Urban Rail Transit (2017) 3(2):90–99

DOI 10.1007/s40864-017-0051-7 http://www.urt.cn/

ORIGINAL RESEARCH PAPERS

A Safety Management and Signaling System Integration Method

for Communication-Based Train Control System
Fei Yan1 • Chunhai Gao2 • Tao Tang3 • Yao Zhou4

Received: 25 September 2016 / Revised: 7 February 2017 / Accepted: 18 February 2017 / Published online: 2 March 2017
Ó The Author(s) 2017. This article is published with open access at Springerlink.com

Abstract The safety and the correctness of signaling sys- system with the safety management had been applied in
tem not only relate to the safety and efficiency of the rail many urban rail transit lines of Beijing, such as Yizhuang
transit operation, but also link with the life safety of pas- Line, Changping Line, Line No. 14, and Line No. 7. The
sengers. In order to guarantee the safety of a signaling CBTC signaling systems of these projects have been
system for metro, the safety certificate for the trial opera- authorized by the safety certification from a third party,
tion with carrying passengers must be obtained. In this e.g., Lloyd Register which is a British company and
paper, a suitable safety management and signaling system famous for the safety verification and validation process.
integration model are explored according to the CENELEC
standards and applied in China. With taking account of the Keywords Rail transit system
CBTC
Safety
strict safety requirements for the Communication-Based management
Signaling system
Safety verification and
Train Control (CBTC) system, a safety assurance and validation
System safety assurance
assessment method based on safety verification and vali-
dation process was put forward. This method was applied
in every phase of the CBTC system development life cycle 1 Introduction
to monitor and control each activity in the life cycle and to
review each document in system development process. At While technology is changing faster than the engineering
the same time, this method is also used to ensure the techniques to cope with the new technology are being
traceability of relevant documents and to test all the created, software is pervasive in our society: Its scope is
functions of the whole system sufficiently and completely. widening more and more in many critical domains such as
So that the safety operation of train control system can be avionics, space, railway, automotive, nuclear, medical, and
ensured. Up to now, the independently developed CBTC air traffic control. As a consequence, it is of utmost
importance to assure the society at large that deployment of
a given software-intensive system does not contribute to
& Fei Yan pose an unacceptable risk of harm. For metro system,
fyan@bjtu.edu.cn communication-based control system now has been widely
1
used in new building metro lines. And most of operational
National Engineering Research Center for Rail Traffic
Operation and Control, Beijing, China
functions are realized by software.
2
Lessons learned over centuries about designing to pre-
Beijing Traffic Control Technology Co., Ltd., Beijing, China
vent accidents may be lost or become ineffective when
3
State Key Laboratory of Rail Traffic Control and Safety, older technologies are replaced with new ones. Digital
Beijing Jiaotong University, Beijing, China
technology has created a quiet revolution in most fields of
4
School of Electronic and Information Engineering, Beijing engineering, but system engineering and system safety
Jiaotong University, Beijing, China
engineering techniques have not kept pace. Digital systems
Editors: Jiaqi Ma, Yihui Wang, Xiaolu Rao, Shane Wu and Alireza introduce new failure modes that are changing the nature of
Khani accidents.

