Copenhagen Metro Safety Assessment Start of Test Operation 2001 Peter Wigger Institute for Software, Electronics, Railroad Technology, TÜV InterTraffic GmbH, a company of the TÜV Rheinland / Berlin-Brandenburg Group

Abstract In autumn 2002, the automatic driverless Metro will commence operation in Copenhagen. The German BOStrab (Regulation for the Construction and Operation of Tramways) was chosen as a basis for the safety approval/assessment of the Metro in conjunction with the European CENELEC standards for Railway Applications. TÜV Rheinland has been assigned the role of the Safety Assessor. For the complete system a safety case must be assessed. Using the PASC ap- proach developed by TÜV Rheinland, safety is a fixed part of the system development from the beginning. An effective course of the project and in-time start of operation can be expected as benefits. By the end of 2000 / early 2001, construction and installation has been finalized for the above ground area of the Metro whereas construction and installation is ongoing in the under- ground area. Various sub-system milestones have been achieved and several system level evalua- tions have been performed for the above ground part of the Metro. The paper describes the safety assessment process with focus on the start of system wide tests of the system operation on the above ground area. Up to six vehicles will demonstrate the system capabilities. The Acceptance of the above ground area of the Metro is planned in late 2001.

1. Introduction In autumn 2002, the Copenhagen Metro will commence revenue service. This first Danish metro will be an automatic driverless system, in the first project phase connecting downtown Copenha- gen with the university, the new fair area and the developing suburb ¯restad on Amager island. Up to 19 trains - consisting of 3 cars each - will travel with a headway of 90 s between 14 stations on a permanent way of 19 km double track. While the system will be operated in downtown Copen- hagen as an underground it will run aboveground and even across bridges and viaducts in the Am- ager area. In later project phases the system will be extended to the north-west of Copenhagen and in the south-east to the international airport. See figure 1.

044.doc 1 / 17 Figure 1: Metro Map (source ¯restadsselskabet)

As Denmark had no legal framework for the approval of systems like the Copenhagen Metro, the Danish Government decided to rely on a proven German approval procedure as e.g. performed for the Sky Line, an automatic, driverless mass transit system at Frankfurt Airport [6]. In Germany, public tracked mass transit systems fall under the German regulation for the con- struction and operation of tramways (BOStrab). This regulation does not only apply to conven- tional tramway systems - as the title may imply - but also to new, unconventional types of tracked transport systems including fully automatic rapid transit systems. The German BOStrab regulation requires a strongly regimented approval procedure under the su- pervision of a Technical Supervisory Authority (TSA). The respective Danish Authority (the Railway Inspectorate Jernbanetilsynet, an authority under the Ministry of Transport) asked for safety assessment by an independent Assessor. For the complete system a safety case must be assessed. The safety assessment process of the Copenhagen Metro with focus on the start of system wide tests of the system operation on the above ground area will be described in the following.

044.doc 2 / 17 2. Safety Assessment Process of the Copenhagen Metro TÜV Rheinland with their competence and experience in the certification of complex, safety relevant systems for railway applications was chosen after the tender phase to play the role of the independent Safety Assessor in the Copenhagen Metro project. The safety assessment of the Copenhagen Metro covers all relevant sub-systems like Permanent Way, Power Supply and Traction Power, Radio and Telecommunication, Control Centre, Sta- tions, Station Doors, Rolling Stock and Civil Works. Special attention is paid on the Automatic Train Protection (ATP) system being part of the Automatic Train Control (ATC) sub-system, the electronic heart of the Metro responsible for control and safety of the automatic driverless system. TÜV Rheinland has subcontracted Det Norske Veritas Denmark for local support in Copenhagen and safety assessment in the area of civil works.

