The case for a system integration approach to ERTMS deployment

AusRAIL 2010

23 - 24 November, Perth

Page 1 of 7

The case for a system integration approach to ERTMS deployment

Thierry Lesaine, MScE; Alstom Transport

SUMMARY

This paper aims to give an overview on the impact of the introduction of ERTMS on the processes and tools needed for integrated signalling systems. Highest level of integration shall be defined to develop a common engineering scheme and right allocation of functions to the right subsystem. Multi vendor and operators have also introduced interoperability issue with a necessity of a new process. These both integration and interoperability processes shall be clearly defined, and supported by a testing facility to verify scenarios of interaction that represent nominal functions of operation, but also those that represent abnormal situations for which a safe behaviour is expected. It is demonstrated this strategy decreases drastically the number of dynamic tests to perform on site, thus reducing the track and train possessions, and overall time and costs.

INTRODUCTION

In mainline projects, the trend started 10 years ago for a more global approach in signaling system corresponding to the introduction of ERTMS. New operating principles lead to a new approach concerning the engineering, by sharing data between different sub-systems. Customers are also claiming a tighter time schedule, with a validation of these principles at a very early stage of the contract inducing a drastic reduction of dynamic tests (and correspondence tests as done in the past), and ability to simulate higher number of scenarios with degraded modes and safety hazards injection. This paper presents the change of the approach, the new processes to put in place for both integration and interoperability, and finally the testing facility used to apply these processes in laboratory.

NOTATION

ATP Automatic Train Protection

ERTMS European Rail Traffic Management System

ETCS European Train Control System

FIVP Factory Integration and Validation Platform

UNISIG Union of (European) Signalling Industry

1. Signalling system trend

1.1. Legacy approach

In a legacy approach, the signalling system of a railway line is made of several subsystems which are managed independently. This is obviously the result of history, with the interlocking function coming first, the control centre second, and the train speed control third. Each subsystem is designed according to rules and regulations which may be international, national, or even client-specific. However, those subsystems manipulate the same static data described within a single document named track plan. In the same way, dynamic information about the train is of importance to the interlocking, the speed control system, and the control centre. The three subsystems communicate exchange and correlate the dynamic information together. For example, the train location is provided in a vital way both by the train detection system -- a function of the interlocking -- and by the location train report -- a train control function under ERTMS level 2. Refer to figure 1 “Signalling System trend”.

Thierry Lesaine The case for a system integration approach

Alstom Transport to ERTMS deployment

AusRAIL 2010


Page 2 of 7

Integrated system approach

In a project dealing with a complete signalling system for a new line or the re-signalling of an existing line, two major issues have to be looked after: � How to develop an engineering scheme

common to the three subsystems to generate the individual database and the right interfaces without extensive integration?

� Is each function allocated to the right subsystem?

ERTMS introduces major changes, as each train manages its own braking curve. This means that the length of the blocks is no longer linked to the maximum train speed and worst train braking curve. The block length can now be linked to the target capacity of the line and the expected headway and nominal speed. The block length may be adjusted to the line speed profile to avoid bottleneck at station approaches of exits. The role of the ground equipment remains with the management of train routes. But it also has to manage the train separation distance. This further allows calculating the movement authority that can be granted and transmitted to the train. The speed control used to be ensured via the interlocking and signal as a result of a Boolean calculation according to predefined targets valid for all trains. With ERTMS, the evaluation of the train interval is now more sophisticated. The interlocking is not suited for this task as it has no concept of a train. This has led us to include the separation algorithm within the Radio Block Centre (RBC) in our ERTMS level 2 system. The RBC has the knowledge of the absolute position of train in a vital way. It is also fitted with a description of the line in "sections" which can be considered as virtual fixed blocks. This description is used as a model to provide a safe distance between two successive trains. With all these elements the RBC has the complete information to calculate the train movement authority it can transmit to the train. This movement authority is not limited to any number of sections as the RBC has a complete understanding of the whole line. In addition, the RBC has a direct link with the control centre, bypassing the interlocking. This provides the control centre with the detailed information of the train. More precise information is of great help to support functions monitoring train progress such as train distance graphs. This also helps and to detect possible conflicts far more in advance. Other information about the train status is also provided to better understand the situation and to support a decision making process in case of disturbances.