123
Urban Rail Transit (2017) 3(2):90–99 91

Traditional methods in safety engineering therefore ground information transmission system, and the train
struggle to keep up with the development of new tech- positioning system (as shown in Fig. 1). In particular,
nologies and usages of the same. The main drawback of ZC, the core of the CBTC system, calculates the
such methods is that they are founded on an assumption of movement authority (MA) for the rear train based on the
a certain degree of predictability and decomposability. position of the front train, the status of the line obstacles,
These approaches have lately been labeled ‘‘Safety I.’’ New the interlock condition, and the speed limit of the train.
concepts, such as resilience engineering, have gained The on-board equipment compares the running speed of
attention. A common foundation for these concepts is that the train with the MA received in real time. If the speed
they all focus on adaptive capacity to stay in control when of the train exceeds the speed limit in the MA, the on-
facing unforeseen disturbances or events, labeled ‘‘Safety board equipment will automatically implement the com-
II.’’ mon brake or emergency brake to ensure the train stops
With the rapid development of urban rail transit sys- in front of the safety point. The train–ground information
tems, it is urgent to develop high-performance train control transmission system could adopt wireless communication,
system with high safety, high reliability, and high effi- cross-ground induction loop, waveguide, or other media
ciency to ensure the safety of train operations. The Com- to achieve the bidirectional communication. To ensure
munication-Based Train Control (CBTC) system is the safety, the train must accurately determine its position
trend for the most advanced train control system all over and direction, where the on-board computer, the speed
the world. meter/speed sensor/accelerometer (for measuring dis-
Compared to the traditional train control system based tance, velocity and acceleration), and the trackside balise
on track circuits, the CBTC system has the following can be operated collaboratively to obtain the accurate
characteristics: (1) the CBTC system could supply much position [1].
larger capacity to support the continuous bidirectional Beijing Jiaotong University set up an independent
train–ground communication; (2) the safety computers innovation project to carry out the research about the
platform has been used in both the ground equipment and CBTC core technology and key equipment by the way of
the on-board equipment to handle train status and control Industry–University Research (IUR) proposed by the Chi-
commands, to realize the continuous interval control, route nese government. The demonstration of the independent
control, speed protection, and automatic driving; (3) the innovation CBTC project was carried on the Beijing Yiz-
train position can be achieved with high precision; (4) the huang Line, which was formally approved and started its
number of the cables, train control equipment, and first- operation on December 30, 2010. [2].
stage costs, and operational and maintenance cost could be By referring to the advanced safety standards from
reduced; (5) the CBTC information can be superimposed other countries and the actual situations of domestic rail
on the existing signaling system to facilitate the transfor- transit engineering in China, the safety management and
mation of the existing line and to enable the interconnec- certification activities have been designed special for rail
tion of urban rail transit lines. transit project in China and carried out and tested in
The CBTC system consists of ground zone controllers practice.
(ZC), the on-board equipment, the bidirectional train– Mature safety management concepts of the rail transit
were formed in electronic and electrical standard
IEC61508 [3], aviation industry standard ARP4761 [4],
and the related European railway signal standards CEN-
ATS ELEC [5–7]. According to these standards, British railway
Data system Arrange route
Base Request
command safety and standards board (RSSB) built the safety risk
route model (SRM) based on the accumulated data of railway
Zone Ground
DSU
controller(ZC) equipment operating for decades to evaluate the safety state of railway
Train
position Stop speed Computer operation and to provide guidance [8]. The European
curve interlocking(CI)
Line Movement commission proposed the SAMRail [9] and SAMNET [10]
database Authority Train position
Movement projects, which aimed at railway risk management pro-
application ˄MA˅ Train Authority
position ˄MA˅ motion in 2002 and 2003. These projects have unified the
Wireless transmission
railway safety operation strategy and established general
Movement Authority˄MA˅
safety targets and indicators and finally formed the railway
VOBC VOBC
operation safety performance indicators and safety tar-
Balise Balise Possible Position Balise get allocation methods [11], based on the common safety
slip error
target, the common safety indicator, and the common
Fig. 1 CBTC system structure safety method.