2.1 Basis for the Safety Assessment The assessment of the Copenhagen Metro system is performed based on the German BOStrab [1]. The European Union already stated some years ago that the use of BOStrab does not hinder com- petition and thus it may be used throughout the countries of the EU. BOStrab calls for compliance with the orders of the Technical Supervisory Authority, and with the "generally accepted rules of technology" (GARTs). These rules consist of standards and regula- tions that represent the opinion of the majority of the experts in the field of public transport technology. Besides standards like DIN, VDE, UIC, EN, IEC in Germany several of the VDV papers have the status of a GART in the field of public transport technology. The VDV is a German association of companies that operate public short-distance transport systems (tramways, light rail, busses, pri- vate railroad systems). Some of the VDV papers even have the status of a directive to BOStrab and have been acknowledged by the Federal Ministry of Transport. For the Copenhagen Metro the VDV papers in connection with the new European Standards for Railway Applications prEN 50126 [2], prEN 50128 [3], and ENV 50129 [4] have been assigned to be GARTs for the safety assessment. These standards are supplemented with the American fire standard for rapid transit systems NFPA 130 and Danish national standards. All safety activities as well as the generation of the safety documentation are performed according to these standards.

2.2 Overall Safety Approach The BOStrab distinguishes between the Inspection of documents (¤ 60), the inspection during manufacturing (¤ 61) and the final safety acceptance (¤ 62) as the different main steps of the assessment. The overall procedure of the new European Standard prEN 50126 [2] is based on the lifecycle model. The lifecycle model distinguishes between different phases starting with the Con- cept Phase, continuing with the System Definition and Application Conditions, The Risk Analy- sis, The System Requirements, Apportionment of System Requirements, System Design and Im- plementation, Manufacturing, Installation, System Validation, System Acceptance, Operation and Maintenance, Performance Monitoring, Modification and Retrofit and finally Decommissioning and Disposal. Each phase contains well defined, phase-related general, RAM (reliability, availabil- ity, maintainability) and safety tasks. In order to follow the safety approach of BOStrab in com- bination with the lifecycle model of prEN 50126 [2], the following Approval / Authority Accep- tance Milestones have been defined. The status as per 2001 is also depicted. Note, that the Mile- stones mean the finalization of the related activities, i.e. various activities have already been started for the Milestones planned to be achieved in 2002. The start of system operation tests on the above ground area is related to the Milestone FSA.

044.doc 3 / 17 Overall System Design Approval (OSD) Design Approval (DA) Engineering Approval (EA) Sub-system Acceptance (SA) Functional Section (above ground area) Acceptance (FSA) Installation Acceptance for Sections of the Metro (IAS) Acceptance of each Series Produced Train (ARS) Approval of System Operator Procedures & Organization (AOP) Approval of System Operator Staff Training (AOT) Preliminary System Operator Certificate (POC) Final System Operator Certificate (OC)

For the new Copenhagen Metro it was required, that the risk created by the planned operation of the transport system is As Low as Reasonably Practicable (ALARP) and at least as low as compa- rable modern automatic light railway systems with several years of operation history, e.g. the SkyLine in Vancouver, Canada and the VAL in Lille, France. For the risk acceptance criteria the ALARP principle was chosen in order to ensure a reasonable balance of economic feasibility against risk level. On that basis it was required, that the concept of Safety Integrity Levels (SIL«s) shall be used [5] and that the overall SIL for the entire Metro shall be four. Hazard and Risk analyses and classifica- tion can be employed to identify adequate lower-level SIL«s to subsystems and/or safety functions. The methodology used to apportion SIL«s to safety functions / sub-systems is derived from the CENELEC standards and has been performed according to the following steps: 1) Functional Analysis of the overall Metro to identify all safety related functions. 2) Identification of the required level of safety / SIL assignment to safety related functions. 3) Assignment of each safety related function to safety systems. 4) Identification, where applicable, of external risk reduction facilities. Redundant or back up risk reduction measures can be a combination of system design, procedures and external fa- cilities. The safety related functions applicable for the above ground area were considered for the start of system wide tests of the system operation on the above ground area for the system level Mile- stone FSA.

