Introduction

The Present document constitutes the particular specification of an automatic

train control system (ATC system) to be implemented using CBTC and moving block
technology.
The purpose of the CBTC system is to ensure safe, reliable and cost effective
unmanned train operation (UTO) of the complete rail system, including Operating
Control Centre (OCC) support functions.
The CBTC system includes central, trackside and onboard equipment with dedicated
software to provide all functions for automatic train protection (ATP),
automatic train operation (ATO), and automatic train supervision (ATS).
- ATP shall provide the primary protection for passengers, personnel and
equipment against hazards of operations.
- ATO shall control the operations that otherwise would be performed by a train
driver.
- ATS shall provide the overall supervision and control of the traffic including
status information for the central operator.
Communication between onboard and wayside ATC systems shall be supported by
continuous, high capacity and bidirectional data communications.

Glossary
ATC: Automatic Train Control
ATP: Automatic Train Protection
ATO: Automatic Train Operation
ATS: Automatic Train Supervision
UTO: Unmanned Train Operation (GOA4 as per IEC 62290-1)
CBTC: Communication Based Train Control (as per standard IEEE 1474.1)
FMEA: failure Mode and Effect Analysis
LRU: Line Replaceable Units
OCC: Operating Control Centre
SER: Signal Equipment Room
SIL: Safety Integrity Level (as per standard EN 50126)
O&M: Operation & Maintenance
Movement authority: portion of track over which a train has access at a given
time.

Applicable Standards / Documentation

The main standards assumed as a reference for the system design are the IEEE and
EN 5012X suite of CENELEC standards or equivalent:
.
CBTC system standard IEEE 1474.1 1999
.
EN 50126: Reliability, availability, maintainability, and safety (RAMS)
.

EN 50 129: Communications, Signalling, and processing systems: safety related

electronic systems for signalling
.
EN 50128: Communications, Signalling, and processing systems software for
railway control and protection systems
.
ISO 9001: Model for quality assurance in design, development, production,
installing and servicing.
.
IS0 9000-3: Guidelines for the application of ISO 9001 to the development,
supply and maintenance of software.
.
IEC 1131: Programmable Logic Controllers: General Information.
.
IEC 1000-5-2 EMC Cabling guideline
MIL-HDBK-217 (RAM requirements)
.
IEEE P1483, draft standard for Verification of safety for processor based
systems used in Rail Transit Control
EN 50155 Railway appliances Electronic equipment used on rolling stock
Revision 2001
.
IEC 61 373 Railway applications Rolling stock equipment Shock and vibration
tests Revision 1999-01
.
IEC 60 529 Degrees of protection provided by enclosures (IP codes) Consolidated
edition 2.1 February 2001
.
Cables shall be flame retardant, low smoke and non halogen gas emission as per
relevant international standards.

System Overview
The ATC system shall be based on state-of-art, yet proven in use, designed for
very high system safety, reliability and availability.
The signalling system shall employ modern CBTC technology as defined in the IEEE
1474.1 standard:
a)High-resolution train location determination, independent of track circuits;
b)Continuous, high capacity, bidirectional train-to-wayside data communications;
c)On board and wayside processors performing vital functions.
The system shall be bi-directional in any section of track and automatic traffic
shall be provided in any section of the mainline tracks and depots
The safe movement of trains on tracks and in yards must be guaranteed by the
signalling system automatically, without relying on action taken by operators.
The signalling system shall employ the moving block principle, the safe
separation behind the preceding train being dynamically calculated based on the
maximum operating speeds, braking curves and locations of the trains on the
track.
The system to be deployed must be UTO - Unattended Train Operation, according to
IEC 62290-1, which is characterized by the absence of the driver or train
attendant, in both the mainline and operational yard.

Central supervisory computers, the ATS sub-system, shall provide train

scheduling, and general operating and control information, to provide optimal
system throughput, control and flexibility. The regulation algorithms shall
include both timetable and headway regulation.
The ATC system shall make provision for the insertion of new stations within the
lines as well as provision for lines extension.
The train control system is intended to provide short interval, great
operational flexibility, safety through continuous overspeed protection, smooth
and predictable operation, high reliability and availability, optimised
maintenance tasks.
The train control system of the
rail network shall be communication-based.
Equipment reliability, redundancy, and system architecture shall ensure that the
operation of the system shall continue in the presence of any single failure.
The system architecture shall include redundant hardware for all ATC subsystems.
Communication among trackside computers and between trackside computers and the
OCC shall be by fibre optic links, encrypted radio frequency or copper links.
The ATC system shall be designed such that equipment failure rates shall be
sufficiently low to preclude the need for manual driving operation, which shall
be exceptional and reserved for train return to yards.
ATC, interlocking and train detection subsystems shall form an integrated train
control system, with proven in use interfaces between those subsystems.
Necessary automatic train control hardware and software shall be provided to
achieve safe and efficient fully automated and driverless operation for
passenger trains.
Under normal operation, ATC automatic mode shall require no OCC staff
intervention other than supervision and minimum OCC staff intervention when out
of normal operation.
Traffic reinforcement steps to meet passengers demand shall be provided.
Any equipment failure or line interruption shall be instantly reported to OCC
and lead to minimal service disruption, as high availability requirements shall
be met. In case of significant failure, the system shall then fallback to
alternative modes of operation under OCC staff full supervision.
The ATC automated control shall cover mainline and yard operations.
The ATC shall facilitate and monitor safe manual mainline and yard operations.
The ATC shall provide the OCC staff with user-friendly controls and supervision,
and provide all the necessary data and filtering tools to support maintenance
activity.
The system shall remain opened such as to anticipate further line extensions, in
terms of geography and capacity, as well as train extension. Addition of new
trains shall not require wayside or communication system changes.

System Design and Architecture

The CBTC System shall be developed based on the Moving Block principle, in which
the system creates a 'protection envelope' for each train, dynamically
calculated based on train location, speed, and direction.
The 'protection envelope' prevents any other controlled train from entering,
maintaining a variable safe separation distance between the trains, which is
adjusted according to their actual speeds.

System Principles

Operational Safety
Consideration for operational safety shall be first and foremost in the design
of the CBTC system. Safety is provided by:

Enforcement of safe train separation;

Enforcement of safe train speed limit;

Protection against derailment;

Route Interlock

Interlock between train movement and door status.

These functions shall be implemented with the use of vital (checked-redundant)
computer subsystems on the train, at the control location and at each wayside
interface.
Throughout the design and development of the system, checked-redundant fail-safe
principles shall be rigorously followed. Failure at any level in the system
causes it to revert to safe state.
Train Tracking
Communicating Train Tracking Overview
The localization system is used for tracking of communicating trains. The train
position is determined using wayside calibration transponders and positioning
transponders on the trackside and transponder interrogators and speed sensors on
the On-Board. Equipped trains report their current location to the wayside
computers and to the ATS.
Train Separation and Movement Authority
Movement Authority is calculated by the Zone Controller and defines an area
where the train can move safely.
Movement Authority is calculated by the wayside computer and defines an area
where the train can move safely. The Movement Authority is calculated based on
the track device statuses , position of other trains and the end of track
locations. The Movement Authority is limited by either an obstruction ahead of
the train, or if there is no obstruction, the destination.
The On-Board CBTC equipment supervises a controlled trains ability to stop
within the Movement Authority. If the train is at risk of travelling beyond the
Movement Authority, the On Board computer commands EBs.
Speed Supervision
The CBTC system vital functions continuously check that the train respects the
most restrictive permitted speed.
The most restrictive permitted speed is calculated taking into account the
following:

Movement Authority limit;

Civil speed limits defined in On-Board track database (ATP Speed Profile);

Temporary speed restriction; and

Maximum speed for current train operating mode.

The speed curves and stopping points that are calculated by the On Board
computer are illustrated below.

