ClearSy Systems Engineering · and standards, transmission by induction loop, sensors ......

FERSIL I CLEARSY’S RAILWAY PRODUCTS

Confidential and proprietary information – Property of ClearSy1

u

15 DÉCEMBRE I 2011

ClearSy

Systems EngineeringProvides turnkey safety critical systems and

software

Fersil: ClearSy’s railway systems

portfolio

q

[email protected] 2017 V2

WWW.FERSIL-RAILWAY.COM

WWW.CLEARSY.COM



u Summary

1

2

3

ClearSy

Safety integrity level

ClearSy’s railway solutions

4 ClearSy’s services and software



u Company profile

Small to Medium Enterprise (SME) created in 2001

Independent: 90% of the shares owned by employees

Located in Paris, Aix-en-Provence, Lyon, Strasbourg and Canton (CT, USA)

100 engineers & PhDs

Partnership with five factories to provide industrial equipments

Partnership with RATP (Paris metro) to adapt and distribute RATP systems and

components

Partnership with companies to add new technologies and new systems

1



u ClearSy

Uses the B formal method to develop

safety critical software and to prove

system specifications

Provides the safety cases and the

support for approval or ISA

certification

Supports the software development

toolkit: Atelier B, used by Alstom and

Siemens to develop ATP Safety

critical systems

Safety critical systems design

and production

Defines new specific safety systems,

adapts its systems to specific

requirements

Provides safety critical systems SIL2

to SIL4

Provides safety critical software SIL2

to SIL4

Safety engineering services

1



u ClearSy’s fields of expertise

Safety critical architecture design and development

Electronic fail-safe design

Safety critical electronic hardware design and development

Safety cases using IEC 61508 and EN50126, 128,129 standards

Safety critical software and hardware commissioning

Project

In-depth knowledge of railway standards and rules

Software and system mathematically proved (B method)

Signalling, CBTC, ERTMS, interlocking, rolling stock rules

and standards, transmission by induction loop, sensors

Particular Skills

1



u Formal methods - definition

In software engineering and hardware engineering, formal methods are a

particular set of mathematically based techniques for the specification,

development and verification of software and hardware systems.

The use of formal methods for software and hardware design is motivated by

the expectation that, as in other engineering disciplines, performing

appropriate mathematical analysis can contribute to the reliability and

robustness of a design.

(Source Wikipedia)

B method is based on mathematical proof

1



u Railway clients and partners 1



uDesign and implementation of certified

safety critical systems and software1



u Safety Integrity Level

SIL 1Probability of failure (PFH) is between 10-5 and 10-6 per hour. A failure is

unlikely to happen before 10 years of continuous operation

All ClearSy certified systems are certified by an independent safety assessor

ClearSy makes safety cases to certify systems

Based on impacts of unwanted events (hazardous events), a Safety Integrity Level is

targeted for a system. It defines a targeted risk reduction. There are four different SIL

based on the European functional safety standards IEC 61508:

SIL 2PFH is 10-6-10-7 per hour. A failure is unlikely to happen before 100 years of

continuous operation

SIL 3PFH is 10-7-10-8 per hour. A failure is unlikely to happen before 1 000 years of

continuous operation. Used for a death hazard of one person

SIL 4PFH is 10-8-10-9 per hour. A failure is unlikely to happen before 10 000 years

of continuous operation. Used for a death hazard of several people

2



u ClearSy’s railway solutions 3

Passenger flow and safety

Train operation safety

& signallingCost reduction

ClearSy systems are designed for the following applications:



u ClearSy’s railway solutions


COPP, DOF1, COPPILOT: Platform screen doors

control system SIL3

DIL: Detection of a person between train and

platform screen doors SIL3

Track intrusion detection system (SIL2 to SIL4)

LP2S & GAPS: Platform detection and gap filler

control system SIL2

3



u

Independent system:

Doesn’t depend on train

CBTC – faster response

time and easy integration

Positioning and no

cross-talk:

Communication only

possible when sensor is

above loop antenna

SIL3: Opens platform

screen doors if there are

train doors in front of the

platform doors

SIL4: Enables train doors

to open according to the

platform side

DOF1 & COPP: SIL3/4 Safety critical

screen doors control system

Cubicle Loop

Antenna


3



u

Paris metro line 1 (four years of operation) and in service on line 13

u DOF1 and COPP are independent from the CBTC system

and complete it

DOF1 designed for RATP and Bombardier 3

DOF1-L designed for Bombardier in Kingston (developed but not in service)

u Select doors you want to open

u Automatic re-opening when a door is obstructed

u LAN connectivity


Quick Calculation for line 1:

25 stations and 400 trains per day

1 second saved per stop, we saved 5,5 hours per day (5H30)

For this calculation, we assume that traffic is the same during all the

day, which is wrong. Saving time is only useful during peak periods.



u COPP system – Station overview

Châtillon- Montrouge:

End of the line

Automatic Turn Back system

3



uCOPPILOT: SIL 3 safety critical screen

doors control system

Positioning: Wheel

sensor detects train at the

right position

Safe PSD opening:

