A. The Localization Function Under ETCS Operation

ETCS is broken down into equipment embedded in trains (ETCS On-board) and trackside equipment (ETCS Trackside). In ETCS L2 and L3, the localization function is ensured by ETCS On-board. The latter relies on an embedded localization unit, which has to estimate the train position with some confidence interval. Note that, in the following, the localization function is considered equivalent to the train positioning. Moreover, ‘Train positioning’ and ‘Train location management’ are different though interrelated functions. Indeed, the latter monitors the presence/absence of trains on each part of the railway line, i.e., the ‘track occupancy’, and ensures the ‘safe train separation’ on a track. As explained below, the track occupancy is determined differently in ETCS L2 and L3; however, the safe train separation relies on the same principle: ETCS Trackside regularly provides each train with an up-to-date target point until which it is allowed to proceed. The distance between the train front-end and its allocated target point, associated with the permitted speed, is called ‘Movement Authority’ (MA), while the target point is called ‘End of Authority’ (EoA). MA data are sent by the trackside sub-system through a radio communication link.

ETCS L2 uses the traditional train separation method based on dividing the line into fixed block sections. The block sections are delimited by physical devices (e.g., track circuits, axle counters). Based on the block occupancy status reported by the Trackside Train Detection devices (TTD), the ETCS Trackside determines the ‘train location’. With a TTD-based reporting, the system exactly knows the segment (or the segments, when the train is passing from one block to the next block) in which the train lies. This segment includes the train from its front-end (the head) to its rear-end (the tail). However, ETCS Trackside cannot determine the precise ‘train position’ (of the train head) in a segment.

In ETCS L3, the train separation function is, instead, based on the ‘train position’. Initially, this information allows ETCS On-board to supervise the train speed and braking curve in order to stay behind the EoA as in the case of ETCS L2. In ETCS L3, it makes also possible the track occupancy to be established in a more precise way. For this purpose, the Train Position Reports (TPR), produced on-board and transmitted by radio to ETCS Trackside, must not only include the train front-end position, but also the train rear-end position. This latter can be estimated using an embedded unit called Train Integrity Monitoring System (TIMS), which is responsible for monitoring the train integrity, i.e., the potential loss of wagons if a mechanical link is broken. Based on TPR with the associated train integrity data, ETCS L3 no longer needs TTD-related physical equipment. Therefore, both the Full Moving Block (FMB) and the Fixed Virtual block (FVB) principles can be applied. In FVB, although the blocks are fixed, they can be used for implementing an FMB-like operation. Indeed, as they are only represented in a logical form in the trackside databases, they can finely discretize a railway line in small fixed sections by adapting the digital track configuration. Nevertheless, under the FMB operation, theoretically EoA can be issued in any point of the railway line, while under the FVB operation, EoA must correspond to some block extremity.

For lines on which a migration towards ETCS L3 is foreseen, a transition phase with mixed traffic (train equipped or not equipped with Moving Block system) is possible by using hybrid implementations. In this case, the ETCS Trackside should be able to manage both physical and logical train separation. Namely, physical separation shall be based on TTD, while logical separation on TPR. Thus, four types of ETCS L3 have been defined: Hybrid FVB, Hybrid FMB, FVB without TTD and, FMB without TTD. The development of ETCS L3 is nowadays carried out according to two related, though complementary, work-streams. The first is led by the Shif2Rail partners and focuses on developing the four MB variants. The second, led by EUG (ERTMS Users’ Group) [5], focuses on a specific variant: hybrid FVB, also called hybrid Level 3 [12]. This last variant seems to be the most advanced development phase and actual tests have already been conducted on it such as those led in 2018 in Germany within the DB Living Lab [13], or those led in 2017 on a test track at the ETCS National Integration Facility (ENIF) provided by Network Rail (U.K.) [14].

Safety specification for ETCS sub-systems [9], [15] imposes very high safety requirements. The train localization function has then to meet a Tolerable Hazard Rate (THR) of 10⁻⁹ per operating hour. This constraint has been resolved in a satisfactory manner by a combination of balises3 and odometry systems. These interoperable components are today used in ETCS L2 and will surely be used in ETCS L3, as most railway actors still request them, especially due to the absolute position references provided by the balises. Nevertheless, deploying ‘physical balises’ (PB) on the track is substantially costly. Therefore, GNSS-based ‘virtual balise’ (VB) systems are envisaged in ETCS L2 and L3 (their principles will be explained in Section III).

