Designed-in Logic to Ensure Safety of Integration and Field Engineering of Large Scale CBTC Systems
Author: Fenggang Shi


Contents
- Introduction
- Safety Concerns in CBTC Signaling System Integration and Migration
- Systematic Approach to Designing Safety Features for Integration and Migration
- Expected Safety Features in CBTC Designs to Prevent Field Integration Hazards
- Conclusion

Signaling Systems and Projects
- Advanced signaling systems automate train operations as far as possible so that urban rail transit systems:
  - minimize the chance that human control errors contribute to hazards
  - reduce the operational delays caused by human operation
- As the world's population keeps rising and more people live in cities, the result is:
  - green field projects: signaling for new tracks
  - brown field projects: replacing or overlaying existing signaling systems with more advanced systems
- Signaling projects have demanding schedules and complicated field engineering conditions, which raise significant challenges for system integration safety

Challenging Integration and Migration of CBTC Systems
- Communications-Based Train Control (CBTC) signaling systems use the most advanced computer and communication network technology to offer:
  - Driverless Train Operation (DTO) systems
  - Unattended Train Operation (UTO) systems
- Field integration and migration schedules (multiple-step transitions of field engineering) raise significant safety management challenges:
  - Complicated designs for advanced functions and 99.999% availability, with many devices in different geographic locations
  - Complicated integration testing: functional tests with intensive interactions between many controllers and devices
  - Frequent cut-over, multiple-step transitions or mixed operations

Designed-in Safety Features to Support Field Engineering
- CBTC field integration and migration are safety critical
- Various hazardous conditions can arise from combinations of people working on the track and train movement in a partially integrated system
- Defects in procedures and their execution can lead to accidents: train derailments or collisions, and injuries or fatalities of field personnel
- Re-signaling projects are much more challenging than new projects regarding the field engineering safety of CBTC system integration, cut-over and migration
- Designing the necessary and effective safety features for managing the hazards of CBTC field integration and migration needs a systematic approach


Needs of New Features for CBTC System Integrations
- CBTC system suppliers have historically focused on making systems safe for train operation and paid less attention to designing safety features for field engineering
- No standards oblige suppliers to design safety features into signaling systems to facilitate field safety
- Designing safety features for engineering adds development cost
- Traditional procedure-based field safety management cannot handle the challenges associated with:
  - The increased complexity of CBTC systems, which makes integration steps much more complicated than before
  - The various field integration and migration scenarios imposed by customers, aggressive project schedules and frequent switch-over between the existing systems' operation and new system integration

Complexity of CBTC Systems
- Automatic Train Supervision (ATS): central and local (more than 10) locations
- Zone Controller (ZC): about 10 zones or more per system
- Vehicle Onboard Controller (VOBC) on each train: about 100 trains
- Data communication networks and signal links

Hazards in Field Engineering
- Hazard 1: High speed train movement intruding into a trackside work zone
- Hazard 2: Train movement over a moving or unlocked switch
- Hazard 3: Unintended train movement leaving the integration testing area
- Hazard 4: Unexpected interactions between a certified service zone controller and a zone controller under testing
- Hazard 5: CBTC controllers under integration intruding into legacy system service operation, which may compromise the legacy signaling train separation functions
- Hazard 6: Legacy system intruding into the CBTC integration, which can cause conflicting switch control and derail a CBTC test train


Objectives of Developing Safety Features
- Safety features must meet field engineering safety needs:
  - simplify field safety management procedures
  - prevent, or reduce the risk of, hazards associated with system integration
- These safety features are expected to become part of the CBTC system's safety properties, usable in the final system for managing special operation needs and maintenance scenarios

Systematic Approach for Developing Safety Features
- The systematic approach to developing these safety features follows the safety engineering process:
  - Perform hazard analysis: identify the hazards in possible engineering activities across the various integration scenarios and environmental conditions of system integration and migration
  - Based on the hazard mitigations, specify safety features as requirements for hardware and software, and define the instructions needed for using these features
  - Validate and demonstrate the safety features in both in-house and field testing to ensure they correctly support field system integration and testing

Possible Hazard Contributors
- For each hazard (Hazard 1 to Hazard 6), the hazard analysis aims to identify all contributors from:
  - Hazardous conditions from external factors, which may exist in the customer's requirements and in the field engineering constraints for system integration and commissioning
  - Possibly incomplete validation of interlocking routes, which may result in a train traversing an unlocked switch during integration testing and subsequently derailing
  - Unexpected behavior or conditions in controller interactions in a partially integrated system configuration
  - Defects in the integration strategy, which may lead to a hazardous integration sequence

Control Zone based Integration and Hazard Analysis
- An effective integration strategy is incremental, proceeding control zone by control zone:
  - Control zone internal integration: all devices and controllers in the zone are integrated while the zone under integration is isolated from its neighboring zones
  - Control zone interface integration: once two neighboring zones have completed their internal integration, the interface between them is integrated to confirm CBTC train functions
- Categorizing the hazard conditions helps design effective safety features:
  - Hazards associated with the internal integration of a zone
  - Hazards associated with the zone interface during integration and migration of any two zones


Practice of Designing Safety Features in Product
- Review previous CBTC projects to learn the integration challenges of future CBTC systems
- Apply the systematic approach to analyze the current projects' integration plans and the field engineering scenarios predicted for future projects
- Identify hazards and their mitigations in the context of zone-by-zone integration
- Design the hazard mitigations into the integration logic of the CBTC product under design
- Validate the integration logic and safety features as designed-in properties of the CBTC product, which can be customized for managing various integration and migration scenarios

Safety Features For Zone Internal Integration (1)
- Work Zone Protection: prohibits a train in automatic mode from entering a work zone. This mitigates Hazard 1
- Automatic Train Mode Inhibit Zone: enforces that a train travels through a specified zone only in manual operation mode. This further mitigates Hazard 1
- Operator Switch Lock: lets the operator lock a switch in a specific position so that no other switch move request can move it to the other position, and permits only a manual train route through it. This is designed to mitigate Hazard 2

Safety Features For Zone Internal Integration (2)
- Operator Switch Blocking: lets the operator block any switch movement command and prevents any movement authority from being granted over the blocked switch. This mitigates Hazard 2 and Hazard 3
- Lock a Signal on Red: locks a signal at Red even when its permissive condition is true. This feature is intended to prevent a manually driven train from moving into a work zone, and can also be used to enforce the ends of the testing area. It mitigates Hazard 3, and also Hazard 4 by locking the boundary entry signal of a service zone to Red to prevent any train entry

Safety Features For Zone Internal Integration (3)
- Close Tracks: prevents CBTC train movement to or within the closed tracks. This feature can be used to manage emergency situations encountered during integration testing, and further mitigates Hazard 3 and Hazard 4 by closing the boundary tracks of the testing zone
- Temporary Speed Restriction (or Go Slow Zone): enforces a lower speed for CBTC-controlled trains within a specific track zone during integration. This mitigates Hazard 1 by setting a lower speed on top of a work zone protection, and Hazard 3 by setting zero speed on the end tracks of a testing area
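The seven zone-internal features above all act at the same point: where the zone controller decides how far, and at what speed, a train's movement authority may extend. The following is an added example (not code from the presentation or from any CBTC product) that models that decision on a simplified, constructed track layout; the segment flags, the switch states, the `Mode` enum and the stopping reasons are all assumptions chosen to mirror the feature names on the slides. It also shows why Work Zone Protection and Lock a Signal on Red exist side by side: the first only stops an automatic-mode train, so the signal lock is what stops a manually driven one.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    AUTOMATIC = "automatic"  # DTO/UTO: the VOBC drives under ZC authority
    MANUAL = "manual"        # driver drives; the ZC still issues the authority


@dataclass
class Segment:
    """One track segment; the flags are the operator-set safety features (assumed model)."""
    name: str
    length_m: float
    work_zone: bool = False              # Work Zone Protection
    atm_inhibit: bool = False            # Automatic Train Mode Inhibit Zone
    closed: bool = False                 # Close Tracks
    tsr_kmh: Optional[float] = None      # Temporary Speed Restriction (0 = stop here)
    switch: Optional[str] = None         # name of a switch lying in this segment
    entry_signal: Optional[str] = None   # signal protecting entry to this segment


@dataclass
class SwitchState:
    locked: bool = False   # Operator Switch Lock: position frozen, manual routes only
    blocked: bool = False  # Operator Switch Blocking: no movement authority at all


@dataclass
class Constraints:
    switches: dict = field(default_factory=dict)         # switch name -> SwitchState
    red_locked_signals: set = field(default_factory=set) # Lock a Signal on Red
    line_speed_kmh: float = 80.0


@dataclass
class Authority:
    end_m: float                 # how far from the train the authority extends
    profile: list                # (segment name, permitted km/h) per authorised segment
    stop_reason: Optional[str]   # feature that ended the authority, None if track end


def entry_refusal(seg: Segment, mode: Mode, c: Constraints) -> Optional[str]:
    """Return the feature that forbids entering `seg`, or None if entry is allowed.
    Mode-independent features are checked first so the reported reason is the
    one that applies to every train; the last three bind automatic mode only."""
    if seg.entry_signal in c.red_locked_signals:
        return f"signal {seg.entry_signal} locked on Red"
    if seg.closed:
        return f"track {seg.name} closed"
    if seg.tsr_kmh == 0:
        return f"zero-speed TSR at {seg.name}"
    sw = c.switches.get(seg.switch) if seg.switch else None
    if sw and sw.blocked:
        return f"switch {seg.switch} blocked"
    if mode is Mode.AUTOMATIC:
        if seg.work_zone:
            return f"work zone protection at {seg.name}"
        if seg.atm_inhibit:
            return f"automatic mode inhibited at {seg.name}"
        if sw and sw.locked:
            return f"switch {seg.switch} locked: manual route only"
    return None


def compute_authority(track: list, start: int, mode: Mode, c: Constraints) -> Authority:
    """Extend the authority segment by segment from index `start` until a feature refuses entry."""
    end_m, profile = 0.0, []
    for seg in track[start:]:
        reason = entry_refusal(seg, mode, c)
        if reason:
            return Authority(end_m, profile, reason)
        speed = c.line_speed_kmh if seg.tsr_kmh is None else min(c.line_speed_kmh, seg.tsr_kmh)
        profile.append((seg.name, speed))
        end_m += seg.length_m
    return Authority(end_m, profile, None)


# Constructed test-area layout (not a real line): a 25 km/h TSR on B, a work zone
# on C protected by signal S3, a switch W1 in D, and track E closed as the area end.
TRACK = [
    Segment("A", 200),
    Segment("B", 150, tsr_kmh=25),
    Segment("C", 100, work_zone=True, entry_signal="S3"),
    Segment("D", 100, switch="W1"),
    Segment("E", 50, closed=True),
]


def demo() -> dict:
    """Same layout, three operator configurations; returns the authority computed for each."""
    base = Constraints()
    auto = compute_authority(TRACK, 0, Mode.AUTOMATIC, base)
    manual = compute_authority(TRACK, 0, Mode.MANUAL, base)
    # Work Zone Protection does not stop a manually driven train, so the operator
    # additionally locks the signal protecting the work zone on Red.
    guarded = Constraints(red_locked_signals={"S3"})
    manual_guarded = compute_authority(TRACK, 0, Mode.MANUAL, guarded)
    return {"auto": auto, "manual": manual, "manual_guarded": manual_guarded}


if __name__ == "__main__":
    for label, ma in demo().items():
        print(f"{label:15} authority ends at {ma.end_m:5.0f} m ({ma.stop_reason}) {ma.profile}")
```

Running the block prints the three authorities: the automatic-mode train is held at 350 m by the work zone, the unguarded manual train runs 550 m to the closed track, and the manual train with S3 locked on Red is held at 350 m like the automatic one. Real CBTC authorities also account for braking curves and train length; this model deliberately leaves those out to isolate the feature logic.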

Objectives of Integration between Zones
- Crossing border route interlocking: all routes crossing a ZC-ZC border have interlocking logic, and the authorization of each route in the hand-over zone (the departure zone) has the precondition that the take-over zone (the destination zone) has already locked and authorized the portion of the route in its territory. This ensures safe train traversal across the zone boundary
- Train hand-over and take-over on crossing border routes: CBTC-controlled trains and manual trains passing through the zone boundary
- Crossing border route cancellation interlocking: if the operator cancels a crossing border route, the take-over zone may cancel its portion of the route only once the hand-over zone has completed its cancellation. This ensures that a train approaching or already on the route has stopped before the route is cancelled

Safety Features For Integration between Zones (1)
- Use of the zone-internal safety features in the boundary track area: the border area can be managed by setting a Temporary Speed Restriction and an Automatic Train Mode Inhibit Zone there
- Closing a border: closes a specific border between a control zone and its neighboring zone, preventing any train from going to the neighboring zone and prohibiting train entry from the neighboring zone into its territory. This feature can be used in the service zone controller with safety confidence to mitigate Hazard 4

Safety Features For Integration between Zones (2)
- Prohibit collaboration with another zone controller: tells a revenue-operation zone controller not to base train detection and tracking decisions on any information from a neighboring zone controller under integration and testing. This prevents a tracking error in the testing zone for a train crossing the border from causing a failure to detect a non-communicating train entering the revenue zone. This mitigates Hazard 4
- Crossing border route cancellation interlocking: if the operator cancels a crossing border route, the take-over zone may cancel its portion of the route only once the hand-over zone has completed its cancellation. This ensures that a train approaching or already on the route has stopped before the route is cancelled
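The two ordering rules for crossing border routes (take-over portion authorized before hand-over portion; hand-over portion cancelled before take-over portion) and the two border features (Closing a border, Prohibit collaboration) are easiest to see as a small two-controller protocol. The following is an added example, not code from the presentation or any product: the `ZoneController` state, the `RouteState` names, the occupancy report format and the "treat as non-communicating" fallback are assumptions made to illustrate the slides' rules, and the route and train identifiers are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class RouteState(Enum):
    IDLE = "idle"
    AUTHORISED = "authorised"   # our portion is locked and a movement authority is issued
    CANCELLING = "cancelling"   # cancel requested; waiting for the approaching train to stop


@dataclass
class ZoneController:
    """Assumed minimal ZC state for the border rules (not a real controller model)."""
    name: str
    closed_borders: set = field(default_factory=set)    # neighbours to which the border is closed
    no_collaboration: set = field(default_factory=set)  # neighbours whose tracking reports are ignored
    portions: dict = field(default_factory=dict)        # route -> RouteState of our portion
    approaching: dict = field(default_factory=dict)     # route -> train approaching/on our portion

    def state(self, route: str) -> RouteState:
        return self.portions.get(route, RouteState.IDLE)

    def lock_and_authorise(self, route: str, towards: str) -> bool:
        """Lock our portion and issue authority; refused if the border towards `towards` is closed."""
        if towards in self.closed_borders:
            return False
        self.portions[route] = RouteState.AUTHORISED
        return True

    def request_cancel(self, route: str) -> None:
        if self.state(route) is RouteState.AUTHORISED:
            self.portions[route] = RouteState.CANCELLING

    def complete_cancel_if_clear(self, route: str) -> bool:
        """A portion under cancellation is released only once no train approaches or occupies it."""
        if self.state(route) is RouteState.CANCELLING and self.approaching.get(route) is None:
            self.portions[route] = RouteState.IDLE
        return self.state(route) is RouteState.IDLE


def set_crossing_border_route(handover: ZoneController, takeover: ZoneController,
                              route: str) -> Optional[str]:
    """Set a route from the hand-over (departure) zone into the take-over (destination) zone.
    Returns None on success, otherwise the reason the interlocking refused."""
    takeover.lock_and_authorise(route, towards=handover.name)  # may refuse: border closed
    # Hand-over side precondition: the take-over portion must already be authorised.
    if takeover.state(route) is not RouteState.AUTHORISED:
        return f"refused: {takeover.name} has not authorised its portion of {route}"
    if not handover.lock_and_authorise(route, towards=takeover.name):
        return f"refused: {handover.name} border towards {takeover.name} is closed"
    return None


def cancel_crossing_border_route(handover: ZoneController, takeover: ZoneController,
                                 route: str) -> Tuple[RouteState, RouteState]:
    """One cancellation step; call again as occupancy changes. The take-over zone
    starts cancelling only after the hand-over zone's cancellation has completed."""
    handover.request_cancel(route)
    if handover.complete_cancel_if_clear(route):
        takeover.request_cancel(route)
        takeover.complete_cancel_if_clear(route)
    return handover.state(route), takeover.state(route)


def border_occupancy(revenue: ZoneController, neighbour: str, report: Optional[dict]) -> str:
    """Revenue ZC's tracking decision when its border track shows occupied. `report` is the
    neighbour's claim about which train is crossing. With collaboration prohibited the claim
    is discarded and the occupancy is treated as a non-communicating train (fail-safe)."""
    if neighbour in revenue.no_collaboration or not report or not report.get("communicating"):
        return "non-communicating"
    return f"communicating:{report['train']}"


def demo() -> dict:
    zc1, zc2 = ZoneController("ZC1"), ZoneController("ZC2")   # ZC1 hands over to ZC2
    out = {"set": set_crossing_border_route(zc1, zc2, "R12")}
    zc1.approaching["R12"] = "T1"                              # constructed: T1 approaching in ZC1
    out["cancel_step1"] = cancel_crossing_border_route(zc1, zc2, "R12")
    zc1.approaching["R12"] = None                              # T1 has stopped and cleared
    out["cancel_step2"] = cancel_crossing_border_route(zc1, zc2, "R12")
    zc2.closed_borders.add("ZC1")                              # Closing a border in ZC2
    out["set_closed"] = set_crossing_border_route(zc1, zc2, "R12")
    out["report_trusted"] = border_occupancy(zc2, "ZC1", {"train": "T9", "communicating": True})
    zc2.no_collaboration.add("ZC1")                            # Prohibit collaboration with ZC1
    out["report_ignored"] = border_occupancy(zc2, "ZC1", {"train": "T9", "communicating": True})
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The first cancellation step leaves ZC1 in `CANCELLING` and ZC2 still `AUTHORISED` because T1 is approaching; only the second step, after T1 has stopped, releases both portions in order. Closing the border makes ZC2 refuse to authorize its portion, which the hand-over check in ZC1 then turns into a refusal of the whole route, and with collaboration prohibited the same occupancy report that was previously trusted is discarded in favour of the conservative non-communicating classification.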

Safety Features For Integration between Zones (3)
- Safety features mitigating Hazard 5 and Hazard 6 are designed for managing cut-over between the legacy system and the CBTC system under integration:
  - Cut-over Box in a control zone: a vital hardware mechanism that switches trackside device control exclusively between the CBTC system and the legacy signaling system
  - Cut-over switch for a train: a vital switch circuit that switches the train to be controlled exclusively either by the legacy system's controller or by the VOBC of the CBTC system

Using Safety Features in Current Projects
- Based on our practice in the integration and migration of several CBTC systems, the designed-in safety features have demonstrated their effectiveness in:
  - Mitigating hazards associated with system integration and migration
  - Reducing the field integration schedule risk on these projects, because these features significantly simplify field safety procedures

Conclusion
- Integration of a large-scale safety-critical system such as a CBTC system has hazards of its own, which need mitigation by safety features designed into the system
- Developing these safety features needs a systematic approach to ensure they are designed in as an important part of the system integration logic
- Safety features developed with the systematic approach can enhance the safety of:
  - System integration and testing
  - Failure management in the final system

Many thanks for your attention