Lasers detect opening of

train doors

Control PSD (SIL3)

No equipment on-board

only on the wayside

Independent of train

systems: easy integration

3




u

Used in Paris during PSD test period

In service in Sao Paulo metro

u 4 stations : Tamanduateí, Vila Matilde, Sacomã, Vila

Prudente

u 7 different train types. No equipment on-board

In test in Stockholm

u Additional functions: 2 train lengths and doors selectivity

In test in Sao Paulo Monorail

u SIL4 certification

On-going project on Los Teques Line in Caracas

u Additional functions: 2 train lengths and 2 train types

Easy to install on new and existing stations

Guaicaipuro – Los Teques

3



uDIL: SIL 3 platform gap safety monitoring

system

GAP SAFETY MONITORING

In operation in PARIS line 1, deployment in PARIS on Line 4, safety critical system

System to detect a person in the gap zone between platform door and train door

Laser sensors monitoring gaps

3




u DIL - Monitoring these spaces

Zone to be

monitoredTrain

17001818,8

Dectection zone

Platform

gate

Bastille station in Paris

Lasers are also used to detect people who try to escape

into the tunnel

System is in revenue service in 3 stations in Parisian network:

Charles de Gaulle Etoile, Nation and Bastille

3



uFlexible gap filler between platform and

door edge on Paris metro line 1 and Lyon

« Fuse » Device

Gap filler prevents accidental fall if a person

steps between platform and train

Fixed on the platform

Rubber material - Flexible

Already in Service

Paris metro line 1

Lyon

3




u Track intrusion detection system

Safety Track monitoring

Detects falling passenger on track


3

1

Laser pictures

They are analysed to discern an

object as a rodent or a human

Alarm and Stroboscope

They are activated to warn the

train officer in the case of a

passenger falling

2

3

System is available with or without redundancy



uLP2S and GAPS: Detects platform and

measures gap between train and platform (SIL2)

Software

Will authorise the car doors to open or the gap filler to move if

platform is present in front of doors

Laser sensors

Record and send

data

1

CPU Box

Analyses laser sensors

pictures

2

3

ALL SYSTEM COMPONENTS ARE MOUNTED ON BOARD

GAPS operating on ALSTOM Train STI PMR

3





Train operation safety & signalling

KFS: Automatic train stop and over speed control system

(SIL2)

KPVA: Train overspeed control

Axle counter (SIL4): Safety train detection

Flat tyre detection system

DPAS: Safety train detection – Research & Development

DBC: Hot box detector and dragging equipment detector

3



uSIL2 KFS - Automatic Train Stop (ATS) (Certifer Certificate)

Apply emergency brake control if the train overruns a restrictive

signal

3




u SIL2 KFS – Automatic Train Stop (ATS)

Emergency brake controlled !!

French Valenciennes tramway

French Lyon Tram train

3

Baku metro - AzerbaijanTrain operation safety & signalling



uKPVA - Train over speed control system

Avoid train over speed, track side independent system

3

installed on all Paris metro lines (Parisian metro authority RATP patent)




u SIL4 Axle Counter - TÜV certificate

SAFETY TRAIN DETECTION

SIL4 certificate for multi zone counter system

Function similar to a track circuit

3




uDRF MP - flat tyre detection and steel

wheel detection

Detects steel wheel

presence up to 70 mm

Wheel

steel

Flange

Sensor

Zk24 M

Bracket

Rail

Tyre

3




uDPAS - hyper frequency barrierIn Research & Development

Alternative to steel wheel sensor: when a train crosses the barrier, it is

detected.

SIL4 system

Hyper frequency technology

Less maintenance than infrared sensor:

better availability

Fit for outdoor and indoor applications

Plug and play system: system is very compact


Already in test in Lyon

3



uDBC - Hot box detector and dragging

equipment detector

Partnership with Progress Rail (Caterpillar Company)

Dragging equipment detection

Hot box and hot wheel detector:

3





Cost reduction

RS4: Vital relays SIL4

SATURN: Safety remote I/O network (SIL0,SIL2 and SIL4)

LCHIP: PLC for SIL4 applications – Research &

Development

3



uRS4 - SIL4 safety critical relays -

Safety vital relays3

Reference Number of SIL 4

contacts guaranteed

to open

Number of NC

contacts

RS4.DIN.202.24V 2 2

RS4.DIN.202.72V 2 2

RS4.3U.202.24V 2*2 (2 relays 202) 2*2

RS4.DIN.304.24V 3 4

RS4.DIN.402.24V 4 2

RS4.DIN.406.24V 4 6

RS4.DIN.202.110V 2 2

RS4 Safety Critical Relays are not based on gravity but they are guaranteed to open.