If ERTMS has revolutionized the engineering of the trackside signalling system, it is also designed to support onboard train control systems that may be provided by diverse manufacturers. Even if every piece of equipment is compliant to the ERTMS standard, this does not ensure that it is interoperable with the equivalent one from a different supplier. The compliance is a prerequisite only. As ERTMS is a compendium of different needs, no one operator uses 100% of all the features. It is important to verify the behaviours and features that are effectively needed for a specific type of operation. This is generally done at a national level. Thus, to verify the interoperability, it is necessary to define scenarios of interaction that represent nominal functions of operation, but also those that represent abnormal situations for which a safe behaviour is expected. Alstom has developed such a simulation laboratory that allows testing the wayside equipment against trainborne computers. These tests have been systematically carried out on the projects we have completed in Europe, in particular for the Swiss, Dutch, Belgium and Italian operators. It has been possible to fully test onboard equipment from Alstom and competitor in the lab. Operators and infrastructure managers witnessed these tests and reached conclusions relative to equipment homologation. Deploying ERTMS is not just an overlay of an existing signalling system. To get the most of it, the signalling system should be re-designed according to operation expectations so that ERTMS can bring its full benefits in regards to the level of safety and increase of line capacity. To complete the deployment of ERTMS, it is necessary to plan ahead the interoperability testing before the trackside is commissioned in order to avoid unnecessary delays between the completion of the work and the operation of the line.



AusRAIL 2010


Page 3 of 7

2. System integration process

Engineering scheme to support integrated system shall rely on a dedicated, well defined, and agreed with the customers, process.

Fig 2.System Integration Process

Requirement capture phase: What are the functional and non-functional requirements expressed by the customers?

• Applicable Standards,

• Contracts Requirements: o Superimposition with national

systems, o Compliance with national regulations, o Specific operational needs (both for

nominal and degraded operation).

• Contracts Amendments. => Identification & impact assessment. Interfaces Specifications: What are the functional and non-functional requirements applicable between the various constituents / sub-systems?

• Operational Requirements: are they consistent through the sub-systems?

• RAM Requirements: are they architecture dependent?

• Additional Safety Requirements: has OSHA been performed?

Hazard Analysis’s: Identification (HAZID), operational analysis (HAZOP) and specific focus on interfaces (IHA).

• HAZID & HAZOP:

• To identify any potential hazard associated with the Operation in the broad meaning,

• To identify any hazard resulting of operational interactions between the systems (e.g. transition to / from ASFA system),

• Also assess the consistency of the training, human factors (MMIs), maintenance policies, fallback solutions.

• IHA:

• Aims to identify any potential hazard associated with malfunctioning at interfaces, and to make sure that the adequate protection mechanisms are in place.

Factory Testing: To guarantee all aspects of the interface specifications have been implemented and are operating in full compliance:

• to guarantee that the testing processes provide 100% coverage on all the interfaces:

• Integration testing of ETCS trainborne with national systems provided by others.

• use of Supplier ETCS Testing Architecture:

• integration with national equipment

• Full functional testing of each sub-systems,

• Nominal & degraded modes. Site Integration: To guarantee that the actual system, once implemented within the actual environment, is operating in full compliance with the customers’ requirements.

• Although the sub-systems are exhaustively factory tested, there is a requirement to confirm that the physical equipment is actually connected as per the allocation against which factory testing was conducted.

• It is not possible to fully replicate the environment (mainly the dynamic behaviour of the complete system) during the factory testing.

Pre-Commissioning: To exercise the integrated system in conditions as close as possible of the revenue service. In addition to building the reliability of the system, it also confirms the consistency and robustness of its operating principles and provides hands-on training of the staff.

• Limited training of staff (track operators, drivers, maintenance staff, station / platform staff) in using the system under real conditions,

• Passengers reaction in case of perturbation,

• Global system dynamic behaviour in case of perturbation / failure.



AusRAIL 2010


Page 4 of 7

3. The Interoperability Process

The “Mattstetten-Rothrist” line in Switzerland was one of the first to put on the table the interoperability issue with multi vendor equipments equipping or trackside or trains. All projects were based on the same SRS version, but…interpretation gaps exist and operation concepts are not aligned. There was a need to develop a concept of integration testing to guarantee full technical and operational interoperability. Trackside context:

• Homologation for the line is given based on: o lab tests using an agreed set of

scenarios, o site tests, o All ERTMS products selected by the

trackside supplier.

• The lab test bench covers the whole system: o Train detection, Interlocking, track

ERTMS, link to Control Centre and on-board sub-systems.

• On-board is not part of the deliverables, but necessary for testing.

Trainborne context:

• The supplier is delivering on-board product with:

o ISA certification, o NoBo certification.

• The train owner is responsible of the global train acceptance and certification.