Interlocking Principles
In order to ensure safe train movement on the guideway, the system follows the
following interlocking principles:

Approach Locking;

SWITCH Approach Locking;

Route Locking;

Overswitch Locking;

Flank Protection;

Overrun Locking; and

SWITCH Control

Operations Requirements
The trains shall be driverless in nominal mode and unattended in normal
circumstances.
Train routes shall be set automatically.
Coupling of two trains shall be provided for rescue purpose.
The wayside is fully reserved for train traffic and does not mix or cross other
transportation system path.
The system design is to support single traffic. Only equipped train shall be
operated, along with specific maintenance vehicles.
ATC shall control automated yard operation and facilitate manual operation on
mainlines and yard.
In normal operations, train will stop at every station. Under degraded mode of
operation it shall be, however, possible to modify the standard configuration,
skip a station or all the stations (through train) for example.
Under nominal mode of operation, train shall run in one direction however, the
ATC system shall be designed for bi-directional operation in any section of
track.

System and Driving Modes

System Operation Modes
At any point, in any time, the rail system shall be operated in one of the modes
defined below:
Stationary:
This is the initial and default mode. Automatic train movements and manual train
movement if requested by OCC are disabled.
Normal:
The states of the rail subsystems are such that the rail system may perform
normally i.e. major operating systems report no failure. The rail is capable of
achieving its operational performances requirements. (Such subsystem failures or
other conditions which may exist have negligible influence on safety and
performance)
Degraded
One or more ATC subsystems have reported a failure or other condition, such that
the rail system is not able to achieve its operational performance requirements
(may be due either to a sub-system failure or some external event, such as an
infringement of its right of way or obstacle detection)
Emergency

One or more ATC subsystems (on board or trackside controller) have reported an
emergency condition, possibly indicating a threat to human life (e.g. abnormal
degradation of braking performances beyond an acceptable limit), or a major
system breakdown requiring for example a train evacuation through manual driving
mode.
Driving Modes
The ATC system shall support a number of train operation modes comprising at
least:
Automatic operation
This mode consists in full driverless unmanned operation and shall be the only
mode applicable unless exceptional circumstances occur. This mode shall be
available everywhere on the line and the depot except for the maintenance shop.
Restricted Manual Operation
This is a speed control manual mode under the responsibility of the driver.
This mode corresponds to an emergency situation in case of major ATC failure.
The train is manually driven under the operator responsibility at a limited
speed (provisional value of 18 km/h).
Sleeping:
Automatic operation requires a heating-up phase, followed by an initialization
phase.
Immobilized:
The train is either faulty or disabled in such a way that operation is not
possible without requiring to manual maintenance operation
Driving modes are to be in accordance with Operations Rules.
Initialization of System Normal Operation Mode
Initialization of automatic operation after system start up must be possible
without manual intervention locally in each train, nor require OCC operator
command to be made for each train.
Initialization of automatic operation after a global system failure must be
possible without manual intervention in each train, nor require OCC operator
command to be made for each train.
All parts of the ATC system including trackside and on-board computers shall be
capable of being remotely commanded to restart.
Transition between any driving modes, in particular between automatic and
manual, must be possible continuously and anywhere on the running line and in
the yards.
The border between manual and automatic areas shall only concern the shop
acquisition track or outer rail network acquisition track if applicable

Functional Requirements
Core Functions
ATC core functions are:

Automatic Train Protection (ATP): the system shall control and supervise
automated train operations in such a way as to assure the safety of passengers,
operations personnel and vehicles.
Automatic Train Operation (ATO): the system shall provide commands to vehicle
subsystems to ensure reliable and comfortable service for passengers and
convenience for operation staff, within the limits and restrictions imposed by
the ATP.
Automatic Train Supervision (ATS): the system shall provide all monitoring,
control and automated functions necessary to achieve fully supervised automatic
operation of trains throughout the line sections, and to support degraded
service. This function shall be integrated with the control and monitoring of
communications and traction power systems.
Automatic Train Protection
Train Detection and Tracking
The ATP shall detect the presence of
designed for use, whether running or
control. Presence detection shall be
portion of the system, including the
track circuits (IEEE 1474)

trains, and any maintenance vehicles

stationary, under automatic or manual
provided throughout the entire automated
yard. The train detection shall not require

It shall not be possible to manually access the safety related database of the
train detection function.
Loss of presence detection shall result in the ATC commanding the system into a
safe condition. For unexpected change of non-occupancy within a movement
authority in force, any change of the status of non-occupancy in front of a
train, shall immediately and automatically lead to a reduction of authority
limits and/or speed in order to prohibit train passage of the obstruction.
The presence detection function shall enable the ATC to detect the loss of
presence of a previously detected automatic or manual train in all
circumstances.
If lost presence is detected, the ATC system shall ensure system safety is
preserved and provides annunciations to OCC. The time to recover from a lost
presence condition, that is the restoration of presence detection, shall be
minimized.
All trains equipped with ATC system shall have their position, speed, travel
direction and length established by the ATC system.
The required part of this information shall be exchanged between on board ATC
and local zone controller using train-to-trackside bidirectional data
communication network.
ATC train detection shall establish the position of both the front and the rear
of the train.
ATC shall verify train length.

The ATC train detection function shall provide sufficient position accuracy to
support the performance and safety requirements.
In the event of failure, including loss of power both at the trackside and on
board the train, the train position function shall be self-initializing. No
manual input of data shall be required to locate any train.
The ATC shall be capable of detecting and protecting parted trains.
The ATC system shall take into account the slipping and sliding of wheels to
calculate its position.
Speed and position shall be determined in a vital manner.
Optional: Complementary/secondary/fallback/minimum train detection
In case the option is taken, train detection shall as a minimum determine train
positions with the accuracy corresponding to the subdivision of the track
system, in sections where the train has to be located according to operation
requirements.
This minimum train detection shall be effective irrespective of whether a
vehicle carries working onboard ATP equipment or not.
In case the option is taken, the minimum train detections shall serve as fallback for regular train detection in case of on board ATP failure.
Safe Train Separation
The ATP shall ensure and maintain safe operation between trains. All following
and opposing running shall be protected by safety critical processes.
Braking distance shall be derived from a safe braking model that shall consider
worst case system response times and failure conditions, consistent with railway
industry practice. The safe braking model shall be submitted as part of safe
braking calculations.
Trains equipped with ATC shall be capable of closing up to the rear of a
preceding train, end of track, (work/maintenance) or failed train. Unequipped or
failed train shall be controlled by rules and procedures.
Safe train separation shall be based upon a principle of an instantaneous (brick
wall) stop before a preceding train.
The issue of movement authority for opposite train routes in the same track
shall continuously maintain a safe train separation that allows both trains to
stop without colliding.
In case of violation of ones train end of movement authority limit, an
immediate and automatic reduction to zero speed for all endangered movement
authorities for other trains shall take place.
Overspeed Protection
In establishing the ATP profile, the on board ATC equipment shall continuously
determine the maximum safe speed at the train location, for comparison with the
actual train speed.

The maximum safe speed shall be the most restrictive of the speed limit for
current section of track, any temporary speed restriction imposed on that
section of track, the maximum speed that would enable the train to stop safely
prior to the limit of the trains movement authority, the maximum speed that
would enable the train to safely reduce its speed in conformity with the next
speed target and location.
Emergency braking shall automatically be initiated if the actual speed of the
train is exceeding the ATP profile speed at the actual train location.
Note: the ATO shall control the train speed with an operational speed limit
lower than the maximum safe speed limit, i.e. ATP profile. If this control
fails, ATP must initiate an emergency stopping.
The ATP shall support speed limits that vary along the track as a consequence of
local conditions.
Brake Assurance
Service Braking
In normal conditions, the ATP profile speed compliance shall be enforced by
initiating service braking.
If the service brake is insufficient to keep the trains within the ATP profile,
the on board ATC equipment shall apply the emergency braking.
Emergency Braking
Immediate emergency braking of a train shall be initiated automatically upon any
violation of safety conditions.
Emergency braking shall automatically be initiated if a train is moving without
movement authority.
Emergency braking shall automatically be initiated if a train is moving against
the direction allowed in its current movement authority (anti roll back)
Immediate emergency braking of trains shall be initiated automatically upon
system failures (including loss of fail safe communication between system units)
that might create a dangerous situation.
Application of service brake either automatically or manually (in case of work
trains) is determined by the ATP to be insufficient to stop the train short of
an obstruction.
Emergency braking shall also be triggered in case of receipt of an emergency
Stop-now command from the OCC.
Emergency handle (or any other device such as buttons etc.) shall be available
in all trains.
Emergency braking, once initiated, shall remain under ATP control and may be
removed before the train comes to a complete stop if the emergency brake
condition is no longer active.
If conditions for the train to move are not fulfilled, the emergency stop shall
remain in force, regardless of any reset, unless a switch to manual operation is
done.

