
Contract No. H2020 – 730539

CONTRIBUTING TO SHIFT2RAIL'S NEXT GENERATION OF HIGH CAPABLE AND SAFE TCMS AND .

D5.1 – System Brakes Architecture Report

Due date of deliverable: 31/04/2017

Actual submission date: 09/06/2017

Leader/Responsible of this Deliverable: Gremmel, Heiko, KNR
Reviewed: Y

Document status

Revision | Date | Description
1 | 16/09/2016 | First issue
2 | 18/11/2016 | Review and completed par 3.1 scope by FTI, minor modification on introduction.
3 | 22/11/2016 | Review of sections 3.2.1 (FTI) and 3.2.3 (CAF/FTI).
4 | 29/12/2016 | Review F2F Meeting 25/11/2016 and overwork by KNR, new CTA Template.
6 | 17/02/2017 | Review of section 3.4, 3.5 and 3.6 (FTI).
8 | 13/04/2017 | Document complete Draft
9 | 24/04/2017 | Final draft for TMT review
10 | 19/05/2017 | Amended version. Final TMT review.
11 | 09/06/2017 | Final version. Submitted.

Project funded from the European Union’s Horizon 2020 research and innovation programme

Dissemination Level: PU Public (X); CO Confidential, restricted under conditions set out in Model Grant Agreement

Start date: 01/09/2016 Duration: 24 months

CTA-T5.1-D-KNR-015-02 Page 1 of 145 09/06/2016 Contract No. H2020 – 730539

REPORT CONTRIBUTORS

Name | Company | Details of Contribution
Maurizio Mittino (WP5 Leader), Fabio Ferrara, Paolo Giraudo | FTI | Chapters 1, 2, 3.1, 3.2, 3.3, 3.4.1, 3.4.2, 3.4.4, 3.4.5 (BSM, SB, PB, EB, ABT, LAM), 3.4.6, 3.5, 3.6, 4; Quality Review; Review
Heiko Gremmel (Task 1 Leader) | KNR | Chapters 3.3, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5 (EB, ABT); Review
Ion Solabarrieta | CAF | Chapters 3.3; Review
Javier Goikoetxea | CAF | Quality Check
Francesco Fumarola | AST | Review
Richard Chavagnat | SNCF | Review
Matthias Oberhofer | SIE | Review
Giambattista Santopolo | BT | Review
Safe4Rail | Nier/TUV | Review

Table 1: Contributors


1 EXECUTIVE SUMMARY

The contents cover and are well aligned with the CTA Grant Agreement for WP5 Task 1 “System Architecture”; in detail:

 Chapters 3.1 to 3.3 describe the scope, give an overview of the brake system and describe the methodology used for the functional analysis and the safety analysis. The analysed brake systems are limited to High Speed Trains and Multiple Units. The functional analysis uses most of the concepts and methods of WP1 D1.1 “Workflow methodology”. The safety analysis method is based on the relevant European standards.

 Chapter 3.4 presents the brake system functional analysis. Six system functions have been identified:
  o BSM Brake System Management
  o SB Service Brake
  o EB Emergency Brake
  o PB Parking Brake
  o ABT Automatic Brake Test
  o LAM Low Adhesion Management
The system functions are decomposed into sub-functions, described in chapter 3.4.4; to each sub-function the requirements taken from the TSI are allocated. For the purpose of this task the requirements are limited to the TSI; they will be integrated with requirements from other sources in the next tasks.

 Chapter 3.5 allocates a SIL/THR to each sub-function by hazard analysis.

 Chapter 3.6 describes the possible future brake system architectures. For each possible architecture, the sub-functions involved and the sub-functions suitable to be implemented by the future TCMS are identified.

The contents of D5.1 will be the basis for WP5 Task 5.2 “Sub System Design”, which, starting from the proposed future brake system architectures, will design the technical implementation of the related sub-functions.

The other WPs of CTA related to TCMS should take as input the sub-functions and related requirements to be included in the future TCMS design.


ABBREVIATIONS AND ACRONYMS

Acronyms:

ABT: Automatic Brake Test
AST: Alstom
ATP: Automatic Train Protection
BAT: Battery
BCU: Brake Control Unit
BSM: Brake System Management
BP: Brake Pipe
BR: Brake Reservoir
BT: Bombardier Transport
CAF: Construcciones y Auxiliar de Ferrocarriles
CFM: Call For Members
CTA: CONNECTA
DBV: Driver Brake Valve
EMU: Electric Multiple Unit
EB: Emergency Brake
EBU: Emergency Brake Unit
ECD
EP: Electro Pneumatic
ETCS: European Train Control System
EU: European Union
F2F: Face to Face
FBS: Function Breakdown Structure
FBT: Full Brake Test
FTI: Faiveley Transport Italy
HST: High Speed Train
KNR: Knorr Bremse
LAM: Low Adhesion Management
LC: Load Compensation
MP: Main Pipe
MC: Master Controller
MTB: Magnetic Brake
OC: Open Call
P-EB: Emergency Push Button
PB: Parking Brake
RAMS: Reliability, Availability, Maintainability and Safety
RLY: Relay Valve
S4R: Safe For Rail, open call project complementary to CTA
SB: Service Brake
SBU: Service Brake Unit
SIE: Siemens Transport
SIL: Safety Integrity Level
SNCF: Société Nationale des Chemins de fer Français
TCU: Traction Control Unit
TCMS: Train Communication and Management System
THR: Tolerable Hazard Ratio
TSI: Technical Specifications for Interoperability
UIC: Union Internationale des Chemins de fer
WP: Work Package
WSP: Wheel Slide Protection

Table 2: Acronyms


Definitions:

Term | Definition
Epic | An epic, in the context of requirement management, is the description of requirements at a very high level of abstraction. Everyday language is used to formulate an epic.
System | A system is a set of interacting or interdependent units of a whole. System boundaries define the scope of the system.
Subsystem | Every system can be decomposed into several subsystems.
User Story | A user story describes a functional requirement. User stories have a well-defined structure, including the actor, the goal and the benefit of an interaction within the system. Everyday language, in the length of one sentence, is used.
Use Cases | These describe the interactions of actors within the system in more detail. The system’s state before the interaction and the system’s state after the interaction are described.
Functional Requirement | They define specific behaviour or functions. They define what a system is supposed to do and how a system is supposed to be. They are usually in the form of "system shall do ".
Non-Functional Requirement | This is a requirement that specifies criteria that can be used to judge the operation of a system, rather than specific behaviours. They are in the form of "system shall be ". They describe the usability, reliability and maintainability.
System Functions | “End-to-end” functions spanning from one point at the system border to another point of the system border.
Sub Function | Every system function can be decomposed into several sub-functions.
Safety Function | Contributes to one or more safety barriers to ensure safety.
Consist | Single vehicle or a group of vehicles which are not separated during normal operation.
Safety Integrity | The ability of a safety related system to achieve its required safety functions under all the stated conditions within a stated period of time.
Safety Integrity Level | A number which indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures.
Hazard | Condition that can lead to an incident.

Table 3: Definitions


TABLE OF CONTENTS

Report Contributors ...... 2
1 Executive Summary ...... 3
Abbreviations and Acronyms ...... 4
Table of Contents ...... 7
List of Figures ...... 8
List of Tables ...... 8
2 Introduction ...... 11
3 Analysis of the Brake System ...... 13
3.1 Scope of System Brakes Architecture Report ...... 13
3.2 Brake System Overview ...... 14
3.2.1 Conventional brake system ...... 14
3.2.2 Context of the Braking System ...... 16
3.3 Definition of Methods for Functional and Safety Analysis ...... 17
3.3.1 Method for Functional analysis ...... 17
3.3.2 Methods for Safety analysis ...... 19
3.4 Functional analysis ...... 27
3.4.1 Epics ...... 27
3.4.2 System functions ...... 27
3.4.3 Use cases of conventional brake system ...... 32
3.4.4 Conventional brake system sub-functions ...... 59
3.4.5 Conventional brake system sub-function description ...... 62
3.4.6 Identification of devices implementing the brake system functions on conventional ...... 97
3.5 Conventional Brake Systems Safety Function Allocation Analysis ...... 122
3.5.1 Hazard and Risk Analysis of Brake System Functions ...... 122
3.5.2 Safety Allocation on SIL Levels of System Function and Sub-Functions ...... 122
3.6 Definition of Future Brake System Architecture ...... 125
3.6.1 Introduction ...... 125
3.6.2 High Safety Electronic Emergency Brake Load Compensation ...... 128
3.6.3 High Safety Electronic Emergency Pressure Generation ...... 133
3.6.4 High Safety Electronic Cylinder Pressure Generation and Electric Brake in Emergency ...... 139
4 Conclusions ...... 145

LIST OF FIGURES

Figure 1: Context Diagram of the Braking System ...... 16
Figure 2: Hierarchy ...... 17
Figure 3: Hazards management process as per EU regulation 402/2013 ...... 23
Figure 4: Safety allocation process as per EN 50129 ...... 26
Figure 5: Use Case Train System ...... 32
Figure 6: Use Case Emergency Brake ...... 33
Figure 7: Use Case Parking Braking ...... 40
Figure 8: Use Case Service Braking ...... 46
Figure 9: Use Case Service Automatic Brake Test ...... 49
Figure 10: Conventional Brake System Architecture ...... 99
Figure 11: Safety loop circuit diagram ...... 102
Figure 12: Load Compensation Valve Characteristic ...... 128
Figure 13: High Safety Electronic Emergency Brake Load compensation ...... 130
Figure 14: High Safety Electronic Emergency Pressure Generation ...... 135
Figure 15: High Safety Electronic Cylinder Pressure Generation and Electric Brake in Emergency ...... 141

LIST OF TABLES

Table 1: Contributors ...... 2
Table 2: Acronyms ...... 5
Table 3: Definitions ...... 6
Table 4: IEC 61508 parts ...... 20
Table 5: EN50126 parts ...... 20
Table 6: EN50128 parts ...... 21
Table 7: EN50129 parts ...... 21
Table 8: EN50159 parts ...... 22
Table 9: Frequency Categories ...... 24
Table 10: Severity Classes ...... 24
Table 11: Acceptability Matrix ...... 25
Table 12: Risks Definitions ...... 25
Table 13: BSM1 Devices ...... 101
Table 14: BSM2 Devices ...... 103
Table 15: SB1 Devices ...... 104
Table 16: EB3 Devices ...... 105
Table 17: SB3 Devices ...... 105
Table 18: SB4 Devices ...... 105
Table 19: SB5 Devices ...... 107
Table 20: SB6 Devices ...... 108
Table 21: SB7 Devices ...... 108
Table 22: SB8 Devices ...... 108
Table 23: SB9 Devices ...... 109
Table 24: SB10 Devices ...... 110
Table 25: EB1 Devices ...... 111
Table 26: EB2 Devices ...... 112
Table 27: EB3 Devices ...... 113
Table 28: EB4 Devices ...... 114
Table 29: EB5 Devices ...... 114
Table 30: EB6 Devices ...... 115
Table 31: EB7 Devices ...... 115
Table 32: EB8 Devices ...... 117
Table 33: PB1 Devices ...... 117
Table 34: PB2 Devices ...... 118
Table 35: PB3 Devices ...... 118
Table 36: PB4 Devices ...... 118
Table 37: PB5 Devices ...... 119
Table 38: PB6 Devices ...... 119
Table 39: PB7 Devices ...... 119
Table 40: PB8 Devices ...... 120
Table 41: PB9 Devices ...... 120
Table 42: ABT Devices ...... 120
Table 43: LAM1 Devices ...... 121
Table 44: LAM2 Devices ...... 121
Table 45: LAM3 Devices ...... 121
Table 46: SIL/THR Allocation to Sub Functions ...... 124
Table 47: EM Load Module SIL/THR ...... 132
Table 48: EM Pressure Generation Using Electronic Sub Function SIL/THR ...... 137
Table 49: EM Pressure Generation Using Electronic Sub Function SIL/THR ...... 143


2 INTRODUCTION

CONNECTA is part of the EU’s programme for research and innovation (R&I), Horizon 2020, which started in 2014 and will run until 2020. CTA will contribute to the "Smart, green and integrated transport" challenge, one of the 8 Societal Challenges identified under H2020 and reflecting the Union's "Europe 2020" strategy.

CONNECTA WP5 answers the S2R-IP1-CFM-02-2016 call under the Shift2Rail umbrella; WP5 belongs to the so-called Technical Demonstrator 1.5 (TD1.5) – Next Generation Brake System. This means that the project shall contribute to the overall goals of Shift2Rail, namely by: (1) cutting the life-cycle costs of railway transport by as much as 50%; (2) doubling railway capacity; (3) increasing reliability and punctuality by as much as 50%. It is part of a larger work programme described by the Multi-Annual Action Plan (MAAP), which will continue until 2022.

The objectives of CONNECTA Work Package 5 (WP5) set and declared in the Grant Agreement are: (1) performance improvement in safety relevant braking functions, resulting in optimisation of the braking distances in safety braking; (2) on-board system optimisation, reducing the number of sophisticated pneumatic components and improving overall LCC; (3) use of communication standards carrying high SIL related information, coordinated with other TCM WPs; (4) validation of non-railway EN standards to be used in railway safety related applications.

This Deliverable ‘System Brake Architecture’ will analyse the conventional brake systems from a functional point of view: a function breakdown structure (FBS) will be defined and described, and the correct SIL/THR will be allocated through safety analysis to each function. This part of the analysis will follow as much as possible the methodology set up in CTA WP1 Deliverable D1.1 ‘Workflow methodology’. The actual technical implementation of the functions will be analysed to identify the functions that can gain the greatest advantage from an implementation using high SIL electronic based systems.

A set of future brake system implementations using high SIL electronic sub-systems will then be proposed, with an indication of the advantages of the implementation, including the use of the future TCMS to substitute hardwired signals as well as the BCU communication protocols of current custom railway networks. A set of high level requirements for the future TCMS will be defined for the future brake system.


This will be the base for the brake sub system design that will be implemented in the next WP5 tasks.


3 ANALYSIS OF THE BRAKE SYSTEM

3.1 SCOPE OF SYSTEM BRAKES ARCHITECTURE REPORT

The requirement given by WP5 is to develop an electronic HW-SW architecture designed to manage the braking functions according to proper safety levels. To reach the above goal, WP5 "High Safety Level Electronic Solutions for Brake Control" first analyses and identifies the conventional safety functions of the pneumatic technologies that can be implemented by an electronic HW&SW control based system with an adequate safety integrity level (SIL). The procedure will then be:

 Identify safety relevant functions and sub-functions of the conventional brake system, currently implemented by means of pneumatic devices, that are suitable to be replaced by high safety integrity electronic based systems
 Define future brake system architectures using high SIL electronic based sub-systems

For the functional brake system analysis, the Workflow Methodology specified in WP1 D1.1 for the Next Generation TCMS will be used, taking into account the specificities of the brake system. The analysis steps are then:

1. Brake system overview
2. Definition of methods for functional and safety analysis
3. Functional analysis
4. Safety analysis
   a. Identification of hazards
   b. Allocation of THR and required SIL (where applicable) to brake system functions and sub-functions
5. Definition of future brake system architecture
   a. Abstraction from conventional brake system to future brake system architecture by replacing standard pneumatic components with high safety integrity pneumatronic or electronic equipment
   b. Identification of brake system safety functions performed by the high safety integrity pneumatronic or electronic equipment
   c. Identification of safety brake system functions to be implemented by TCMS
   d. Safety requirements (SIL/THR) allocated to the pneumatronic/electronic equipment
   e. Safety requirements (SIL/THR) allocated to TCMS

The analysis will consider EMUs (Electric Multiple Unit) used in the regional and metropolitan traffic and HST (High Speed Trains).


3.2 BRAKE SYSTEM OVERVIEW

The goal of this chapter is to describe the main references, give a general overview of the state of the art and describe the context in which the brake system is introduced; these are the basis for defining a method of analysis oriented to reaching the goals defined in the previous chapter.

3.2.1 Conventional brake system

Modern railway brake systems are the evolution of Westinghouse's air brake, patented in 1868, especially for the safety aspects inherent in that brake system, which are:

- Continuous: it should be operated by a single command position and operate simultaneously on all vehicles composing the train.

- Automatic: it must be automatically activated when continuity fails (fault of the command line or split of the train), without driver intervention. This assures that the train stops in case of train division into two parts due to a failure of the car coupling system.

- Inexhaustible: it must not lose braking power even after repeated braking and releasing (i.e. it shall not be possible to release the brake if it is not possible to brake again at full power).

- Adjustable: it must be possible to operate the system both in brake and release mode with an adjustable command.

The Westinghouse brake, fulfilling the above characteristics, is widely used in train brakes around the world; its main functionality was included in the UIC regulations (Fiche UIC 540 to UIC 547), which have been the relevant standard permitting brake safety standardisation and interoperability in Europe and in the major part of the world. To improve performance, over the last 30 years electronics have been widely used, especially for the so-called “service brake” control mode, with relevant advantages in:

- use of electric motor brake mixed with friction brake (“blending”), allowing the maximum use of regenerative braking, with energy saving, friction pair cost saving and reduction of pollution, making modern train brakes more environmentally friendly;
- faster brake application and release, with high accuracy of the braking force;
- easy brake operation for the driver;
- maintenance supported by on-board diagnostics;
- wheel protection and higher performance in low adhesion conditions (WSP system).

Electronics have been used to enhance the performance of the traditional UIC brake system by electronic control of the brake pipe pressure, or to replace the UIC brake system by a so-called electronically controlled Electro-Pneumatic Direct Brake.


The “safety” level of this electronically controlled EP direct brake system is anyway not enough to cover the above safety requirements of brake systems, so trains using electronic control still use, in parallel to the electronic control, the UIC – Westinghouse “Brake Pipe” concept to apply the emergency brake to the whole train (for example high speed trains running in different countries), or have an electro-pneumatic safety loop based emergency brake system with no electronics involved in the control (for a safety loop example on multiple units used in regional areas, see § 5.8.1 of EN 16185).

The brake pipe is in any case still needed for interoperability and for the rescue of faulty trains, and for this reason multiple units still need a coupling interface able to act as a UIC Brake Pipe based system for rescue in case of failure.

3.2.1.1 Types of brake

A brake system can involve different types of brakes used to generate brake forces:

- friction brake
  o (adhesion dependent),
  o tread brake (adhesion dependent),
- dynamic brakes
  o ED brake (adhesion dependent),
  o eddy current brake (adhesion independent),
- magnetic (adhesion independent),
- parking brake
  o hand brake (adhesion dependent),
  o spring brake (adhesion dependent).

It is not within the scope of this document to describe the above types of brakes. For a brief description and the related technical requirements, refer to the above standards. Specific standards are also available for single parts (distributor, relay valves, magnetic track brake, disc, …).

Each type of brake has its own control command and components, and interacts with the others depending on the use case.

The technical characteristics and safety level of each type of brake make it suitable for different functions.


3.2.2 Context of the Braking System For clarification of the brake system context, SysML Context Diagram can be used (see Figure 1: Context Diagram of the Braking System).

It shows nearly all the actors and systems which are interacting with brake system on a train.

Figure 1: Context Diagram of the Braking System

The air generation and distribution system provides the energy to generate the braking force. In this document it is considered a system external to the brake system, even if it is not represented in the above Figure. The passenger alarm system is also considered an external technical system, but is not represented above. The users and external technical systems are considered the “actors” interacting with the brake system.


3.3 DEFINITION OF METHODS FOR FUNCTIONAL AND SAFETY ANALYSIS The functional and safety analysis methods definition is based on the integration of WP5 works inside the general process used by CONNECTA to manage the requirements for next generation of safe TCMS.

The two reference documents regarding the CONNECTA process are:

- CTA-T1.1-D-DBA-009-05 - D1.1 – Workflow methodology

- CTA-T1.1-T-BTD-002-03 – Use Case and System Hierarchy

3.3.1 Method for Functional analysis The functional analysis is the first view in the top down method, as represented in the Abstraction level diagram in SysML Context Diagram of CTA-T1.1-T-BTD-002-03 – Use Case and System Hierarchy:

Figure 2: Hierarchy

According to the above definition in § 1, a system function is an “end-to-end function spanning from one point at the system border to another point of the system border”, which means that the system functions shall be identified as the functions connecting the different actors represented in § 3.2.2 by functional requirements.

The functional requirements in this document will be taken from European Commission Regulation 1302/2014 (TSI Loc&Pas), which currently represents the mandatory requirements for the rolling stock subsystem of the rail system in the European Union.


In the next stage of WP5 process the requirements can be further populated by new requirements, coming from use cases analysis or by existing requirements part of already existing European standards about brake system (EN16185-1, EN15734-1, EN13452-1, EN14198).

The functional requirements are of course related to the EPICS described in CTA WP1 document D1.1 Workflow Methodology, chapter 3, so the related EPICS will be identified as well.

The analysis, starting from the types of brakes and the context, and considering the high level TSI functional requirements and the WP5 participants' experience, will first identify the system functions, defining the inputs from any actor or system, what the system does with the input, and the output to actors and systems.

For the main system functions, use cases of the conventional brake system will then be described; together with the WP5 participants' know-how, these help in the further decomposition of the system functions into the sub-functions used in the conventional brake system, which will be described evidencing actors, relations and functional requirements.

Once all functions and sub-functions are described, the analysis will approach the logical and technical view, describing a general architecture (logical view) of the conventional system, in order to identify the devices (technical view) used today to implement the identified functions and sub-functions.

The further step, developed in § 3.6, is the study of possible future brake system architectures, with the identification of new high safety integrity pneumatronic or electronic equipment which, in the new architecture, can replace existing pneumatic or electro-pneumatic devices to perform safety related brake sub-functions. According to the above, the functional analysis will be split into the following steps:

 Selection, out of the list of D1.1 EPICS, of those appropriate to a brake system
 Definition of system functions
 Operational analysis, finding all relevant use cases of a conventional brake system
 Identification and description of brake system sub-functions by use cases of the conventional brake system
 Identification of devices implementing the brake system sub-functions on conventional trains
 Abstraction from conventional brake system to future brake system architecture by replacing standard pneumatic components with high safety integrity pneumatronic or electronic equipment
 Identification of brake system safety functions performed by the high safety integrity pneumatronic or electronic equipment


3.3.2 Methods for Safety analysis

3.3.2.1 Applicable safety standards The aim of this section is to clarify which relevant Safety Standards should be used along CONNECTA’s Work Package 5 (WP5).

This section summarizes the most important Safety Standards used nowadays in the railway industry, which could be useful along the CONNECTA WP5.

The applicable version of the standards mentioned below is the one currently in force. Some of these standards are undergoing a deep review by the CENELEC community and a new release may be issued within the course of this project. As soon as these new versions will be available, their retro-active applicability to this project will be evaluated by the entire CONNECTA team.

3.3.2.1.1 IEC 61508-X Developed by the International Electrotechnical Commission (IEC), which is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields.

The IEC 61508 series are the International Standards for electrical, electronic and programmable electronic safety-related systems. It supports the assessment of risks in order to minimise failures in all Electrical/Electronic/Programmable Electronic (E/E/PE) safety-related systems, irrespective of where and how they are used.

IEC 61508 sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL). Four SILs are defined according to the risks involved in the system application, with SIL4 being used to protect against the highest risks.
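The SIL of a function is tied to the hazard rate it must achieve, and in the safety analysis of § 3.5 the SIL/THR of a system function has to be apportioned to the sub-functions that implement it. The following Python code is an added example, not the report's own allocation and not code from CONNECTA: it splits a system-function THR across sub-functions whose independent failure each leads to the hazard (so the sub-function rates add up), checks that the allocation stays within the budget, and maps each share to a SIL. The THR bands are an assumption taken from EN 50129 (per hour and per function); the sub-function names, weights and the system THR are constructed for the example.

```python
"""Added illustration: THR apportionment to sub-functions and mapping to SIL.
Not the report's own allocation; the THR bands are assumed from EN 50129, the
sub-function names and rates are constructed for the example."""
import math

# (SIL, lower bound inclusive, upper bound exclusive), failures per hour per function.
SIL_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for_thr(thr: float) -> int:
    """SIL whose THR band contains the given rate; 0 means no SIL is required.
    Rates below 1e-9/h still map to SIL 4, the highest level the standard defines."""
    if thr < 1e-9:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= thr < high:
            return sil
    return 0


def apportion_thr(system_thr: float, weights: dict) -> dict:
    """Split a system-function THR among sub-functions whose independent failure each
    leads to the hazard (an OR combination), so the sub-function rates add up to the
    budget. `weights` gives each sub-function's share of that budget."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return {name: system_thr * w / total for name, w in weights.items()}


def aggregate_thr(sub_thrs: dict) -> float:
    """Hazard rate of the system function when any sub-function failure causes the hazard."""
    return sum(sub_thrs.values())


def allocate(system_thr: float, weights: dict) -> dict:
    """(THR, SIL) per sub-function, with a check that the allocation stays within budget."""
    sub_thrs = apportion_thr(system_thr, weights)
    total = aggregate_thr(sub_thrs)
    if total > system_thr and not math.isclose(total, system_thr):
        raise ValueError("apportioned rates exceed the system THR")
    return {name: (thr, sil_for_thr(thr)) for name, thr in sub_thrs.items()}


if __name__ == "__main__":
    # Constructed example: an emergency-brake system function with THR 2e-8/h (SIL 3
    # band) split over three hypothetical sub-functions.
    shares = {"EB command": 1, "EB load compensation": 1, "EB pressure generation": 3}
    for name, (thr, sil) in allocate(2e-8, shares).items():
        print(f"{name:24s} THR {thr:.1e}/h  -> SIL {sil}")
```

Note that the sub-functions receiving the smaller shares of the budget end up one SIL higher than the system function itself, which is the usual consequence of an OR-type apportionment; where a hazard requires several sub-functions to fail together, the rates do not add and a different combination rule applies.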

The International Standard is used by a wide range of manufacturers, system builders, designers and suppliers of components and subsystems and serves as the basis for conformity assessment and certification services. Safety system managers use it as a basis for carrying out assessments of safety lifecycle activities. The Standard is also used by many IEC TCs (Technical Committees) while preparing their own sector or product specific International Standards that have E/E/PE safety-related systems within their scope. Those include for example International Standards for the nuclear sector, for machinery and for power drive systems to mention just a few.


The IEC 61508 consists of seven parts, which are defined in the following table:

Code | Revision Date | Description
IEC 61508-1 | 2010 | Part 1: General requirements
IEC 61508-2 | 2010 | Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3 | 2010 | Part 3: Software requirements
IEC 61508-4 | 2010 | Part 4: Definitions and abbreviations
IEC 61508-5 | 2010 | Part 5: Examples of methods for the determination of safety integrity levels
IEC 61508-6 | 2010 | Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
IEC 61508-7 | 2010 | Part 7: Overview of techniques and measures

Table 4: IEC 61508 parts

3.3.2.1.2 EN 50126-X This European Standard was prepared by the Technical Committee CENELEC TC 9X, Electrical and electronic applications in railways. It provides Railway Authorities and the railway industry, throughout the European Union, with a process which will enable the implementation of a consistent approach to the management of Reliability, Availability, Maintainability and Safety (RAMS).

This European Standard can be applied systematically by a railway authority and railway support industry, throughout all phases of the lifecycle of a railway application, to develop railway specific RAMS requirements and to achieve compliance with these requirements. This standard provides baseline information on the subject of RAMS and RAMS engineering.

For what concerns the Safety, the EN 50126 consists of two parts, which are defined in the following table:

Code | Revision Date | Description
EN 50126-1 | 1999 | Part 1: Basic requirements and generic process
EN 50126-2 | 2007 | Part 2: Guide to the application of EN 50126-1 for Safety

Table 5: EN50126 parts


3.3.2.1.3 EN 50128 This European Standard was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

This European Standard is part of a group of related standards. The others are EN 50126-1:1999 and EN 50129:2003. EN 50126-1 addresses system issues on the widest scale, while EN 50129 addresses the approval process for individual systems which can exist within the overall railway control and protection system. This European Standard concentrates on the methods which need to be used in order to provide software which meets the demands for safety integrity which are placed upon it by these wider considerations.

The EN 50128 consists of one part, which is defined in the following table:

Code | Revision Date | Description
EN 50128 | 2011 | Software for railway control and protection systems

Table 6: EN50128 parts

3.3.2.1.4 EN 50129 This European Standard was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

This document is the first European Standard defining requirements for the acceptance and approval of safety-related electronic systems in the railway signalling field. Safety-related electronic systems for signalling include hardware and software aspects. To install complete safety-related systems, both parts within the whole life-cycle of the system have to be taken into account. The requirements for safety-related hardware and for the overall system are defined in this standard.

Moreover, this standard is the common European base for safety acceptance and approval of electronic systems for railway signalling applications.

The EN 50129 consists of one part, which is defined in the following table:

Code | Revision Date | Description
EN 50129 | 2003 | Safety related electronic systems for signalling

Table 7: EN50129 parts


3.3.2.1.5 EN 50159

This European Standard is applicable to safety-related electronic systems using for digital communication purposes a transmission system which was not necessarily designed for safety-related applications and which is

- under the control of the designer and fixed during the lifetime, or

- partly unknown or not fixed, however unauthorised access can be excluded, or

- not under the control of the designer, and also unauthorised access has to be considered.

Both safety-related equipment and non-safety-related equipment can be connected to the transmission system. This standard gives the basic requirements needed to achieve safety-related communication between safety-related equipment connected to the transmission system.

The EN 50159 consists of one part which is defined in the following table:

Code     | Revision Date | Description
EN 50159 | 2010          | Safety-related communication in transmission systems

Table 8: EN50159 parts

3.3.2.1.6 ADDITIONAL STANDARDS

The previously defined standards comprise the most important safety standards used nowadays in the European railway industry. Moreover, some other standards could be helpful along this Work Package, as listed below:

- EU Regulation No. 402-2013 of 30 April 2013 on the common safety method for risk evaluation and assessment, amended by the Directive 1136/2015 of 13 July 2015;

- EU Regulation No. 1302/2014 of 18 November 2014 concerning a technical specification for interoperability relating to the ‘rolling stock — locomotives and passenger rolling stock’ subsystem of the rail system in the European Union (also known as TSI LOC&PAS 2014);

- EN 13452-1 (2003) and EN 13452-2 (2003);

- EN 15734-1 "Railway applications - Braking systems of high speed trains - Part 1: Requirements and definitions", November 2010;

- EN 16185-1 "Railway applications - Braking systems of multiple unit trains - Part 1: Requirements and definitions", December 2014;

- EN 14198-1 "Requirements for the brake system of trains hauled by a locomotive".


3.3.2.2 Definition of the method used for safety allocation analysis

The management of hazards for the Brake System in the scope of this project will be performed following the recommendations of EU Regulation 402/2013, as summarized in the following scheme.

Figure 3: Hazards management process as per EU regulation 402/2013


Whenever the “explicit risk estimation” principle is used for the acceptance of the risk, the ALARP methodology described in EN 50126 will be applied, comprising the following phases:

- Risk Analysis = evaluation of the frequency and severity of any hazardous event in order to calculate the corresponding risk, using the categories provided in EN 50126 and summarized below:

Category | Description | Definition | Frequency*
F | Incredible | Extremely unlikely to occur. It can be assumed that [...] | [...]
[The remaining rows of this table did not survive extraction; recovered fragments: "E-3 ev/h", "continually experienced".]

Table 9: Frequency Categories.

* the quantitative assessment of each category is not specified in the EN 50126, but is based on FTI experience

Category | Severity | Consequence to Persons or Environment | Consequence to Service
4 | Catastrophic | Fatalities and/or multiple severe injuries and/or major damage to the environment. | 
3 | Critical | Single fatality and/or severe injury and/or significant damage to the environment. | Loss of a major system
2 | Marginal | Minor injury and/or significant threat to the environment. | Severe system(s) damage
1 | Insignificant | Possible minor injury. | Minor system damage

Table 10: Severity Classes.


- Risk Assessment = evaluation of the acceptability of the risk, based on a given criterion, and of the countermeasures to be implemented in case the risk is assessed as unacceptable, using the risk acceptability matrix provided in EN 50126 and summarized below:

RISK ACCEPTABILITY MATRIX

Frequency \ Severity | Insignificant (1) | Marginal (2) | Critical (3) | Catastrophic (4)
Frequent (A) | Undesirable | Intolerable | Intolerable | Intolerable
Probable (B) | Tolerable | Undesirable | Intolerable | Intolerable
Occasional (C) | Tolerable | Undesirable | Undesirable | Intolerable
Remote (D) | Negligible | Tolerable | Undesirable | Undesirable
Improbable (E) | Negligible | Negligible | Tolerable | Tolerable
Incredible (F) | Negligible | Negligible | Negligible | Negligible

Table 11: Acceptability Matrix

RISK DEFINITION

Risk Category | Risk evaluation | Risk reduction / control
IV | intolerable | Shall be eliminated.
III | undesirable | Shall only be accepted when risk reduction is impracticable and with the agreement of the Railway Authority
II | tolerable | Acceptable with adequate control and the agreement of the Railway Authority
I | negligible | Accepted by the Railway Authority.

Table 12: Risks Definitions

Once a preliminary hazard analysis has been performed and the brake system safety-related functions have been identified, the SIL and THR required for each function will be identified by means of the approach defined in EN 50129 and summarized in the scheme below. The list of hazards analysed in the preliminary hazard analysis will be based mainly on the TSI Loc&Pas, EN 16185-1 and EN 15734-1 hazards, as well as on the experience of the CTA WP5 partners. Basically, starting from the THR associated with a given hazardous event in the hazard analysis, the functions participating in this hazard are allocated the proper THR (through Fault Tree Analysis or other equivalent analyses), and the corresponding SIL is determined by using the SIL table of EN 50129 that links THR and SIL. As recommended by EN 50126-2, the SIL identified for a given safety-related function should not be further allocated to the sub-systems/equipment involved. This means that any SW or HW electronics participating in a safety-related function with a specified SIL should be designed to fulfil the same SIL.


On the other hand, taking into consideration the system architecture and the independence assumptions, the THR can be further allocated to the sub-systems and components involved in the safety-related functions, as shown in the scheme below.

Figure 4: Safety allocation process as per EN 50129
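The following is an added worked example, not code from the CTA deliverable: it encodes the acceptability matrix and risk definitions of Tables 11 and 12, maps a THR to a SIL with the THR bands of EN 50129 Table A.1, and budgets a hazard THR between the functions participating in it (OR gate, rates add). The hazard name, the THR of 1e-8/h and the 20/80 split are constructed illustrative values.

```python
"""Constructed worked example (not from the CTA deliverable): risk classification with
the EN 50126 acceptability matrix (Tables 11 and 12) and THR-to-SIL allocation per
EN 50129 for the functions participating in one hazard."""
from typing import Dict, List, Tuple

# Table 11 (risk acceptability matrix): frequency category -> evaluation per severity 1..4
ACCEPTABILITY: Dict[str, List[str]] = {
    "A": ["Undesirable", "Intolerable", "Intolerable", "Intolerable"],  # Frequent
    "B": ["Tolerable", "Undesirable", "Intolerable", "Intolerable"],    # Probable
    "C": ["Tolerable", "Undesirable", "Undesirable", "Intolerable"],    # Occasional
    "D": ["Negligible", "Tolerable", "Undesirable", "Undesirable"],     # Remote
    "E": ["Negligible", "Negligible", "Tolerable", "Tolerable"],        # Improbable
    "F": ["Negligible", "Negligible", "Negligible", "Negligible"],      # Incredible
}

# Table 12 (risk definitions): evaluation -> (risk category, required reduction/control)
RISK_DEFINITION: Dict[str, Tuple[str, str]] = {
    "Intolerable": ("IV", "Shall be eliminated."),
    "Undesirable": ("III", "Shall only be accepted when risk reduction is impracticable "
                           "and with the agreement of the Railway Authority."),
    "Tolerable": ("II", "Acceptable with adequate control and the agreement of the "
                        "Railway Authority."),
    "Negligible": ("I", "Accepted by the Railway Authority."),
}


def evaluate_risk(frequency: str, severity: int) -> Tuple[str, str, str]:
    """Classify one hazardous event: returns (evaluation, risk category, required action)."""
    if frequency not in ACCEPTABILITY or severity not in (1, 2, 3, 4):
        raise ValueError(f"unknown frequency {frequency!r} or severity {severity!r}")
    evaluation = ACCEPTABILITY[frequency][severity - 1]
    category, action = RISK_DEFINITION[evaluation]
    return evaluation, category, action


# EN 50129 Table A.1: tolerable hazard rate band (per hour, per safety function) -> SIL
SIL_BANDS: List[Tuple[float, float, int]] = [
    (1e-9, 1e-8, 4),
    (1e-8, 1e-7, 3),
    (1e-7, 1e-6, 2),
    (1e-6, 1e-5, 1),
]


def sil_from_thr(thr: float) -> int:
    """Map a THR (dangerous failures per hour) to the SIL of EN 50129 Table A.1.

    Rates at or above 1e-5/h are outside the table and get no SIL here (returned as 0).
    Rates below 1e-9/h cannot be claimed for a single function and are rejected."""
    if thr < 1e-9:
        raise ValueError("THR below 1e-9/h is outside EN 50129 Table A.1 for one function")
    for low, high, sil in SIL_BANDS:
        if low <= thr < high:
            return sil
    return 0


def allocate_thr(hazard_thr: float, shares: Dict[str, float]) -> Dict[str, Tuple[float, int]]:
    """Allocate a hazard THR to the functions participating in it.

    Simple OR gate: any single function failure causes the hazard, so the function rates
    add up to the hazard rate. `shares` maps function name -> fraction of the budget and
    must sum to 1. Returns function name -> (allocated THR, SIL). Per EN 50126-2 the SIL
    found for a function applies to all HW/SW electronics taking part in it."""
    total = sum(shares.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"shares must sum to 1, got {total}")
    allocation: Dict[str, Tuple[float, int]] = {}
    for name, share in shares.items():
        if share <= 0:
            raise ValueError(f"share of {name!r} must be positive")
        function_thr = hazard_thr * share
        allocation[name] = (function_thr, sil_from_thr(function_thr))
    return allocation


def worked_example() -> Dict[str, Tuple[float, int]]:
    """Constructed data: hazard 'emergency brake not applied on demand', rated occasional
    (C) and catastrophic (4) in the PHA, then budgeted between two participating
    functions. Both illustrative function names and the 1e-8/h THR are assumptions."""
    evaluation, category, _ = evaluate_risk("C", 4)
    if evaluation != "Intolerable":
        raise RuntimeError(f"unexpected evaluation {evaluation} ({category})")
    return allocate_thr(1e-8, {"EB command acquisition": 0.2, "EB force generation": 0.8})


if __name__ == "__main__":
    for name, (thr, sil) in worked_example().items():
        print(f"{name}: THR {thr:.1e}/h -> SIL {sil}")
```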


3.4 FUNCTIONAL ANALYSIS

3.4.1 Epics

Among the EPICS list in D1.1 Workflow methodology, the ones referring to the brake system are the following:

- E.1 Move Vehicle
- E.2 Detect emergencies
- E.3 Monitor vehicle
- E.4 Create vehicle arrangements
- E.5 Maintain vehicle

3.4.2 System functions

The Brake System Functions are identified and described here. The identification of the system functions is done taking into account the brake know-how of the CTA WP5 participant companies and the TSI requirements. The TSI defines the purpose of the brake system as follows:

TSI §4.2.4.1 (1): “The purpose of the train braking system is to ensure that the train's speed can be reduced or maintained on a slope, or that the train can be stopped within the maximum allowable braking distance. Braking also ensures the immobilisation of a train.”

The above definition indicates the main brake system functions and their goal. The TSI defines the following control modes for these functions:

TSI §4.2.4.2.1 (13): “The unit braking control system shall have three control modes:

- Emergency brake: application (and release) of a predefined brake force in a predefined maximum response time in order to stop the train with a defined level of brake performance.

- Service brake: application (and release) of an adjustable brake force in order to control the speed of the train, including stop and temporary immobilisation.

- Parking brake: application (and release) of a brake force to maintain the train (or the vehicle) in permanent immobilisation in a stationary position, without any available energy on board.”


The input to the brake system to realize the above functions can come from the following actors:

- ATP On Board Unit
- ETCS On Board Unit
- TCMS
- Passenger Alarm System
- Driver
- Vigilance Control On Board Unit
- Brake Test Operator
- Preparation service staff
- Maintenance staff

The brake system output of the above functions is always the application of retardation forces. This is done through the interface with two external technical systems:

- Wheel Set (the wheelset then transmits the force to the railway track)
- Railway Track

The difference between the two interfaces is the type of retarding force:

- the forces applied to the wheelset are transmitted to the track through the contact point between the wheel and the rail, and are therefore limited by the available adhesion, which depends on the environmental conditions;
- the forces applied directly to the track are instead independent of the available adhesion.

In addition to these three main system functions, additional system functions have been identified based on the performance of the brake system and on operational aspects.

The TSI states the factors influencing performance: TSI §4.2.4.1 (1): “The primary factors that influence the braking performance are the braking power (braking force production), the train mass, the train rolling resistance, the speed, the available adhesion.”

The braking force production (service, emergency, parking brake forces) is the primary factor influencing brake performance. From a safety point of view, the brake system function test therefore becomes an important function to guarantee that during operation the train can be stopped within the maximum allowable braking distance or can be immobilized properly. The TSI, at § 4.2.4.9 (1), also states: “Information available to train staff shall allow the identification of degraded conditions concerning the rolling stock (brake performance lower than the performance required), for which specific operating rules apply.” According to the above, a further system function identified is the Automatic Brake Test, whose input (test request) can come from the following actors:

- Driver
- Brake test operator
- ATP/ETCS
- TCMS


The output goes to the same actors, through the diagnostic system, the Driver HMI and the TCMS itself.

The influence of adhesion on the application of the braking forces introduces further aspects to be taken into consideration when defining the system functions: the reaction to loss of adhesion, the improvement of adhesion (sanding), and the monitoring of the axle protection status (and of axle blocking). Therefore a further system function identified is Low Adhesion Management, whose input comes from the actors:

- Wheelset
- Tracks
- Environmental condition

The output is again the wheelset, through proper modulation of the retarding force to minimize the effect of sliding on braking performance.

The last system function identified is more operational and linked to the brake system configuration. When the train is switched on, the brake system shall be able to recognize the train configuration and become operative. The brake system shall also be able to brake the train with the brake command in degraded condition (such as a failure of the service brake command), to allow the train to move or to be towed. Therefore a further system function identified is Brake System Management, which is in charge of managing the initialization of the brake system at train switch-on or after coupling/uncoupling, and of managing the operative mode of the brake system (nominal condition, degraded condition, towing). The input for this function comes from:

- Electrical energy supply
- TCMS
- Driver

The output is the brake system itself, the TCMS and the driver.


In summary, the system functions identified are the following:

1. BSM - Brake System Management

Brake System Management is the system function with the following goal:

- to manage the Brake System initialization and configuration at train power-up or coupling/uncoupling, and to manage the operative mode of the Brake System during operation.

2. SB - Service Brake

Service brake is the system function used by the driver and technical systems (actors) to apply an adjustable retarding force to the track (directly or through the wheelset) with the following goals:

- Reduce the speed of the train

- Maintain the speed of the train on a slope

- Immobilize the train temporarily at standstill on a certain slope.

Note: on conventional trains, direct force application on the track is generally not used in service brake.

3. EB - Emergency Brake

Emergency brake is the system function used by the driver and technical systems (actors) to apply a predefined retarding force to the track (directly or through the wheelset), with the following goal:

- to stop the train within a predetermined distance, in line with the guaranteed performance considered by the signalling system model.

4. PB - Parking Brake

Parking brake is the system function used by the driver and technical systems (actors) to apply a retarding force to the track (directly or through the wheelset), with the following goal:

- to keep the train stationary for an indeterminate period of time, at a certain load condition, on a certain slope and without energy available on board.

Note: Parking brake systems that apply only in automatic mode are used on conventional trains in some countries (i.e. France), but as they are fully managed by mechanical devices (X-valve and brake reservoir), without any functional aspect managed by electric/electronic devices, they are considered not relevant for the objective of this document.


5. ABT - Automatic Brake Test

Automatic brake test is the system function used by the driver and technical systems (actors) to check the functionalities of the brake functions with the following goal:

- to receive reliable information about the available brake performance of the train and the integrity of the brake system.

The automatic brake test runs and is controlled automatically, but certain devices (master controller, driver’s brake valve, emergency push buttons) cannot be operated in automatic mode. For this reason, it also includes a test which is not automatic but needs an operator (driver or brake test operator) operating the devices. It shall be possible to run partial tests only, checking single functions, for maintenance purposes or for a limited test requested of the driver in certain conditions (change of direction, etc.). Dynamic brakes of course cannot be fully tested at standstill; their availability is permanently monitored during running.

6. LAM – Low Adhesion Management

Low adhesion management is the system function with the following goal:

- to maximize the train brake performance in case of reduced adhesion of the rail, which can induce sliding of the wheelset on the track.

This function provides both protection against sliding and an increase of the available adhesion between wheelset and track in low adhesion conditions.


3.4.3 Use cases of conventional brake system

3.4.3.1 Use Cases of the Train System

This is the top-level view, which shows the use cases on train level with the actors Driver and Technical System in relation to the system Train. It also shows the dependency from the use cases on train level to the use cases of the brake system. Additionally, there is a link from the use cases of the brake system to the System Functions (SF) of braking, which are described in the following use case diagrams.

Figure 5: Use Case Train System


3.4.3.2 Use Case Emergency Brake

Figure 6: Use Case Emergency Brake


3.4.3.3 Use Case Description Emergency Braking

Use Case: Apply Emergency Brake by Driver's Brake Valve for stopping the train
ID: EMB1
Actor: Driver
Goal: G_EMB1: Stop the train in case of an emergency situation detected by the driver
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The Emergency Brake is the means to stop a train in any situation, and therefore it is the most safety critical function and contributes to the safety level of the railway system.
Precondition: Driver is in the cab; train is moving; a critical condition that requires an emergency brake is present; integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes the critical condition and puts the Driver's Brake Valve (BMC) to the Emergency Brake position.
2. The EMB system decelerates and stops the train and shows that the complete brake pipe pressure is decreasing down to 2,8 [bar]. The brake cylinder pressure is increasing up to the train-specific emergency brake level.
3. Driver recognizes the deceleration and monitors the decrease of the complete brake pipe pressure as well as the increase of the brake cylinder pressure.
Post condition: Driver is in the cab; train is not moving.
Things that can go wrong:
Already implemented risk reduction measures: At least two independent emergency brake command devices are available; Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.

Use Case: Apply Emergency Brake by Master Controller for stopping the train
ID: EMB2
Actor: Driver
Goal: G_EMB2: Stop the train in case of an emergency situation detected by the driver
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The Emergency Brake is the means to stop a train in any situation, and therefore it is the most safety critical function and contributes to the safety level of the railway system.
Precondition: Driver is in the cab; train is driving, braking or coasting; integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes the critical condition and puts the Master Controller (BMC) to the Emergency Brake position.
2. The EMB system stops the train and shows that the complete Safety Loop is de-energized and the brake cylinder pressure is increasing up to the train-specific emergency brake level.
3. Driver recognizes the deceleration and monitors the opening of the Safety Loop as well as the increase of the brake cylinder pressure.
Post condition: Driver is in the cab; train is at standstill.
Things that can go wrong:
Already implemented risk reduction measures: At least two independent emergency brake command devices are available; Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


Use Case: Apply Emergency Brake by Push Button for stopping the train
ID: EMB3
Actor: Driver
Goal: G_EMB3: Stop the train in case of an emergency situation detected by the driver
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The Emergency Brake is the means to stop a train in any situation, and therefore it is the most safety critical function and contributes to the safety level of the railway system.
Precondition: Driver is in the cab; train is driving, braking or coasting; integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes the critical condition and puts the Push Button (BMC) to the Emergency Brake position.
2. The EMB system stops the train and shows that the complete brake pipe pressure is decreasing down to 2,8 [bar] and the brake cylinder pressure is increasing up to the train-specific emergency brake level.
3. Driver recognizes the deceleration and monitors the decrease of the complete brake pipe pressure as well as the increase of the brake cylinder pressure.
Post condition: Driver is in the cab; train is at standstill.
Things that can go wrong:
Already implemented risk reduction measures: At least two independent emergency brake command devices are available; Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.

Use Case: Apply Emergency Brake by Passenger Emergency Handle for stopping the train
ID: EMB4
Actor: Passenger
Goal: G_EMB4: In case of an emergency situation, the passenger wants to inform the driver or stop the train.
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The Emergency Brake is the means to stop a train in any situation, and therefore it is the most safety critical function and contributes to the safety level of the railway system.
Precondition: Driver is in the cab; train is driving, braking, coasting or at standstill; integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Passenger recognizes the critical condition and puts the Passenger Emergency Handle (PAS) to the Emergency position.
2. The Passenger Alarm System (PAS) receives the Passenger Alarm Signal and informs the driver about the emergency situation.
3. Driver acknowledges the Passenger Alarm and thus activates the Emergency Brake Application. In case the driver omits the acknowledgement, the Passenger Alarm System (PAS) activates the Emergency Brake Application.
4. The train decelerates and stops.
Post condition: Driver is in the cab; train is driving, braking, coasting at speed or braking at standstill.
Things that can go wrong:
Already implemented risk reduction measures: Regular test of the Passenger Alarm System (PAS).
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


Use Case: Apply Penalty Brake by Technical System
ID: EMB5
Actor: The Technical System represents the ATP On Board Unit (ATO), ETCS On Board Unit (ETCS), Vigilance Control (VIC), Emergency Overdrive (EBO) and Parking Brake (PBC).
Goal: G_EMB5: Stop the train in case of an emergency situation detected by the Technical System.
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The Emergency Brake is the means to stop a train in any situation, and therefore it is the most safety critical function and contributes to the safety level of the railway system.
Precondition: Driver is in the cab; train is driving, braking or coasting; integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. The Technical System recognizes the critical condition and activates the Emergency Brake Application.
2. The EMB system decelerates and stops the train and shows that the complete brake pipe pressure is decreasing down to 2,8 [bar] or the complete Safety Loop is de-energized. The brake cylinder pressure is increasing up to the train-specific emergency brake level.
3. Driver recognizes the activation of the Emergency Brake System and monitors the deceleration and the decrease of the brake pipe pressure or the opening of the Safety Loop, as well as the increase of the brake cylinder pressure.
Post condition: Driver is in the cab; train is at standstill.
Things that can go wrong:
Already implemented risk reduction measures: Special test for each Technical System to test its interface to the Brake System.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


Use Case: Release Emergency Brake by Driver's Brake Valve
ID: EMB6
Actor: Driver
Goal: G_EMB6: Release of the Emergency Brake System by the driver in case the EMB is applied while driving even though it is less risky to continue driving
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The release of the Emergency Brake is safety critical in the scenario of fire in a tunnel or on a bridge and contributes to the safety level of the railway system.
Precondition:
- Driver is in the cab;
- train is braking with EMB due to the applied Brake Valve;
- the driver (by the Driver's Brake Valve), the Passenger Alarm System or a Technical System has activated the Emergency Brake Application;
- no condition that requires an Emergency Brake Application remains, or it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge);
- integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes that no critical condition remains, or that it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge), and puts the Driver's Brake Valve (BMC) to the Release position.
2. The EMB system stops decelerating the train and shows that the complete brake pipe pressure is increasing up to 5,0 [bar]. The brake cylinder pressure is decreasing down to the release pressure < 0,5 bar.
3. Driver recognizes the end of the deceleration and monitors the increase of the complete brake pipe pressure as well as the decrease of the brake cylinder pressure.
Post condition: Driver is in the cab; train continues driving.
Things that can go wrong:
Already implemented risk reduction measures: Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


Use Case: Release Emergency Brake by Master Controller
ID: EMB7
Actor: Driver
Goal: G_EMB7: Release of the Emergency Brake System by the driver
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The release of the Emergency Brake is safety critical in the scenario of fire in a tunnel or on a bridge and contributes to the safety level of the railway system.
Precondition:
- Driver is in the cab;
- train is braking with EMB due to the applied Master Controller;
- the driver (by the Master Controller), the Passenger Alarm System or a Technical System has activated the Emergency Brake Application;
- no condition that requires an Emergency Brake Application remains, or it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge);
- integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes that no critical condition remains, or that it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge), and puts the Master Controller (BMC) to the Release position.
2. The EMB system stops decelerating the train and shows that the complete Safety Loop is energized (closed) and the brake cylinder pressure is decreasing down to the release pressure < 0,5 bar.
3. Driver recognizes the end of the deceleration and monitors the closing of the Safety Loop as well as the decrease of the brake cylinder pressure.
Post condition: Driver is in the cab; train continues driving.
Things that can go wrong:
Already implemented risk reduction measures: Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


Use Case: Release Emergency Brake by Push Button
ID: EMB8
Actor: Driver
Goal: G_EMB8: Release of the Emergency Brake System by the driver
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious harm to persons and the environment. The release of the Emergency Brake is safety critical in the scenario of fire in a tunnel or on a bridge and contributes to the safety level of the railway system.
Precondition:
- Driver is in the cab;
- train is driving, braking, coasting at speed or braking at standstill;
- the driver (by the Push Button), the Passenger Alarm System or a Technical System has activated the Emergency Brake Application;
- no condition that requires an Emergency Brake Application remains, or it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge);
- integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver recognizes that no critical condition remains, or that it is too dangerous to stop the train in this scenario (fire in tunnel or on bridge), and puts the Push Button (BMC) to the Release position.
2. The EMB system stops decelerating the train and shows that the complete brake pipe pressure is increasing up to 5,0 [bar]. The brake cylinder pressure is decreasing down to the release pressure < 0,5 bar.
3. Driver recognizes the end of the deceleration and monitors the increase of the complete brake pipe pressure as well as the decrease of the brake cylinder pressure.
Post condition: Driver is in the cab; train is driving, braking, coasting at speed or braking at standstill.
Things that can go wrong:
Already implemented risk reduction measures: Full Brake Test (FBT) and Basic Brake Test (BBT) test the emergency brake command devices.
Observations: Status information and online diagnostic events are shown on the Driver’s Display.


3.4.3.4 Use Case Diagram Parking Braking

Figure 7: Use Case Parking Braking


3.4.3.5 Use Case Description Parking Braking

Use Case: Apply PB by Push Button
ID: PB1
Actor: Driver
Goal: G_PB1: Application of a predefined braking force to maintain the train in permanent immobilization in a stationary position, without any available energy on board.
Safety relation: The use case is inherently safety critical, as non-achievement of the goal can result in serious damage to persons and environment.
Precondition: Train is at standstill; Service Brake applied; driver operates the train from the active cab; train is supplied with electrical energy.
Flow of events:
1. Driver triggers the Push Button “PB apply”.
2. The PB system transmits the command to all local Parking Brake units.
3. The Parking Brake system starts applying the Parking Brake force and indicates the status “applying” the Parking Brake (“blinking light” = intermediate status).
4. Driver recognizes the PB status indication.
5. After all parking brake units have applied, the PB system indicates the status “parking brake applied”.
6. Driver recognizes the visual indication of the PB status and leaves the cab.
Post condition: Parking brake applied; train at standstill; driver does not operate the train.
Things that can go wrong:
- TTCGW1.1. Parking brake status erroneously indicates “parking brake applied” when the parking brake is not applied (not all parking brake units applied).
- TTCGW1.2. Parking Brake system indicates “parking brake not applied” when the parking brakes are applied.
- TTCGW1.3. Applied braking force is not sufficient, especially in terrain with gradient.
- TTCGW1.4. Signal transmission faulty or defective.
Already implemented risk reduction measures: Indication of PB status information to the driver.
Observations: The PB command is sent to the local units via electrical train lines.


Use Case: Release PB by Push Button
ID: PB2
Actor: Driver
Goal: G_PB2: Release of an applied Parking Brake in order to enable the mobility of the train.
Safety relation: The use case is not inherently safety critical, but when the Parking Brake system is not completely released there is the possibility of fire during the driving phase.
Precondition: Train is at standstill; Parking Brake applied; train is not supplied with electrical power.
Flow of events:
1. Driver activates the cab (and the power supply of the train).
2. After powering up the train, the Driver triggers the Push Button "Release PB".
3. The PB System indicates the status "releasing" of the Parking Brake (blinking light = intermediate status) to the driver.
4. After all parking brake units have released, the System indicates the status "all parking brakes released".
5. Driver recognizes the visual indication of the PB status and continues the operation of the train.
Post condition: Train is supplied with electrical power; Parking brake released; Train at standstill.
Things that can go wrong:
TTCGW2.1. Not all parking brake units are released.
TTCGW2.2. PB status indication shows PB released when the PB is still applied.
TTCGW2.3. PB status indication shows PB applied when the PB is already fully released.
Already implemented risk reduction measures: PB status indication to the driver.
Observations: The PB command is sent to the local units via electrical train lines.

Use Case: Apply PB automatically by Train Shut Down
ID: PB3
Actor: Driver
Goal: G_PB3: Automatic application of a predefined braking force to maintain the train in permanent immobilization in a stationary position, without any available energy on board, when the driver deactivates the train.
Safety relation: The use case is inherently safety critical, as the non-achievement of the goal can result in serious damage to persons and the environment.
Precondition: Train is at standstill; Service Brake applied; Driver operates the active cab; Train is supplied with electrical energy.
Flow of events:
1. Driver shuts down the train by deactivating the power supply.
2. The pneumatic system of the Parking Brake applies the Parking Brake force.
3. The Driver leaves the train without a visual PB status indication and relies on the automatic PB application mechanism.
Post condition: Train at standstill; Parking Brake applied; Driver does not operate the train; train is not supplied with electrical energy.
Things that can go wrong:
TTCGW3.1. Parking brake force not applied or not sufficient (especially in terrain with track gradient).


Use Case: Release Parking Brake by Cab activation
ID: PB4
Actor: Driver
Goal: G_PB4: Release of an applied Parking Brake in order to enable the mobility of the train.
Safety relation: The use case is not inherently safety critical, but when the Parking Brake system is not completely released there is the possibility of fire during the driving phase.
Precondition: Train is at standstill; Parking Brake applied; electrical power supply of the train is switched off.
Flow of events:
1. Driver activates the electrical power supply of the train.
2. The parking brake system releases the Parking Brake force automatically.
3. Driver continues train operation without a visual indication of the Parking Brake system status.
Post condition: Affected PB unit is released permanently.
Things that can go wrong:
TTCGW4.1. Parking Brake unit not released completely.
Already implemented risk reduction measures: none listed.
Observations: none listed.

Use Case: Indicate PB release omission failure
ID: PB5
Actor: Driver, Train Staff
Goal: G_PB5: Release the parking brake force of a local Parking Brake unit in case of a release omission failure.
Safety relation: The use case is not inherently safety critical, but the non-achievement of the goal can result in loss of availability.
Precondition: Failure case: a local Parking Brake unit cannot be released by the train-wide Parking Brake activation.
Flow of events:
1. The diagnostic system of the parking brake system indicates a failure of a local PB unit on the driver's HMI.
2. Driver (or Train Staff) releases the local Parking Brake unit by a mechanical mechanism.
3. The Driver (or Train Staff) recognizes the successful release of the parking brake unit and continues operation of the train.
Post condition: Affected PB unit is released.
Things that can go wrong:
TTCGW5.1. Parking Brake unit not released completely although the status indicates "released".
TTCGW5.2. Mechanical release not possible because of a technical defect.
Already implemented risk reduction measures: Status indications.
Observations: none listed.


Use Case: Isolate local PB unit
ID: PB6
Actor: Driver, Train Staff
Goal: G_PB6: Isolate a local parking brake unit from the brake cylinder or the pneumatic supply system in case of failure, in order to prevent the defective parking brake unit from interfering with further operation.
Safety relation: This use case is not inherently safety related, but the operation of the train can be impaired, with loss of availability as the consequence.
Precondition: Defective Parking Brake unit.
Flow of events:
1. The PBS indicates a PB failure to the driver via the HMI.
2. Driver (or Train Staff) releases the PB unit manually (optional).
3. Driver (or Train Staff) isolates the local parking brake unit by operating the respective local control device (e.g. a mechanical lever).
4. The parking brake system indicates the isolated status of the parking brake unit via the HMI.
5. The Driver recognizes the successful isolation of the faulty parking brake unit and continues operation of the train.
Post condition: Affected PB unit is isolated.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Status indication.
Observations: none listed.

Use Case: Apply PB manually
ID: PB7
Actor: Driver, Train Staff
Goal: G_PB7: Apply a local PB force in case of failure, in order to provide the required parking brake force for the whole train.
Safety relation: This use case is not inherently safety related, but the non-achievement of the goal can result in an impact on train operability or in serious damage.
Precondition: A faulty Parking Brake unit cannot apply the predefined parking brake force.
Flow of events:
1. The diagnostic system of the parking brake system indicates a failure of a local PB unit on the driver's HMI.
2. Driver (or Train Staff) manually applies the local parking brake unit by a mechanical mechanism.
3. The Driver (or Train Staff) recognizes the "manually applied" status of the faulty PB unit and continues the operation of the train.
Post condition: Affected faulty PB unit is applied manually.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Status indication.
Observations: none listed.


Use Case: Trigger Emergency Brake
ID: PB8
Actor: Driver, EMB System
Goal: G_PB8: Apply the Emergency Brake in case of a PB apply commission failure when the train is at high speed, in order to stop the train and avoid a fire.
Safety relation: The use case is inherently safety critical, as the non-achievement of the goal can result in serious injury to occupants and damage to the system and the environment.
Precondition: Train is at high speed; PB commission failure.
Flow of events:
1. Train drives at more than 160 km/h.
2. The PBS applies brake units without request.
3. The PBS detects the critical decrease of the parking brake pressure.
4. The PB system indicates the failure and an automatic emergency brake application to the driver via the HMI.
5. The PBS triggers the emergency brake.
6. Train decelerates and stops.
Post condition: Train at standstill; failures are indicated to the driver via the HMI.
Things that can go wrong: none listed.
Already implemented risk reduction measures: none listed.
Observations: none listed.

Use Case: Apply PB manually
ID: PB9
Actor: Driver
Goal: G_PB9: Indicate specific instructions to the driver when the PB is inadvertently applied while the train is moving, in order to
Safety relation: This use case is not inherently safety critical, but the non-achievement of the goal can result in damage to the train equipment.
Precondition: Train is moving with v > 5-15 km/h.
Flow of events:
1. Train drives at more than 5-15 km/h.
2. The PBS applies a brake unit without request.
3. The PBS indicates the failure to the driver via the HMI.
4. Driver stops the train and starts an investigation.
Post condition: Train at standstill; failures are indicated to the driver via the HMI.
Things that can go wrong: none listed.
Already implemented risk reduction measures: none listed.
Observations: none listed.
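The parking brake use cases above hinge on two decisions that the tables describe only in prose: how the train-wide PB status shown to the driver is derived from the local unit reports (the hazards TTCGW1.1, TTCGW1.2 and TTCGW1.4 of PB1, TTCGW2.2 of PB2, and the isolated units of PB6), and how an inadvertent application while moving is escalated (indication only in PB9, emergency brake above 160 km/h in PB8). The following Python model is an added example, not code from the deliverable or from any of the contributing companies; the unit names, the 15 km/h and 160 km/h thresholds and the constructed sample reports are assumptions, and it generalizes the use cases slightly by treating a lost report differently from a unit that actually reports "applied".

```python
"""Added example, not part of the deliverable: train-wide parking brake (PB)
status aggregation and PB apply commission-failure monitoring, modelled on
use cases PB1/PB2 (hazards TTCGW1.1, TTCGW1.2, TTCGW1.4, TTCGW2.2), PB6
(isolated units) and PB8/PB9. Unit names, the speed thresholds and the sample
reports are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class PbState(Enum):
    RELEASED = "released"
    APPLIED = "applied"
    INTERMEDIATE = "intermediate"   # unit still moving between the two states
    UNKNOWN = "unknown"             # report received but not valid


@dataclass(frozen=True)
class UnitReport:
    unit_id: str
    state: Optional[PbState]    # None: no report received over the train line
    isolated: bool = False      # PB6: an isolated unit is excluded from the vote


def aggregate_pb_status(reports: Iterable[UnitReport]) -> PbState:
    """Train-wide PB indication for the driver's HMI.

    Fail-safe rule: "applied" is indicated only when every non-isolated unit
    reports APPLIED (guards TTCGW1.1), "released" only when every non-isolated
    unit reports RELEASED (guards TTCGW2.2). A missing or invalid report
    (TTCGW1.4, faulty signal transmission) yields UNKNOWN instead of silently
    assuming either state.
    """
    states = [r.state for r in reports if not r.isolated]
    if not states or any(s is None or s is PbState.UNKNOWN for s in states):
        return PbState.UNKNOWN
    if all(s is PbState.APPLIED for s in states):
        return PbState.APPLIED
    if all(s is PbState.RELEASED for s in states):
        return PbState.RELEASED
    return PbState.INTERMEDIATE


# Assumed thresholds: the use cases give "v > 5-15 km/h" (PB9) and "> 160 km/h" (PB8).
PB9_SPEED_KMH = 15.0
PB8_SPEED_KMH = 160.0


class PbAction(Enum):
    NONE = "none"
    INDICATE_FAILURE = "indicate failure; driver stops and investigates"      # PB9
    TRIGGER_EMERGENCY_BRAKE = "indicate failure and trigger emergency brake"  # PB8


def pb_commission_check(speed_kmh: float, pb_requested: bool,
                        reports: Iterable[UnitReport]) -> PbAction:
    """Detect a PB apply commission failure while the train is moving.

    A unit that is applied (or still applying) without a PB request is a
    commission failure: above PB8_SPEED_KMH the emergency brake is triggered,
    otherwise the failure is indicated and the driver stops. A unit whose
    status is merely unknown is reported but does not trigger the emergency
    brake at high speed, because a lost report alone is no evidence of an
    applied brake (assumed policy).
    """
    if pb_requested or speed_kmh <= PB9_SPEED_KMH:
        return PbAction.NONE
    active: List[UnitReport] = []
    unknown: List[UnitReport] = []
    for r in reports:
        if r.isolated:
            continue
        if r.state in (PbState.APPLIED, PbState.INTERMEDIATE):
            active.append(r)
        elif r.state is None or r.state is PbState.UNKNOWN:
            unknown.append(r)
    if active:
        return (PbAction.TRIGGER_EMERGENCY_BRAKE if speed_kmh > PB8_SPEED_KMH
                else PbAction.INDICATE_FAILURE)
    if unknown:
        return PbAction.INDICATE_FAILURE
    return PbAction.NONE


# Constructed sample: a four-unit train with one isolated unit and one lost report.
SAMPLE_REPORTS = [
    UnitReport("car1_bogie1", PbState.RELEASED),
    UnitReport("car1_bogie2", PbState.RELEASED),
    UnitReport("car2_bogie1", PbState.APPLIED, isolated=True),  # isolated per PB6
    UnitReport("car2_bogie2", None),                            # train line fault
]

if __name__ == "__main__":
    print("train-wide PB status:", aggregate_pb_status(SAMPLE_REPORTS).value)
    print("at 80 km/h, no request:",
          pb_commission_check(80.0, False, SAMPLE_REPORTS).value)
```

The point of the aggregation rule is that the HMI never shows "applied" or "released" on the strength of a partial or missing vote: with the sample reports the lost train-line report turns the whole indication into "unknown", which is the state the driver has to investigate rather than trust.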


3.4.3.6 Use Case Diagram Service Braking

Figure 8: Use Case Service Braking


3.4.3.7 Use Case Description Service Braking

Use Case: Apply the Brake System by a Brake Controller
ID: UC_SB1
Actor: Driver
Goal: G_UC_SB1: Application of an adjustable brake force in order to control the speed of the train, including stop and temporary immobilization, by the Driver.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition: Driver is in the cab; Train is driving, braking or coasting; Integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver controls the speed of the train in service conditions and puts the Driver's Brake Controller to the Service Braking position.
2. The Service Brake System applies the service brake demand value and decelerates and/or stops the train. The brake cylinder pressure increases up to the train-specific value.
3. Driver recognizes the deceleration and the increase of the brake cylinder pressure.
Post condition: Driver is in the cab; Train is braking, coasting or not moving.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Online diagnostic, Full Brake Test (FBT) and Basic Brake Test (BBT) test the service brake command devices.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.

Use Case: Apply the Brake System automatically by a Technical System
ID: UC_SB2
Actor: Technical System
Goal: G_UC_SB2: Application of an adjustable brake force in order to control the speed of the train, including stop and temporary immobilization, by the Technical System.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition: Driver is in the cab and the Technical System is active; Train is driving, braking or coasting; Integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. The Technical System controls the speed of the train in service conditions and commands a service brake demand value.
2. The Service Brake System applies the service brake demand value and decelerates and/or stops the train. The brake cylinder pressure increases up to the train-specific value.
3. Driver recognizes the deceleration and the increase of the brake cylinder pressure. The Technical System monitors the deceleration and checks the Service Brake System status.
Post condition: Driver is in the cab; Train is braking, coasting or not moving.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Online diagnostic, Full Brake Test (FBT) and Basic Brake Test (BBT) test the service brake command devices.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Release the Brake System by a Brake Controller
ID: UC_SB3
Actor: Driver
Goal: G_UC_SB3: Release of an adjustable brake force in order to control the speed of the train by the Driver.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition: Driver is in the cab; Train is braking; Integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. Driver controls the speed of the train in service conditions and puts the Driver's Brake Controller to the Service Brake Release position.
2. The Service Brake System reduces the deceleration or sets the service brake demand value to full release. The brake cylinder pressure decreases or is vented completely.
3. Driver recognizes the reduced deceleration or the decrease of the brake cylinder pressure.
Post condition: Driver is in the cab; Train is braking.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Online diagnostic, Full Brake Test (FBT) and Basic Brake Test (BBT) test the service brake command devices.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.

Use Case: Release the Brake System automatically by a Technical System
ID: UC_SB4
Actor: Technical System
Goal: G_UC_SB4: Release of an adjustable brake force in order to control the speed of the train, including temporary immobilization, by the Technical System.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition: Driver is in the cab and the Technical System is active; Train is braking; Integrity and continuity of the brake system checked successfully by Full Brake Test (FBT) before service operation.
Flow of events:
1. The Technical System controls the speed of the train in service conditions and commands a service brake demand value.
2. The Service Brake System reduces the deceleration or sets the service brake demand value to full release. The brake cylinder pressure decreases or is vented completely.
3. Driver recognizes the reduced deceleration and the decrease of the brake cylinder pressure. The Technical System monitors the deceleration and checks the Service Brake System status.
Post condition: Driver is in the cab; Train is braking.
Things that can go wrong: none listed.
Already implemented risk reduction measures: Online diagnostic, Full Brake Test (FBT) and Basic Brake Test (BBT) test the service brake command devices.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


3.4.3.8 Use Case Diagram Automatic Brake Test

Figure 9: Use Case Service Automatic Brake Test


3.4.3.9 Use Case Description Automatic Brake Test

Use Case: Manual Test of the Master Controller
ID: UC_FUT1
Actor: Driver
Goal: G_UC_FUT1: This test checks the function of the Master Controller and completes the results (availability, braking power) of the Automatic Brake Test.
Safety relation: The use case is inherently safety critical, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Driver is in the cab
- Automatic Brake Test has tested the integrity successfully
- Automatic Brake Test has tested the continuity successfully
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
Flow of events:
1. Preconditions for the Automatic Brake Test monitored successfully.
2. The Automatic Brake Test checks the integrity and the continuity of the brake system, and the ABT execution is successful.
3. The calculation of the braking power waits for the results of the Manual Test of the Master Controller.
4. The Driver's Display requests the driver to execute the Manual Test.
5. Driver moves the Master Controller manually through the Release-Apply-Release positions.
6. Driver checks every status during the Release-Apply-Release sequence.
7. The Automatic Brake Test checks the result of the Manual Test.
8. The Automatic Brake Test shows the availability and the calculated braking power on the Driver's Display.
9. The Automatic Brake Test transmits the Brake Test results to ATP/ATO.
Post condition: Driver is in the cab; parking brake applied; Brake Test results are valid.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out; communication to the Driver's Display faulty.
Already implemented risk reduction measures: Permanent monitoring of preconditions.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Manual Test of the Brake Lever
ID: UC_FUT2
Actor: Driver
Goal: G_UC_FUT2: This test checks the function of the Brake Lever and completes the results (availability, braking power) of the Automatic Brake Test.
Safety relation: The use case is inherently safety critical, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Driver is in the cab
- Automatic Brake Test has tested the integrity successfully
- Automatic Brake Test has tested the continuity successfully
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
Flow of events:
1. Preconditions for the Automatic Brake Test monitored successfully.
2. The Automatic Brake Test checks the integrity and the continuity of the brake system, and the ABT execution is successful.
3. The calculation of the braking power waits for the results of the Manual Test of the Brake Lever.
4. The Driver's Display requests the driver to execute the Manual Test.
5. Driver moves the Brake Lever manually through the Release-Apply-Release positions.
6. Driver checks every status during the Release-Apply-Release sequence.
7. The Automatic Brake Test checks the result of the Manual Test.
8. The Automatic Brake Test shows the availability and the calculated braking power on the Driver's Display.
9. The Automatic Brake Test transmits the Brake Test results to ATP/ATO.
Post condition: Driver is in the cab; parking brake applied; Brake Test results are valid.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out; communication to the Driver's Display faulty.
Already implemented risk reduction measures: Permanent monitoring of preconditions.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Test of Friction Brake
ID: UC_ABT1
Actor: Driver and Technical System
Goal: G_UC_ABT1: This test shall check the function of the Friction Brake in the Release-Apply-Release states for service and emergency braking in all parts of the train.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the Friction Brake are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the Friction Brake process the Release-Apply-Release demands for service and emergency braking in all parts of the train.
7. All availability data of the Friction Brake are updated by the local brake application.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Test of Adhesion Independent Brakes
ID: UC_ABT2
Actor: Driver and Technical System
Goal: G_UC_ABT2: This test shall check the function of the Adhesion Independent Brakes in the Release-Apply-Release states for service and emergency braking in all parts of the train.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the Adhesion Independent Brakes are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the Adhesion Independent Brakes process the Release-Apply-Release demands for service and emergency braking in all parts of the train.
7. All availability data of the Adhesion Independent Brakes are updated by the local brake application.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Test of WSP
ID: UC_ABT3
Actor: Technical System
Goal: G_UC_ABT3: This test shall check the function of the WSP in the Apply state in all parts of the train.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- No driver / train staff on the train necessary
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the WSP are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the WSP test their safety functions during the applied state of the friction brake in all parts of the train.
7. All availability data of the WSP are updated by the local brake application.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Determine the Availability of the Brake System
ID: UC_ABT4
Actor: Driver and Technical System
Goal: G_UC_ABT4: The function Determine the Availability collects and evaluates all data of the local friction brakes and local adhesion independent brakes to generate an integrity declaration for the complete brake system.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the Friction Brake and the adhesion independent brake are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the Friction Brake and the adhesion independent brake process the Release-Apply-Release demands for service and emergency braking in all parts of the train.
7. All availability data of the Friction Brake and the adhesion independent brake are updated by the local brake application.
8. The function Determine the Availability collects and evaluates the data of all local brakes.
9. The function Determine the Availability generates an integrity declaration for the complete brake system, including friction brakes and local adhesion independent brakes.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Calculate the Braking Power
ID: UC_ABT5
Actor: Driver and Technical System
Goal: G_UC_ABT5: This function takes all availability and integrity data of the friction and adhesion independent brakes to calculate the braking power of the complete brake system.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the Friction Brake and the adhesion independent brake are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the Friction Brake and the adhesion independent brake process the Release-Apply-Release demands for service and emergency braking in all parts of the train.
7. All availability data of the Friction Brake and the adhesion independent brake are updated by the local brake application.
8. The function Determine the Availability collects and evaluates the data of all local brakes and generates an integrity declaration for the complete brake system.
9. The function Calculate the Braking Power takes all availability and integrity data of the friction and adhesion independent brakes and generates a braking power value for the complete brake system.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Check the Continuity of the Brake System
ID: UC_ABT6
Actor: Driver and Technical System
Goal: G_UC_ABT6: This function takes into account the brake request of the function Automatic Brake Test and evaluates the Release-Apply-Release states in the active cab and at the end of the train.
Safety relation: The use case is inherently safety related, as the non-achievement of the defined goal can result in serious harm to hundreds of persons and damage to the environment.
Precondition:
- Parking Brake applied
- Train at standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test.
2. Preconditions for the Automatic Brake Test monitored successfully.
3. All availability data of the Friction Brake and the adhesion independent brake are reset.
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake.
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake.
6. The local functions of the Friction Brake and the adhesion independent brake process the Release-Apply-Release demands for service and emergency braking in all parts of the train.
7. All availability data of the Friction Brake and the adhesion independent brake are updated by the local brake application.
8. The function Check the Continuity takes into account the brake request in the active cab and evaluates the Release-Apply-Release states at the end of the train.
Post condition: The Automatic Brake Test requests the Manual Test of the Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the precondition monitoring function or by time-out.
Already implemented risk reduction measures: Online diagnostic active; Parking Brake applied.
Observations: Status information and Online Diagnostic events are shown on the Driver's Display.


Use Case: Execute Automatic Full Brake Test
ID: UC_ABT7
Actor: Driver and Technical System
Goal: G_UC_ABT7: This function checks the preconditions before and during the automatic brake test, coordinates the different actions of the friction and adhesion independent brake tests, requests the manual brake tests for the Master Controller and/or Brake Lever and starts the calculation of the braking power.
Safety relation: The use case is inherently safety related, as non-achievement of the defined goal can result in serious damage to hundreds of persons and to the environment.
Precondition:
- Parking Brake applied
- Train in standstill
- TCMS active
- Main compressors are active
- Pantograph is raised to the catenary
- All Brake Levers or Master Controllers isolated
- (No driver / train staff on the train necessary)
Flow of events:
1. Driver and Technical System request the Automatic Brake Test
2. Preconditions for the Automatic Brake Test are monitored successfully
3. All availability data of the Friction Brake and adhesion independent brake are reset
4. The train-wide function Automatic Brake Test requests Release-Apply-Release for the service and the emergency brake
5. The Brake Command Lines transmit the brake demand for the service and the emergency brake
6. The local functions of the Friction Brake and adhesion independent brake process the Release-Apply-Release demands for service and emergency braking in all parts of the train
7. All availability data of the Friction Brake and adhesion independent brake are updated by the local brake application
8. The function Check the Continuity takes into account the brake request in the active cab and evaluates the Release-Apply-Release states at the end of the train
9. The Manual Brake Tests for the Master Controller and/or Brake Lever are requested
10. The function Calculation of the Braking Power is started
11. The valid results of the Automatic Brake Test are generated
Post condition: Automatic Brake Test requests the Manual Test of Master Controller and/or Brake Lever; preconditions are still monitored.
Things that can go wrong: Test aborted by the Precondition Monitoring function or by time out.
Already implemented risk reduction measures: Online diagnostic active, Parking brake applied.
Observations: Status Information and Online Diagnostic Event are shown on the Driver’s Display.
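As an added illustration of the UC_ABT7 flow (not code from the deliverable or from any project partner), the following Python sequencer issues the Release-Apply-Release demands for the service and the emergency brake, re-reads the precondition monitor after every confirmed step, and aborts on a lost precondition or an end-of-train time out, the two failure modes listed under "Things that can go wrong". The class names, the 10 s step time-out and the replayed scenarios are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Step(Enum):
    RELEASE = "release"
    APPLY = "apply"

@dataclass
class Preconditions:
    """Preconditions of UC_ABT7, re-read by the monitor (ABT2) at every step."""
    parking_brake_applied: bool = True
    standstill: bool = True
    tcms_active: bool = True
    compressors_active: bool = True
    pantograph_up: bool = True
    cab_brake_devices_isolated: bool = True

    def failed(self) -> List[str]:
        return [name for name, ok in vars(self).items() if not ok]

@dataclass
class BrakeTestResult:
    status: str                      # "valid" or "aborted"
    reason: str = ""
    service_ok: bool = False         # Release-Apply-Release confirmed for the service brake
    emergency_ok: bool = False       # ... and for the emergency brake
    events: List[str] = field(default_factory=list)  # online diagnostic events for the display

class BrakeTestSequencer:
    """Hypothetical coordinator of the Release-Apply-Release sequence of UC_ABT7.
    monitor: returns the current Preconditions (the ABT2 check)
    confirm: (brake, step) -> seconds until the end-of-train state matched the demand
             (the Check the Continuity evaluation), or None if it never matched"""
    SEQUENCE = (Step.RELEASE, Step.APPLY, Step.RELEASE)

    def __init__(self, monitor: Callable[[], Preconditions],
                 confirm: Callable[[str, Step], Optional[float]],
                 step_timeout_s: float = 10.0):        # assumed time-out per step
        self.monitor = monitor
        self.confirm = confirm
        self.step_timeout_s = step_timeout_s

    def _abort(self, result: BrakeTestResult, reason: str) -> BrakeTestResult:
        result.reason = reason
        result.events.append("ABT aborted: " + reason)   # shown on the driver's display
        return result

    def run(self) -> BrakeTestResult:
        result = BrakeTestResult(status="aborted")
        failed = self.monitor().failed()
        if failed:                                       # step 2: preconditions not met
            return self._abort(result, "precondition not met: " + ", ".join(failed))
        for brake in ("service", "emergency"):           # step 4: both brake types are tested
            for step in self.SEQUENCE:
                elapsed = self.confirm(brake, step)      # steps 5-8: demand, local processing, continuity
                if elapsed is None or elapsed > self.step_timeout_s:
                    return self._abort(result, f"{brake} brake {step.value}: time out at end of train")
                failed = self.monitor().failed()         # preconditions stay monitored during the test
                if failed:
                    return self._abort(result, "precondition lost during test: " + ", ".join(failed))
            if brake == "service":
                result.service_ok = True
            else:
                result.emergency_ok = True
        result.status = "valid"                          # step 11: valid results
        result.events.append("ABT valid; manual tests of Master Controller / Brake Lever requested")
        return result

def make_monitor(readings: List[Preconditions]) -> Callable[[], Preconditions]:
    """Constructed stand-in for the precondition monitor: replays readings, repeats the last."""
    state = {"i": 0}

    def monitor() -> Preconditions:
        reading = readings[min(state["i"], len(readings) - 1)]
        state["i"] += 1
        return reading
    return monitor

def run_nominal() -> BrakeTestResult:
    # constructed scenario: every end-of-train state is confirmed within 3 s
    return BrakeTestSequencer(make_monitor([Preconditions()]), lambda b, s: 3.0).run()

def run_timeout() -> BrakeTestResult:
    # constructed scenario: the emergency brake apply is never seen at the end of the train
    def confirm(brake: str, step: Step) -> Optional[float]:
        return None if (brake == "emergency" and step is Step.APPLY) else 3.0
    return BrakeTestSequencer(make_monitor([Preconditions()]), confirm).run()

def run_precondition_lost() -> BrakeTestResult:
    # constructed scenario: the parking brake is released after the first confirmed step
    readings = [Preconditions(), Preconditions(parking_brake_applied=False)]
    return BrakeTestSequencer(make_monitor(readings), lambda b, s: 3.0).run()
```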


3.4.4 Conventional brake system sub-functions
The functions described above for the conventional brake system are decomposed into several sub-functions, which can be derived from the above use cases and from experience with existing brake systems. The decomposition is naturally influenced by the presence of different types of brakes (friction direct/indirect, dynamic, adhesion dependent, adhesion independent), by the architecture of the brake system (command generation, command transmission, brake force generation) and by the requirements.

3.4.4.1 BSM - Brake System Management sub-functions
BSM1. Train Topology and Brake System Integrity
BSM2. Manage brake operating modes
  BSM2.1. Normal mode
  BSM2.2. Degraded mode
  BSM2.3. Towing mode

3.4.4.2 SB - Service brake sub-functions
SB1. Service brake train retardation request
  SB1.1. Driver request acquisition
  SB1.2. Technical system request acquisition
SB2. Service brake request transmission
SB3. Train Load Calculation
  SB3.1. Local (bogie/car) load acquisition
  SB3.2. Train load calculation
SB4. Train Brake Force Calculation
SB5. Blending
  SB5.1. Service Brake Acquisition of the Brake Availability of all brake subsystems
  SB5.2. Train brake force distribution on different types of brakes
    SB5.2.1. Train Electro-Dynamic Brake Force Calculation
    SB5.2.2. Train Friction Brake Force Calculation
    SB5.2.3. Train Eddy current brake force Calculation
    SB5.2.4. Train Electro-hydraulic retarder brake force Calculation
    SB5.2.5. Electro-Dynamic Local Brake force request
    SB5.2.6. Friction Local Brake force request
      a. Direct
      b. Indirect
    SB5.2.7. Eddy current local brake force request
    SB5.2.8. Electro-hydraulic retarder local brake force request
  SB5.3. Train Achieved Dynamic Force Acquisition
  SB5.4. Service brake force application
    SB5.4.1. Local friction brake force generation
      a. Direct
      b. Indirect


    SB5.4.2. Local electro-dynamic brake force generation
    SB5.4.3. Local eddy current service brake generation
    SB5.4.4. Local electro-hydraulic retarder brake force generation
SB6. Service brake force application energy storing
SB7. Holding brake
SB8. Traction cut off
SB9. Service brake state and fault detection and indication
  SB9.1. Train wide service brake Status
  SB9.2. Local Friction service brake Status (Function 6.d.i)
  SB9.3. Local Electro-dynamic service brake Status (Function 6.d.ii)
  SB9.4. Local Eddy current service brake Status (Function 6.d.iii)
  SB9.5. Local Electro-hydraulic retarder service brake Status (Function 6.d.iv)
SB10. Service brake isolation
  SB10.1. Local friction service brake isolation
  SB10.2. Local Electro-dynamic service brake isolation
  SB10.3. Local Eddy current service brake isolation
  SB10.4. Local Electro-hydraulic retarder service brake isolation

3.4.4.3 EB - Emergency brake sub-functions
EB1. Emergency brake command generation
  EB1.1. Driver request acquisition
  EB1.2. Technical system request acquisition
  EB1.3. Passengers Alarm request acquisition
EB2. Actual Emergency Braking Power Calculation
  EB2.1. Emergency Brake Acquisition of the Brake Availability of all brake subsystems
  EB2.2. Emergency Braking power calculation
  EB2.3. Emergency Braking power indication to driver
  EB2.4. Emergency Braking power transmission to technical systems
EB3. Emergency brake command transmission
EB4. Emergency Local brake force generation
  EB4.1. Local load acquisition
  EB4.2. Friction brake force generation (load dependent and speed dependent)
  EB4.3. Local electro dynamic brake force generation (load dependent and speed dependent)
  EB4.4. Local Electro-hydraulic retarder brake force generation (load dependent and speed dependent)
  EB4.5. Adhesion independent brake force generation (speed dependent)
    EB4.5.1. Magnetic track brake
    EB4.5.2. Eddy Current brake
EB5. Emergency brake energy storing
EB6. Traction cut off
EB7. Emergency brake state and fault detection and indication
  EB7.1. Train wide brake state and fault detection and indication
  EB7.2. Local Friction brake state and fault detection and indication
  EB7.3. Local Electro-dynamic brake state and fault detection and indication
  EB7.4. Local Eddy current brake state and fault detection and indication
  EB7.5. Local Electro-hydraulic retarder brake state and fault detection and indication
EB8. Emergency brake isolation
  EB8.1. Driver Emergency command isolation
  EB8.2. Local friction emergency brake isolation
  EB8.3. Local Electro-dynamic emergency brake isolation
  EB8.4. Local adhesion independent emergency brake isolation
    EB8.4.1. Magnetic track brake
    EB8.4.2. Eddy Current brake
  EB8.5. Local Electro-hydraulic retarder emergency brake isolation

3.4.4.4 PB - Parking brake sub-functions
PB1. Parking brake command generation
  PB1.1. Driver request acquisition
  PB1.2. Technical system request acquisition
PB2. Parking brake train command transmission
PB3. Parking brake local force generation
  PB3.1. By train command
  PB3.2. By local command (manual application)
PB4. Parking brake energy storing
PB5. Anti-compound
PB6. Parking brake state and fault detection and indication
  PB6.1. Local parking brake state (applied/released/faulty/isolated/no info)
  PB6.2. Train level parking brake applied status
  PB6.3. Train level parking brake released status
PB7. Monitoring of parking brake applied at speed, detection and speed reduction request
PB8. Parking brake manual release
PB9. Parking brake isolation

3.4.4.5 ABT - Automatic Brake test sub-functions
ABT1. Automatic Brake Test request generation
  ABT1.1. Driver request acquisition (only in brake test mode)
  ABT1.2. Technical system request acquisition (only in brake test mode)
ABT2. Check of preconditions of brake test
ABT3. Direct brakes and Safety Loop Test
ABT4. Indirect Brakes and Brake Pipe Test
ABT5. Adhesion independent Brake Systems Test
ABT6. Dynamic Brake Systems Test
ABT7. Brake performances calculation
ABT8. Air Supply Test
ABT9. Wheel Slide Protection (WSP) Test
ABT10. Adhesion Management Function Test (sanding)
ABT11. Cab Brake Devices Test
  ABT11.1. Test of the Master Controller of Direct Brakes (Integrity)
  ABT11.2. Test of the Brake Lever of Indirect Brakes (Integrity)
  ABT11.3. Test of the Emergency Push Button (Integrity)
ABT12. Optional Functions Test
  ABT12.1. Test of Passenger Alarm System (PAS)
  ABT12.2. Emergency Brake Override (EBO)
ABT13. Brake Tests Result Indication

3.4.4.6 LAM – Low Adhesion Management sub-functions
LAM1 Wheel slide protection
  LAM1.1 Speed acquisition
  LAM1.2 Braking force reduction/restoring (slide dependent)
  LAM1.3 Brake force reduction timeout (watchdog)
LAM2 Adhesion improvement
LAM3 Adhesion management state and fault detection and indication

3.4.5 Conventional brake system sub-function description
In this chapter each sub-function is described, evidencing the actors involved, the relations of each sub-function with the other sub-functions (so that the flow of the system function can be followed “border to border”) and the TSI functional requirements applicable to each sub-function. The technical systems are not always written out in detail, only where relevant. In the next phase the definition of the actors will be deployed more precisely. The same functional requirements can be applicable to different sub-functions.
Among the functional requirements, the requirement on running capability (TSI §4.2.10.4.4) must be highlighted. Until a few years ago the safe condition for the train was its braking capacity: the way to put a train in a safe condition was to apply the brake. The running capability requirement now introduces the opposite principle, applicable in a fire condition (on the train or outside the train): the release of the brake shall be guaranteed. This principle changes the implementation of the functions considerably, because the safety requirements now also apply to the release command in the presence of fire. For this reason, this requirement is present in each function involving brake release.


3.4.5.1 BSM - Brake System Management sub-functions

3.4.5.1.1 BSM1 Train Topology and Brake System Integrity
This sub-function is in charge of identifying the train composition and the brake control system integrity. It is normally performed during train power-up and is in charge of initializing the brake communication network and, if multiple configurations of the brake system are possible, of identifying the one in use (this information is needed, for example, by SB5 Blending).
a. Actors involved:
- Driver
- Technical system
b. Linked Sub-functions
- BSM2 Manage brake operating modes
- SB2 Service brake request transmission
- SB3 Train Load Calculation
- SB5 Blending
- SB7 Holding brake
- SB9 Service brake state and fault detection and indication
- EB2 Actual Emergency Braking Power Calculation
- EB7 Emergency brake state and fault detection and indication
- PB2 Parking brake train command transmission
- PB6 Parking brake state and fault detection and indication
c. TSI Functional requirements

None

3.4.5.1.2 BSM2 Manage brake operating modes
This sub-function is in charge of selecting the train brake mode during operation:
- Normal
- Degraded
- Towing
The driver is able to change the brake mode by means of the cab brake equipment; the selected mode activates all the brake system functions necessary to manage that operating mode.

a. Actors involved:
- Driver
- Technical System
b. Linked Sub-functions
- All System Functions
c. TSI Functional requirements
Related to towing:

FR.1 For units intended to be operated on other track gauge systems than the 1 520 mm system, it shall be possible, following a failure during operation, to rescue a train with no energy available on board by a recovery power unit equipped with a pneumatic brake system compatible with the UIC brake system (brake pipe as braking control command line) (TSI §4.2.4.10 (2)).
FR.2 During the rescue, it shall be possible to have a part of the brake system of the rescued train controlled by means of an interface device; in order to meet this requirement, it is allowed to rely on low voltage provided by a battery to supply control circuits on the rescued train (TSI §4.2.4.10 (3)).

3.4.5.2 SB - Service brake sub-functions

3.4.5.2.1 SB1 Service brake train retardation request
This sub-function shall transform the brake request coming from the Driver or from an on-board Technical System (ATO, TCMS, etc.) via proper interface devices into a train retardation input to the SB2 Service brake request transmission sub-function (see use case Service brake). The brake request can arrive from different devices depending on the operating mode (normal - degraded - towing). The train retardation request includes the definition of the brake status (driving, braking, coasting).
a. Actors involved:
- Driver
- Technical System
b. Linked Sub-functions
- SB2 Service brake request transmission
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.3 The service brake function shall allow a retardation force to be applied to the train by the following actors:
  i. Driver (TSI §4.2.4.4.2 (2)).
  ii. Automatic speed regulation system - ATO (TSI §4.2.4.4.2 (Note)).
  iii. ETCS
  iv. Brake system (in case of major fault, to reduce the speed, i.e. in case of undue parking brake application)
  v. Passenger alarm system (TSI §4.2.5.3.3 (2)).
FR.4 The service brake function shall allow the driver to adjust (by application or release) the brake force between a minimum and a maximum value in a range of at least 7 steps (including brake release and maximum brake force), in order to control the speed of the train (TSI §4.2.4.4.2 (2)).
FR.5 The service braking command shall be active only in one location in a train (TSI §4.2.4.4.2 (3)).
FR.6 Any service brake application request shall take control of the brake system, even in case of an active brake release command (TSI §4.2.4.2.1 (4)).
FR.7 The maximum service brake retardation request shall be lower than 2,5 m/s² (TSI §4.2.4.5.1 (5)).
FR.8 The service brake command shall apply an adjustable brake force (TSI §4.2.4.2.1 (13)).
FR.9 It shall be possible to limit the maximum service braking performance at a level lower than the emergency braking performance (TSI §4.2.4.5.3 (3)).
FR.10 It shall be possible, following a failure during operation, to rescue a train with no energy available on board by a recovery power unit equipped with a pneumatic brake system compatible with the UIC brake system (brake pipe as braking control command line). During the rescue, it shall be possible to have a part of the brake system of the rescued train controlled by means of an interface device; in order to meet this requirement, it is allowed to rely on low voltage provided by a battery to supply control circuits on the rescued train (TSI §4.2.4.10 (2)-(3)).
FR.11 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.2.2 SB2 Service brake request transmission
This sub-function transfers the retardation request generated by SB1 Service brake train retardation request to the SB4 Train Brake Force Calculation sub-function or directly to the SB5 Blending sub-function.
a. Actors involved:
- None or TCMS
b. Linked Sub-functions
- SB1 Service brake train retardation request
- SB4 Train Brake Force Calculation
- SB5 Blending
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.12 The brake system shall be continuous: the brake application signal is transmitted from a central command to the whole train by a control line (TSI §4.2.4.2.1 (3)).
FR.13 The loss of integrity of the control line or a train separation shall generate a brake application on all vehicles of the train – automaticity (TSI §4.2.4.2.1 (11)).
FR.14 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.2.3 SB3 Train Load Calculation
This sub-function calculates the train load and transfers it to the SB4 Train Brake Force Calculation and SB7 Holding brake sub-functions or directly to the SB5 Blending sub-function. The load calculation is needed on trains with relevant mass changes during operation due to passengers or other particular loads. The train load is calculated by local load acquisitions on each bogie/car, summed at train level.
a. Actors involved:
- Bogie
b. Linked Sub-functions
- SB4 Train Brake Force Calculation
- SB5 Blending
- SB7 Holding brake
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.15 The braking force generation shall take into account (TSI §4.2.4.1 (2)):
  i. train mass.

3.4.5.2.4 SB4 Train Brake Force Calculation
This sub-function calculates the total brake effort needed by the train, as input to the SB5 Blending sub-function. The total train force depends on the retardation request, the train load, the rolling resistance and the speed.
a. Actors involved:
- None
b. Linked Sub-functions
- SB2 Service brake request transmission
- SB3 Train Load Calculation
- SB5 Blending
c. TSI Functional requirements
FR.16 The braking force generation shall take into account (TSI §4.2.4.1 (2)):
  i. train mass,
  ii. train rolling resistance,
  iii. speed,
  iv. available adhesion.

3.4.5.2.5 SB5 Blending
This sub-function is in charge of sharing the train brake force calculated by SB4 among the available types of brakes. The forces can be speed and/or adhesion and/or load and/or brake disk temperature dependent. The algorithm for sharing the braking force depends on several factors and has the following objectives:
- Apply the regenerative brake types as much as possible
- Compensate, when possible, for isolated / not available brakes and for degraded performance of the dynamic brakes
- Do not exceed the maximum applicable force, respecting the adhesion limits
- Do not exceed the thermal limit of the friction brake
Each type of brake then has to generate the requested braking force to the Wheelset or to the Track.
a. Actors involved:
- Wheelset
- Track
b. Linked Sub-functions
- SB2 Service brake request transmission
- SB3 Train Load Calculation
- SB4 Train Brake Force Calculation
- SB6 Service brake force application energy storing
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.17 The purpose of the train braking system is to ensure that the train's speed can be reduced or maintained on a slope, or that the train can be stopped within the maximum allowable braking distance. Braking also ensures the immobilisation of a train (TSI §4.2.4.1 (1)).
FR.18 The service brake command shall apply an adjustable brake force (TSI §4.2.4.2.1 (13)).
FR.19 The maximum average deceleration developed with all brakes in use, including the brake independent of wheel/rail adhesion, shall be lower than 2,5 m/s² (TSI §4.2.4.5.1 (5)).
FR.20 For speeds higher than 5 km/h, the maximum jerk due to the use of brakes shall be lower than 4 m/s³ (TSI §4.2.4.2.1 (15)).
FR.21 The dissipation of the braking energy shall be considered in the design of the braking system, and shall not cause any damage to the components of the braking system in normal operation conditions (TSI §4.2.4.2.1 (6)).
FR.22 The brake energy capacity shall be verified by calculation showing that the braking system in normal mode is designed to withstand the dissipation of the braking energy (TSI §4.2.4.5.4 (3)).
FR.23 The maximum line gradient, associated length and operating speed for which the brake system is designed in relation with brake thermal energy capacity shall also be defined by a calculation for the load condition ‘maximum braking load’, with the service brake being used to maintain the train at a constant operating speed (TSI §4.2.4.5.4 (4)).
FR.24 It is permitted to complement the main brake function by additional brake systems described in clause 4.2.4.7 (dynamic brake — braking system linked to traction system) and/or clause 4.2.4.8 (braking system independent of adhesion conditions) (TSI §4.2.4.2.1 (5)).
FR.25 It is permitted to use a dynamic brake independently from other brake systems, or together with other brake systems (blending) (TSI §4.2.4.4.4 (2)).
FR.26 Successive applications and releases of the brake shall be considered in the design of the braking system (inexhaustibility) (TSI §4.2.4.2.1 (10)).
FR.27 Until the ‘open point’ is closed, the values of maximum longitudinal braking force applied to the track by the eddy current track brake specified in clause 4.2.4.5 of the TSI HS RST 2008 and used at speed ≥ 50 km/h are deemed to be compatible with HS lines (TSI §4.2.4.8.3 (4)).
FR.28 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.
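As an added example (not code from the deliverable or from any project partner) of the SB1 - SB4 - SB5 chain described in this section, the following Python maps the driver's brake step to a retardation request, applies the FR.20 jerk limit, computes the train brake force from the train load and shares it across bogies: regenerative electro-dynamic brake first, friction topping up, each bogie capped by wheel/rail adhesion, and the share of an isolated bogie moved onto the adhesion headroom of the others; a residual shortfall is reported rather than hidden. The class and function names, the linear 7-step mapping, the adhesion coefficient and the 4-bogie consist are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

G = 9.81                   # m/s^2
MAX_SERVICE_DECEL = 2.5    # m/s^2, FR.7 / FR.19 (TSI 4.2.4.5.1 (5))
MAX_JERK = 4.0             # m/s^3, FR.20 (TSI 4.2.4.2.1 (15)), applies above 5 km/h
BRAKE_STEPS = 7            # FR.4: at least 7 steps including release and maximum force


@dataclass
class Bogie:
    """Local data of one bogie (constructed; SB3.1 load, SB5.1 brake availability)."""
    load_n: float                  # vertical load on the rail
    ed_available_n: float          # electro-dynamic force available (0 = trailer or isolated)
    friction_available_n: float    # friction force available (0 = isolated, SB10.1)


def requested_deceleration(step: int) -> float:
    """SB1: discrete driver step (0 = release ... 6 = maximum) to a retardation request (assumed linear)."""
    if not 0 <= step < BRAKE_STEPS:
        raise ValueError(f"step must be in 0..{BRAKE_STEPS - 1}")
    return MAX_SERVICE_DECEL * step / (BRAKE_STEPS - 1)


def limit_jerk(prev_decel: float, target_decel: float, dt_s: float, speed_kmh: float) -> float:
    """FR.20: above 5 km/h the deceleration may change by at most MAX_JERK * dt per control cycle."""
    if speed_kmh <= 5.0:
        return target_decel
    max_delta = MAX_JERK * dt_s
    delta = max(-max_delta, min(max_delta, target_decel - prev_decel))
    return prev_decel + delta


def train_brake_force(decel: float, mass_kg: float, rolling_resistance_n: float) -> float:
    """SB4: total brake effort to be generated; rolling resistance already retards the train."""
    return max(0.0, decel * mass_kg - rolling_resistance_n)


def blend(total_force_n: float, bogies: List[Bogie], adhesion: float) -> Dict[str, object]:
    """SB5: share total_force_n over the bogies.

    Each bogie is capped by wheel/rail adhesion (adhesion * load) and by what its brakes
    can deliver.  Pass 1 shares load-proportionally so adhesion is used evenly; pass 2
    moves the shortfall of isolated/degraded bogies onto the headroom of the others.
    Inside a bogie the regenerative ED brake is used first, friction supplies the rest."""
    cap = [min(adhesion * b.load_n, b.ed_available_n + b.friction_available_n) for b in bogies]
    total_load = sum(b.load_n for b in bogies)
    target = [total_force_n * b.load_n / total_load for b in bogies]
    assigned = [min(t, c) for t, c in zip(target, cap)]
    shortfall = total_force_n - sum(assigned)
    headroom = [c - a for c, a in zip(cap, assigned)]
    spare = sum(headroom)
    if shortfall > 1e-9 and spare > 0.0:
        extra = min(shortfall, spare)
        assigned = [a + extra * h / spare for a, h in zip(assigned, headroom)]
        shortfall -= extra
    ed = [min(a, b.ed_available_n) for a, b in zip(assigned, bogies)]
    friction = [a - e for a, e in zip(assigned, ed)]
    # a remaining shortfall is a degraded condition to be indicated via SB9, never silently dropped
    return {"ed_n": ed, "friction_n": friction, "cap_n": cap, "shortfall_n": max(0.0, shortfall)}


def demo(step: int) -> Dict[str, object]:
    """Constructed consist: two motor bogies, one trailer bogie, one trailer bogie with friction isolated."""
    consist = [Bogie(200_000.0, 20_000.0, 40_000.0),
               Bogie(200_000.0, 20_000.0, 40_000.0),
               Bogie(200_000.0, 0.0, 40_000.0),
               Bogie(200_000.0, 0.0, 0.0)]          # isolated bogie, to be compensated by the others
    mass_kg = sum(b.load_n for b in consist) / G     # SB3: train load from the local loads
    # one second after a release state at 100 km/h the jerk limit does not yet bite
    decel = limit_jerk(0.0, requested_deceleration(step), dt_s=1.0, speed_kmh=100.0)
    force = train_brake_force(decel, mass_kg, rolling_resistance_n=2_000.0)
    out = blend(force, consist, adhesion=0.35)       # assumed dry-rail adhesion coefficient
    out["requested_n"] = force
    return out
```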

3.4.5.2.6 SB6 Service brake force application energy storing
This sub-function is in charge of supplying the energy needed by the different types of brakes used to generate the train service brake force.

a. Actors involved:
- Electrical Energy Supply
- Air generation and distribution
b. Linked Sub-functions
- SB5 Blending
- SB7 Holding brake
- SB9 Service brake state and fault detection and indication
- SB10 Service brake isolation
c. TSI Functional requirements
FR.29 The brake system shall be inexhaustible: there shall be sufficient braking energy available on board the train (stored energy), distributed along the train consistent with the design of the brake system, to ensure the application of the required brake forces. Successive application and release of the brake shall be considered (TSI §4.2.4.2.1 (9)-(10)).
FR.30 The brake system shall ensure the train’s speed can be reduced or maintained on a slope or that the train can be stopped within the maximum allowable braking distance. Braking also ensures the immobilisation of a train (TSI §4.2.4.1 (1)).
FR.31 In the event of the braking energy supply being disrupted or the power supply failing, it shall be possible to hold in a stationary position a unit with maximum braking load (as defined in clause 4.2.4.5.2) on a 40 ‰ gradient by using the friction brake of the main brake system alone, for at least two hours (TSI §4.2.4.2.1 (12)).
FR.32 It shall be possible, following a failure during operation, to rescue a train with no energy available on board by a recovery power unit equipped with a pneumatic brake system compatible with the UIC brake system (brake pipe as braking control command line) (TSI §4.2.4.10 (2)).
FR.33 During the rescue, it shall be possible to have a part of the brake system of the rescued train controlled by means of an interface device; in order to meet this requirement, it is allowed to rely on low voltage provided by a battery to supply control circuits on the rescued train (TSI §4.2.4.10 (3)).
FR.34 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.2.7 SB7 Holding brake
This sub-function is in charge of applying a brake force when the train is at standstill. It is automatically applied when the train stops and automatically released when the driver applies traction power to move the train. The release of the holding brake shall be performed in a controlled way to avoid train roll-back due to the rail slope. The friction brake is normally used for this function thanks to its capacity to maintain the brake force for a long time without an energy supply available. This function can be at train level (in which case the command is an input for the SB1 sub-function) or at local level (using sub-function SB5.4.1 Local friction brake force generation to apply the force).

a. Actors involved:
- Wheelset
- Track
b. Linked Sub-functions
- SB1 Service brake train retardation request
- SB2 Service brake request transmission
- SB3 Train Load Calculation
- SB5 Blending
- SB6 Service brake force application energy storing
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.35 The brake system shall be inexhaustible: there shall be sufficient braking energy available on board the train (stored energy), distributed along the train consistent with the design of the brake system, to ensure the application of the required brake forces. Successive application and release of the brake shall be considered (TSI §4.2.4.2.1 (9)-(10)).
FR.36 The brake system shall ensure the temporary immobilisation of a train for at least 2 hours without braking energy supply available – holding brake (TSI §4.2.4.2.1). The brake system shall ensure the train’s speed can be reduced or maintained on a slope or that the train can be stopped within the maximum allowable braking distance. Braking also ensures the immobilisation of a train (TSI §4.2.4.1 (1)).
FR.37 In the event of the braking energy supply being disrupted or the power supply failing, it shall be possible to hold in a stationary position a unit with maximum braking load (as defined in clause 4.2.4.5.2) on a 40 ‰ gradient by using the friction brake of the main brake system alone, for at least two hours (TSI §4.2.4.2.1 (12)).

3.4.5.2.8 SB8 Traction cut off
This sub-function is in charge of requesting the traction cut-off from the traction system, to inhibit the application of traction torque when a brake application is required by SB1 Service brake train retardation request.

a. Actors involved:
- Traction System
b. Linked Sub-functions
- SB1 Service brake train retardation request
- SB9 Service brake state and fault detection and indication
c. TSI Functional requirements
FR.38 When the speed of the train is higher than 15 km/h, the service brake activation by the driver shall lead automatically to the cut-off of all tractive effort; this cut-off shall not be reset until the traction cut-off command is cancelled by the driver (TSI §4.2.4.4.2 (4)).
FR.39 When the speed of the train is higher than 15 km/h, the service brake activation by automatic speed regulation shall lead automatically to the cut-off of all tractive effort (TSI §4.2.4.4.2 (4)).
FR.40 The brake system shall ensure the train’s speed can be reduced or maintained on a slope (TSI §4.2.4.1 (1)).
FR.41 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.
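As an added example of the SB8 logic (not code from the deliverable or from any project partner), the following Python keeps the one piece of state that FR.38 requires: a driver-initiated service brake above 15 km/h latches the traction cut-off until the driver cancels it, whereas an automatic speed regulation request (FR.39) cuts traction only while it is present, and any active brake request inhibits traction torque. The class name, the control-cycle interface and the scenario are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class TractionCutOff:
    """Hypothetical SB8 state machine, evaluated once per control cycle."""
    CUTOFF_SPEED_KMH = 15.0          # FR.38 / FR.39 threshold (TSI 4.2.4.4.2 (4))
    latched: bool = False            # driver cut-off held until the driver cancels it

    def update(self, speed_kmh: float, driver_brake: bool,
               auto_brake: bool, driver_cancel: bool = False) -> bool:
        """Return True when tractive effort must be cut off in this cycle."""
        above = speed_kmh > self.CUTOFF_SPEED_KMH
        if above and driver_brake:
            self.latched = True                  # FR.38: latch on driver service brake
        elif driver_cancel and not driver_brake:
            self.latched = False                 # reset only by an explicit driver cancel, brake released
        automatic = above and auto_brake         # FR.39: follows the ATO/ETCS request, no latch
        # SB8: any active service brake request inhibits traction torque
        return self.latched or automatic or driver_brake or auto_brake


def run_scenario() -> List[bool]:
    """Constructed cycles (speed_kmh, driver_brake, auto_brake, driver_cancel)."""
    cycles = [
        (100.0, True,  False, False),   # driver brakes at speed: cut off and latched
        (90.0,  False, False, False),   # brake released: still cut off (latch)
        (85.0,  False, False, True),    # driver cancels: traction available again
        (80.0,  False, True,  False),   # ATO brakes: cut off
        (70.0,  False, False, False),   # ATO request gone: no latch, traction available
        (10.0,  True,  False, False),   # driver brakes below 15 km/h: cut off while braking
        (8.0,   False, False, False),   # ... but nothing latched
    ]
    sm = TractionCutOff()
    return [sm.update(*c) for c in cycles]
```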

3.4.5.2.9 SB9 Service brake state and fault detection and indication
This sub-function is in charge of detecting the service brake status and diagnostic information and of showing them to the Driver and/or sending them to the Diagnostic System and/or to other sub-functions for the management of degraded conditions.

a. Actors involved:
- Driver
- Diagnostic System
b. Linked Sub-functions
- All SB sub-functions. SB1, SB4, SB5 and SB7 can use the output for managing their degraded functionality.
c. TSI Functional requirements
FR.42 The design of the brake system shall include means for monitoring and tests as specified in clause 4.2.4.9 of this TSI (TSI §4.2.4.1 (7)).
FR.43 It shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the main (emergency and service) and parking brake systems, and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated independently (TSI §4.2.4.9 (1)).
FR.44 When at a standstill, train staff shall be able to check from inside and/or outside of the train (TSI §4.2.4.9 (4)):
— the continuity of the train brake control command line,
— the availability of the braking energy supplies along the train,
— the status of the main brake and parking brake systems and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated separately, except for the dynamic brake and braking system linked to traction systems.
FR.45 When running, the driver shall be able to check from the driving position in the cab (TSI §4.2.4.9 (5)):
— the status of the train brake control command line,
— the status of the train brake energy supply,
— the status of the dynamic brake and braking system linked to traction system where they are included in the performance of the emergency braking in normal mode,
— the status applied or released of at least one part (actuator) of the main brake system which is controlled independently (e.g. a part which is installed on the vehicle fitted with an active cab).
FR.46 The function providing the information described above to the train staff is a function essential to safety, as it is used by the train staff to evaluate the braking performance of the train. Where local information is provided by indicators, the use of harmonised indicators ensures the required safety level. Where a centralised control system allowing the train staff to perform all checks from one location (i.e. inside the driver cab) is provided, it shall be subject to a reliability study, considering the failure mode of components, redundancies, periodic checks and other provisions; based on this study, operating conditions of the centralised control system shall be defined and provided in the operating documentation (TSI §4.2.4.9 (6)).
FR.47 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes;
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.2.10 SB10 Service brake isolation
This sub-function is in charge of isolating the faulty parts of the brake system to permit the continuation of service or the rescue of the faulty Train Consist. Typically it is needed when a fault condition leads to a permanent brake application, with the consequent impossibility of moving the train. The isolation is normally performed by the Driver or the Train Guard; the isolation status shall be provided by the SB9 sub-function to the driver and to the Diagnostic System, and to the SB4 Train Brake Force Calculation, SB5 Blending and SB7 Holding brake sub-functions.

a. Actors involved:
- Driver
- Diagnostic System
b. Linked Sub-functions
- SB9 Service brake state and fault detection and indication
- SB4 Train Brake Force Calculation
- SB5 Blending
- SB7 Holding brake
c. TSI Functional requirements
FR.48 All brakes (emergency, service, parking) shall be fitted with devices allowing their release and isolation. These devices shall be accessible and functional whether the train or vehicle is powered, non-powered or immobilised without any available energy on board (TSI §4.2.4.10 (1)).
FR.49 It shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the main (emergency and service) and parking brake systems, and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated independently (TSI §4.2.4.9 (1)).


3.4.5.3 EB - Emergency brake sub-functions

3.4.5.3.1 EB1 Emergency brake command generation

This sub-function transforms the Emergency brake request coming from the Driver or from an on-board Technical System into a train emergency request (apply or release). The Use Case diagram SF Emergency Brake shows the interacting actors.

a. Actors involved:
- Driver
- Technical System (ATP, ETCS, TCMS, Vigilance, ...)
- Passenger Alarm System

b. Linked sub-functions:
- EB3 Emergency brake command transmission
- EB7 Emergency brake state and fault detection and indication

c. TSI Functional requirements
FR.50 The emergency braking command function of a train shall have at least two independent emergency brake command devices allowing the activation of the emergency brake by a simple and single action from the driver in his normal driving position, using one hand. (TSI §4.2.4.4.1 (2))
FR.51 The emergency braking command function of a train shall have at least a red punch button (mushroom push button). (TSI § 4.2.4.4.1 (2))
FR.52 The emergency braking command function of a train shall be self-locking by a mechanical device; unlocking this position shall be possible only by an intentional action. (TSI § 4.2.4.4.1 (2))
FR.53 The activation of the emergency brake shall also be possible by the Control-Command and signalling on-board system, as defined in the TSI CCS. (TSI § 4.2.4.4.1 (3))
FR.54 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.


3.4.5.3.2 EB2 Actual Emergency Braking Power Calculation

This sub-function takes into account the actual availability of all friction brake, dynamic brake and adhesion-independent brake subsystems to calculate automatically the Emergency Braking Power of the train. This actual Emergency Braking Power is indicated to the driver on the driver's display and can be transmitted to technical systems such as ATO or ETCS.

a. Actors involved:
- Driver
- Technical System

b. Linked sub-functions:
- EB7 Emergency brake state and fault detection and indication
- EB8 Emergency brake isolation

c. TSI Functional requirements
FR.55 The primary factors that influence the braking performance are the braking power (braking force production), the train mass, the train rolling resistance, the speed, the available adhesion. (TSI §4.2.4.1 (2))
FR.56 The minimum train braking performance required to operate a train on a line at an intended speed is dependent on the line characteristics (signalling system, maximum speed, gradients, line safety margin) and is a characteristic of the infrastructure (TSI §4.2.4.1 (5))
FR.57 Information available to train staff shall allow the identification of degraded conditions concerning the rolling stock (brake performance lower than the performance required), for which specific operating rules apply. (TSI §4.2.4.9 (1))

3.4.5.3.3 EB3 Emergency brake command transmission

This sub-function transmits the Emergency brake request received from EB1 Emergency brake command generation to all local brake subsystems for the generation of the local emergency brake force by friction, dynamic and adhesion-independent brakes. It operates through the train brake control command line and acts simultaneously on all vehicles composing the train. The continuity of the train brake control command line has to be checked during the brake test. When the train is running, the driver shall be able to check the status of the train brake control command line.

a. Actors involved:
- None

b. Linked sub-functions:
- EB1 Emergency brake command generation
- EB4 Emergency Local brake force generation
- EB7 Emergency brake state and fault detection and indication

c. TSI Functional requirements


FR.58 The emergency braking function of a train shall be continuous: the brake application signal is transmitted from a central command to the whole train by a control line. (TSI § 4.2.4.2.1 (3))
FR.59 When at a standstill, train staff shall be able to check from inside and/or outside of the train the continuity of the train brake control command line. (TSI § 4.2.4.9 (4))
FR.60 When the train is running, the driver shall be able to check from the driving position in the cab the status of the train brake control command line. (TSI § 4.2.4.9 (5))
FR.61 Unless the command is cancelled, the emergency brake activation shall lead permanently, automatically to the following actions (TSI § 4.2.4.4.1 (4)):
- the transmission of an emergency brake command along the train by the brake control line,
- an inhibition of all ‘release brake’ commands or actions.
FR.62 For units assessed in fixed formation(s) or predefined formation(s), the equivalent response time (*) and the delay time (*) evaluated on the total emergency braking force developed in case of the emergency brake command shall be lower than the following values for the equivalent response time:
— 3 seconds for units of maximum design speed higher or equal to 250 km/h
— 5 seconds for other units
and the Delay time: 2 seconds. (TSI § 4.2.4.5.2 (1))
FR.63 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.3.4 EB4 Emergency Local brake force generation

This sub-function shall apply a predefined emergency brake force using the energy from the local energy storage when an emergency brake request is received from sub-function EB3 Emergency brake command transmission, or when there is an unintentional train separation or a loss of energy on board (electrical or pneumatic). The sub-function is responsible for measuring the load and for generating load-compensated and speed-dependent predefined brake forces by the friction, electro-dynamic, electro-hydraulic retarder and adhesion-independent braking subsystems, to guarantee the maximum allowed brake distances based on the train brake performance. The load compensation is not mandatory, but it is convenient for trains with high load variation in order to meet good performance and adhesion constraints at the same time. The local emergency brake force application shall fulfil the inexhaustibility requirements (the emergency brake can be released and the train can move again only if the brake system is able to apply the predefined brake forces again).


a. Actors involved:
- None

b. Linked sub-functions:
- EB3 Emergency brake command transmission
- EB5 Emergency brake energy storing
- EB7 Emergency brake state and fault detection and indication
- EB8 Emergency brake isolation

c. TSI Functional requirements
FR.64 The purpose of the train braking system is to ensure that the train's speed can be reduced or maintained on a slope, or that the train can be stopped within the maximum allowable braking distance. Braking also ensures the immobilisation of a train. (TSI §4.2.4.1 (1))
FR.65 The primary factors that influence the braking performance are the braking power (braking force production), the train mass, the train rolling resistance, the speed, the available adhesion (TSI §4.2.4.1 (2))
FR.66 The braking performance could vary with the mass of the train or vehicle. (TSI §4.2.4.1 (4))
FR.67 An inadvertent disruption (loss of integrity, line de-energised, etc.) of the control line leads to brake activation on all vehicles of the train – automaticity (TSI §4.2.4.2.1 (4))
FR.68 The braking performance shall be consistent with safety requirements expressed in clause 4.2.4.2.2 in case of inadvertent disruption of the brake control line, and in the event of the braking energy supply being disrupted, the power supply failing or other energy source failure. (TSI §4.2.4.2.1 (8))
FR.69 There shall be sufficient braking energy available on board the train (stored energy), distributed along the train consistent with the design of the brake system, to ensure the application of the required brake forces. (TSI §4.2.4.2.1 (9))
FR.70 Successive applications and releases of the brake shall be considered in the design of the braking system (inexhaustibility). (TSI §4.2.4.2.1 (10))
FR.71 The unit braking control system shall have three control modes:
— emergency braking: application of a predefined brake force in a predefined maximum response time in order to stop the train with a defined level of brake performance. (TSI §4.2.4.2.1 (13))
FR.72 For units assessed in fixed formation(s) or predefined formation(s), the equivalent response time (*) and the delay time (*) evaluated on the total emergency braking force developed in case of the emergency brake command shall be lower than the following values for the equivalent response time:
— 3 seconds for units of maximum design speed higher or equal to 250 km/h
— 5 seconds for other units
and the Delay time: 2 seconds. (TSI § 4.2.4.5.2 (1))
FR.73 The braking system of a unit shall be designed so that emergency brake performance (dynamic brake included if it contributes to the performance) and the service brake performance (without dynamic brake) do not assume a calculated wheel/rail adhesion for each wheelset in the speed range > 30 km/h and < 250 km/h higher than 0,15 with the following exceptions:
— for units assessed in fixed or predefined formation(s) having 7 axles or less, the calculated wheel/rail adhesion shall not be higher than 0,13,
— for units assessed in fixed or predefined formation(s) having 20 axles or more the calculated wheel/rail adhesion for the load case ‘minimum load’ is permitted to be higher than 0,15, but shall not be higher than 0,17. Note: for the load case ‘normal load’, there is no exception; the limit value of 0,15 applies. This minimum number of axles may be reduced to 16 axles if the test required in Section 4.2.4.6.2 related to the efficiency of the WSP system is performed for the load case ‘minimum load’, and provides a positive result.
In the speed range > 250 km/h and <= 350 km/h, the three limit values above shall decline linearly in order to be reduced by 0,05 at 350 km/h. (TSI §4.2.4.6.1 (1))
FR.74 Where the braking performance of the dynamic brake or of a braking system linked to the traction system is included in the performance of the emergency braking in normal mode defined in clause 4.2.4.5.2, the dynamic brake or the braking system linked to traction:
(1) Shall be commanded by the main brake system control line (or by its disruption).
(2) Shall be subject to a safety analysis covering the hazard ‘after activation of an emergency command, complete loss of the dynamic brake force’. This safety analysis shall be considered in the safety analysis required by the safety requirement N° 3 set out in clause 4.2.4.2.2 for the emergency brake function. For electric units, in case the presence on-board the unit of the voltage delivered by the external power supply is a condition for the dynamic brake application, the safety analysis shall cover failures leading to absence on-board the unit of that voltage.
In case the hazard above is not controlled at the level of the rolling stock (failure of the external power supply system), the braking performance of the dynamic brake or of the braking system linked to the traction system shall not be included in the performance of the emergency braking in normal mode defined in clause 4.2.4.5.2. (TSI §4.2.4.7)
FR.75 It is permissible to include the contribution of brakes independent of wheel/rail adhesion in the braking performance in normal mode defined in clause 4.2.4.5 for the emergency brake. (TSI §4.2.4.8.1 (2))
FR.76 The brake system independent of adhesion condition shall be commanded by the emergency brake request line (or by its disruption). (TSI §4.2.4.8.1 (3))
FR.77 The brake system independent of adhesion condition shall be subject of a safety analysis covering the hazard ‘after activation of an emergency command, complete loss of the brake force independent of the wheel/rail adhesion’. This safety analysis shall be considered in the safety analysis required by the safety requirement No 3 set out in clause 4.2.4.2.2 for the emergency brake function. (TSI §4.2.4.8.1 (4))
FR.78 Requirements on magnetic brakes specified by the CCS subsystem are referenced in clause 4.2.3.3.1 of this TSI. (TSI §4.2.4.8.2 (1))

FR.79 A magnetic track brake is allowed to be used as an emergency brake, as mentioned in the TSI INF, clause 4.2.6.2.2. (TSI §4.2.4.8.2 (2))
FR.80 The geometrical characteristics of the end elements of the magnet in contact with the rail shall be as specified for one of the types described in the specification referenced in Appendix J-1, index 31. (TSI §4.2.4.8.2 (3))
FR.81 Magnetic track brake shall not be used at speed higher than 280 km/h. (TSI §4.2.4.8.2 (4))
FR.82 The values of maximum longitudinal braking force applied to the track by the eddy current track brake specified in clause 4.2.4.5 of the TSI HS RST 2008 and used at speed ≥ 50 km/h are deemed to be compatible with HS lines (TSI §4.2.4.8.3 (4))
FR.83 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.
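The adhesion limit of FR.73 carried through as a function, added here as an illustration and not part of the report or its project: it returns the TSI upper bound on calculated wheel/rail adhesion for a given speed, axle count and load case, including the 7-axle and 20/16-axle exceptions and the linear decline above 250 km/h, and checks a constructed brake-design profile against it. Function names and the sample profile are assumptions of the example.

```python
"""Added example: the calculated-adhesion limit of TSI §4.2.4.6.1 (1) (FR.73).

Illustrative code, not the report's own. It assumes a unit assessed in fixed or
predefined formation, which is the case the axle-count exceptions apply to.
"""
from typing import List, Optional, Tuple


def max_calculated_adhesion(speed_kmh: float, axles: int, load_case: str = "normal",
                            wsp_min_load_test_passed: bool = False) -> Optional[float]:
    """Upper bound on the calculated wheel/rail adhesion per wheelset at a given speed.

    Returns None outside the speed band the clause covers (30 km/h < v <= 350 km/h);
    the caller must not read that as "no limit".
    """
    if load_case not in ("normal", "minimum"):
        raise ValueError("load_case must be 'normal' or 'minimum'")
    if speed_kmh <= 30.0 or speed_kmh > 350.0:
        return None

    # Base limit of 0,15 and the two axle-count exceptions.
    limit = 0.15
    if axles <= 7:
        limit = 0.13
    else:
        # 20 axles or more, reduced to 16 if the WSP test of §4.2.4.6.2 was
        # performed for 'minimum load' with a positive result. The exception
        # applies to the 'minimum load' case only; 'normal load' stays at 0,15.
        min_axles = 16 if wsp_min_load_test_passed else 20
        if axles >= min_axles and load_case == "minimum":
            limit = 0.17

    # Above 250 km/h all three limits decline linearly, by 0,05 at 350 km/h.
    if speed_kmh > 250.0:
        limit -= 0.05 * (speed_kmh - 250.0) / 100.0
    return round(limit, 4)


def adhesion_violations(profile: List[Tuple[float, float]], axles: int,
                        load_case: str = "normal",
                        wsp_min_load_test_passed: bool = False
                        ) -> List[Tuple[float, float, float]]:
    """Check a design's calculated adhesion profile [(speed_kmh, adhesion), ...].

    Returns (speed, adhesion, limit) for every point that exceeds the TSI limit.
    Points outside the covered speed band are skipped.
    """
    violations = []
    for speed, adhesion in profile:
        limit = max_calculated_adhesion(speed, axles, load_case, wsp_min_load_test_passed)
        if limit is not None and adhesion > limit + 1e-9:
            violations.append((speed, adhesion, limit))
    return violations


if __name__ == "__main__":
    # Constructed sample: emergency brake design of a 12-axle unit at normal load.
    sample_profile = [(80.0, 0.14), (200.0, 0.16), (300.0, 0.12)]
    for point in adhesion_violations(sample_profile, axles=12):
        print("adhesion %.3f at %.0f km/h exceeds limit %.3f" % (point[1], point[0], point[2]))
```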

3.4.5.3.5 EB5 Emergency brake energy storing

This sub-function is responsible for supplying the energy needed by the different types of brakes used to generate the train emergency brake force.

a. Actors involved:
- Electrical energy supply
- Air generation and distribution

b. Linked sub-functions:
- EB4 Emergency Local brake force generation
- EB7 Emergency brake state and fault detection and indication
- EB8 Emergency brake isolation

c. TSI Functional requirements
FR.84 There shall be sufficient braking energy available on board the train (stored energy), distributed along the train consistent with the design of the brake system, to ensure the application of the required brake forces. (TSI §4.2.4.2.1 (9))
FR.85 Successive applications and releases of the brake shall be considered in the design of the braking system (inexhaustibility). (TSI §4.2.4.2.1 (10))
FR.86 In the event of the braking energy supply being disrupted or the power supply failing, it shall be possible to hold in a stationary position a unit with maximum braking load (as defined in clause 4.2.4.5.2) on a 40 ‰ gradient by using the friction brake of the main (Emergency) brake system alone, for at least two hours. (TSI § 4.2.4.2.1 (12))


3.4.5.3.6 EB6 Traction cut off

In case of emergency brake activation, this sub-function shall provide a Traction Cut Off signal to the traction system.

a. Actors involved:
- Traction System

b. Linked sub-functions:
- EB1 Emergency brake command generation

c. TSI Functional requirements
FR.87 Unless the command is cancelled, the emergency brake activation shall lead permanently, automatically to the following actions: transmission of an emergency brake command along the train by the brake control line; cut-off of all tractive effort in less than 2 seconds; this cut-off shall not be able to be reset until the traction command is cancelled by the driver. (TSI § 4.2.4.4.1 (4))
FR.88 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.
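The latching behaviour that FR.61, FR.67 and FR.87 require of the EB1, EB3 and EB6 chain, as an added example written for this report and not project code: any single request applies the brake and cuts traction, loss of the control line behaves like a request, release is refused while any demand persists or the local storage could not re-apply the predefined force (the EB4 inexhaustibility condition), and the traction cut-off clears only when the driver cancels the traction command. Class and attribute names, and the "True = energised = no demand" encoding of the control line, are assumptions of the example.

```python
"""Added example: fail-safe latching of the emergency brake command path (EB1/EB3/EB6).

Illustrative model, not the report's design. It covers FR.61 (release inhibited
while an EB command is active), FR.67 (loss of the control line applies the
brake), FR.87 (traction cut-off latched until the driver cancels the traction
command) and the EB4 inexhaustibility condition on release.
"""
from dataclasses import dataclass, field


@dataclass
class EmergencyBrakeController:
    # EB1: sources currently demanding emergency braking (driver, ATP, ETCS,
    # passenger alarm ...). Any single one is sufficient.
    active_requests: set = field(default_factory=set)
    # EB3: train-wide brake control line. Energised means "no emergency demand",
    # so a broken or de-energised line reads as a demand (FR.67, assumed encoding).
    control_line_energised: bool = True
    # EB4/EB5: local storage able to apply the predefined force again (inexhaustibility).
    brake_energy_ok: bool = True
    # EB6: latched traction cut-off and the driver's current traction command.
    traction_cut_off: bool = False
    traction_commanded: bool = False
    # Resulting state of the emergency brake.
    applied: bool = False

    def emergency_demand(self) -> bool:
        """A demand exists while any source requests braking or the line is lost."""
        return bool(self.active_requests) or not self.control_line_energised

    def request(self, source: str) -> None:
        """EB1: a single action from any source applies the brake and cuts traction."""
        self.active_requests.add(source)
        self._apply()

    def cancel(self, source: str) -> None:
        """Cancelling a request does not release the brake by itself (FR.61):
        release stays a separate, gated action."""
        self.active_requests.discard(source)

    def set_control_line(self, energised: bool) -> None:
        """EB3: an inadvertent disruption of the control line acts like a command (FR.67)."""
        self.control_line_energised = energised
        if not energised:
            self._apply()

    def set_traction_command(self, commanded: bool) -> None:
        """Driver traction command. Cancelling it is the only way to clear the
        cut-off latch (FR.87); re-commanding while the brake is applied re-latches."""
        self.traction_commanded = commanded
        if not commanded:
            self.traction_cut_off = False
        elif self.applied:
            self.traction_cut_off = True

    def traction_allowed(self) -> bool:
        return self.traction_commanded and not self.traction_cut_off and not self.applied

    def request_release(self) -> bool:
        """Release is inhibited while any demand persists (FR.61) or while the
        brake could not be applied again afterwards (EB4 inexhaustibility)."""
        if self.emergency_demand() or not self.brake_energy_ok:
            return False
        self.applied = False
        return True

    def _apply(self) -> None:
        self.applied = True
        self.traction_cut_off = True  # FR.87: cut all tractive effort
```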

3.4.5.3.7 EB7 Emergency brake state and fault detection and indication

This sub-function is responsible for detecting the emergency brake status and diagnostic information, and for showing them to the Driver and/or sending them to the Diagnostic System and/or to other sub-functions for the management of degraded conditions.

a. Actors involved:
- Driver
- Diagnostic System

b. Linked sub-functions:
- All sub-functions; EB2 and EB4 could use the information to manage the degraded condition

c. TSI Functional requirements
FR.89 Information available to train staff shall allow the identification of degraded conditions of the Emergency brake systems concerning the rolling stock (brake performance lower than the performance required) (TSI § 4.2.4.9 (1))
FR.90 It shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the emergency systems. (TSI § 4.2.4.9 (1))
FR.91 When at a standstill, train staff shall be able to check from inside and/or outside of the train (TSI § 4.2.4.9 (4)):
- The continuity of the train brake control command line,
- The availability of the braking energy supplies along the train,
- The status of the Emergency brake systems and the status of each part (including one or several actuators) that can be controlled and/or isolated separately, except for the dynamic brake and braking systems linked to traction systems.
FR.92 When the train is running, the driver shall be able to check from the driving position in the cab (TSI § 4.2.4.9 (5)):
- The status of the train brake control command line,
- The status of the train brake energy supply,
- The status of the dynamic brake and braking system linked to the traction system where they are included in the performance of the emergency braking in normal mode,
- The status applied or released of at least one part (actuator) of the main brake system which is controlled independently (e.g. a part which is installed on the vehicle fitted with an active cab).
FR.93 The function providing the information described above to the train staff is a function essential to safety, as it is used for the train staff to evaluate the braking performance of the train. Where local information is provided by indicators, the use of harmonised indicators ensures the required safety level. Where a centralised control system allowing the train staff to perform all checks from one location (i.e. inside the driver’s cab) is provided, it shall be subject to a reliability study, considering the failure mode of components, redundancies, periodic checks and other provisions; based on this study, operating conditions of the centralised control system shall be defined and provided in the operating documentation described in clause 4.2.12.4. (TSI § 4.2.4.9 (6))
FR.94 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.


3.4.5.3.8 EB8 Emergency brake isolation

This sub-function shall allow the devices of the Emergency brake system to be isolated in case of faults, and shall transmit the isolation status to sub-function EB7 Emergency brake state and fault detection and indication.

a. Actors involved:
- Driver

b. Linked sub-functions:
- EB7 Emergency brake state and fault detection and indication

c. TSI Functional requirements
FR.95 All brakes (emergency, service, parking) shall be fitted with devices allowing their release and isolation. These devices shall be accessible and functional whether the train or vehicle is: powered, non-powered or immobilised without any available energy on board. (TSI § 4.2.4.10 (1))


3.4.5.4 PB - Parking brake sub-functions

3.4.5.4.1 PB1 Parking brake command generation

This sub-function generates the apply and release signals addressed to the PB2 Parking brake train command transmission sub-function when an input is received from the driver or from technical systems. Normally the parking brake apply signal shall be inhibited when the speed is > 0 km/h (unless defined differently by the customer) to avoid undue parking brake application. For safety reasons, the release of the parking brake at standstill is possible only from the enabled cab.

a. Actors involved
- Driver
- Technical systems (TCMS)

b. Linked sub-functions
- PB2 Parking brake train command transmission
- PB6 Parking brake state and fault detection and indication

c. TSI Functional requirements
FR.96 The parking braking command shall lead to the application of a defined brake force for an unlimited period of time (TSI §4.2.4.4.5 (2))
FR.97 It shall be possible to release the parking brake at standstill, including for rescue purposes (TSI §4.2.4.4.5 (3)).
FR.98 The parking brake command shall be activated automatically when the unit is switched off (predefined formation trains). For other trains, the parking brake command shall be either activated manually, or activated automatically when the unit is switched off (TSI §4.2.4.4.5 (4)).
FR.99 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.


3.4.5.4.2 PB2 Parking brake train command transmission

This sub-function is responsible for transmitting the parking brake application or release command to all PB3 Parking brake local force generation sub-functions.

a. Actors involved
- None or TCMS

b. Linked sub-functions
- PB1 Parking brake command generation
- PB3 Parking brake local force generation
- PB6 Parking brake state and fault detection and indication

c. TSI Functional requirements
FR.100 The parking braking command shall lead to the application of a defined brake force for an unlimited period of time, during which a lack of any energy on board may occur (TSI §4.2.4.4.5 (2))
FR.101 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.4.3 PB3 Parking brake local force generation

This sub-function uses the apply and release command received from the PB2 sub-function, or from a dedicated manual interface device, to apply and release a parking brake force at the track.

a. Actors involved
- Maintenance staff

b. Linked sub-functions
- PB2 Parking brake train command transmission
- PB4 Parking brake energy storing
- PB5 Anti-compound
- PB6 Parking brake state and fault detection and indication
- PB7 Monitoring Parking brake applied at speed detection and speed reduction request
- PB8 Parking brake manual release
- PB9 Parking brake isolation

c. TSI Functional requirements
FR.102 Parking brake force shall not assume wheel/rail adhesion higher than 0,12 (TSI §4.2.4.6.1 (3)).


FR.103 The parking braking command shall lead to the application of a defined brake force for an unlimited period of time, during which a lack of any energy on board may occur (TSI §4.2.4.4.5 (2))
FR.104 It shall be possible to release the parking brake at standstill, including for rescue purposes (TSI §4.2.4.4.5 (3)).
FR.105 The application of parking brake force may depend on the status of application of service/emergency brake force (TSI §4.2.4.4.5 (Note)).
FR.106 A unit (train or vehicle) in load condition ‘design mass in working order’ without any power supply available, and stationary permanently on a 40 ‰ gradient, shall be kept immobilised (TSI §4.2.4.5.5 (1))
FR.107 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.

3.4.5.4.4 PB4 Parking brake energy storing

This sub-function shall guarantee the availability of the energy needed to apply the parking brake force, so that the force remains available for an unlimited period of time and without energy available on board (pneumatic or electric). This function is what makes the parking brake function inexhaustible.

a. Actors involved
- None

b. Linked sub-functions
- PB3 Parking brake local force generation
- PB6 Parking brake state and fault detection and indication
- PB8 Parking brake manual release
- PB9 Parking brake isolation

c. TSI Functional requirements
FR.108 The parking braking command shall lead to the application of a defined brake force for an unlimited period of time, during which a lack of any energy on board may occur (TSI §4.2.4.4.5 (2))
FR.109 It shall be possible to release the parking brake at standstill, including for rescue purposes (TSI §4.2.4.4.5 (3)).


3.4.5.4.5 PB5 Anti-compound

This sub-function shall guarantee that, in case of simultaneous application of parking brake and service/emergency friction brake forces by the same device, the device itself is not damaged.

a. Actors involved
- None

b. Linked sub-functions
- PB3 Parking brake local force generation
- SB5 Blending

c. TSI Functional requirements
FR.110 The application of parking brake force may depend on the status of application of service/emergency brake force (TSI §4.2.4.4.5 (Note)).

3.4.5.4.6 PB6 Parking brake state and fault detection and indication

This sub-function shall monitor the applied/released status of the parking brake both at train level and at local level, providing the related indication to the driver (in the driver’s cab) and to maintenance staff (in the driver’s cab and/or on the side of the vehicles, and through diagnostic information). It shall also monitor the correct functioning of the sub-functions that make up the parking brake system function.

a. Actors involved
- None

b. Linked sub-functions
- PB1 Parking brake command generation
- PB2 Parking brake train command transmission
- PB3 Parking brake local force generation
- PB4 Parking brake energy storing
- PB8 Parking brake manual release
- PB9 Parking brake isolation

c. TSI Functional requirements
FR.111 It shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the main (emergency and service) and parking brake systems, and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated independently (TSI §4.2.4.9 (1))
FR.112 When at a standstill, train staff shall be able to check from inside and/or outside of the train (TSI §4.2.4.9 (4)):
— The continuity of the train brake control command line,
— The availability of the braking energy supplies along the train,
— The status of the main brake and parking brake systems and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated separately, except for the dynamic brake and braking systems linked to traction systems.

3.4.5.4.7 PB7 Monitoring Parking brake applied at speed detection and speed reduction request

This sub-function shall detect an undue application of the parking brake at speed, shall inform the driver, and shall automatically command a service or emergency brake request when the application occurs at a speed > TBD km/h, to protect the disc from overheating. To preserve running capability, the automatic brake application could be released below a certain speed, but the run cannot continue indefinitely.

a. Actors involved
- Driver, Driver HMI

b. Linked sub-functions
- PB3 Parking brake local force generation
- SB1 Service brake train retardation request
- EB1 Emergency brake command generation

c. TSI Functional requirements
FR.113 The brake system shall be properly dimensioned in terms of energy dissipation (TSI §4.2.4.2.1 (6)).
FR.114 The dissipation of the braking energy shall be considered in the design of the braking system, and shall not cause any damage to the components of the braking system in normal operation conditions. (TSI § 4.2.4.5.4 (3))
FR.115 Running capability compliance shall be demonstrated by application of the specification EN50553, in which the system functions impacted by a ‘type 2’ fire shall be (TSI §4.2.10.4.4):
— braking for rolling stock of fire safety category A: this function shall be assessed for a duration of 4 minutes.
— braking and traction for rolling stock of fire safety category B: these functions shall be assessed for a duration of 15 minutes at a minimum speed of 80 km/h.
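One way the PB7 monitor described above could be realised, as an added illustration and not the report's design: it warns the driver whenever the parking brake is still applied while the train moves, raises a service brake request above a speed threshold with hysteresis so that the train may creep on below a release speed, and holds the request once a cumulative dragging-time budget is used up, so the run cannot continue indefinitely. The thresholds are placeholders, since the report leaves the speed as TBD, and all names are assumptions of the example.

```python
"""Added example: PB7 "parking brake applied at speed" monitor.

Illustrative code, not the report's own. Speed thresholds and the time budget
are placeholder values: the report leaves the trigger speed as TBD.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PB7Output:
    driver_warning: bool          # undue parking brake application detected
    brake_request: Optional[str]  # "service" while an automatic request is raised, else None


class ParkingBrakeAtSpeedMonitor:
    def __init__(self, request_speed_kmh: float = 10.0, release_speed_kmh: float = 5.0,
                 max_dragging_s: float = 60.0):
        # PLACEHOLDER thresholds (assumed): trigger speed, release speed for the
        # hysteresis, and the total time the train may move with the brake dragging.
        self.request_speed_kmh = request_speed_kmh
        self.release_speed_kmh = release_speed_kmh
        self.max_dragging_s = max_dragging_s
        self._last_t: Optional[float] = None
        self.dragging_s = 0.0     # cumulative time moved with the parking brake applied
        self.requesting = False   # current automatic brake request (with hysteresis)
        self.locked = False       # budget exhausted: request held until the brake is released

    def step(self, t_s: float, speed_kmh: float, parking_brake_applied: bool) -> PB7Output:
        """Evaluate one sample of (time, speed, parking brake status) from PB3/PB6."""
        dt = 0.0 if self._last_t is None else max(0.0, t_s - self._last_t)
        self._last_t = t_s

        if not parking_brake_applied:
            # Brake released (normal release via PB3 or manual release via PB8):
            # nothing left to protect, clear all state.
            self.dragging_s = 0.0
            self.requesting = False
            self.locked = False
            return PB7Output(False, None)

        if speed_kmh <= 0.0:
            # Parking brake applied at standstill is the normal case. The dragging
            # budget is kept (the disc does not cool instantly) but nothing is raised.
            return PB7Output(False, None)

        # Moving with the parking brake applied: undue application, warn the driver.
        self.dragging_s += dt
        if self.dragging_s >= self.max_dragging_s:
            self.locked = True

        if self.locked:
            self.requesting = True                      # run may not continue indefinitely
        elif speed_kmh > self.request_speed_kmh:
            self.requesting = True                      # protect the disc from overheating
        elif speed_kmh < self.release_speed_kmh:
            self.requesting = False                     # allow creeping to a safe place
        # between the two thresholds the previous request state is kept (hysteresis)

        return PB7Output(True, "service" if self.requesting else None)
```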

3.4.5.4.8 PB8 Parking brake manual release

This sub-function shall allow a user to release a parking brake manually, releasing the parking brake energy stored by the PB4 Parking brake energy storing sub-function. The manual release is strictly linked to the isolation and anti-compound functions because, to obtain a permanent release (i.e. no re-arming of the parking brake after release), a conventional solution must prevent a re-arming air pressure from reaching the parking brake force application unit.

Note 2: it is also possible to have a centralised command performing this function. It is a possible alternative to the automatic application of the service or emergency brake in case of undue application, because it releases the unduly applied parking brake. Of course, it shall be possible through a command and command line separate from those of the PB1 and PB2 sub-functions, and through a local control separate from the one used for the normal release in the PB3.1 sub-function. Even if present in some applications, it is not considered in this analysis.

a. Actors involved
- Driver
- Train staff
- Maintenance staff

b. Linked sub-functions
- PB3 Parking brake local force generation
- PB4 Parking brake energy storing
- PB5 Anti-compound
- PB6 Parking brake state and fault detection and indication
- PB9 Parking brake isolation

c. TSI Functional requirements
FR.116 It shall be possible to release the parking brake at standstill, including for rescue purposes (TSI §4.2.4.4.5 (3)).
FR.117 All brakes (emergency, service, parking) shall be fitted with devices allowing their release and isolation. These devices shall be accessible and functional whether the train or vehicle is: powered, non-powered or immobilised without any available energy on board (TSI §4.2.4.10 (1))

3.4.5.4.9 PB9 Parking brake isolation

This sub-function shall allow a user to isolate locally the parking brake force application in case of any failure or of maintenance on the brake units. Together with the manual release it allows a permanent release of the parking brake.

a. Actors involved
- Driver
- Maintenance staff

b. Linked sub-functions
- PB3 Parking brake local force generation
- PB6 Parking brake state and fault detection and indication
- PB8 Parking brake manual release

c. TSI Functional requirements
FR.118 All brakes (emergency, service, parking) shall be fitted with devices allowing their release and isolation. These devices shall be accessible and functional whether the train or vehicle is: powered, non-powered or immobilised without any available energy on board (TSI §4.2.4.10 (1)).


3.4.5.5 ABT - Automatic Brake Test sub-functions

The TSI requirements linked to the brake test are practically limited to §4.2.4.9; for this reason they are listed here, and in the following sub-function descriptions only actors and relations will be mentioned.

TSI requirements
FR.119 Individual unit performance for units operated in various train formations is defined so that the overall braking performance of the train can be derived (TSI 4.2.4.1 (3)).
FR.120 Information available to train staff shall allow the identification of degraded conditions concerning the rolling stock (brake performance lower than the performance required), for which specific operating rules apply. To that end, it shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the main (emergency and service) and parking brake systems, and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated independently (TSI 4.2.4.9 (1)).
FR.121 When at a standstill, train staff shall be able to check from inside and/or outside of the train (TSI §4.2.4.9 (4)):
- the continuity of the train brake control command line,
- the availability of the braking energy supplies along the train,
- the status of the emergency brake systems and the status of each part (including one or several actuators) that can be controlled and/or isolated separately, except for the dynamic brake and the braking system linked to traction systems.
FR.122 When the train is running, the driver shall be able to check from the driving position in the cab (TSI §4.2.4.9 (5)):
- the status of the train brake control command line,
- the status of the train brake energy supply,
- the status of the dynamic brake and of the braking system linked to the traction system, where they are included in the performance of the emergency braking in normal mode,
- the status, applied or released, of at least one part (actuator) of the main brake system which is controlled independently (e.g. a part which is installed on the vehicle fitted with an active cab).
FR.123 The function providing the information described above to the train staff is a function essential to safety, as it is used by the train staff to evaluate the braking performance of the train. Where local information is provided by indicators, the use of harmonised indicators ensures the required safety level (TSI 4.2.4.9 (6)).
FR.124 Where a centralised control system allowing the train staff to perform all checks from one location (i.e. inside the driver's cab) is provided, it shall be subject to a reliability study, considering the failure mode of components, redundancies, periodic checks and other provisions; based on this study, operating conditions of the centralised control system shall be defined and provided in the operating documentation described in clause 4.2.12.4 (TSI 4.2.4.9 (6)).


3.4.5.5.1 ABT1 Automatic Brake Test request generation

This sub-function coordinates the initiation and execution of an Automatic Brake Test (ABT). The Automatic Brake Test can be requested by the driver or by an on-board technical system, typically the TCMS. The use case diagram SF Automatic Brake Test above shows the actors interacting with the ABT use cases. The sub-function shall allow the actors to select the type of test to be performed (a full brake test or a single function test) and shall coordinate the progressive execution of all sub-functions, providing the start command, collecting the results and interrupting the test in case of a missing precondition.

Note: the automatic brake test is meaningful only in Normal mode.

a. Actors involved:
- Driver
- Technical System

b. Linked sub-functions
- All sub-functions

3.4.5.5.2 ABT2 Check of preconditions of brake test

This sub-function shall check that all the preconditions to start the selected test are fulfilled, and shall monitor during the test execution that the permanent test conditions remain fulfilled. In case of non-compliance it shall cause the abortion of the test by sub-function ABT1. The typical conditions are:
- the Automatic Brake Test is activated in only one cab of the train;
- train-wide bus communication is available: the train-wide bus communication shall guarantee the data exchange between all local units involved in the Automatic Brake Test;
- the train configuration does not change during the Automatic Brake Test (checked by the Check of Preconditions sub-function);
- train stationary;
- train immobilized;
- no emergency brake;
- initial service brake status: released.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation


3.4.5.5.3 ABT3 Direct brakes and Safety Loop Test

This sub-function, on receiving the start command from sub-function ABT1, shall perform the following tests and provide the test results to sub-functions ABT7 and ABT13:
- test of the continuity of the safety loop initiating emergency braking of the direct brake;
- opening and closing of the safety loop testing contact;
- observation of the safety loop status at all local units;
- status of the emergency brake valves of the direct brake (pre-pressure of direct brake);
- status of the emergency brake valves of the indirect brake (pre-pressure of indirect brake);
- observation of the C-pressure in all cars;
- test of the integrity of the safety loop by checking the direct brake;
- test of the emergency brake valves of the direct brake.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT7 Brake performances calculation
- ABT13 Brake Tests Result Indication

3.4.5.5.4 ABT4 Indirect Brakes and Brake Pipe Test

This sub-function, on receiving the start command from sub-function ABT1, shall perform the following tests and provide the test results to sub-functions ABT7 and ABT13:
- test of tightness of the brake pipe;
- test of continuity of the brake pipe (BP);
- test of the C-pressure at the cylinder;
- test of the emergency brake valves of the indirect brake.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT7 Brake performances calculation
- ABT13 Brake Tests Result Indication


3.4.5.5.5 ABT5 Adhesion independent Brake Systems Test

This sub-function, on receiving the start command from sub-function ABT1, shall test the Magnetic Track Brake and/or the Eddy Current Brake and provide the test results.

The Mg-Brake (MTB) will execute the local tests of the Mg-Brake:
- operating the speed contact of the safety loop,
- monitoring the current value or magnetic flux,
- checking that the Mg-Brakes are in the raised position,
- operating the speed contact of the brake pipe path,
- checking the MTB pressure,
- local diagnostic and availability data of the Mg-Brake.

The test of the Eddy Current Brake will execute the local tests of the Eddy Current Brake:
- managing the electrical energy supply delivered by the Traction Control Unit,
- monitoring the current value or magnetic flux (the Traction Control Unit controls the current),
- checking that the tracks of the Eddy Current Brake are in the raised position,
- local diagnostic and availability data of the Eddy Current Brake,
- controlling the low position of the ECB during service to an air gap between the ECB coils and the track,
- monitoring the communication between BCU and Traction Control Unit.

The test of the Eddy Current Brake is not a fully automated test step: the Automatic Brake Test can only test the charger and the mechanical components of the Eddy Current Brake.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT7 Brake performances calculation
- ABT13 Brake Tests Result Indication

3.4.5.5.6 ABT6 Dynamic Brake Systems Test

This sub-function, on receiving the start command from sub-function ABT1, shall test the electro-dynamic or hydro-dynamic brake system and provide the test results. Today the dynamic brakes cannot be tested completely at standstill; in the future the Traction Control Units will be able to test most of their functions at standstill in order to obtain the status and the availability. The communication between the brake system and the Traction Control Unit of the electro-dynamic (ED) brake should also be testable.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT7 Brake performances calculation
- ABT13 Brake Tests Result Indication


3.4.5.5.7 ABT7 Brake performances calculation

This sub-function, on receiving the start command from sub-function ABT1, shall collect the results of ABT3 Direct brakes and Safety Loop Test, ABT4 Indirect Brakes and Brake Pipe Test, ABT5 Adhesion independent Brake Systems Test and, if foreseen, ABT6 Dynamic Brake Systems Test, in order to calculate the available brake performance of the train. The final calculation of the brake percentage shall be indicated on the display to the driver and to the technical system.

a. Actors involved:
- TCMS for data transmission
- HMI display
- Technical system

b. Linked sub-functions
- ABT3 Direct brakes and Safety Loop Test
- ABT4 Indirect Brakes and Brake Pipe Test
- ABT5 Adhesion independent Brake Systems Test
- ABT6 Dynamic Brake Systems Test
- ABT13 Brake Tests Result Indication

3.4.5.5.8 ABT8 Air Supply Test

This sub-function, on receiving the start command from sub-function ABT1, shall perform the MRP continuity test, including the compressor test, and the test of tightness of the Main Reservoir Pipe (MRP).

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT13 Brake Tests Result Indication

3.4.5.5.9 ABT9 Wheel Slide Protection (WSP) Test

This sub-function, on receiving the start command from sub-function ABT1, shall test the fail-safe function of the WSP equipment and provide the test results. An over-long energising (venting) of the WSP valves is simulated and tested, so that the supervision computer switches off the electrical power to the valves. With pressure transducers in the C-pressure circuit near the WSP valves, the function of the WSP valves and of the WSP control can be tested automatically.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT13 Brake Tests Result Indication

Note: the "Test of Wheel Slide Protection" is not mandated in the "Full Brake Test"; it can be managed separately with a different frequency.

3.4.5.5.10 ABT10 Adhesion Management Function Test (sanding)

This sub-function, on receiving the start command from sub-function ABT1, shall test the adhesion improvement sub-function (sanding) and provide the test results. The test of sanding is not a mandated part of the Automatic Brake Test in all European railways. In the UK and in Ireland (IRL) the sanding test is safety relevant and mandatory; in Ireland the sand quantity is explicitly checked as part of the "Test of Sanding". A functional test of all sand facilities at the start and at the end of service can be operationally prescribed, if the safety requirements of the vehicle make it necessary. The sand quantity is not measured, but it is checked whether the level of the storage vessel is sufficient. Any existing after-blow function is not tested by this test; it will be performed later by the driver. For maintenance and service, an automatic test can perform a blow-out of a certain quantity of sand.

a. Actors involved:
- None, or TCMS for data transmission

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT13 Brake Tests Result Indication

3.4.5.5.11 ABT11 Cab Brake Devices Test

This sub-function, on receiving the start command from sub-function ABT1, shall require the driver, via the monitor, to operate the different brake devices. The driver operates:
- the driver's brake valve, and the BP pressure is checked;
- the master controller for direct brakes, and the applying and releasing of the brakes along the whole train is checked;
- the emergency push button, and the venting of the brake pipe and the opening of the safety loop are checked.
At the end the test results shall be provided.

a. Actors involved:
- Driver
- Cab HMI

b. Sub-functions involved:
- ABT1 Automatic Brake Test request generation
- ABT13 Brake Tests Result Indication

3.4.5.5.12 ABT12 Optional Functions Test

This sub-function, on receiving the start command from sub-function ABT1, shall perform any optional test foreseen in the specific application, for example the passenger alarm test and the emergency brake override test, and provide the test results.

a. Actors involved:
- None

b. Linked sub-functions
- ABT1 Automatic Brake Test request generation
- ABT13 Brake Tests Result Indication

3.4.5.5.13 ABT13 Brake Tests Result Indication

This sub-function, on receiving the start command from sub-function ABT1, shall collect, summarise and evaluate the results of the Automatic Brake Test, including diagnostics (failure/isolation status). The sub-function Brake Tests Result Indication has the following actions and results:
- brake weight percentage;
- calculation of the deceleration profile;
- non-volatile storage of the result;
- supervision of the result against the current brake status;
- time-dependent validity (configurable during SW development).

a. Actors involved:
- Driver
- Cab HMI

b. Sub-functions involved:
- all
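The ABT1/ABT2/ABT13 coordination described in this chapter, as an added example that is not part of this report or of any project code: ABT1 starts the selected steps in order, ABT2 re-checks the preconditions before every step and aborts the test on the first violation (for instance a train configuration change), and ABT13 keeps the summarised result with a time-dependent validity. The TrainState fields, the demonstration step functions and the validity period are assumptions made here for illustration.

```python
"""Coordinator for an Automatic Brake Test (ABT) sequence, written as an added
example for this section of the report; it is not code from the CTA project.
Sub-function names follow the text (ABT1 request generation, ABT2 precondition
check, ABT3..ABT12 test steps, ABT13 result indication). The TrainState fields,
the step functions and the result validity period are assumptions made here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class TrainState:
    """Constructed snapshot of the conditions ABT2 has to verify."""
    active_cabs: int            # ABT shall be activated from exactly one cab
    bus_available: bool         # train-wide bus must reach all local units
    configuration_id: str       # must not change while the test runs
    stationary: bool
    immobilized: bool
    emergency_brake_active: bool
    service_brake_released: bool


def check_preconditions(state: TrainState, initial_config: str) -> List[str]:
    """ABT2: return the violated preconditions (empty list when all hold)."""
    checks = [
        (state.active_cabs == 1, "test not activated from exactly one cab"),
        (state.bus_available, "train-wide bus communication not available"),
        (state.configuration_id == initial_config, "train configuration changed"),
        (state.stationary, "train not stationary"),
        (state.immobilized, "train not immobilized"),
        (not state.emergency_brake_active, "emergency brake applied"),
        (state.service_brake_released, "service brake not released"),
    ]
    return [reason for ok, reason in checks if not ok]


@dataclass
class TestReport:
    """ABT13 summary: per-step results, abort reason and time-limited validity."""
    results: Dict[str, bool] = field(default_factory=dict)
    aborted_by: Optional[str] = None
    completed_at: Optional[float] = None   # seconds, from the caller's clock
    validity_s: float = 0.0                # configurable validity period

    @property
    def passed(self) -> bool:
        return (self.aborted_by is None and bool(self.results)
                and all(self.results.values()))

    def is_valid(self, now: float) -> bool:
        """The result is usable only while it has passed and has not expired."""
        return self.passed and now <= self.completed_at + self.validity_s


StepFn = Callable[[TrainState], bool]


def run_brake_test(steps: Dict[str, StepFn], snapshots: List[TrainState],
                   finished_at: float, validity_s: float = 3600.0) -> TestReport:
    """ABT1: run the selected steps in order, re-checking the ABT2
    preconditions against a fresh train state before every step, and abort
    the whole test on the first violation. snapshots[i] stands in for the
    state read from the bus just before step i (the last one is reused)."""
    report = TestReport(validity_s=validity_s)
    initial_config = snapshots[0].configuration_id
    for i, (name, step) in enumerate(steps.items()):
        state = snapshots[min(i, len(snapshots) - 1)]
        violations = check_preconditions(state, initial_config)
        if violations:
            report.aborted_by = f"{name}: {'; '.join(violations)}"
            return report
        report.results[name] = step(state)
    report.completed_at = finished_at
    return report


# Constructed step functions standing in for ABT3, ABT4 and ABT8; a real step
# would drive valves and read pressure transducers over the brake bus.
DEMO_STEPS: Dict[str, StepFn] = {
    "ABT3 safety loop": lambda s: not s.emergency_brake_active,
    "ABT4 brake pipe": lambda s: s.bus_available,
    "ABT8 air supply": lambda s: s.immobilized,
}

READY = TrainState(1, True, "cfg-A", True, True, False, True)


def demo_pass() -> TestReport:
    """All preconditions hold for the whole test: every step runs."""
    return run_brake_test(DEMO_STEPS, [READY], finished_at=1000.0)


def demo_abort_on_reconfiguration() -> TestReport:
    """A coupling (new configuration id) after ABT3 aborts the test at ABT4."""
    recoupled = TrainState(1, True, "cfg-B", True, True, False, True)
    return run_brake_test(DEMO_STEPS, [READY, recoupled], finished_at=1000.0)


if __name__ == "__main__":
    print(demo_pass())
    print(demo_abort_on_reconfiguration())
```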


3.4.5.6 LAM – Low Adhesion Management sub-functions

3.4.5.6.1 LAM1 Wheel slide protection

This sub-function is in charge of detecting the sliding of the wheels on the track during braking and of modulating the braking force applied to the wheelset, with the goal of maximising the train brake performance in low adhesion conditions and preventing wheel damage.

a. Actors involved
- Wheelset

b. Linked sub-functions
- SB5 Blending
- EB4 Emergency Local brake force generation
- LAM2 Adhesion improvement

c. TSI Functional requirements
FR.125 The purpose of the train braking system is to ensure that the train's speed can be reduced or maintained on a slope, or that the train can be stopped within the maximum allowable braking distance (TSI 4.2.4.1 (1)). The primary factors that influence the braking performance are the braking power (braking force production), the train mass, the train rolling resistance, the speed and the available adhesion (TSI 4.2.4.1 (2)).
FR.126 A wheel slide protection system (WSP) is a system designed to make the best use of available adhesion by a controlled reduction and restoration of the brake force to prevent wheelsets from locking and uncontrolled sliding, thereby minimising the extension of stopping distances and possible wheel damage (TSI §4.2.4.6.2 (1)).
FR.127 The wheel slide protection system shall apply to emergency brake and service brake, both to adhesion dependent friction brake and dynamic brake (TSI §4.2.4.6.2 (4)).
FR.128 When the dynamic brake WSP system is not available, the dynamic brake force shall be inhibited, or limited in order not to lead to a wheel/rail adhesion demand higher than 0.15 (TSI §4.2.4.6.2 (5)).
FR.129 The WSP system shall be designed according to EN15595 clause 4 (TSI §4.2.4.6.2 (6)).
FR.130 The relevant components of the wheel slide protection system shall be considered in the safety analysis of the emergency brake function required in clause 4.2.4.2.2 (TSI §4.2.4.6.2 (7)).
FR.131 Units of design maximum speed higher than or equal to 250 km/h shall be equipped with a wheel rotation monitoring system to advise the driver that an axle has seized; the wheel rotation monitoring system shall be designed according to the specification EN15595 clause 4.2.4.3 (TSI §4.2.4.6.2 (8)).

3.4.5.6.2 LAM2 Adhesion improvement

This function is in charge of increasing the available adhesion between rail and wheels. The activation of this function can be automatic during sliding, or manual by a push button on the driver's desk.

a. Actors involved
- Driver
- Technical system

b. Linked sub-functions
- SB5 Blending
- EB4 Emergency Local brake force generation
- LAM1 Wheel slide protection

c. TSI Functional requirements
FR.132 In case an automatic sanding function is provided, it shall be possible for the driver to suspend its use on particular points of the track identified in operating rules as non-compatible with sanding (TSI 4.2.3.3.1.1).
FR.133 Locomotives and power head units shall be provided with sanding devices in Austria, France and Germany (TSI 7.4).

3.4.5.6.3 LAM3 Adhesion management state and fault detection and indication

This function shall monitor the status of the wheel slide protection sub-function and of the adhesion improvement sub-function, providing the related indication to the driver (in the driver's cab) and to the maintenance staff (by diagnostic information).

a. Actors involved
- Driver
- Technical system

b. Linked sub-functions
- LAM1 Wheel slide protection
- LAM2 Adhesion improvement

c. TSI Functional requirements
FR.134 Information available to train staff shall allow the identification of degraded conditions concerning the rolling stock (brake performance lower than the performance required), for which specific operating rules apply. To that end, it shall be possible at certain phases during operation for the train staff to identify the status (applied or released or isolated) of the main (emergency and service) and parking brake systems, and the status of each part (including one or several actuators) of these systems that can be controlled and/or isolated independently (TSI 4.2.4.9 (1)).
FR.135 The relevant components of the wheel slide protection system shall be considered in the safety analysis of the emergency brake function required in clause 4.2.4.2.2 (TSI 4.2.4.6.2 (7)).


3.4.6 Identification of devices implementing the brake system functions on conventional trains

3.4.6.1 Conventional brake system architecture

The conventional train brake system architecture depends on the type of brakes installed on the train, on the solution chosen to apply the friction brake and on the solution chosen to command the emergency brake (brake pipe or safety loop).

a. Type of brakes installed
Generally, on conventional trains the following types of brake are used:
o Electro-dynamic brake/hydro-dynamic brake: it is the preferred type of service brake.
o Friction brake, adhesion dependent: it is used in service brake and emergency brake.
o Magnetic track brake: it is used in emergency brake.
o Eddy current brake: it is used in service and emergency brake.

b. Friction brake application
It can be applied by:
o direct brake, electronically controlled;
o indirect brake;
o both direct and indirect.

In modern solutions the direct brake is the preferred one, at least for the service brake, but the indirect brake is still present when the emergency brake is performed by the traditional brake pipe solution (with a UIC or non-UIC distributor).

c. Emergency brake command
The emergency brake is applied without involvement of electronics, but electronics is used for wheel slide protection and to generate the signals controlling the speed dependent brake forces (friction brake double stage forces, due to adhesion limits on high speed trains; magnetic track brake force inhibition at low speed, due to jerk limits at low speed). There are two typical solutions to command the emergency brake:
o Brake pipe: pneumatic solution, using the indirect brake architecture with brake pipe and distributor piloting the proper pressure to the brake cylinders. The brake pipe pressure also pilots the dynamic brake and adhesion independent brake application in emergency, when foreseen.
o Safety loop: electro-pneumatic solution, using the safety loop to transmit the emergency brake command and a safety solenoid valve, supplied by the safety loop, piloting the proper pressure to the brake cylinders. The safety loop also pilots the dynamic brake and adhesion independent brake application in emergency, when foreseen.

The direct service brake is managed by brake control units (BCUs) distributed along the train, in charge of the service direct brake control and of the brake system status and fault detection. In case of an indirect service brake pipe, sometimes a control unit (BPCU) is used to control the brake pipe pressure; in this case the BCUs, if present, have mainly a diagnostic function. The wheel slide protection is normally managed by a separate control unit (WSP-CU), which is often integrated with the BCUs. The parking brake is controlled by train wires or by the TCMS, generally independently from the BCUs for availability reasons, even if the BCUs often contribute to the diagnosis. All control units are normally connected to the train bus to exchange information with the TCMS; the brake system often has its own communication bus to manage independently the communication between its control units.

Considering that the conventional brake system involves both pneumatic and electric components, auxiliary pneumatic and electric devices are of course necessary to guarantee the proper functionality of the system (pneumatic joints, pipes, check valves, test fittings, …, circuit breakers, diodes, wires, bus cables, connectors, …). The quantity of these devices depends of course on the architecture and on the devices used to perform the functions. The analysis will not consider them, even if they affect the cost of the system. Once a simpler future brake system is defined, the number of auxiliary devices will be intrinsically reduced.

Most of the possible solutions combining the above mentioned possibilities can be represented by the following diagram, in which not all devices need to be present on the train.

Note: in this analysis the pneumatic direct brake applied only on the leading car, typical of locomotives and of some specific applications (for example to immobilize the train during the brake test when the parking brake is not voluntary), is not considered.


Figure 10: Conventional Brake System Architecture (diagram not reproduced). The drawing shows, from the driver cab down to the track: the cab devices DBV-SB+EB, MC-SB+EB, P-EB, PB and Tech SB+EB; the safety loop, train lines and bus, BP and MP; the control units E-BCU, E-BPCU, E-WSP, ECB-CU and TCU; the panels EBP, SBP, PBA and MTB; the valves P-WSP and RLY; the reservoirs BR and MTBR; BAT, T-CUT and the traction motor; and the car, suspension, speed, bogie and track levels.

Symbols:

BAT: Batteries
BP: Brake Pipe
BR: Brake reservoir
DBV-SB-EB: Driver's indirect brake valve with service brake and emergency brake command
EBP: Emergency Brake Panel
ECB-CU: Eddy Current Brake Control Unit
E-BPCU: Brake Pipe Electronic Control Unit
E-BCU: Service Brake Electronic Control Unit
E-WSP: Wheel Slide Protection Electronic Control Unit
LC: Load Compensation
MC-SB-EB: Master controller with direct service brake and emergency brake command
MP: Main pipe
MTB: Magnetic Track Brake Application panel
MTBR: Magnetic Track Brake Reservoir
PB: Parking Brake Command
PBA: Parking Brake Application panel
P-EB: Emergency Push Button
P-WSP: WSP dump valves
RLY: Relay valve
SBP: Service Brake Panel
TCU: Traction Control Unit
Tech SB+EB: Technical service sub-system that requires service brake or emergency brake application, for example ERTMS, fire alarm, passenger alarm, etc.
T-CUT: Traction Cut off

Note: DBV-SB-EB, EBP, LC, MTB, PBA, P-EB, P-WSP, SBP, Tech SB+EB and T-CUT are integrated using pneumatic/electric devices.

3.4.6.2 Devices used in conventional brake system

In this paragraph, the devices normally used in the conventional train architecture described above to perform the functions described in §3.4.4 are identified. Certain devices can be used to perform more than one function; in such a case they are mentioned every time. All or only some of them could be present on the same train. Brake control units (BCUs) are generally one per vehicle; depending on the specific architecture, some of them could have train level functions.

3.4.6.2.1 BSM - Brake System Management sub-functions

BSM1 Train Topology and Brake System Integrity
This function is performed by the on-board BCUs and TCMS control units. They use train configuration information received from the TCMS and other technical systems through train-wide buses, wires, switch contacts, relays and selectors (shared with other systems of the train), and brake system configuration signals given by isolation switches or life/fault signals.

Pneumatic/Electro-pneumatic devices:
- Isolation cocks with switches

Electric/Electronic devices:
- BCUs
- BPCU
- WSP-CU
- Brake Communication bus
- Train battery switch selector/key
- Cab enabling key switches
- Brake enabling key switches
- Train configuration switches (coupler, …)
- Train configuration relays

Table 13: BSM1 Devices

BSM2 Manage brake operating modes
This function is managed by a proper electrical or pneumatic interface in the driver's cab, to be selected by the driver or, in certain cases, automatically operated by the TCMS, configuring the TCMS, the brake system and the traction system so that the brake function is managed in the proper way for the selected operating mode. In the normal mode configuration, the enabling of the brake on the front car is done by a pneumatic cock with switches, or by a solenoid valve automatically controlled by the driver's cab enabling signals or by a dedicated brake enabling electric signal.


The degraded mode configuration command generally operates on the brake demand sub-functions.

- Service brake function
The degraded mode command enables back-up devices able to apply and release the brake in case of a fault of the nominal device. These devices can differ depending on the type of nominal service brake used (direct or indirect) and on the type of back-up brake (direct or indirect).

o Nominal service brake type: direct
In case of a direct back-up brake, the degraded mode configuration command enables a back-up electrical signal on the master controller or on a separate device, providing the brake request signal in substitution of the faulty one.
In case of an indirect back-up brake, often used in brake systems whose emergency brake is commanded by brake pipe, the degraded mode configuration command enables the indirect brake driver's brake valve, allowing adjustable brake pipe pressure control.

o Nominal service brake type: indirect
The degraded mode is generally present only in case of an electronically controlled brake pipe, and the command enables a fully pneumatic control of the brake pipe. This is obtained by operating a three-way cock or solenoid valves that activate a fully pneumatic back-up driver's brake valve (position dependent or time dependent).

- Emergency brake function
o By brake pipe: generally no degraded mode exists for the emergency brake function.
o By safety loop: the degraded mode generally forces the safety loop status by means of proper bypass switches, to be activated in case of undue opening of the safety loop (see for example the by-pass switch in the safety loop scheme below, from EN16185).

Figure 11: Safety loop circuit diagram (circuit diagram not reproduced).

The towing mode selection configures the pneumatic and electrical systems in the proper way in order to receive the commands from the rescuing train or to command a rescued train. In towing mode, the brake signal transmission between the rescuing train/locomotive and the rescued train can be pneumatic when the rescued train is equipped with an indirect brake pipe or has an interface device able to transform the brake pipe pressure brake request into electrical signals. In such a case the connection can involve the automatic coupler or only pneumatic coupling hoses with end cocks, cocks or solenoid valves, pipes and any auxiliary device. In certain cases (metro) the rescue can be performed by electrical signal connections only, transferring both service and emergency brake command signals.

The brake test is done by automatic or semi-automatic procedures using the already existing devices and testing the brake system by proper predetermined commands. No additional devices are necessary.

Pneumatic/Electro-pneumatic devices:
- Brake enabling cocks with micro switches
- Brake enabling solenoid valves
- Service brake degraded mode selection cock with micro switches
- Solenoid valve
- Back-up driver's brake valve
- Automatic coupler pneumatic connections
- Coupling hoses
- Brake pipe interface device
- End cocks

Electric/Electronic devices:
- Brake Mode Configuration Selector
- BCUs
- BPCUs
- Brake Communication bus
- Train configuration switches (coupler, …)
- Train configuration relays
- Cab enabling key switches
- Brake enabling key switches
- Master controller redundant position sensor or switches
- Driver's desk brake mode indication lamps

Table 14: BSM2 Devices

Pneumatic/Electro-pneumatic devices are necessary only in case of indirect brake present on the train.


3.4.6.2.2 SB - Service brake sub-functions

SB1 Service brake train retardation request

SB1.1 Driver request acquisition
- Direct brake: the driver request is given by adjustable electric signals coming from the master controller or from its back-up device.
- Indirect brake: the driver request is given by the pneumatic driver's brake valve controlling the brake pipe (or its back-up device), or by an adjustable electric signal coming from the driver's brake valve and used to control the brake pipe pressure through an additional electro-pneumatic panel, the BPCU and auxiliary pneumatic devices (electronically controlled driver's brake valve).

Normally there is also an air reservoir providing a certain amount of pressurised air to refill the brake pipe, so that the brake can be released in case of a broken main pipe.

In towing mode, the request can arrive through the towing interface device, which transforms the command received from the rescuing train into an electrical brake request signal.

SB1.2 Technical system request acquisition.

The service brake requests from technical systems (ETCS, TCMS) are normally transmitted by those systems to the BCUs or BPCU via bus, or via digital or analogue electric signals.

Pneumatic/Electro-pneumatic devices:
- Driver's brake valve (fully pneumatic or electronically controlled)
- Back-up indirect brake command for electronic driver's brake valve
- Brake command reservoir
- Brake pipe interface device (for towing)

Electric/Electronic devices:
- Master controller
- Back-up of master controller
- BPCU
- Brake Communication bus

Table 15: SB1 Devices


SB2 Service brake request transmission

For direct brakes the transmission is done using dedicated train wires: it is quite common to use a PWM-coded analogue signal, or a train bus (TCMS or proprietary brake supplier communication bus) plus a couple of digital train wires for BRAKE/TRACTION/Coasting information. For indirect brakes the brake pipe is used.

Pneumatic/Electro-pneumatic devices:
- Brake pipe

Electric devices:
- PWM train wires
- Digital train wires
- TCMS
- BCUs
- Brake communication bus

Table 16: SB2 Devices

SB3 Train Load Calculation

The function is performed by the BCUs collecting data from each vehicle, when the blending is managed at train level (cross blending) and the brake effort is load-managed.

SB3.1 Local (bogie/car) load acquisition

The function is done by the BCUs reading the pressure sensor signals that measure the air suspension pressure.

SB3.2 Train load calculation

The function is done by the BCUs; no additional devices are needed.

Pneumatic/Electro-pneumatic devices:
- Air suspension pressure sensors (pressure sensor on each bogie)

Electric/Electronic devices:
- BCUs
- Brake communication bus

Table 17: SB3 Devices

SB4 Train Brake Force Calculation

The function is performed by the BCUs.

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- BCUs

Table 18: SB4 Devices


SB5 Blending

The blended brake request is managed by the BCUs or BPCUs (on trains with an electronically controlled indirect service brake); the service brake force application command is managed by the BCUs and applied by the local brake system and the traction system.

SB5.1 Service Brake Acquisition of the Brake Availability of all brake subsystems

This function is performed by the BCUs or BPCU using information published by the BCUs and the traction system on the communication bus, or directly by isolation devices.

SB5.2 Train brake force distribution on different types of brakes

This function is performed by the BCUs, BPCU or TCMS using the defined blending logic and the result of sub-function SB5.1 above. The blending logic takes into account the train load, the speed dependency of the maximum adhesion, the thermal load limitation on the friction brake discs, the dynamic brake characteristics, the ECB characteristics and, in case of electric traction, the feedback on the ED brake force coming from sub-function SB5.3 below. Finer blending logic is possible with direct brakes; only very coarse blending logic is possible with indirect brakes.

SB5.3 Train Achieved Dynamic Force Acquisition

This function is performed by the BCUs, BPCU or TCMS collecting the information from the traction system via the communication bus or wired signals. The traction system uses its internal status and fault detection system to define the achieved ED force, normally by means of motor current sensors.

SB5.4 Service brake force application

SB5.4.1 Local friction brake force generation

This function is performed by the pneumatic brake cylinder, supplied by relay valves (load dependent or not load dependent, double stage or single stage). The piloting of the relay valve arrives from different devices depending on the type of service brake:

- Direct brake: the piloting pressure is generated by the electro-pneumatic panel, with apply and release valves controlled by the BCUs and supplied by the brake reservoir. Load dependency, speed dependency and thermal limitation on the disc are managed by the BCU through function SB5.2. Load management can also be done by a load dependent relay valve or a load valve, which are used in emergency braking because there is no electronic load management in emergency (see EB4.1).
- Indirect brake: the piloting pressure is generated by the distributor (UIC or not UIC) with its auxiliary devices, supplied by the brake reservoir and piloted by the brake pipe. Interlock valves are used to manage blending on motor axles. Load management can be performed by a load dependent relay valve or a load valve (see EB4.1). Speed dependency is normally obtained by a double stage valve controlled by the WSP-CU in conjunction with a double stage relay valve.

SB5.4.2 Local electro-dynamic brake force generation

This function is performed by the traction system.

SB5.4.3 Local eddy current service brake generation

This function is performed by a dedicated control unit.

SB5.4.4 Local electro-hydraulic brake force generation

This function is performed by the traction system.

Pneumatic/Electro-pneumatic devices:
- Brake cylinders
- Relay valves, load dependent, single or double stage
- Relay valves, not load dependent, single or double stage
- Load valve
- Distributor
- Interlock valve
- Double stage valves
- Brake reservoir
- Direct brake control electro-pneumatic panel (with brake and release valves, pressure regulator, etc.)
- Isolation cocks

Electric/Electronic devices:
- BCUs
- WSP-CU
- TCMS
- Traction system (TCU)
- Eddy current brake control unit (ECB-CU)
- Motor current sensors
- Brake communication bus

Table 19: SB5 Devices


SB6 Service brake force application energy storing

Pneumatic/Electro-pneumatic devices:
- Brake reservoir

Electric/Electronic devices: none

Table 20: SB6 Devices

SB7 Holding brake

The function is performed by the BCUs or TCMS commanding the appropriate brake force demand at zero speed. The force application is done with the devices described above under SB5.

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- BCUs
- TCMS
- Brake communication bus

Table 21: SB7 Devices

SB8 Traction cut off

The traction cut-off is done by the traction system receiving an electrical/bus signal from one or more of the following devices. Note: in service braking the traction inverter is not switched off, because ED brake force shall still be generated.

Pneumatic/Electro-pneumatic devices:
- Pressure switch on brake pipe

Electric/Electronic devices:
- Micro-switch/sensor on master controller
- Micro-switch/sensor on driver’s brake valve
- BPCU
- BCUs
- TCMS

Table 22: SB8 Devices


SB9 Service brake state and fault detection and indication

TCMS, BCUs, BPCUs, WSP-CU, Eddy Current Brake CU and the traction system compare the signals coming from the available sensors/switches to identify the status and faults. Faults impacting performance, train integrity (wheel flats) or the thermal load on the disc are normally shown to the driver by lamps or on the monitor:

- Brake applied
- Dragging brake
- Missing brake
- Double stage failure
- Blocked axle
- Not protected axle
- Brake pipe leakage
- Low main pipe pressure
- Low brake reservoir pressure
- Not continuous brake
- …

Pneumatic/Electro-pneumatic devices:
- Pressure switches/sensors on brake pipe
- Pressure switches/sensors on main pipe
- Pressure switches/sensors on brake reservoir
- Pressure switches/sensors on brake cylinders
- BP pressure gauge
- MP pressure gauge
- Brake cylinder pressure gauge

Electric/Electronic devices:
- BPCU
- BCUs
- WSP-CU
- Eddy Current CU
- TCMS
- Traction system
- Brake communication bus
- Monitors
- Lamps
- Micro-switches on valves
- Proximity sensors
- Temperature sensor
- Current sensors

Table 23: SB9 Devices


SB10 Service brake isolation

SB10.1 Local friction service brake isolation

Independent isolation of the friction service brake is possible only with a direct service brake: the pneumatic isolation disables the electro-pneumatic panel controlling it. With an indirect brake, the pneumatic isolation isolates the emergency brake as well; in this case the isolation is done by the distributor isolation cock and the brake reservoir isolating and venting cock. Cocks can be replaced by solenoid valves, in which case the isolation command can arrive from a selective cab monitor input. Single axle isolation is also possible (to limit the impact of a not-protected-axle detection caused by the failure of a single speed sensor).

SB10.2 Local electro-dynamic service brake isolation

SB10.3 Local eddy current service brake isolation

SB10.4 Local electro-hydraulic retarder service brake isolation

The local isolation of the ED brake, electro-hydraulic retarder and eddy current brake is normally done by switching off or disabling the local control unit, by local selectors or by cab command (via monitor). Total isolation at train level is also possible by a selector/monitor command in the driver’s cab.

Pneumatic/Electro-pneumatic devices:
- Direct brake isolation cock/solenoid valve
- Distributor isolation cock/solenoid valve
- Brake reservoir isolation cock/solenoid valve
- Axle isolation cocks

Electric/Electronic devices:
- Selectors
- BCUs
- TCMS
- Eddy Current Brake control unit
- Cab monitor
- Brake communication bus

Table 24: SB10 Devices


3.4.6.2.3 EB - Emergency brake sub-functions

EB1 Emergency brake command generation

EB1.1 Driver request acquisition

The devices available to the driver to trigger an emergency brake are:

- the master controller, which can be connected to the brake pipe or not (fully electrical);
- the driver’s brake valve, venting the brake pipe completely in the emergency position;
- the emergency push button, venting the brake pipe completely when pushed.

All of them open the safety loop, if present.

The safety loop is a permanently energized loop to which the safety solenoid valves are connected; these are in charge of applying the emergency brake locally (direct brake) or venting the brake pipe (indirect brake). The typical safety loop circuit is represented in Figure 11 above.

EB1.2 Technical system request acquisition

A technical system generally opens the safety loop or has dedicated devices operating directly on the brake pipe. ETCS normally has its own pneumatic panel connected to the brake pipe, but a solution operating on the safety loop through a safety relay is also already in use. The vigilance system generally has an electrical signal output which is used to energize a solenoid valve connected to the brake pipe or a safety relay connected to the safety loop. TCMS normally operates on the safety loop.

Pneumatic/Electro-pneumatic devices:
- Driver’s brake valve
- Emergency push button
- Master controller with connection to brake pipe
- ETCS pneumatic panel
- Emergency application valve

Electric devices:
- Fully electrical master controller
- Safety loop
- Safety relays

Table 25: EB1 Devices


EB2 Actual Emergency Braking Power Calculation

EB2.1 Emergency Brake Acquisition of the Brake Availability of all brake subsystems

This function is performed at train level by the BCU (train master) collecting status and fault information from the local BCUs in charge of controlling the brake force application (friction and adhesion independent brake), from the eddy current brake control unit (ECB-CU) and from the traction system when the ED brake is also used in emergency braking.

EB2.2 Emergency Braking power calculation

This function is performed by the BCU (train master).

EB2.3 Emergency Braking power indication to driver

This function is performed by the master BCU using visual indications (lamps) or monitor information.

EB2.4 Emergency Braking power transmission to technical systems

This function is done by bus communication and generally involves the diagnostic system only, because at present the available braking power is input to ETCS or an equivalent signalling system manually by the driver.

Pneumatic/Electro-pneumatic devices: none

Electric devices:
- BCUs
- TCMS
- Traction system
- Monitor
- Brake communication bus
- Lamps
- Safety loop

Table 26: EB2 Devices


EB3 Emergency brake command transmission

The transmission is done in a safe way by the brake pipe and/or the safety loop. In parallel, bus communication can replicate the request as well.

Pneumatic/Electro-pneumatic devices:
- Brake pipe

Electric devices:
- Safety loop
- Brake bus communication

Table 27: EB3 Devices

EB4 Emergency Local brake force generation

The emergency force generation is done by the local pneumatic brake panel using part of the components used for the service brake and/or additional components used for emergency only.

EB4.1 Local load acquisition

Unlike the service brake, the load acquisition is done only by pneumatic means. Two types of solution are generally used:

- Load dependent relay valves, receiving the emergency brake nominal pilot pressure from the device described in EB4.2 and the load information from the air suspension pressure, and controlling the output pressure to the brake cylinder proportionally to both input signals (in this case the Load Compensation Module LC in Figure 10 is integrated in the relay valve, which has an input for the bogie suspension pressure).
- Load valves, performing the same function described above but on the pilot signal to the relay valve (in this case the Load Compensation Module LC in Figure 10 is the load valve).

The input load pressure could come from a further device averaging the pressures of the two bogies.

EB4.2 Friction brake force generation (load dependent and speed dependent)

It is performed by the pneumatic cylinder acting on the brake disc and, through the wheelset, on the track. The cylinders are supplied by the above-mentioned relay valves. The relay valve can be load dependent or not load dependent, double stage or single stage. The piloting of the relay valve can come from a safety valve energized by the safety loop, in case of a pure direct brake, and/or from the distributor, in case of an indirect emergency brake. The speed dependency of the force, due to the maximum adhesion, is given by a double stage valve controlled by the WSP-CU in conjunction with a double stage relay valve. When the dynamic brake is active in emergency, an interlock valve is used to avoid applying maximum friction and dynamic brake at the same time.

EB4.3 Local electro-dynamic brake force generation (load dependent and speed dependent)

The ED brake force is generated by the traction system. The proper application of the force is normally monitored by motor current sensors.


EB4.4 Local electro-hydraulic retarder brake force generation (load dependent and speed dependent)

The electro-hydraulic retarder brake force is generated by the traction system controlling the power package on diesel trains. The electro-hydraulic retarder is normally not applied in emergency.

EB4.5 Adhesion independent brake force generation (speed dependent)

The adhesion independent force is generated by:

- the Magnetic Track Brake (MTB), which is activated by the safety loop or by a pressure switch on the brake pipe, whose electrical signal activates solenoid valves that drive the pneumatic cylinders lowering the MTB onto the rail; in parallel, an electrical circuit energizes the coils. The lowering valve and the coil are de-energized at low speed by the WSP-CU to limit the jerk.
- the eddy current brake, piloted by the safety loop or by a pressure switch on the brake pipe, controlled by the Eddy Current Brake control unit and powered by its electrical command circuit.

Pneumatic/Electro-pneumatic devices:
- Brake cylinders
- MTB lowering cylinders
- Relay valves, load dependent, single or double stage
- Relay valves, not load dependent, single or double stage
- Load valve
- Load averaging valve
- Safety valve
- Pressure regulator
- Distributor
- Interlock valve
- Double stage valve
- MTB lowering valve

Electric devices:
- Safety loop
- WSP-CU
- MTB electrical command
- Eddy Current Brake control unit
- Eddy Current Brake electrical command
- Eddy Current Brake
- Magnetic Track Brake

Table 28: EB4 Devices

EB5 Emergency brake energy storing

Pneumatic/Electro-pneumatic devices:
- Brake reservoir
- MTB reservoir

Electric devices:
- Batteries

Table 29: EB5 Devices

EB6 Traction cut off

The traction cut-off is done by the traction system receiving an electrical/bus signal from one of the following devices. In emergency braking, if the ED brake is not used, the traction inverter is normally switched off for safety.

Pneumatic/Electro-pneumatic devices:
- Traction cut-off pressure switches on brake pipe (set < 3,3 bar)

Electric devices:
- Traction cut-off relay on safety loop

Table 30: EB6 Devices

EB7 Emergency brake state and fault detection and indication

Emergency brake application shall be automatic in case of a command fault. This is obtained by intrinsically safe commands such as the brake pipe and the safety loop. Locally, faults impacting performance are detected by TCMS, BCUs, BPCUs, WSP-CU, eddy current CU and the traction system by means of proper sensors and sent to the driver:

- Missing brake
- Double stage valve fault
- MTB not lowered
- MTB not energized
- MTB not lifted up at low speed
- Eddy Current Brake not applied
- ED brake missing

Other faults are stored in the diagnostic system.

Pneumatic/Electro-pneumatic devices:
- Pressure switches/sensors on brake pipe
- Pressure switches/sensors on main pipe
- Pressure switches/sensors on brake reservoir
- Pressure switches/sensors on brake cylinders
- BP pressure gauge
- MP pressure gauge
- Brake cylinder pressure gauge
- MTB pressure switches

Electric/Electronic devices:
- BPCU
- BCUs
- WSP-CU
- Eddy Current CU
- TCMS
- Traction system
- Brake communication bus
- Monitors
- Lamps
- Micro-switches on valves
- Proximity sensors
- Temperature sensor
- MTB current sensors
- Motor current sensors

Table 31: EB7 Devices

EB8 Emergency brake isolation

EB8.1 Driver emergency command isolation

This function can be provided by a sealed selector allowing the driver to release an undue emergency brake triggered by the electric contacts of the device.

EB8.2 Local friction emergency brake isolation

This is done by pneumatic cocks isolating the distributor or the electro-pneumatic panel of the direct brake and venting the auxiliary reservoir. Cocks can be replaced by solenoid valves as well. Axle isolation cocks can be present as well.


EB8.3 Local electro-dynamic emergency brake isolation

EB8.4 Local adhesion independent emergency brake isolation

EB8.5 Local electro-hydraulic retarder emergency brake isolation

The local isolation of the ED brake, electro-hydraulic retarder, MTB and eddy current brake is normally done by switching off or disabling the local control unit, by local selectors or by cab command (via monitor or selectors). Total isolation at train level is also possible by a selector in the driver’s cab.

Pneumatic/Electro-pneumatic devices:
- Direct brake isolation cock/solenoid valve
- Distributor isolation cock/solenoid valve
- Brake reservoir isolation cock/solenoid valve
- Axle isolation cocks

Electric/Electronic devices:
- Selectors
- BCUs
- TCMS
- Eddy Current Brake control unit
- Cab monitor
- Brake communication bus

Table 32: EB8 Devices

3.4.6.2.4 PB - Parking brake sub-functions

PB1 Parking brake command generation

PB1.1 Driver request acquisition

The driver request is normally made by a push button on the driver’s desk. The request is transmitted by contacts or relays to the train lines or to the communication bus.

PB1.2 Technical system request acquisition

The request is sent to the communication bus by the BCU/TCMS or by relays operating on the train lines.

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- PB push button
- Relays
- BCU
- TCMS

Table 33: PB1 Devices

PB2 Parking brake train command transmission

The transmission is done by train lines (apply and release train lines for the bi-stable valve solution, or a single train line in case of a mono-stable valve) or by bus communication.

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- PB train lines
- Communication bus

Table 34: PB2 Devices

PB3 Parking brake local force generation

PB3.1 By train command

PB3.2 By local command (manual application)

The force is applied by the PB portion inside the brake cylinders, activated by venting the piloting port. The pilot is controlled by a mono-stable or bi-stable valve connected to the train lines, or controlled by relays piloted by the BCUs or TCMS reading the command on the communication bus (train command). The local command is obtained by local manual operation acting on the same devices described above (mechanical commands directly implemented on the bi-stable valve, or a local electric command to the mono-stable or bi-stable valve in parallel/series with the train one).

Pneumatic/Electro-pneumatic devices:
- PB brake cylinders
- Mono-stable solenoid valve with manual command
- Bi-stable solenoid valve with manual command

Electric/Electronic devices:
- BCUs
- TCMS
- Relays
- Push-button

Table 35: PB3 Devices

PB4 Parking brake energy storing

The energy to apply the parking brake is stored in the cylinder spring; the energy to release it is stored in the brake reservoir and/or the main pipe reservoir (if the parking brake shall still be operable with the service brake isolated).

Pneumatic/Electro-pneumatic devices:
- Parking brake cylinder
- Main pipe reservoir
- Brake reservoir

Electric/Electronic devices: none

Table 36: PB4 Devices

PB5 Anti-compound

The function is performed at cylinder level or by a pneumatic circuit using a double check valve connecting the parking brake line with the service brake line.

Pneumatic/Electro-pneumatic devices:
- PB cylinder
- Double check valve

Electric/Electronic devices: none

Table 37: PB5 Devices

PB6 Parking brake state and fault detection and indication

PB6.1 Local parking brake state (applied/released/faulty/isolated/no info)

The indication is available locally, by pneumatic indicators or control lamps installed on the side of the train. The status is detected by pressure switches/sensors or by micro-switches installed on the PB cylinders, read also by the BCU and/or TCMS.

PB6.2 Train level parking brake applied status

PB6.3 Train level parking brake released status

The train status is derived from the local statuses above and shown to the driver by lamps or monitor, through electrical circuits or via the master BCU or TCMS.

Pneumatic/Electro-pneumatic devices:
- PB pneumatic indicator
- PB pressure switch
- PB pressure sensor

Electric/Electronic devices:
- BCUs
- TCMS
- Communication bus
- Lamps
- Monitor

Table 38: PB6 Devices

PB7 Monitoring Parking brake applied at speed detection and speed reduction request

This function is done by the TCMS or BCUs continuously monitoring the status and automatically applying the service or emergency brake in case of an undue applied status in running condition. The undue application is shown to the driver by the solutions defined above (lamp and/or monitor alarm).

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- BCUs
- TCMS
- Communication bus
- Monitor
- Lamp

Table 39: PB7 Devices

PB8 Parking brake manual release

The manual release acts at cylinder level. It can be performed by a manual interface close to the cylinder or by a pneumatic command controlled by a solenoid valve, energized by a remote command from the driver.

Pneumatic/Electro-pneumatic devices:
- PB cylinder
- Manual release mechanism
- Solenoid valve

Electric/Electronic devices: none

Table 40: PB8 Devices

PB9 Parking brake isolation

The isolation is done by an isolation cock venting the cylinder command line, followed by manual release.

Pneumatic/Electro-pneumatic devices:
- PB cylinder
- PB isolation cock

Electric/Electronic devices: none

Table 41: PB9 Devices

3.4.6.2.5 ABT - Automatic Brake test sub-functions

The automatic brake test checks the devices described above to assess their nominal functionality. No additional device is therefore required except the interface with the driver to start the test and acknowledge the results. This is done by push buttons/selectors present on the driver’s desk or by monitor.

Pneumatic/Electro-pneumatic devices: none

Electric/Electronic devices:
- BT start push button/selector
- BT result acknowledgement push button
- Monitor

Table 42: ABT Devices

3.4.6.2.6 LAM – Low Adhesion Management sub-functions

LAM1 Wheel slide protection

LAM1.1 Speed acquisition

This function is performed by the WSP-CU reading the speed sensors on the wheels.

LAM1.2 Braking force reduction/restoring (slide dependent)

This function is performed by the WSP-CU controlling the WSP dump valves, and reducing and restoring the ED brake force through proper interfaces with the traction system. The regulation algorithms are certified.

LAM1.3 Brake force reduction timeout (watchdog)

This function is performed by an independent electronic board inside the WSP-CU.

Pneumatic/Electro-pneumatic devices:
- Dump valves

Electric/Electronic devices:
- WSP-CU
- Traction system
- Speed sensors

Table 43: LAM1 Devices

LAM2 Adhesion improvement

This function is performed by distributing sand on the rail when slip or slide is detected, in automatic mode or on command by the driver (push button). The slip/slide detection is done by the WSP-CU. Sanding is often automatic in emergency braking. The sanding device is composed of a sand box, sand distributor, sand drier, sand pipe and sanding valves.

Pneumatic/Electro-pneumatic devices:
- Sand box
- Sand distributor
- Sand drier
- Sand pipe
- Sanding solenoid valves

Electric/Electronic devices:
- WSP-CU
- Sanding push button

Table 44: LAM2 Devices

LAM3 Adhesion management state and fault detection and indication

The fault detection of the wheel slide protection is done by the WSP-CU itself, monitoring open/short circuits on the dump valves, sanding valves and speed sensors. The WSP-CU defines the sliding/slipping status by comparing the four wheel speed sensors it normally reads to manage the wheel slide protection. For diagnosis, the cylinder pressure sensor is sometimes also used during the WSP test. One additional diagnosis performed by the WSP-CU is the detection of a non-rotating axle.

The sanding is also monitored by sand level sensors and checked by the automatic brake test or by forced manual activation.

Pneumatic/Electro-pneumatic devices:
- Cylinder pressure sensors

Electric/Electronic devices:
- WSP-CU
- Speed sensors
- Sand sensor

Table 45: LAM3 Devices


3.5 CONVENTIONAL BRAKE SYSTEMS SAFETY FUNCTION ALLOCATION ANALYSIS

3.5.1 Hazard and Risk Analysis of Brake System Functions

A Preliminary Hazard Analysis (PHA) has been conducted based on the process described in §3.3.2.2 and on the Functional Analysis described in the previous section. The analysis considers the generic hazards described in the TSI Loc&Pas 2014 and in the EN16185-1 and EN15734-1 standards. This generic hazard list has been complemented with additional hazards based on the experience of the CONNECTA WP5 partners. This high level PHA shall be further developed in the next deliverables of WP5, focusing on the architectural solutions that will be retained.

3.5.2 Safety Allocation on SIL Levels of System Function and Sub-Functions

In the PHA the system functions and sub-functions participating in each hazard have been identified. A Tolerable Hazard Rate (THR), which allows an acceptable risk to be reached, has been identified for each hazardous event and indirectly allocated to all the functions involved in the hazard. Using the THR-SIL correlation table of EN 50129, the SIL level expected for each safety-related sub-function (in case the sub-function is performed by means of electronics and/or software) has been identified. The following table summarizes the THR and SIL associated with each identified sub-function. It shall be noted that, by default, all the sub-functions below are considered train-wide functions; therefore, any THR or SIL target is assumed to relate to the train level. Many sub-functions are in fact only local functions; in this case the THR has been allocated based on experience, while the SIL (whenever applicable) will not be further allocated unless the sub-function is in a redundant and fully independent configuration with at least one other. The allocations performed in the following table shall be fine-tuned in the next steps of the CONNECTA project, when a clearer view of the system architecture is available. The allocation may also need to be reviewed for any future commercial project.

| Sub-function | Identification | THR (events/hour) | SIL | Remarks |
|---|---|---|---|---|
| EB1. | Emergency brake command generation | * | * | * The THR and SIL associated with this function depend on its level of automaticity |
| EB1.1 | Driver request acquisition | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | (1) |
| EB1.2 | Technical system request acquisition | ≤ 10^-9 | SIL4 | |
| EB2. | Actual Emergency Braking Power Calculation | 10^-7 < THR ≤ 10^-6 | SIL2 | (1) |
| EB3. | Emergency brake command transmission | ≤ 10^-9 | SIL4 | |
| EB4. | Emergency Local brake force generation | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| EB5. | Emergency brake energy storing | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| EB6. | Traction cut off (brake system interface to traction) | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| EB7. | Emergency brake state and fault detection and indication (applied/ released/ faulty/ isolated/ no info) | 10^-7 < THR ≤ 10^-6 | SIL2 | (1) |
| EB8. | Emergency brake isolation | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| SB1. | Service brake train retardation request | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB2. | Service brake request transmission | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB3. | Train Load Calculation | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB4. | Train Brake Force Calculation | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB5. | Blending (speed and/or adhesion and/or load and/or brake disk temperature dependent) | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB6. | Service brake force application energy storing | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB7. | Holding brake | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB8. | Traction cut off | - | - | |
| SB9. | Service brake state and fault detection and indication (applied/ released/ faulty/ isolated/ no info) | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| SB10. | Service brake isolation | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| PB1. | Parking brake command generation | * | * | * The THR and SIL associated with this function depend on its level of automaticity |
| PB1.1 | Driver request acquisition | 10^-7 < THR ≤ 10^-6 | SIL2 | (1) |
| PB1.2 | Technical system request acquisition | ≤ 10^-9 | SIL4 | |
| PB2. | Parking brake train command transmission | ≤ 10^-9 | SIL4 | |
| PB3. | Parking brake local force generation | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| PB4. | Parking brake energy storing | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| PB5. | Anti-compound local | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| PB6. | Parking brake state and fault detection and indication | 10^-7 < THR ≤ 10^-6 | SIL2 | (1) |
| PB7. | Monitoring Parking brake applied at speed detection and speed reduction request | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| PB8. | Parking brake manual release local | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| PB9. | Parking brake isolation local | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| ABT1. | Automatic Brake Test request generation | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| ABT2. | Check of preconditions of brake test | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2 | |
| ABT3. | Direct brakes and Safety Loop Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT4. | Indirect Brakes and Brake Pipe Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT5. | Brake performances calculation | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT6. | Adhesion independent Brake Systems Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT7. | Dynamic Brake Systems Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT8. | Air Supply Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT9. | Wheel Slide Protection (WSP) Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT10. | Assist Functions Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT11. | Adhesion Management Function Test (sanding) | - | - | |
| ABT12. | Function Test | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| ABT13. | Brake Tests Result Indication | 10^-7 < THR ≤ 10^-6 | SIL2 | (3) |
| LAM1 | Wheel slide protection | 10^-8 < THR ≤ 10^-7 | (2) | (2) |
| LAM2 | Adhesion improvement | 10^-7 < THR ≤ 10^-6 | (2) | (2) |
| LAM3 | Adhesion management state and fault detection and indication | 10^-7 < THR ≤ 10^-6 | SIL2 | (1) |
| BSM1. | Train Topology and Brake System Integrity | - | - | (4) |
| BSM2. | Manage brake operating modes | - | - | (4) |

Table 46: SIL/THR Allocation to Sub Functions

(1) A THR and SIL allocation has been performed, as this sub-function does not individually lead to the top-level hazard thanks to the presence of other mitigations, such as driver reaction or other design features in the system architecture.

(2) Only the THR has been indicatively allocated, as this is a local function and not a train-wide function. Nevertheless, if this function is performed by means of the same electronics and/or SW on the entire train, the SIL defined for the top level function cannot be further allocated, as systematic defects in the HW and/or SW may affect the entire train and can lead to the top-level hazard.

(3) Although this sub-function has not been associated to any hazard in the PHA, a THR/SIL target is identified based on CONNECTA WP5 partners experience and on operational constraints.

(4) The Safety Allocation for the BSM sub-functions may need further analysis in the next steps of WP5. In the conventional brake system architecture, no relation between these sub-functions and the generic hazards has been identified. Nevertheless, when analysing improved solutions for the future brake system, a THR/SIL may be identified.


3.6 DEFINITION OF FUTURE BRAKE SYSTEM ARCHITECTURE

In this chapter the existing pneumatic equipment that can be fruitfully replaced by new pneumatronic devices with a high SIL level is identified, some possible solutions with the related new brake system architectures are described, and the brake system functions and sub-functions involved by the new equipment and its control are then identified; the related functional requirements specified in par. 3.4.5 are then applicable to the technical sub-system to be developed in the next CTA WP5 tasks.

3.6.1 Introduction

The conventional brake system analysis done in §3.4.6 and the Safety Allocation done in §3.5.2 allow identifying "EB4 Emergency Local brake force generation" as the most interesting safety-related sub-function to be considered for a new pneumatronic device able to replace existing pneumatic components. Even without considering the devices in charge of applying the braking force (cylinders, MTB cylinders), the pneumatic or electro-pneumatic devices used for that sub-function are several, complex in certain cases (distributor, relay valves), and they are present on each vehicle of the train, with a consequent impact in terms of quantity:

- Relay valves, load dependent, single or double stage
- Relay valves, not load dependent, single or double stage
- Load valve
- Load averaging valve
- Safety valve
- Distributor
- Interlock valve
- Double stage valve

These devices are used for the emergency brake system function, but some of them are shared with the service brake system function:

- Relay valves
- Distributor (in case of indirect service brake)
- Interlock valves (in case of ED brake used in emergency)
- Double stage valves (in case of indirect service brake)

The following aspects are considered suitable to be improved by a new solution.

a. Relay valve

The relay valve is a pneumatic component that is dimensioned at the beginning of the project based on the brake calculation, but whose final configuration could change during the project due to a different final vehicle weight, a changed type of pad or other reasons. The change requires a retrofit activity with a cost impact on the project. The retrofit could be just a tuning (with consequent quality control of the correct implementation of the hardware tuning) or the replacement of parts of the relay valve (diaphragm).


b. Load dependency

The load dependency is an aspect of the sub-function that has a particular impact on the economy of the brake system: first because it introduces further complexity in the system, second because it is a sub-function that could need tuning during the commissioning phase, since the weight of the single vehicles can only be frozen in that project phase. The load dependency, as written in §3.4.6.2.2 and §3.4.6.2.3, can be obtained by two alternative devices:

- Load valve
- Load dependent relay valve

The load valve can be used by the service brake system functions only in the case of an indirect friction brake, whereas the load dependent relay valve can be used by the service brake system functions with both direct and indirect friction brake types.

c. Speed dependency

The speed dependency of the EB4 sub-function is an aspect that has an impact on train performance:

- To be compliant with the constraints of the maximum allowed adhesion, the emergency brake force for speed > 250 km/h is reduced by a double stage valve (or triple) in one (or two) additional steps, without fully using the maximum adhesion curve over the whole speed range.
- In case of ED brake application in emergency, since the ED brake has a non-linear characteristic with speed, the combination of the emergency friction brake (not electronically controlled) and the ED brake does not allow the maximum adhesion curve to be fully used over the whole speed range.

d. Cylinder pressure accuracy

The EB4 sub-function generates the cylinder pressure through a chain of fully pneumatic devices; the final result is that the cylinder pressure carries the sum of the tolerances of the different devices:

- Direct brake: pressure regulator + relay valve
- Indirect brake: distributor + (load valve + relay valve) OR (relay valve load dependent)

The accuracy is normally worse than that obtained with electronically controlled relay pilot pressure control (as in the case of the service brake performed by the direct brake).

e. Indirect emergency brake

When the EB4 sub-function needs the brake pipe pressure as the emergency brake command, and no safety loop is present in parallel, the brake system brings back the limits of the indirect brake:

- Double pneumatic pipe along the train
- Expensive pneumatic devices (distributor/driver's brake valve)
- Long equivalent time in case of long trains (coupled composition)


If the safety loop is present, the second and third aspects could be slightly mitigated by a simplified distributor and by application valves at different points of the train venting the brake pipe.

f. Dynamic brake in emergency

The application of the dynamic brake (electric or hydraulic) in emergency is very limited, due to the difficulty of reaching a high safety level for the dynamic brake function, which involves complex software functions and several traction devices, including the rheostat for the ED brake and the heat exchanger for the hydraulic brake.

Conclusion

According to the above, the conventional implementation of the "EB4 Emergency Local brake force generation" sub-function has the following drawbacks:
1) If the cylinder pressure needs to be changed, for example to use a new friction pair type, a costly retrofit of the parts is needed.
2) The cylinder pressure set-up adjustment in commissioning can require a new load/relay valve version. In some cases, if the nominal set-up has to be changed beyond a certain tolerance, internal parts need to be replaced. This adjustment leads to production disruption and to the retrofit of the already delivered parts (production/logistic issues).
3) The accuracy of the pressure output is normally worse than that achieved by the electronic service brake, and it is difficult to maintain over a wide environmental temperature range.
4) The emergency performance in certain cases may not be maximized (continuous regulation with speed, ED brake in emergency).
5) Brake systems with the emergency brake controlled by the brake pipe can be limited in terms of equivalent time (coupled train composition), require a double pipe installed on the train, and can require particularly complicated pneumatic or electro-pneumatic components (driver's brake valve, distributor).
6) Dynamic brake application in emergency is limited by the low safety level of the dynamic brake control.

In the next chapters the following 3 new solutions are proposed, improving on the above mentioned drawbacks of the conventional solutions:
I. High Safety Electronic Emergency Brake Load Compensation
II. High Safety Electronic Emergency Pressure Generation
III. High Safety Electronic Emergency Pressure Generation and Electric Brake in Emergency


3.6.2 High Safety Electronic Emergency Brake Load Compensation

New equipment

The emergency load compensation module is a pneumatronic equipment generating a pilot pressure for the relay valve controlling the cylinder pressure. This module has as input the suspension pressure signal coming from a pressure transducer (proportional to the car load); the output is the pressure to be applied to the cylinder in emergency condition, piloting the relay valve supplying the cylinder. A typical I/O characteristic is shown in Figure 12.

[Figure 12: Load Compensation Valve Characteristic; output pilot pressure Pout plotted against suspension pressure Ps, with the Tare, Crush and Fault points marked]

Design improvement

The design improvement for this future architecture is the use of a high SIL electronic based subsystem to replace:
- the load valve ('LC' module in the conventional architecture described in 3.4.6.2.3),
- the load averaging valve,
reaching the goal of overcoming the above mentioned drawbacks 1), 2) and 3) of the conventional system. With the right procedure the emergency cylinder pressure can be adjusted by modifying software parameters, without the need to retrofit mechanical parts. It allows:
- Easy set-up adjustment during commissioning.
- Easy (cheaper) adjustment of the pressure during the train life in case of an upgrade of the friction pair.
A further advantage is the improved accuracy thanks to the use of precise, temperature compensated pressure transducers, which today's MEMS technology makes available as a cost effective solution.
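The characteristic of Figure 12, written out as an added example that is not code from this deliverable nor from any of the CONNECTA partners: the module interpolates the emergency pilot pressure Pout between the tare and crush set points from the suspension pressure Ps, clamps outside that range, and reports an implausible transducer sample as a fault. The set-point values, the plausibility window and the fail-safe choice (output the crush-load pressure, i.e. maximum braking, on fault) are assumptions of this example; the point is that the set points are software parameters, which is what removes the mechanical retuning of drawbacks 1) and 2).

```python
# Added example: model of the emergency load-compensation characteristic
# (Figure 12). All numeric values are constructed for illustration.
import math
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LoadCompensationParams:
    """Software parameters of the emergency load-compensation module.

    Changing these replaces the mechanical retuning of a load valve or
    load-dependent relay valve. Pressures in bar; values are constructed.
    """
    ps_tare: float       # suspension pressure Ps of the empty (tare) vehicle
    ps_crush: float      # suspension pressure Ps at crush load
    pout_tare: float     # emergency pilot pressure Pout required at tare
    pout_crush: float    # emergency pilot pressure Pout required at crush load
    ps_min_valid: float  # transducer plausibility window, lower bound
    ps_max_valid: float  # transducer plausibility window, upper bound


# Constructed parameter set (assumption, not from the deliverable).
EXAMPLE_PARAMS = LoadCompensationParams(
    ps_tare=2.0, ps_crush=5.0, pout_tare=2.4, pout_crush=3.8,
    ps_min_valid=0.5, ps_max_valid=7.0,
)


def emergency_pilot_pressure(ps: Optional[float],
                             p: LoadCompensationParams = EXAMPLE_PARAMS) -> Tuple[float, bool]:
    """Return (Pout, fault) for one suspension-pressure sample Ps.

    Between tare and crush the output follows the straight segment of
    Figure 12; outside that range it is clamped. A missing, NaN or
    implausible sample is reported as a fault and, as the assumed
    fail-safe policy, the crush-load pressure (maximum braking) is output.
    """
    if ps is None or math.isnan(ps) or not (p.ps_min_valid <= ps <= p.ps_max_valid):
        return p.pout_crush, True
    if ps <= p.ps_tare:
        return p.pout_tare, False
    if ps >= p.ps_crush:
        return p.pout_crush, False
    frac = (ps - p.ps_tare) / (p.ps_crush - p.ps_tare)
    return p.pout_tare + frac * (p.pout_crush - p.pout_tare), False


if __name__ == "__main__":
    for sample in (1.0, 2.0, 3.5, 5.0, 6.0, 9.0, None):
        pout, fault = emergency_pilot_pressure(sample)
        print(f"Ps={sample!s:>5}  Pout={pout:.2f} bar  fault={fault}")
```

The fault branch is the part worth checking during commissioning: a sample outside the plausibility window must never be interpolated, since the straight segment would extrapolate a pilot pressure that is lower than tare or higher than crush.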


New architecture

The new architecture shown in Figure 13 represents how the brake system architecture changes with the use of this module. The emergency brake request is still received by the train local application unit (car, bogie) through a safety loop or the BP, as described in par. 3.4.6.2.3. The cylinder pressure is still generated by a pneumatic relay valve. This new architecture does not reduce the complexity at train level (wires, pipes, devices), as it does not take advantage of the future TCMS.

Sub-function involved

The brake system function involved is the Emergency brake, in particular the following sub-functions:
EB4 Emergency Local brake force generation, by means of the following sub-functions:
EB4.1 Local load acquisition
EB4.2 Friction brake force generation (load dependent and speed dependent)
EB7 Emergency brake state and fault detection and indication.


[Figure 13: High Safety Electronic Emergency Brake Load compensation. Block diagram of the brake system with the LC module: Driver Cab (Tech SB+EB, P-EB, MC-SB+EB, PB; electronic based), safety loop, train lines and bus, BP; per car EBP, LC, SBCU, PBA, MTB, T-CUT, WSPCU and TCU (to traction system), with car suspension and speed inputs; bogie and track]


Symbols:

EBP Emergency Brake Panel
SBCU Service Brake Control Unit (pneumatic+electronics)
LC Load Compensation module (electronic based)
MC-SB-EB Master controller with direct service brake and Emergency brake command
MTB Magnetic Track Brake Application panel
PB Parking Brake Command
P-EB Emergency Push Button
TCMS Train Control and Monitoring System
TCU Traction Control Unit
Tech SB+EB Technical service sub-systems that require service brake or emergency brake application, for example ERTMS, Fire Alarm, Passenger Alarm, etc.
T-CUT Traction Cut off
WSPCU Wheel Slide Protection integrated Control Unit (pneumatic+electronics)

Note: EBP, MTB and P-EB use pneumatic and electric devices.


3.6.2.1 Safety Requirement (SIL/THR) allocated to the Pneumatronic/Electronic functions

The system functions and sub-functions related to the new architecture and the required SIL/THR, as per the par. 3.5 analysis, are reported in the following table.

Id. | Sub Function | THR | SIL
EB4 | Emergency Local brake force generation | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB7 | Emergency brake state and fault detection and indication | 10^-7 < THR ≤ 10^-6 | SIL2

Table 47: EM Load Module SIL/THR

3.6.2.2 Safety Requirement (SIL/THR) allocated to TCMS

No requirement is allocated to TCMS for this new architecture.


3.6.3 High Safety Electronic Emergency Pressure Generation

New equipment

A development of the pneumatronic equipment described in §3.6.2 is the additional ability to receive the emergency brake demand from a network (TCMS) with a high safety integrity level (>2). The new equipment, EBCU, fully includes the LC and the EBU modules of the conventional architecture, intended as a pneumatronic unit able to generate as output the Emergency Brake cylinder pilot pressure in response to an emergency brake request received from the TCMS.

Design improvement

The design improvement for this solution is the use of high SIL electronic based equipment to replace:
- load valve
- load averaging valve
- safety valve
- distributor
- double stage valve

and the use of the new generation TCMS, to replace with simpler electric/electronic devices the following components (see §3.4.6.2.2 SB1 and SB2; §3.4.6.2.3 EB1 and EB3):
- brake pipe
- safety loop
- driver's brake valve (fully pneumatic or electronically controlled)
- back indirect brake command for the electronic driver's brake valve
- brake command reservoir
- emergency push button
- master controller with connection to the brake pipe
- ETCS pneumatic panel
- emergency application valve

reaching the goal of overcoming the above mentioned drawbacks 1), 2), 3), 4) and 5) of the conventional system. It has the same advantages as the architecture described in par. 3.6.2 plus the following:
1) Improved cylinder pressure output accuracy.
2) Simplification of the train wiring and piping by removing the brake pipe and the safety loop.
3) Coupling of train brakes for towing or consist composition can be achieved at TCMS level. The standardization of the future TCMS will permit train composition and towing by locomotive without the need for UIC standard brakes.
4) Possibility to standardize and share between the brake system and the TCMS some train-wide sub-functions such as Automatic Brake Test, Brake Status, Diagnostics, etc.
5) Possibility to regulate the emergency brake effort by speed in a continuous way.


New architecture

In Figure 14, the new architecture allowed by the implementation of this device is represented. The safety loop is still shown, to include also a possible configuration with a TCMS without an adequate safety level.

Sub-function involved

The brake system sub-functions involved by this new solution are:

BSM - Brake System Management
BSM1 Train Topology and Brake System Integrity
BSM2 Manage brake operating modes.

EMB Emergency Brake
EB1 Emergency brake command generation
EB2 Actual Emergency Braking Power Calculation
EB3 Emergency brake command transmission
EB4 Emergency Local brake force generation
EB6 Traction cut off
EB7 Emergency brake state and fault detection and indication
EB8 Emergency brake isolation

ABT Automatic Brake Test
ABT2 Check of preconditions of brake test
ABT3 Direct brakes and Safety Loop Test
ABT4 Indirect Brakes and Brake Pipe Test

Note: the Safety Loop and Brake Pipe tests are of course replaced by the TCMS integrity check.
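What "TCMS integrity check" has to deliver at the receiving end, as an added illustration that is neither code from this deliverable nor from any CONNECTA partner's product: the local unit accepts an EB3 command frame only if it passes a CRC, a strictly increasing sequence number and a freshness check, and it falls back to an emergency brake demand on any failure or on silence, which is the behaviour a de-energised safety loop gives in the conventional architecture. The frame layout, the complementary command codes, the 200 ms freshness budget and the fail-safe policy are assumptions of this example, not requirements stated in the deliverable.

```python
# Added example: receiver-side validity check for the emergency brake
# command (EB3) carried over the TCMS. Frame layout, codes and timeouts
# are constructed assumptions, not taken from the deliverable.
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed command encoding: complementary codes, so that a single
# corrupted bit cannot turn one valid code into the other.
CMD_RELEASE = 0x00
CMD_APPLY = 0xFF
MAX_AGE_MS = 200   # constructed freshness budget for a command frame

# Constructed frame: seq (u32) | timestamp_ms (u32) | cmd (u8) | crc32 (u32)
FRAME = struct.Struct(">IIBI")


def encode_frame(seq: int, timestamp_ms: int, cmd: int) -> bytes:
    """Sender side (e.g. the cab unit): append a CRC-32 over the payload."""
    payload = struct.pack(">IIB", seq, timestamp_ms, cmd)
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


@dataclass
class EbCommandReceiver:
    """Receiver in the local unit (EBCU) for the EB3 command over the TCMS.

    Assumed fail-safe policy: a frame that fails the CRC, the sequence or
    the freshness check, and any period longer than MAX_AGE_MS without a
    valid frame, yields an emergency brake demand, mirroring the
    de-energised safety loop of the conventional architecture.
    """
    last_seq: Optional[int] = None
    last_valid_ms: Optional[int] = None

    def process(self, frame: bytes, now_ms: int) -> bool:
        """Return True if the local unit must apply the emergency brake."""
        if len(frame) != FRAME.size:
            return True                              # truncated / malformed
        seq, ts, cmd, crc = FRAME.unpack(frame)
        if zlib.crc32(frame[:-4]) & 0xFFFFFFFF != crc:
            return True                              # corrupted in transit
        if self.last_seq is not None and seq <= self.last_seq:
            return True                              # replayed or reordered
        if ts > now_ms or now_ms - ts > MAX_AGE_MS:
            return True                              # stale or implausible
        if cmd not in (CMD_RELEASE, CMD_APPLY):
            return True                              # invalid command code
        self.last_seq = seq
        self.last_valid_ms = now_ms
        return cmd == CMD_APPLY

    def watchdog(self, now_ms: int) -> bool:
        """Called cyclically: brake if no valid frame arrived within MAX_AGE_MS."""
        return self.last_valid_ms is None or now_ms - self.last_valid_ms > MAX_AGE_MS


if __name__ == "__main__":
    rx = EbCommandReceiver()
    print(rx.process(encode_frame(1, 1000, CMD_RELEASE), 1050))   # released
    print(rx.process(encode_frame(2, 1100, CMD_APPLY), 1150))     # apply
    print(rx.process(encode_frame(1, 1000, CMD_RELEASE), 1200))   # replay: brake
    print(rx.watchdog(1400))                                      # silence: brake
```

Note that a lost frame is not itself a reason to brake: the sequence check only rejects frames that go backwards, and loss is covered by the freshness budget and the watchdog, so a single missed cycle does not trigger an unwanted emergency application while silence beyond the budget still does.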


[Figure 14: High Safety Electronic Emergency Pressure Generation. Block diagram: TCMS SIL>2 and TCMS SIL<=2 networks plus safety loop; Driver Cab with Tech SB+EB, P-EB, MC SB+EB and PB on the two networks; per car EBCU, SBCU, PB, MTB, T-CUT, WSPCU and TCU (to traction system), with car suspension and speed inputs; bogie and track]


Symbols:

EBCU Emergency Brake integrated Control Unit (pneumatic+electronics)
SBCU Service Brake Control Unit (pneumatic+electronics)
LC Load Compensation
MC-SB-EB Master controller with direct service brake and Emergency brake command
MTB Magnetic Track Brake Application panel
PB Parking Brake Command
P-EB Emergency Push Button
TCMS Train Control and Monitoring System
TCU Traction Control Unit
Tech SB+EB Technical service sub-systems that require service brake or emergency brake application, for example ERTMS, Fire Alarm, Passenger Alarm, etc.
T-CUT Traction Cut off
WSPCU Wheel Slide Protection integrated Control Unit (pneumatic+electronics)

Note: MTB and P-EB use pneumatic and electric devices.


3.6.3.1 Safety Requirement (SIL/THR) allocated to the Pneumatronic/electronic functions

The system functions and sub-functions related to the new architecture and the required SIL/THR, as per the par. 3.5 analysis, are reported in the following table.

Id. | Sub Function | THR | SIL
BSM1 | Train Topology and Brake System Integrity | (See note 4 in Table 46) | (See note 4 in Table 46)
BSM2 | Manage brake operating modes. | (See note 4 in Table 46) | (See note 4 in Table 46)
EB2 | Actual Emergency Braking Power Calculation | 10^-7 < THR ≤ 10^-6 | SIL2
EB3 | Emergency brake command transmission | ≤ 10^-9 | SIL4
EB4 | Emergency Local brake force generation | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB6 | Traction cut off | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB7 | Emergency brake state and fault detection and indication | 10^-7 < THR ≤ 10^-6 | SIL2
EB8 | Emergency brake isolation | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
ABT2 | Check of preconditions of brake test | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2
ABT3 | Direct brakes and Safety Loop Test | 10^-7 < THR ≤ 10^-6 | SIL2
ABT4 | Indirect Brakes and Brake Pipe Test | 10^-7 < THR ≤ 10^-6 | SIL2

Table 48: EM Pressure Generation Using Electronic Sub Function SIL/THR


3.6.3.2 Safety Requirement (SIL/THR) allocated to TCMS

In this new architecture the main function of the TCMS is to provide the train-consist-wide communication of the Emergency brake command and of the Emergency Brake states and fault detection and indication at an adequate safety integrity level.

The sub-functions suitable to be implemented by the TCMS are:

BSM - Brake System Management, the sub-functions:
BSM1 Train Topology and Brake System Integrity
BSM2 Manage brake operating modes.

EMB Emergency Brake, the sub-functions:
EB2 Actual Emergency Braking Power Calculation
EB3 Emergency brake command transmission
EB6 Traction cut off
EB7 Emergency brake state and fault detection and indication

ABT Automatic Brake Test, the sub-functions:
ABT2 Check of preconditions of brake test

The relevant functional requirements of these sub-functions are specified in chapter 3.4.5 and can be applied to the future TCMS. The safety allocation SIL/THR is shown in Table 48.


3.6.4 High Safety Electronic Cylinder Pressure Generation and Electric Brake in Emergency

New equipment

A development of the pneumatronic equipment described in §3.6.3 is the additional ability to generate the cylinder pressure for both Service Brake and Emergency Brake using an electronic based device receiving the emergency brake request from a network with high safety integrity (>2) and the service brake request through a network with lower safety integrity (<=2). Both networks can be implemented by the future TCMS. The solution includes, in addition to the new high safety integrity level module including LC and EBCU and to the new generation TCMS with SIL ≥ 2 described in the previous chapter, a unit "TORQ" able to measure, with an adequate safety integrity level, the brake torque applied by the electric brake. This signal can be read, via the TCMS, by the new pneumatronic equipment generating the cylinder pressure, permitting the use of the ED brake in the emergency brake application thanks to a high safety integrity level of the ED brake force application diagnosis.

Design improvement

This solution has the same advantages as the solution described in par. 3.6.3 (replacement of several pneumatic devices) with the following additional advantages:
1) Simplification of the brake system: only one cylinder pressure generation unit for both Emergency and Service brake (high safety integrity pneumatronic device).
2) Possibility to use the electro-dynamic brake during Emergency, with advantages in friction pair LCC, pollution due to friction pair dust, noise reduction and energy saving.
The advantages of point 2 are limited to the emergency brake, because the service brake of the conventional system already uses the ED brake. The advantage is not an improved reliability of the ED brake, but the ability to detect in a safe way its real application and, thanks to that, to provide the proper amount of mechanical friction braking force. This advantage is less relevant compared with a really safe and reliable ED brake application. An analysis considering the use of the Emergency brake in normal operation shall be performed to evaluate whether the cost of the torque measuring unit with high safety integrity (>2) is compensated by the above advantages. The solution permits to overcome the above mentioned drawbacks 1), 2), 3), 4), 5) and partially 6) of the conventional system.
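The blending this architecture enables, written out as an added example that is not code from the deliverable nor from any CONNECTA partner: the friction brake demand of one car is the load-compensated emergency demand, limited by a continuous speed-dependent adhesion curve (advantage 5 of §3.6.3, replacing the fixed steps of a double or triple stage valve), minus the ED brake force credited from the TORQ measurement, and the ED contribution is credited only while that signal is valid. The car mass, target deceleration, adhesion curve, wheel radius and the rule "invalid TORQ counts as zero ED force" are constructed assumptions; the load-compensation input is taken here as a mass value so the example stands on its own.

```python
# Added example: emergency blending with a safely measured ED brake torque.
# Vehicle data, adhesion curve and validity policy are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EmergencyBlendParams:
    """Constructed data for one car (assumption, not from the deliverable)."""
    mass_kg: float          # car mass including load, from the EB4.1 load acquisition
    decel_target: float     # required emergency deceleration [m/s^2]
    adhesion_low: float     # usable adhesion coefficient at standstill
    adhesion_high: float    # usable adhesion coefficient at v_high and above
    v_high: float           # speed [m/s] from which adhesion_high applies
    wheel_radius_m: float   # converts the car's ED torque into a force at the rail
    g: float = 9.81


EXAMPLE_CAR = EmergencyBlendParams(
    mass_kg=50_000.0, decel_target=1.2, adhesion_low=0.15,
    adhesion_high=0.10, v_high=80.0, wheel_radius_m=0.46,
)


def adhesion_limited_decel(v_mps: float, p: EmergencyBlendParams = EXAMPLE_CAR) -> float:
    """Continuous adhesion-limited deceleration [m/s^2].

    Replaces the one or two fixed reduction steps of a double/triple stage
    valve (drawback 4). A linear fall-off between standstill and v_high is
    assumed here; a real unit would use the project's adhesion curve.
    """
    if v_mps <= 0.0:
        return p.adhesion_low * p.g
    if v_mps >= p.v_high:
        return p.adhesion_high * p.g
    mu = p.adhesion_low + (p.adhesion_high - p.adhesion_low) * v_mps / p.v_high
    return mu * p.g


def friction_force_demand(v_mps: float, ed_torque_nm: Optional[float],
                          torq_valid: bool, p: EmergencyBlendParams = EXAMPLE_CAR) -> float:
    """Friction brake force [N] the cylinder pressure must produce.

    The total demand is the lower of the target and the adhesion limit.
    The ED contribution is credited only while the TORQ signal is valid;
    if it is missing or invalid (e.g. TCMS below the required SIL) the ED
    brake is assumed to deliver nothing and the friction brake carries the
    whole demand, which is the fail-safe direction for this blending.
    """
    total = p.mass_kg * min(p.decel_target, adhesion_limited_decel(v_mps, p))
    if not torq_valid or ed_torque_nm is None:
        return total
    ed_force = max(0.0, ed_torque_nm) / p.wheel_radius_m
    return max(0.0, total - ed_force)


if __name__ == "__main__":
    for v, torque, valid in ((0.0, None, False), (0.0, 9_200.0, True),
                             (80.0, 9_200.0, True), (80.0, 9_200.0, False)):
        print(f"v={v:5.1f} m/s  TORQ={torque} valid={valid}  "
              f"friction demand={friction_force_demand(v, torque, valid):.0f} N")
```

Two behaviours are worth checking against the text: with TORQ invalid the result is identical to the §3.6.3 architecture (full friction demand), and a TORQ value reported above the total demand is clamped to zero friction force rather than going negative, so a wrong but "valid" torque can reduce friction braking only down to nothing, never reverse it.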

New architecture

In Figure 15 the new architecture permitted by the implementation of this device is represented. The safety loop is still shown, to include also a possible configuration with a TCMS without an adequate safety level. In such a case the availability of the TORQ signal would also be affected.


Sub-functions involved

The brake system sub-functions involved by this new solution are:

BSM - Brake System Management
BSM1 Train Topology and Brake System Integrity
BSM2 Manage brake operating modes.

SB - Service Brake
SB2 Service brake request transmission
SB8 Traction cut off
SB9 Service brake state and fault detection and indication
SB10 Service brake isolation

EMB Emergency Brake
EB1 Emergency brake command generation
EB2 Actual Emergency Braking Power Calculation
EB3 Emergency brake command transmission
EB4 Emergency Local brake force generation
EB6 Traction cut off
EB7 Emergency brake state and fault detection and indication
EB8 Emergency brake isolation

ABT Automatic Brake Test
ABT2 Check of preconditions of brake test
ABT3 Direct brakes and Safety Loop Test
ABT4 Indirect Brakes and Brake Pipe Test
ABT6 Dynamic Brake Systems Test


[Figure 15: High Safety Electronic Cylinder Pressure Generation and Electric Brake in Emergency. Block diagram: TCMS SIL>2 and TCMS SIL<=2 networks plus safety loop; Driver Cab with Tech SB+EB, P-EB, MC SB+EB and PB on the two networks; per car EBCU, E-SBCU, PB, MTB, T-CUT, WSPCU, TCU (to traction system) and TORQ, with car suspension and speed inputs; bogie and track]

Symbols:

EBCU Emergency Brake integrated Control Unit (pneumatic+electronics)
E-SBCU Service Brake Electronic Control Unit
LC Load Compensation
MC-SB-EB Master controller with direct service brake and Emergency brake command
MTB Magnetic Track Brake Application panel
PB Parking Brake Command
P-EB Emergency Push Button
TCMS Train Control and Monitoring System
TCU Traction Control Unit
Tech SB+EB Technical service sub-systems that require service brake or emergency brake application, for example ERTMS, Fire Alarm, Passenger Alarm, etc.
TORQ Electric Torque sensor
T-CUT Traction Cut off
WSPCU Wheel Slide Protection integrated Control Unit (pneumatic+electronics)

Note: MTB and P-EB use pneumatic and electric devices.


3.6.4.1 Safety Requirement (SIL/THR) allocated to the Pneumatronic/electronic equipment

The system functions and sub-functions related to the new architecture and the required SIL/THR, as per the par. 3.5 analysis, are reported in the following table.

Id. | Sub Function | THR | SIL
BSM1 | Train Topology and Brake System Integrity | (See note 4 in Table 46) | (See note 4 in Table 46)
BSM2 | Manage brake operating modes. | (See note 4 in Table 46) | (See note 4 in Table 46)
SB2 | Service brake request transmission | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2
SB8 | Traction cut off | - | -
SB9 | Service brake state and fault detection and indication | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2
SB10 | Service brake isolation | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2
EB2 | Actual Emergency Braking Power Calculation | 10^-7 < THR ≤ 10^-6 | SIL2
EB3 | Emergency brake command transmission | ≤ 10^-9 | SIL4
EB4 | Emergency Local brake force generation | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB5 | Emergency brake energy storing | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB6 | Traction cut off | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
EB7 | Emergency brake state and fault detection and indication | 10^-7 < THR ≤ 10^-6 | SIL2
EB8 | Emergency brake isolation | 10^-7 < THR ≤ 10^-6 | (See note 2 in Table 46)
ABT2 | Check of preconditions of brake test | 10^-7 < THR ≤ 10^-5 | SIL1-SIL2
ABT3 | Direct brakes and Safety Loop Test | 10^-7 < THR ≤ 10^-6 | SIL2
ABT4 | Indirect Brakes and Brake Pipe Test | 10^-7 < THR ≤ 10^-6 | SIL2
ABT6 | Dynamic Brake Systems Test | 10^-7 < THR ≤ 10^-6 | SIL2

Table 49: EM Pressure Generation Using Electronic Sub Function SIL/THR


3.6.4.2 Safety Requirement (SIL/THR) allocated to TCMS

In this new architecture the main function of the TCMS is to provide the train-consist-wide communication of the Emergency brake command, of the Emergency Brake status and fault detection and indication, and of the actual achieved torque at an adequate safety integrity level. At a different (lower) safety level it should also provide the service brake request to the EBU.

The sub-functions suitable to be implemented by the TCMS are:

BSM - Brake System Management, the sub-functions:
BSM1 Train Topology and Brake System Integrity
BSM2 Manage brake operating modes.

SB - Service Brake, the sub-functions:
SB2 Service brake request transmission
SB8 Traction cut off
SB9 Service brake state and fault detection and indication

EB - Emergency Brake, the sub-functions:
EB2 Actual Emergency Braking Power Calculation
EB3 Emergency brake command transmission
EB6 Traction cut off
EB7 Emergency brake state and fault detection and indication

ABT Automatic Brake Test, the sub-functions:
ABT2 Check of preconditions of brake test

The relevant functional requirements of these sub-functions are specified in chapter 3.4.5 and are reported there so that they can be applied to the future TCMS. The safety allocation SIL/THR is shown in Table 49.


4 CONCLUSIONS

This deliverable covers and concludes the activity of Task 5.1 of CTA WP5. The contents are in line with what is expected, as stated in the CTA grant agreement; the results have been achieved with the active participation of all participants, according to the CTA WP5 available budget.

The contents cover wide engineering fields, going from system functional analysis methodology, brake system technology and safety analysis to electronics and the relevant European standards. For this reason an intense discussion was needed among the participants to reach a common view on the contents to be included and on the consistency of the document.

The innovative solutions proposed in this document only cover the Brake Control part of the Brake System. In the frame of the Horizon 2020 programme, there may be projects in the future dealing with innovative solutions for the brake force application devices. Any impact on the currently proposed solutions can be evaluated at a later stage of the project, if more details about these innovative solutions become available in due time.
