Coppilot is a safety critical railway system, which controls the opening and closing of platform screen doors at a metro station. These platform screen doors are installed to keep traffic flowing safely. Developed by ClearSy, this system has been installed, among other locations, in the Paris metro, at several platforms: station Invalides and Saint-Lazare Line 13.
It is currently being installed in the subway in Sao Paulo, where a dozen stations will be equipped during 2010/2011.
COPPILOT is a system that complements existing metro equipments, consisting of a controller and various sensors. The originality of this system relies in its ability to work with non fully automated metros. The whole system is safe and meets railway standards. To ensure system safety and automation Clearsy has used the formal B method.



The crowded nature of certain stations in the Parisian subway and the high number of traveller intrusion on the tracks have led the RATP to put a security system in place, which will put an end to the irregularities and delays observed on the most saturated lines.
In fact, the RATP has called upon the services of Clearsy within the framework of a project: the installation of prototype platform screens at the Invalides and St Lazare stations (Pier 1 and 2). The test phase lasted 9 months and involved three platform screen doors manufacturers namely CNIM, Faiveley, and Kaba.
After testing, the 3 facilities were dismantled in December 2006.


Clearsy signed a contract for the development, delivery and installation of the SIL3 COPPILOT safety critical system, responsible for controlling the opening and closing of the platform screen doors which will be installed on lines 2 and 3 of the Sao Paulo Metro.
This Brazilian contract is related to around fifteen stations and its signature is due to a strong partnership with AeS (a Brazilian company in the railway market since 1998). It confirms Clearsy’s and AeS’s unique expertise in detection-based safety systems.
Indeed, COPPILOT neither needs to be installed on the train itself nor it requires any modification of the signalling system. As such its installation is fast and efficient, and involves existing platforms and line stations, automated or not.

> Level SIL3 safety-integrated railway signaling system to EN50129 standard
> SIL3 : Potentially dangerous events <10-7 occ/hour>
> Major risk: opening the doors in error
> Safety demonstration for the RATP: AQL and AQM
> Safety demonstration for the supervisory agencies

> Use of standard industrial trade sensors (with no assumptions with regard to safety)
> Except the controller: SIL 3 industrial controller
> Development of SIL 3 safety software