ANNEXURE-1A  Overall Detailed Design Safety Case – KMRC-24025-04-1

Kolkata Metro Rail Corporation Ltd.
Kolkata East-West Metro Rail Project

Contract: Design, Manufacture, Supply, Installation, Testing, and Commissioning of Control and Signalling, Telecom, and Low Current Systems for Kolkata E-W Metro Rail Project, KMRCL/CE/S&T/01/2011

Contractor: Ansaldo STS Consortium, No. 35, SLV Complex, AVS Compound, 4th Block, 80 Feet Road, Koramangala, Bangalore 560 034, India

Document Title: Overall ATC Detailed Design Safety Case
Document Number: KMRC-24025
Revision: 04 (Fourth Revision), 14-Apr-2019
File: KMRC-24025-04-0.docx

Approval, ATC System Integrator: Debasish Biswas
Approval, Project Engineer: N.S Deo
Approval, Project Director: Sujit Kumar Ghosh

Page 1 of 85

Kolkata East-West Metro Rail Project
Overall ATC Detailed Design Safety Case
Document Number KMRC-24025, Revision 04

Document Revision History

Rev  Date         Author(s)      Nature of Revision   Previous Correspondence
01   18-Jan-2019  Shamik Haldar  First Version        Not Applicable
02   31-Jan-2019  Shamik Haldar  Second Version       Updated to suit ISA comments in tracking log_09 dated 24.01.19
03   19-Feb-2019  Shamik Haldar  Third Revision       Change in reference document version numbers
04   14-Apr-2019  Shamik Haldar  Fourth Revision      ISA Draft Detailed Design Safety Report

Author: Shamik Haldar
Checker: Amit Srivastava
QA: Thrithe Prasad Maligee
ATC System Integrator: Debasish Biswas

© 2019 Ansaldo STS Consortium. All Rights Reserved. THIS DOCUMENT AND ITS CONTENTS ARE THE PROPERTY OF ANSALDO STS CONSORTIUM, FURNISHED TO YOU ON THE FOLLOWING CONDITIONS: (1) NO RIGHT OR LICENSE UNDER ANY PATENTS OR ANY OTHER PROPRIETARY RIGHT IN RESPECT TO THIS DOCUMENT OR ITS CONTENTS IS GRANTED OR CONVEYED BY ANSALDO STS CONSORTIUM, TRANSMITTING THIS DOCUMENT AND ITS CONTENTS TO YOU, NOR SHALL SUCH TRANSMISSION CONSTITUTE ANY REPRESENTATION, WARRANTY, ASSURANCE, GUARANTY OR INDUCEMENT BY ANSALDO CONSORTIUM. WITH RESPECT TO INFRINGEMENT OF PATENT OR ANY OTHER PROPRIETARY RIGHT OF OTHERS, UNLESS OTHERWISE AGREED BY THE PARTIES IN THE CONTRACT TO WHICH THE PROPRIETARY RIGHTS REFER TO. (2) THIS DOCUMENT OR ITS CONTENTS ARE NOT TO BE USED OR TREATED IN ANY MANNER INCONSISTENT WITH THE RIGHTS OR INTERESTS OF ANSALDO STS CONSORTIUM, OR TO ITS DETRIMENT AND ARE NOT TO BE COPIED, REPRODUCED, DISCLOSED TO OTHERS, OR DISPOSED OF EXCEPT WITH PRIOR WRITTEN CONSENT.

Kolkata East-West Metro Rail Project

Table of Contents

1 INTRODUCTION .......... 7
1.1 Purpose .......... 7
1.2 Applicability .......... 8
1.3 Reference Documents .......... 8
1.3.1 Contract Documents .......... 8
1.3.2 Ansaldo STS Submittals .......... 9
1.3.3 Guidelines and Standards .......... 11
1.3.4 Internal Standards .......... 12
1.4 Description of Changes from Previous Revision .......... 12
1.5 Acronyms, Terms, and Definitions .......... 13
1.5.1 Terms .......... 13
1.5.2 Acronyms and Abbreviations .......... 15
2 PROJECT DESCRIPTION .......... 18
2.1 Introduction .......... 18
2.2 Overview .......... 19
2.3 Wayside ATC System .......... 23
2.3.1 Wayside Equipment Rooms .......... 23
2.3.2 Station Platforms .......... 24
2.3.3 Depot .......... 24
2.3.4 LATS .......... 24
2.3.5 Trackside-Mounted Devices .......... 24
2.4 Vehicle ATC System .......... 25
2.5 IXL Subsystem .......... 26
2.5.1 IXL General Functions .......... 28
2.5.2 IXL Application Overview .......... 28
2.5.3 Data Preparation Process .......... 28
2.6 Interaction with CBTC System .......... 29
2.7 CBTC Subsystem .......... 29
2.7.1 Core CBTC Breakdown .......... 29
2.7.2 CBTC Data Preparation Process .......... 31
3 QUALITY MANAGEMENT REPORT .......... 32
3.1 Quality Planning and Procedures .......... 32
3.2 Quality Organization .......... 33
3.2.1 ASTS Quality System .......... 34
3.2.2 Quality Audits and Inspection .......... 38
3.3 Specification of Requirements .......... 38
3.4 Design Control .......... 38
3.5 Design Verification and Review .......... 39
3.6 Application Engineering .......... 39
3.7 Procurement and Manufacture .......... 39
3.8 Product Identification and Traceability .......... 39
3.9 Handling and Storage .......... 40
3.10 Inspection and Testing .......... 41
3.11 Non-Conformance and Corrective Action .......... 41
3.12 Packaging and Delivery .......... 42
3.13 Installation and Commissioning .......... 43
3.14 Operation and Maintenance .......... 44
3.15 Quality Monitoring and Feedback .......... 44
3.16 Documentation and Records .......... 44
3.17 Configuration Management / Change Control .......... 45
3.18 Personnel Competency and Training .......... 45
3.19 Decommissioning and Disposal .......... 45
4 SAFETY MANAGEMENT REPORT .......... 46
4.1 Safety Life Cycle .......... 46
4.2 Safety Organisation .......... 47
4.3 Safety Plans .......... 48
4.4 Hazard Log .......... 48
4.5 Safety Requirement Specification and Traceability .......... 51
4.6 System Design .......... 53
4.7 Safety Verification and Validation .......... 53
4.8 External Safety Reviews .......... 55
4.9 External Safety Audit .......... 55
4.10 Safety Justification .......... 55
4.11 System Handover .......... 57
4.12 Operation and Maintenance .......... 57
4.13 Decommissioning and Disposal .......... 58
5 TECHNICAL SAFETY REPORT .......... 59
5.1 Introduction .......... 59
5.2 Assurance of Correct Functional Operation .......... 59
5.3 System Architecture Description .......... 59
5.3.1 Definitions of Interfaces .......... 60
5.3.2 Fulfillment of System Requirements Specification .......... 62
5.3.3 Fulfillment of Quantitative Safety Requirements .......... 63
5.3.4 Safety Integrity Level Allocation and Demonstration Process .......... 63
5.3.5 Demonstration of Safety Quantitative Targets .......... 65
5.3.6 SF 1: Train Location Determination .......... 71
5.3.7 SF 2: Limit of Safe Movement Protection .......... 72
5.3.8 SF 3: Supervise/Enforce Authorized Speed .......... 73
5.3.9 SF 4: Train Door Control Interlocks .......... 74
5.3.10 SF 5: PSD Control Operation .......... 75
5.4 Demonstration of the Safety Qualitative Requirements .......... 76
5.5 Assurance of Correct Hardware Functionality .......... 76
5.6 Assurance of Correct Software Functionality .......... 77
5.7 Effect of Fault .......... 80
5.8 Operation with External Influences .......... 82
5.9 Safety Related Application Condition .......... 82
5.10 Safety Qualification Test .......... 83
6 RELATED SAFETY CASES .......... 84
7 CONCLUSIONS .......... 85

Document Number: KMRC-24025  Revision: 04  Title: Overall ATC Detailed Design Safety Case  Date: 14-Apr-2019

List of Tables

Table 2-1 Overview of KMRC-01 project .......... 19
Table 2-2 Details of Stations .......... 19
Table 3-1 Certifications of ASTS Integrated Management System .......... 34
Table 3-2 Signaling Equipment FAT Report Summary .......... 41
Table 3-3 Installation Method Statements .......... 43
Table 4-1 Hazard Log Summary .......... 50
Table 4-2 SIL levels assigned to the ATC system .......... 52
Table 4-3 KMRC O&M Manual .......... 58
Table 5-1 SIL levels assigned to the ATC system .......... 64
Table 5-2 Tolerable Hazard Rate Chart .......... 70
Table 5-3 SIL levels assigned to the ATC system .......... 77
Table 5-4 Product and Generic Application Safety Certificate Status .......... 81
Table 6-1 Generic Product Safety Assessment Report .......... 84

List of Figures

Figure 2-1 KMRC East West Metro Corridor .......... 18
Figure 2-2 System Overall Architecture .......... 22
Figure 2-3 CBTC Based Vehicle ATC System .......... 25
Figure 2-4 IXL Interface .......... 26
Figure 2-5 External CBTC interfaces, "Extended" CBTC and Core CBTC .......... 30
Figure 3-1 Quality Organization .......... 33
Figure 3-2 ISO 9001:2015 certificate .......... 35
Figure 3-3 ISO 14001:2004 & 18001:2007 certificate .......... 36
Figure 3-4 ISO 14001:2015 & 18001:2007 certificate .......... 37
Figure 3-5 Non-Conformity Management .......... 42
Figure 4-1 EN 50126 V diagram .......... 47
Figure 4-2 Safety Management Organization STC Signaling System Level .......... 48
Figure 4-3 KMRC Hazard Log, Safety Requirement Traceability Scheme .......... 52
Figure 4-4 Example of Safety Cases Hierarchy .......... 57
Figure 5-1 Schematic representation of Internal & External Interface .......... 62
Figure 5-2 SIL allocation and demonstration process for ATC system .......... 64
Figure 5-3 SIL Demonstration Conditions .......... 65
Figure 5-4 Reliability Block Diagram for a Generic Location .......... 67
Figure 5-5 Simplified Block Diagram for a Generic safety function .......... 70
Figure 5-6 Supervise/enforce authorized speed .......... 73
Figure 5-7 Block diagram Train Door Control Interlocks .......... 75
Figure 5-8 PSD Control Operation .......... 76


1 INTRODUCTION

1.1 PURPOSE

This document provides the specific application safety case, at Detailed Design stage, for the ATC system of the Kolkata Metro Rail Corporation, hereinafter referred to as KMRC. It presents the most up-to-date documentary evidence, obtained by all necessary means (analysis, logical argument, justification of decisions, and tests), showing how safety matters have been dealt with in support of the first Detailed Design milestone of the ATC system.

The document follows the structure for Safety Case documents required by CENELEC EN 50129 and the provisions contained in the contract. This Overall ATC System Detailed Design Safety Case addresses safety at ATC level, identifying how compliance with contractual regulations and norms has been translated into design solutions. The conditions for safety acceptance are presented in the Safety Case under three headings:

- Evidence of quality management;
- Evidence of safety management;
- Evidence of functional and technical safety.

Specifically, this Detailed Design Safety Case covers:

- the demonstration that the safety management system has been developed in accordance with the Contract requirements ([1], [2], [3]) and the ATC System Safety Plan [10];
- the demonstration that the Detailed Design has been undertaken in accordance with the Project Quality Management Plan (see Section 3);
- the demonstration that all relevant safety management processes and procedures have been followed correctly (see Section 4);
- the demonstration that the safety requirements applicable to the specific KMRC application have been comprehensively identified and correctly implemented in the design (see Section 5);
- the evidence that the Safety Related Application Conditions exported by the underlying ATC subsystems have been correctly managed (see Section 5);
- the identification of safety assurance work and its potential impact on the safety arguments (see Section 5);
- the demonstration that the ATC safety related functions can achieve an acceptable level of safety and meet the quantitative safety targets assigned to the ATC system, as specified in the ATC Preliminary Hazard Analysis and Risk Assessment [11] (see Section 5);
- the identification of the related ATC subsystem Safety Cases that provide the safety assurance evidence on which this Safety Case relies (see Section 6).

The following are out of the scope of this document:

- subsystems not declared safety related (e.g. DCS, Telecom) by the SIL allocation process [11];
- subsystems not provided by Ansaldo STS (e.g. permanent way, PSD, rolling stock);
- the demonstration of safe integration between the ATC and external subsystems (e.g. SCADA, PSD, rolling stock), which is the responsibility of the Train System Integrator. This safety case does, however, cover the safety analysis performed on the ATC external interfaces and provides the related evidence at the higher system level in support of the integration activities;
- any change to functions or interfaces not aligned with the design agreed with ASTS; ASTS is not responsible for such changes;
- the definition of the Never To Exceed (NTE) speed for the Mainline and Depot, taking into consideration the vertical and horizontal curves. The same applies to the definition of the "Train Maximum Design Speed" and the "Train Maximum Operational Speed" provided by BEML. These NTE speeds are inputs to the Ansaldo design activity;
- occupational health and safety issues and environmental hazards.

This document is not self-contained. In conformity with CENELEC EN 50129, evidence of compliance with safety aspects and requirements is shown by reference to other ATC documentation in which these issues have been addressed.

1.2 APPLICABILITY

This safety case is applicable to the Train Control & Signalling System and all related subsystems, in accordance with the requirements of the General Specification [1] and the Particular Specifications [2], [3]. The safety process described in this document is not applicable to external systems provided by third parties and thus outside the Ansaldo STS scope of work for the Project (such as Rolling Stock, Traction Power, Civil Works, E&M, etc.), with which the S&TC system interfaces. This Design Safety Case applies to all six elevated stations of Phase 1A listed in Table 2-2 Details of Stations. The safety assurance for the Core CBTC and MLK subsystems is reported in the respective safety cases; see Section 6, Related Safety Cases.

1.3 REFERENCE DOCUMENTS

1.3.1 Contract Documents

Ref  Document Number        Document Name
[1]  KMRCL/CE/S&T/01/2011   Tender Documents, Volume 3, Employer's Requirements, General Specification
[2]  KMRCL/CE/S&T/01/2011   Tender Documents, Volume 4A, Employer's Requirements, Particular Specifications and its latest amendment
[3]  KMRCL/CE/S&T/2011      Supplementary Agreement to Contract KMRCL/CE/S&T/2011 dated 10th October 2011

1.3.2 Ansaldo STS Submittals

Ref   Document Number  Rev  Document Name
[4]   INASSM03/PQP     05   Project Quality Management Plan
[5]   KMRC-11001       03   S&T Interface Management Plan
[6]   KMRC-24015       04   ATC System Verification and Validation Plan
[7]   KMRC-21001       04   Signaling and Train Control System - System Architecture Specification (System and Sub-system Overview)
[8]   KMRC-21216       04   Signaling and Train Control System - System Requirement Specification (SRS)
[9]   KMRC-21217       03   Signaling System Traceability Specification
[10]  KMRC-24019       02   ATC System Safety Plan
[11]  KMRC-24012       05   ATC Preliminary Hazard Analysis and Risk Assessment
[12]  KMRC-24035       02   ATC System Hazard Analysis
[13]  KMRC-24034       02   IXL Subsystem Hazard Analysis
[14]  KMRC-24031       02   ATS Subsystem Hazard Analysis
[15]  KMRC-24042       03   CBTC Subsystem Hazard Analysis
[16]  KMRC-24032       02   ATC System Architecture and Interface Hazard Analysis
[17]  KMRC-24043       02   Operating and Support Hazard Analysis
[18]  KMRC-24062       02   Hazard Log
[19]  KMRC-24063       02   ATC System Validation Test Specification
[20]  KMRC-24064       02   ATC System Validation Test Plan
[21]  KMRC-24065       02   Application Logic Verification Specification
[22]  KMRC-27004       02   Trackside Interface Specification
[23]  KMRC-25038       01   IXL-ATS Interface Control Document
[24]  KMRC-27027       02   IXL Subsystem Requirements Specification
[25]  KMRC-26110       01   CBTC System Specifications
[26]  KMRC-26062       04   Zone Controller Functional Specification
[27]  KMRC-26061       01   Carborne Controller Functional Specification
[28]  KMRC-24011       04   ATC Preliminary RAM Analysis and Apportionment
[29]  KMRC-24022       01   CBTC RAM Prediction Analysis
[30]  KMRC-24024       02   IXL RAM Prediction Analysis
[31]  KMRC-24037       02   ATS RAM Prediction Analysis
[32]  KMRC-24041       02   DCS RAM Prediction Analysis
[33]  KMRC-26063       02   CBTC and Rolling Stock Detailed Interface Specification
[34]  KMRC-27059       03   C-ICDD - Platform Screen Door System
[35]  KMRC-24045       01   IXL V&V Plan
[36]  KMRC-24044       01   CBTC V&V Plan
[37]  KMRC-24046       01   ATS V&V Plan
[38]  KMRC-24038       02   FOTS RAM Prediction Analysis
[39]  KMRC-24039       02   ATC System RAM Prediction Analysis - Phase 1
[40]  KMRC-27019       01   Axle Counter Specification
[41]  KMRC-26058       02   C12_D404 - ZC - IXL ICDD
[42]  KMRC-26052       01   C_D470 - CBTC Foundation Data
[43]  KMRC-27118       02   Interlocking Software Acceptance Test Procedure
[44]  KMRC-27148       02   Interlocking Partial Acceptance Test Procedure
[45]  KMRC-25010       02   ATS Subsystem Requirement Specification
[46]  KMRC-27147       01   Interlocking System Acceptance Test Procedure
[47]  KMRC-25018       02   ATS Software Factory Acceptance Test (FAT) Procedure
[48]  KMRC-25023       01   ATS Partial Acceptance Test Procedure
[49]  KMRC-25025       01   ATS Software System Acceptance Test (SAT) Procedure
[50]  KMRC-27044       05   Wayside ATP Application Logic Programming Guideline
[51]  KMRC-26075       02   CBTC Factory Acceptance Test Procedure
[52]  KMRC-26116       02   CBTC System Acceptance Test Procedure
[53]  KMRC-26076       02   CC Static Test Procedure
[54]  KMRC-26124       02   CC Dynamic Test Procedure
[55]  2011/QTL/61 REP_CCS_01   01     Microlok CC 3.2 Generic Product Safety Case
[56]  ML2-QS-009       10   MICROLOK II Generic Product Safety Case Report
[57]  No: FS86457G     01.01  Frauscher Axle Counter Safety Assessment Report
[58]  EC_8379_1400_5_CORE_CBTC_STD_Funct_Report_v6.3.3   05   Core CBTC 6.3.3 Assessment Report
[59]  KMRC-26059       01   C_D154 SW Version Sheet
[60]  KMRC-27006       04   Signaling Plan - Main Line (Phase 1A)
[61]  KMRC-27007       05   Depot Signaling Plan
[62]  KMRC-27156       03   Wayside Hardware Circuit Design Phase 1 - Central Park
[63]  KMRC-27157       03   Wayside Hardware Circuit Design Phase 1 - Salt Lake Sector V
[64]  KMRC-27158       01   Wayside Hardware Circuit Design Phase 1 - Salt Lake Stadium
[65]  KMRC-27160       02   Wayside Hardware Circuit Design Phase 1 - Central Park Depot
[66]  KMRC-27161       04   Wayside Hardware Circuit Design Phase 1 - Karunamoyee
[67]  KMRC-27162       04   Wayside Hardware Circuit Design Phase 1 - City Center
[68]  KMRC-27163       04   Wayside Hardware Circuit Design Phase 1 - Bengal Chemical
[69]  KMRC-26051       02   Data Preparation Need Specification
[70]  KMRC-24002       03   Project Configuration Management Plan
[71]  KMRC-27142       01   Factory Acceptance Test Plan
[72]  KMRC-27014       02   Interlocking Equipment Specification
[73]  KMRC-27100       01   Interlocking Design Plan
[74]  KMRC-27021       05   Salt Lake Sector V Control Table
[75]  KMRC-27022       08   Central Park Control Table
[76]  KMRC-27023       06   Salt Lake Stadium Control Table
[77]  KMRC-27025       06   Central Park Depot Control Table
[78]  KMRC-26071       01   CBTC Hardware Version Sheet
[79]  KMRC-26041       01   Onboard Subsystem Version Sheet
[80]  KMRC-26052       02   C_D470 - CBTC Foundation Data
[81]  KMRC-27063       02   Wayside Microlok Software Phase 1 - Central Park
[82]  KMRC-27064       02   Wayside Microlok Software Phase 1 - Salt Lake Sector V
[83]  KMRC-27065       02   Wayside Microlok Software Phase 1 - Salt Lake Stadium
[84]  KMRC-27067       02   Wayside Microlok Software Phase 1 - Central Park Depot
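The reference list above is the evidence base this safety case rests on, and Section 1.4 records that revision numbers in it had to be corrected for the current issue. The following is an added example for this page, not code from KMRC-24025 or from Ansaldo STS: it parses rows in the form the document uses ("[ref] number rev name"; the rows embedded are a subset copied from the table above, one of them with the broken number exactly as it appears in the extraction) and reports three things a safety-case reviewer wants to see: rows that could not be parsed (reported, never silently dropped), document numbers cited at two different revisions (KMRC-26052 is at [42] rev 01 and [80] rev 02 in the list above), and citations that disagree with a configuration baseline. BASELINE, and the function names, are the editor's assumptions for illustration, not a released ASTS baseline.

```python
"""Revision-consistency check over a safety case reference list.

Added example for this page; not code from KMRC-24025 or Ansaldo STS.
SUBMITTALS rows are copied from section 1.3.2 of the document; BASELINE
and the function names are the editor's assumptions.
"""
import re
from collections import defaultdict

# Rows in the document's reference-table form: "[ref] number rev name".
# Copied from section 1.3.2 (a subset). Row [10] keeps the space that the
# extraction introduced into its document number, to show the parser
# reporting it instead of dropping it. KMRC-26052 is cited at two revisions.
SUBMITTALS = """\
[10] KMRC- 24019 02 ATC System Safety Plan
[11] KMRC-24012 05 ATC Preliminary Hazard Analysis and Risk Assessment
[18] KMRC-24062 02 Hazard Log
[42] KMRC-26052 01 C_D470 - CBTC foundation data
[70] KMRC-24002 03 Project Configuration Management Plan
[80] KMRC-26052 02 C_D470 - CBTC Foundation Data
"""

# Hypothetical configuration baseline (assumption): the revision of each
# document currently released under the Project Configuration Management Plan.
BASELINE = {
    "KMRC-24019": 2,
    "KMRC-24012": 5,
    "KMRC-24062": 2,
    "KMRC-26052": 2,
    "KMRC-24002": 3,
}

ROW = re.compile(r"^\[(\d+)\]\s+(\S+)\s+(\d{2})\s+(.+?)\s*$")


def parse_references(text):
    """Parse reference rows into (ref, number, rev, name) tuples.

    Returns (rows, unparsed). Lines that do not match the row form are
    returned rather than dropped, so a garbled row cannot vanish from the check.
    """
    rows, unparsed = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
        elif line.strip():
            unparsed.append(line)
    return rows, unparsed


def conflicting_revisions(rows):
    """Document numbers cited at more than one revision -> {number: [revs]}."""
    revs = defaultdict(set)
    for _, number, rev, _ in rows:
        revs[number].add(rev)
    return {n: sorted(r) for n, r in revs.items() if len(r) > 1}


def stale_citations(rows, baseline):
    """Citations whose revision differs from the baseline.

    Returns (ref, number, cited_rev, baseline_rev) tuples; baseline_rev is
    None when the cited document is not under configuration control at all.
    """
    out = []
    for ref, number, rev, _ in rows:
        expected = baseline.get(number)
        if expected != rev:
            out.append((ref, number, rev, expected))
    return out


def report(text=SUBMITTALS, baseline=BASELINE):
    """Run all three checks and return the findings as a dict."""
    rows, unparsed = parse_references(text)
    return {
        "unparsed": unparsed,
        "conflicts": conflicting_revisions(rows),
        "stale": stale_citations(rows, baseline),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the embedded rows, the report lists row [10] as unparsed, KMRC-26052 as cited at revisions 1 and 2, and citation [42] as behind the assumed baseline; a clean reference list yields three empty findings.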

1.3.3 Guidelines and Standards

Ref   Document Number        Document Name
[85]  CENELEC EN 50126       Railway applications - The specification and demonstration of reliability, availability, maintainability and safety (RAMS)
[86]  CENELEC EN 50128       Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
[87]  CENELEC EN 50129       Railway applications - Communications, signalling and processing systems - Safety related electronic systems for signalling
[88]  CENELEC EN 50159-1     Railway applications - Communication, signalling and processing systems - Part 1: Safety-related communication in closed transmission systems
[89]  CENELEC EN 50159-2     Railway applications - Communication, signalling and processing systems - Part 2: Safety related communication in open transmission systems
[90]  IEEE Std 1474.1:2004   IEEE Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements
[91]  IEC 62290-1            Railway applications - Urban guided transport management and command/control systems - Part 1: System principles and fundamental concepts
[92]  ISO 9001               Quality management systems - Requirements
[93]  ISO 14001              Environmental management systems - Requirements with guidance for use
[94]  OHSAS 18001            Occupational health and safety management systems - Requirements
[95]  BS EN 41003:1999       Specification for safety requirements for equipment to be connected to telecommunication networks

1.3.4 Internal Standards

[96]   ASTS  MNL 001  Rev 04  ASTS IMS Manual
[97]   ASTS  INS 023  Rev 02  Manufacturing Identification and Traceability
[98]   ASTS  INS 007  Rev 00  Manufacturing Warehouse Instructions
[99]   ASTS  PRD 047  Rev 00  Configuration Management Process
[100]  ASTS  PRC 101  Rev 00  Configuration Management
[101]  ASTS  PRD 019  Rev 01  Logistics
[102]  ASTS  PRD 009  Rev 01  Manufacturing
[103]  ASTS  PRD 070  Rev 00  FAT Buy Material for Projects
[104]  ASTS  PRC 045  Rev 05  Nonconformity, Corrective Actions, Preventive Actions
[105]  ASTS  PRC 022  Rev 02  P&S, Materials and Services Acceptance (PSMSA)
[106]  ASTS  PRC 001  Rev 04  IMS Documentation and Records Management
[107]  ASTS  PRC 006  Rev 03  IMS Audit Procedure
[108]  ASTS  R&M 001  -       ASTS Roles & Mandate
[109]  ASTS  ORA 002  -       ASTS Organisational Chart

1.4 DESCRIPTION OF CHANGES FROM PREVIOUS REVISION

Description of change: Updated as per ISA comments in Tracking Log_09 dated 24.01.19
Chapter(s) affected by the modification(s):
- Section 1.3.2: Revision numbers updated
- Section 3.15 Quality Audits and Follow Up: Quality Audit summary added
- Table 4-1: Hazard Log Summary
- Section 4.4: Document reference corrected
- Section 5.3.2: Reference section corrected

Description of change: Updated as reference document revisions were updated, and for Quality comments
Chapter(s) affected by the modification(s):
- Section 5.3.7/5.3.8: THR calculation for Safety Functions SF2 and SF3
- Document revision numbers changed for KMRC-24062, KMRC-26116, KMRC-24124, KMRC-25018 and KMRC-21217
- Table 3-2: Certificate number modified

Description of change: Updated to suit the current version of ATS GA 1.5
Chapter(s) affected by the modification(s):
- Section 6 Related Safety Cases: current ATS GA description added

1.5 ACRONYMS, TERMS, AND DEFINITIONS

1.5.1 Terms

Acceptance: A process to achieve agreement that all system requirements have been met to defined criteria, and that the system is fit for purpose.
Approval: Agreement by KMRC or its designated Consultant/Engineer (or an external body) that the system requirements have been met and that the risks associated with the system solutions are As Low As Reasonably Practicable (ALARP), or that an individual deliverable meets the requirements.
Assessment: The process of analysis to determine whether the design authority and the Validator have achieved a product that meets the specified requirements, and to form a judgement as to whether the product is fit for its intended purpose.
Assurance: The overall process of providing confidence that a system, product or project is compliant with the relevant requirements (which include processes, procedures, legislation and standards).
Audit: A systematic and independent examination to determine whether the procedures specific to the requirements of a product comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives.
Black Box: The inputs and outputs of a product or item of equipment are considered in fulfilment of a function, not the actual internal workings of the product.
Client: KMRC, the end customer of the project. "Client" is synonymous with "Employer".
Component: Hardware or software element of a sub-system or a system. By extension, it may be the sub-system or the system itself.
Delay: Delay is caused when a train is unable to move or its speed is reduced due to failure of the Train Control and Signalling System. The delay is measured by the time lost by the first affected train due to a failure of the Train Control and Signalling System.
Demonstration: Evaluation of compliance to a requirement through observation of the system while in operation, without any use of specific instrumentation.
Design: The activity applied in order to analyse and transform specified requirements into acceptable design solutions which have the required safety integrity.
Employer: Kolkata Metro Rail Corporation (KMRC), its legal successors and assignees.
Engineer: Any person nominated or appointed from time to time by the Employer to act as the Engineer for the purposes of the Contract and notified as such in writing to the Contractor.
Environment: Specific conditions that may affect the operation of the equipment when installed and operated on the Project.
Failure: An event which causes loss of function or performance within any part of the Train Control and Signalling System and requires a maintenance intervention to restore full functionality and performance.
Function: A mode of action or activity by which a product fulfils its purpose.
Generic Application: A generic application can be re-used for a class/type of application with common functions.
Generic Product: A generic product can be re-used for different independent applications.
Hazard: A condition that could lead to an accident.
Independence (human): Freedom from involvement in the same intellectual, commercial and/or management entity.
Inspection: Conformity evaluation by observation and judgement, accompanied as appropriate by measurement, testing or gauging.
Line Replaceable Unit: Equipment that can be replaced as a single complete unit and can be handled by a single person. It is the component on which the first level of maintenance (replacement/repair) is performed in case of failure.
Product: A collection of elements, interconnected to form a system/subsystem/equipment, in a manner which meets the specified requirements.
Project: Design, Manufacture, Supply, Installation, Testing, and Commissioning of Control and Signalling, Telecom, and Low Current Systems for Kolkata E-W Metro Rail Project.
Quality: A user perception of the attributes of a product.
Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
Risk: The combination of the frequency, or probability, and the consequence of a specified hazardous event.
Safety: Freedom from unacceptable levels of risk of harm.
Safety Acceptance: The safety status given to a product by the final user.
Safety Approval: The safety status given to a product by the requisite authority when the product has fulfilled a set of pre-determined conditions.
Safety-critical: Failure of the system, sub-system or equipment will directly lead to a situation with the potential to cause harm, injury, damage to property, plant or equipment, damage to the environment, or economic loss.
Safety Integrity: The ability of a safety-related system to achieve its required safety functions under all the stated conditions within a stated operational environment and within a stated period of time.
Safety Integrity Level: A number which indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures.
Service: When the railway is available for the use of fare-paying passengers.
Specific Application: Hardware and software that can be used for only one particular installation.
System: A set of sub-systems which interact according to a design.
System Integration: The engineering and management actions required to assemble subsystems into major systems, or the complete system, and prove their correct inter-working.
System Life-cycle: The series of activities occurring during a period of time that starts when a system is conceived and ends at decommissioning, when the system is no longer available for use.
Test: Determination of one or more characteristics according to a procedure.
Trial: A test conducted on the operational railway.
Validation: The activity applied in order to demonstrate, by test and analysis, that the product meets in all respects its specified requirements.
Verification: The activity of determination, by analysis and test, at each phase of the life-cycle, that the requirements of the phase under consideration meet the output of the previous phase and that the output of the phase under consideration fulfils its requirements.

1.5.2 Acronyms and abbreviations

ASTS  Ansaldo Signalling and Transportation Solutions
ATC  Automatic Train Control
ATO  Automatic Train Operation
ATP  Automatic Train Protection
ATS  Automatic Train Supervision
BCC  Backup Control Centre
CATS  Central Automatic Train Supervision
CBI  Computer Based Interlocking
CBTC  Communication Based Train Control
CC  Carborne Controller (onboard CBTC equipment)
CENELEC  European Committee for Electrotechnical Standardization
DC  Direct Current
DCC  Depot Control Centre
DCS  Data Communications System
EMC  Electro-Magnetic Compatibility
ES  Ethernet Switch
ESP  Emergency Stop Plunger
FAI  First Article Inspection
FAT  Factory Acceptance Test
FTM  FrontAM (part of wayside CBTC equipment)
GA  Generic Application
GP  Generic Product
IEC  International Electrotechnical Commission
IEEE  Institute of Electrical and Electronics Engineers
ISA  Independent Safety Assessor
ISO  International Organization for Standardization
IXL  Interlocking
Km  Kilometre
KMRC  Kolkata Metro Rail Corporation
LATS  Local Automatic Train Supervision
MAL  Movement Authority Limit
mm  Millimetre
OCC  Operations Control Centre
OHSA  Occupational Health and Safety Assessment
O&M  Operation & Maintenance
PAS  Passenger Announcement System
PDM  Product Data Management
PIDS  Passenger Information Display System
RAMS  Reliability, Availability, Maintainability, Safety
RTM  Requirement Traceability Matrix
SCR  Signal Control Room
SER  Signal Equipment Room
SIL  Safety Integrity Level
SMR  Signal Maintenance Room
SRS  System Requirements Specification
TC  Team Centre (ASTS Document Management System)
TOD  Train Operator Display
V&V  Verification and Validation
WI  Work Item
WPR  Work Product
WS  Work Station
ZC  Zone Controller (part of wayside CBTC equipment)


2 PROJECT DESCRIPTION

2.1 INTRODUCTION

Figure 2-1 KMRC East West Metro Corridor

The contract is between KMRCL, the Employer, and ASTS, the contractor for the S&TC portion of the Kolkata East West Metro Rail Project. MYCEL is the Employer-appointed General Consultant, engaged to manage and deliver the project as per the contract requirements and on schedule; MYCEL acts as the "Engineer". The total section runs from Salt Lake Sector V in the east to Howrah Maidan Metro in the west and is divided into elevated and underground sections. There are 12 stations in total, 6 in the elevated section and 6 in the underground section. There is a depot near Central Park station; operation and control will be done from the Operations Control Centre (OCC) for the mainline and from the Depot Control Centre (DCC) for the Depot, both located inside the depot. A Backup Control Centre (BCC) will be located near Howrah Metro station. The entire stretch is divided into two phases, as follows; this plan is applicable to both phases. In Phase 1A, trains will run between Salt Lake Sector V and Salt Lake Stadium, and the depot work will be executed in this phase. In Phase 1B, trains will run between Salt Lake Sector V and Sealdah, with the Depot. In Phase 2, the system will be implemented between Sealdah Metro and Howrah Maidan Metro, and trains will operate between Salt Lake Sector V and Howrah Maidan Metro. A further overview of the project is presented below:


Table 2-1 Overview of KMRC-01 project

Feature: High Level Project Requirement
Track Gauge: 1435 mm
Length: 16.6 km
No. of Stations: 12 (6 elevated and 6 underground)
Typical Dwell Time: 30 seconds
Headway: 150 seconds operational headway and 120 seconds design headway
Revenue Service Time: 05:00 hrs to 23:00 hrs, 7 days per week
Rolling Stock: 6-coach rakes; 7 rakes in Phase 1 and 4 rakes in Phase 2, 3 rakes optional
Depot: Near Central Park Station
Operational Control Centre: At Depot
Depot Control Centre: At Depot
Backup Control Centre: At Howrah Metro
Traction: 750 V DC third rail
Technology: CBTC

The names of the stations and their execution phases are as follows:

Table 2-2 Details of Stations

S. No  Name of Station  Execution Phase
1  Depot  Phase 1A
2  Salt Lake Sector V  Phase 1A
3  Karunamayee  Phase 1A
4  Central Park  Phase 1A
5  City Centre  Phase 1A
6  Bengal Chemical  Phase 1A
7  Salt Lake Stadium  Phase 1A
8  Phool Bagan  Phase 1B
9  Sealdah Metro  Phase 1B
10  Esplanade  Phase 2
11  New Mahakaran  Phase 2
12  Howrah Metro  Phase 2
13  Howrah Maidan Metro  Phase 2

2.2 OVERVIEW

A brief description of the ATC system is provided here; for the full description, refer to the ATC system specification. The ATC signalling system consists of:
- Several subsystems integrated together by means of internal interfaces.
- Interfaces with external elements: systems or subsystems not considered part of the Signalling System but needed for operation according to the maximum capabilities and requirements of the contractual documents of the Kolkata Metro project.

Each of the ATC subsystems performs its own functions independently of the others. Metro operations are coordinated through the computers at the Operations Control Centre (OCC) to form an integrated control system. Under normal operating conditions the ATC functions are performed automatically. At a general level, the subsystem responsibilities are as follows.

Automatic Train Supervision (ATS): provides the control and monitoring facilities used to supervise train operations on the Kolkata Metro project. It also interfaces to external systems to meet the Signalling System requirements.

Core Communication Based Train Control (CBTC): provides protection against train collisions, overspeed and other hazardous conditions (e.g. entering an unsafe track section, opening train doors outside stations). The CBTC functions are performed by a combination of wayside and onboard equipment. The Core CBTC subsystem is composed of the following equipment:
- Zone Controller (ZC): depending on the configuration of the line and the number of trains to supervise, more than one ZC may be installed. The ZC ensures the safe operation of trains using the moving block concept of CBTC. From the information received from the IXL (vital trackside inputs) and from the Carborne Controllers (train identity and location) it determines a train map (the location of all trains in the line) and sends a Movement Authority Limit (MAL) to each train.
- Carborne Controller (CC): installed on the vehicle, it performs both the ATP and the ATO functions:
  - determine the train's location and send it to the ZC;
  - manage the control mode of the train;
  - enforce the permitted speed;
  - drive the train according to the MAL received from the ZC and its own calculations based on knowledge of the track, supervising overspeed conditions (taking into account other constraints such as permanent or temporary speed restrictions);
  - trigger emergency braking in case of danger;
  - manage the opening/closing procedures of train and platform doors.
- Frontam (FTM): composed of servers and workstations. The FTM maintains the track database descriptions, collects maintenance information from the ZC and CC, and provides a communication interface between the ATS, ZC and CC.

Interlocking (IXL): responsible for the safe implementation of the interlocking functions. The IXL obtains occupancy information from the train detection system (axle counters) and interfaces with wayside equipment such as switch machines and signals. It interfaces with the ZC to ensure safe CBTC operation, in particular route setting and route determination, and it prevents train collisions and derailments over switches. Together with the CBTC, the IXL provides safe train movement using the wayside signals for a CBTC train: if a Zone Controller, the DCS or the CC fails, trains can safely traverse the line under the wayside signal aspects controlled by the IXL.

Data Communication System (DCS): a broadband communications system that provides bi-directional, reliable and secured exchange of data between the equipment of the signalling system and subsystems and other ground equipment installed where required along the right-of-way.

The following figure shows the CBTC architecture with Microlok as the IXL equipment. Note that redundant units and equipment counts are not shown.

[Figure 2-2 System Overall Architecture: block diagram (the diagram carries the title "NOIDA METRO: CBTC SYSTEM"). OCC: ATS servers, workstations, system overview display, printers, master clock with GPS (clock to be provided by others) and Ethernet LAN switches; FRONTAM; remote ATS maintenance workstation. Redundant DCS with Ethernet switches (ES) at wayside locations and radio access points. Wayside: Zone Controller (ZC), redundant Microlok II CBI with control terminal and maintenance terminal (with VDU), LATS, axle counter evaluators (ACE) and axle counter heads, track-mounted transponders/tags, wayside device I/O to point machines, LED signals, PSD, emergency switches and plungers, and PA and PIDS at the station/platform areas, with links to the adjacent Microlok II and ZC. Vehicle: CC, TOD, transponder readers and antennas, speed sensors, propulsion, brakes and doors. Depot control centre connected to the OCC via the DCS.]

Figure 2-2 System Overall Architecture

Note that the above figure is indicative only; for details, refer to the System Architecture document. The proposed CBTC system has equipment distributed at three major locations: the Operations Control Centre (OCC), the wayside locations in the Signalling Equipment Rooms (SERs), and each vehicle. Standard railway field equipment such as axle counters, signals and switch machines is installed where required along the right-of-way. Axle counters and signals on the wayside (at the interlocking) are essential components of the interlocking functionality and ensure that the system is compatible with unequipped trains. The Microlok and the ZC work in concert and vitally share signalling information. The Microlok interfaces with switch machines, signals, warning systems, axle counters and the ATS. The Microlok units contain the vital logic that permits control of switch machines and interlocking signals; the Microlok also performs interlocking functions based on routing requests received from the ATS. Odometry and transponder subsystems are essential to establishing train position. Positions are calculated by each train's CC and then compiled by the ZCs to safely manage the traffic and deliver the MAL to each train. Transponders/balises/tags are placed at fixed locations along the track; an onboard reader uses a high-frequency signal to acquire the transponder information as the train passes over it. The information contains an ID from which the train obtains its precise location and direction of travel. The vehicle CC receives continuous vital communications from the ZC, and the onboard ATP enforces safe protection of the train. Train traction and braking orders are issued by the ATO. The configuration of the CBTC system has been designed to provide all reasonable measures to mitigate the effects of a single independent failure or of multiple dependent failures.
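The moving-block principle described above (the CC fixes its position from the last transponder and its odometry, the ZC compiles a train map and returns a MAL to each train), as an added worked illustration that is not the ASTS Zone Controller algorithm: the CC widens its position by an odometry error bound accumulated since the last tag; the ZC keeps every reported train on its map, treats axle-counter occupancy that no reporting train explains as an unequipped train, and limits each MAL by the train ahead, by the route limit set by the IXL and by unexplained occupancy. A train whose report is stale gets no MAL (it falls back to the wayside signals, as the text describes) but remains on the map as an obstacle. The error bound, safety margin, report timeout and record fields are assumptions.

```python
"""Simplified moving-block movement authority limit (MAL) computation.

Added illustration only; not the ASTS Zone Controller algorithm. Model:
one straight track, positions in metres increasing in the direction of
travel, all trains running in that direction. The odometry error bound,
safety margin, report timeout and record layout are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ODO_ERR = 0.02         # assumed: +/-2 % of the distance run since the last tag
SAFETY_MARGIN = 50.0   # assumed: metres kept clear behind an obstacle
REPORT_TIMEOUT = 3.0   # assumed: seconds after which a CC report is stale


@dataclass
class Report:
    """Position report from a Carborne Controller (fields assumed)."""
    train: str
    tag_pos: float    # position of the last transponder read, at the train front
    odo: float        # odometer distance run since that tag
    length: float     # train length in metres
    sent_at: float    # time the report was sent, in seconds


def envelope(r: Report) -> Tuple[float, float]:
    """Safe rear and safe front of the train.

    Odometry drifts between tags, so the front may lie anywhere in
    [tag_pos + odo*(1-ODO_ERR), tag_pos + odo*(1+ODO_ERR)]; the envelope
    takes the most rearward rear and the most forward front.
    """
    front_min = r.tag_pos + r.odo * (1 - ODO_ERR)
    front_max = r.tag_pos + r.odo * (1 + ODO_ERR)
    return front_min - r.length, front_max


def compute_mal(reports: List[Report],
                occupied: List[Tuple[float, float]],
                route_limits: Dict[str, float],
                now: float,
                track_end: float) -> Tuple[Dict[str, float], List[str]]:
    """Return (MAL per communicating train, list of stale trains).

    occupied: axle-counter sections (start, end) reported by the IXL.
    route_limits: per train, the end of the routes the IXL has set for it.
    """
    live = {r.train: r for r in reports if now - r.sent_at <= REPORT_TIMEOUT}
    # Every reported train stays on the map, stale or not: a train that has
    # stopped talking must still be protected against.
    envs = {r.train: envelope(r) for r in reports}
    # Occupancy that no reporting train explains is treated as an unequipped
    # train: an obstacle whose rear is the start of the occupied section.
    unknown = [s for s in occupied
               if not any(rear <= s[1] and front >= s[0]
                          for rear, front in envs.values())]
    mal: Dict[str, float] = {}
    for name in live:
        rear, front = envs[name]
        limit = min(track_end, route_limits.get(name, front))  # no route: no movement
        for other, (orear, ofront) in envs.items():
            if other != name and ofront > front:          # a train ahead
                limit = min(limit, orear - SAFETY_MARGIN)
        for start, _end in unknown:
            if start >= front:                              # unknown occupancy ahead
                limit = min(limit, start - SAFETY_MARGIN)
        mal[name] = max(limit, front)  # never authorise behind the train's own front
    stale = [r.train for r in reports if r.train not in live]
    return mal, stale


if __name__ == "__main__":
    # Constructed scenario: A and B reporting, C silent for 5 s, one
    # axle-counter section at 4000-4100 m that no reporting train explains.
    reports = [Report("A", 1000.0, 200.0, 120.0, 10.0),
               Report("B", 2000.0, 100.0, 120.0, 10.0),
               Report("C", 3000.0, 0.0, 120.0, 5.0)]
    occupied = [(1050.0, 1250.0), (1900.0, 2150.0), (2850.0, 3050.0), (4000.0, 4100.0)]
    routes = {"A": 5000.0, "B": 5000.0, "C": 5000.0}
    print(compute_mal(reports, occupied, routes, now=10.0, track_end=6000.0))
```

In the constructed scenario A is held 50 m short of B's safe rear (1928 m) and B is held short of the silent train C (2830 m), while C receives no MAL at all. Removing A's route limit collapses its MAL to its own safe front, which is the behaviour a reviewer should look for: absence of an IXL route must never be read as permission.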
2.3 WAYSIDE ATC SYSTEM

The wayside configuration is a distributed architecture comprising vital and non-vital control functions. This configuration permits the reliable and safe operation of trains on the system. The wayside equipment encompasses:

2.3.1 Wayside Equipment Rooms
a. ZCs: for Kolkata Metro Phase 1A, one ZC is installed in the Central Park SER.
b. Frontam (FTM): for Phase 1A, one FTM (the maintenance aid front-end computer) is located in the Depot Admin building CER.
c. Microlok CBIs: vital microprocessor-based interlocking system interfaced with point machines, signals, the train detection system, ATS, PSD and other field devices. Axle counters provide detection of equipped and non-equipped vehicles and secondary train detection (in case of CBTC failure).
d. Interface vital relays as required.


2.3.2 Station Platforms
- Emergency Stop Plungers/Pushbuttons (ESPs)
- Interface to the staff protection key switch
- Interface to the platform screen doors

2.3.3 Depot
a. Microlok CBIs
b. Interface vital relays
c. Balises for the Test Track in the Depot
d. Axle counters for detection of equipped and non-equipped vehicles and secondary train detection (in case of CBTC failure)
e. Signals
f. Switch machines

2.3.4 LATS
The Local Automatic Train Supervision subsystem performs all the local wayside ATS functions and implements the non-vital logic. These permit localised control of ATS functions and are also interfaced to the Public Address/Passenger Information Display (PA/PIDS) system.

2.3.5 Trackside-Mounted Devices
a. Direction indicators
b. Axle counter heads
c. Transponders/Balises
d. Marker boards
e. DCS-dedicated communications equipment, which includes wayside access points, antennas, cables and access switches
f. Signals
g. Switch machines


2.4 VEHICLE ATC SYSTEM

[Figure 2-3 CBTC Based Vehicle ATC System: block diagram of the two onboard CC units. Each unit has vital microcontrollers in a 2oo3 arrangement, vital and non-vital discrete I/O, connections to the DCS Ethernet Alpha and Beta networks, a TOD, the driver cab desk, the door system, the brake, train integrity, the TMS, tag readers, speed sensors and analogue/digital accelerometers, with cooling fans.]

Figure 2-3 CBTC Based Vehicle ATC System

Note that the above figure is indicative only; for details, refer to the System Architecture document. The onboard system is designed to provide full ATO mode with a Train Operator, as well as Train Operator-controlled modes of train operation while obeying the ATP limits. Each 6-car train is equipped with two CCs:
a. Each CC comprises:
   - ATP and ATO subsystems
   - Balise transponder module
   - Event logging system
b. DCS-dedicated communications equipment, which includes mobile radio, antennas and cables.
c. CBTC devices external to the CC:
   - Transponder antenna/Tag Reader
   - Tachometers and accelerometers
   - TOD
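Figure 2-3 labels the CC's vital microcontrollers as 2oo3. The following Python is an added illustration of the voting rule that label denotes, not the CC firmware or any ASTS code: the vital output is released only when at least two healthy channels agree on it, and every other situation (a missing channel plus a dissent, three different answers) yields the restrictive output. The Output fields and the restrictive value are assumptions.

```python
"""Two-out-of-three (2oo3) voting of vital channel outputs.

Added example, not the Carborne Controller firmware. The result is
permissive only when at least two healthy channels agree; otherwise the
restrictive output (traction cut, emergency brake) is returned. The
Output layout and the RESTRICTIVE value are assumptions.
"""
from typing import NamedTuple, Optional, Sequence, Tuple


class Output(NamedTuple):
    traction_permitted: bool
    ceiling_speed_kmh: float   # assumed field: ATP speed ceiling to enforce


RESTRICTIVE = Output(False, 0.0)   # assumed safe state: traction cut, brake applied


def vote_2oo3(outputs: Sequence[Optional[Output]]) -> Tuple[Output, bool]:
    """Return (voted output, degraded flag).

    outputs: one entry per channel; None means the channel failed its
    self-test or missed its cycle. degraded is True whenever the result
    was reached with a dissenting or missing channel, so that the event
    is logged and, if it persists, the safety reaction can be taken.
    """
    if len(outputs) != 3:
        raise ValueError("2oo3 needs exactly three channels")
    healthy = [o for o in outputs if o is not None]
    for candidate in healthy:
        if sum(1 for o in healthy if o == candidate) >= 2:
            degraded = len(healthy) < 3 or any(o != candidate for o in healthy)
            return candidate, degraded
    return RESTRICTIVE, True   # fewer than two healthy channels agree


if __name__ == "__main__":
    ok = Output(True, 80.0)
    print(vote_2oo3([ok, ok, ok]))                       # permissive, not degraded
    print(vote_2oo3([ok, None, ok]))                     # permissive, degraded
    print(vote_2oo3([ok, Output(True, 60.0), RESTRICTIVE]))  # restrictive
```

The voter compares outputs for exact equality; a real implementation compares numeric ceilings within a tolerance and takes the most restrictive of the agreeing values, and it must also time out a channel that stops delivering outputs rather than reusing its last value.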


2.5 IXL SUBSYSTEM

The general interactions between the functionalities implemented in the subsystems listed above are represented in the next figure.

[Figure 2-4 IXL Interface: within the ATC System, the IXL interfaces with the ATS, the CBTC Wayside (Zone Controller), the PSD (external device) and the IXL field devices (signals, axle counters, point machines, crank handles, level crossing).]

Figure 2-4 IXL Interface

The IXL subsystem is based on the generic product named Microlok II. The interlocking scheme is divided into Interlocking Microloks, at stations with points and fixed signals, and Non-Interlocking Microloks, at stations without points and signals. All Microlok units are housed in the SER. A Microlok unit consists of the following electronic boards:
- CPU Card
- Power Supply Card
- Synchronisation Card
- Communication Card
- Vital Output Card
- Vital Input Card
- Non Vital Card

This arrangement of cards is housed in a 19-inch cardfile; for details refer to the Interlocking Equipment Specification KMRC-27014 [72]. The CPU cards in a Microlok unit are connected to the Microlok CPU cards in the same or the adjacent interlocking through the Peer Protocol. The Microlok architecture supports a hot-standby configuration between the online unit and its partner, called MDSC (Microlok Duplicated Seamless Changeover). When a critical fault occurs in the online unit, switchover to the redundant unit is automatic and does not disrupt the last state of the field devices.


The CPU cards in the Interlocking Microloks house the interlocking logic, which executes vital logic such as route calling, route setting and signal clearing (lowering). For processing the vital logic, input functions from the site devices are gathered from Microloks in the same interlocking or from Microloks in the adjacent interlocking. The CPU cards in the Non-Interlocking Microloks, installed at stations without points and signals, collect inputs from external devices such as the PSD and SPKS and send the information to the Interlocking Microlok. Function exchange between the field devices and the Microlok input/output cards is established through a relay interface.

Field equipment connected to the IXL and considered part of the IXL subsystem:
- 415 V AC point machines (via relay interface) supplied by Vossloh Cogifer
- Axle counters supplied by Frauscher
- LED signals supplied by GAEC
- LED matrix for route indication supplied by Electrancs
- Platform screen doors supplied by CRRC (supply not in Ansaldo scope)
- Crank handles supplied by Kiran Infra
- Emergency stop switches supplied by Networth
- Staff protection key switches supplied by Siemens (supply not in Ansaldo scope)
- Level crossing at the Depot supplied by Heidz

The functional behaviour of the system is described in the IXL Sub-system Requirement Specification [24]; a brief overview of the functions is given in the next section. For all components that are not part of ASTS production, the IXL subsystem assures the technological and functional integration, in terms of the correct integrity of the wiring to the external device; where an assessment of the component itself is needed, it is the responsibility of the supplier.

Below is the list of external and internal interfaces between the IXL and other devices.

External interfaces:
- IXL-ATS interface: between the IXL and the ATS, by means of the wayside DCS. Applicable for ATS functions.
- IXL-ZC interface: between the IXL and the wayside CBTC, by means of the wayside DCS. Applicable for CBTC functions.
- IXL-PSD interface: parallel wiring through vital input boards, relay interface and cables.
- IXL-Signal interface: parallel wiring through vital input/output boards, relay interface and cables.
- IXL-Point Machine interface: parallel wiring through vital input/output boards, relay interface and cables.
- IXL-ESS interface: parallel wiring through vital input boards, relay interface and cables.
- IXL-SPKS interface: parallel wiring through vital input boards, relay interface and cables.

These interfaces are further elaborated in the Trackside Interface Specification [22].
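The IXL-ZC and IXL-ATS interfaces above run over the wayside DCS, which is an open transmission system in the sense of EN 50159-2 [89], so the safety layer on top of it must defend against repetition, deletion, insertion, re-sequencing, corruption, delay and masquerade. The following Python is an added illustration of such a layer and is not the ASTS protocol or the project's ICDD: a sequence number, a timestamp with a freshness window, source and destination identifiers and a keyed MAC, with a receiver that classifies each rejected telegram by the threat it defends against. The field layout, identifiers, key, MAC length and time limits are all assumptions.

```python
"""Safety-layer telegram with EN 50159-style defences (added example).

Not the ASTS/KMRC IXL-ZC protocol. EN 50159 requires a safety-related
application on an open transmission system such as the DCS to defend
against repetition, deletion, insertion, re-sequencing, corruption, delay
and masquerade. This toy layer uses a sequence number, a timestamp with a
freshness window, source/destination identifiers and a keyed MAC. The
field layout, identifiers, key and limits below are all assumptions.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

HEADER = struct.Struct("!IIIQ")   # src id, dst id, sequence number, timestamp (ms)
MAC_LEN = 16                      # truncated HMAC-SHA256 tag (assumed length)
MAX_AGE_MS = 2000                 # assumed freshness window for a telegram


def _mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build(key: bytes, src: int, dst: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Frame = header | payload | MAC over header and payload."""
    body = HEADER.pack(src, dst, seq, ts_ms) + payload
    return body + _mac(key, body)


class Receiver:
    """Receiving side of one unidirectional safety channel."""

    def __init__(self, key: bytes, my_id: int, peer_id: int):
        self.key, self.my_id, self.peer_id = key, my_id, peer_id
        self.last_seq: Optional[int] = None
        self.last_ok_ms: Optional[int] = None

    def verify(self, frame: bytes, now_ms: int) -> Tuple[bool, str, Optional[bytes]]:
        """Return (accepted, reason, payload). The MAC is checked first so
        that no field of an unauthenticated frame can alter channel state."""
        if len(frame) < HEADER.size + MAC_LEN:
            return False, "truncated", None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, body)):
            return False, "bad_mac", None               # corruption or masquerade
        src, dst, seq, ts = HEADER.unpack_from(body)
        if src != self.peer_id or dst != self.my_id:
            return False, "wrong_peer", None            # masquerade or misrouting
        if ts > now_ms or now_ms - ts > MAX_AGE_MS:
            return False, "stale", None                 # delay (or a clock fault)
        if self.last_seq is not None and seq <= self.last_seq:
            return False, "replay_or_reorder", None     # repetition or re-sequencing
        gap = self.last_seq is not None and seq != self.last_seq + 1
        self.last_seq, self.last_ok_ms = seq, now_ms
        # A gap means deletion: this telegram is valid, but the caller is
        # told so it can apply its safety reaction if gaps persist.
        return True, ("gap" if gap else "ok"), body[HEADER.size:]

    def healthy(self, now_ms: int) -> bool:
        """True while a valid telegram arrived within the freshness window;
        otherwise the channel counts as failed and the restrictive state applies."""
        return self.last_ok_ms is not None and now_ms - self.last_ok_ms <= MAX_AGE_MS


if __name__ == "__main__":
    # Constructed exchange: an IXL (id 0x0101) sending to a ZC (id 0x0202).
    key = b"\x11" * 32
    zc = Receiver(key, my_id=0x0202, peer_id=0x0101)
    frame = build(key, 0x0101, 0x0202, seq=1, ts_ms=1000, payload=b"ROUTE_SET")
    print(zc.verify(frame, now_ms=1500))   # accepted
    print(zc.verify(frame, now_ms=1600))   # replayed copy rejected
```

Two points the code makes concrete: a rejected telegram never advances the sequence or freshness state, so an attacker who can inject frames cannot push the channel into a failed state by sending a bad one; and a channel that receives nothing valid for longer than the window reports unhealthy, which is the trigger for the degraded operation described in section 2.6. A real deployment keys each channel pair separately and preserves the sequence state across restarts, since a receiver that starts with no last_seq accepts the first telegram with any sequence number.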


Internal interfaces:
- Microlok-to-Microlok communication within the same or a neighbouring interlocking.

2.5.1 IXL General Functions
The main functions of the IXL system are:
1. Interlocking functions: management of all the stations and stops along the line and in the depot (centralised in the OCC), processing of route commands and safe protection functions such as:
   a. vital management of the points;
   b. train detection;
   c. vital management of route movements;
   d. management of specific vital inputs/outputs.
2. CATS/LATS and IVDU communication: the IXL communicates with the CATS in the OCC for the operation of signals and points on the mainline, and with the ATS in the DCC for the operation of points and signals in the Depot. In the event of CATS failure, the ATS in the BCC takes over control. Additionally, every interlocking station is provided with a LATS and an IVDU for operating the field devices in case of failure of the station's communication with the CATS; the IVDU is provided as a backup to the LATS at each interlocking station.
3. Diagnostic monitoring: maintenance terminals are provided in each interlocking for monitoring the status of the interlocking equipment and for retrieving and analysing failure reports with the Microlok Maintenance Tool.
4. Safe communication with the train separation subsystem (wayside CBTC subsystem).

2.5.2 IXL Application Overview
The IXL application involves customisation based on the configuration, i.e.:
- Microlok system configuration in the stations;
- Interlocking or Non-Interlocking Microlok on the mainline or in the Depot;
- data retrieved from the Signal Interlocking Plan [60], [61];
- route definitions as in the Control Tables [74], [75], [76], [77];
- input/output assignments based on the field devices to be controlled in the interlocking.

The correctness of the specific application is ensured at design level by verification activities on the documents and, after implementation, by laboratory and field validation activities.

2.5.3 Data Preparation Process
Each Microlok CPU board contains the pre-loaded Generic Product software; in this project the Microlok CPU contains the executive program CC 3.2. The MLK hardware platform and the CC 3.2 executive software constitute the Generic Product. The independent assessor RINA has certified the executive software CC 3.2 to SIL 4.

Title: Overall ATC Detailed Design Safety Case

Date: 14-Apr-2019 Page 28 of 85

Kolkata East-West Metro Rail Project

There is no concept of a Generic Application plus Configuration Data for the specific application. For each signalling equipment, location-specific application software is loaded within the MLK unit. The Microlok data for the specific application has to be customized based on the configuration items mentioned in the section above. When ready, this specific application is compiled with the compiler tool, which generates the machine language compatible with the Executive version of the CPU. The development of the specific application follows the design process and verification cycles for each phase of the project. This process is in line with EN 50128. For a detailed description of the Data Preparation Process, refer to “Interlocking Design Plan” [73].

2.6 INTERACTION WITH CBTC SYSTEM

The full CBTC system provides the highest level of system operation and performance. CBTC requires all train control subsystems to be present and operational: wayside, ATS, vehicle and DCS. CBTC provides moving-block safe train separation and protection and full on-board ATP/ATO operation, and supports all defined CBTC operational modes. Certain operational modes provide full system operation and performance: Automatic Train Operation (AM) and ATP Manual (ATPM). Other modes provide reduced operation in degraded conditions: Restricted Manual (RM) and Run On Sight (ROS). The IXL system has to operate in cooperation with the CBTC system when in AM mode, and has to operate independently in degraded conditions (without CBTC supervision). C12_D404 - ZC - IXL ICDD [41] defines the functions exchanged between the Zone Controller and the IXL devices. The IXL processes its inputs to generate the outputs to the ZC needed to achieve train running in the different CBTC modes. For details of the functions exchanged, refer to the ZC-IXL ICDD [41].

2.7 CBTC SUBSYSTEM

The Core CBTC product is identified by the C_D154 SW version sheet [59]. It contains all the applicable specifications for the definition and the design of each equipment of the Core CBTC product. Each equipment of the Core CBTC product is also identified by a Version Sheet and a hardware description: CBTC Hardware Version Sheet and On Board Version Sheet [78], [79].

2.7.1 Core CBTC Breakdown

The Core CBTC is made up of the following equipment:
 The Zone Controller (ZC),
 The Carborne Controller (CC) with its odometry subsystem,
 The tag subsystem (Eurobalise),
 The TOD,
 The FRONTAM.

[Figure: block diagram of the CBTC interfaces. Labels shown: External CBTC interfaces; Rolling Stock; Energy; ATS; Extended CBTC; Core CBTC; FRONTAM; TOD; DCS (fiber + radio); IXL; CC (ODO, ATP, ATO); ZC; TAG; Wayside Signalling (field eqpt.); TMS, TAR, Other.]

Figure 2-5 External CBTC interfaces, "Extended" CBTC and Core CBTC

The Generic Application releases are certified by an independent assessor, which provides an ISA report. The Core CBTC Generic Application provides the Core CBTC functions needed by the KMRC project. All Core CBTC development is done in the Generic Core CBTC. All the Core CBTC Generic Application activities (design, development, verification, tests, validation, safety) are supported by the Generic Application Safety Case [56] and have been independently assessed; refer to [57]. The KMRC project can use this Generic Core CBTC as a black-box product and configure it according to the line and the rolling stock. It is to be noted that the CBTC Version 6.3.2-R3 referred to in this safety case will be upgraded to Version 6.3.3, which will be the candidate version for KMRC. The safety assessment of this version is presently ongoing, and the report will be shared with the ISA once available. The C_D470 CBTC Foundation Data [80] gives the inputs and assumptions, along with the Design Database for KMRC PH-1A, taking CBTC Referential V06-03-03-00 for the release.

2.7.2 CBTC Data Preparation Process

The Core CBTC GA provides all the functions needed by the Core CBTC SA. The Core CBTC SA team selects the functions applicable to KMRC among the functions provided by the Core CBTC GA. The Core CBTC Specific Application does not add any additional functional content. The ZC and CC Functional Specifications [26], [27] can be referred to. The Data Preparation Need Specification [69] provides the requirements for configuring the Specific Application needs based on the Generic Application. The project interface documents used for the Specific Application design are the IXL-ZC interface document C12_D404 - ZC - IXL ICDD [41] and the CC-Rolling Stock ICDD [33].

3 QUALITY MANAGEMENT REPORT

This chapter corresponds to the “Quality Management Report” section of the Overall Detailed Design Safety Case, in accordance with the provisions of the CENELEC EN 50129 [87] technical standard. The ASTS Quality System is used for all projects developed by ASTS and in particular for the Kolkata East-West Metro Project. The Quality System is described in the Project Quality Management Plan [4] and applies to all ASTS personnel, both those involved in the delivery and verification of the products and those in charge of managing the relationship with the customer. The organizational responsibilities are described in the ASTS Roles & Mandates [108].

3.1 QUALITY PLANNING AND PROCEDURES

Quality planning and procedures are described in the Project Quality Management Plan [4].

3.2 QUALITY ORGANIZATION

The ASTS quality organisation is as shown below.

[Figure: quality organization chart; the only label recovered is "Project QA".]

Figure 3-1 Quality Organization

The Kolkata East-West Metro project organization is detailed in the Project Management Plan [1]. The overall ASTS organization is fully detailed in the ASTS Organizational Chart [109]. The Integrated Management System is detailed in the IMS Manual [96].

3.2.1 ASTS Quality System

The Quality System is described in the Project Quality Management Plan [1] and applies to all ASTS personnel, both those involved in the delivery and verification of the products and those in charge of managing the relationship with the customer. The ASTS certificate n° LRQA/LRC 6019580/QMS/U/EN declares the conformity of ASTS to the procedures defined in ISO 9001 [92].

Table 3-1 Certifications of ASTS Integrated Management System

Certificate | Organization | Certifier | Cert. No | Cert. Expiry
ISO 9001:2015 | ASTS India | LRQA | LRC 6019580/QMS/U/EN/033 | 21/11/2020
ISO 14001:2015 | ASTS India | LRQA | LRC 10094151 | 26/03/2020
ISO 14001:2015 & ISO 18001:2007 | ASTS India | LRQA | ISO 14001-0042860 / OHSAS 18001-0042861 | 26/03/2020

The figures on the following pages provide copies of the above-mentioned certificates as evidence.


Figure 3-2 ISO 9001:2015 certificate

Subcontractors in the KMRC project are certified against ISO 9001:2015. The subcontractors’ Quality Certifications have been collected on the ASTS server.

Figure 3-3 ISO 14001:2004 & 18001:2007 certificate


Figure 3-4 ISO 14001:2015 & 18001:2007 certificate

3.2.2 Quality Audits and Inspection

Audits, as defined in the Project Quality Management Plan [4], are carried out under the responsibility of the QA department.

3.3 SPECIFICATION OF REQUIREMENTS

Requirements for the design of the Wayside IXL Application are contained in the IXL Subsystem Requirement Specification [24]. Compliance with the requirements of the IXL Subsystem Requirement Specification is mapped to a set of basic safety rules provided in the Wayside ATP Application Logic Programming Guidelines [50], the Signaling Plan - Main Line (Phase 1A) [60], the Depot Signaling Plan [61], the Control Table of Interlocking Locations [74] and the various interface documents listed in section 5.3.1. The Wayside ATP Application Logic Programming Guidelines [50] provide the necessary indications on how to translate the requirements of the Signaling and Train Control System - System Requirements Specification (SRS) [9] for IXL and of the IXL Subsystem Requirement Specification [24] into software code. Additional requirements are given by the software coding rules and by the features supported by the MICROLOK II Executive Software platform. The input and output signals that the Microlok II processes depend on the location configuration. Each input and output is physically assigned to a board (I/O Assignment); this determines the number of input and output boards that the MICROLOK II units must support. Once this process is complete, all identified input and output signals, the Control Tables and the Signal Interlocking Plan are used by the data designer to develop the wayside Application Logic according to the guidelines specified in the Wayside ATP Application Logic Programming Guidelines [50]. For the CBTC Specific Application design, the Data Preparation Need Specification [69] specifies the application requirements at the specific level, i.e. the project configuration level. The C_D154 SW version sheet [59] elucidates the hardware and software configuration used in CBTC Version GA 6.3.3, which will be used in the KMRC project.

3.4 DESIGN CONTROL

Design control is carried out using the Project Configuration Management Plan [70]. Configuration management is carried out using the project lifecycle management tool Team Centre. Changes to a design can be raised in the peer verification phase, in the validation phase, or as change requests from the Client. For each new revision of a design, the updated version of that design along with the verification files is uploaded to Team Centre by the author, and is then approved and authorized by the Verifier and the Project Engineer respectively. For changes coming from the Client, the updated design version along with the change request is uploaded to Team Centre following the same approval process. With each software release, the Microlok II software program file includes a Program History, which provides traceability to revision levels. With each software release version in Team Centre, a Version Description Document (VDD) is released.

Similarly, for a CBTC database release in TC, the C_D154 SW version sheet [59] and the respective ZC, CC, TOD, Tag, CBTC Tools and Frontam Delivery Sheets and Configuration Data are released.

3.5 DESIGN VERIFICATION AND REVIEW

The overview of the verification and validation methods is detailed in the ATC System Verification and Validation Plan [6], with a finer approach detailed in the respective subsystem V&V plans of IXL, CBTC and ATS [35], [36], [37]. The internal ASTS Formal Technical Review Procedure, which includes peer technical reviews for all design documents related to IXL and review by RAMS for documents related to safety, is followed. The internal IMS procedure PRD-043 is followed, as detailed in the ATC System Verification and Validation Plan [6]. All verification records are kept in the form of comments in FOR_437 for each version of a design document uploaded to Team Centre.

3.6 APPLICATION ENGINEERING

The development of the application engineering has been described in Section 2.5.3, which describes the process for creating the basic hardware design documents by assembling the necessary information. Additional information is included in the following documents: Wayside ATP Application Logic Programming Guidelines [50], Data Preparation Need Specification [69].

3.7 PROCUREMENT AND MANUFACTURE

To ensure all products have the highest quality, various inspection and verification activities have taken place to verify the acceptability of the products and materials supplied by ASTS. Methods include:
• Sample inspection;
• 100 % inspection;
• Sample testing;
• Material certifications / declaration of conformity.

The control of the purchased product is ensured by the procurement process through the following activities:
• Selection and management of suppliers;
• Management of the purchase request, including the identification of the needs and of the requirements related to the needs (specifications);
• Definition and negotiation of quotations and contract, and choice of the best supplier;
• Management of the purchase order;
• Acceptance tests on purchased items (products and services) to verify compliance with requirements and specifications.

3.8 PRODUCT IDENTIFICATION AND TRACEABILITY

ASTS has introduced a system which enables tracing of a part or product from when it is received (or manufactured) by ASTS until it is installed. The policy and guidelines apply to all materials, parts, sub-assemblies, assemblies, sub-systems and systems to be installed, and manufactured and/or assembled by ASTS and its suppliers and subcontractors. They apply to all stages of the project. Each product supplied by ASTS is identified by a code to ensure the product is traceable throughout its life, from receipt through installation. Products manufactured by ASTS are identified through a barcode label in order to be tracked during manufacturing and repair activities, in accordance with the instructions INS023 Manufacturing Identification and Traceability and INS007 Manufacturing Warehouse. Both documents set the process for the identification of all materials, parts and assemblies by appropriate codes and numbers to ensure their traceability. This identification and coding system has the following features:
 Helps the “Manufacturing” and “Repair goods” job scheduling of each product;
 Tracks the product along the production line during these two processes;
 Collects/records the manufacturing and repairing data of each product;
 Identifies and tracks each product without ambiguity during these two processes.

Finished products are labeled with a unique serial number to allow for traceability of product configurations. ASTS has developed and maintains a specific Configuration Management Plan [70] for the preparation and control of the configuration.

3.9 HANDLING AND STORAGE

ASTS documents and maintains a system to ensure that parts and products are protected correctly from the time of receipt (or manufacture), during transportation and storage, until final installation and hand-over. All products are handled in a manner that prevents damage or deterioration, by the use of padded or protective material handling units and methods. Sensitive materials are handled to prevent damage, tampering and deterioration. Materials, components, equipment, modules, subassemblies, accessories and final products are protected during transportation and are delivered in sound condition in accordance with the process description PRD 019 Logistics. Where third-party haulers are used, the same procedure applies. The warehousing activity (storing and preserving) involves many warehouses with different materials inside; the criteria for handling the stock are strictly linked to the characteristics of the goods stored, and they are applied in accordance with Logistics [101]. All items are counted, measured or weighed to the unit of measure shown on the purchase order. A location is provided for each phase of the project (receiving, work in progress and shipping).

Incoming material is tagged to prevent loss, reviewed and documented in as-received condition on the receiving log, and stored on racks or pallets to prevent damage.

3.10 INSPECTION AND TESTING

The test management process is managed in accordance with the Ansaldo STS Quality System. All tests are described in procedures; the procedures include purpose, scope, reference data, operational description and the forms to be used. ASTS defines the planning, specification, scheduling and reporting of the inspections and tests to be carried out during the course of the project according to the Factory Acceptance Test Plan [71]. The sequence of inspection and test activities is planned in such a manner as to gradually build up confidence that the contract requirements are being fulfilled. All standard materials and products purchased for the Kolkata East-West Metro Project are required to be delivered with a certificate of production from the original supplier. All materials, components and systems produced to meet specific Kolkata East-West Metro Project requirements have been subject to inspection and test at the production site to verify compliance with requirements. FAT procedures for IXL and CBTC equipment are followed during inspection and test at the supplier’s premises or factory. The following is the factory acceptance test report summary.

Table 3-2 Signaling Equipment FAT Report Summary

S.No | Document Name
1 | EI equipment Factory Acceptance Test Report
2 | Relay Factory Acceptance Test Report
3 | ZC equipment Factory Acceptance Test Report
4 | Axle Counter Factory Acceptance Test Report
5 | Point Machine Factory Acceptance Test Report
6 | Carborne Controller Factory Acceptance Test Report
7 | BTM / BTM Antenna Factory Acceptance Test Report
8 | Balise equipment Factory Acceptance Test Report

Document numbers of the above reports: KMRC-27097, KMRC-26085, KMRC-27101, KMRC-27104, KMRC-27111, KMRC-27112, KMRC-26084, KMRC-27195.

3.11 NON-CONFORMANCE AND CORRECTIVE ACTION

Systems, sub-systems and components which do not conform to the requirements of the Contract are considered defective and are removed and replaced with acceptable systems, sub-systems or components. The ASTS Quality Procedure PRC 045 Nonconformity, Corrective Actions, Preventive Actions [104] is applied. Defective systems, sub-systems or components which have been corrected will not be used until the Employer’s approval. The Quality Procedure PRC 022 - Package and Services (P&S), Materials and Services Acceptance (PSMSA) [105], dedicated to supplier control, also applies. Any work, practice, process or procedure in non-conformance with the contract documents is subject to segregation, quarantining, marking, tagging, etc. by ASTS staff in line with accepted procedures. Every unfulfilled requirement concerning a released product (including hardware, software, documents, …) reveals a nonconformity. The observer of a non-conformity informs the person in charge of managing it. The figure below presents a synthesis of the nonconformity management (including nonconformities detected after delivery):

[Figure: non-conformity management flow; no labels recovered.]

Figure 3-5 Non-Conformity Management

3.12 PACKAGING AND DELIVERY

All packaging materials and procedures used or to be used by the supplier and/or subcontractors are subject to inspection by ASTS. All packaging, together with packaging and protective materials, is new, maintains its integrity and performs its intended function while being transported, handled and stored.

All products are suitably protected and packaged to prevent corrosion during handling, transport and storage, and packed in a safe way to avoid personal injury and damage to equipment and property. Products are, where practical, shipped fully assembled; when shipping of fully assembled products is not possible, it is the supplier’s responsibility to disassemble the products so that they can be properly packed and protected. The quality assurance department is informed of any unsatisfactory situation to facilitate corrections and possible corrective actions through the nonconforming process or through an approved equivalent communication.

3.13 INSTALLATION AND COMMISSIONING

Method Statements for particular installation or commissioning processes are prepared at the respective stages of installation and commissioning. The Method Statements include working methods, quality control check points and criteria. The following table lists the Method Statements for signalling equipment.

Table 3-3 Installation Method Statements

S.no | Document No | Document Name
1 | KMRC-2B301-1 | Installation Method Statement - Location Boxes
2 | KMRC-2B301-3 | Installation Method Statement - Axle Counter
3 | KMRC-2B301-6 | Installation Method Statement - Signals
4 | KMRC-2B301-7 | Installation Method Statement - Rack Installation
5 | KMRC-2B301-8 | Installation Method Statement - EMSS Emergency Stop Switch
6 | KMRC-2B301-9 | Installation Method Statement - Cable laying in elevated / tunnel / depot
7 | KMRC-2B301-10 | Installation Method Statement - Point Machine
8 | KMRC-2B301-11 | Installation Method Statement - LX Gate
9 | KMRC-2B301-12 | Installation Method Statement - Marker Board
10 | KMRC-2B301-13 | Installation Method Statement - Crank Handle / EKT
11 | KMRC-2B301-15 | Installation Method Statement - Depot Line Slot Switch Boxes
12 | KMRC-2B301-2 | Installation Method Statement - Trackside Balise

Particular production processes are executed according to written procedures, and the following trainings are organized for the personnel involved in the project:
 Training on project procedures;
 Training requirements in the suppliers’ QM;
 IT registration and use;
 Calibration and use of survey and measuring equipment;
 Project Programme for QHSE training of staff.

Complete records of the execution processes, equipment and personnel involved in all particular production processes are maintained and are submitted for reference upon the Employer’s request.

3.14 OPERATION AND MAINTENANCE

Section 3.4 includes the general procedure for handling software changes during design, testing and the start of revenue service.

3.15 QUALITY MONITORING AND FEEDBACK

The quality department conducts audits to oversee the quality process of the project. The following table summarizes the findings of the quality audits performed in the design phase.

Internal Quality Audit Date | Audited Organization | Scope | Lead Auditor | Report No | Conclusion | Follow-up
26 & 27 Oct. 2017 | KMRC Site Office | Project Management, Project Engineering (Signalling and Telecom) & RAMS | Kumkum Nayak | JA-17120 | Total 2 observations were raised, applicable to all functions/domains, e.g. Signalling, Telecom & RAMS | All the observations are closed by the respective WPL
26 & 27 June 2018 | KMRC Site Office | Project Management, Project Engineering (Signalling and Telecom & RAMS) | Kumkum Nayak | JA-18004 | Total 2 observations were raised, applicable to all functions/domains, e.g. Signalling, Telecom & RAMS | All the observations are closed by the respective WPL

3.16 DOCUMENTATION AND RECORDS

ASTS will maintain the Quality Records as per ISO 9001 Standard §4.2.4. The Quality Records include, but are not limited to, the following:
• Internal and external audit records;
• Inspection and Test Plans;
• Calibration records;
• Non-conformance reports;
• Certificates of compliance;
• Training records;
• Personnel qualifications.

Team Centre is the tool used to support the ASTS management, sharing and storage of records. The procedure includes: scope and categorization of control of quality records and evaluation, collection, compilation, indexing, filing, storage, maintenance, duration of storage,

3.17 CONFIGURATION MANAGEMENT / CHANGE CONTROL

ASTS has developed and maintains a specific Configuration Management Plan for the preparation and control of the configuration. For further details about the ASTS configuration management system, please refer to the Project Configuration Management Plan [4].

3.18 PERSONNEL COMPETENCY AND TRAINING

Please refer to the corresponding section of the ASTS Project Quality Management Plan.

Quality audits and follow-up

The internal auditing process is managed in accordance with the ASTS Quality System; moreover, in order to implement a common management system for audits at KMRC project level, ASTS follows the quality audit process described in section 9 of the Project Quality Management Plan [4]. The list of applicable documents is given in the Project Quality Management Plan [4].

3.19 DECOMMISSIONING AND DISPOSAL

No hazardous materials are present in the IXL equipment. The products have long lives (25-30 years), at the end of which they can be dismantled and the various constituent materials (metals, plastics, etc.) recycled. The end-of-life disposal of transformers and electronic waste must conform to the most current common practices for these types of equipment at the time of obsolescence. However, disposal is the responsibility of the ATC system equipment maintainer at the end of the product lifecycle.

4 SAFETY MANAGEMENT REPORT

According to EN 50129 [87], this section presents all the necessary evidence that the safety of the ATC Subsystem has been, and shall continue to be, managed by means of an effective safety management process. The purpose of this process is to further reduce the incidence of safety-related human errors throughout the life cycle of the ATC Subsystem, and thus minimize the residual risk of safety-related systematic faults. The safety management methods, procedures and organization applied to the ATC System have been defined and documented since the early stages of the project, as per the ATC System Safety Plan [10]. This section is structured following CENELEC 50129 [87], and as such includes the following sections:
 Safety Lifecycle;
 Safety Organization;
 Safety Plan;
 Hazard Log;
 Safety Requirements Specification and Traceability;
 System Design;
 Safety Reviews;
 Safety Verification & Validation;
 Safety Justification;
 System Hand-over;
 Operation & Maintenance.

Within the Detailed Design phase, the following safety management activities have been performed:
 preparation and updating of the ATC System Safety Plan [10], based on Client and ISA comments;
 preparation and updating of the ATC System Verification and Validation Plan [6], based on Client and ISA comments;
 preparation and updating of the ATC System Hazard Analysis [12], based on Client and ISA comments;
 setting up, updating and tracking in TC of the Hazard Log [18];
 safety and quality audits conducted in the Detailed Design phase.

A list of the safety-related documents for the Final Design milestone is also provided in this chapter.

4.1 SAFETY LIFE CYCLE

The ATC System Safety Plan [10] presents a description of the planned Safety Management activities to be carried out during the entire lifecycle of the project’s phases, and the related documentation to be produced at ATC level, in order to identify and eliminate/control all the hazards associated with the ATC Subsystem that could lead to injury or loss of human life. The figure below maps the CENELEC lifecycle phases to the project milestones.

[Figure: EN 50126 V diagram mapping the CENELEC lifecycle phases to the project milestones. Project milestones shown: Verification & Update of Preliminary Design; Detailed Design; Construction Design; Procurement & Manufacturing; Construction & Installation; Testing & Commissioning; Handing Over; Out of Scope of Work. CENELEC phases shown: 1. Concept; 2. System definition and application conditions; 3. Risk Analysis; 4. System requirements; 5. Apportionment of System requirements; 6. Design and Implementation; 7. Manufacturing; 8. Installation; 9. Validation; 10. System Acceptance; 11-14 Cenelec Phases; Validation.]

Figure 4-1 EN 50126 V diagram

This Safety Case covers the Safety Management activities performed up to the consolidation of the ATC system design (Final Design); therefore the applicable lifecycle phases are 1 to 6.

4.2 SAFETY ORGANISATION

The Safety Management Organization for the ATC system has been reported in the ATC System Safety Plan [10], along with the description of the roles and responsibilities of all the key resources. In particular, the ATC RAMS WPL is responsible for all the Safety and V&V activities performed on the integrated ATC system, interfacing with the other RAMS WPLs (Core CBTC, IXL, ATS) and with the ASTS and Client Representatives for the coordination and management of the technical safety activities. The Project Safety Team also interfaces with Project Management as well as with the Engineering and Development departments, playing an active role in the analysis and consolidation of the system requirements (e.g. reviewing project changes which could affect the safety of the project, as part of the formal change control process, and checking the safety classification of the requirements). The KMRC project safety team operates independently of the other project teams. This allows the team to oversee the activities of each of the Development and Engineering teams to ensure that the safety requirements of the specification are attained.

[Figure: safety management organization chart. Boxes shown, in the order they appear: Amit Srivastava (RAMS Head-India); PRM (Shamik Haldar); ATS WPL; Integration; (Shamik Haldar); (Sachin Veer Singh); Core CBTC WPL (Myriam Marchand / Sachinveer Singh); RAM WPL; IXL WPL; (Yusmery Solarzano / Jeevanjyoti Khurana); (Shamik Halder); V&V (Amiya Chakravarthy, Sreeja Roy).]

Figure 4-2 Safety Management Organization STC Signaling System Level

4.3 SAFETY PLANS

The “ATC System Safety Plan” for the KMRC Project has been issued [10]. The Safety Plan also includes the Safety Case Plan, which identifies the planned structure and principal contents of the Safety Cases supporting the ATC safety demonstration. Moreover, please note that the STC System Safety Plan also covers the subsystem (CBTC, IXL and ATS) safety activities.

4.4 HAZARD LOG

The following hazard analyses have been performed for the KMRC project:
 ATC Preliminary Hazard Analysis and Risk Assessment System Hazard Analysis [11]
 ATC System Hazard Analysis [12]
 IXL Subsystem Hazard Analysis [13]
 ATS Subsystem Hazard Analysis [14]
 CBTC Subsystem Hazard Analysis [15]
 ATC System Architecture and Interface Hazard Analysis (SAIHA)
 Operating and Support Hazard Analysis (O&SHA) [16]

All hazards identified in the PHA, SSHA, SHA, O&SHA and IHA have been presented in the Hazard Log [18].

The ATC Hazard Log [18] reports all the hazards identified during the analyses performed at ATC level, following both top-down and bottom-up hazard identification approaches. More specifically:
 Historical hazards coming from past similar ASTS metro projects have been evaluated in order to define their applicability to the KMRC Metro project. Each hazard has been reviewed in terms of severity and frequency, according to the project-specific Risk Criticality Matrix. These activities have been carried out during dedicated hazard meetings involving Metro system experts, safety specialists and the design team belonging to the ASTS organization;
 The hazard analysis done at System level and reported in the “ATC Preliminary Hazard Analysis and Risk Assessment” [11] has been further analyzed and developed at ATC level for those hazards involving the ATC system;
 For each of the applicable functional requirements, a proper analysis has been performed to detect possible hazards arising from the failure of the functions, identified by means of guidewords and “what if” studies. This analysis has been done with the support of the operational scenarios reported in the Operation Manuals. Refer to Table 4-3 KMRC O&M Manual for the list of Manuals to be submitted in the project. In order to better evaluate operational responsibility during failure of a function or in degraded mode operation, the exported O&M hazards are traced to the Operational Manual, the Railway Rules and the Indian Railway Metro Rules. However, the current version of the Hazard Log does not yet record this traceability; it will be presented in the next version after discussion with the Client;
 In order to extend the analysis to all the functionalities implemented by the ATC, a Subsystem Hazard Analysis is conducted for the IXL, ATS and CBTC subsystems. ATC interfaces have been analysed on the basis of the applicable technical specifications, applying an FMEA pattern to systematically analyse the known failure modes affecting the data exchanged between the subsystems.

The following table summarizes the status of the safety mitigations coming from the hazard analyses mentioned above, as well as the Safety Related Application Conditions and assumptions coming from the IXL and CBTC systems, which are treated as “Resolved” at the design stage by providing traceability of their fulfilment through design and test procedures.

Document Number: KMRC-24025 Revision: 04

Title: Overall ATC Detailed Design Safety Case

Date: 14-Apr-2019 Page 49 of 85

Table 4-1 Hazard Log Summary

Category                              Total   Resolved   Open
IXL Requirement                         171        171      0
IXL SRACs                                73         73      0
ATS-DCS Requirement                      36         36      0
CBTC Requirement*                       234        234      0
S&TC Requirement                         60         60      0
Installation-T&C requirement             87         87      0
OSHA                                     74         74      0
Safety Requirements                     227        227      0
CBTC Assumption Dictionary D-150-1      218        218      0

* The CBTC requirements exported to the CBTC Specific Application V&V or to the S_DPSR, ZC_DPSR and CC_DPSR are resolved here on the basis of the strategy followed in other projects. These requirements can be closed only when the V&V activity is finished and the System, ZC and CC DPSRs are produced. The allocation of the export list of CBTC requirements can be gathered from the CBTC Subsystem Hazard Analysis [15]. The exported requirements are not presented here, as their acceptance by the other Contractors and KMRC is in progress. The acceptance certificates for the requirements exported to other Contractors will be covered in the final ATC System Safety Case.


Hence, these exported requirements are not in the scope of the detailed design under S&TC.

It is to be noted that the version of the ATC Hazard Log [18] presented is the first version of the document. Closure of all hazards, together with the acceptance by the other Contractors of the exported mitigations and the acceptance by KMRC of the O&M related safety mitigations, will be evidenced in the next version of the Hazard Log. The final version of the Hazard Log will form part of the ATC System Safety Case KMRC-24110, a future deliverable of this project. The ATC Hazard Log [18] has also been uploaded in Team Center, allowing the management of all the KMRC hazards on a common platform and thus facilitating the transfer of hazards and mitigations among stakeholders.

4.5 SAFETY REQUIREMENT SPECIFICATION AND TRACEABILITY

System requirements were derived from the original KMRC Customer Requirements given in [2] and [3], as well as from various design meetings with KMRC / GC representatives. These requirements are uniquely identified in the Signalling and Train Control System – System Requirement Specification (SRS) [8]. The ATC Hazard Log for KMRC [18] contains all hazards identified through the Preliminary Hazard Analysis (PHA) [11], the System Hazard Analysis (SHA) [12] and the subsystem and interface hazard analyses [13], [14], [15], [16]; together with the SRACs and assumptions coming from the lower-level subsystem documents, it is one of the sources for developing the System Safety Requirements. All the safety requirements have been identified in the ATC Hazard Log for KMRC [18] and traced to the design elements in the detailed design documents.

It is to be noted that the ATS and ATO subsystems provided on this project are mature systems with a proven interface to the ASTS CBTC and IXL. The ATS utilizes the ASTS "Hermes" ATS product, which is built from a set of pre-existing, proven software modules and libraries currently used in ATS systems in revenue service in various driverless metro systems worldwide.
The ATS subsystem was then customized with the specific application (track configuration and interfaces) for KMRC. Two specific commands originating from ATS have safety implications: (1) removal of a blocked signal or switch and (2) removal of a TSR. In ATS these commands have been implemented using Class-1 and TAN commands. The removal of a block has been proven safe with a "proven in use" argument. These safety commands from ATS are processed by mandatory interaction with a SIL 4 system: for block removal ATS interacts with the Microlok-based IXL subsystem, while for TSR removal ATS interacts with the ZC. The details of these functionalities are provided in the Zone Controller Functional Specification [40], the ATS Subsystem Requirement Specification [45] and the Wayside ATP Application Logic Programming Guideline [50].

Safety requirements can be both qualitative and quantitative. Qualitative safety requirements arise mainly from the Contract and from hazard mitigations. Quantitative safety requirements have been derived from the SIL apportionment process described in [R.11]. In particular, that document presents:

• Identification of the system safety functions;
• Attribution of a SIL to the safety related functions;
• Identification, where applicable, of external risk reduction facilities;
• Assignment of each safety related function to sub-systems; and
• Functional analysis in order to verify the safety functions and justify the subsystems involved.

The SIL levels assigned to the ATC system are reported in the table below:

Table 4-2 SIL levels assigned to the ATC system

Columns: ID | Safety function | IXL | Wayside CBTC | Onboard CBTC | External system

SF1 | Train location determination
SF2 | Limit of safe movement protection
SF3 | Supervise/enforce authorized speed
SF4 | Train door control interlocks
SF5 | PSD control operation

External systems named in the table: Passenger Vehicle Emergency Braking; Passenger Vehicle Door Closed and Locked; PSD – Door Closed and Locked.
SIL values appearing in the table (the row/column assignment is not recoverable from the extracted text): SIL4, SIL4, SIL4, -, SIL4, SIL4, SIL4, -, SIL4, SIL4, SIL4, -, -, SIL4, SIL2, SIL2, SIL2.

The handling and traceability of the qualitative safety requirements is depicted in the following figure. In particular, it highlights the link between the hazard analyses performed at ATC level and the safety requirements management flow.

Figure 4-3 KMRC Hazard Log, Safety Requirement Traceability Scheme.


As this Safety Case addresses safety in design, the safety requirements are traced to test procedures. The final closure of each hazard will be provided by evidence in the form of test reports.

4.6 SYSTEM DESIGN

A top-down, structured design methodology has been used, with rigorously controlled and reviewed documentation. Compliance with the operational and safety requirements is addressed in the Technical Safety Report (Section 5). All interface aspects are addressed as follows:

• External interfaces (i.e. between the ATC subsystem and the other subsystems of the KMRC system) are managed by means of dedicated activities documented in the Interface Control Definition Documents (ICDDs). Refer to the S&T Interface Management Plan [5] for more details. The external interfaces CBTC and Rolling Stock Detailed Interface Specification [33] and C-ICDD - Platform Screen Door System [34] have also been analysed from a safety perspective by the ATC RAMS team, as documented in the ATC System Architecture and Interface Hazard Analysis [32].
• Internal interfaces (between the different assemblies/components of the ATC supply) are coordinated by the Engineering Signalling Integrator through review of the technical documentation and through Internal Interface Meetings held regularly by the ATC design teams. The internal interfaces C12_D404 - ZC - IXL ICDD [41], Trackside Interface Specification [22] and IXL-ATS Interface Control Document [22], and the CBTC-ATS internal interface managed through "KMRC-26052 - C_D470 - CBTC foundation data", are also subjected to safety analyses by the RAMS project team. Review records will be documented in the Subsystem V&V Reports (to be submitted with the Final Safety Cases).
• The results of the integration process at ATC System level will be within the scope of the ATC System Final Safety Case KMRC-24110, which is a deliverable document for this project.
4.7 SAFETY VERIFICATION AND VALIDATION

Verification and validation activities for the ATC system are described in the ATC System V&V Plan [6]. The V&V process followed by ASTS during the life cycle of the ATC system ensures the integration of safety aspects in all CENELEC phases at ATC level. The safety V&V activities at ATC subsystem level are covered by the respective V&V plans, i.e. IXL V&V Plan [35], CBTC V&V Plan [36] and ATS V&V Plan [37]. The V&V process described in the ATC System Verification and Validation Plan includes the following review steps:

• Requirements Traceability Matrix (RTM) analysis;
• Document verification;
• Design verification (design review) activities;
• RAMS analysis.

As far as the design phase is concerned, the following V&V activities have been carried out:

• review of all engineering design documentation;
• review of requirement traceability to assess all possible impacts on safety;
• review of the safety related documents to ensure that the safety requirements, or the assumptions made in the safety verifications, are compliant with the ATC system functionality;
• approval of all design and contract change requests by the Safety Management Organization.

As described in Section 3 of the ATC System Verification & Validation Plan [6], the ASTS RAMS team operates in an independent and matrix fashion with respect to the other project teams. This allows the team to oversee the activities of each of the development teams, as well as third-party furnished products and subsystems, to ensure that the safety requirements of the relevant specifications are attained. As per IMS procedure PRD 043, on every design document a PEER verification is conducted, which also includes an independent safety review by the RAMS team. The reviews of the safety documents are summarized in the Subsystem V&V Reports. These V&V reports will be evidenced in the Subsystem Safety Cases as well as in the ATC System Safety Case, a future deliverable of this project.

As far as independent testing is concerned, independent testers are assigned both to the FAT and to the field testing of the Wayside and Vehicle Application and Central software. For the software Factory Acceptance Tests, testers from the RAMS team will perform the tests. For field testing, complete independence is provided, as the testers are competent and qualified engineering personnel from the ASTS Testing & Commissioning team who have not been involved at all in the design. A RAMS engineer will review and check the site test reports, providing evidence for the closure of the hazards. The evidence of the RAMS reviews on site test reports will be provided in the IXL, ATS, Vehicle and Wayside Validation Reports, which will be delivered.

For the independence of MLK data preparation, the process includes: the design of the MLK data by the designer; the check of the MLK data by a peer, including a RAMS engineer, using the Application Logic Verification Specification [21]; the approval by the MLK manager; the factory test by a test team independent of the designer; the field test by a test team independent of the designer; the MLK verification test by the system department, independent of the designer; and a joint review of the test report to validate.

For the independence of CBTC data preparation, the site survey and data collection of the line profile and track data is performed by the engineering team; the ASTS DB engineering team starts the CBTC data preparation process upon the site survey results. Subsequently, the ASTS DB V&V team performs the V&V activity on the corresponding DB released by the ASTS DB engineering team. The results of verification and validation are captured in the CC, ZC and System Design Safety Preparation Reports (DPSRs), which will later be submitted as part of the CBTC Specific Application Safety Case KMRC-24030, a future deliverable document in this project phase.

System integration and testing: the system integration and testing has been defined in the ATC System Validation Test Specification [19] and the ATC System Validation Test Plan [20].


The system integration test reports will be given in the ATC System Verification and Validation Report KMRC-24106, a future deliverable document in this project phase.

4.8 EXTERNAL SAFETY REVIEWS

The ISA review status on all documents agreed to be shared with the ISA for the safety justification of this project is contained in the subsequent versions of the Tracking Log. This Tracking Log lists the ISA comments on every design, RAMS and test report and forms the basis of ISA acceptance of a document. As this Safety Case aims to justify the fulfilment of the safety requirements in design, the ISA comments on the design documents in Tracking Log_08 form the basis of ISA acceptance of the documents referred to in Section 1.3.2.

4.9 EXTERNAL SAFETY AUDIT

The ISA has conducted an external safety audit, "Audit plan and report during the System Validation phase at ANSALDO STS Consortium's factories", at the Tito Scalo Zona Industriale site, Potenza, 85050, Italy. The auditor assessed the implementation of the KEWML Factory Acceptance Test process specified in the documents:

• BTM Module FAT Procedures (ref. KMRC-26118-01, revision 01)
• Beacon FAT Procedures (ref. KMRC-26119-01-1, revision 01)
• Onboard Antenna FAT Procedures (ref. KMRC-26120-01-1, revision 01)

The ISA has provided the report documented in EC_8692_0015_1_FAT_Audit_Report.

4.10 SAFETY JUSTIFICATION

Evidence of safety will be provided by means of the hierarchical safety case approach presented in the ATC System Safety Plan [10] and recalled in the paragraph "Related safety cases" (§6). Three different categories of safety cases are considered:

• Generic Product Safety Case (independent from application);
• Generic Application Safety Case (for a class of applications);
• Specific Application Safety Case (for a specific application).

In this hierarchical approach, each safety case includes the demonstration of fulfilment of the safety requirements defined at the higher level by making reference to lower-level safety cases (for example, the Specific Application Safety Case takes advantage of the safety demonstrations included in the related Generic Product Safety Case). However, requirements from the safety related application conditions defined at the lower level must also be considered (for example, a Specific Application should be developed taking into account the limitations and allowed configurations of the Generic Product). The role of the several planned safety cases is described below:

• The ATC System Specific Application Safety Case – Physical Implementation is meant to demonstrate that the design, manufacture, supply, installation, testing and commissioning of the whole ATC sub-system fulfil the relevant requirements. The evidence provided applies to the entire ATC system, addressing the specific issues of each single location. This represents the final step of the overall ATC safety justification. For KMRC it will be covered by the ATC System Specific Application Safety Case KMRC-24110, a deliverable once all testing activities are concluded.
• The ATC System Detailed Design Safety Case (this document) is meant to demonstrate that the design of the whole ATC system fulfils the relevant requirements. The evidence provided applies in general to the safety related functions, without addressing the specific issues of each single location. This represents the first step of the overall ATC safety justification.
• The Core CBTC Generic Application Safety Case addresses the safety justification of the functionalities used in the Core CBTC solution. For KMRC, CBTC Version 6.3.3 will be used, and the ISA assessment report of the generic solution has been shared with the ISA.
• The Core CBTC and IXL Safety Cases – Physical Implementation are meant to demonstrate that the design of the respective sub-system fulfils the relevant requirements, addressing the specific issues of each single location. For KMRC, the CBTC Specific Application Safety Case KMRC-24030 and the IXL Specific Application Safety Case KMRC-24036 will be delivered on conclusion of the subsystem-level site testing.

It should be noted that the safety demonstration related to the ATS subsystem is reported within the ATC level safety case. On the basis of the above considerations, the safety justification included in this Safety Case mainly aims to demonstrate that:

• all safety functions have been identified;
• the safety integrity requirements for such functions can be fulfilled by the chosen architecture of the ATC sub-systems/platforms performing these functions;
• evidence exists that the safety integrity requirements have been correctly implemented in the hardware and software design;
• a formal verification process, compliant with the requirements of CENELEC EN 50128 and EN 50129, is in place.

Next figure reports the safety case hierarchy for the ATC System deployed on KMRC:


Figure 4-4 Example of Safety Cases Hierarchy

4.11 SYSTEM HANDOVER

Not applicable for the present phase; it will be developed in the next phases.

4.12 OPERATION AND MAINTENANCE

Through this Safety Case ASTS presents the planning for the Operation & Maintenance phase. During the Operation and Maintenance phase, ASTS will provide all the necessary inputs to the O&M Contractor during the development of the Safety Management System for Operation and Maintenance. Following all hazard analyses, ASTS plans to provide two types of documents to the O&M Contractor:

• The first document sums up the safety requirements related to operation, describing the procedures to be put in place for the subsystem (for example, for each alarm);
• The second document sums up the safety requirements related to maintenance. The safety requirements related to maintenance shall establish the link with the nomenclature and designation of the safety components as specified in the supplier's List of Safety Components.

These documents shall be presented for the approval of the operator. Once approved, they will be used as the basis for the operator to establish his procedures and operating and maintenance instructions.


The following table lists the Operational & Maintenance Manuals deliverable to the Client.

Table 4-3 KMRC O&M Manual

S/N | Document                                                                       | Document Number
1   | Interlocking Equipment Field Maintenance, Operations, and Troubleshooting Manual | KMRC-27177
2   | Interlocking Equipment Service/User Manuals Training Material                  | KMRC-27180
3   | ATS Operations Manual                                                          | KMRC-25039
4   | ATS Maintenance Manual                                                         | KMRC-25040
5   | Vehicle ATC Operator Manual                                                    | KMRC-26106
6   | Vehicle ATC Maintenance Manual                                                 | KMRC-26107
7   | CBTC Maintenance Manual                                                        | KMRC-26111

4.13 DECOMMISSIONING AND DISPOSAL

Not applicable for the present phase; it will be developed in the next phases.


5 TECHNICAL SAFETY REPORT

5.1 INTRODUCTION

This section describes the technical principles that assure the safety of the design at overall ATC System level. It therefore covers all safety related design aspects dealing with the overall design of the ATC. According to the CENELEC 50129 standard [87], this section, mandatory for Safety Integrity Levels 1 to 4 inclusive, has to give evidence of how technical and functional safety is achieved for the ATC system. This Technical Safety Report explains the technical principles which assure the safety of the design, including (or giving references to) all supporting evidence (for example, design principles and calculations, test specifications and safety analyses). The safety and V&V process for the Specific Applications is described in:

• ATC System Safety Plan [10]
• ATC System Verification and Validation Plan [6]

According to CENELEC 50129 [87], this Technical Safety Report is structured as follows:

• Introduction (Section 5.1)
• Assurance of correct functional operation (Section 5.2)
• Effects of faults (Section 5.7)
• Operation with external influences
• Safety-related application conditions
• Safety qualification tests

5.2 ASSURANCE OF CORRECT FUNCTIONAL OPERATION

This paragraph concerns the correct operation of the ATC system under fault-free conditions (i.e. with no faults in existence), in accordance with the specified operational and safety requirements.

5.3 SYSTEM ARCHITECTURE DESCRIPTION

The description of the ASTS system has been provided in Section 2 of this Safety Case. Further, the Signalling and Train Control System - System Architecture Specification (System and Sub-system Overview) [7] includes additional considerations on the ATC system architecture and the design criteria for meeting the functional, operational and safety requirements. Vital components have been selected to perform the safety functions. Redundant configurations have been adopted to ensure a high degree of reliability wherever required. The redundancy at vital equipment level is described in the CC and ZC Functional Specification documents [26], [27].


5.3.1 Definitions of Interfaces

Two kinds of interfaces are identified for the ATC System: internal interfaces (i.e. between equipment/components internal to the STC System) and external interfaces (i.e. with other subsystems). Considering the architecture and the functional and operational requirements of the ATC subsystem, the following interfaces are identified:

IXL - Other systems
• Between adjacent IXL / Depot IXL - Refer to Wayside ATP Application Logic Programming Guideline [50]
• Between IXL and ATS, including CATS and Station ATS (LATS) workstations - Refer to IXL-ATS Interface Control Document [23]
• Between IXL and Axle Counter Subsystem - Refer to Trackside Interface Specification [22]
• Between IXL and LED Signals - Refer to Trackside Interface Specification [22]
• Between IXL and the Platform Screen Door System - Refer to Trackside Interface Specification [22] & C-ICDD - Platform Screen Door System [34]
• Between IXL and Emergency Stop Plunger (ESP) - Refer to Trackside Interface Specification [22]
• Between IXL and Staff Protection Key Switch (SPKS) - Refer to Trackside Interface Specification [22]
• Between IXL and Zone Controller - Refer to C12_D404 - ZC - IXL ICDD [41]
• Between IXL and Point Machine - Refer to Trackside Interface Specification [22]
• Between IXL and Level Crossing - Refer to Depot Book of Plan [65]
• Between IXL & Depot Slot Switch - Refer to Depot Book of Plan [65]

ATS - Other systems
• Between ATS & IXL - Refer to IXL-ATS Interface Control Document [23]
• Between ATS & CBTC (ZC & CC via Frontam) - Refer to C_D470 - CBTC foundation data [42]
• Between ATS and SCADA (not a part of the safety assessment)
• Between ATS and PIDS/PAS (not a part of the safety assessment)

CBTC - Other systems
• CC - Rolling Stock - Refer to CBTC and Rolling Stock Detailed Interface Specification [33]
• CC - ATS (via Frontam) - Refer to C_D470 - CBTC foundation data [42]
• ZC - ATS (via Frontam) - Refer to C_D470 - CBTC foundation data [42]
• ZC - IXL - Refer to C12_D404 - ZC - IXL ICDD [41]
• CC - ZC (via Frontam) - Internal interface specification covered by the generic solution.

The next figure reports graphically the following main ATC internal and external interfaces:

• Physical and protocol interface between On-board CBTC (Carborne Controller assembly) and Wayside CBTC (Beacon assembly) subsystems,
• Physical and protocol interface between On-board CBTC (Carborne Controller assembly) and DCS (On-Board Network assembly) subsystems,
• Physical and protocol interface between Wayside CBTC (Frontam assembly) and DCS (Wayside Network assembly) subsystems,
• Physical and protocol interface between Wayside CBTC (Zone Controller assembly) and DCS (Wayside Network assembly) subsystems,
• Physical and protocol interface between ATS (ATS Server assembly) and DCS (Wayside Network assembly) subsystems,
• Physical and protocol interface between IXL and DCS (Wayside Network assembly) subsystems,
• Functional interface between On-board CBTC (Carborne Controller assembly) and Wayside CBTC (Frontam assembly),
• Functional interface between On-board CBTC (Carborne Controller assembly) and Wayside CBTC (ZC assembly),
• Functional interface between Wayside CBTC (Frontam assembly) and ATS server assembly,
• Functional interface between Wayside CBTC (ZC assembly) and IXL subsystem (MLK assembly),
• Functional interface between ATS subsystem (ATS server assembly) and IXL subsystem (MLK assembly),
• Physical and functional interface between ATS subsystem (ATS Maintenance Workstation).


Figure 5-1 Schematic representation of Internal & External Interface.

(Diagram, split into ON BOARD and WAYSIDE halves with an "ATC Scope / Not in ATC Scope" marking. Blocks shown: Carborne Controller (CC), Balise Transmission Module, Euroantenna, EuroBalise, Tachometer, Train Operator Display (TOD), Train Management System, Train Lines, TETRA Radio, Interlocking MicroLok II, Zone Controller (ZC), Frontam, CBI VDU, LATS, CATS/ATS at OCC, Wayside Devices, PSD, Passenger Information System, Time Distribution System (NTP), Communication Systems (PAS/PIDS). Interface labels shown: CC RST DID, CC TOD IIS, CC Odo IIS, CC BTM IIS, CC Antenna DID, CC ZC IIS, CC FTM IIS, ZC-IXL DID, ZC FTM IIS, SIG IXL Wayside DID, IXL VDU IIS, IXL ATS IIS, ATS FTM IIS, ATS - CBIVDU IIS, CATS - ATS IIS, PSD DID, PIDS DID, TETRA DID, NTP DID. Legend: IIS: Internal Interface Specification; DID: Detailed Interface Document.)

Consistency and completeness of the interface requirements is ensured by the System Project Engineer, who is also responsible for managing the interfaces among the STC systems and supervises the identification and resolution of interface issues with the other sub-systems. More technical detail about interfaces can be found within the Signalling and Train Control System - System Architecture Specification (System and Sub-system Overview) [7].

5.3.2 Fulfilment of System Requirements Specification

System requirements (both in terms of functionality and performance) have been traced from the customer specifications to the ASTS ATC system documentation in the Signalling System Traceability Specification [9]. This document provides the evidence that all relevant customer requirements have been taken into consideration and that the ATC architecture and configuration have been verified in design to satisfy them. The review record (PEER verification) of the Signalling System Traceability Specification is contained in the Ansaldo configuration management tool Team Center. As already reported in §4.5, the system requirements were derived from each contract requirement and reported in Team Center in the Signalling and Train Control System – System Requirement Specification (SRS) [17]. The following documentation is considered the reference requirement specification at ATC System level:

• Contractual documentation, as reported in 1.3.1

• Signalling and Train Control System - System Architecture Specification (System and Sub-system Overview) [7]

The following documentation is, instead, applicable only at ATC sub-system level:

• IXL Subsystem Requirements Specification [24]
• CBTC System Specifications [25]
• Zone Controller Functional Specification [26]
• Carborne Controller Functional Specification [27]
• ATS Sub-System Requirements Specification (SRS) [28]

5.3.3 Fulfillment of Quantitative Safety Requirements This paragraph provides the evidence that the overall safety targets allocated to the ATC Subsystem, in terms of Safety Integrity Levels (SILs) can be met by the ATC subsystem’s architecture and components. In order to come up with the SIL demonstration, this section first discusses how SILs are allocated to the ATC functions and components, then provides the ATC hazards summary. 5.3.4 Safety Integrity Level Allocation and Demonstration Process The Safety Integrity Level allocation and demonstration process at ATC level is depicted in the following figure.


Figure 5-2 SIL allocation and demonstration process for ATC system

ATC safety related functions have been identified as part of the safety analysis described in the ATC Preliminary Hazard Analysis and Risk Assessment [11]. During the PHA, for each safety function involving the ATC a quantitative safety requirement in terms of SIL has been determined. The next table reports the list of identified safety functions, along with the respective required SIL allocated to the involved ATC subsystem. Where an external subsystem is involved in the implementation of the function, this is reported in a separate column.

Table 5-1 SIL levels assigned to the ATC system

Columns: ID | Safety function | IXL | Wayside CBTC | Onboard CBTC | External system

SF1 | Train location determination
SF2 | Limit of safe movement protection
SF3 | Supervise/enforce authorized speed
SF4 | Train door control interlocks
SF5 | PSD control operation

External systems named in the table: Passenger Vehicle Emergency Braking; Passenger Vehicle Door Closed and Locked; PSD – Door Closed and Locked.
SIL values appearing in the table (the row/column assignment is not recoverable from the extracted text): SIL4, SIL4, SIL4, -, SIL4, SIL4, SIL4, -, SIL4, SIL4, SIL4, -, -, SIL4, SIL2, SIL2, SIL2.

The next figure reports the two types of conditions that need to be fulfilled for achieving the SIL demonstration for a function:

SIL qualitative target conditions (design and V&V process required by CENELEC according to the assigned SIL, formalized in the Safety Cases):
• Quality Management conditions;
• Safety Management conditions;
• Technical Safety conditions (technical defences against systematic faults).

Quantitative target conditions:
• Quantified Safety Targets (FR);
• Technical Safety conditions (for the achievement of random failure integrity).

Figure 5-3 SIL Demonstration Conditions.

The demonstration of the qualitative conditions has been done, in accordance with the requirements of the CENELEC standards, in Chapter 3 (Evidence of Quality Management) and Chapter 4 (Evidence of Safety Management), and additional demonstration is presented in the sections of this Safety Case referred to there. The achievement of the ATC technical safety requirements (qualitative) for mitigating both systematic and random faults is dealt with in §5.4. The next paragraph reports, instead, the approach followed and the detailed analysis performed for the evaluation and demonstration of achievement of the Quantified Safety Targets for the ATC safety related functions.

5.3.5 Demonstration of Safety Quantitative Targets

5.3.5.1 Quantitative safety targets demonstration approach

The demonstration of the quantitative safety requirements at ATC level requires the calculation of the failure rates of the safety functions for which the ATC system is involved as leader. To achieve the appropriate demonstration of the quantitative SIL requirement, the unsafe failure rate associated with each safety function must be calculated starting from the underlying equipment/component and generic application failure rates. In particular, while the generic products provide the failure rates of the respective equipment and components, the generic applications use these figures for evaluating their own failure rates, taking into account the architecture adopted for using the generic products (e.g. components in series or parallel, redundancy, etc.). The failure rates shall be provided in the relevant GP/GA safety cases and reported in terms of THR (Tolerable Hazard Rate, i.e. unsafe failures). If the product/application is not covered by a safety case (e.g. a component/application involved only in SIL 0 functions), the failure rates provided by the respective RAM analyses/reports are used. It should be noted that the RAM figures always represent more conservative data with respect to the safety ones, i.e. the RAM failure rate of a component is always greater than or equal to the respective THR.

Title: Overall ATC Detailed Design Safety Case

Date: 14-Apr-2019 Page 65 of 85

Kolkata East-West Metro Rail Project

At ATC Specific Application level, the failure rate of each safety related function is evaluated by considering the relevant equipment/components involved in a "unit" hazardous event, for which a conservative configuration in terms of number of trains, number of stations and specific location and length of track involved in the hazardous event shall be defined. This equipment/component configuration is called "Generic Location". The "Generic Location" thus provides the number of safety-related subsystems/equipment pieces/components involved around a train performing each safety function. If needed, the scope of one or more trains can be considered for collision related hazards.

Besides the specific number of equipment pieces/components involved in the performance of each safety function, the particular contribution to the safety integrity provided by each subsystem/equipment piece/component should also be considered. This aspect concerns not the number of pieces involved but the type of contribution of each type of equipment/component (e.g. serial or parallel contributions) to the particular safety function in which it is involved. To show the type of contribution for all the equipment/components involved in the performance of each safety function, a functional block diagram for each ATC safety related function is provided.

The most conservative demonstration for a safety function shall consider all the components/equipment involved as contributing serially, i.e. assuming that the safety function fails whenever any one of the components/equipment fails. In this case the failure rates of each equipment piece/component shall be added in order to obtain the failure rate of the safety function.

Only in case the quantitative safety target is not reached by considering all the components/equipment in series (most conservative functional block diagram), the functional block diagram may be adjusted (if possible) in order to better model the safety function (e.g. introducing parallels and redundancies, if they are applicable) and/or additional analysis/considerations on the affected hazard scenarios may be performed to justify the reduction of the functional failure rate.

5.3.5.2 General Considerations and Assumptions

This paragraph provides typical assumptions for the subsystem/equipment/component configuration involved in a generic safety function, which will help in the definition of the generic location for the evaluation of the unsafe failure rates of the ATC safety related functions. The following considerations apply:



• The train under consideration might be endangered either by a fault of its own Carborne Controller (CC) or by an adjacent train which is acting incorrectly (i.e. rear collision, side collision at an interlocking, head-on collision). Therefore, in a collision hazard scenario, the number of CC units considered will be 2;
• The stand-by units are not considered for the purpose of this analysis, since the unsafe failures of the ATC components are, by definition, undetected. For this reason the failover procedure is not expected to be invoked in case of occurrence of an unsafe failure of a component;
• One train is always under the control of an Interlocking (IXL). However, in case the train is approaching a section change or a change of track, this train will also be affected by the neighbouring Interlocking. Therefore the number of IXL units will be 4, considering the maximum number of Microlok units that can be involved in a route from one Interlocking to another;
• One train is always under the control of a Zone Controller (ZC). As there is only one ZC for KMRC in Phase 1A, the number of ZC units considered will be 1.

The previous assumptions result in the following basic equipment configuration for the generic safety function's "Generic Location":

• 1 Zone Controller;
• 2 Carborne Controllers;
• 4 IXL (MLK);
• 1 FrontAM (the only one, located at the Depot);
• Axle counters (only in degraded mode operation);
• Miscellaneous Wayside Safety-related Components (e.g. points, vital relays, signals, balises);
• Miscellaneous Vehicle Safety-related Components (e.g. speed sensors, vital relays, etc.);
• DCS equipment;
• ATS equipment.

Considering all the equipment to contribute serially to the failure rate of the generic safety related function (i.e. the failure of any single piece of equipment leads to the failure of the function), the following functional block diagram applies, with all blocks in series:

Computer Based Interlocking (MLK II, Axle Counter, Switch Machine, Vital relays, Signals) → Wayside CBTC (ZC) → Onboard CBTC (Balise, CC) → DCS (Onboard & Wayside network) → ATS (Central & Local)

Figure 5-4 Reliability Block Diagram for a Generic Location

Other general considerations apply in order to simplify the above functional block model.

• The miscellaneous wayside vital components are not expected to contribute significantly to the total number of unsafe failures, as:
  o Vital Relays are intrinsically fail-safe by design. In other words, every failure mode is known to result in a more restrictive, or safer, state. For this reason, the occurrence probability of unsafe failures due to Vital Relays is considered to be negligible;




  o Switch Machines are also considered to be intrinsically fail-safe, and therefore are assumed to have a negligible contribution to the overall probability of unsafe failures. This consideration is supported by the available safety certification for the Point Machine (refer to chapter 6 for details), which ensures the achievement of a SIL4 safety target. Additionally, it has to be considered that, once a route has been established for a train, power is cut from the switch, which is therefore incapable of spontaneously moving to an unsafe position when not commanded to move. Also, the ability of the switch machine to provide safe correspondence data is ensured through the use of intrinsically fail-safe equipment, taking into account that any systematic correspondence control failure rate is made negligible by the application of a SIL4-compliant process for design, installation and testing;
  o Balises are used for providing a position reference to the train, so they are crucial for the ATP function. All systematic faults are negligible since their configuration, installation and checking are done in accordance with a SIL4 process (evidence is provided in the core CBTC Safety Case, refer to chapter 6). The random faults are related to data corruption of the transmitted telegrams, but the likelihood of a corrupted telegram being accepted as valid (false positive) is minimised by the protocol adopted in the communication with the BTM (air-gap interface). Furthermore, any non-transmitting balise can be detected by the Onboard CBTC system (since the on-board track database contains the positions of the balises), which reports the information to the Frontam for diagnostic and maintenance purposes. Balises are laid out in such a manner that the loss of any single balise does not affect the CBTC functions. For these reasons, the occurrence probability of unsafe failures due to Balises is considered negligible;
  o Signals can be excluded from the analysis for all those functions that are related, in nominal mode, to operation in CBTC mode. In all other cases (degraded modes with CBTC bypassed) it has to be considered that the signals are vital components controlled by the IXL, and are intrinsically fail-safe by design. Every failure mode (e.g. lamp out) is detected by the IXL and results in a more restrictive, or safer, state. For this reason, the occurrence probability of unsafe failures due to signals is considered to be negligible;
  o Axle counters are fail-safe devices which ensure track section vacancy detection. The Safety Assessment Report is referenced in Chapter 6. The Tolerable Hazard Rate is taken from the Safety Certificate.

• All Communication Equipment is considered to be a source of corrupting noise that may be introduced into the communications channel. In other words, it is both permissible and expected that data corruption may occur as a result of Communication Equipment failure. Nevertheless, it should be noted that the DCS implements a variety of defences (e.g. sequence numbers, time stamps, time-outs, cryptographic techniques, etc.) against a list of identified threats (e.g. corruption, delay, repetition, deletion, etc.); this is the threat/defence model of EN 50159 for safety-related communication over a non-trusted transmission system, in which the channel itself is given no safety credit and message integrity is assured end to end by the safety-related end equipment. Therefore, all the failure modes affecting the DCS system are assumed to have a negligible effect on the overall occurrence probability of unsafe failures.

• The Frontam can be excluded from the analysis since it is mainly in charge of collecting CBTC subsystem maintenance information. The Frontam also stores the track database used by the CBTC trains to determine their position and driving speeds (portions of the track database are downloaded by the CC on the basis of its location). Since the track database is protected by a vital checksum and a configuration number, any Frontam failure mode that affects the integrity of the database is assumed to have a negligible effect on the overall occurrence probability of unsafe failures. Note that the checksum covers random corruption in storage and download only; the correctness of the database content itself is assured by the SIL4 data preparation process referred to in §5.6.



• The ATS subsystem, implementing vehicle regulation functions, is not expected to contribute to the System functions' unsafe failure rates, based on the consideration that the IXL and CBTC are designed to ensure system safety regardless of the ATS contribution (refer to System Hazard Analysis [14]).
• The miscellaneous vehicle vital components are not expected to contribute significantly to the total number of unsafe failures, as:
  o Vital Relays, as already mentioned for the wayside system, are intrinsically fail-safe. Therefore, by design, every failure mode is known to result in a more restrictive, or safer, state;
  o According to the Signalling and Train Control System - System Architecture Specification (System and Sub-system Overview) [6], two speed sensors of different technology are used on each vehicle. These sensors exhibit intrinsic fail-safety, and are incapable of producing electrical output pulses above the threshold count without corresponding axle rotation. Dual sensors are used primarily to enhance slip/slide detection capability. However, as the two sensors are continuously compared, this configuration also dramatically reduces the possibility of an unsafe failure due to speed sensor error. Therefore, because the two sensors are intrinsically fail-safe and also continuously compared, speed sensor failure is assumed to have no contribution to the overall unsafe failure rate.
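As an added illustration (not the project's DCS or any Ansaldo STS protocol), the following Python example shows the defences listed for the DCS above working together on one safety message: a sequence number, an authenticated time stamp checked against a time-out, and a keyed MAC. The receiver treats the channel as untrusted and rejects any message that fails a check, so corruption, delay, repetition and deletion each end in a rejected message (a restrictive outcome) rather than an unsafe one. The key, the header layout, the 500 ms time-out and the constructed movement-authority payload are assumptions made for the example.

```python
"""Message protection of the kind described for the DCS in 5.3.5.2.

Added example, not the KMRC DCS or any supplier protocol. A sequence number,
a time stamp with a time-out and a keyed MAC let a safety receiver classify
each message as accepted, corrupted, delayed, repeated, or preceded by a
deleted message. Key, field layout and limits are assumed for illustration.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

KEY = b"constructed-demo-key-not-a-real-secret"  # assumed shared key
MAX_AGE_MS = 500               # assumed time-out: anything older is "delayed"
HEADER = struct.Struct(">IQ")  # sequence number (uint32), time stamp in ms (uint64)
MAC_LEN = 16                   # truncated HMAC-SHA256 tag appended to every message


def _tag(key: bytes, header_and_payload: bytes) -> bytes:
    return hmac.new(key, header_and_payload, hashlib.sha256).digest()[:MAC_LEN]


def build_message(seq: int, ts_ms: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: header | payload | MAC computed over header and payload."""
    header = HEADER.pack(seq, ts_ms)
    return header + payload + _tag(key, header + payload)


class SafeReceiver:
    """Per-link receiver state; every check that fails rejects the message."""

    def __init__(self, key: bytes = KEY, max_age_ms: int = MAX_AGE_MS) -> None:
        self.key = key
        self.max_age_ms = max_age_ms
        self.last_seq: Optional[int] = None

    def check(self, msg: bytes, now_ms: int) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, payload). Only an 'accepted' payload may be acted on."""
        if len(msg) < HEADER.size + MAC_LEN:
            return "rejected_corruption", None
        header = msg[:HEADER.size]
        payload = msg[HEADER.size:-MAC_LEN]
        tag = msg[-MAC_LEN:]
        # Corruption, insertion or masquerade: the MAC no longer matches.
        if not hmac.compare_digest(tag, _tag(self.key, header + payload)):
            return "rejected_corruption", None
        seq, ts_ms = HEADER.unpack(header)
        # Delay: the time stamp is under the MAC, so an old message cannot be refreshed.
        if now_ms - ts_ms > self.max_age_ms:
            return "rejected_delay", None
        if self.last_seq is not None:
            # Repetition or re-sequencing: sequence number not beyond the last accepted one.
            if seq <= self.last_seq:
                return "rejected_repetition", None
            # Deletion: a gap in the sequence means at least one message was lost.
            # The link is resynchronised so the next consecutive message can be accepted.
            if seq != self.last_seq + 1:
                self.last_seq = seq
                return "rejected_deletion", None
        self.last_seq = seq
        return "accepted", payload


def run_demo() -> List[str]:
    """Constructed traffic exercising each threat; returns the receiver verdicts."""
    rx = SafeReceiver()
    ma = b"MA:stop-before=+1450m"      # constructed movement-authority payload
    m1 = build_message(1, 1000, ma)
    m2 = bytearray(build_message(2, 1100, ma))
    m2[HEADER.size] ^= 0x01            # flip one payload bit: channel corruption
    m4 = build_message(4, 1300, ma)    # seq 3 never arrives: deletion
    m5_old = build_message(5, 2000, ma)
    m5 = build_message(5, 3100, ma)
    return [
        rx.check(m1, 1100)[0],         # accepted
        rx.check(m1, 1200)[0],         # same message again: repetition
        rx.check(bytes(m2), 1200)[0],  # corruption
        rx.check(m4, 1400)[0],         # gap after seq 1: deletion
        rx.check(m5_old, 3000)[0],     # 1000 ms old: delay
        rx.check(m5, 3150)[0],         # fresh and consecutive: accepted
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The order of the checks matters: the MAC is verified first, so the sequence number and time stamp that drive the later checks are themselves authenticated and an attacker or a faulty node on the channel cannot pass a replayed message off as fresh by rewriting its header.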



Given the above considerations, the majority of unsafe ATC System failures are assumed to result from the Interlocking, the Zone Controller and the Carborne Controller. These three systems employ microprocessors using diversity and self-checking fail-safe software techniques to ensure that reactive fail-safety is achieved. While these systems possess no known unsafe failure modes, they do possess an essentially infinite number of total failure modes, thereby making it impossible to prove their fail-safety absolutely. Therefore, quantitative analysis must be used to place an upper limit on the probability that each system will contribute to an unsafe system failure. Therefore, for the evaluation of the unsafe ATC failure modes, the following simplified functional block diagram applies:

Computer Based Interlocking (MLK II, Axle Counters) → Wayside CBTC (ZC, ZCR) → Onboard CBTC (CC)

Figure 5-5 Simplified Block Diagram for a Generic safety function

The next table reports the available unsafe failure rates for the components to be taken into account.

Table 5-2 Tolerable Hazard Rate Chart

ATC Component | Unsafe Failure Rate [events/hour] | Document Reference | Notes
MLK II | 6.265×10⁻¹⁰ | ISA Safety Assessment Report MICROLOCK II version CC 3.2, 2011/QTL/61 REP_CCS_01 Rev 1.0 | -
Zone Controller | 1.181×10⁻⁹ | Core CBTC System Hazard Analysis / Interface Hazard Analysis (C_D2101, Revision 06-01-01-00) | Hazard Rate (when IXL is MLK)
Carborne Controller | 2.879×10⁻⁹ | Core CBTC System Hazard Analysis / Interface Hazard Analysis (C_D2101, Revision 06-01-01-00) | CC Failure Rate for a Mono-CC configuration
Axle Counter | 1×10⁻⁹ | Safety Assessment Report, Assessment according to EN 50129, FAdC-R2, Report No. FS86457G, Revision 01.01, Date 2015-03-13 | The THR associated with the event TOP3 (in case of Dual configuration, IO-EXB and annual average temperature greater than 40 °C) is greater than 1×10⁻⁸, and is less than 1×10⁻⁹ in all other cases. The project does not use the Dual configuration, hence a THR of 1×10⁻⁹ is considered.
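As an added worked example (not code from the safety case or from the supplier), the following Python script implements the serial reliability-block-diagram summation of 5.3.5.1 using the THR values of Table 5-2 and the equipment counts that 5.3.6 to 5.3.10 adopt for each safety function, and checks each sum against the EN 50129 THR band of the required SIL (10⁻⁹ ≤ THR < 10⁻⁸ events/hour for SIL4, 10⁻⁷ ≤ THR < 10⁻⁶ for SIL2). The `parallel_thr` helper, its exposure-window argument and the function names are assumptions for illustration; the safety case itself needs only the serial model.

```python
"""Serial reliability-block-diagram (RBD) summation of tolerable hazard rates.

Added worked example; not code from the KMRC safety case or the supplier.
Method of 5.3.5.1: every item in the "Generic Location" contributes in series,
so the unsafe failure rate of a safety function is the sum of count x THR over
the items involved; the result is then compared with the THR band that
EN 50129 assigns to the required SIL. THR values are those of Table 5-2 and
the per-function counts are those used in 5.3.6 to 5.3.10.
"""
from typing import Dict, Tuple

# Unsafe failure rates from Table 5-2 [events/hour].
THR: Dict[str, float] = {
    "MLK": 6.265e-10,  # Microlok II interlocking
    "ZC": 1.181e-9,    # Zone Controller (hazard rate when the IXL is MLK)
    "CC": 2.879e-9,    # Carborne Controller, mono-CC configuration
    "AC": 1.0e-9,      # Axle counter FAdC-R2, non-dual configuration
}

# EN 50129 THR bands per safety function and hour: 10^-(SIL+5) <= THR < 10^-(SIL+4).
# A THR below 10^-9 still counts as SIL 4, the highest level defined.
SIL_UPPER_BOUND: Dict[int, float] = {sil: 10.0 ** -(sil + 4) for sil in (1, 2, 3, 4)}

# (equipment counts, required SIL) per safety function, as in 5.3.6 to 5.3.10.
# N = normal (CBTC) mode, D = degraded (fixed block) mode.
SAFETY_FUNCTIONS: Dict[str, Tuple[Dict[str, int], int]] = {
    "SF1N train location determination": ({"ZC": 1, "CC": 1}, 4),
    "SF1D train location determination": ({"MLK": 4, "AC": 3}, 4),
    "SF2N limit of safe movement": ({"ZC": 1, "CC": 2}, 4),
    "SF2D limit of safe movement": ({"MLK": 4, "AC": 2, "ZC": 1, "CC": 1}, 4),
    "SF3N supervise/enforce authorised speed": ({"MLK": 4, "ZC": 1, "CC": 1}, 4),
    "SF4N train door control interlocks": ({"CC": 1}, 4),
    "SF5N PSD control operation": ({"MLK": 1, "ZC": 1, "CC": 1}, 2),
}


def serial_thr(counts: Dict[str, int], thr: Dict[str, float] = THR) -> float:
    """Unsafe failure rate of a function whose equipment all contributes in series.

    Series means the function fails whenever any one item fails, so rates add.
    This is the most conservative block diagram described in 5.3.5.1."""
    return sum(n * thr[name] for name, n in counts.items())


def parallel_thr(rate_a: float, rate_b: float, exposure_h: float) -> float:
    """First-order rate for two independent channels that must both fail unsafely
    within the same exposure window (the time after which an undetected failure
    is revealed by test or maintenance). Illustrates the "introduce parallels"
    refinement of 5.3.5.1; assumed helper, not used by the safety case."""
    return rate_a * rate_b * exposure_h


def achieved_sil(rate: float) -> int:
    """Highest SIL whose EN 50129 THR band contains the rate; 0 if above 10^-5."""
    for sil in (4, 3, 2, 1):
        if rate < SIL_UPPER_BOUND[sil]:
            return sil
    return 0


def meets_target(rate: float, required_sil: int) -> bool:
    """True when the rate is below the upper bound of the required SIL band."""
    return rate < SIL_UPPER_BOUND[required_sil]


def demonstrate(functions=SAFETY_FUNCTIONS) -> Dict[str, Tuple[float, int, int, bool]]:
    """Return {name: (rate, required SIL, achieved SIL, target met)} per function."""
    result = {}
    for name, (counts, required) in functions.items():
        rate = serial_thr(counts)
        result[name] = (rate, required, achieved_sil(rate), meets_target(rate, required))
    return result


if __name__ == "__main__":
    for name, (rate, required, achieved, ok) in demonstrate().items():
        status = "OK" if ok else "NOT MET"
        print(f"{name:42s} {rate:.3e} /h  required SIL{required}  achieved SIL{achieved}  {status}")
```

Running the script prints one line per function; the SF1D entry uses the three axle counter sections stated in 5.3.6, and SF5N shows a function whose SIL2 target is met with a margin of two SIL bands. Because every count is a multiplier on a fixed THR, the same table also makes it easy to check how many additional in-series items a function could absorb before crossing the 10⁻⁸ bound.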

In the following paragraphs, for each safety related function involving the ATC, a proper evaluation of the unsafe failure rate is provided.

5.3.6 SF 1: Train Location Determination

According to table 5-3, the target frequency of occurrence of an unsafe loss of the train location determination function is the one associated with SIL4, as per EN 50129 [87] (i.e. a THR below 10⁻⁸ events/hour). During normal operation, train detection and localisation is done by the CBTC. In degraded mode, for non-communicating trains, the IXL is used for location determination.

Normal Mode calculations: for the calculation of the unsafe failure rate of this function, the following elements of the CBTC are considered:
• CC: 1, as each train is controlled by a single CC at any given instant of time;
• ZC: 1, as one train is always under the control of a Zone Controller (ZC). There is a single ZC in KMRC Ph-1A.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{1N} = 1 \times ZC + 1 \times CC = 1 \times 1.181 \times 10^{-9} + 1 \times 2.879 \times 10^{-9} = 4.06 \times 10^{-9}$ events/hour

Degraded Mode calculations: in degraded mode, the trains are located according to fixed block signalling principles. Each block is bounded by an axle counter detection system. So for the calculation of the unsafe failure rate of this function, the following elements of the IXL system are considered:
• MLK II: 4. The project has 3 zones on the mainline, and at any time a cross-boundary route (from one Interlocking to another) can involve a maximum of 4 Microlok units;
• Axle Counter: a maximum of 3 sets is considered, as each block, platform section and switch zone track section involved in a route has one axle counter section.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{1D} = 4 \times MLK + 3 \times AC = 4 \times 6.265 \times 10^{-10} + 3 \times 1 \times 10^{-9} = 5.506 \times 10^{-9}$ events/hour

(With a single axle counter section the sum would be 3.506×10⁻⁹ events/hour; the figure with 3 sections is retained as the conservative one, and both are within the SIL4 band.)

The calculated unsafe failure rates demonstrate that the safety function achieves its required quantitative target for SIL4 in both modes.

5.3.7 SF 2: Limit of Safe Movement Protection

According to table 5-3, the target frequency of occurrence of an unsafe loss of safe movement protection is the one associated with SIL4, as per EN 50129 [87]. During normal operation, train safe movement protection is ensured by the CBTC (wayside and onboard). In degraded mode, for non-communicating trains, the IXL alone or together with the CBTC is used for safe movement protection.

Normal Mode calculations: for the calculation of the unsafe failure rate of this function, the following elements of the CBTC are considered:
• CC: 2, as each train is controlled by a single CC at any given instant of time and the locations of 2 trains are involved in the event;
• ZC: 1, as one train is always under the control of a Zone Controller (ZC). There is a single ZC in KMRC Ph-1A.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{2N} = 1 \times ZC + 2 \times CC = 1 \times 1.181 \times 10^{-9} + 2 \times 2.879 \times 10^{-9} = 6.939 \times 10^{-9}$ events/hour

Degraded Mode calculations: in degraded mode, one of the trains is located according to fixed block signalling principles and the second, communicating, train is located by the CBTC. The fixed block is bounded by an axle counter detection system. So for the calculation of the unsafe failure rate of this function, the following elements of the IXL and CBTC systems are considered:
• MLK II: 4. The project has 3 zones on the mainline, and at any time a cross-boundary route (from one Interlocking to another) can involve a maximum of 4 Microlok units;
• Axle Counter: 2 sets are considered, as the train ahead, under fixed block signalling, can occupy 2 axle counter sections at a time;
• CC: 1, as each train is controlled by a single CC at any given instant of time;
• ZC: 1, as one train is always under the control of a Zone Controller (ZC). There is a single ZC in KMRC Ph-1A.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{2D} = 4 \times MLK + 2 \times AC + 1 \times ZC + 1 \times CC = 4 \times 6.265 \times 10^{-10} + 2 \times 1 \times 10^{-9} + 1 \times 1.181 \times 10^{-9} + 1 \times 2.879 \times 10^{-9} = 8.566 \times 10^{-9}$ events/hour

The calculated unsafe failure rates demonstrate that the safety function achieves its required quantitative target for SIL4 in both modes.

5.3.8 SF 3: Supervise/enforce authorised speed

According to table 5-3, the target frequency of occurrence of an unsafe loss of the supervision/enforcement of authorised speed function is the one associated with SIL4, as per EN 50129 [87]. During normal operation, train speed supervision is done by the CBTC. In degraded mode, for non-communicating trains, the operator is responsible for driving at a speed below 25 km/h. Hence the SIL computation is done only for the normal case.

The Automatic Train Protection (ATP) system running on the Onboard CBTC has the responsibility to:
• supervise the authorised speed at any time (only the Onboard CBTC is involved), and
• command the brakes in case an over-speed is detected. In this case, the actual enforcement of the brake/speed reduction is implemented in cooperation with the Rolling Stock, which has the direct responsibility for traction cut-off and brake application. Refer to the figure below.

S&TC: IXL → Wayside CBTC (ZC) → Onboard CBTC (CC)  |  RS: RS Vital Relays & Train lines → RS Brake System

Figure 5-6 Supervise/enforce authorised speed

Since Rolling Stock safety assurance is out of the scope of this Safety Case (it is covered within the RS contractor's scope of work), in the following the achievement of the quantified safety target is demonstrated only for the S&TC system part.

Normal Mode calculations: for the calculation of the unsafe failure rate of this function, the elements of the over-speed detection and braking command generation function of the CBTC are considered:
• CC: 1, as each train is controlled by a single CC at any given instant of time;
• MLK II: 4. The project has 3 zones on the mainline, and at any time a cross-boundary route (from one Interlocking to another) can involve a maximum of 4 Microlok units;
• ZC: 1, as one train is always under the control of a Zone Controller (ZC). There is a single ZC in KMRC Ph-1A.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{3N} = 4 \times MLK + 1 \times ZC + 1 \times CC = 4 \times 6.265 \times 10^{-10} + 1 \times 1.181 \times 10^{-9} + 1 \times 2.879 \times 10^{-9} = 6.566 \times 10^{-9}$ events/hour

The calculated unsafe failure rate demonstrates that the safety function achieves its required quantitative target for SIL4.

5.3.9 SF 4: Train Door Control Interlocks

According to table 5-3, the target frequency of occurrence of an unsafe loss of the Train Door Control Interlocks function is the one associated with SIL4, as per EN 50129 [87]. During normal operation, the Door Control Interlocks are ensured by the CBTC. In degraded mode, for non-communicating trains, the operator is responsible for opening the doors. Hence the SIL computation is done only for the normal case. Referring to the picture below, the Automatic Train Protection (ATP) system running on the Onboard CBTC shall issue the Door Enable and Door Open commands, sequentially, to the Rolling Stock when Zero Speed and the correct side platform are detected. The correct opening of all the train doors shall be the responsibility of the Rolling Stock Contractor. Based on this argument, the following paragraph addresses the SIL4 nature of the command generation of the Signalling & Train Control system.


S&TC: Onboard CBTC (CC)  |  RS: RS Door Control Train lines → RS Door Control Units

Figure 5-7 Block diagram Train Door Control Interlocks

Normal Mode calculations: for the calculation of the unsafe failure rate of this function, the elements of the door control interlocking command generation function of the CBTC are considered:
• CC: 1, as each train is controlled by a single CC at any given instant of time.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{4N} = 1 \times CC = 1 \times 2.879 \times 10^{-9} = 2.879 \times 10^{-9}$ events/hour

The calculated unsafe failure rate demonstrates that the safety function achieves its required quantitative target for SIL4.

5.3.10 SF 5: PSD Control Operation

According to table 5-3, the target frequency of occurrence of an unsafe loss of the PSD Control Operation function is the one associated with SIL2, as per EN 50129 [87]. Referring to the picture below, the Automatic Train Protection (ATP) system running on the Onboard CBTC shall issue the Door Enable and Door Open commands, sequentially, to the ZC when Zero Speed and the correct side platform are detected. The ZC in turn transmits the commands to the CBI (IXL), which in turn provides the door enable and door open commands to the PSD. The correct opening of all the platform screen doors shall be the responsibility of the PSD Contractor. Based on this argument, the following paragraph addresses the integrity of the command generation of the Signalling & Train Control system.


S&TC: Onboard CBTC (CC) → Wayside CBTC (ZC) → CBI (MLK)  |  PSD: PSD

Figure 5-8 PSD Control Operation

Normal Mode calculations: for the calculation of the unsafe failure rate of this function, the elements of the PSD door operation command generation function of the CBTC and CBI are considered:
• CC: 1, as each train is controlled by a single CC at any given instant of time;
• ZC: 1, as the ZC receives the commands from the CC and transmits them to the CBI;
• MLK: 1, as the MLK (CBI) receives the commands from the ZC and transmits them to the PSD.

The numeric value associated with this function can be expressed as the sum of the contributions of the participating components, as shown in the following equation:

$SF_{5N} = 1 \times MLK + 1 \times ZC + 1 \times CC = 6.265 \times 10^{-10} + 1.181 \times 10^{-9} + 2.879 \times 10^{-9} = 4.69 \times 10^{-9}$ events/hour

The calculated unsafe failure rate demonstrates that the safety function achieves its required quantitative target for SIL2 (the figure is in fact within the SIL4 band).

5.4 DEMONSTRATION OF THE SAFETY QUALITATIVE REQUIREMENTS

Safety Qualitative requirements are demonstrated according to the process described in §4.5. The next paragraph reports the evidence of the activities performed at the design phase to support the demonstration that the safety requirements have been identified and implemented in the ATC design.

5.5 ASSURANCE OF CORRECT HARDWARE FUNCTIONALITY

Correct hardware functionality of the KMRC signalling system equipment at system level is assured through extensive verification and validation (V&V) of the Safety Requirements as well as through extensive RAM analyses. V&V evidence of the Safety Requirements is provided in the project Hazard Log, produced during the development phases as described in the V&V Plans. This Safety Case also presents the linking of design principles and testing procedures for the fulfilment of the System Requirements as well as the Safety Requirements. Evidence can be found in:

• Signaling System Traceability Specification [9]
• ATC Hazard Log [18]
• ATC System Validation Test Specification [19]

Evidence of RAM Analysis:
• ATC Preliminary RAM Analysis and Apportionment [28]
• CBTC RAM Prediction Analysis [29]
• IXL RAM Prediction Analysis [30]
• ATS RAM Prediction Analysis [31]
• DCS RAMS Prediction Analysis [32]
• FOTS RAM Prediction Analysis [38]
• ATC System RAM Prediction Analysis - Phase 1 [39]

It is to be noted that field installation, field testing, integration tests and reliability demonstration will provide the final assurance of correct hardware functionality. The relevant reports on the above activities will be evidenced in the ATC System Safety Case, KMRC-24110, a future delivery in this project.

5.6 ASSURANCE OF CORRECT SOFTWARE FUNCTIONALITY

Correct software functionality has been assured by compliance with the requirements of EN 50128 to the extent required by the Safety Integrity Level (SIL) of the functions performed by each software program/module. The ATC system was designed and developed following the process in accordance with the standard EN 50128:2001 [87]. According to the safety functions performed by the ATC and the relevant SIL requirements defined in Section 4.5, compliance with the Software Integrity Levels on the basis of the functions performed by each software program/module is presented in table 5-3, where the required SIL associated with each software item is given.

Table 5-3 SIL levels assigned to the ATC system

S.No | Software Program/Module | Compliance
1 | ATS Software* | SIL 0
2 | MICROLOK II Executive Software | SIL 4
3 | Wayside ATP Application Software (running on MLK II) | SIL 4
4 | Carborne Controller platform software (DIVA) | SIL 4
5 | Carborne Controller ATP application software | SIL 4
7 | Data Communications Subsystem (DCS) | SIL 0
8 | Zone Controller platform software (DIVA) | SIL 4
9 | Zone Controller ATP application software | SIL 4
10 | FRONTAM | SIL 0

(*) Setting and removal of TSRs are the safety related functions implemented in the current CBTC version via the ATS. The detailed safety analysis of TSR management is included in the ATS Subsystem Hazard Analysis [14]; the test traceability to the safety mitigations is provided in the ATC Hazard Log [18]. The safety analysis has identified the safety constraints, expressed as risk reduction measures, which are either exported as safety related conditions to Metro operation and maintenance, or have been fulfilled by the related subsystems.

Concerning item 1 (ATS), the hazard analyses (whose results are documented in the Hazard Log) did not identify any mitigations which would require a SIL to be assigned to this subsystem. Further, it interacts with the CBTC and IXL systems, which are SIL4 systems. Since no safety-related function is assigned to the ATS, by definition its software SIL is 0. In addition, the ATS is not a new product: it utilises the "Hermes" ATS product, which is proven in use, that is a set of pre-existing proven software modules and libraries currently used in ATS systems in revenue service in various systems worldwide. The product was then customised with the specific application (track configuration and interfaces) of KMRC Ph-1A. ATS software functionality tests are nevertheless conducted in the Lab and in the Field: there is a dedicated ATS Software Factory Acceptance Test (FAT) Procedure [47] for Lab testing, and an ATS Partial Acceptance Test Procedure [49] and ATS Software System Acceptance Test (SAT) Procedure [50] for the Field. It is to be noted that the testing of vital functions initiated from the ATS, such as Removal of Block and Removal of TSR, is part of the respective IXL software and CBTC software tests, in the Lab using KMRC-27118 [43] and KMRC-26075 [51], and in the Field using the Interlocking Partial Acceptance Test Procedure [44] and the CBTC System Acceptance Test Procedure [52].

The status of the ATS tests for all locations (FAT, PIT, PAT, SAT) will be summarised in the ATS Specific Application Verification Report KMRC-24047 and ATS Specific Application Validation Report KMRC-24048; these are future deliverables, once the Field testing activities conclude.

Concerning item 2 (Microlok II executive software), item 4 (Carborne Controller platform software, DIVA) and item 5 (Carborne Controller ATP Application Software), please see Section 6, Related Safety Cases. Concerning item 3, the interlocking MLK specific application software Safety Cases [81], [82], [83], [84] provide evidence of how independent Design Review and Validation is conducted by the Safety team. Concerning item 8 (Zone Controller platform software, DIVA) and item 9 (Zone Controller ATP Application Software), please see Section 6, Related Safety Cases. Concerning item 10 (FRONTAM), since no safety-related function is assigned to the FRONTAM, by definition its software SIL is 0.

Concerning the Core CBTC data preparation process for the CC: this is a SIL4 process and is included in the Core CBTC Generic Application Safety Case (see Section 6, Related Safety Cases). Further, the Design Preparation Safety Reports for the CC, ZC and System will be produced by the CBTC SA V&V team on the CBTC database. These reports will be delivered as part of the CBTC Specific Application Safety Case, KMRC-24030, a future deliverable in this project.

Wayside IXL Subsystem

The Microlok product is certified as a SIL4 product and has been in service at many stations on Indian Main Line (surface) railways for the last 15 years. For KMRC the same hardware as used on the Main Line railway is used, while for the software of the Wayside MLK Specific Application the Interlocking Application Logic Programming Guidelines [50] form the reference for design, and the V&V activities are performed according to the IXL V&V Plan [35]. The application logic for each station has been verified by the independent RAMS team using the Application Logic Verification Specification [21]. Further, the IXL software will be tested in the Lab using KMRC-27118 [43] and in the Field using the Interlocking Partial Acceptance Test Procedure [44] and Interlocking System Acceptance Test Procedure [44]. The status of the IXL tests for all locations (FAT, PIT, PAT, SAT) will be summarised in the IXL Specific Application Verification Report KMRC-24051 and IXL Specific Application Validation Report KMRC-24052; these are future deliverables, once the Field testing activities conclude.

Wayside and Onboard CBTC System

Further to the database verification process, the functionality of the CBTC Onboard and Wayside systems is checked in the Factory, in the Field and also in the integrated Lab and Field environment. Factory testing is conducted using the CBTC Factory Acceptance Test Procedure [51], whereas Field testing uses the CBTC System Acceptance Test Procedure [52]. The final test campaign is conducted using the ATC System Validation Test Specification [19] once the respective Lab and Site CBTC test campaigns are over. For Onboard CC integration testing with the Rolling Stock, the CC Static Test Procedure KMRC-26076 [53] and CC Dynamic Test Procedure KMRC-26124 [54] are to be used. The summary of the Wayside and Vehicle test reports will be covered in the Wayside ATC Verification & Validation Test Reports KMRC-24108 and KMRC-24107.


5.7 EFFECT OF FAULT

This section provides evidence that the KMRC signalling system, its subsystems and its equipment continue to meet their specified safety requirements in the event of random hardware faults and, as far as reasonably practicable, systematic faults. In order to achieve these targets, the core CBTC platforms, namely the MicroLok II IXL, the CC and the ZC, have been designed using the following fail-safe design principles outlined in EN 50129 [87]:

- The MLK II uses inherent fail-safety and reactive fail-safety (also known as diversity and self-checking) techniques and controls the point machines (SIL-4 product) and the signals.

- The CC, ZC, balises and tag readers use a combination of composite fail-safety and inherent fail-safety techniques.

- The Axle Counter Subsystem, model FAdC-R2 supplied by FRAUSCHER, carries a certificate of approval to the EN 50129 series from TÜV SÜD Rail.
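The fail-safe principles listed above can be made concrete with a small voter. The following is an added illustrative example, not Ansaldo STS code and not the CC/ZC or MLK II implementation: a 2-out-of-3 voter with a restrictive-side default, in which each channel's output is self-checked before it is counted (reactive fail-safety) and a permissive command needs two agreeing healthy channels (composite fail-safety). The channel encoding (a value plus its bitwise complement), the channel names and the fault scenarios are assumptions constructed for this example.

```python
"""Added example (not Ansaldo STS code): a 2oo3 vital voter with reactive
fail-safety. Channel outputs and the value/complement coding are assumptions
made only to give the self-check something concrete to check."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Aspect(Enum):
    STOP = 0x00     # restrictive side: the state the voter falls to on any doubt
    PROCEED = 0x01  # permissive: may only be driven by a valid 2oo3 majority


@dataclass(frozen=True)
class ChannelOutput:
    name: str
    value: int       # what the channel computed
    complement: int  # the channel also emits ~value & 0xFF; a mismatch reveals a corrupt output


@dataclass(frozen=True)
class Vote:
    output: Aspect
    suspect: Tuple[str, ...]  # channels that failed self-check or lost the vote
    healthy_count: int


def self_check(ch: ChannelOutput) -> Optional[Aspect]:
    """Reactive fail-safety: a channel whose value and complement disagree, or that
    emits a value outside the coding, is treated as having produced no output."""
    if (ch.value ^ ch.complement) != 0xFF:
        return None
    try:
        return Aspect(ch.value)
    except ValueError:
        return None


def vote_2oo3(channels: List[ChannelOutput]) -> Vote:
    """PROCEED only when at least two channels pass their self-check and agree.
    One healthy channel, a 1-1 split, or two faults all resolve to STOP."""
    if len(channels) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    decoded = {ch.name: self_check(ch) for ch in channels}
    healthy = {n: a for n, a in decoded.items() if a is not None}
    tally = {}
    for a in healthy.values():
        tally[a] = tally.get(a, 0) + 1
    majority = next((a for a, n in tally.items() if n >= 2), None)
    if majority is None:
        # Fewer than two channels agree: the fault cannot be attributed to one
        # channel, so the whole set is flagged and the restrictive aspect is commanded.
        return Vote(Aspect.STOP, tuple(decoded), len(healthy))
    suspect = tuple(n for n, a in decoded.items() if a != majority)
    return Vote(majority, suspect, len(healthy))


def encode(name: str, aspect: Aspect) -> ChannelOutput:
    """A healthy channel emits the value together with its complement."""
    return ChannelOutput(name, aspect.value, (~aspect.value) & 0xFF)


# Constructed scenarios covering the cases the fault analyses have to address.
def all_healthy() -> Vote:
    return vote_2oo3([encode("A", Aspect.PROCEED), encode("B", Aspect.PROCEED),
                      encode("C", Aspect.PROCEED)])


def single_disagreement() -> Vote:
    # Single fault: C computes STOP while A and B compute PROCEED.
    return vote_2oo3([encode("A", Aspect.PROCEED), encode("B", Aspect.PROCEED),
                      encode("C", Aspect.STOP)])


def single_selfcheck_failure() -> Vote:
    # Single fault: B's output bit is stuck, so value and complement no longer match.
    return vote_2oo3([encode("A", Aspect.PROCEED), ChannelOutput("B", 0x01, 0xFF),
                      encode("C", Aspect.PROCEED)])


def double_fault() -> Vote:
    # Multiple faults: only A is still healthy, so no 2oo3 majority exists.
    return vote_2oo3([encode("A", Aspect.PROCEED), ChannelOutput("B", 0x01, 0xFF),
                      ChannelOutput("C", 0x01, 0x01)])


if __name__ == "__main__":
    for scenario in (all_healthy, single_disagreement, single_selfcheck_failure, double_fault):
        print(f"{scenario.__name__:26s} -> {scenario()}")
```

The four scenario functions exercise the behaviour the safety case asks the generic analyses to cover: a single disagreeing or self-check-failing channel is detected and flagged while the voted output stays correct, and a second fault, which leaves no 2oo3 majority, drives the output to STOP rather than to the value of the one surviving channel.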

The effect of faults for the KMRC specific application is addressed directly at generic application level for the CBTC and at generic product level for the IXL; the specific application is therefore completely covered by the following:

Effects of single faults: The effect of single faults at Core CBTC level is analysed in the Core CBTC GASC [57]. The analysis of the effect of single faults at On-Board and Wayside equipment level is presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.

Independence of items: The redundancies inside the On-Board equipment are analysed at CC level and presented in the Core CBTC GASC [57]. The redundancies inside the Wayside equipment are analysed at ZC and MLK level and presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.

Detection of single faults: The detection of single faults for the On-Board equipment is presented in the Core CBTC GASC [57]. The detection of single faults for the Wayside equipment is presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.

Action following detection: The actions following detection of an On-Board equipment fault are presented in the Core CBTC GASC [57]. The actions following detection of a ZC or MLK equipment fault are presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.

Effect of multiple faults: The effect of multiple faults at Core CBTC level is analysed in the Core CBTC GASC [57]. The analysis of the effect of multiple faults at On-Board and Wayside equipment level is presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.


Protections against systematic faults: The analysis of the protections against systematic faults at On-Board and Wayside equipment level is presented in the Core CBTC GASC [57] and the MLK II GPSC [55], respectively.

In summary, the CBTC generic functions have been developed and analysed at generic level and presented in the Core CBTC GASC [57]. The verification of the specific application for KMRC (the DB and the corresponding parameters) is fulfilled via the site tests and the data preparation process defined in the Generic Application Safety Case. Further, the core platforms have been designed and certified to Safety Integrity Level 4 in accordance with the requirements of EN 50126 [85], EN 50128 [86] and EN 50129 [87] for systematic failure integrity.

Table 5-4 Product and Generic Application Safety Certificate Status

Product definition | Date | Certification report
Microlok II Executive SW | September 2011 | Safety Assessment Report MICROLOK II_CC 3.2 from RINA SpA, Genoa, Italy
Two out of three vital architecture (basic architecture of ZC and CC) | June 2001 | Homologation of LGV Méditerranée by SNCF
MTOR vital input/output board for train interface unit | November 2005 | Certificate by CERTIFER, French Notified Body
DIVA vital platform 2-o-o-3 vital computer | May 2006 | Independent safety assessment report by SNCF IG-SF
Bi-standard DIVA v6.0.3b BTM version 6.21 | February 2007 | Assessment report BTM version 6.21, by RAILCERT
Bi-standard DIVA v6.0.3b Odometer 3.1.2 | September 2003 | Report on evaluation of Central Odometry, by CERTIFER
Bi-standard DIVA v6.0.3b CSD DIVA | February 2007 | Independent safety evaluation of CSD DIVA 2.2, final report by IGSF
Bi-standard DIVA v6.0.3b MTOR | February 2007 | Evaluation report on MTOR FTT, by CERTIFER
Bi-standard DIVA v6.0.3b DMI software | February 2007 | DMI software evaluation report, by CERTIFER
Bi-standard DIVA v6.0.3b DMI hardware | March 2007 | DMI hardware final evaluation report, by CERTIFER
Axle Counter | March 13, 2013 | FS86457G Revision: 01.01
Core CBTC Generic Application | July 2018 | Safety Assessment Report System Core CBTC V6.3.2_R3

ASTS has undertaken an elaborate hazard analysis at specific application level for Kolkata Metro 1 to identify the various hazards and assign mitigations. Some of these mitigations have been traced to product level while others have been mitigated at specific application level; refer to the ATC System Hazard Log [18]. Hence the effects of the various faults have been resolved at design level to ensure that the overall ATC system can be operated at a SIL-4 level of safety.

5.8 OPERATION WITH EXTERNAL INFLUENCES

Correct operation includes the fulfilment of both operational and safety requirements under specified external influences such as temperature and humidity extremes, mechanical vibration and shock, and electromagnetic interference from other systems of the Metro or from surrounding facilities. The KMRC signalling system and its constituent subsystems and equipment have been designed and verified to work safely and reliably under the specified external influences.

All certified products were subject to shock, vibration, environmental and EMI/EMC testing according to EN standards. EMI/EMC testing of the KMRC signalling system and its subsystems will be performed based on the following plans:

- EMC Control Plan Signaling Level
- EMC Wayside Survey Test Plan
- EMC On-board Survey Test Plan
- EMC Wayside Integration Test Plan (Phase 1)
- EMC On-board Integration Test Plan

It is to be noted that the reports based on these plans will be part of the ATC System Safety Case KMRC-24110.

5.9 SAFETY RELATED APPLICATION CONDITIONS

This section describes the safety-related conditions and constraints that must be obeyed for the operation of the KMRC signalling system. As this Safety Case deals with the whole signalling system as designed for KMRC, the safety-related application conditions mainly consist of those rules that guarantee the correct operation of the signalling system in the KMRC environment according to the principles used for the system and subsystem design. Specifically, these conditions and constraints include:

- Application design safeguards that must be in place to account for the inherent characteristics of the core platforms (exported safety application conditions from the CBI and the CC), the Axle Counter subsystem and other wayside equipment, which require specific operation and/or maintenance actions. These include:
  - SRACs mentioned in the CC 3.2 Safety Assessment Report by RINA
  - Microlok II Platform Safety Assessment issues
  - SRACs from the Axle Counter System
  - SRACs from the CBTC Generic Application solution


It is to be noted that all SRACs related to the IXL, ATS and CBTC design are resolved and evidenced in the ATC Hazard Log [18].

- Application conditions and operational safeguards that result from interfaces with other systems of the Metro (e.g. rolling stock, platform screen doors). These were identified during the interface hazard analyses and documented in the hazard log. These SRACs are part of the Hazard Log, and the acceptance report for these SRACs with the other contractors will be evidenced in the next version of the Hazard Log.

- Safeguards to be practised by the operations and maintenance personnel, given the inherent characteristics of the signalling system, documented in the relevant manuals. These SRACs are part of the Hazard Log, and the acceptance report for these SRACs with O&M will be evidenced in the next version of the Hazard Log.

- Application conditions corresponding to the exported requirements of the data verification process, which shall be transferred to KMRC for operation and maintenance. This SRAC list will be available only after design/database verification.

5.10 SAFETY QUALIFICATION TEST

The complete list of the integration system level field tests is reported in the ATC System Validation Test Plan [19] and the ATC System Validation Test Specification [19]. These tests are planned at the factory and in the field. The reports of these tests will be documented in the ATC System Verification & Validation Test Report KMRC-24106, a future deliverable in this project.


6 RELATED SAFETY CASES

As already outlined in 4.10, the following safety cases are related to this document:

- ML2-QS-009 Rev. 11 dated 9 Sep 2011 - MICROLOK II Generic Product Safety Case
- STD_CBTC_GASC_06-03-03

The Generic Product Safety Case and the Generic Application Safety Cases are supported by the respective product-level ISA reports, as shown in the table below.

Table 6-1 – Generic Product Safety Assessment Report

Generic Product/Application | Safety Assessment Report
Axle Counter | Report-No: FS86457G
Microlok | 2011/QTL/61 REP_CCS_01
CBTC | EC_8379_1400_5_CORE_CBTC_STD_Funct_Report_v6 3.3
ATS | 2016QTL09 REP_CCT_01 - ATS Safety Subsystem

The ATC subsystems' safety cases rely, in turn, on Generic Application and Generic Product safety cases, implemented and assessed outside the specific KMRC project. Details are reported in the safety cases listed above. It is to be noted that the assessment report of the ATS safety subsystem (removal of TSR) covers v4.9.3 of the ATS Generic Application. The ATS generic application has since been updated for the needs of other projects, so the version of the ATS GA used in the current KMRC phase is v5.1.8, later than v4.9.3. The ATS Version Description Document will evidence that the SIL 2 functions are unaltered and that the changes were made for the needs of other projects. The official version of the ATS Version Description Document, which will be referenced in the Signalling Safety Case (a document to be submitted later in this project), will clearly state the checksums of the SIL 2 tasks. The KMRC System Hardware and Software Configuration Document will evidence that the site-loaded kits carry the same checksums. The safety functions of the ATS are also validated in the lab and at site; the ATS lab and site test reports will be evidenced with the Signalling Safety Case.
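The checksum comparison between the version description document and the site-loaded kits, as an added illustrative example (not Ansaldo STS code and not the KMRC configuration document itself): it reads a 'sha256sum'-style list of task checksums, which is an assumed format since the safety case does not state how the version description document records them, and checks a site-loaded kit against it, flagging modified, missing and undocumented files rather than only confirming that the listed ones match. The task names and file contents are constructed for this example.

```python
"""Added example (not Ansaldo STS code): verify that a site-loaded software kit
carries exactly the checksums recorded in a version description document (VDD).
Assumed, not from the safety case: the VDD lists one SHA-256 per SIL 2 task
image in 'sha256sum' style ('<64 hex digits>  <path>'), and a kit is a set of files."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KitCheck:
    matched: List[str] = field(default_factory=list)
    mismatched: List[str] = field(default_factory=list)  # present, wrong digest
    missing: List[str] = field(default_factory=list)     # in VDD, not in kit
    unexpected: List[str] = field(default_factory=list)  # in kit, not in VDD

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unexpected)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines. Blank lines and '#' comments are skipped;
    a malformed or duplicate entry is an error, never silently ignored."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {line!r}")
        digest, path = parts[0].lower(), parts[1].strip()
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        if path in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {path}")
        expected[path] = digest
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_kit(expected: Dict[str, str], installed: Dict[str, bytes]) -> KitCheck:
    """Compare every installed file against the VDD. The kit passes only when the
    two sets of paths are identical and every digest matches; a kit that merely
    contains the listed files (plus extras) does not pass."""
    result = KitCheck()
    for path, want in expected.items():
        if path not in installed:
            result.missing.append(path)
        elif sha256_hex(installed[path]) == want:
            result.matched.append(path)
        else:
            result.mismatched.append(path)
    result.unexpected.extend(sorted(p for p in installed if p not in expected))
    return result


# Constructed sample: three task images as recorded in the VDD, and a site kit in
# which one image was rebuilt, one is absent and an undocumented file slipped in.
VDD_TASKS = {
    "ats/tsr_manager.bin": b"tsr-manager-image-v5.1.8",
    "ats/route_setting.bin": b"route-setting-image-v5.1.8",
    "ats/alarm_handler.bin": b"alarm-handler-image-v5.1.8",
}
VDD_TEXT = "# ATS v5.1.8 SIL 2 task checksums (constructed sample)\n" + "".join(
    f"{sha256_hex(data)}  {path}\n" for path, data in VDD_TASKS.items())

SITE_KIT = {
    "ats/tsr_manager.bin": b"tsr-manager-image-v5.1.8",            # unchanged
    "ats/route_setting.bin": b"route-setting-image-v5.1.8-hotfix",  # rebuilt on site
    "ats/debug_console.bin": b"not-in-the-vdd",                     # undocumented extra
}                                                                   # alarm_handler missing


def check_site_kit() -> KitCheck:
    return verify_kit(parse_manifest(VDD_TEXT), SITE_KIT)


if __name__ == "__main__":
    report = check_site_kit()
    print("PASS" if report.ok else "FAIL", report)
```

Reporting the four categories separately matters in practice: a modified image and a missing image are both configuration deviations, but an undocumented extra file is the case a simple "all listed checksums match" script would miss entirely.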


7 CONCLUSIONS

In compliance with the requirements of CENELEC EN 50129 and the provisions contained in the contract, this Safety Case has described how safety matters have been dealt with during the Detailed Design Phase of the ATC System to be deployed on KMRC Ph-1A, also providing the evidence required to demonstrate that the ATC System designed for KMRC achieves adequate safety levels for the functions it implements within a Metro application. This document is not self-contained; it refers to the documentation prepared during the ATC design phase to support the ATC system technical safety assurance activities. As reported in 1.1, this Safety Case follows the structure of EN 50129 and covers phases 1 to 6 of the CENELEC lifecycle. In particular, this document has provided:

- a clear description of the ATC System in terms of functionalities, architecture, boundaries and interfaces (see Section 2.2);
- the demonstration that the ATC design has been undertaken in accordance with a well-defined quality management process (see Section 3);
- the demonstration that all relevant safety management processes and activities have been correctly implemented (see Section 4);
- the demonstration that the safety requirements applicable to the specific KMRC application have been comprehensively identified and correctly implemented in the design (see Section 5);
- the evidence that the Safety Related Application Conditions to be exported to the other interfacing contractors have been identified (refer to the ATC Hazard Log [18]);
- the demonstration that the ATC safety-related functions can achieve an acceptable level of safety and meet the quantitative safety targets assigned to the ATC system, as specified in the PHA [11] (see Section 5.3.5).

Therefore, this Safety Case, being associated with a first design milestone of the project, has provided the assurance that the safety principles applicable to a KMRC signalling system have been properly implemented throughout the design phase. Nevertheless, it cannot provide conclusive evidence of the ATC System safety, since:

- as reported in 4.7, the verification and validation activities on the ATC requirements are still ongoing, and the traceability of the safety mitigations from the hazard analysis is still to be evidenced.

Updates to this Safety Case will be provided in future to capture review comments, if any, from the ISA and the Customer.