The on board ATC, emergency braking and traction orders shall be interlocked in
such a way, that traction is removed as soon as emergency braking order is
initiated.
Braking Performance Monitoring
The train emergency brake shall be automatically tested when the train is waken
up by the OCC. Trains with deficient emergency brakes shall not be injected into
the carousel. Alarms and report shall be generated and sent to OCC.
Securing of Routes
Routes may be defined as any movement authority that goes through a set of one
or more switches.
Securing of routes shall basically rely on movement authority granting and
switch interlocking.
No issue of mutually conflicting movement authorities is allowed.
The issue, change and cancelling of movement authorities shall be exchanged in a
fail safe manner between the issuing instance/entities and the unit that is to
utilize the movement authority.
Movement authority shall cover any portion of track geometry, except for blocked
track sections or failed or blocked switches.
Movement authorities as a minimum shall support movements between any predefined
departure location and any predefined arrival location over the track geometry.
In case of a movement authority cancellation, provisions shall be made to
safeguard that the previously authorized train has been brought to a complete
stop, before another movement authority or individual switch command is issued
that may include change of switch position within the stopping distance of the
said train.
Movement authorities shall be provided by the ATP function for any unmanned
movement of trains, including trains carrying passengers, unmanned supply and
removal of empty trains to manned maintenance vehicles or manned (defective)
trains, provided that safety functions are fully operational.
Automatic release from a movement authority over track sections and switches
shall take place immediately, upon train passage or in case of rerouting of
train, to allow subsequent movement authorities.
Switch Interlocking
Detection of switch position shall be done automatically and continuously.
Commands shall be provided for change of switch position.
The issue of movement authority involving switches shall be conditioned on the
correct alignment and locking of the switches within the movement authority
boundaries and the correct positioning of switches protecting that movement.
No change of switch position by automatic or manual command must take place
within a movement authority in force until the switch has been released from its
locking by a fully detected passage of the train holding the actual authority,
or the movement authority has been cancelled.

If due to an error, a change of switch status away from the correct alignment or
correct positioning takes place, movement authority limits and/or speed shall
automatically be restricted to prohibit train passage of the switch.
Facilities shall exist for handover of control of a switch from the OCC to an
operation staff at the switch location and vice versa.
Two switch modes of operation, central (automatic or remotely controlled) or
local (manual by an operation staff) shall exclude each other at any moment.
Blocking of a switch shall prohibit the subsequent issue of associated movement
authority.
Blocking or unblocking of predefined switches delimited by wayside markers shall
be supported by the ATP system.
Safe end of Track Approach
The ATP shall ensure that the train will not reach the end of track buffer under
worst case failure conditions.
Speed Detection
Actual speed detection: a continuous measurement of the actual real speed of the
train shall be provided by the onboard equipment.
Zero speed detection: zero speed shall be detected by the onboard ATP equipment.
Train Splitting Protection / Train Integrity Protection
Facilities shall exist to detect any coupling; detachment and/or separation of
detachable units of a train consist.
Upon a detection of an unscheduled uncoupling, detachment or separation, an
immediate emergency stop shall be imposed on all units of the previously
connected train.
The ATC shall detect an unexpected split and establish appropriate limits of
authority to prevent other trains from entering the pull-apart area. An alarm
shall be forwarded to the OCC.
Direction Control and Rollback Protection
The ATP shall ensure in real time the specific running direction on each track
is respected.
Reversal of train travel direction shall be prevented until zero speed has been
detected.
Emergency braking shall automatically be initiated if a train is moving against
the direction allowed in its current movement authority.
Train and Platform Screen Door Safe Protection
Train door protection shall be provided for all passenger trains.
Train door status and platform screen door status shall be subject to continuous
supervision.
If any automatic door or emergency exit door on a train unlocks for any reason
while the train is in motion, i.e. above zero speed detection, an emergency stop
shall be automatically initiated.
In the event of any unscheduled door opening, a local manual reset by authorized
personnel shall be required prior to the restoration of train operation, unless
door status returns to close in the meantime.

Option: remote reset from OCC shall be available after having established,
through communication means (on-board camera, passengers' dialogs), the safety
of the current situation.
A stopped train shall not be permitted to move automatically until all doors of
the train are properly closed and locked.
The ATP shall monitor the train and platform screen door in order to authorize
their opening only if the train speed is zero, vehicle and platform screen doors
are properly aligned within the allowable tolerances, the park brakes applied
and the propulsion system is disabled.
Facilities for emergency opening of train doors (from OCC, from inside train or
from outside train) shall exist.
Platform screen doors protection shall be provided at all platforms.
The status of platform screen doors shall be subject to a continuous
supervision.
If a platform screen door unlocks for any reason not during passenger exchange
with a dwelling train, emergency stop shall be initiated for all trains in
predefined sections along the station.
In case of unscheduled platform screen door opening the train at station shall
apply emergency braking and the incoming train shall apply emergency braking.
In the event of any unscheduled platform screen door unlocking, a local manual
reset by authorized personnel shall be required prior to the restoration of the
operation.
A train stopped at station platform shall not be permitted to move automatically
until all platform screen doors facing the train are properly closed and locked.
The ATP shall monitor the train and platform screen door in order to authorise
their opening if train speed is zero, vehicle and platform screen doors are
properly aligned within the allowable tolerances, the park brakes applied and
the propulsion is disabled.
Facilities for controlling the emergency opening of platform screen doors (from
OCC, from track side or from platform side) shall exist
Temporary Speed Restrictions
The ATP shall ensure the compliance of trains to temporary speed restrictions
that are introduced and cancelled by the ATS system.
Blocking of Track Sections or Switch Areas
Blocking and unblocking of predefined track sections delimited by wayside
markers shall be supported by the ATP function and supervised by the ATS
function.
Blocking of track section shall prohibit the subsequent issue of movement
authorities in that section.
Wet/Dry Rail Reduced Adhesion Operation
The ATS shall be able to modify the service braking performance in ATP profile
calculations under wet/dry reduced adhesion conditions. The ATS system shall
have the capability for the OCC to designate the weather conditions as wet or

dry a system wide basis or on predefined sections of track, particularly for

sections of track in open air.
When the OCC changes the condition between wet or dry, the ATS system shall
notify all equipped trains.
When in wet condition, i.e. whenever or wherever adherence condition changes,
on board ATC equipment shall adopt a degraded braking performance. The on board
equipment shall ensure that trains do not violate the movement authority given
the assumed reduction in braking performance.
Obstacle Detection
Wayside devices enabling the mitigation of identified hazards shall feed the ATP
function with alarms that may bear various levels of severity.
Wayside obstacle detection may complete and/or be interfaced with an intrusion
detection system.
The status of wayside obstacle detectors shall be subject to continuous
supervision.
If an obstacle is detected, emergency stop shall be initiated for all trains in
predefined sections around the obstacle area.
Wayside obstacle detection device shall require local manual reset or remote
reset depending on the device nature, prior to the restoration of normal
operation.