044.doc 4 / 17 2.3 Project Accompanying Safety Certification (PASC) The safety assessment of fully automatic transport systems implies several specialities resulting from their characteristics and complexity. In former times, e. g. for conventional interlocking components, the assessment process only started after the development, when the safety docu- mentation had been completed. For the assessment of modern automatic transport systems (like the Copenhagen Metro) with - apart from other features - sophisticated computerized automatic train protection systems, this procedure is no longer suitable, because the time needed for the de- velopment (especially for the ATP hard- and software) is too long and the innovation cycle of technology is too short. The advanced procedure used by TÜV Rheinland for several years and various projects is the Pro- ject Accompanying Safety Certification (PASC). Using this procedure, safety experts perform their inspections and assessments concurrently with the development of the system. When fol- lowing this procedure it is very important to perform efficient project management and to plan the course of the safety assessment process thoroughly. Furthermore it is important to trace the assessment and to keep up with the assessment documentation in order to avoid serious short- comings or gaps in the system safety case to be assessed, which might shift the date of putting the system into operation. For complex systems like the Copenhagen Metro such topics are even more important as several safety experts and authorities will be involved in the assessment proc- ess. In order to apply the PASC procedure in an effective way, a detailed Assessment Plan is essential for the assessment of the Metro system. TÜV Rheinland uses a top-down structured, computer- supported assessment plan, which has been adapted to the Metro Project. Figure 2 shows a sketch of the four levels of the Assessment Plan for the Copenhagen Metro. While on level 1 the total Metro system is divided into sub-systems, on Level 2 the sub-systems are broken down into main components, and these into component groups and components which are subject to BOStrab assessment. Within level 3 these are subdivided into separate assessment objects. Every single assessment object is marked by the component-number followed by an addi- tional three-digit number, that allows the indication of the according milestone, kind of assess- ment and the assessment object. This assessment number represents the link to level 4 - the un- derlying databases. These databases do not really represent a hierarchically lower level - the num- ber of assessment objects in level 3 and 4 is the same - but contain detailed data for planning, per- forming and monitoring of all assessment activities. In order to incorporate assessments that apply to the overall system (e.g. overall safety accep- tance according to BOStrab ¤ 62, Evacuation and Rescue Concept etc.) the "dummy" sub-system "System Comprehensive 1.000" was added in level 1 of the assessment plan. This allows the breaking down of system safety items to the bottom level in the same way as for "real" sub- systems. In a similar way a block Sub-system Comprehensive was added for every sub-system on level 2. Project aspects of planning and monitoring the assessment process across the many defined as- sessment and approval milestones, also under aspects of resources and the project schedule are very important. These features were enabled by introducing these milestones into level 3 of the Assessment Plan and by incorporating of more project planning capabilities.

044.doc 5 / 17 Safety Assessment according to BOStrab of the Copenhagen Metro

Level 1 System Subsystem Subsystem Autom. Comprehensive Rolling Stock Train Control

1.000 12.000 5.000

Bogies Door System Braking System

12.200 12.800 12.700 Level 2 ATP Interface Door Control / Operator

Door Control / Operator Legend: 12.810.xxx xxx Level 3 OSD DA SA 21 Safety Concept 31 Installation Assessment item 211D 311M Assessment object 22 Electrical 312A Milestone Design (1=OSD, 2=DA, 3=SA ...)

Assessment Databases Inspection of Inspection during Safety Acceptance Level 4 Documents Manufacture D M A Documentation Database Interface Information Database

Figure 2: Principle representation of the four-level assessment plan for the Metro

Summarizing it can be stated that this tool-set supports the planning process and trac- ing/monitoring of all necessary assessment activities. This is essential to run the assessment proc- ess close to the system supplier's design, construction, installation and testing process.

044.doc 6 / 17 2.4 Assessment Results The results of every inspection, test and safety acceptance will be laid down in a report. These reports also contain an identification of the component/item and the foundations (regulations, standards etc.) of the performed assessment. After the completion of all necessary single assess- ments of a sub-system (for all sub-sub-systems or components), for each sub-system of the Metro defined in the initial assessment plan, a sub-system-comprehensive assessment report - based on the assessment of the sub-system safety cases - will be created that not only sums up the results of the single assessment activities but also judges the suitability of the component/assessment object for the Metro from the system safety point of view. Figure 3 depicts the dependencies of the dif- ferent safety cases. For the whole system, so-called Safety Trial Runs will have to be performed by the supplier in order to prove that the system is operating properly and safely under real operating conditions. This is especially important for the ATP system. The Assessor will have to perform several tasks concerning the Safety Trial Runs. On completion of the trials he will issue a report on the results of the complete safety trial period. For each milestone of the assessment plan that needs to be approved by the Technical Supervi- sory Authority (TSA) the Assessor will prepare a report showing the degree of fulfillment of the BOStrab requirements by that milestone. Finally, the Assessor will create a comprehensive report on the fulfillment of the BOStrab requirements and - after the safety acceptance on the overall system has been performed - will issue a statement on the operational safety of the overall Metro system and will recommend system approval by the TSA. After the TSA has issued the prelimi- nary permit for operation the system may be put into revenue service.

