FUNCTIONAL CHARACTERISTICS OF ATP/ATC SYSTEMS
On this page, a piece of English text from the syllabus 'An Introduction to Intermittent and Continuous ATP', which I have presented a number of times in the UK.
Train Stop Systems
The simplest form of ATP is to provide only a train stop function. This is based on the principle that a train is braked immediately after it passes a signal at danger. No indication whatsoever is given to the driver. For safe operation of the railway, a simple train stop system therefore requires an overlap beyond each signal. The length of the overlap is determined by the worst-case values for the maximum speed of the train, its braking characteristics and the gradient. If these assumptions are not, or only partially, fulfilled, a certain probability of accidents remains, e.g. in the case of brake failure, adverse adhesion conditions etc. However, the level of safety provided can be judged to be sufficient, depending on the operational conditions of the railway.
For these systems, the probability of a dangerous event, or wrong side failure, can be calculated as the product of the probability that the driver does not control the train according to the regulations and the probability that the technical system either fails or does not cover this scenario.
In most cases, certainly in the past, train stop systems could not be built in a fail-safe manner or, in today's language, to SIL 4 standards. Therefore, the overall probability of a wrong side failure has to be sufficiently low. As the system does not provide any information to the driver about signal aspects or their supervision, it can be argued that driver and train stop system are mutually independent. Both are considered to be diverse parts of the overall protection system, and this is what allows the technical system itself not to be fail-safe. It is considered to be sufficiently unlikely that both driver and technical system will fail at the same time, provided (latent) errors in the technical system can be revealed early enough, e.g. through frequent inspections and checks.
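The three paragraphs above (overlap length, the product of driver and system failure probabilities, and the effect of revealing latent faults by inspection) can be put into a small calculation. The following is an added worked example, not code from the syllabus: the stopping-distance formula, the brake build-up delay, and the lambda*T/2 approximation for the average unavailability of a periodically inspected device are standard engineering assumptions chosen here, and all numeric inputs are constructed, illustrative figures rather than data from any railway.

```python
import math

G = 9.81  # standard gravity, m/s^2


def effective_deceleration(decel_level_mps2: float, gradient_permille: float) -> float:
    """Braking deceleration corrected for gradient.

    gradient_permille < 0 means a falling gradient: the downhill component of
    gravity works against the brakes and lengthens the stopping distance.
    """
    slope = math.atan(gradient_permille / 1000.0)
    return decel_level_mps2 + G * math.sin(slope)


def overlap_length_m(v_max_kmh: float, decel_level_mps2: float,
                     gradient_permille: float, brake_delay_s: float = 0.0) -> float:
    """Worst-case distance a tripped train runs beyond the signal at danger.

    v_max_kmh         highest speed the train can have when it passes the signal
    decel_level_mps2  guaranteed (worst-case) deceleration on level track
    gradient_permille gradient of the overlap, negative = downhill
    brake_delay_s     time between the trip and full brake effort; the train is
                      assumed (illustrative assumption) to keep its speed meanwhile
    """
    v = v_max_kmh / 3.6
    a = effective_deceleration(decel_level_mps2, gradient_permille)
    if a <= 0.0:
        raise ValueError("brakes cannot stop the train on this gradient")
    return v * brake_delay_s + v * v / (2.0 * a)


def wrong_side_failure_probability(p_driver_error: float, p_system_fails: float) -> float:
    """Probability of a dangerous event per approach to a signal at danger, as
    the product of the driver error probability and the train stop failure
    probability. The product is only valid if driver and train stop are
    independent, which is the argument made in the text."""
    return p_driver_error * p_system_fails


def latent_unavailability(failure_rate_per_h: float, inspection_interval_h: float) -> float:
    """Average probability that a latent, undetected fault is present at the
    moment the train stop is demanded, for equipment that is only checked at
    fixed inspection intervals. Uses the usual low-demand approximation
    lambda * T / 2 (an assumption of this example, not from the syllabus)."""
    return failure_rate_per_h * inspection_interval_h / 2.0


if __name__ == "__main__":
    # Constructed illustrative figures, not data from any actual railway.
    for grad in (0.0, -10.0, -25.0):
        print(f"gradient {grad:+5.1f} permille: overlap "
              f"{overlap_length_m(100.0, 0.8, grad, brake_delay_s=2.0):7.1f} m")
    p_sys_daily = latent_unavailability(1e-5, 24.0)     # checked once a day
    p_sys_monthly = latent_unavailability(1e-5, 720.0)  # checked once a month
    for p in (p_sys_daily, p_sys_monthly):
        print(f"system unavailability {p:.2e} -> wrong side failure per approach "
              f"{wrong_side_failure_probability(1e-3, p):.2e}")
```

Two things the figures make visible: a falling gradient of a few per mille already adds tens of metres to the overlap at 100 km/h, and the same non-fail-safe train stop is an order of magnitude less likely to be sitting on a latent fault when it is checked daily rather than monthly, which is exactly the role inspections play in the argument above.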
Another perceived advantage of this philosophy is the relatively low cost of this type of ATP system, where otherwise the advantages of ATP might not have been affordable at all. In the literature, SIL levels specified for intermittent systems of this kind are quoted as SIL 2.
Intermittent systems resemble train stop systems to the extent that information is only passed "intermittently" from track to train at certain fixed locations. Most systems of earlier design can therefore only provide intermittent supervision as well, e.g. between distant and main signals, and thus will only provide protection against a signal being passed at danger. However, as technology evolved they became more capable, and nowadays most modern systems are able to provide continuous supervision / protection of the train and can even offer (continuous) speed supervision.
Simple ATP systems such as the German INDUSI, or AWS and TPWS in the UK, operate in background mode and no indication is given to the driver, except perhaps on system health or when an emergency brake application has occurred. The driver has to observe the lineside signals and react according to their aspects. Only if the driver is driving too fast or passes a signal at danger (a SPAD) will the system automatically apply the emergency brake. The same safety design philosophy as described above for the train stop system is applicable.
More sophisticated intermittent ATP systems, for example the British ATP systems, Dutch ATB NG, Ebicab, or indeed ERTMS/ETCS Level 1, are also based on the principle that the driver is still primarily responsible for observing signals and operating the train. The ATP still acts as a safety net. However, as newer technology allows more information to be transmitted, some indications can be given to the driver, for example the target speed and the distance to go, i.e. the distance to the point at which the train's speed must be below the new target speed limit, or the distance to the signal at danger. As wrong indications could mislead the driver and so provoke unsafe reactions, the system, or at the very minimum its speed supervision sub-system, has to be fail-safe in this respect. Data generation, data transmission and data evaluation on board have to have a high level of safety integrity as well, as a failure could cause a dangerous situation with a driver relying on the cab display rather than on the lineside signals.
In general the in-cab signalling allows the driver to optimise his driving and certainly provides a level of "comfort", e.g. when driving in adverse weather conditions affecting the visibility of signals.
Continuous ATP/ATC systems normally provide full cab signalling, which implies that the driver must be able to fully rely on the safety of the system. There are two principles in use, which differ in safety philosophy. In France, the TVM system has a vital display to the driver; the driver himself is considered fail-safe, and therefore there are fewer technical safety requirements on the implementation of the speed supervision and emergency brake application functions. By contrast, the Dutch ATB and German LZB, among others, employ a non-vital cab display but implement a vital speed supervision and access to the emergency brake. In this philosophy the driver is considered a non-vital part of the overall train control system, and even if he were misled by the cab signal, the speed supervision and brake application will intervene in a fail-safe manner.
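What "target speed and distance to go" become on board is a braking curve, and the second philosophy above (ATB, LZB) amounts to saying that the curve supervision and the brake decision take nothing from the cab display. The following is an added example in that spirit, not code from the syllabus or from any of the systems named: the `MovementAuthority` record, the braking-curve formula v^2 = v_t^2 + 2ad, the warning and intervention margins, and all numeric values are assumptions of this example.

```python
import math
from dataclasses import dataclass

G = 9.81  # standard gravity, m/s^2


@dataclass(frozen=True)
class MovementAuthority:
    """Information passed from track to train (at a balise, or continuously).
    Hypothetical record layout chosen for this example."""
    target_speed_kmh: float    # speed that must not be exceeded at the target point (0 = signal at danger)
    distance_to_go_m: float    # from the point of reception to the target point
    gradient_permille: float   # assumed constant up to the target, negative = downhill


def permitted_speed_kmh(ma: MovementAuthority, distance_run_m: float,
                        decel_mps2: float, line_speed_kmh: float) -> float:
    """Highest speed from which the train can still brake to the target speed
    over the remaining distance (braking curve v^2 = v_t^2 + 2 a d), capped at
    the line speed. decel_mps2 is the guaranteed deceleration on level track."""
    remaining = max(ma.distance_to_go_m - distance_run_m, 0.0)
    a = decel_mps2 + G * math.sin(math.atan(ma.gradient_permille / 1000.0))
    if a <= 0.0:
        raise ValueError("cannot brake on this gradient")
    v_target = ma.target_speed_kmh / 3.6
    v = math.sqrt(v_target * v_target + 2.0 * a * remaining)
    return min(v * 3.6, line_speed_kmh)


def supervise(ma: MovementAuthority, distance_run_m: float, measured_speed_kmh: float,
              decel_mps2: float, line_speed_kmh: float,
              warning_margin_kmh: float = 3.0, intervention_margin_kmh: float = 8.0) -> str:
    """Vital speed supervision. Its only speed input is the measured train
    speed; whatever the (non-vital) cab display happens to show is deliberately
    not a parameter, so a corrupted display cannot change this decision."""
    curve = permitted_speed_kmh(ma, distance_run_m, decel_mps2, line_speed_kmh)
    if measured_speed_kmh > curve + intervention_margin_kmh:
        return "EMERGENCY_BRAKE"
    if measured_speed_kmh > curve + warning_margin_kmh:
        return "WARNING"
    return "OK"


def first_intervention_m(ma: MovementAuthority, held_speed_kmh: float,
                         decel_mps2: float, line_speed_kmh: float, step_m: float = 10.0):
    """Distance run at which a train that ignores the display and holds
    held_speed_kmh would be tripped, or None if it never exceeds the curve."""
    d = 0.0
    while d <= ma.distance_to_go_m:
        if supervise(ma, d, held_speed_kmh, decel_mps2, line_speed_kmh) == "EMERGENCY_BRAKE":
            return d
        d += step_m
    return None


if __name__ == "__main__":
    # Constructed scenario: balise 1000 m before a signal at danger, level track.
    ma = MovementAuthority(target_speed_kmh=0.0, distance_to_go_m=1000.0, gradient_permille=0.0)
    for d in (0.0, 500.0, 800.0, 950.0):
        print(f"{d:6.0f} m run: permitted {permitted_speed_kmh(ma, d, 0.7, 120.0):6.1f} km/h")
    # Driver misled by a wrong display keeps 100 km/h: where does supervision act?
    print("tripped after", first_intervention_m(ma, 100.0, 0.7, 120.0), "m")
```

The permitted speed falls along the curve as the distance to go shrinks and reaches the target speed exactly at the target point; a train holding line speed towards a signal at danger is tripped well before the signal, with the margin to the signal still available for the emergency brake to act. In the first philosophy (TVM) the same curve would be shown to the driver on a vital display and the intervention logic could be less stringent; in the second, the display can be wrong and the supervision above still holds.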
In continuous ATP/ATC systems of modern design, there is sufficient information available to feed Automatic Train Operation (ATO) equipment as well. In the case of automatic driving, the ATP/ATC speed supervision and emergency brake application have to be implemented as a vital system, as usually the ATO equipment is not fail-safe. Especially in automatic, and even more so in driverless, systems the ATP/ATC system has to take full responsibility for the safe movement of the train. Therefore, a high level of integrity is required for the system.