123
92 Urban Rail Transit (2017) 3(2):90–99

2 Challenges in Innovation of CBTC Systems operation and one-way continuous operation reduces the
number of wayside equipment, which makes the CBTC
CBTC system is a kind of train control system which system easy to install and maintain. Moreover, it is also
adopts advanced communication and computer technolo- easy for the CBTC system to adapt to different speeds,
gies to continuously control and monitor the operation of different traffics, and different types of traction train
trains. CBTC systems were independently studied and operation control, etc. Wireless communication methods
developed by Simens, Alstom and Thales according to the are mainly divided into wireless AP transmission mode,
development process of the safety-critical control system. waveguide transmission mode, and leaky cable transmis-
In China, we started to study CBTC in 1995 and have sion mode as well as inductive loop mode.
experienced more than 20 years’ development since the
beginning of 1995. The CBTC system consists of the 2.1 Complexity of the CBTC System
control, communication, network, integration, transporta-
tion organization, material technology, and other multi- To solve the technical problems of the CBTC system in
disciplinary integrated system technologies. All related principle is not equal to achieve the feasibility; there is a
research works were carried out in accordance with the long distance between reliability and safety in engi-
requirements of the whole life cycle. neering. Rail transit CBTC signaling technology’s
The structure diagram of the CBTC system developed research and development, engineering and industrial-
by us is shown in Fig. 2. The data transmission between ization is a typical complex system. As an intelligent
trackside equipment and on-board equipment is achieved complex safety control system, CBTC systems are
by the data communication network. In addition, the CBTC required to realize a safe and reliable operation in dif-
on-board equipment controls the operation of trains and the ferent weather conditions along the whole life cycle, as
CBTC trackside equipment sends data to the ATS system, well as to achieve the collaborative control (among
which supervises and controls the train through the inter- human, trains, and railroad) with complex multivariate
locking systems. parameters characteristics.
The real-time two-way communication between on- Urban rail transit operations are affected by the weather
board equipment and wayside equipment is the cores of the and the passenger flow, and in such situation we need to
CBTC system, which can provide a large amount of ensure a continuously safe and efficient operation for
information transmission with fast transmission speed to 30 years. Even when there is rain/snow or trains are
achieve moving automatic block easily. So the expansion overloaded, e.g., 150%, the CBTC system must provide
of information utilization and function in CBTC system safe and reliable services. The CBTC system is a complex
can greatly improve the ability of the interval and the safety critical system with perfect function and clear
capacity of the tracks. The flexible organization of two-way hierarchy according to the CENELEC international safety
standards. The SIL4 level train control equipment must
adopt the risk-control development method and the fault-
tolerance redundancy computer platform in the whole life
cycle. Hence, the traditional R & D methods and safety
$76 V\VWHP
analysis theory are facing difficulties to ensure the safe
operation of the CBTC system.
&%7& DGMDFHQW &%7& The failure propagation model based on the complex
LQWHUORFNLQJ WUDFNVLGH WUDFNVLGH scenarios of train operation and the system design and
HTXLSPHQW HTXLSPHQW development method that covers the whole life cycle is
significant for the system safety requirements. The safety
management system and the integrated research and
'DWD FRPPXQLFDWLRQ QHWZRUN
$GMDFHQW
development platform should be set up to meet CEN-
LQWHUORFNLQJ ELEC standards of the highest safety integrity level SIL4.
Furthermore, the train and ground two signal dedicated,
2QERDUG
7UDLQ portable safety computer platform, and CBTC complete
&%7&
FRQWURO set of technical equipment should be developed. More-
HTXLSPHQW
over, the mechanism and evolution law of the hazard
causations (accident causes) and the establishment
7UDLQ VXEV\VWHP of the hazard log and safety integrity level requirements
can eventually control the system risk within
Fig. 2 CBTC system structure diagram acceptable limits.

123
Urban Rail Transit (2017) 3(2):90–99 93

2.2 Distributed and Collaborative Control communication to generate MA. The delay of wireless
of the CBTC System communication impacts the correctness and precise posi-
tion of the train because the train always moves forward.
The equipment of the CBTC system is distributed in the When ZC calculates the MA for next train, it needs to
train, trackside, station, and control center. Those devices consider the delay.
are connected by many different types of fiber optic cable
and have numerous interfaces. For example, to equip 1-km
track route, there are dozens of kilometers fiber optic cable 3 Processes of Safety Management and System
laying, thousands of connection points and nearly ten Integration for CBTC
thousands components. The failure of any component will
affect the stability of the CBTC system since it is required In order to deal with the challenge of CBTC system
to have high reliability. development, we try to find best practice in the world. As
The CBTC system relies on wireless communication we know, the biggest safety challenge of CBTC System is
technology to achieve train–ground communication, which that system safety cannot be simply achieved by testing and
could use wireless LAN technology based on ISM band. need to take safety management measures to deal with the
There are some problems in this technology, such as vul- human errors and software failures. And the systematic
nerable to interference and the frequent handoff because features of CBTC system need a proper integration method
the wireless transmission environment consists of the along its product life cycle. The safety management system
underground tunnel and the ground section in urban rail during the railway development, construction, operation,
transit systems. So the single transmission mode is difficult maintenance is the effective way to conduct the risk control
to meet the high reliability requirements for the CBTC and set up the implementation framework of railway safety
train–ground communication. management.
Since the doors open automatically, the safety protection European EN series standards are important guideline in
of passengers is an important requirement for the CBTC the railway industry, but simply apply the method descri-
systems. In addition, the CBTC system is also closely bed in it cannot solve the management and technical
related to the operations staff; for example, dispatchers problem encountered in our project process. In the practice,
need to use the ATS equipment, and drivers need to use we summarized our own methodology.
ATP/ATO equipment. Therefore, CBTC system is very
important to improve the service quality of the operation. 3.1 European Safety Standards and Principles

