RHINOS "Railway High Integrity Navigation Overlay System"
IGAW 2017 Workshop, SOGEI, Rome, 20-22 June 2017
Some Safety Aspects related to Train Position Determination for ERTMS/ETCS: Start of Mission on Parallel Tracks
A. Filip, S. Pullen, R. Capua, A. Neri, S. Sabina, F. Rispoli
Motivation
Fulfilment of ERTMS/ETCS requirements for safety integrity related to Start of Mission.
Utilization of existing GBAS/LAAS (RTCA DO-245) concept, which was originally developed for safety operations in aviation.
Design of Track Discrimination Function according to CENELEC standards (EN 50126, EN 50129, EN 61508 2nd ed.).
Simplification of safety evidence which could be used for LDS Safety Case and Certification.
Requirements for Track Discrimination Function
Operational assumptions for SOM on parallel tracks:
THRVB = 1e-9/hr for ETCS Level 2 - Start of Mission (SOM)
THRVB = 0.67e-9/hr for ETCS Level 3, SOM … derived from SUBSET-088
Minimum distance between axes of parallel tracks (v < 160 km/hr):
5 m at stations (very exceptionally 4.75 m)
6 m for level platforms on low traffic lines, possible only in narrow conditions
AL = 6 m / 2 = 3 m … it is further used in this analysis
10 m for inland platforms … can be very often applicable for SOM
4 m between stations
The last position of the train before LDS switch-off is stored in LDS OBU / RBC in compliance with SIL 4
Still-stand detector (SIL 4) is available on train/locomotive (UIC)
SOM with position UNKNOWN will be performed very seldom
Place with good GNSS SIS conditions for SOM can be preselected
Requirements for Track Discrimination Function
Duration of SOM in Staff Responsible: 3% of mission (SUBSET-088)
Duration of mission = 1 hour, duration of SOM = 108 seconds
Application mode of multi-constellation GBAS during train mission
LDS with high-integrity GNSS augmentation
Realization of SIL 4 safety function
SIL 4 requirement represents very high demands on a safety function.
EN 61508 suggests reducing this requirement first, e.g. by means of additional non-electric/electronic safety-related systems or other risk reduction measures.
If such an option is not possible, then a further risk assessment shall be carried out using a quantitative method that takes potential CCFs into consideration – see next slide.
If THR < 1e-9/hr is required for a safety function, then this function cannot be realised as a single function according to EN 61508. It must be composed of at least two diverse and independent functions – let's say Function A and Function B – probabilistically combined using an AND operator.
The systematic capability approach must be respected.
LDS with high-integrity GNSS augmentation
Systematic capability (EN 61508, 2nd Edition, 2011)
Systematic failures can happen every time the specific set of conditions occurs.
In order to avoid CCF, the standard EN 50129 requires a guarantee of physical, functional and process independence among safety functions of a safety-related system.
EN 61508-2 (2nd Edition) introduces the term 'systematic capability' (SC). SC is a measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL for a given safety-related function.
Diversity is suggested to eliminate systematic CCF and build e.g. a SIL 3 function (SC = 3) using two diverse elements A and B (SCA = SCB = 2) according to the following justification: SC = SCA + SCB + 1 = 3.
If diversity is not applied, then SC = SCA + SCB = 2, which corresponds to SIL 2.
Composite Fail-Safety for Start of Mission
Safety integrity requirements are strict (HRVB = 0.67e-9/hr, AL = 3 m)
Multi-constellation can be used to reduce PL via lowering of the GBAS Kffmd
2oo2 (GPS + Galileo): HR2oo2 = 2 * (HRReq_const)^2 * SDT
3oo3 (GPS + Galileo + Glonass): HR3oo3 = 3 * (HRReq_const)^3 * SDT^2
4oo4 (GPS + Galileo + Glonass + BeiDou): HR4oo4 = 4 * (HRReq_const)^4 * SDT^3
Kffmd coefficient can be further reduced via lowering of the HR requirement per GNSS constellation, i.e. HRReq_const
GNSS HRReq_const can be reduced via multi-channel architectures:
Safe Down Time (SDT) is proportional to the duration of SOM, i.e. 0.03 hour, because the first Virtual Balise must be detected within the SOM duration.
Note: In case of GNSS there is potential to further reduce SDT
PL estimation for GBAS-based Track Discrimination
Protection Level (H0) concept is valid under the fault-free condition
Conversion of Hazard Rate to Probability of Missed Detection Pmd:
HRReq_const = Pmd * Nindep
where Nindep is the number of independent samples per mission (i.e. 1 hour); the more independent samples, the higher the uncertainty in position determination
Duration of SOM in Staff Responsible: ~108 s [SUBSET-088]
Estimated correlation time between samples: 30-150 s [1]
It is assumed that Nindep = 1 for the SOM function (as for PA in aviation)
Composite fail safety can be utilised for Kffmd reduction (2oo2, 3oo3, …)
[1] Pullen, S. et al.: SBAS and GBAS Integrity for Non-Aviation Users: Moving Away from "Specific Risk". International Technical Meeting of the Institute of Navigation, 24-26 January 2011, San Diego, CA, USA: 533-543.
PL estimation for GBAS-based Track Discrimination
PL ≈ Kffmd * σpos; let's assume σpos = 0.5 m for GBAS
Scaling factor Kffmd is calculated from the Gaussian distribution
MatLab … Kffmd = norminv(Pffmd/2, 0, 1)
P(H0) – a priori probability under fault-free conditions, equal to 1
M – number of Reference Receivers (RRs) in the reference station; (M+1) means that (M+1) different hypotheses exist, i.e. M hypotheses for the RRs and one H0 hypothesis.
$K_{ffmd} = -\Phi^{-1}_{Gauss}\!\left(\frac{P_{ffmd}}{2}\right)$
$P_{ffmd} = \frac{HR_{Req\_const}}{N_{indep} \cdot P(H_0) \cdot (M+1)}$
Examples: HRReq_const and PL estimation for HRVB
2oo2: HRReq_const = 5e-5/hr; SDT = 0.03 hr; HR2oo2 = 2 * (HRReq_const)^2 * SDT = 1.5000e-010/hr
3oo3: HRReq_const = 5e-3/hr; SDT = 0.03 hr; HR3oo3 = 3 * (HRReq_const)^3 * SDT^2 = 3.3750e-010/hr
4oo4: HRReq_const = 1e-2/hr; SDT = 0.03 hr; HR4oo4 = 4 * (HRReq_const)^4 * SDT^3 = 1.0800e-012/hr
2oo2: HRReq_const = 5e-5/hr; M = 3; σpos = 0.5 m; Pffmd = 1.25e-005; Kffmd = 4.3687; PL ~ 2.1843 m
3oo3: HRReq_const = 5e-3/hr; M = 3; σpos = 0.5 m; Pffmd = 0.0013; Kffmd = 3.2160; PL ~ 1.6080 m
4oo4: HRReq_const = 1e-2/hr; M = 3; σpos = 0.5 m; Pffmd = 0.0025; Kffmd = 3.0233; PL ~ 1.5117 m
1oo1: PL ~ 3.1943 m
GPS + Galileo + Glonass; BeiDou as backup
Multi-channel structures …
Effect of 4oo4 is not so high
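As an added example (not code from the RHINOS slides), the PL and composite-HR formulas of the two preceding slides in Python, reproducing the 2oo2/3oo3/4oo4/1oo1 figures above; the function names, the M = 3 and σpos = 0.5 m defaults and the track-selection rule (PL < AL and PEe_i ≤ PL for exactly one track) are my assumptions.

```python
# Added example, not from the RHINOS slides: GBAS protection level under H0 and
# NooN composite fail-safety as the deck defines them, plus a simple track-selection
# rule (my reading of the PL < AL, PEe_i <= PL slides).
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # zero-mean, unit-variance Gaussian

def p_ffmd(hr_req_const, m, n_indep=1.0, p_h0=1.0):
    """Fault-free missed-detection probability allocated to the H0 hypothesis.

    hr_req_const: required hazard rate per constellation [1/hr]
    m: number of reference receivers; M+1 hypotheses share the budget
    n_indep: independent samples per mission (1 for SOM, as for aviation PA)
    p_h0: a priori probability of the fault-free hypothesis (1 in the slides)
    """
    return hr_req_const / (n_indep * p_h0 * (m + 1))

def k_ffmd(p):
    """Two-sided Gaussian scaling factor K = -Phi^-1(P_ffmd / 2), i.e. MATLAB norminv."""
    return -_STD_NORMAL.inv_cdf(p / 2.0)

def protection_level(hr_req_const, m, sigma_pos=0.5, n_indep=1.0, p_h0=1.0):
    """PL ~ K_ffmd * sigma_pos; sigma_pos = 0.5 m is the deck's GBAS assumption."""
    return k_ffmd(p_ffmd(hr_req_const, m, n_indep, p_h0)) * sigma_pos

def composite_hr(hr_req_const, n, sdt_hr):
    """NooN composite fail-safety: HR_NooN = N * HR_const^N * SDT^(N-1)."""
    return n * hr_req_const ** n * sdt_hr ** (n - 1)

def select_track(pe_est, pl, al=3.0):
    """Declare track i only if PL < AL and PEe_i <= PL for exactly one track i;
    anything else is reported as 'not available' (the fail-safe outcome)."""
    if pl >= al:
        return None, "not available"
    hits = [i for i, pe in enumerate(pe_est) if pe <= pl]
    return (hits[0], "correct") if len(hits) == 1 else (None, "not available")

if __name__ == "__main__":
    sdt = 0.03  # Safe Down Time = SOM duration (108 s) in hours
    for n, hr in ((2, 5e-5), (3, 5e-3), (4, 1e-2)):
        print(f"{n}oo{n}: HR = {composite_hr(hr, n, sdt):.4e}/hr, "
              f"PL = {protection_level(hr, 3):.4f} m")
    print(f"1oo1: PL = {protection_level(0.67e-9, 3):.4f} m")
    # constructed PEe values (metres) for the two candidate tracks
    print(select_track([0.8, 2.5], protection_level(5e-3, 3)))
```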
Common Mode Failure / Common Cause Failure analysis
Diversity can mitigate CMF (e.g. use of GPS vs. Galileo)
Completely independent technologies can also protect against CCF (e.g. ionospheric storms, local effects such as multipath, EMI …)
CCF analysis must demonstrate fulfillment of THRVB = 0.67e-9/hr & AL < 3 m.
Meaning of Protection Level for Track Discrimination
In aviation, Position Error (PE) cannot be estimated
On railway, PE can be independently estimated (PEe) with respect to the known track geometry
In case of Track Discrimination it is a Decision Problem. Question: Train on track No. X? Answer: Yes or No … (with HR < 0.67e-9/hr !!)
Meaning of Protection Level for Track Discrimination
Composite fail-safety with at least 2 safety functions must be used, because THR < 1e-9/hr (EN 61508, 2nd edition 2011).
Each of the safety functions will have HR > THRVB = 0.67e-9/hr, e.g. 1e-6/hr. It could limit availability of track discrimination – see below.
Meaning of Protection Level for Track Discrimination
Single function with THR = 0.67e-9/hr ... possible only theoretically, because track discrimination for HR < 1e-9/hr cannot be realised as a single function according to CENELEC standards
Correct track selection: PL < 3 m = AL and PEei ≤ PL; i = 0, 1
Engineering rules related to the safety margin must be elaborated
Meaning of Protection Level for Track Discrimination
Failure modes for single Track Discrimination Function (figure): Dangerous fault (1e-6/hr); Not available; Correct (1e-6/hr)
Availability of track discrimination: PEei ≤ PL < 3 m = AL; i = 0, 1
Conclusions
SOM with track discrimination function with position UNKNOWN can be based on Composite Fail-Safety, e.g. using a 3oo3 architecture.
3 GNSS constellations within GBAS provide a sufficiently low PL for track selectivity. The 4th constellation can be used as back-up.
After LDS initialization is completed, Reactive Fail-Safety can be used for VB detection under Full Supervision mode. The integrity requirement for GNSS is significantly relaxed (HRGNSS_SOM = 0.67e-9/hr → HRFS = 4.8e-6/hr). One constellation is needed for integrity; the other remaining constellations provide high availability of integrity.
Track discrimination via a 3oo3 structure can be performed in predetermined locations. In most locations a single constellation (within GBAS or SBAS) is sufficient for LDS safety integrity.
Acknowledgement
This work was supported by the European H2020 research and innovation programme budget within the RHINOS project (2016-2017).