The underlying idea behind using VB is to emulate the behavior produced by PB without resorting to physical devices (balises). In general, balises can be placed to coincide with blocks’ limits. Hence, by using VB, it becomes possible to virtually split the line into shorter sections without using additional physical devices (cf. Figure 1). However, choosing the location of the balises is an engineering matter since no rule in the specifications addresses this aspect. Besides, when upgrading existing lines toward ETCS L3 with the possible use of VB, the presence of some existing PB and new VB has also to be considered. The question of the gradual migration of an existing line by using new artifacts, such as VB, is of paramount importance. Indeed, the components which are already implemented on the line have to coexist with those to be deployed during the migration. This would not have been the case if a completely new line is built. However, in most cases, new constructions are avoided because they induce unaffordable infrastructure costs and can even be technically impossible due to geographical space unavailability, especially in dense territories.

FIGURE 1.

Example of balise implantation in ETCS Trackside.

Show All

Finally, an interesting trade-off solution is to upgrade existing lines that are operated with classic fixed blocks by enabling the use of FVB, while using both PB and VB. That is why the analysis process proposed in the present paper will consider the presence of both types of balises along a line. Such a process can advantageously serve as a guide for railway signaling engineers to set a safe configuration of virtual balises on a given railway track.

B. GNSS-Related Safety Factors

A GNSS system (such as Galileo or GPS) includes a constellation of satellites in orbit, ground monitoring installations and user receivers. The satellites transmit signals that allow a receiver to estimate its position. This estimation is calculated by triangulation based on the signal propagation delay from the transmitters to the receiver. In the railway operation environment, the presence of obstacles, such as vegetation and buildings, can lead to signal perturbations that affect the position calculation process. Moreover, another issue is pertaining to the availability of the GNSS signals such as for instance when train enters tunnels or in harsh environments. In most cases, GNSS receivers are implemented in combined architectures in such a way that GNSS technology is integrated with additional sensors/digital means, which can compensate GNSS perturbations. Such a combined architecture offers several advantages as discussed in [16]. Therefore, safety and performance features have to be associated with the calculated position, especially in safety-critical applications [17]. Namely, “a measure of the trust that can be placed in the correctness of the information supplied by the navigation system” is defined as the ‘Integrity Risk’ (IR). It refers to the probability of providing localization information out of some tolerance margin without warning the user within a given period of time [18]. The estimation of IR is based on a set of parameters that are dependent on the target application.

• The ‘Position Error’ (PE), which is the difference between the estimated position and the actual position.

• The ‘Alert Limit’ (AL), which represents the largest position error that allows for safe operation. The AL defines the error tolerance that cannot be exceeded without issuing a warning. Therefore, it is generally defined as an application-dependent safety requirement.

However, since it is not possible to know the actual position error in real time during the operation, a statistical bound to the position error, called ‘Protection Level’ (PL), needs to be computed in order to measure the risk that the alert limit has been exceeded. As the train position is constrained by the track coordinates, only the one-dimensional component of the PL, called ‘Along Track Protection Level’ (ATPL), can also be determined on the basis of the track description information.

The expected nominal operation mode implies to have a PE smaller than the calculated PL and a PL smaller than the AL (cf. Figure 2, case 1). Therefore, to allow the use of GNSS-based systems for train localization, it has to be proved that the delivered position information is never (or sufficiently rarely, i.e., with a small acceptable probability) declared reliable and available when the actual PE exceeds AL while the estimated PL is smaller than AL (cf. Figure 2, case 2). In aeronautics, the authorities have already certified that an aircraft can realize a safety-critical APV (Approach with Vertical Guidance) with GNSS, especially with the EGNOS augmentation system [6]. An analogous certification process is needed in railways to ensure the required confidence level in terms of safety.

FIGURE 2.

Illustration of the concepts related to the localization integrity risk using a 2-dimensional space [19].

Show All

C. Related Works

In this section, we give a brief overview of the existing works that tackle the safety issues related to the use of GNSS-based localization systems in railways. With the localization function being safety-critical, such systems must go through a certification process to be adopted in railway CCS systems, such as ERTMS. In Europe, such a process is controlled by the ERA (European Union Agency for Railways)4 and national railway safety authorities (e.g., EPSF in France, EBA in Germany). It results in an authorization for placing in service or on the market.