2.3 Multivariate Parameters Adjustment SC9XA Committee of the European electrification Stan-
dards Committee (CENELEC) established a set of stan-
Moving block signaling system can achieve a larger line dards which includes s IEC62278, IEC 62279, IEC 62280
capacity when compared with the fixed block signaling and IEC 62425 (as shown in Fig. 3) for rail transit train
system because a train can be allowed to move to the tail of control system based on computer control [12, 13].
the front train with a certain safety distance. The CBTC Because these standards have strong pertinence and better
system with moving block could secure safe, fast, reliable, practicality, they have been promoted in many countries
punctual, comfort, and energy-efficient operation of trains. and been adopted by the IEC Committee as an international
The objectives for the operation of trains are contra- standard.
dicted with each other, such as the safety and the fastness. IEC62278 (EN 50126) defines the reliability, availabil-
For passengers, they want trains to run as fast as possible; ity, maintainability, and safety (RAMS) for rail transit train
however, the speed of trains is limited by the signaling control system and the relationships among them. In
systems, train characteristics, etc., to ensure the safety. So
the CBTC systems need to find a trade-off between these Software
objectives to achieve the maximum capacity allocation. Rail Train control Sub-system
Compared with the traditional signaling system, the transit system (ATS,ATP,ATO...) Hardware
Communication
control precision of the CBTC system is greatly improved. system
For example, the train positioning error can be limited
within centimeter level. The parking control precision of a IEC 62280-1
IEC 62279
IEC 62280-2
train with hundreds of tons can be less than 30 cm. The
IEC 62425
solution of each problem requires careful theoretical
IEC 62278
deduction and a large number of field tests. Besides, the
location of the train needs to be sent to ZC by wireless Fig. 3 International safety standards for rail transit

123
94 Urban Rail Transit (2017) 3(2):90–99

addition, it also standardizes the credibility system’s risk acceptable or tolerable. In addition, the overall risk of
framework of the life cycle and the works that need to be the system should be reduced as much as possible.
done at every stage of the life cycle to ensure the RAMS of From a formal perspective, the GAMAB principle and
the system. IEC62425 (EN 50129) makes the IEC62278 the MEM principle clearly define the safety requirements
improved according to safety case of train control and in the form of the risk acceptance thresholds, which is
system safety integrity level, etc. Furthermore, IEC62279 represented by the ‘‘existing similar system’’ and ‘‘mini-
(EN 50128) is the safety-related design standard for train mum national population natural mortality’’ and have a
control system software and it complements the content of strong universality and objectivity. The limitation of the
software engineering under the framework of IEC62278. MEM principle is that it does not consider the differences
IEC62279 also provides the technology and management in risk perception among different types of systems. For
for different safety-level software design. IEC62280 (EN example, the acceptance of the risk for rail transit and civil
50159) is a rail transit communication system safety stan- aviation, highways and other means of transport systems
dard, which involves two parts: open communication sys- could be different.
tem and closed communication system. The ALARP principle encourages the maximal reduc-
In rail transit, IEC62278 recommends three international tion of risk to improve safety by taking the cost into
common safety principles: the Globalement Au Moins account. To a certain extent, it promotes the research and
Aussi Bon (GAMAB) principle of France, the Minimum application of risk reduction technology. Compared with
Endogenous Mortality (MEM) Principle of Germany and the GAMAB and MEM principles, the ALARP principle is
the British As Low as Reasonably Practicable (ALARP) more stringent since it needs to analyze a variety of risk
principle. GAMAB requires all new systems must provide reduce measures and then choose the most reasonable
the best safety performance, and at least it should be solution during the design process. British Health and
equivalent to the safety performance of the existing similar Safety Executive (HSE) issued a number of regulations on
systems. the interpretation and constraints of the ALARP principle
MEM principle means that the application of the new and provided many court cases as references. Rail transit
system cannot increase the probability of casualties. In regulatory authorities also issued the ALARP principle
Germany, casualties caused by rail transit systems are guidance, the engineering safety management (Yellow
below the country’s lowest natural mortality rate (the nat- Book) and other industry standards to provide detailed
ural mortality rate for the 5–15 years old is the lowest, application procedures and steps for the ALARP principle
which is 1/20000 per year in Germany). Thus, the rail in system design, operation, maintenance, and safety
transit system in general set the safety objectives demonstration.
RM = 10-5 catastrophic risk/person years. During the development process of the CBTC system
The ALARP principle means that a reasonable and for China practice, the requirement analysis, risk analysis,
feasible method is adopted to reduce the risk as far as system design, product realization, system testing, and
possible in the case of cost. This principle divides the risk other works were carried out according to the CENELEC
into three levels, as shown in Fig. 4. The focus of the standard. The ‘‘standards, methods, processes, people’’ of
ALARP principle is to make a final overall judgment about each task is analyzed based on its own characteristics. The
the risk associated with the system and try to make every final product obtained the SIL4 safety certification from a
foreign third-party certification company, and it can be
applied in the actual project.