Automatic Train Operation

The ATO function shall provide commands to vehicle subsystems, in particular the
propulsion unit, to ensure reliable and comfortable service for passengers as
described below.
ATO operates under the safety constraint of ATP and shall in no way reduce the
safety level of the ATP.
Motion Control
Train acceleration, deceleration, and station stop shall be controlled by the on
board ATO function within the established ATP profile. The ATO shall effect this
control by providing commands to the trains propulsion and braking units in
real time.
The ATC equipment shall cause the service brakes to be applied automatically, as
required, for speed maintaining, to reduce train speed on approach to a civil
work speed reduction or temporary speed reduction, and to bring the train to a
stop at a movement authority limit or programmed station stop.
(Service braking shall also be applied automatically in manual mode every time
the on board ATC detects that the fixed ceiling speed limit is reached)
Speed Regulation and Run Time Control
The ATO shall control train speed and deceleration rates to stop trains at
stations platforms within tolerances defined by safety analysis and enforced by
the ATP.

The ATO shall control train braking commands to provide a smooth stop, avoiding
jerks as the train comes to rest. An automatic jog forward/back feature may be
used, within safety constraints when going backward.
Trains which do not succeed in positioning within tolerances at the station
platform may perform a forward or reverse jog attempt. The number of jog
attempts shall be a maximum of one for every failed positioning.
Trains which do not stop (after jog attempts, if so designed) within the correct
alignment tolerances shall automatically send a request to OCC along with train
stop imprecision information figures in order to be authorized to proceed to
next station.
The ATO shall control the train speed within an acceptable limit of required
speed for the profile defined for a particular operation mode and track
location.
The ATO shall, in combination with the propulsion and braking control circuits
of the train, shall meet the acceleration and jerk limit, avoid unnecessary
power/brake transitions, avoid over speed,provide the smoothest practical ride
for passengers.
Dwell Time and Departure
Upon platform train stop, the ATO shall control the station dwell as per service
regulation needs.
The dwell time shall be either automatically defined according to timetable and
headway regulation needs, or may be shortened or extended by means of a
straightforward control from OCC or from the local control
At the end of the programmed dwell time, the ATO shall automatically command
platform screen doors and train doors to simultaneously close, preceded by an
audio and visual signal for passenger information.
Once all doors are confirmed to be locked, the ATC shall command the train to
depart the station.
Programmed Station Stop
Braking and stopping at a station must be made within a precision allowing the
passenger exchange to be done at the predetermined areas through platform screen
doors, within the precision defined in the performance requirements.
For coupled train passenger unloading, the station stop at the next station must
support successive unloading of passengers for both coupled trains.
Other Sub Functions
The ATO function shall address other functions and their interfacing
requirements with ATS, ATP function and communication equipment: request for
door opening, train response to OCC controls, train departure testing, passenger
information support, train health monitoring

Automatic Train Supervision

Automatic train supervisuin shall provide the following functions:
Automatic Route Setting
Automatic Route Setting is the ATS function that automatically requests routes
for trains to implement train movements defined by:

Run assignments;

Line assignments;
Single Destination assignments; and
Shuttle assignments.

Turnback Modification
The ATS Operator shall be able to establish diversions to change the turnback
location for trains on scheduled run assignments or line assignments. This
feature allows short turnbacks to be established for specified time period.
Conflict Handling
Conflict handling shall provide deadlocking prevention of train segments.
Manual Route Setting
The Route allows the ATS Operator to manually request or cancel any route.
Automatic Train Regulation
Automatic Train Regulation manages the dwell time and train run type for trains
with a run assignment. It also calculates the schedule and headway adherence of
each train for presentation to the central operator.
Automatic Train Regulation manages the dwell time for trains with a run
assignment.
Anti-Bunching (Automatic Platform Hold)
The ATS shall apply automatically a platform hold to a train at a platform when
there is an excessive accumulation of trains on the track downstream.
An automatically created platform hold is automatically removed when the
concentration of trains downstream has come back to a normal state. The Central
Operator shall be able to override an automatic hold by performing an individual
train depart or by disabling the automatic hold feature for the platform in
question.
Schedule Assignment
The ATS sall provide a facility to assign a selected operating schedule using
the Schedule Selection command.
The ATS shall provide a facility to plan the automatic schedule assignment
covers a certain duration (e.g. 30 days).
Train Launch
When the level of service needs to be increased, the ATS shal present to ATS
Operator a launch list. This list will be sequential, indicating the expected
order of trains to enter into service.
Train Exit from Service
The Exit List shall be generated when a schedule is assigned by the ATS
Operator. The Exit List will indicate the runs to be exited for each Reduction
of service for the entire schedule.
The ATS shall control each train to the completion of its current route and/or
line assignment and trigger the normal completion of service.
Junction Priority
At places where tracks meet, the schedule can define the rules for selecting
which train can proceed into the junction first. The ATS Operator has the option
to change the algorithm of managing the trains that meet at a junction. The
default rule is based on the first train scheduled to arrive at a junction.
Re-Determination
The ATS Operator shall have facilities to initiate a re-determination of runs
for a schedule. This command is used to bring the system back on schedule
following a failure that caused a large delay that cannot be recovered.
Online Timetable Editing

The current operating timetable may be edited by the ATS operator to provide
temporary service adjustments. Online edits only apply to the currently loaded
timetable.
Cancel Run/Trip
This command allows the ATS operator to cancel a trip or an entire run. This
has the effect of removing the trip data from passenger information. When a
train arrives at a terminus and the next trip has been cancelled it will go out
of service.
Train Out of Service
The ATS operator shall be able to select a platform to take a train out of
service for any trip. This platform will be reflected in passenger information
as the new destination. When the train arrives at that designated platform it
will go out of service unless it has been formed-to another trip.
Slide Trip
The Slide Trip command allows the ATS operator to change the departure time for
a trip. All of the platform times for the trip are slid by the corresponding
time change.
Even Out Headway
The Even Out Headway command (also know as flex) allows the ATS operator to
perform multiple Trip Slides in one command
Divert Trip
command allows the ATS operator to turn a trip short, extend a trip or send a
trip down a different track.
Modify Trip
This command gives the ATS operator the ability to modify details of a single
trip.
Add Run
This command allows the ATS operator to add a run into the current timetable
Modify Entry
This command allows the ATS operator to change the entry location for a run.
An entry line and revenue start platform must be specified.
Modify Exit
This command allows the ATS operator to change the exit location for a run. An
exit line and revenue end platform must be specified.
Revert Run
This command reverts all trip modifications that have been made to a run back to
the timetable values.
Station Bypass
The ATS shall be able to direct a train or group of trains to skip a station or
group of stations. Train groups shall include a manually specified (click on)
group, all trains in a direction, or all trains in service.
The ATS system shall provide a trigger to automatically generate Public
Announcement on the platform to and onboard concerned trains to notify
passengers that the train is not stopping in the station.
The on board ATC equipment shall suppress station overrun notices to the OCC or
the Local Control room.
The ATC system shall allow trains to leave stations being bypassed at the
maximum authorized speed.
Holding a Train at Station
The ATS shall enable the OCC or the Local Control Office to hold a train in a
station through an ATS
command.
Restricting or Stopping a Train en route

a) Stop at next station. The ATS system shall provide a means to stop trains en
route either immediately or at the next station. The ATS system shall allow the
OCC to designate a train, group of trains,section of track, or the whole system,
and define whether the stop is to be at the next station or
immediate.
In the case of a next-station stop the on board ATC equipment shall determine
whether the train can physically stop in service braking mode by the next
station. If the train is in the process of departing a station, it shall
continue to the next station and stop there. If the train is in the process of
bypassing a station and the ATC system determines that the train cannot stop at
that station under normal service braking, the train shall be allowed to run to
the next station where it will stop.
Once stopped at the station, each train movement authority shall be pulled back
by the ATC system to the stopped location.
The OCC shall be able to release the stop-at-next-station command by a group
command, either a single train, group of trains, all trains in a section of
track or all trains on the line. Once released, the ATC system shall allow
movement authorities to be advanced, and the ATS system shall set routes
for trains through interlocking process.
b) Stop Now function (emergency). The ATS system shall provide a means for the
OCC to designate a train, group of trains, all trains in a section of track, all
trains on the line, to be stopped immediately with emergency braking. This
command shall cause the on board ATC equipment to immediately
apply the brakes, and notify the train in manual driving mode if any.
The on board ATC shall adjust the train movement authority consistent with the
actual stop.
The OCC shall be able to release the stop-immediately command on one train at a
time, or a group of trains, all trains in a section of track, or all trains on
the line. Once released, the on board ATC equipment shall release the emergency
brake command, the ATC shall allow movement authorities to be advanced, and ATS
system shall set routes for trains.
c) Stop Now function (service). This function is identical to the emergency Stop
Now function except that trains are brought to stop with service braking.
Track Maintenance Support
The ATS system shall provide a mean for the OCC to block track and switches, and
apply temporary speed restrictions (TSR) and remove them as necessary.
Track and Switching Blocking
The ATC system shall not grant movement authorities to trains to operate into or
out of blocked track sections or switches areas. The ATS system shall include
facilities to allow the OCC to block and unblock track sections and switches.
Temporary Speed Reductions
The temporary speed restriction shall be enforced in a similar manner to civil
work speed limits. Trains that already have authority through the TSR order area
and can comply with the speed limit shall do so.
In the event that a TSR is received by a train that encompasses an area within a
safe braking distance of the train, and the restriction would place the train in
an overspeed condition, the on board ATC