In fact, most of the certification effort focuses on providing a safety and quality set of evidences, which endeavors to prove that the system fulfills the relevant safety requirements. Therefore, on the one hand, some existing works have intended to define safety requirements and allocate quantitative safety targets to the functional parts of satellite-based localization systems [20], [21], especially in the case of the Virtual Balise Transmission System [22]. On the other hand, some studies have proposed means to demonstrate safety performances of different technical architectures [23], [24] and to qualify hazardous positioning errors w.r.t railway safety criteria [25], [26]. Furthermore, we can also find some contributions that establish links between aeronautical and railway safety criteria [27], [28]. In order to assess these criteria, on-site testing approaches have been used in the aforementioned works, benefiting from their great power of persuasion. However, the implementation of testing approaches is both expensive and time-consuming. Moreover, the obtained results are strongly dependent on the environmental testing conditions. Consequently, complementary ‘zero on-site testing’ approaches, based on models and simulation, are needed to investigate different configurations and environments at a much lower cost. In this context and in light of the strict safety requirements in the railway sector, a long-standing effort considers the use of formal methods and tools for the analysis of railway signaling systems [29], [30], [31], [32], [33], [34], [35], [36], [37], [38], [39], [40]. Specifically, the recent works in [41] and [42] have presented a survey and a mapping study on various formal methods and tools used in railways. It should be noted here that a number of studies have addressed the assessment of railway safety properties, while tackling different use cases. In [43] and [44], the reliability of railway interlocking systems is considered, while [45] deals with the analysis of railway timetables. In [46], a moving block signaling system endowed with autonomous driving is modeled and analyzed, while considering various driving strategies. In [47], [48], [49], the authors investigate specific MB scenarios by considering the ETCS On-board interface with the train localization unit, while abstracting away the specific localization functionalities coming from balises or GNSS. In [50], the occupancy of virtual tramway track sections at a simple junction was modeled and analyzed, considering random intervals around tram location continuously provided by means of a GNSS-based system. However, to the best of our knowledge, no study has provided comprehensive formal models that allow for quantitative assessment of safety properties pertaining to the use of GNSS-based localization systems in the railway domain, in particular with the operating principles specific to Virtual Balises.

In the following sections, we focus on the investigation of the train localization process with VB while considering the localization errors that such balises can introduce. In particular, we seek to finely and rigorously investigate the localization uncertainties induced by the use of VB in railway CCS, with the help of formal models. Such models are built while making particular effort to ensure reusability, modularity, and parametrization as detailed in [10], and models in [11] serve as a preliminary basis to the models established in the present work, while showing various extensions and some additional details. Namely, the parameterization aspects intervene in these models at several places, for instance when the mentioned uncertainties related to the operational environment are characterized depending on various distribution settings. Another aspect that will be shown is related to the reusability of the elaborated models to cope with different operational configurations. Having these features associated with the formal models, we can assess how well (in a probabilistic way) the safety requirements are fulfilled for different railway operational context where VB are employed for train localization.

A. The Localization Process With VB

As explained in Section II, railway localization is fundamental for performing the safe control of train movement. Traditionally, trains use on-board odometry to continuously estimate their position. Concretely, the odometer calculates the ‘traveled distance’ from a ‘reference position’ by monitoring the number of wheels revolutions. The reference position is acquired by means of physical balises installed along the track (set in groups). These balises allow odometry errors to be corrected punctually. Such errors are due to wheel jamming and slipping phenomena and are accumulated as the traveled distance increases until the next balise group is met. In between two successive groups of balises, the localization process involves a ‘confidence interval’ (cf. Figure 3.a)) that is centered on the estimated train head position and whose calculation process must be designed to include the actual train position with a minimal margin. According to ERTMS specifications [51], the ‘distance measured on-board’ can have an error that must not exceed $\pm (5+5\%\cdot s)$ meters, $s$ being the estimated traveled distance. Hence, if the actual train position is in front (resp. in rear) of the estimated position, this latter is under-estimated (resp. over-estimated). Consequently, the mentioned requirement can be expressed as follows: the ‘under-reading amount’ (resp. the ‘over-reading amount’) shall be at most $5+5\%\cdot s$ meters. This threshold is a maximal value for the ‘under/over-reading amount’ (illustrated in Figure 3.a)). Note that this requirement specifically refers to on-board localization errors, including odometry errors and ‘balise detection’ related errors [52].

FIGURE 3.

‘Confidence interval’ and ‘expectation window’ concepts in ETCS.