Unless in a special 3.2 The General Method of Safety Management

environment, the risk of
intolerable Region
this region is intolerable for Rail Signaling System
ALARP region or This area risk can be tolerated
tolerable Region when further risk reduction is The life cycle of a system refers to the various stages of the
˄only when the
difficult to achieve, or the cost is whole process from the initial concept to retirement and
huge. tasks at each stage (as shown in Fig. 5). The entire phase
need more benefits
can bear the risk Of includes a plan, management, control, and supervision of a
this region)
safety-related system. System life cycle (Lifecycle System)
Acceptable Region Need to continue to maintain is a description of the process of system development and
(without a detailed proof the risk in this area
usage. System life cycle provides a unified framework for
of this area corresponds to
ALARP) negligible Region
planning, management, control and supervision of the
quality, and the performance, construction period, cost and
Fig. 4 ALAP principle other aspects of the system. System safety is the result of

123
Urban Rail Transit (2017) 3(2):90–99 95

The concept of the system 1 on Urban Rail CBTC system research’’ for the first time.
The team at Beijing Jiaotong University was assigned to
System definition and
application environment 2 develop the automatic train protection (ATP) and auto-
matic train operation (ATO) system which was once
Risk analysis 3 Need to repeat in
many stages dependent on technology import and restricted the further
System functions and development of signaling system in China.
requirements 4 By the end of 2007, the team overcome the difficulties
System functions and of the CBTC system’s key technologies and completed the
requirements allocation 5 integrated test of the whole CBTC system. The function
Design and Implementation 6
and performance test were carried out on the 1.3-km test
line of Beijing metro afterward. Finally, the CBTC systems
Manufacturing 7 were checked and accepted by the experts. Moreover, the
Installation 8
various functions and performance indicators have reached
the international advanced level. The resulting CBTC
System verification 9 system also broke the technical monopoly in China [14].
System Receiving 10 The system design theory was established and the self-
developed complete sets of systems and equipment were
Supervision and Operation and maintenance Modify and
inspection 12 11 upgrade 13 developed, which include: (1) the system design theory of
System retirement 14 moving block; (2) the design method of safety critical
Depending on the system in the whole life cycle; (3) self-developed safety
specific circumstances
determine whether to re computer platform; (4) technology and equipment based on
implement the entire life the integrated design, e.g., the two-level scheduling model
cycle
and three kinds of control level [11].
Fig. 5 Life cycle of the system In view of the complexity of CBTC system, we use the
scene analysis method to analyze. According to the
EN50129, combined with the actual characteristics of the
many factors working together, and these factors are dis- Beijing metro project, a safety life cycle model for the self-
tributed in all the system life cycle stages. In particular, the developed CBTC products was established and the details
factors involved in different stages are different. Therefore, are shown in Fig. 7 [15].
we need to carry out the system safety work in system life
cycle to control and monitor the different factors at dif- 3.3.1 Design of Safety Management Process
ferent stages. The system life cycle that includes the system
safety work is called the safety life cycle, also called Safety A general overview of the system/subsystem/device design
Lifecycle. describes the main functions of the system, as well as the
From the activities of the whole life cycle, it could be internal and external interface, so that the relevant staff can
found that the management concept-based risk is adopted clearly understand the principles and techniques used in the
to control the risk of the system within the system or system.
project life cycle. In the process of the actual rail transit Safety management process is composed of a number of
project implementation, the whole life cycle is usually stages and activities, which are connected to the safe life
divided into 5 milestones, as shown in Fig. 6. The objective cycle. The design and validation of the system life cycle
of the first milestone is to generate the system require- can be seen as a ‘‘top-down’’ stage and is accompanied by a
ments, and this includes the first 4 phases. The second ‘‘down-top’’ phase, as shown in Fig. 7, which looks like a
milestone needs to distribute the safety requirements to V-type.
subsystems and give detail design outline. Before the third
milestone, implementation and installation of the system 3.3.2 Safety Organization and the Safety Plan Establishing
need to be finished. The main activity of milestone 4 is
system certification and safety inspection. The final mile- The safety management process should be performed under
stone is to state commercial operation. the control of a suitable safety organization via a personal
that is competent for the relevant work; Fig. 8 shows the
3.3 The Processes of Safety Lifecycle for CBTC organization structure of CBTC project. According to the
requirements of the relevant system’s safety integrity level,
In October 2004, Beijing Scientific and Technological there should be a proper independence between different
Committee carried out the project ‘‘Communication based personals.