044.doc 7 / 17 System Safety Plan

System Safety Case Plan CPH Metro Safety Requirements Spec System Safety Case * System Hazard Analysis

other Safety Documentation

System Level

Sub-system Level

Permanent Way Perm. Way Safety Case related Safety Cases ......

Rolling Stock Rolling Stock Safety Case

......

ATC ATC Safety Case

ATP Safety Case(s) * all Safety Cases according to ENV50129 related Safety Case(s) in structure and contents

Figure 3: Dependencies of Safety Cases

044.doc 8 / 17 3.0 Start of System Test Operation By the end of 2000 / early 2001, construction and installation has been mostly finalized for the above ground part of the Metro whereas construction and installation is ongoing in the under- ground part of the Metro. So far, various sub-system Milestones have been achieved or the achievement is foreseeable. Several system level evaluations have been performed for the above ground part of the system. The individual sub-systems have been tested after their installation and the sub-systems related functionality has been mostly demonstrated to far. Following the PASC approach described above, the Safety Assessor performed an assessment of the related test documentation and verification / validation documentation. Further, the Assessor performed various site inspections and has partly witnessed the supplier's tests to gain confirmation, that the individual sub-systems have been properly installed and tested as specified in compliance with the respective safety requirements. The depth of assessment and testing depends on the assigned Safety Integrity Level of the safety functions / the sub-systems. The most complex sub-system testing and assessment activities are performed on the sub-systems Automatic Train Control (ATC) and Rolling Stock. Completion of train sets are still rolling off the production lines at the System Supplier's factories. A total of seven trains was sent to Denmark by the end of 2000 and put trough the requisite test runs before all functions receive final approval. During the course of the year 2000, sub-system integration and testing was performed, prepara- tions for operation seriously got under way, and the System Supplier's service operator moved into the Control and Maintenance Center. A mobilization plan was developed and job descriptions have been worked out along with the comprehensive training plans. Staff size was increased and practical training especially of the coming Metro stewards has been started. Further, the so called ãBetriebsleiter“, who has a certain role and responsibility according to BOStrab [1], has been as- signed and was approved by the Railway Authority. Under his overall responsibility, a quality sys- tem has been set up and the first set of operational procedures has been developed. The Metro system level safety functions are either performed by individual sub-systems, by a combination of sub-systems and/or in combination with human intervention on the basis of opera- tional procedures. As the next logical step the system supplier has therefore planned to perform integrated tests on the above ground part of the line. The experience gained so far on a short por- tion of the track within the Control and Maintenance Area has been used to plan the further steps.

3.1 Risk Evaluation The complexity of the planned tests (up to six vehicles in automatic operation will demonstrate the system capabilities) and the use of a portion of the line with potential for interfering with public facilities may lead to additional risks with respect to those experienced so far in the testing performed on the various sub-systems and within the Control and Maintenance Area. Risk evaluation has been performed similar to the hazard analyses performed within the system design phase, i.e. definition of the top events, identification of the hazards leading to the top event, classification of the severity of the hazards, and finally verification whether sufficient safety measures are in place. Additional emphasis was given on failure modes caused by the fact, that the area under test is still a construction site. Besides the top events already defined in the early hazard analyses (e.g. collision between trains, collision with objects / persons, derailment, fire in train / in stations / on the guide-way, electrocution, structural collapse, etc.) other events have been considered as e.g. people falling from train or violation of test area limits.

044.doc 9 / 17 On the basis of the above mentioned risk evaluation and in agreement with the Railway Authority, the Safety Assessor and the System Owner, the System Supplier has established an approach in order to ensure that testing on the above ground part of the Metro can be performed with an ac- ceptable risk level for the staff and third parties. The steps were: preparation of Health & Safety procedures and implementation of site specific safety precau- tions, preparation of safety related operational procedures; these procedures are, in principle, the same procedures that will be used by the Metro staff during revenue service, training of the personnel which will be involved in the operations on the above ground area, finalization of design / installation / test / commissioning activities of the sub-systems to be used on the above ground area. As a result, various provisions and precautions have been defined as e.g. warning signs and labels, removal of power supply and buffers at the end of the testing area, etc. Many of them were tem- porary and in certain cases the adopted precautions were limiting the effectiveness of the test pro- gram. It was therefore planned and agreed to remove some of these precautions, once the performed tests have provided enough confidence that the precaution is not further needed. To remove precau- tions the System Supplier had to ask for a permit of the relevant authorities.

