aspects identified in the Risk Analysis.

Test Categories. The tests leading up to commissioning may be divided into two categories:

a) Tests which verify that the systems or equipment, as built or installed, conform to the relevant design specifications.

b) Tests which confirm that systems, as designed, meet the relevant requirements under all conditions, including partial failures and degraded modes of operation. "Systems" in this context includes relevant operating procedures.

Category A tests. Because of the extent and complexity of the system involved there will be a very large number of category A tests, many of them of a very detailed and repetitive nature, e.g. wire counts in the signalling system. It is clearly not possible for the SEMG to witness more than a fraction of such tests, nor is it desirable that the SEMG should take on the role of monitoring the quality of installation and testing work in the tunnel.

However, in a safety system even a simple installation error, if undetected, can lead to disaster. It is important that the SEMG should be satisfied with Eurotunnel's arrangements to ensure that testing is effective, and part of this process should consist of observing sample category A tests to gain confidence that a satisfactory testing regime is being followed.

Category B tests. Category B tests are likely to involve a measure of judgement both in assessing whether the method of testing was adequate and in evaluating the results in relation to safety. It is important for the SEMG to witness such tests, especially where the conclusion to be drawn from the test may be to some extent a matter of opinion, e.g. in the case of simulated evacuation exercises.

5. CONCLUSION

At the time of writing this paper, the tests on completion are taking place in order to be ready for opening on the 6th of May, 1994.

The activities of the EMG have been at two levels:
- to identify from the general safety requirements those aspects affected by the signalling system, and to be satisfied that the functionality and the operating regulations are sufficient;
- to witness that the procedures for development controls are strictly adhered to by the sub-contractor, from the development of the product through to its installation on site, via the various validation stages;
- to witness the training provided to the operators and drivers;
- to draw the attention of the various contractors to the interface requirements for the signalling system. This has proved to be one of the most difficult problems.

6. REFERENCE

Commission of the European Communities DOC.CERTIF.<.J117 - Notified Body.

Fig. 1 - The Eurotunnel System [figure not reproduced]

Fig. 2 - Position of SEMG [organisation chart not reproduced; boxes: Inter-governmental Commission (IGC); Safety Authority (SA); Operator of infrastructure, EUROTUNNEL (ET); Contractor, TML; Maitre d'oeuvre, ATKINS SETEC; Signalling External Monitoring Committee (SEMG); Transportation companies, EUROTUNNEL, SNCF-SNCB-BR]

Fig. 3 - Signalling System [diagram not reproduced]

Fig. 4 - Architecture of the Signalling System [diagram not reproduced; labels: On-board equipment; Way-side equipment; Tachymetry; Automatic protection; Emergency brake; Signalling cab display; Train occupancy; Track lay-out; Work protection; Calculation of target speed]