123
96 Urban Rail Transit (2017) 3(2):90–99

Milestone 5
1.concept ISA System acceptance
Start commercial
2.System definition and operation
12.Operation
application environment supervision
11.operation and 14.Scrap and
Cooperation with 3.Hazard maintenance disposal
safety authorities analysis 13.Renovation and
4.safety Cooperation with refurbishment
10.System safety authorities
requirements
approved
Milestone 1
Milestone 4
Finish the system
5.safety Subsystem integration
requirement
requirements Safety acceptance
distribution 9.system certification and
Milestone 2 train operation
safety inspection
Finish the
sub-system Milestone 3
6.design and
design 8.installation Finish the Sub-system
achieve
installation
Cooperation
7.production with product
manufacturers

Fig. 6 Life cycle milestone diagram

Safety Operating
Safety integrity requirements define the level of safety
Planning and
Planning
SMS and integrity required for each safety-related function.
Requirement O&M
Stage Operation
ISA Plan &
Criteria (Goals) Final Certificate 3.3.3 Safety Audit, Verification and Validation
& Report
Safety Analysis, Design Testing &
Risk Assessment Stage Commission Safety At the appropriate stage of the system life cycle, safety
Demonstration,
Audits/ FRACAS audit should be carried out to monitor the safety manage-
Assessments & Implementat
Initial Certificate ion Stage ment process in accordance with the requirements of the
Test Witness,
System Validation
safety plan and the relevant standards.
Change
Monitoring and Verifying the content of each phase for the life cycle
Verification Inspection should meet the safety requirements specified in the pre-
& audit
vious stage and finally confirm that the system/subsystem/
Fig. 7 Independent research and development of CBTC product life equipment meets the initial safety requirements. According
cycle to the opinions of the safety authorities, the assessment
staff should be authorized by the safety authorities, be
completely independent from the project team, and report
directly to the safety authorities. Furthermore, the evidence
A safety plan should be made in the early stage of the for a system/subsystem/device meeting the safety accep-
system life cycle. This plan should determine the organi- tance criteria shall be listed in a structured document called
zational structure of the safety management which involves ‘‘Safety Case.’’ Before Safety Case sent to independent
the entire life cycle, the need for a review of safety plans company, internal verification and validation activities
within the appropriate intervals, and all aspects of the need to be done.
system/subsystem/device (including hardware and
software). 3.3.4 Safety Management for System/Subsystem/
In the early stage of the system design, we should create Equipment Transfer, Operation and Maintenance
a hazard source log based on the results of hazard analysis
(including PHA, SHA, SSHA, IHA, and OSHA) and System/subsystem/equipment should meet the conditions
maintain the hazard log throughout the entire safety life of the safety acceptance before the delivery to the railway
cycle. Safety requirements can be considered from two authorities. The delivery also includes the submission of
aspects, i.e., the functional safety requirements and the ‘‘Safety Case’’ and ‘‘safety assessment report.’’ After the
safety integrity requirements. Safety functional require- system is put into operation, it should meet the process,
ments are the actual safety-related functions which the support system and safety monitoring requirements that are
system, subsystem, or equipment is required to carry out. defined in the safety plan and technical safety report.