3.2 Test Runs In May 2000, the above ground part of the Metro between Sundby Station and Vestamager Station by the Control and Maintenance Center was opened for testing. The test runs were planned ac- cording to a plan presented by the System Supplier and agreed on by the Railway Authority, the Safety Assessor and the System Owner. The testing program has been subdivided into four test phases of increasing level of complexity. The phases are: Phase 1: Early Testing: one vehicle at low speed in manual mode, Phase 2: Automatic single train testing, Phase 3: Automatic dual train testing, Phase 4: Multiple train (3 to 6 vehicles) testing.

044.doc 10 / 17 Test Environment

Testing Phase Test Group No of trains Mode Speed Switch Tracks Vehicle Operation 1 Early Testing Wayside Dynamic Tests 1 15 km/h Clipped All Manual Single Vehicle Low Speed Wayside Integration 1 15 km/h Clipped All ATP Automatic Single Single Vehicle 2 Train Testing Low Speed Assurance 1 20 km/h Auto All ATP Single Vehicle Line Speed Assurance 1 80 km/h Auto All ATP Single Vehicle Shuttle Mode 1 80 km/h Auto All ATP 3 Automatic Dual 2 vehicle ATP Protection Assurance 1 train Train Testing Parallel Tracks, Low Speed 2 20 km/h Clipped per track ATP 2 vehicle ATP Protection Assurance 1 train Parallel Tracks 2 80 km/h Clipped per track ATP 2 vehicle ATO Operation 1 train Parallel Tracks 2 80 km/h Auto per track ATO 2 vehicle ATP Operation Same Following Moves, Low Speed 2 20 km/h Auto track ATP 2 vehicle ATP Operation Following Moves Same Rescue Operation 2 80 km/h Auto track ATP 2 vehicle ATP Operation Same Following Moves 2 80 km/h Auto track ATO 2 vehicle ATP Protection Converging Moves, Low Speed 2 20 km/h Auto All ATP 2 vehicle ATP Protection Converging Moves 2 80 km/h Auto All ATP 2 vehicle ATO Operation Converging Moves 2 80 km/h Auto All ATO 4 Multiple Train Multiple Train Operation Testing System Startup & Stress Testing ATC Sub-system Demonstration Tests 3 - 6 80 km/h Auto All ATO

ATC: Automatic Train Control ATP: Automatic Train Protection ATO: Automatic Train Operation

Table 1: Test Phases for the above ground part of the Metro

The test runs were carried out planned according to the above described program. Successful com- pletion of each phase was a prerequisite for the start of the next phase. After the completion of each phase, the Safety Assessor was involved in the System Supplier's evaluations to start the next phase. Corresponding permits were given by the Railway Authority, each. Plans and procedures for future operation and maintenance are currently being prepared. The service operator is actively taking part of the System Supplier's test running of trains and facili- ties. In this way coming operational staff can gain experience in the practical handling of the Metro system from early on. The following figures give a few impressions of the Metro site.

044.doc 11 / 17 Figure 4: Train on the above ground area passing highway and railroad (source Ansaldo)

Figure 5: Train on the above ground area passing the channel (source Ansaldo)

044.doc 12 / 17 Figure 6: Train on the above ground area at Vestamager Station (source ¯restadsselskabet)

Figure 7: Control and Maintenance Center (source TÜV InterTraffic) 044.doc 13 / 17 3.4 Acceptance of the above ground area In parallel to the above described testing activities, various system level activities have been car- ried out during the year 2001. The further development of the Fire Protection Concept as well as the Evacuation and Rescue Concept are to be mentioned here. Complex system level scenarios have to be considered in order to ensure the proper integration of technical systems with the sys- tem operator as well as further third parties as e.g. the fire brigade, the police, the community, rescue authorities, etc. Hazard Analyses and Risk Assessments have been carried out on the basis of the approved sub-system design and the experience gained so far from system testing and op- eration. Safety Planning has been updated to plan the further steps and milestones in more detail. The Acceptance of the above ground area is planned for 2001 and comprises the demonstration of full system operation and capabilities to the limits of the above ground area.

