Safety has played and continues to play a central role in the work of European standardization committees in the field of railway signaling. It requires the earnest endeavor of all those involved to move from an understanding of safety that was historically shaped on a country-specific basis to a new definition that can be accepted throughout Europe and applied equally to everyone. The following example from one national signaling industry illustrates the problems, with particular attention to these key topics:
safety and reliability;
The planning and construction of railway installations in Europe is based on a more than 150-year-old tradition. Rules devised over several generations in individual countries are founded on years of empirical knowledge. The aim of all interested parties is to virtually eliminate accidents.
To this end, adherence to design and construction engineering requirements for wheels, rail and track bed (such as maximum axle loads, vehicle braking capability, and the use of safety glass) is as vital to safety as compliance with the planning rules for track installations, such as:
Maintenance of overrun sections after signals.
Guaranteeing flank protection measures to ensure that trains do not come too close at points.
Eliminating level crossings on high-speed lines.
Definition of maximum curve speeds for line sections and switches according to the curve radius and grade, etc.
Furthermore, rail traffic safety is ensured by operating staff (traffic controllers, engine drivers, maintenance engineers) observing the rules that are set out in the operating regulations. Fundamental to these rules is the stipulated behavior of operating staff in safety-critical situations. Careful maintenance of the existing signaling plant is just as important as the widespread automation of rail traffic using modern control and safety technology.
The relationship between control technology and safety technology can be represented as follows:
Control technology ("control-system engineering"): supports the running of trains to the timetable using:
automatic train guidance;
operating position representation: train describer, overviews of the operating position, time-distance lines;
action tools in the event of deviations from the timetable.
Safety technology ("signaling"): protects trains against collisions and derailment using:
route protection: interlocking systems, block technology and level crossings;
train protection: monitoring of adherence to the permitted train speed (INDUSI, LZB, etc.).
The essential difference between the two components lies in their relationship to guaranteeing safety in rail operation. With the current state of the art, safe operation can be realized without control technology on low-volume secondary lines. However, it is not possible to achieve safe rail operation without a minimum level of safety technology.
Only by using control technology in conjunction with modern safety technology is it possible to safely achieve the high train densities required by mass transit systems.
In the event of failure of a safety component, the affected system must revert to a non-dangerous (safe) state. The following examples illustrate how this can be achieved in day-to-day operations:
Train brakes to a halt should a fault occur in the continuous automatic train control system.
Signal sets to stop in the event of a fault in the interlocking system.
Switch immovably maintains its position if a fault occurs in the interlocking system.
Numerous fail-safe systems are in daily use. Common to all of them is the use of redundancy in the broadest sense. A twin-channel computer command system for the green lamp of a rail signal is a simple example. Here the dual-computer system that controls the lamp and monitors it is commanded over a single-channel, secure data transmission link. The same link serves in the reverse direction to forward the "actual" state of the lamp (on/off/disturbed) to the secure central computer of the interlocking system. In practice, for reasons of economy, a dual-computer system of this type controls and monitors several signals (several bulbs) in parallel.
Safety and reliability
Without reliability redundancy, the breakdown of a fail-safe product automatically creates an operating restriction, since responsibility for the safe working of the system must then be assumed by the staff on the basis of prescribed operating instructions. Depending on the situation and the local conditions, several hours may elapse until the defective component is repaired. During this time, the risk of an accident increases substantially compared with automatic operation. In essence, the lower the incidence of direct human intervention, the greater the overall safety of passengers and freight.
Consequently, all signaling systems must be highly reliable and designed to fail safe. Both characteristics have been successfully combined in the so-called "two-out-of-three" principle for computer hardware, which has been in use for more than 20 years in the central control and monitoring computers of many European railways. One example of this principle is the radio block center of a continuous automatic train control system.
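The fail-safe fallback described above (a faulty component reverts the system to the restrictive state, and a twin-channel lamp controller reports on/off/disturbed back to the interlocking) and the two-out-of-three principle of this section can be put side by side in a small simulation. The following is an added example written for this page, not code from the article or from any real interlocking or radio block center; the aspects, the channel model (a channel either delivers an aspect or no valid output at all) and the failure scenario are constructed, and the names vote_2oo2, vote_2oo3, lamp_report, scenario and operating_restrictions are the example's own. It shows why a 2oo2 (two-out-of-two) comparison is safe but brittle, while 2oo3 masks one failed channel and still falls back to the safe state when no majority exists:

```python
"""
Toy model of the two redundancy patterns discussed above. This is an
added illustration, not code from the article or from any real
interlocking; the channel outputs and failure injections are constructed.

- 2oo2 (two-out-of-two): both channels must agree on a valid output,
  otherwise the system reverts to the safe state (signal at stop). Safe,
  but a single failed channel immediately causes an operating restriction.
- 2oo3 (two-out-of-three): a majority of three channels decides, so one
  failed or disagreeing channel is masked and operation continues; the
  disagreement is still reported so the channel can be repaired. With no
  majority, the system again reverts to the safe state.
"""
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Aspect(Enum):
    STOP = "stop"          # restrictive aspect: the safe state
    PROCEED = "proceed"    # permissive aspect: green lamp lit


FAULT = None               # a channel that produced no valid output
SAFE = Aspect.STOP         # every fallback ends here

Output = Optional[Aspect]


def vote_2oo2(outputs: Sequence[Output]) -> Tuple[Aspect, bool]:
    """Both channels must agree on a valid aspect; anything else -> safe state.
    Returns (aspect, disturbed)."""
    a, b = outputs
    if a is FAULT or b is FAULT or a != b:
        return SAFE, True
    return a, False


def vote_2oo3(outputs: Sequence[Output]) -> Tuple[Aspect, bool]:
    """Majority of three channels decides; no majority -> safe state.
    'disturbed' is True whenever any channel faulted or dissented, so the
    defect is reported even though operation continues."""
    a, b, c = outputs  # exactly three channels
    for candidate in Aspect:
        if sum(1 for o in (a, b, c) if o is candidate) >= 2:
            return candidate, any(o is not candidate for o in (a, b, c))
    return SAFE, True


def lamp_report(aspect: Aspect, lamp_healthy: bool) -> str:
    """State returned to the interlocking over the single-channel link:
    'on', 'off' or 'disturbed'. A green lamp commanded on but not proven lit
    is reported as disturbed; the interlocking then treats the signal as
    showing stop (a dark signal is always read restrictively)."""
    if aspect is Aspect.PROCEED:
        return "on" if lamp_healthy else "disturbed"
    return "off"


def scenario(n_channels: int, fail_from: int = 2, n_cycles: int = 5) -> List[List[Output]]:
    """Constructed run: all channels command PROCEED, channel 0 fails
    (no valid output) from cycle `fail_from` onwards."""
    cycles = []
    for t in range(n_cycles):
        outs: List[Output] = [Aspect.PROCEED] * n_channels
        if t >= fail_from:
            outs[0] = FAULT
        cycles.append(outs)
    return cycles


def operating_restrictions(voter, cycles: Sequence[Sequence[Output]]) -> int:
    """Count cycles in which the voter fell back to the safe state although
    at least one healthy channel commanded PROCEED: the periods of manual
    working under operating instructions that the text describes."""
    restricted = 0
    for outputs in cycles:
        aspect, _ = voter(outputs)
        if aspect is SAFE and Aspect.PROCEED in outputs:
            restricted += 1
    return restricted


if __name__ == "__main__":
    print("2oo2, one channel failed:", operating_restrictions(vote_2oo2, scenario(2)))  # 3 of 5 cycles restricted
    print("2oo3, one channel failed:", operating_restrictions(vote_2oo3, scenario(3)))  # 0 of 5 cycles restricted
    print("2oo3, two channels failed:", vote_2oo3([Aspect.PROCEED, FAULT, FAULT]))      # falls back to STOP
    print("lamp:", lamp_report(Aspect.PROCEED, lamp_healthy=False))                    # 'disturbed'
```

Two design points are worth noting. The voter never returns anything but a valid aspect, and every path that lacks agreement or a majority lands on the restrictive aspect, which is what "fail-safe" means in this section; the "disturbed" flag is the reliability side, because it lets the 2oo3 system keep running while a repair is scheduled instead of handing the line over to manual working. The same pattern extends to other fail-safe elements listed above (a switch held immovably, a train braked to a halt) by changing only what the safe state is.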
Today, numerous variants of this basic principle exist in all areas of safety technology, from nuclear power plants, through aviation and aerospace applications to use in military technology, as well as industrial heating and elevator technology.
Some considerable time before the start of development of a new computer-based signaling system, a detailed dialog has to take place with the future infrastructure owner(s) (rail companies, owners of private and industrial railways, metropolitan railways and mass transit enterprises) about the specifications for and risks associated with the use of the future system. Following this, a detailed quantitatively-supported risk analysis will be drawn up, either by the customer or on its behalf. It is at this stage that collaboration begins with the licensing authority that will assess and ultimately approve the risk analysis and specification as a basis for starting the development. Based on the approved risk analysis and specification, the safety certification is drawn up by the manufacturer and submitted to the licensing authority for clearance. If approval is given, development can start.
In the past, before European railway signaling standards were defined, a more qualitative approach was frequently taken, such as Mü 8004 in Germany. A quantitative risk analysis was waived, since a new system was assumed to be completely free of (systematic) faults, which the manufacturer had to demonstrate qualitatively in accordance with defined rules. To evaluate the effect of random hardware breakdowns during operation, simple formulas were provided as a basis for calculation. This approach was based on empirical values gathered over many years and was successful as long as the software was of low complexity.
For example, Figure 4 shows the approval cycle for a product for a mass transit customer or for Deutsche Bahn AG up to about the late 1990s.