Points control for Amsterdam trams – State of the art

The Uithoornlijn is a new section of the Amsterdam tram network that connects Uithoorn, a suburb, with Amsterdam. In order to ensure that trams can leave and return to the depot during operations, a switch complex has been realised at the depot’s entrance / exit. Because trams travel through this area at 50 km/h and because of the presence of the entrance / exit, a switch controller system is required to ensure safe operations. This article showcases the system that is used to ensure safe operations on the Uithoornlijn.

1. Project information
The number of public transport users in the Amsterdam region, which includes Amstelveen and Uithoorn, has risen in recent years. The number of passengers is expected to continue rising in the coming years. To ensure that the region remains easily accessible in the future, the region's public transport network is being further expanded on behalf of the Amsterdam Transport Region (VRA). One of these developments is the extension of the renewed Amstelveenlijn to the village centre of Uithoorn: the Uithoornlijn, a new, high-quality tram line that is more reliable and faster than the current bus line (Uithoornlijn, 2022).

1.1 Introduction to the line extension
The new Uithoornlijn is 4.4 km long and runs from Amstelveen to Uithoorn (Figure 1). In total there are three switch complexes on the new section. The first is located at the entrance / exit of the depot (Figure 2). Here it is possible to drive into the depot or onto the line via a total of five switches. At the second complex, the Uithoorn Station stop, it is possible to turn around on the line or to park a defective tram on a siding. At the end of the line, at the Uithoorn Centrum stop, the stop is served via a scissors crossover with a subsequent reversal of direction.

1.2 Introduction to the depot extension
In addition to the extension of the existing network, the capacity of the tram depot is also being expanded. The expansion includes the construction of a washing facility, quick-repair facilities, extra stabling tracks and access to the line between Amstelveen and Uithoorn.

2. Installation WK2701
As a speed of 50 km/h is to be used in the area of the depot entrance and exit, and availability requirements are high due to the critical location, control and protection of the switch complex must be ensured by a traffic signal system with Safety Integrity Level 3 (SIL 3 according to CENELEC EN 50129) for the protective functions. Of particular importance are:

  • Safe route management to rule out collisions between trains
  • Additional flank protection by flank-protection switches due to the increased speed
  • Secure and continuous detection of vehicles in the entire safe segment
  • Safe control of the point machines or reliable protection against changeover
  • Reliable signalling of passability

On behalf of the municipality of Amsterdam, HANNING & KAHL, as system supplier, has built signalling installation WK2701, which, in addition to the required safety functions, also implements other requirements stipulated by asset manager GVB:

  • Vehicle-induced request for routes with the VECOM system
  • Possibility of manual correction or replacement request by the tram driver on the route
  • Partial dissolution of routes to increase throughput
  • Improved fault management to optimize availability

2.1 Route management
A signalling installation for driving on sight must have a safe route management system in accordance with the integrity requirement 2.5.4 Route formation of the VDV331. For this purpose, HANNING & KAHL uses a route process that works according to Figure xx:

A route request is followed by an approval check, which checks, among other things, the status of the elements that can be set, the availability of detection agents, exclusions and more. If the approval check is successful, the setting process takes place: all elements are set in target position, locked accordingly and any route exclusions become active. After successful setting, the route is released and can be safely driven by the driver. When the driver has crossed and cleared the route correctly, the route is dissolved and is now available again.

Signalling installation WK2701 controls six routes: one route for each direction on the mainline and four routes for entering and exiting the depot. As there are several crossing points due to depot access, exclusions are necessary to prevent collisions of the crossing routes with the routes on the mainline. Furthermore, due to the high speed of up to 70 km/h, special emphasis is placed on the use of flank-protection switches. Under the principle of "driving on sight", train control that forces braking when stop signals are disregarded is generally not necessary. As in road traffic, the driver is always responsible for driving with foresight and in an adapted manner, so as to stop in time if necessary. Nevertheless, human error, deceleration or other events can lead to a stop signal being crossed. In this case, flank switches are set in deflecting position and locked to protect the secured track so that a collision cannot occur.

As some of the tracks to be secured are very long due to track dimensioning, they have been divided into route parts to enable partial dissolution. As a result, other excluded routes can be approved and set earlier in order to ensure an increase in operational throughput.

Route request is always from the vehicle side. As a fallback level, however, drivers can make corrections and replacement requests along the route. In principle, the driver can help himself or herself and is not dependent on technical personnel. On special request, maintenance personnel also have the option of setting and cancelling routes from the control cabinet and controlling individual points for maintenance purposes.
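The route process described in this section (approval check, setting and locking, release, partial dissolution) can be sketched as a small interlocking model. This is an added example, not HANNING & KAHL's implementation: the route names, points, sections and exclusion table are constructed, and holding point locks until a route is fully dissolved is an assumption of the sketch.

```python
class Interlocking:
    def __init__(self, routes, sections):
        self.routes = routes  # name -> (points, parts); parts: section -> routes excluded while held
        self.occupied = dict.fromkeys(sections, False)  # vehicle detection per section
        self.locks = {}       # point -> (position, set of routes holding the lock)
        self.held = {}        # active route -> parts not yet dissolved, in travel order

    def request(self, name):
        points, parts = self.routes[name]
        # Approval check: exclusions, detection reports free, point locks compatible.
        for active, left in self.held.items():
            if active == name or any(name in self.routes[active][1][p] for p in left):
                return "REJECTED: exclusion"
        if any(self.occupied[s] for s in parts):
            return "REJECTED: occupied"
        if any(pt in self.locks and self.locks[pt][0] != pos for pt, pos in points.items()):
            return "REJECTED: point locked"
        # Setting process: set and lock all points; exclusions become active.
        for pt, pos in points.items():
            self.locks.setdefault(pt, (pos, set()))[1].add(name)
        self.held[name] = list(parts)
        return "RELEASED"

    def part_cleared(self, name, section):
        # Partial dissolution: only the next part in order, and only once it is free.
        left = self.held.get(name)
        if not left or left[0] != section or self.occupied[section]:
            return False
        left.pop(0)
        if not left:  # fully dissolved: release this route's point locks
            del self.held[name]
            for pt in self.routes[name][0]:
                self.locks[pt][1].discard(name)
            self.locks = {p: l for p, l in self.locks.items() if l[1]}
        return True

ROUTES = {  # constructed layout: one mainline route crossed by two depot routes
    "MAIN": ({"W1": "straight", "W2_flank": "deflecting"}, {"x": {"DEPOT_IN", "DEPOT_OUT"}, "m_out": set()}),
    "DEPOT_IN": ({"W3": "deflecting"}, {"x": {"MAIN", "DEPOT_OUT"}, "d_in": {"DEPOT_OUT"}}),
    "DEPOT_OUT": ({"W2_flank": "straight"}, {"d_out": {"MAIN", "DEPOT_IN"}, "x": {"MAIN", "DEPOT_IN"}}),
}

def demo():
    ixl = Interlocking(ROUTES, ["x", "m_out", "d_in", "d_out"])
    log = [ixl.request("MAIN"), ixl.request("DEPOT_IN")]
    ixl.occupied["x"] = True                    # tram is on the crossing section
    log.append(ixl.part_cleared("MAIN", "x"))
    ixl.occupied["x"] = False                   # crossing section reported free
    log.append(ixl.part_cleared("MAIN", "x"))
    return log + [ixl.request("DEPOT_OUT"), ixl.request("DEPOT_IN")]
```

Once the crossing section of the mainline route is dissolved, the crossing depot entry can be set, while the depot exit stays rejected because the flank-protection point is still locked in deflecting position.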

2.2 Degraded mode / automatic reset
If errors or malfunctions occur in the system, the signalling installation reacts restrictively and towards the safe side, depending on the error: adjustable elements remain locked or are locked, signals indicate STOP or become dark. Serious errors, such as the failure of components, channel malfunctions in the safe processor system or coupling-in of voltages, must be examined and dealt with by maintenance personnel and lead to a shutdown of the system. Minor errors, such as the inadmissible passing of stop signals or an inadmissible manual change of point-setting which have occurred due to a mistake made by the driver, are intercepted by the so-called "degraded mode": similar to shutdown, all switches are locked and all signals indicate "STOP", but there is the possibility of automatic return to normal operation. When all minor errors have been remedied and the entire safe segment covered by the “free” report is “free” for a defined period, the system returns to normal operation and is available again for further operation. For this to succeed, the entire segment covered by the signalling installation has safe and continuous vehicle detection.
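The degraded-mode logic above can be modelled as a three-state supervisor. This is an added example, not the WK2701 software: the fault identifiers and the 30-second hold time are constructed, and treating every fault that is not explicitly minor as serious is an assumption chosen so that unknown faults fail towards shutdown.

```python
NORMAL, DEGRADED, SHUTDOWN = "NORMAL", "DEGRADED", "SHUTDOWN"
# Minor faults named in the article; anything else is treated as serious.
MINOR = {"STOP_SIGNAL_PASSED", "MANUAL_POINT_CHANGE"}

class Supervisor:
    def __init__(self, free_hold_s):
        self.mode = NORMAL
        self.open_minor = set()
        self.free_hold_s = free_hold_s  # assumed value for the "defined period"
        self.free_since = None          # start of the current all-free interval

    def fault(self, kind):
        self.free_since = None
        if kind not in MINOR:
            self.mode = SHUTDOWN        # only maintenance personnel can recover
        elif self.mode != SHUTDOWN:
            self.mode = DEGRADED
            self.open_minor.add(kind)

    def remedied(self, kind):
        self.open_minor.discard(kind)

    def tick(self, now, segment_free):
        # The timer runs only while no minor fault is open and detection reports
        # the entire segment free; any interruption restarts it.
        if self.open_minor or not segment_free:
            self.free_since = None
        elif self.free_since is None:
            self.free_since = now
        if (self.mode == DEGRADED and self.free_since is not None
                and now - self.free_since >= self.free_hold_s):
            self.mode = NORMAL          # automatic reset
        return self.mode

    def outputs(self):
        # Restrictive reaction: points locked, signals at STOP outside NORMAL.
        safe = self.mode != NORMAL
        return {"points_locked": safe, "signals": "STOP" if safe else "PER_ROUTE"}

def demo():
    s = Supervisor(free_hold_s=30)
    s.fault("STOP_SIGNAL_PASSED")
    trace = [s.tick(0, False)]               # tram still inside the segment
    s.remedied("STOP_SIGNAL_PASSED")
    trace += [s.tick(10, True), s.tick(25, False), s.tick(30, True),
              s.tick(59, True), s.tick(60, True)]
    s.fault("COMPONENT_FAILURE")
    return trace + [s.tick(200, True)]
```

The reset depends entirely on the "free" report being trustworthy, which is why the automatic return is only possible with safe and continuous vehicle detection over the whole segment.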

3. SIL3 Certification
The standards of the CENELEC EN 5012X series regulate the RAMS requirements for railway systems. The V-model in Figure XXX shows the life cycle model from concept to decommissioning. It illustrates the need for close cooperation between the operator and the manufacturer to ensure the safety of the equipment.

The risk analysis for the WK2701 requires Safety Integrity Level 3 for the safety functions. To achieve this, it is necessary to counteract the occurrence of systematic errors in the development and manufacturing process by means of procedures such as the four-eye principle or the independence of those involved. For each phase, the requirements are detailed, specified, and independently verified. For this purpose, the necessary techniques and measures of the CENELEC standards are applied and documented. Once the verification of one phase is complete, the transition to the next phase follows.

In phase 5, the systematic hazard analyses based on the system design begin. This includes determination of the failure rates (TFFR) of each safety function with the associated system components as well as the Failure Mode, Effects and Criticality Analysis (FMECA) to control random failures. Their calculation must prove that the effects of random errors of individual components or parts on the safety functions are sufficiently small and can therefore be controlled. For the safety functions of the WK2701 system, a value ≤ 10⁻⁷ failures/h applies here.

In addition to the hazard rates, values are also calculated for reliability, availability and maintainability. They are also based on standards for failure rates of components such as the SN29500 and indicate an availability of the WK2701 system of > 99.99% with an average repair time (MTTR) of ≤ 1.5 h for each assumed component failure.

New hazards which emerge along the phases are reported and entered in the hazard logbook by the safety manager and tracked until they are resolved. For example, while determining the failure rates, it was noticed that the safety goal could not be achieved for all required functions with the originally planned vehicle detection. Therefore, in an iteration of phase 5, a redesign of a subsystem was carried out.

Finally, the safety case summarizes the entire development process and certifies the achievement of the required safety integrity level, considering the specifically formulated safety-related application conditions (SRACs). In addition, the validation report confirms that all system requirements have been implemented and are suitable for the planned application; it also confirms compliance with the required independence, application of the appropriate techniques and measures, and correct transition of the project phase.

4. EventViewer and DMS
In Amsterdam, the asset manager GVB uses the EventViewer supplied by VAB (Verkehrsautomatisierung Berlin) for maintenance purposes. With the help of the EventViewer, the process data of the control system can be bundled and visualized. This gives technicians the ability to search for simple errors and analyze faults. In addition, the system has an interface to the Depot Management System (DMS), which makes it possible to open gates and automatically direct trams to the correct tracks.

5. Conclusion
With the WK2701 system, HANNING & KAHL has implemented a state-of-the-art system developed in line with the CENELEC process. With the introduction of the "Automatic Reset" function, it is possible to restore normal operation from certain failure modes without the need for a service technician. This functionality is valuable for the operators, as it allows them to resume operations more quickly after failures, which ultimately benefits passengers on the Uithoornlijn. Thanks to the good cooperation between HANNING & KAHL, the municipality of Amsterdam and GVB, the installation was delivered on time and within budget.

Dipl. Ing. (FH) Eduard Emmich, HANNING & KAHL
Dipl. Ing. Jan Engels, Mott MacDonald