123
Urban Rail Transit (2017) 3(2):90–99 97

Project Director
Tao Tang

LR Project Manager
Independent Safety
Chunhai Gao
Assessor

RAMS Team Leader VOBC & SCL Design ZC & DSU Application DCS Design Team Safety Platform Deisgn Test Team Leader V&V Team Leader
Fei Yan Team Leader Design Team Leader Leader Team Leader Jianming Zhang Youneng Huang
Bo Liu Haifeng Wang Bing Bu Lianchuan Ma

RAMS Engineer
Ru Niu Test Engineer
VOBC DI ZC Application DI DCS DI Wei Wang
ZC Platform DI V&V Engineer
Datian Zhou Shuo Liu Hongli Zhao
RAMS Engineer Xi Wang Xiaoyan Li
Xinfa Sha Test Engineer
VOBC DI ZC Application DI DCS DI Qiang Zhang
ZC Platform DI Zhuliang Zhang
Hongjie Liu Chao Liu Hailin Jiang Binbin Yuan
Test Engineer
VOBC DI ZC Application DI DCS DI Dapeng Xu
Qijin Lu Xuwen Yang Wenhua Wang
Test Engineer
VOBC DI DSU Application DI DCS DI Yuetong Lou
Baosheng Liu Kai Li Yang Zhang

LR Give guidance to VOBC DI

Mentoring Team RAMS team Zhenyu Shan
System Engineer Configuration Manager Quality Manager EMC Consultant
SCL DI Guosheng Zhi Yan Qi Wei Zhang Yun Zhu
Bobo Zhao

Responsible line Report line

Fig. 8 Organization structure for CBTC project

After the revision of the document and passing the ISA

review, the improvement opinions will be closed.
(2) On-site audit
According to EN50128, EN50129, and other stan-
Fig. 9 Process for independent certification
dards, the ISA staff applies the on-site audit to the
3.3.5 Processes of Safety Certification systems integrators and the core technology supplier
during the stage of the system requirements and
Safety certification needs a proper process, as Fig. 9 system design, as well as the implementation stage
describes. Before conducting an independent evaluation, a and system testing stage from the aspects of the
checklist is required about user requirements and related system assurance, software quality assurance and
standards. This checklist can provide a systematic method management, etc. The staff then put forward a
to record the results of independent evaluation and evi- written audit report. System integrators and core
dence and save as the evaluation document for traceability. technology supplier need to respond to the audit
opinions presented by the ISA staff and provide the
(1) Document Review relevant evidence. After that, the ISA staff can close
In the beginning of the project, the independent their views.
safety assessment (ISA) staff will review the For the problems existing in the audit process, the
project plan, safety plan, quality plan, configuration owners, the independent safety assessment staff, as
management plan, test plan, and system require- well as systems integrators and core technology
ments specification, etc. The staff then put forward provider will hold a weekly safety meeting to
written improvement opinions. communicate and resolve the problems.
After the integrators and subcontractors finish the (3) Safety confirmation
development of related subsystems, ISA staff will In order to ensure the safety of the signaling system
review the test specifications of the integration after testing, debugging and operation, the single train
testing and system testing for each subsystem, the commissioning, multi-train commissioning, trial oper-
test plans and test reports and then put forward ation, operations need to be carried out under special
written improvement opinions. monitoring mechanism. System integrators and core