equipment shall brake the train into compliance; if the train fails to respond
to the service brakes, the on board ATC equipment shall apply the emergency
brakes.
Temporary speed reductions are under ATP control.

Passenger and Staff Information

ATS must generate data about time schedules and deviations in time schedules to
inform passengers and staff.
Automatic Depot Operations Control
General
The depot shall be equipped for automatic train movement in all locations except
for the designated shop tracks. Trains shall move automatically between storage
tracks, the main line and shop transfer track(s).
From the shop transfer tracks to the maintenance shop, it shall be possible to
hand over the automatic train movement control to manual control.
Option: for maintenance ease, trains may be remotely driven between shop
transfer track and maintenance shop from a local shop panel control.
Trains shall be routed within the yards by automatic means or by remote command
from the OCC.
Safe manual driving of trains within the Depot shall be possible within
limitation fixed by on-board ATP (Optional)
Automation of train movement initiation between the Depot and main line and vice
versa shall be maximized.
The system design principles for the Depot shall be the same to those for the
main line. All mainline functions shall be available in the depot.
Depot to Main Line Operation
Every time a train has gone through the sleep state, which is the normal state
for train storage, a train shall be subjected to series of static safety and
functional tests which are conducted automatically to ensure that critical
systems are fully operational.
The ATC system shall possess a self testing capacity.
If the tests are passed successfully, the train can proceed to the main line for
revenue operation. If one or more of the tests fail, train insertion is put on
standby and the OCC is alerted to the nature of the failure.
The location of entry tests, also depending on track lay-out, should be chosen
such that failure of entry tests does not block further access for trains to and
from the mainline.
Main Line to Yard Operation
Trains shall return to the Depot from revenue service in accordance with
automatic schedule requirements, or upon OCC request.
The scheduled destination shall be capable of being overridden from the OCC.
The return to the Depot requested from the OCC may concern one or more trains.
Train Storage
The necessary movements shall be automatically achievable.

When trains are to be put to sleep, the OCC shall be able to trigger the sleep
mode only for trains in the correct position in their storage track.
A command shall be available to initiate sleep mode in and section of storage
track outside the depot.
The train awakening shall be made by the OCC automatically from the schedule or
manually initiated via operator command.
Spare Parts
The Contract supply shall include the delivery of sufficient amount of spare
parts to secure that the rail system will be self-sustained with spare parts,
especially during the test period, the trial run, and during the critical early
stages of commercial operation. The Contractor shall indicate and itemized list
of spare parts including total value for a maintenance period of 3 years
following completion of the specified period of operation and maintenance.

Detailed description of the entire ATC system

The contractor shall submit a detailed description of the ATC system delivered.
The description shall address all functional and technical requirements and
shall explain in detail how each of these is achieved, including control tables
(as applicable) and safety braking model. (Safety distance calculations)
Description and drawings of all items of hardware
Description and drawings of all interface arrangements
Fully detailed operating diagrams for normal time-table scenario

Trackside and Wayside ATC Characteristics

General Requirements
The trackside and wayside ATC subsystem The shall consist essentially of a
network of highly reliable, distributed vital area computer (local trackside
ATC) The trackside intelligence for train tracking, movement authority setting,
interlocking function and other ATC related ATP functions is resident in the
trackside computer(S).
Trackside systems shall also include primary train location devices,
(transponders) which are able to provide a unique identity to the on board ATC
positioning system.
Each trackside ATC shall be microprocessor based and shall be responsible for
the control of trains, being in driverless or manual mode, and facilitate the
passage of unequipped vehicles.
Each trackside ATC shall interface with the data communication network and/or
the multi-service backbone network, to the ATS server at the OCC, to the other
adjacent trackside ATC, and to the trackside equipment.
The Contractor shall determine the architecture for the trackside ATC network
which shall form the basis of his design in order to meet the functional, and
performance requirements of these specifications. The length of track, number of
allowable trains in a section, the number of stations, and the number of
interlocking and other trackside elements with witch the ATC must interface,
combined with the degree of redundancy incorporated in each trackside ATC, shall
constrain the ability of the ATC system to meet these aforementioned

requirements along with the safety, availability, reliability, and

maintainability criteria set in the System Assurance Program Plan.
Restricted Manual Mode
In the event of a loss of vital information (such as train location, movement
authority, etc) as a result of failure of the ATC on board system, a failed
train to track communication link, or a failed trackside ATC, the ATC shall
cause an emergency brake application. Further movement of the train shall be
possible in restricted manual mode, which selection shall disconnect all non
required subsystems
The train operator will be able to select restricted manual mode using a switch
on the driving panel, the result of this action shall bypass the ATC functions
and insure the removal of the movement authority restriction. The train can then
be operated at a restricted speed (18 km/h) by propulsion subsystem or by
on board ATC.
It shall be possible in RM mode to reset, or reinitialize, the on board ATC
equipment. If the reset is successful and full ATC functions, including train
location determination, are restored, a message shall be indicated to the train
operator and to the OCC. The train operator may then select the driverless mode
to resume normal operation.
Level of Safety
The global safety shall depend on a system whose safety has been definitely
proved independently of any application software.
In order to insure the safety of the systems used in the field of railway
signalling, it is required to fulfill two main conditions:
- the system used has to ensure a faultless and complete function in the sense
of the task definition
- it has to show a vital behaviour in case of failures and faults referring to
the system itself or to components directly connected with it.
Vital Subsystems
The vital subsystems shall be designed as to be fail-safe. The architecture and
this relevant equipment implemented to ensure the processing safety shall be
described clearly by the contractor, such as:
- coded mono processor
- bi or tri-processor with comparison or majority vote
- mono-processor with bi-software.
Hot redundancy or 2-out-of-3 polling a concept is recommended for high
availability. An alarm alerts the maintenance which is able to intervene without
interrupting system operation.
In case of power supply defect, the system will shut-down in an orderly manner,
locking points in the current position. The stored functions will be memorized
for a pre-determinate time of 4 hours at least. When power supply recovers, the
system resumes automatically if there is no loss of information stored, if not,
a restart manual by the maintainer will be necessary.
Software Architecture
The contractor shall distinguish between basic software and application
software.

The function of the basic software is to keep the application software

independent of the hardware and to provide high-performance services.
The basic software mainly governs the operating system and communications.
Input/Output Safety
A restrictive status of each input and output shall be defined by the
contractor.
Serious faulty operation detection at the level of an input or an output shall
involve its restrictive status.
Serious faulty operation detection at the level of the system shall involve the
system stop and the outputs restrictive status.
In addition, the system outputs shall be systematically maintained in
restrictive status before the complete initialization.
Maintenance Facilities of the Module
Diagnostics and maintenance subsystem consists of a personal computer based tool
that provides support for the maintenance staff. A comprehensive range of
diagnostic facilities shall be built into the system.
It shall be possible for maintenance staff to interrogate the system at any time
and check the current state of any specified signalling functions, or list any
current fault reports. The memorization on appropriated support of all relevant
events (changes of state, operator requests) shall be maintained several days
for further analysis.
Protection against electromagnetic interferences is required.
Module Failures
Failure of whole unit. In case of a redundant unit failure, the unit shall
automatically switch to the other redundant unit. An alarm shall be transmitted
to the OCC and to the Local Control Office.
Any failure shall be considered as a light failure if a vital part of the unit
intervening directly on safety is not concerned.
Generally, it would be advisable to avoid unjustified stopping.
As far as possible, a faulty element shall not stop the operation of the module.

