Visualization and operating system for railways compliant with SIL2, with type approval from the Swiss Federal Office of Transport (BAV)

The visualization and operating system for railways (VBBa) is used to operate and visualize interlocking systems and all the associated elements of safety systems, such as switch points, barriers and routes, for different railway companies. The VBBa is used for the remote control and remote monitoring of interlocking systems. Although this type of function is still frequently performed today using conventional control desks, these are gradually being replaced by VBBa.

VBBa is designed for the execution of critical commands. The operating and observation system is compliant with the requirements of SIL2 and so fulfills the necessary safety requirements. Its safety credentials have been verified by exhaustive testing, approved by external experts and certified by the BAV (Swiss Federal Office of Transport) in November.

This latest project engineered by LeitTec AG entailed the development of a type-approved generic system for the reliable display of signals and the (failsafe) execution of commands. The configuration and size of the system provide the flexibility needed to adjust to the varied needs of different railways. It is modular in structure and features open interfaces to other control systems (train tracking) or other types of interlocking. It will be possible to add future interface modules to the basic system without risk of interference.

End user
CHEMINS DE FER DU JURA
Private railway with a rail network of 85 km, 19 stations and 1.5 million passengers a year, responsible for public transport within a substantial area of the Swiss Jura.

System integrator
LeitTec AG
Process automation and railway safety technology. LeitTec AG has been a WinCC OA Premium Solution Partner since 2001 and is based in Berne, Switzerland.
CEO: Jörg Boltshauser
Project Manager, Head of Development VBBa: Peter Tschan
WinCC OA application development: Kony Meyer

For this project, the involvement of system integrator LeitTec AG encompassed a Project Manager and three additional employees in charge of implementing control and visualization (WinCC OA). An external expert and an independent consultant were also consulted to advise on design matters.

Realization
The project launched in June 2012 with the submission of an application to obtain type approval. Since May 2014, VBBa has been in successful operation for the private railway operator Chemins de Fer du Jura (CJ), and in November 2014 type approval was granted by the BAV. Compilation of the documentation by LeitTec AG and review of the documentation by the authorities were more labor-intensive than originally envisaged, delaying the project by six months.

Project description
Essentially, VBBa comprises two sub-systems: the management level and the head stations. The management level is the real nerve center of the VBBa, encompassing the higher-level operating, visualization and data acquisition system. It is here that the SIMATIC WinCC Open Architecture (WinCC OA) SCADA system and Siemens SCALANCE switches are used. As the topology illustrates, the management level comprises:
- A redundant pair of servers running in hot-standby mode. Each of these monitors the other, with the active server acting as master and the standby server as slave. In the event of a fault in the master server, its functions are automatically taken over by the standby server.
- One or more operator stations (clients), each comprising a workstation, mouse, keyboard and at least two monitors. The client-server architecture means that all the data from the servers is transferred to the operator stations.
- Network for the management level: this network links the servers to each other and to the operator stations.
- Network for the PLCs: this network links the servers to the subordinate controls, the head stations.

The task of the head station is to accept interlocking information from the telecontrol system and forward it to the management level. In the other direction, commands are accepted from the management level and transmitted to the interlocking console by the telecontrol system. The control also executes a variety of testing functions in order to guarantee the consistency and reliability of data transmission. SIMATIC S7-41xHF PLCs are used for the head stations. These form the interface to the telecontrol systems. The name stems from the fact that they simultaneously fulfill the function of head station for the type-approved FWS-S7 remote transmission system (a product of LeitTec AG, also with type approval, sharing hardware and operating system software). The system boundary runs within the head station.

Topology: control level (figure)
Project sequence
Decisive in determining the project sequence were the stipulations of the BAV and the railway standards (predominantly EN 50129). From the initial phase, an expert was contracted to act as an advisor throughout the term of the project. The issue of a type approval requires proof of safety in the form of a safety case, which has to be drawn up in compliance with wide-ranging regulations and standards:
- AB-EBV:2012 Implementing provisions of the railways regulations, AB38.1 points 1.0-1.4 and AB39.2 point 4.3
- SN EN 50126:1999 Railway applications - The specification and demonstration of reliability, availability, maintainability and safety
- SN EN 50128:2011 Railway applications - Communication, signaling and processing systems - Software for railway control and protection systems (part of the IEC 61508 standard series)
- SN EN 50129:2003 Railway applications - Safety related electronic systems for signaling
- SN EN 50159:2010 Railway applications - Safety-related communication in transmission systems
- EN 61000-6-2:2005 EMC immunity for industrial environments
- EN 61000-6-4:2007 EMC emission standard for industrial environments
- Guideline for the implementation of safety-critical projects (Safety Manual from ETM)

The structure of the safety case documents complies with the standard EN 50129. The safety case must contain the following documents:
- Part 1: Definition of the system
- Part 2: Quality management report
- Part 3: Safety management report
- Part 4: Technical safety report
- Part 5: Related safety cases
- Part 6: Summary

The actual launch of the project came with the submission of the application to obtain type approval for the VBBa from the BAV. The application included a target specification which served as a basic working document for initial talks with the BAV and for further development of the system, as well as the basis for the type approval documentation.
After obtaining the consent of the BAV, work started on the requirements specification and the hazard analysis. The system requirements specification describes all the VBBa interfaces, the detailed topology and all the requirements the VBBa has to fulfill. This document provides the basis for all further documents and developments.

The hazard analysis is used to identify hazards associated with the system and any incidents which could conceivably arise from such hazards. It analyzes the risks associated with the identified hazards and sets out a process for continuous risk management. The hazard analysis calls for specialist process knowledge, which allows different hazard case studies and the resulting (hazard) situations to be highlighted. The purpose of the hazard analysis was to define the safety integrity level (SIL) for each identified hazard. The outcome was that VBBa as an overall system must achieve compliance with SIL2 for critical commands (commands which permit safety devices in the interlocking system to be bypassed). The same also applies to the display of interlocking feedback messages.

On the basis of the hazard analysis, the basic documentation (comprising the system definition, quality management, safety management and technical safety reports, as well as the report on related safety cases) was revised. The purpose of the quality management report is to minimize the frequency of human error at every stage of the life cycle and so reduce the risk of systematic faults in the system, sub-system or facility. The document describes the organizational structure used to develop the VBBa, the quality management system in place at LeitTec AG for development of the VBBa, the organization of verifications and reviews, and the documentation required across the whole of the VBBa life cycle.
The purpose of the safety management report is to guarantee safety through an effective safety management process, which must agree with the management process for ensuring RAMS as defined by EN 50126. Content of the document:
- Description of all processes and documents required across the various life cycle phases of VBBa (system development and validation, project engineering and commissioning, operation and maintenance, disposal)
- Description of the safety organization (depending on the SIL level)
- Description of the safety plan (what is carried out and when, what is reviewed and when, and the impact of reviews performed)
- Description of the required documentation for the entire life cycle of VBBa

The purpose of the technical safety report is to provide evidence of the functional and technical safety of VBBa. It contains:
- Evidence of fulfillment of the requirements contained in the EN 50128 standard
- Evidence of fulfillment of the individual requirements arising from the requirements specification
- Evidence of fulfillment of the requirements set out in the framework and operating conditions in the WinCC OA safety manual
- Evidence of fulfillment of the requirements set out in the EN 50128 and EN 50159 standards

The document setting out related safety cases includes a list of all other cases to which reference was made for the VBBa safety case (e.g. SIL Certificate WinCC OA, SIL Certificate SIMATIC S71xx F).

The next step was to draw up the system specification for the hardware and software. This contained:
- A description of the topology
- A description of all hardware and software components
- A description of the individual functions in VBBa
- Assignment of the individual requirements to the individual functions of VBBa

On the basis of this specification, the management level was installed. This was then documented and validated, and subsequently the basic functionalities of the management level were specified and validated. An essential aspect of this project was the ability to ensure correct transmission of signals and commands. For this, special function modules and objects for communication were developed, as well as a watchdog system to monitor communication. For the first project with CJ (Tavannes interlocking), project-specific functions and objects (such as signal, block, switch points, track and route) were additionally implemented. This was followed by the start of fundamental integration and installation tests. Following their successful completion, the first VBBa application, the Tavannes interlocking, was specified in detail. This entailed drawing up a target specification, the control system, the management level and a simulator application for the Tavannes interlocking. A functional safety test was then performed in order to validate all functions to date.
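The page mentions a watchdog system and testing functions that guarantee consistent and reliable transmission between head station and management level, and its technical data list CRC over TCP/IP, but it does not describe how these checks work. The following Python sketch is an added example, not LeitTec AG's or VBBa's code, of the receive-side checks a safety-related channel typically applies: a safety code (CRC), a sequence number against replay and loss, a timestamp against delayed data, and a watchdog timeout that invalidates the displayed state when telegrams stop arriving. These are the generic defences listed in EN 50159, which the page cites; the telegram layout, the choice of CRC-32 via zlib.crc32, the "invalid state" fallback and all timing constants are assumptions made for illustration.

```python
import struct
import zlib

# Telegram layout (constructed for this example, not the VBBa/FWS-S7 format):
#   seq (uint32) | timestamp_ms (uint32) | len (uint16) | payload | crc32 (uint32)
HEADER = struct.Struct(">IIH")
CRC = struct.Struct(">I")


def encode_telegram(seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side: frame the payload and append the safety code (CRC-32)."""
    body = HEADER.pack(seq, ts_ms, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))


class SafetyReceiver:
    """Receiver side of a safety-related channel.

    Every failed check rejects the telegram and sets `state` to None, i.e. the
    display falls to the safe side ("interlocking state unknown") rather than
    keeping stale data on screen.
    """

    def __init__(self, watchdog_ms: int, max_age_ms: int):
        self.watchdog_ms = watchdog_ms    # max silence before state is invalidated
        self.max_age_ms = max_age_ms      # max transit delay accepted per telegram
        self.expected_seq = None          # next sequence number we will accept
        self.last_good_ms = None          # receive time of the last valid telegram
        self.state = None                 # last accepted payload; None == invalid

    def accept(self, raw: bytes, now_ms: int):
        """Validate one received telegram; returns (accepted, reason)."""
        if len(raw) < HEADER.size + CRC.size:
            return self._reject("too short")
        body, crc = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])[0]
        # 1. Safety code: detects corruption on the (non-trusted) transport.
        if zlib.crc32(body) != crc:
            return self._reject("crc mismatch")
        seq, ts, n = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if len(payload) != n:
            return self._reject("length mismatch")
        # 2. Sequence number: detects repetition (replay) and loss.
        if self.expected_seq is not None:
            if seq < self.expected_seq:
                return self._reject("duplicate or replayed telegram")
            if seq > self.expected_seq:
                # Resynchronise after the gap; state stays invalid until the
                # next consecutive telegram is accepted.
                self.expected_seq = (seq + 1) & 0xFFFFFFFF
                return self._reject("telegram lost")
        # 3. Timestamp: detects delayed or out-of-order data.
        if ts > now_ms or now_ms - ts > self.max_age_ms:
            return self._reject("stale or future timestamp")
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        self.last_good_ms = now_ms
        self.state = payload
        return True, "ok"

    def watchdog_ok(self, now_ms: int) -> bool:
        """Called periodically by the display: with no valid telegram within
        watchdog_ms the shown state is invalidated (timeout defence)."""
        if self.last_good_ms is None or now_ms - self.last_good_ms > self.watchdog_ms:
            self.state = None
            return False
        return True

    def _reject(self, reason: str):
        self.state = None
        return False, reason


if __name__ == "__main__":
    # Constructed traffic: a valid telegram, a replay of it, a corrupted one, a gap.
    rx = SafetyReceiver(watchdog_ms=500, max_age_ms=200)
    t1 = encode_telegram(1, 1000, b"SIG_A=STOP")
    print(rx.accept(t1, 1050), rx.state)
    print(rx.accept(t1, 1100), rx.state)          # replay -> rejected, state invalid
    bad = bytearray(encode_telegram(2, 1150, b"SIG_A=PROCEED"))
    bad[HEADER.size] ^= 0xFF                      # flip a payload byte in transit
    print(rx.accept(bytes(bad), 1200), rx.state)  # crc mismatch
    print(rx.accept(encode_telegram(4, 1250, b"x"), 1300))  # seq 3 never arrived
    print(rx.watchdog_ok(2000))                   # silence -> state invalidated
```

The important design point is that every rejection path ends in the same safe side: the display is blanked or marked invalid instead of continuing to show the last known picture, and a lost telegram is not silently skipped but reported before the channel re-synchronises.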
In addition, an expert report was prepared by an independent expert for the BAV. This was designed to appraise the VBBa safety case, and contains an evaluation of the safety case from the viewpoint of the independent expert (compliance with all standards, adherence to procedure, completeness of the evidence presented etc.), a report on the appraisal, a list of deficiencies and recommendations, and a recommendation for type approval. Once this milestone had been reached, it was possible for the external expert to carry out an initial safety assessment.

The next step was to further expand the basic documentation. Project manuals, operating instructions and various training documents for the operator, for the VBBa system manager, for electrical maintenance and for the disposal procedure were prepared. Specifications also had to be prepared setting out a procedure for possible system expansion, for the development and application of additional function modules and for periodic maintenance and servicing work, as well as a logistics concept.

At the same time as compiling the documentation, the standard VBBa application was developed and the initial project implemented at CJ, the Tavannes interlocking. The management level, the control section and the VBBa simulator were delivered and installed. After induction of the CJ personnel, the VBBa was ready to be commissioned. However, for Tavannes to be commissioned, LeitTec AG required approval for an operational trial from the BAV. To obtain this approval, the entire safety case had to be submitted and appraised in advance. LeitTec AG drew up a concept for operational testing of the Tavannes interlocking, which was also appraised by an external expert. Following review by the BAV, a release for the operational trial was finally granted in April 2014. Appraisal by the BAV took somewhat longer than planned, as for all those involved this was the first time a system of the complexity of VBBa had been approved in accordance with the new standards. The rail operator then submitted an application for permission to modify its safety installation (PGV). After receiving the consent of the BAV, there were no longer any obstacles to commissioning the VBBa with control of the Tavannes interlocking.

After a two-month operational trial period, the results were evaluated and reviewed by the BAV. This meant that the conditions for VBBa type approval had been fulfilled, and approval was officially issued by the BAV in November 2014.
Technical data
Around 350 objects with a total of 1,200 variables are processed per interlocking (approx. 300 interface signals with the interlocking). A maximum of 50 interlockings are linked.

Standard safety components used:
- SIMATIC S7-41xHF (up to SIL 3)
- SIMATIC WinCC Open Architecture (up to SIL 3)
- KERBEROS VPN with IPsec protocol for remote access
- CRC (TCP/IP)

Benefits
The SIL 3 certification of WinCC OA, alongside the relevant documentation, played a major role in enabling approval of the VBBa to be obtained in this way. Without the SIL certificate, the workload would have been at least doubled, as key safety aspects would have required additional verification by LeitTec AG. The scalability and redundancy concept of WinCC OA, in conjunction with the high availability of WinCC OA, were considerable benefits when it came to implementation.

LeitTec AG's long-standing WinCC OA partnership was a decisive advantage in the execution of this project, given the broad fund of experience it had gathered with WinCC OA and the fact that it was already familiar with wide-ranging aspects of WinCC OA functionality. With ETM, the project benefited from a partner which was capable of providing excellent support where needed, had the ability to respond rapidly in the event of problems, and was willing to discuss specific issues relating to the SIL 3 concepts and project implementation through the medium of workshops.

The end client CJ is highly satisfied with the VBBa system. Since it was commissioned at the beginning of May 2014, the system has been operating reliably. CJ was also delighted with the flexibility and straightforward approach taken by LeitTec AG during project execution. Another renowned railway operator, Regionalverkehr Bern-Solothurn (RBS), has already come on board and plans to implement remote control for its entire railway network using VBBa.
Pictures
Panels: from a console to a screen (figure)
Operation: switch point; section block (figure)