Show All

As mentioned above, the traveled distance is calculated w.r.t some reference position. Today, in ETCS L2, this reference position is provided by physical balises (PB) installed on the track and is updated to the location of the last activated balise. Moreover, by readjusting the estimated train position with the balise position, the ‘over/under-reading amount’ is reset. Yet, a ‘residual error’ still remains, corresponding to the uncertainty related to the balise location itself. In ERTMS specifications, this error is referred to as the Q_LOCACC parameter, which is a fixed value (cf. Figure 3.a)).

As mentioned earlier in the paper, some ongoing research projects are investigating the possibility of replacing the physical balises with virtual balises [6]. Concretely, each of these VB corresponds to a reference position stored in the ETCS On-board module. By means of the GNSS-based localization unit, the on-board module launches the calculation of the train position in every interval where it expects to encounter a virtual balise; such interval is called ‘expectation window’ in ERTMS specifications (cf. Figure 3.b)). Namely, when the traveled distance estimated on-board (including associated uncertainties) reaches the expectation interval, the ETCS on-board module continuously monitors whether the GNSS-based position matches the position of the VB. As soon as this matching occurs, the VB is activated (emulating the activation of a PB), and its position is used as a new reference position. Accordingly, a protection level (PL) (cf. Section II-C) is associated with the GNSS-based position at the time of the VB activation, and this PL serves as a ‘residual error’ related to the location of VB.

It should be noticed that the value of the residual error in the case of PB is fixed and bounded by 5 meters, as required in the ERTMS specifications. In contrast, the residual error value related to VB activation is unknown and bounded by the PL, which may exceed 5 meters. Moreover, the PL may vary from one balise to another, and from one passage to another, depending on several parameters mainly related to the operating environment. Consequently, as it is not possible to predict with certainty the PL value that shall be used for readjusting the train position estimated on-board, a new uncertainty factor arises. Therefore, a new variable must be accounted for when studying balise arrangements during the design phase of a railway line.

For the safe configuration of balises, the process proposed in the present paper allows for analyzing, globally on a line, how likely the train position error ‘bound’ may exceed some predetermined threshold. In the following section, we will discuss the developed models involved in the performance/safety analysis.

B. Development of the Formal Models

1) Behavioral Models

Our aim through this modeling phase is to set rigorous models to describe the behavior of the localization function presented previously. In fact, we do not seek to model the position error at each time step. Instead, we focus our modeling process on the maximum tolerated interval that has to include the actual and estimated positions. This allows us to adopt a safety-oriented point of view. It is worth mentioning that this ‘global uncertainty on the train position’ will be determined while considering the various sources of uncertainties.

These models will serve to check a number of properties on this function while considering various configurations. In this respect, our modeling process ensures modularity and parameterization so as the generated models can be updated to various settings. It is worth recalling that the results obtained from the model-based approaches are obviously as good as the elaborated models are realistic, i.e., reflect the actual behavior faithfully [53]. Hence, the modeling activity remains a crucial phase in these approaches and highly relies on the user expertise, both in terms of modeling and system comprehension [54], [55].

In our work, we mainly focus on the following features:

1. modelling the train dynamics as it moves. This allows the travelled distance to be updated according to a set of parameters.

2. modelling the evolution of the train position error bound, i.e., the continuous evolution of the maximal position error permitted according to the measured travelled distance.

3. modelling the activation of physical and virtual balises.

4. updating the error bound when a PB or a VB is encountered. Concretely, this induces a punctual down jump, in nominal conditions, of the error bound due to the resetting function, while the corresponding residual error is kept.

To meet the requirements of our modeling process as discussed above, we chose the UPPAAL model-checking5 tool employed in several works mentioned in Section II-C. UPPAAL [56] allows for handling a network of parameterizable timed and probabilistic automata, hence making it possible to establish modular and configurable models. First, the behavioral modules in UPPAAL have to be established as a number of parameterizable timed automaton templates. Then, the actual behavioral model is generated as a product of timed automaton models instantiated from these template models. Moreover, the tool includes a number of model-checking algorithms that allow the evaluation of various types of properties expressed as temporal logic assertions. If some property is not satisfied on the model, a counter-example is generated showing a trace that violates the property, which offers a valuable feature for debugging. Finally, it is worth noting that UPPAAL also offers simulation facilities that can be advantageously used for both modeling and verification phases.