Environmental Conditions
Climatic Conditions
All components used in electronic apparatus must be capable of operating
faultlessly, according to IEC 60068-1,IEC 60068-2-1,IEC 60068-2-2,IEC 60068-2-3.
EMC Compliance Standards
The Contractor shall perform all factory and site measurements in order to show
the EMC compliance of the ATC equipment according to the following standards:
EN 50155 Railway appliances Electronic equipment used on rolling stock

EN 50121-1Railways applications Electromagnetic compatibility All applicable

parts
EN 61000-4Electromagnetic compatibility

ATC System Safety

Safety Objectives
The design shall include provisions which are specific for the safety and
security of passengers, Operation and Maintenance staff, Emergency and Security
Staff, and the public.
No single failure, event or likely combination of events, shall cause a critical
or catastrophic hazard to any of the above or to system equipment. Non-critical
and non-catastrophic hazards are to be minimized and/or controlled. The bjective
shall be to prevent train collision and derailment.
The required level that shall be obtained must be very high.
The Contractor shall identify, assess and classify risk inherent to each kind of
technology, to each kind of method used in the system.
Safety Performance Requirements.
Achievement of System Safety is a primary design and performance requirement for
the Supplied System, which must perform in a safe manner under all operating
conditions. The design of safety-homologated equipment shall meet one of the
following three safety types: intrinsic safety, controlled safety or
probabilistic safety.
Controlled Safety
A piece of equipment is said to have "controlled safety" with respect to certain
malfunctions or failures when consequences detrimental to safety are inhibited
by another independent device which detects these and controls passage to a
restrictive status. As for intrinsic safety, experience shows that the degree of
safety reached is better than 10-9 per hour.
Probabilistic Safety
A piece of equipment is said to possess "probabilistic safety" when the
probability of its operating in a manner detrimental to safety is smaller than a
pre-determined value. The probability of occurrence of a catastrophic failure
(which may lead to collision or derailing) must be smaller than 10-9.
Requirements
Supplied System shall provide a level of safety such that any single,
independent hardware, software or
communication failure, or any combination of such failures, with the potential
for causing death or severe
injury to customers or staff shall not occur with a frequency greater than once
per 10-9 system operating
hours. System operating hours is defined as the time that the system is turned
on and operating. This
safety requirement includes failures of all types, both random hardware failures
and systematic
design/software failures.
The Contractor shall identify, analyse and classify inherent risks in each type
of technology used in the

Supplied System. For the software elements of the Supplied System this shall
include the risks inherent in
each part of the software (for example: operating system, application software,
databases and firmware),
and to the methodologies and tools used for their development.
Safety critical (vital) functions shall be verified through any/all of the
following: analysis, factory testing, environmental testing, or field
verification. All hardware or software designs, techniques, or methodology
shall require documented verification of proven safety for approval. Safety
analysis shall include hazard identification and justification of acceptable
risk. Hazard identification shall be exhaustive.
The Contractor shall document the principles, strategies and tools used to
implement the safety requirements. The safety measures incorporated in the
Supplied System shall be traceable to the safety requirements and identified
hazards.
Design Requirements
Overall Requirements
Elements of system which are not directly concerned with safety shall be kept
separate from the safety part of the system
All credible failure modes for each hardware and software element of the
architecture shall be identified.
The Design shall ensure that no failure can induce a critical situation: in case
of a failure or an error, the system shall return to a recognized safe state.
Faults shall be detected with on-line, high diagnostic coverage. A Fail-Safe
architecture very much depends on the effectiveness of its fault detection
measures, it may not need any on-line diagnostics.
However, a fail-operational architecture needs detailed on-line diagnostic
coverage to achieve its integrity and reliability, because without this it is
very difficult to implement any recovery mechanism.
The architecture shall be designed to increase the availability of the system by
using a combination of well tried and well defined fault avoidance and fault
tolerant measures.
The design specification shall identify the components and modules of the
architecture, and describe their functional and other characteristics (such as
their integrity levels, failure rates, performance). It shall also describe
interfaces, internally and with external equipment.
The design shall ensure that the architecture operate correctly in all
foreseeable environmental conditions, such as EMC, noise, heat, etc. The
envelope for the environmental conditions and requirements is defined in the
requirements specification.
The architecture of the Supplied System shall be such that a clear segregation
can be made between safety critical (vital) equipment and functions, and nonsafety critical (non-vital) equipment and functions.
All data communication subsystems within the Supplied System that are used to
transfer safety-critical data shall be designed to provide adequate levels of
error detection for this purpose.

The accuracy, resolution, and integrity of the train location system shall be
consistent with limits established for safe braking distance, enforcement of
speed zones, switch protection, and other safety functions.
Hardware Requirements
Safety critical components shall be Fail-Safe or Checked Redundant:
Fail-Safe means that any frequent component failure (that is likely to occur
more often than once in 10-9
system operating hours) shall not result in a condition known to be unsafe.
Checked Redundant means that the probability of any failure or combination of
failures is low enough to provide a level of safety at least comparable to that
provided by a fail safe design.
The Contractor shall produce a full and comprehensive definition of the
application of these safety elements.
Software Requirements
The Contractor shall identify, assess and classify risk inherent to each kind of
software: operating system, application software, to each kind of new technology
and new tools,
Design of software must take into account hardware systematic, random failure
and common mode failure,
Data-driven software (including parametric or configurable software) shall be
protected against possible errors arising from entry of incorrect data through
accepted procedures,
If vital and non-vital software is to be implemented on a single hardware
platform, then all of the software shall meet the requirements for vital
software unless appropriate techniques, are used to ensure vital software is
unaffected by the non-vital software,
Safety critical (vital) functions shall be implemented in a manner which is
Fail-Safe, The general requirements for Fail-Safe designs are outlined below.
Fail-Safety Design:
Safety of system design shall be assured by the incorporation of Fail-Safe
principles in the design of safety-critical modules. Fail-Safe designs shall
ensure that any failure, or combinations of failures, shall result in a
condition that is known to be safe.
.
Certain equipment and components are declared to be Fail-Safe by their
compliance with existing codes and standards for these particular devices (e.g.
vital signalling relays) and may be used, in an appropriate manner, in the
design of a safety critical system element. Devices of this type are
considered to be conventional in their approach to achieving fail-safety. It
shall be the responsibility of the Contractor to, present the safety certifiable
evidence of the inherent fail-safety-of the devices to be used.

