Op deze pagina nog even een stukje engelse tekst uit de syllabus 'An Introduction to Intermittent and Continuous ATP' die ik een aantal malen heb gepresenteerd in de UK.
INTRODUCTION
In contrast to road traffic, where the driver of the individual vehicle has the responsibility for guiding his car, rail traffic is externally controlled. This is true for the lateral guidance where the train has to follow the track forced by the rim or the wheels, and the longitudinal movement, where signals impose stopping points on the driver. A signalling system has to be used, as reaction on time is not possible when a driver sees an obstacle. In rail systems, braking distances are too long to rely on driver’s vigilance.
The very first task of railway signalling therefore was to install a signalling system, which gave the driver instruction if he could proceed or if he had to stop. With the driver obeying the instructions given by the signals, collisions of trains could be avoided.
[1]A large history of railway accidents, proves that drivers do not always follow the instructions of the signalling system. To supervise the driver,”train stop” systems were introduced which caused an automatic brake application when the driver passed a signal at danger.
In the early days of railway signalling, these train stop systems were mostly mechanical. Later on, as technology evolved, the physical principle of “informing the train it had SPADded” or “Track to Train Transmission” changed to permanent magnets and later on to transponders.
In the meantime, most of the mainline railways found that a simple train stop system at the signal at danger was not sufficient to avoid all accidents. Other systems, which warned the driver or supervised train speed some distance before the signal at danger, were introduced. Excessive speed on certain sections of the line, for example speed restrictions, caused accidents. Train protection systems were also used to supervise the driver in these cases.
All systems described so far were intermittent in transmission and supervision. Information was only transmitted at specific points along the track and the information the supervision was based on and the length of the supervision was linked to the points of transmission. A driver having acknowledged the warning or complied with the speed supervision could always release the brakes or even accelerate subsequently.
More recent systems provide a continuous supervision of the train, although their transmission system is only intermittent. The driver is not allowed to exceed a speed profile / braking curve, which is based upon the data transmitted from a first transponder, until the train gets new information from the next transponder and the supervised speed profile is updated accordingly. These systems certainly increase the safety of operation considerably; on the other hand they also can restrict the throughput of the line.
Systems using continuous transmission means can provide an instantaneous update to the train of changes to the signal aspect. The supervised speed profile is updated instantaneously e.g. on approaching a signal clearing ahead of the train and therefore the impact on line capacity can be limited. Furthermore, the degree of safety is even higher, as for example emergency stop information can be transmitted with negligible delay.
All systems described derive their information from the line side signalling system and in almost all systems the commands transmitted to the driver have to be identical to or more restrictive than those given by the line side signals. Especially for high density traffic, the existing block system on railway lines is not always adequate and some form of enhanced or even moving block can be introduced to further enhance capacity utilisation. In these cases, ATP/ATC partially or totally replaces line side signals with in-cab signalling and has to have priority over the lateral signalling system. Modern ATP/ATC systems can offer operational advantages over conventional signalling systems and at the same time can reduce cost.
FUNCTIONAL CHARACTERISTICS OF ATP/ATC SYSTEMS
Train Stop Systems
The simplest form of ATP is to provide only a train stop function. This is based on the principle that a train is braked immediately after it passes a signal at danger. No indication whatsoever is given to the driver. For safe operation of the railway, a simple train stop system therefore requires an overlap at each signal. The length of the overlap is determined by the worst-case values for the maximum speed of the train, its braking characteristics and by the gradient. If these assumptions are not or only partially fulfilled, a certain probability of accidents remains, e.g. in the case of brake failure, adverse adhesion conditions etc. However, the level of safety provided can be judged to be sufficient, depending on the operational conditions of the railway.
For these systems, the probability of a dangerous event or wrong side failure can be calculated as a product of the probabilities of the driver not controlling the train according to the regulations, and the probability of the technical system either to fail or not to cover this scenario.
In most cases, certainly in the past, train stop systems cannot be built in a fail-safe manner or, in today’s language, to SIL4 standards. Therefore, the overall probability of a wrong side failure has to be sufficiently low. As the system does not provide any information to the driver about signal aspects or their supervision, it can be argued that driver and train stop system mutually independent. Both are considered to be diverse parts of the overall protection system and this allows for the non-fail safety of the technical system. It is considered to be sufficiently unlikely that both driver and technical system will fail at the same time, provided (latent) errors in the technical system can be revealed early enough, e.g. through frequent inspections and checks.
Another perceived advantage of this philosophy is the relatively low cost of this type of ATP system, where otherwise the advantages of ATP might not have been affordable at all. In literature, e.g. [26] SIL levels specified for intermittent systems are quoted as SIL 2.
Intermittent systems
Intermittent systems resemble train stop systems to the extent that information is only passed “intermittently” from track to train at certain fixed locations. Most systems of earlier design can therefore only provide intermittent supervision as well, e.g. between distant and main signals and thus will only provide protection against a signal being passed at danger. However as technology evolved they became more capable and nowadays most modern systems are able to provide continuous supervision / protection of the train and can even offer (continuous) speed supervision.
Simple ATP systems such as the German INDUSI, or AWS and TPWS in the UK operate in background mode and no indication is given to the driver, except perhaps on system health or when an emergency brake application has occurred. The driver has to observe the line side signals and react according to their aspects. Only in the case of a driver driving too fast or SPADding will the system automatically apply the emergency brake. The same safety design philosophy as mentioned above for the train stop system are applicable.
More sophisticated intermittent ATP systems, for example the British ATP systems, Dutch ATB NG, Ebicab, or indeed ERTMS/ETCS level 1, are also based on principle that the driver is still primarily responsible for observing signals and operating the train. The ATP still acts as a safety net. However, as newer technology allows more information to be transmitted, some indications can be given to the driver, for example target speed and the distance to go, i.e. to the point at which the train’s speed must be under the new target speed limit, or the distance to the signal at danger. As wrong indications could mislead the driver and so provoke unsafe reactions, the system, or at the very minimum its speed supervision sub-system, has to be fail-safe in this respect. Data generation, data transmission and data evaluation on board have to have a high level of safety integrity as well, as a failure could cause a dangerous situation with a driver relying on the cab display rather than on the line side signals.
In general the in-cab signalling allows the driver to optimise his driving and certainly provides a level of “comfort” e.g. when driving in adverse weather conditions affecting visibility of signals.
Continuous Systems
Continuous ATP/ATC systems normally provide full cab signalling, which implies that the driver must be able to fully rely on the safety of the system. There are two principles in use, which differ in safety philosophy. In France, the TVM system has a vital display to the driver, the driver himself is considered fail-safe, therefore there are less technical safety requirements on the implementation of the speed supervision and emergency brake application functions. In contrary, among others, the Dutch ATB and German LZB employ a non-vital cab display but implement a vital speed supervision and access to the emergency brake. In this philosophy the driver is considered a non-vital part of the overall train control system and even if he were misled by the cab signal, the speed supervision and brake application will intervene in a fail-safe manner.
In continuous ATP/ATC systems of modern design, there is sufficient information available to feed the Automatic Train Operation (ATO) equipment as well. In case of automatic driving, ATP/ATC speed supervision and the emergency brake application has to be implemented as a vital system, as usually the ATO equipment is not fail-safe. Especially in automatic or even more so in driverless systems, the ATP/ATC system has to take full responsibility for the safe movement of the train. Therefore, a high level of integrity is required for the system.