Figure 4 and Figure 5 show the main modules that have been developed to describe the behavior of the localization function. Besides these five modules, a module allowing the initialization of PB and VB location on the track, and another allowing the time to be elapsed have been developed. Figure 4 exhibits a high-level view of the global model with the shared data and the synchronization messages among the interacting modules, while Figure 5 exhibits four detailed automata along with the module variables and their role. The PL (Protection Level) module is not represented here as it is related to random variable generation according to some stochastical distributions that depend on the surrounding environment encountered by the train (cf. Section IV), and due to the consideration of different classes of environment as explained in [10]. The main features of the four modules are described below; for a deeper insight into the modules, all the behavioral models are made available in a public GitHub repository with many technical details.6

FIGURE 4.

High-level view of the global model.

Show All

FIGURE 5.

Modeling modules of the localization function [11].

Show All

In the first module dedicated to translating the train dynamics, a variable is set to represent the value of the train acceleration. This variable allows us to represent the variation of the train speed due to acceleration and braking. From the acceleration, the instantaneous speed of the train can be easily deduced using the integral function. Likewise, the distance traveled by the train can be calculated from the velocity. This module is built in such a way as to be able to vary the speed according to the characteristics of the different track areas, and according to the maximum speed of the trains. The latter depends on the category of the trains to be considered and their load.

The distance variable in the first module serves as an input of the second module dedicated to the determination of the localization error bound. Namely, the value of this variable is used to model the acceptable error bound on the traveled distance. For that to happen, we consider the OdoError_dyn variable in the second module to model the odometry accumulated uncertainty. At each time step, the value of OdoError_dyn is incremented according to the traveled distance (while considering a rate of 5%) to represent the maximal odometry error bound as stated in the ERTMS specifications. In parallel to OdoError_dyn, the maximal residual error linked to the current reference position (i.e., the balise activation uncertainty) is also considered in our model and noted BaliseError. Hence, the global uncertainty on the train position can be represented as follows:

$\begin{aligned} \begin{array}{l} \textit {Global uncertainty on the train position =} \\ \textit {balise activation uncertainty} + {5\% \times }\textit{ distance} \\ \textit {from the last reference position} \end{array} \end{aligned}$

Using the model variables, it leads to: PositionError = BaliseError + OdoError_dyn.

In the third and fourth modules, we model the balise activation. In these modules, the actual relative train position, i.e., the real traveled distance modeled with variable $P$ _${int}$ is taken as an input. This variable is only accessible because the train dynamics is modeled. In reality, the on-board system waits for the electromagnetic activation of PB or verifies if the GNSS-based estimated position (in distance) matches the VB position stored on-board. In the model, $P$ _${int}$ is compared to the location of the next expected balise. When both values match, the position of the balise is retained as the new reference position. Thus, the value of uncertainty on the position is recalculated, keeping only the value related to the uncertainty at the detection time of the balise (max. 5 meters for PB and PL meters for VB).

A. Verification Principle

Unlike classic Model-Checking (MC), which issues a binary result (whether the property is satisfied or not), SMC provides a quantitative result, namely how likely (probability value) the examined property is satisfied by the model. Furthermore, the generated result is associated with a confidence interval. The SMC algorithm is, in fact, based on the classical Monte Carlo simulation, i.e., using sampling. Therefore, while the outcomes issued by SMC algorithms offer a probabilistic characterization of some investigated property, they are well considered as a formal technique in the sense that they provide a quantification of the likelihood associated with the fulfillment of such a property, as well as the certainty/uncertainty associated with the issued result. Such a qualification of the SMC outcome provides a valuable characterization in terms of the confidence that one shall associate with the obtained result. Besides, it is worth noting that SMC algorithms are well adopted in the verification of safety critical applications in diverse domains, as highlighted in the survey conducted in [58].

In what follows, we will mainly analyze how likely the uncertainty on the train position can exceed a certain threshold during the whole run of the train along some given lines while considering specific PB/VB arrangement. This property has to be expressed as a temporal logic formula to be analyzed by the model-checker. The aforementioned feature can be formulated as follows: $$\begin{equation*} Pr\;\left [{ < = bound\;}\right ]\;\left ({ < > PositionError > threshold}\right )\tag{1}\end{equation*}$$ View Source\begin{equation*} Pr\;\left [{ < = bound\;}\right ]\;\left ({ < > PositionError > threshold}\right )\tag{1}\end{equation*} where:

• bound denotes the time bound on the simulation procedure,

• PositionError is the allowed position error for each train,

• threshold is the monitored limit value for the allowed error (e.g., $105\;m)$ ,

• <> is the eventually temporal operator. Namely, for $\varphi$ some given predicate, $< >\varphi$ means that there exists some state from now on that satisfies $\varphi$ .