• There is a no or limited operational requirement at system level:

o ERTMS compliancy does not guarantee safety at system level (IXL, CTC…).

• In case of problems, there might be a case involving all parties.

Thus a process has been developed which allows to guarantee safe operations when the trackside ERTMS and the on-board ERTMS sub-systems are not from the same supplier (cf. Fig 3. the Interoperability process). Homologation for operation of trains on a given line is based on lab and site testing using an agreed set of scenarios. The set of scenarios must be formalised between:

• the infra-owner,

• the supplier,

• The safety authority. Lab testing facilities need to be made available with the actual configuration of the trackside. The concept has been successfully implemented in Switzerland, Italy, Netherlands, Spain, and Belgium…

4. Factory Integration and Validation Platform

Site tests versus laboratory tests: • Site tests need:

− To book possessions, − To use one / many test trains, − Drivers, − Luck.

• FIVP tests are: − Cheaper & comfortable, − Easily reproducible, − Quickly available (no need for installed

equipment): � early testing of requirements & implementation.

• Necessity for site tests: − To confirm FIVP test results, − The dynamics and / or the

environment matters. Why an integrated testing facility? • Improve the I&V process: Saving time:

− With the FIVP we can reach > 70% of the system tests done in factory. In this way, we avoid huge rework after site installation and testing,

− The FIVP allows the tests’ automation and so a 24h/24 7days/7 use,

− The FIVP can simulate complex situations not possible with classic simulation environment (ex: customer operation situations).

Saving money, reducing the risk to discover problems on site. • Compliance with customer needs:

− System test coverage in factory means that the system will work more properly once installed on site, even during the T&C phase,

− Same with data validation tests, like data correspondence done in legacy projects,

− With > 70% of the tests done in factory, revamping projects could avoid long site tests while old system is still in operation => the operation is not disturbed,

− The customer can see the System at work before complete site installation.

• Invest once for the future: The FIVP can evolve for taking in account different solutions and architectures (e.g.: system evolutions asked by the customer).



AusRAIL 2010


Page 5 of 7

An integrated testing facility as a FIVP provides off-site Integration and validation of a complete signalling system including interoperable constituents:

• ATS / IXL / RBC / ETCS / Data communication / GSM-R),

• an integrated set of Human Oriented Tools

• Methods, guidelines…for Integration Activities.

It is obvious the FIVP is and shall be able to interface constituents (not only RTMS ones) coming form different manufacturers.

Fig 4.FIVP architecture and overview

It is an effective environment for the validation of:

• Signalling Related Operating principles,

• Degraded modes effects,

• System & Sub-System Functions,

• Performance,

• Endurance. Cf. picture of a real laboratory FIVP in figure 5. The overall objective is de-risk and secure projects Design & deployment phases by minimizing site activities, line possessions with early detection & quick response to anomalies. The benefits for a project are a major reduction of on-site T&C work and a major support during actual T&C process: software releases, non-regression tests, replay scenarios, troubleshooting…

5. Conclusion

Introduction of ERTMS (especially Level 2) has pushed to reorganize or adapt operating principles. The new processes put in place to perform integration, validation and interoperability demonstration in laboratory are now in place in all Alstom projects. Experience is now more than 10 years within all projects -Urban (which started to use FIVP earlier than mainline) and ERTMS -, to enrich libraries of scenarios, failure simulations, degraded modes… FIVP allows not only decreasing the time to market of a project, the overall cost, and the dynamic tests needs (by inversion of lab. vs site rates), but by giving the capability to repeat / change / introduce the project, allowing faster cycle for any change in the referential. We are not yet at the time where no dynamic site tests are needed, no train run before entering in revenue service, but we are currently at the time where only few train’s runs are needed on top of the complete laboratory work for a complete signaling system project.



AusRAIL 2010


Page 6 of 7

Telecom & Network

Convent ional Products

Automat ic Train Cont rol Interlocking (IXL)

Cent ralized Traf fic Cont rol

The trend is moving from subsystems…

Telecom & Network

SMARTWAY

ETCSSMARTLOCK

ICONIS

Interlocking control through Smartlock

ETCSlevel 1 & 2

Automatic Train

Supervision through

the IconisOperation Control Center

Smartway range of tracksideproducts

GSM-R for Network & Telecom

…to a full system approach optimizing overall performance

Fig 1.Signalling system trend



AusRAIL 2010


Page 7 of 7

Fig 3.The Interoperability process

Fig 5.FIVP overview picture

Documents

The case for a system integration approach to ERTMS deployment