THE tragic events associated with major fires in the Mont Blanc Tunnel in 1999 and the Gotthard Road Tunnel in 2001, which would never have assumed such proportions in open terrain, highlight the need for a resolute approach to safety in the world's longest main line railway tunnel.

Fig 06Strong cooperation between the tunnel's systems and the railway contributes substantially to meeting these safety requirements, with the Tunnel Automatic Gotthard (TAG) system, which was developed specifically for the project, playing a critical role.

This system provides the data flow between the railway and the tunnel management systems and complements the tunnel's automatic route setting system (ARS) to realise novel safety functions.

For example, the functions for monitoring minimum speed and track-conflict detection play a central role in TAG, which will trigger a suitable response in the event of a safety-related incident.
It should be noted that the extent of damage following an event in a tunnel typically increases considerably if the event is not detected in a timely manner and the appropriate emergency measures are not initiated. To control risk in the Gotthard, additional safety requirements were established, which fall into the following basic principles:

  • prevention to avoid accidents, incidents and irregularities
  • early detection and if possible, immediate detection of faults and irregularities, even before they result in damage
  • reducing the extent of damage by limiting the effects of events that have occurred
  • self-rescue: ensuring that in the case of an accident or danger, people can escape quickly and autonomously to safe places, and
  • external rescue, which provides support during an evacuation or rescue.

Based on these five principles, the tunnel's safety measures have been defined, and are laid down in the current European TSI for safety in railway tunnels (TSI SRT) which can be divided into four categories:

  • infrastructure measures: separate tunnel tubes; lighting and markings for escape and evacuation; installations to ensure communications; increased availability requirements for all components and elements in the tunnel; permanent checking of conditions
  • adjustments to rolling stock: fire prevention measures; bridging the emergency brake; minimal running properties of vehicles in case of emergencies
  • operational measures: operating rules for handling events and irregularities; special safety functions including speed monitoring; operating rules for the treatment of trains causing an event and other trains during an event; special handling of hazardous materials, and
  • personnel: regular training, including exercises replicating accidents held alongside external bodies.

While extensive, the capability of these requirements to cope with an emergency can only be realised through significant support from the tunnel's IT systems. On open railway lines and in existing railway tunnels which do not have enhanced safety features, classic railway safety and automation systems, based on interlockings and automatic route setting, are responsible.

Early studies have shown that the increased safety requirements in very long tunnels can only be met with a bi-directional flow of data between the railway and tunnel systems in order to make full use of the continually emerging mutual insights.


For the Gotthard's system, TAG sits above the classic railway safety and automation systems (Figure 1), where a direct process interface also exists with the parent dispatching system. Communication with the tunnel control system is schematically drawn towards the left. Additional interfaces to the emergency management, telecoms systems, the wayside monitoring systems for hot wheel detection and the traction current control system are shown to the right.

However, exchanging data alone cannot meet the tunnel's high security requirements. For this, a new family of functions is necessary, which is achieved through cooperation by the railway and tunnel system families.

To fulfil the principle of early detection, monitoring railway traffic and all the systems involved in operation is much more stringent. In addition, there are special restrictions on the freedom of operation in order to avoid approaching the vicinity of sensitive situations pre-emptively.

When an event does occur, the dispatcher can initiate and coordinate measures to evacuate the tunnel almost automatically. In addition, based on the prevailing formation and location of the trains in the tunnel, TAG supplies the tunnel's control system with data in order for it to initiate measures, such as activating ventilation systems in the event of a fire.


One example of the special safety functions is preventing restrictions on operations by utilising route conflict detection. The main goal here is to prevent situations where all trains are blocked and reversing of at least one train is required. While some simple versions of deadlock prevention are well known, the Gotthard's version takes into account the state of a number of additional vital systems, such as the actual current coverage of ETCS Level 2.

table1Such a case is shown in the upper part of Figure 2. Here the element which is non-navigable due to a lack of radio coverage is marked with a red square. If train 123 was to proceed unhindered from D to B on the left leg of the switch, it would be stopped by the obstacle and could be freed only by reversing. TAG prevents this by automatically setting a direction dependent lock (DDL) on the left leg of the switch, so that neither the automatic train management system nor the dispatcher can lead the train into this predicament accidentally.

In the lower part of Figure 2, a situation with three trains is shown, in which the missing radio coverage potentially causes a different kind of deadlock. As before, a DDL prevents the direct entry of a train into the impassable section. However, either train 444 or train 555 must not vacate track A or B before train 123 may move over the right leg of the switch. In such cases TAG again automatically sets and removes the required DDLs.

Many thousands of individual data packets, often hundreds of megabytes in size, are exchanged between the railway and tunnel subsystems to allow an individual train to successfully operate through the Gotthard Base Tunnel. TAG is playing a critical role in managing this process. It could also potentially be applied in future projects in similarly sensitive areas such as long bridges, or open terrain that is difficult to access. For such systems the Safety Integrity Level (SIL) -0 is usually sufficient, which renders them cost effective and flexible to any future changes.