Fail-Safe Equivalence Design: Designs which are equivalent to Fail-Safe shall be

considered for safety critical functions when their Fail-Safe equivalence is
explicitly proven by undertaking safety engineering nalysis and verification in
accordance with this Specification. Such a safety proof shall demonstrate that
the probability of any failure, or combinations of failures, which could result
in an unsafe condition shall satisfy the safety design requirement defined in
the previous section.
Checked-Redundant Design: Designs which are checked-redundant in their
configuration may be proven to be Fail-Safe equivalent, providing these checkedredundant designs incorporate the following design principles:
The checking process, in itself, shall be either Fail-Safe or checked-redundant.
The checking process shall encompass the complete subsystem, and/or all
components, related to performing the safety-critical function.
The checking process shall detect any failure of the subsystem which may degrade
the integrity of the safety function. Where software is used to implement a
system function, then software errors shall be considered as failures.
The checking process shall be comprehensive and frequent. It shall be performed
at least as often as the function which is being checked, and sufficiently
frequently that the probability of an unsafe failure shall satisfy the safety
design requirement defined in the previous section.
.
The design and development of critical software shall be in accordance with
recognized international software standards applicable to critical, high
integrity systems. Where software is employed to perform a function which is
shown to be directly pertinent to System Safety, then that software shall
have been developed to a rigorous interpretation of these design and development
processes, Critical decision processes, which directly impact the System Safety,
within the software program shall be structured to ensure minimum complexity,
and thus allow for review and explicit testing of the logic paths. The
dependence of safety of the system on a single software decision process, logic
path, or critical data element should be avoided, where possible, by
incorporating diversity within the software design.
Databases which contain information that can impact the safety performance of
the Supplied System, shall be considered safety critical, and shall be
appropriately protected during data storage, retrieval, communications, and
processing. The Supplied System shall be designed to ensure that all such data
is accurate during initial data entry, processing, utilisation, and update, and
a process shall be established for appropriate data management of this safety
critical data.
Software Safety Case
The Software safety case shall describe and justify the software safety
analyses.
Process
The Contractor shall establish a software safety case. It shall include: an
overall description of functions, the software architecture and design
principles, requirements related to software defined from the various safety
analysis, safety functions, interfaces, means of implementations.
The software safety case shall provide information to assess that:

the software requirements are verified, the software is correctly designed.

Software Specific Safety Documentation
The following documents shall be established by the Contractor:
Security and Safety Management Plan (SSMP),
System Safety Plan
Software Safety Plan (SIL4 requirement)
Preliminary Hazard Analysis,
Test Plan, Test Reports,
Safety Case,
Software Safety case
RAM Failure Categories for ATC system
The following table defines RAM failure categories:
Failure Category Definition
Significant (immobilising failure) a failure that generates a hazard and/or
prevents train movement or causes a delay to service greater than a specified
time and/or generates a cost greater than a specified level
Major (service failure)a failure that must be rectified for the system to
achieve its specified performance and does not generate a hazard and/or a
delay or cost greater than the minimum threshold specified for a significant
failure
Minor a failure that does not prevent a system achieving its
specified performance and, does not meet criteria for significant or
major failure
Reliability, Availability and Maintainability Requirements
Overall Reliability Requirements
The Reliability of each LRU directly related to Safety shall be greater than 109 failures per hour
Each LRU of a system whose failure would be significant shall have Reliability
greater than 2.10-5 failures per hour
Each LRU of a system whose failure would be major shall have Reliability greater
than 10-4 failures per hour
Each LRU of a system whose failure would be minor shall have Reliability greater
than 5.10-4 failures per hour
A LRU considered as being related to Safety is a LRU whose failure would be
critical for Safety. These LRU shall be defined through Safety activities.
The Contractor shall develop an analysis (failure analysis and assessment) in
order to determine which Reliability requirements are applicable for each LRU.
Overall Availability Requirements
The overall Availability of a system whose failure would be significant shall
not be less than 0.9999.
The overall Availability of a system whose failure would be major shall not be
less than 0.9995.
The overall Availability of a system whose failure would be minor shall not be
less than 0.999.
Failure of a single item shall not cause failure of the overall system
The Contractor shall develop a FMEA analysis (RAM analysis and assessment) in
order to determine which Availability requirements are applicable for each
equipment.

Overall Maintainability Requirements

Means of failure detection shall be defined: power-up self test, continual
background test, requested self test etc.
The Contractor shall present a complete list of preventative maintenance
recommendations for each type of equipment supplied.
More specific Maintainability Requirements whose applicability has to be defined
because depending on each type of equipment are presented:
.
The equipment whose failure would be significant or major shall be installed, so
that removal and replacement of each of its LRUs can be achieved within 30
minutes
.
The equipment whose failure would be minor shall be installed, so that removal
and replacement of each of its LRUs can be achieved within 60 minutes
The Contractor shall develop a FMEA analysis (failure analysis and assessment)
in order to determine which maintainability requirements are applicable for each
equipment.
Spare Part Requirements
Replacement of a LRU shall not require the equipment to be powered down
Spare parts shall be interchangeable with their corresponding part
An adequate supply of spare parts shall be available for at least 10 years from
completion of the works.
The Contractor shall undertake to notify the Client in advance of the intended
cessation of spares Availability
Spares for repairable items shall be supplied and quantities shall be determined
from in agreement with the Client
Spares for consumables and non-repairable items shall be supplied for three
years of maintenance and quantities shall be determined in agreement with the
Client
Generic name, trade name, description, drawing references and correlation with
the maintenance manuals shall be provided.

Software Assurance

The ATC system shall be assigned with an overall SIL 4 level implying at least:
All corresponding requirements as per EN50128 standard shall be fully
considered.
The Contractor shall propose, and undertake if approved by the Engineer, a
software development life cycle based on those proposed in the EN50128 standard.
.
The Contractor documentation shall necessarily include:
- Software Safety Plan Software
- Quality Assurance Plan
- Software safety case
The Contractor may apportion some part of the systems with inferior SIL levels
after safety analysis to be approved by the Engineer.

Performance Requirements

General
The contractor shall determine the theoretical minimum travel times between
terminus stations using 20 seconds dwell time at each intermediate stations,
tightest acceleration figures with propulsion limited to passenger comfort
constraints, and nominal service brake rates. The contractor shall submit the
minimum run time determination report, which shall include simulations and all
assumptions, for approval.
The ATC system shall contribute no more than 3% to the theoretical minimum run
time established in the minimum run time determination report (as described
above)The ATC contribution to the run time shall include, but not be limited to
delays in initiating trains start from a station after door closed status is
established, ATP determination process for safety, headway and other
requirements; the resolution of speed commands, the tolerances between ATO and
ATP profiles to ensure that a train does not normally exceed the ATP profile,
passenger comfort constraints, train position resolution constraints, system
response times, for trackside equipment, on board equipment and combination of
both; communication delays in all communication links, and constraints on the
station stopping profile to ensure the stopping accuracy and profile coherence
required by this specification. The above ATC tolerances and response times
shall be defined by the contractor for approval.
Design Headways
The ATC system shall provide the closest feasible safe operating headways for
equipped trains in normal directions, on all track supporting passenger service
and terminus operations (including intermediate terminus)
The design headway shall be such as to allow an operational headway of 90
seconds for a station dwell time of 20 seconds.
Trackside ATC equipment lay-out and installation shall be dimensioned in
coherence with train characteristics and performances, with possibilities for an
upgrade in train length.
The achievable design headway shall be determined by the time required by for
safe braking, station dwells and other physical parameters, plus a maximum
allowance for all ATC system latencies and tolerances, including ATS, ATC, and
wayside signalling and communication equipment of 3 seconds.
The ATC system contribution to headway shall include, but not be limited to;
delays in initiating trains start from a station after door closed status is
established; ATP profile determination process for safety, headway and other
requirements of this specification; the resolution of speed commands, the
tolerances between ATO and ATP profiles to ensure that a train does not normally
exceed the ATP profile, passenger comfort constraints, train position resolution
constraints, system response times, for trackside equipment, on board equipment
and combination of both; communication delays in all communication
links, and constraints on the station stopping profile to ensure the stopping
accuracy and profile coherence required by this specification. The above ATC
tolerances and response times shall be defined by the contractor for approval.
The design headway shall be calculated based upon normal operation of a
preceding train not interfering with the performance of a following train.

