by Aleš Filip
University of Pardubice, Faculty of Electrical Eng. & Informatics, Czech Republic
GNSS application method within ETCS: basis for efficient multi-constellation solutions
3rd IGAW 2016 Workshop: GNSS Technology advances in a multi-constellation framework, Rome, SOGEI, 21-22 February 2016
Acronyms: ETCS - European Train Control System; SIL - Safety Integrity Level; LDS - Location Determination System
Contents
1. ETCS safety requirements for Virtual Balise and train LDS
2. Railway Safety Integrity concept and aviation “specific risk“
3. Multi-constellation LDS solutions resulting from technical safety principles (EN 50129) to be compliant with SIL3/SIL 4
4. LDS based on reactive fail-safety, SBAS and so called Travelling Virtual Balise
History: Origin of Virtual GPS Balise for ETCS
- Virtual GPS Balise was introduced by B.J. Sterner, ERRI (1998)
- Terms in the manuscript … mixed solution, Virtual Balise Group, linking, BTM, GPS balise telegrams, GPS Interface Unit, tolerance radius, directionality information, …
Development of safe train LDS based on GNSS for ETCS
- Background for development of safe train LDS (diagram: inputs to a GNSS based LDS for ETCS):
  - ETCS requirements for safe train position determination
  - Railway safety integrity concept (CENELEC)
  - Multi-constellation GNSS, standardized SBAS/GBAS services based on aviation Specific Risk (RTCA MOPS, SARPS)
  - Railway fail-safe principles for SIL3/SIL4 architectures
  - Independent GNSS diagnosis (odometry, map, (A)RAIM, …)
ETCS architecture with application levels (L1, L2, L3)
ETCS requirements for safe train position determination
- ETCS Core THR allocation to Virtual Balise (VB) – according to SUBSET-088, Part 3.
- THR_BTX of 0.67e-9 / 1 hour is taken as the THR for incorrect Virtual Balise detection (deletion/insertion) due to LDS failure (THR_VB).
Note: BTX – Balise Transmission (failure)
Requirement for VB
ETCS requirements for safe train position determination
- THR requirement for GNSS (THR_GNSS) should result from THR_VB = 0.67e-9 / 1 hour (SIL 4).
- Failure rate for ETCS track Information Point: λ_IP = 1e-9 / 1 hour; for ETCS on-board equipment: λ_ONB = 1e-7 / 1 hour.
- Mode of GNSS application within the ETCS Virtual Balise concept must precede derivation of safety requirements for GNSS LDS.
- Efficient GNSS application can significantly influence the level of safety requirements for GNSS.
- Railway should profit as much as possible from the GNSS safety concept developed for aviation, from the "specific" risk concept … according to railway requirements, railway safety principles and safety standards …
- GNSS application method also determines how multi-constellation will be employed within ETCS.
Railway Safety Integrity concept (EN 50129)
- Hazard is defined with respect to the operational environment of the system or component.
- The border between systematic errors and random failures is not strictly defined in CENELEC.
- … EN 50129 (Section A3): "Failures caused by environmental conditions (e.g. EMC, temperature …) should be included within systematic and random failure integrity, as appropriate …"
- Protection against hazards within the system is assured by means of safety-related functions implemented by HW subsystems.
- Required quality of each safety-related function is achieved by means of qualitative and/or quantitative safety targets.
- Qualitative target shall be in the form of a Safety Integrity Level – SIL (from 1 to 4) and shall cover integrity against systematic (i.e. functional) faults.
- Quantitative target shall be in the form of a numerical Tolerable Hazard Rate (THR), and shall cover integrity against random failures.
Aviation “specific risk“ applied in GBAS/SBAS
- ICAO standards apply the "specific risk" *) approach for GBAS/SBAS.
- All safety requirements must be met for the worst combination of potential hazard causes under which an operation may be performed.
- Specific risk doesn't make a strict distinction between random and systematic failures as is specified in the railway safety integrity concept.
- Numeric value is always sub-allocated to the specific Integrity Risk component for the specific GNSS hazard.
- Specific risk deals with all predictable potential hazard causes that are not completely random in a worst-case manner. Each risk is evaluated separately.
- Specific risk – probability of a dangerous system state under the assumption that all potential hazard causes occur with a probability of 1.
- Quantitative target for the total Signal-In-Space Integrity Risk can be used for the design of railway safety-related systems.
*) S. Pullen, T. Walter, P. Enge: Integrity for Non-Aviation Users. GPS World, July 2011
Safety principles vs. single/ multi-constellation LDS solution
- Fail-safety is highly recommended for railway safety-related systems compliant with SIL 3 and SIL 4 (EN 50129, Annex B) … systems must remain safe in the event of any kind of single HW fault.
- It can be achieved by means of:
  - Inherent fail-safety (single channel structure; none of the faults can cause a hazardous state of the system) – not applicable for GNSS LDS
  - Composite fail-safety (safety function is performed by at least two independent channels) – improvement of GNSS SIS integrity
  - Reactive fail-safety (single-channel structure with rapid diagnosis) – improvement of safety of position determination
Example: Train LDS solution using composite fail-safety
- Dual-constellation EGNOS-R interface was proposed to meet ETCS safety requirements (SIL 4 / HR_SIS ≤ 1e-8 / 1 hr, CI of 14 m) for GNSS SIS.
Example: Train LDS solution using composite fail-safety
- Composite fail-safety applied at high system level with the intention to simplify the safety evidence required according to CENELEC standards.
Example: LDS based on reactive fail-safety and SBAS
- SBAS hazards can be mitigated using rapid and independent diagnosis.
- Amount of time the system operates in a dangerous mode can be reduced.
- Multi-constellation SBAS can be used for availability improvement.
- Aviation IR requirement for SBAS SoL is 2e-7 / 150 s ≈ 4.8e-6 / 1 hour (PA).
- LDS with reactive fail-safety was proposed to meet THR for Virtual Balise (THR_VB = 0.67e-9 / 1 hr, SIL 4) using single-constellation SBAS.
Example: LDS based on reactive fail-safety and SBAS
Markov + FTA
- Markov model of LDS based on existing SBAS and reactive fail-safety.
- Independent GNSS fault diagnosis cannot improve THR/SIL of GNSS (SBAS), but it can maintain the required train safety in case of LDS failure.
States of Markov model (figure: Markov model of LDS with reactive fail-safety):
  - P0 – GNSS position is OK, GNSS diagnosis is OK
  - P1 – Safe faulty state: GNSS dangerous fault, GNSS diagnosis is OK
  - P2 – Fail-safe state after GNSS fault detection and negation
  - P3 – Hazardous state of LDS: Diagnosis fault, i.e.
Example: LDS based on reactive fail-safety and SBAS
Markov + FTA
- Solution of Markov model → safe faulty state probability P1(t):
  P1(t) = -HR_SBAS * (exp(-(HR_SBAS + HR_Diag) * t) - exp(-µ * t)) / (HR_SBAS + HR_Diag - µ)
- Probability P1(t) after simplification (P1(t) is t invariant, depends on TD):
  P1(t) ≈ HR_SBAS / µ = HR_SBAS × TD
- Tolerable Hazard Rate per 1 hour for Virtual Balise (and LDS) can be expressed as …
  THR_VB = HR_SBAS × TD × 1 hour^-1
- THR_VB = THR_LDS of 0.67e-9 / 1 hour can be met by existing SBAS for TD ≈ 500 ms.
Diagnosis of ETCS balise groups and on-board unit
- Mitigation of ETCS hazards due to track Balise Group (BG) and on-board (ONB) failure is efficiently performed by linking of BGs using safe odometry (SIL 4).
- Disadvantage – diagnosis of BG and ONB (BTM) can only be performed at BG sites.
(Figure: BG spacing – average distance ~400 m, max. distance 2500 m)
Diagnosis of virtual balise detection using abundant positions
- Diagnosis of Virtual Balise (VB) detection by linking can be realized more efficiently …
- It is because GNSS train position is also provided on the track section between VBs, or at least in the VB vicinity (depending on SIS visibility). VBs are placed in locations with nominal SIS reception conditions.
(Figure: VB spacing – average distance ~400 m, max. distance 2500 m)
Diagnosis of virtual balise detection using abundant positions
- GNSS train positions determined on the track section between Virtual Balises (VB) are not needed for train position reporting to the RBC …
- Abundant GNSS positions between VBs together with odometry and other diagnostic data can be used for fast diagnosis of GNSS.
(Figure: VB spacing – average distance ~400 m, max. distance 2500 m)
Diagnosis of virtual balise detection using abundant positions
- Deletion of the 1st Balise Group (BG) in ETCS is not hazardous. Only when the 2nd BG is missed (detected by odometry) is the service brake applied …
- GNSS PVT data can be used for diagnosis of GNSS …
- 80 km/h – avg. speed for conventional lines, 400 m – avg. VB spacing → 1 track section between 2 VBs is passed in 18 s.
- For a GNSS receiver with 10 Hz output, 180 PVT solutions can be used for the consistency check of one VB detection.
THR determination for onboard unit when linking is applied
- Probability of on-board (ONB) failure is proportional to the duration of failure ….
- Since deletion of the 1st Balise Group (BG) in ETCS is not hazardous, the hazard rate of ONB per mission (i.e. 1 hour) can be calculated as …
  HR_ONB = λ_ONB * (2*TL) * 1 hour^-1 = λ_ONB * (2*DL/v) * hour^-1   (TL = DL/v)
- Let's assume: BGs are functional and THR_BTX-Deletion = 0.33e-9 / 1 hr (ETCS THR requirement for track BG deletion), then
  0.33e-9 / 1 hr = THR_ONB * (2*TL) * 1 hour^-1   (required THR for on-board unit)
- It is desirable to increase THR for the on-board unit in order to reduce the safety requirement for GNSS … i.e. utilise existing SBAS if possible.
- Increase in THR_ONB can be achieved via reduction of ONB failure duration.
From static balise to Travelling Virtual Balise …
- Duration of ONB failure can be reduced e.g. by means of a hypothetical "testing" Balise Group (BG).
- Testing BG enables to specify THR for ONB (BGs are assumed as functional).
- Let's assume: THR_BTX-Deletion/Insertion = 0.33e-9 / 1 hr (ETCS THR requirement for BG deletion/insertion), then
  0.33e-9 / 1 hr = THR_ONB * TD * 1 hour^-1   (THR requirement for on-board unit (locator))
- Installation of "testing" track BG would be inefficient …
- GNSS enables to introduce such "testing" balises more efficiently than classical ETCS with track balises.
From static balise to Travelling Virtual Balise …
- Location of a GNSS "testing" balise is not a priori known as in the case of physical balises.
- Therefore the so called Travelling Virtual Balise (TVB) was introduced.
- Reason for TVB: It enables to specify THR for GNSS LDS and it provides continuity in the evolution of the ETCS balise concept.
Travelling Virtual Balise
- The TVB is a validated GNSS train position on the section between two VBs.
- The TVB arises from the Last Relevant Virtual Balise (LRVB).
- Validation of TVB and VB detection can be performed using independent diagnosis.
- Advantage: TVB enables to preserve or even enlarge BG spacing (> 2500 m). Required safety is not achieved at the expense of shortening the VB spacing.
Estimation of safe down time (TD) for LDS based on SBAS
- Duration of hazardous failure TD corresponds to Safe Down Time (SDT) according to EN 50129.
- Let's assume:
  ETCS THR requirement for incorrect VB determination: 0.67e-9 / 1 hr = THR_GNSS * TD * 1 hour^-1
  HR for SBAS: a) THR_SBAS (PA, LPV-200) = 2e-7 / 150 s = 4.8e-6 / 1 hour; b) THR_SBAS (NPA) = 1e-7 / hour.
- Then: a) TD = 6.7e-10 / 4.8e-6 * 1 hour = 1.39e-4 hour = 0.5 s (for PA); b) TD = 6.7e-10 / 1e-7 * 1 hour = 6.7e-3 hour = 24 s (EGNOS for NPA).
- GNSS receiver 10 Hz output (0.1 s). TD values are realistic …
- Real EGNOS performance (THR_EGNOS = 6e-8 / 150 s), TD = 1.6 s
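The THR-versus-exposure-time relations used on the Markov, linking and safe-down-time slides, worked through numerically as an added example (this is not code from the original presentation): the exact Markov solution for P1(t) compared with its simplification HR_SBAS × TD, the safe down time TD for the PA, NPA and real EGNOS hazard rates, and the on-board THR under BG linking. Function names are assumptions; the numeric inputs are the slides' own values (the 400 m / 80 km/h pair is taken from the abundant-positions slide).

```python
import math

HOUR_S = 3600.0
THR_VB = 0.67e-9   # ETCS THR for incorrect VB detection, per hour (slide value)


def ir_per_hour(ir, window_s):
    """Convert an aviation integrity risk per exposure window
    (e.g. 2e-7 per 150 s approach) into a hazard rate per hour."""
    return ir * HOUR_S / window_s


def p1_exact(t_h, hr_sbas, hr_diag, mu):
    """Safe-faulty-state probability P1(t) of the 3-state Markov model on
    the slide (t in hours, rates per hour, mu = 1/TD is the negation rate)."""
    a = hr_sbas + hr_diag
    return hr_sbas * (math.exp(-a * t_h) - math.exp(-mu * t_h)) / (mu - a)


def p1_approx(hr_sbas, td_s):
    """Simplified value P1 ~ HR_SBAS / mu = HR_SBAS * TD (TD in seconds)."""
    return hr_sbas * td_s / HOUR_S


def safe_down_time_s(thr_per_h, hr_per_h):
    """Invert THR = HR * TD * (1/hour): longest safe down time TD (seconds)
    for which a SIS with hazard rate hr_per_h still meets thr_per_h."""
    return thr_per_h / hr_per_h * HOUR_S


def thr_onb_with_linking(thr_deletion_per_h, spacing_m, speed_kmh):
    """THR the on-board unit must meet when BG linking only detects the
    2nd missed BG: THR_BTX = THR_ONB * 2*TL with TL = DL/v (exposure in hours)."""
    tl_h = spacing_m / 1000.0 / speed_kmh
    return thr_deletion_per_h / (2.0 * tl_h)


if __name__ == "__main__":
    cases = {"PA/LPV-200": ir_per_hour(2e-7, 150), "NPA": 1e-7,
             "EGNOS real": ir_per_hour(6e-8, 150)}
    for name, hr in cases.items():
        print(f"{name:11s} HR={hr:.2e}/h  TD={safe_down_time_s(THR_VB, hr):.2f} s")
    # the exact Markov solution settles to HR_SBAS*TD once t >> TD
    td = 0.5
    print(p1_exact(1.0, cases["PA/LPV-200"], 1e-9, HOUR_S / td),
          p1_approx(cases["PA/LPV-200"], td))
    # constructed input: 400 m average VB spacing passed at 80 km/h
    print(f"THR_ONB = {thr_onb_with_linking(0.33e-9, 400, 80):.2e}/h")
```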
THR allocation for LDS based on SBAS and reactive fail-safety
- Example: THR allocation for LDS based on existing EGNOS (figure: single-constellation EGNOS).
- SBAS hazardous failure is mitigated by an RRF of ~2500 in this example.
Protection against multipath error using 3D track map
- Train position is validated using individual pseudorange pairs and a 3D map (SIL 4) for all satellite (SV) combinations.
- Advantage – protection against multipath error at train stand-still is possible.
Multi-constellation LDS for ETCS
- Railway technical safety principles highly recommended for SIL3/SIL4 safety-related systems (EN 50129) determine how GNSS multi-constellation can be utilised for an ETCS LDS.
- LDS with composite fail-safety (competitive approach): multi-constellation intended for higher GNSS integrity, lower LDS availability.
- LDS with reactive fail-safety (cooperative approach): reduced integrity requirement for GNSS. Multi-constellation can improve LDS availability.
- Multi-constellation/multi-frequency LDS based on reactive fail-safety could be in line with multi-constellation/multi-frequency SBAS for aviation (significant improvement of availability of integrity for LPV-200).
- The way GNSS multi-constellation is employed for signalling, including safety evidence according to the relevant safety standards, should be subject of international LDS standardization.
Conclusions
- GNSS application mode within ETCS can significantly influence the specification of ETCS safety requirements for GNSS LDS and also the efficiency of GNSS utilization.
- THR requirement for Virtual Balise (0.67e-9 / 1 hour) could be met by means of an LDS with reactive fail-safety for a reasonably short fault detection/negation time if independent diagnosis (SIL 4) is available.
- Travelling Virtual Balise (TVB) was introduced to justify enlargement of the ETCS THR requirement for the GNSS SoL service.
- Introduction of TVB doesn't influence the ETCS safety concept because TVB is used in the on-board unit only.
- Abundant GNSS positions together with odometry and other diagnosis data on the track section between Virtual Balises can be efficiently used for VB validation at the required safety integrity.
- GNSS application method within LDS should be subject of international standardization.
Acknowledgement
This work was supported by the European H2020 research and innovation programme budget within the RHINOS project (2016-2017).