They fit on-board (EN50155) and wayside application

They are also very compact

High cutting power relay

RS4 relay is also available as a plug version (RS4.3U.202.24V)

Cost reduction



u SATURN – Mixed SIL2, SIL4 I/O network

Reducing wiring for onboard or wayside application

Safety wiring

reduced

Different safety level

modules on the

same network

Network response

time: 10 to 15 ms,

Data rates: 12

Mbits/s over 100 m

Partnership with:

Leroy Automation

3

Cost reduction



u SATURN Certificates 3



u

LCHIP - Safe execution platform for SIL4

applicationIn Research & Development

3

Cost reducing

LCHIP will combine:

A complete development environment in

formal language (B mathematical language)

A safety executing platform to safely execute

programs

Purposes of LCHIP are:

Ease development of SIL4 certified systems

and software

Drastically reduce costs associated with their

development

a

LCHIP: Low-Cost High Integrity Platform

Cost reduction



u ClearSy’s services and software

ClearSy is expert in safety critical systems and its engineers can offer support for

vital applications and software

Safety Cases

ClearSy engineers provide supporting documentation for accreditation and

assistance to demonstrate the safety of a system

4

ClearSy’s Engineers use B models to prove a set of data is compliant with

safety requirements

For instance: they use B models to ensure signals and automatic train stop are

correctly installed, as it is specified

Software and consulting

Data validation



uSystem verification -

Safety verification of the CBTC of NYCT4


Address every design detail in the

early phase

This organisation was used for the NYCT project

We used the method for verifying the CBTC

of the line 7 in New York, for CBTCs for

Paris metro (RATP), for ERTMS for SNCF

Save time

Define sufficient tests which need to

be passed before daily operation

Define tests for acceptance of

subcomponents

Enhance Safety

Ease subcomponents integration

thanks to a model of the system.

Less dependent to one supplier

Less dependent

This study is useful to demonstrate properties are compliant with specifications and which

assumptions need to be verified to ensure safety.



u ERTMS/ETCS 4


We have an in-depth knowledge

of ERTMS/ETCS

SUBSET 026, ERA DMI specification

DMI development (SIL0, SIL2)

Track plan editor

EVC development

And in-depth expertise in

Simulation and Testing

Training

Testing (SUBSET 094, SUBSET

110/111/112)

Train behavior simulation

Trackside simulation (IXL, RBC, …)

We propose assistance to develop the following systems:

Development of EVC

Development of RBC

Development of interlocking

Development of BTM

Development of train integrity device

Any specific development of a system based on software/hardware



u ERTMS/ETCS on-board part

ETCS DMI

EVC

4




u ERTMS/ETCS trackside part

RBC

IXL

4




u

DAME - High performance railway

operation SCADA data logger, monitoring

system

Real-time supervision of large

complex systems (PLC, digital

I/O devices, …)

Real-time calculation and Alarms

triggering

Collection and archiving of input

data

Archiving of alarms

Extend on demand the range of

supported devices and protocols

Provides Data and Alarms in HMI,

Modbus, OPC


4

RATP line 1 on 3 stations (DIL): PLC and

laserscan data

Sao Paulo Monorail line 15 (Coppilot): Modbus

IP, Laserscan data, video (13 stations)

Caracas Los Teques line (6 stations) (Coppilot):

PLC, Modbus IP server (export to SCADA)

Honolulu Line (21 stations): I/O board, RS485

(ATC), Modbus RTU (Doors Control Unit)



u Interlocking development

Design of signalling safety logical software

Use of SIL4 automata compliant with

CENELEC (EN50128, EN50129)

Code generation, validation and

verification

Evaluation and approval from an external

Independent Safety Assessor (ISA)

Supply of interlocking cubicle with all the

necessary equipment to safely command

signalling systems on the track

Galvanic isolation with RS4 Relays

(between automata and trackside

equipment)


4

Example of realisation:

Tramway of Luxembourg: 7 cubicles, 200 relays, 3

safety critical software modules, DAME based test

bench and simulator.



u Usage of B method

Development of automatic driving subway systems: ALSTOM

(URBALIS), SIEMENS (TRAINGUARD)

• Teams in safe software design and development, V&V

Systems study using the B-method

• New York City Subway (Flushing line finished in 2015, in

progress for other)

• SNCF: NEXTRégio (ERTMS) (in progress)

• RATP: Octys (CBTC) (in progress)

Validation of safety critical data (configuration)


4



u

Panama

Ningbo

TaichungMalaga

Toronto

4



u Services offered by CLEARSY

As a conclusion, at ClearSy, we are specialised in safety critical (vital)

systems and software and we propose the following related services:

Any specific development of a system based on software/hardware, potentially

based on our existing products

Assistance at any stage of system and software development

(specification, design, implementation, validation, …)

Delivery of certified safety critical turnkey solutions

Technical advice in railway safety

Elaboration of safety cases (up to SIL 4)

Safety critical data validation (B method)

Critical system study (B Method)

Technical advice about ERTMS/ETCS/CBTC matters

Training (B Method, ERTMS/ETCS)



u Contact

www.fersil-railway.com

[email protected]

http://www.fersil-railway.com/

mailto:[email protected]

ClearSy Systems Engineering · and standards, transmission by induction loop, sensors ......

Documents

Transcript of ClearSy Systems Engineering · and standards, transmission by induction loop, sensors ......