123
98 Urban Rail Transit (2017) 3(2):90–99

technology suppliers provide related design docu- of CBTC system came into being. The method was proved
ments, test report and safety documents. ISA then in the process of pilot test on test line, single train com-
conduct the safety assessment by means of document missioning, multi-train commissioning, trial operation on
review, on-site audit, and witness testing according to mail line, and the carrying passenger trial operation, and
the requirements of EN50128 and EN50129. After that, finally the CBTC system and related products developed by
ISA provides the safety assessment report and publish Beijing Jiaotong University has obtained the safety integ-
the safety certificate. When achieving the certificate, rity level 4 (SIL4) certificate.
the testing, debugging, system operation, etc., could be After the successful application of independently
carried out. developed CBTC system, the advanced fully automatic
In the safety assessment of metro projects, ISA will operation system is currently under development and the
check each of the safety critical system products new technologies will be used in the Beijing Yanfang Line
provided by suppliers to make sure that they have which is expected to be opened by the end of 2017.
obtained the product safety certification. The safety
certification process for the CBTC system is as follows: Open Access This article is distributed under the terms of the Creative
a. Products design Commons Attribution 4.0 International License (http://creative
commons.org/licenses/by/4.0/), which permits unrestricted use, distri-
The design and dev med by the design team, and they
bution, and reproduction in any medium, provided you give appropriate
make a detailed record for the works that completed credit to the original author(s) and the source, provide a link to the
in each stage of the system design process and Creative Commons license, and indicate if changes were made.
development process. The record could be the
system and subsystem requirements specification,
system architecture specification, etc. References
b. System test
The implementation of the system, subsystems, 1. Yan F, Tang T (2005) Development of safety technology of rail
components, and modules needs to be verified by transit signaling system and the research status of foreign coun-
testing according to the corresponding test specifica- tries. J China Saf Sci J 15(6):94–99
2. Gao CH (2014) Research on the core technology of independent
tions at every stage of the CBTC system development innovation CBTC system. J Modern Urban Rail Transit
[16]. In the testing process, the engineers use the test 24(1):7–10
cases that described in the specifications and test each 3. IEC61508-2010 Functional safety of electrical/electronic/pro-
function and performance individually. grammable electronic safety-related systems
4. Society of Automotive Engineers (SAE) (1996) Guidelines and
c. Verification and validation (V&V) methods for conducting the safety assessment process on civil
This work is done independently from the project airborne systems and equipment (ARP4761). SAE International:
team and is performed by the V&V staff. In each Warrendale, PA. [Aerospace Recommended Practice]
phase of the project life cycle, the V&V staff needs to 5. IEC 62278-2002 Railway applications—specification and
demonstration of reliability, availability, maintainability and
ensure that the work done at each stage is correct [17] safety (RAMS)
and generates a validation report for each phase. 6. IEC 62279-2002 Railway applications—communications, sig-
nalling and processing systems—software for railway control and
The safety certification for CBTC covered the certifica- protection systems
tions in the test line, single train commissioning, multi-train 7. IEC62425-2007 Railway applications—communication, sig-
commissioning, trial operation, and the carrying passenger nalling and processing systems—safety related electronic systems
for signalling
trial operation, etc. At each stage of the whole life cycle of the 8. RSSB (2011) Safety risk model risk profile bulletin (version 7)
system, the safety is measured and evaluated by the inter- [R]. http://www.rssb.co.uk/risk-analysis-and-safety-reporting/
national advanced and practical standards and scientific risk-analysis/safety-risk-model-(srm)
methods. In addition, an independent third-party assessment 9. European Commission-2004 (2004) Safety management in rail-
way, WP.2.2.2: guidance for the safety management system
team is hired to carry out safety audits and assessments in 10. EI Koursi EM, Tordai L (2003) SAMNET: Safety management
each process to ensure the CBTC system with independent and interoperability thematic network in railway systems.
intellectual property rights can be used safely and reliably in WCRR2003, Edinburgh, pp 198–202
the application of urban rail transit in China. 11. Common safety targets, common safety indicators and common
safety methods. A joint paper of the Safety Systems Harmoni-
sation Working Group and the Technical Interfaces Working
4 Conclusions Group of the UIC Safety Platform, Sept’2002
12. CENELEC EN50129-1999 (2003) Railway applications:safety
related electronic systems for signalling [S]
After absorbing the essence of international safety stan- 13. CENELEC EN50126-1999 (1999) Railway applications:the
dards and adapting China urban transit construction prac- specification and demonstration of reliability ,availability,main-
tice, the safety management and system integration method tainability and safety (RAMS) [S]

123
Urban Rail Transit (2017) 3(2):90–99 99

14. Tang T, Niu YM, Gao CH (2010) Research and innovation of 16. Gao CH, Yan F, Tang T (2005) Research on safety assessment
CBTC system for rail transit. J Munic Technol S2:349–353 method of rail transit signaling system. J China Saf Sci J
15. Yan F, Gao CH, Tang T (2011) Safety management and assess- 15(10):74–79
ment mode research for rail transit signalling engineering project. 17. Morisio M (2000) Commercial-off-the-shelf (COTS): a survey a
Urban Rapid Rail Transit 24(4):12–16 DACS state-of-the-art report[R]

123