3.5 Outlook on the underground area In early 2001, tunnel boring through the ground of downtown Copenhagen and Frederiksberg came to an end. Track laying in the tunnels has been almost completed. Civil Works on the under- ground stations as well as the further installation of the various systems like Power Supply, Light- ning, Tunnel Ventilation and Communication Systems is planned to be finished end 2001/ early 2002. The following figures give a few impressions of the underground area.

Figure 8: Tunnel Section (source ¯restadsselskabet)

044.doc 14 / 17 Figure 9: Model of Deep Underground Station (source ¯restadsselskabet)

A similar testing approach will be followed as for the above ground part of the Metro. Testing will start step wise by defining test phases with increased complexity of the tested scenarios, whereas special emphasis is given to the typical underground sub-systems like Platform Screen Doors and typical underground safety functions like the tunnel ventilation. In summer 2002, completion of testing is planned, so that the Metro can start the so-called Safety Trial Runs in order to prove that the system is operating properly and safely under real operating conditions. This is especially important for the ATP system. The Assessor will have to perform several tasks concerning the Safety Trial Runs.

4. Conclusion By using the Project Accompanying Safety Certification (PASC) procedure for the Safety As- sessment of complex automatic Mass Transit Systems like the Copenhagen Metro, the assessment activities are synchronized with the system development process. Early start of testing activities following a step-wise approach in closed co-operation with the Railway Authority, the Safety Assessor and the System Owner allows the System Supplier to gain experience with the system in order to ensure proper functionality and safety of the system. Plans and procedures for future operation and maintenance are being prepared from early on. Time- and cost intensive design changes are avoided and system safety is a fixed part of the system development and testing from the beginning. An effective course of the project and in-time start of operation can be expected as benefits.

044.doc 15 / 17 References [1] Verordnung über den Bau und Betrieb der Stra§enbahnen Ð BOStrab (Federal Regulation for the Construction and Operation of Tramways) Issue: 11 December 1987 [2] prEN 50126 Railway Applications The Specification and Demonstration of Dependability, Reliability, Availability, Maintainability and Safety (RAMS) Issue: June 1997 [3] prEN 50128 Railway Applications Software for Railway Control and Protection Systems Issue: June 1997 [4] ENV 50129 Railway Applications Safety Related Electronic Systems for Signalling Issue: June 1997 [5] Railway Applications Systematic Allocation of Safety Integrity Requirements CENELEC Report prR009-004 Issue: Final Draft March 1999 [6] Frederiksen, G.S. & Haspel, U. The New Automatic Metro for Copenhagen: Modern Approach to the Safety Assess- ment, World Conference on Railway Resarch (WCRR «97), Florence, Italy, 1997 [7] Wigger. P. & Haspel, U. Safety Assessment of Copenhagen driverless automatic mass transit system 6th International Conference COMPRAIL 98, Lisbon, Portugal, pp 63 - 72, 1998 [8] Haspel, U & Wigger. P. Safety aspects of driverless metros - assessment of the Copenhagen Metro 7th International Conference on Automated People Movers '99, Copenhagen, Denmark, pp 88 - 95, 1999 [9] Schäbe H. & Wigger P. Experience with SIL Allocation in Railway Applications, Proc. of the fourth int. symposium on Programmable Electronics Systems in Safety Related Applica- tions Cologne, Germany, 2000

044.doc 16 / 17 Contacts and Web Sites

Author Contact: Dipl.-Ing. Peter Wigger TÜV InterTraffic GmbH Institute for Software, Electronics, Railroad Technology (ISEB) Am Grauen Stein D - 51105 Cologne Phone: +49 221 806 3322 Fax: +49 221 806 2581 e-mail: [email protected]

Further information can be found on the following Web Sites:

Information on the TÜV Rheinland/Berlin-Brandenburg Group and the Institute for Software, Electronics, Railroad Technology (ISEB) can be found under www.tuev-rheinland.de www.iseb.com

Information on the Copenhagen Metro Project can be found under www.ansaldo.dk (Copenhagen Metro System Supplier Ansaldo Trasporti S.p.A.) www.m.dk (Copenhagen Metro System Owner ¯restadsselskabet I/S)

044.doc 17 / 17