The contractor shall determine the variation (reduction) in headway that the ATC
system supports against a reduction in train speed, due to leading trains
interfering with the operation of following train(s). The contractor shall
submit an analysis of headway against train speed for approval.
Operating Headway
The target scheduled peak service operating headway is 90 seconds.
The ATC system shall support a full service operating at the minimum design
headway at any point on the line with no degradation of system performance.
Reductions in headway shall be achievable through changes to schedule according
available ATS strategies, including increase to the operating train fleet.
Train Performance Parameters
A maximum operating speed for trains of 90 km/hour shall be enforced by the ATC
system.
The ATC system shall be capable of commanding a variety of braking rates from
the brake subsystem in order to meet different speed profiles required to meet
the performance and functional required to meet the performance and functional
requirements of these specifications.
The Contractor shall determine the safe braking model for the ATC system, which
shall be submitted for approval.
The design life of all ATC equipment in service shall be 20 years
ATC shall provide automatic station stopping. ATO station stops shall be
accurate within:
+/- 0.25 metres of the designated stop location at least 99.90 % of the time.
+/- 0.5 metre of the designated stop location at least 99.99 % of the time.
Document submittal recapitulation:
Minimum run time determination report
ATC system tolerances and response times
Analysis of headway against speed
Safe braking model.
Stop Now function. The time between the OCC initiating the command at the ATS
workstation, and the on board ATC commanding the application of the brakes shall
be of less than 3 seconds.
The time necessary to the initialization of a sub-system (trackside ATC, on
board ATC, interlocking, track to train transmission, train detection) shall be
as short as possible and no greater than 40 seconds
Temporary speed reduction area resolution: less than 250 meters.
The Contractor shall outline any significant variance from the usual parameters
of IEEE standard 1474
ATC performance target.
System Performance Safety Requirements
Achievement of System Safety is a primary design and performance requirement for
the for the ATC system, which must perform in a safe manner under all operating
conditions.
Safety performances are dealt with in the safety section of the present
document. The two following points can however be outlined.

Qualitative Safety Requirements

The Contractor shall accomplish the design and implementation of the ATC system
including the development of procedures and other means in such a manner to
assure:
the system safely performs the correct safety critical functions within the
normal range of input and other operating conditions and with no component
failures. This includes showing to the extent reasonably possible that the
system is free of unsafe systematic failures those failures which can be
attributed to human error that could occur throughout the design/implementation
process and result in an unsafe condition. This also requires that all
applicable hazards are shown, in the Hazard Log to be eliminated or having their
associated risks mitigated to acceptable levels.
.
the system performs the correct safety critical functions in a fail-safe manner
under conditions of hardware failure with normal input and operating conditions.
This requires that all hazards associated with the design implementation are
shown, via the Hazard Log, to be eliminated or have their associated risks
mitigated to acceptable levels.
.
the system performs the correct safety critical functions in a fail-safe manner
under conditions of hardware failure with normal input and operating conditions.
This requires that all hazards associated with the design implementation are
shown, via the Hazard Log, to be eliminated or have their associated risks
mitigated to acceptable levels.
.
the system performs the correct safety critical functions under conditions of
abnormal/improper inputs and other external influences such as electrical,
mechanical and environmental factors as specified in these Technical
Specifications.
This requires that all applicable hazards are shown, via the Hazard Log, to be
eliminated or having their associated risks mitigated to acceptable levels.
Safety-critical functions are those cited in these Technical Specifications and
those identified by performing the required safety analysis activities.
During normal ATC operating, system safety shall not depend on the correctness
of actions taken or procedures used by operation personnel.
Procedures shall not be considered a substitute for safety functions that are to
be vested in specific components, equipment, or facilities. The impact of the
safety of processes and procedures which relate to the ATC project installation
shall be analyzed as part of the system safety plan.
Quantitative System Safety Requirements
The achievement of system safety requires that the ATC system as installed
provide an adequate level of safety assurance.
The Contractors design and implementation of the ATC system, including the
development of hazard mitigation procedures and other means, shall provide a
quantitative level of safety such that any single, independent hardware,
software or communication failure, or any combination of such failures, with the
potential of causing death or severe injury to customers or staff, shall not
occur with a frequency greater than once per 10-9 system operating hours. This
shall be expressed as the Mean Time Between Hazardous Events (MTBE) or THA
Tolerable Hazard Rate. System operating hours is defined as the time that the

system is operating (24 hours a day in normal operation) This safety requirement
includes contributions from random hardware failures, systematic failures due to
human error, and procedural and other means employed to ensure safety.
Failure Management
General
This section details the requirements for the mitigation of the impact on
operations of ATC system and equipment failures.
The ATC system shall provide graceful degradation of performances, i.e. the loss
or degradation of functions due to equipment failure shall aim the system
towards a progressive, coherent and controlled shutdown, providing maintenance
staff with the necessary time and information to reverse back to full
system availability.
Failure Detection
The ATC shall include appropriate maintenance and diagnostic provisions to
detect and react to equipment failures. This shall include remote diagnostics at
the maintenance facility and at the OCC, the ability to remotely interrogate
trackside and on board equipment from these facilities, along with fault
displays for troubleshooting and the timely identification of failed components
and functions.
Failure Assessment
The ATS function shall include routines for assessing and establishing
recommended responses to detected failures.
Operating procedures and regulations shall govern the staff reactions in
function of the type of failures, (remote or local reset, automatic rescue,
manual driving, passenger evacuation etc).
Train Failures
This section summarizes the requirements for ATC response to train failures.
Train Doors Failure
Primary responsibility to detect and respond to train door failures,
specifically failures which result in a loss of door closed status, shall remain
with the train subsystems (rolling stock)The on board ATC equipment shall
monitor door closed status. Loss of closed door status shall trigger emergency
braking. In manual degraded mode, loss of closed door status shall result in a
visual alarm on the driving panel display.

Brake Failures
Primary responsibility for the detection and response to brake subsystem
failures shall remain with the train subsystems. Also, on board ATC shall
account for brake system failures, either resulting from brake alarms provided
by the rolling stock subsystems, or resulting from train braking performance
monitored by ATC processing.
Loss of Train Integrity
Any loss of train continuity (unscheduled train splitting) shall be detected by
train subsystems that should initiate an emergency brake application. The on
board ATC equipment shall report the event to the trackside and OCC equipment.
The ATC system shall prevent movement authorities from being issued to
other trains in the pull out area. The pull apart area shall extend from the
last known location of the rear of the train prior to the splitting up to the
train movement authority limit.
The ATS function shall alarm and log the event and notify the OCC. On board ATC
equipment shall be able to report to the ATS that a splitting has been corrected
and the train is ready to proceed. Trackside and central ATC equipment shall
allow the train to resume operations after a train splitting is fixed.
Automatic Train Rescue Operation
It shall be possible for a train to be coupled to an immobilized train in order
to push/pull the train to the next station and/or back to the depot. The ATC
train detection shall track the rescue operation and the rescued trains.
Failures which Prevent On board ATC Equipment Receiving Updated Authorities
Failures which prevent on board ATC equipment receiving updated movement
authorities include communication equipment failures and complete local
trackside ATC failures.
When a train is in operation (depot or mainline) and the on board detects that
it is no longer able to receive authorities from the trackside, the train is
automatically brought to stop within the ATP safety speed profile.
Upon restoration of data communications with the local trackside ATC, dialog
between the on board and trackside ATC shall resume in order to establish the
correct actual train location along with its updated movement authority.
Failures which Prevent the On board ATC from Determining Train Location.
In the event of complete onboard failure, loss of location tracking capability,
or other serious failure, the ATC equipment shall release the emergency brake.
The on board ATC equipment shall also cease to communicate with other train
subsystems, except for diagnostic information, and shall cause a loss of
enable signal to the propulsion system.
To recover from a failure, the on board ATC system may be either be reset and
reinitialized remotely from OCC or locally from the train driving control panel,
depending on the operating rules and regulations.
If the reset is successful, train position shall be established by the ATC
system. OCC and train driving control panel shall have an indicator informing of
the successful reset. The resume of normal train operation shall then be enabled
by a command either originating from OCC or a local agent on board.
In case the recovery of the on board ATC functions does not allow the resumption
to a safe and normal operation. It shall also be possible to select the
restricted manual driving mode from the train driving control panel.

Failures which Prevent Local Trackside ATC from Advancing a Movement Authority
Failures which prevent the local trackside ATC from advancing the movement
authority to a train include elementary track portion train detection failures,
or unexpected track portion occupancy, switch status failures, or unexpected
switch status change, and failures o receive updated location reports from the
train ahead.
Under these failure modes, the trackside ATC shall pull-back the movement
authority limit to a train to the location of the failure, if necessary.