To evaluate different error limits, it is sufficient to adapt the threshold value in the previous formula. Hence, for each generated query (representing a different threshold), the SMC tool executes an important number of runs on the system model to explore the reachable states. At the end of each run, the algorithm checks whether or not the query is satisfied. This is, in fact, analogous to a Bernoulli problem with a set of logical answers (true or false). The obtained outcomes are then aggregated to quantitatively estimate the probability of the property being satisfied (with a corresponding confidence interval). Namely, the SMC algorithm computes the number of runs needed in order to produce an approximate interval $[ p - \epsilon ; p + \epsilon ]$ for the probability $p$ with a confidence $(1 - \alpha )$ , where:

• $\epsilon$ is the probability uncertainty.

• $\alpha$ is the probability of false negatives.

B. The Considered Case Study

As mentioned in Section II-A, using VB to implement the train localization function under ETCS L3 can be envisaged in two main situations:

1. The case of a new ERTMS L3 railway line,

2. The upgrade of an existing line (e.g., operated in ERTMS L2) towards ERTMS L3.

In both situations, performance and safety targets have to be evaluated. In our case study, we will consider Case 1), i.e., the design of a new ERTMS L3 line to be operated with FVB.

From an operational point of view, the pursued objective is that the new ERTMS L3 line should provide at least the same capacity that would have been obtained under ERTMS L2 operation (with PB exclusively). Obviously, a direct benefit of ERTMS L3 over ERTMS L2 is that fewer PB shall be deployed, since the used balises will be mostly virtual.

In this context, we assume that the configuration of the ERTMS L2 line used as a comparison basis can be summarized as follows:

• Only physical balises are used for odometry calibration,

• All the PB are equivalently spaced on the track, and the distance separating two successive (group of) balises is $d=2000\;m$ .

Such an ERTMS L2 line configuration implies that the global train position uncertainty varies between $5\;m$ (immediately following the activation of a PB) and $105\;m~(5+5\% \cdot d$ with $d =2000\;m$ , right prior to the activation of a PB).

We recall that the capacity of the ERTMS L2 line depends on three main parameters: the maximum uncertainty value on the train position, the braking distance of the trains, and the length of the blocks. Since the braking characteristics of the operated trains remain unchanged, only the uncertainty on train position and the distance separating balises determine the variation in terms of line capacity between the L2 reference line and the L3-FVB line. Accordingly, in our case study we will mainly focus on the maximum error bound on train position and the block length as comparative parameters. In fact, on the one hand, the block length can be directly compared, namely according to the distance separating two successive (group of) balises. On the other hand, the maximum train position uncertainty needs to be analyzed in order to check if the bound (i.e., $105\;m)$ remains satisfied (with a tolerable confidence level) in the new ERTMS L3 line, while using VB.

Through our case study, we seek to illustrate how to safely address the position uncertainties under FVB operation by means of formal verification using the developed models. Considering the same speed, constant acceleration, and the same dynamic characteristics for all trains in our case study, the model managing the variation of each train dynamics parameter is not considered here; this model has already been investigated in [11]. Thus, in the present paper we concentrate the analysis on the PL characterization related to VB activation. Besides, the cumulative error due to the traveled distance can be regarded as a constant when considering the same size for each block section; this can be the case for a new ERTMS L3 line operated with FVB, ERTMS L2 lines being not necessarily equipped with block sections sized identically. Therefore, the model part related to the PL characterization will be analyzed in the sequel. Using 3 possible settings related to the PL distribution, the impact on train position uncertainty will be particularly investigated. Namely, we will address the following question: “How should the balises be arranged on the line in order to guarantee that the uncertainty on the train estimated position does not exceed a predetermined threshold?”. It is worth highlighting that the aforementioned investigated issue is given here for the sake of illustrating how safety analyses can be conducted on the basis of our formal models; in general, further analyses can be undertaken. Depending on the investigated problem, the development of additional behavioral modules can be required, yet the whole approach remains the same.

C. Analysis Phase

As explained earlier in the paper, our analysis is performed by means of the model-checking facilities offered by UPPAAL. As a matter of fact, we should indicate that we used both the graphical TA models discussed in the previous subsections, but also a number of textual TA models (“.xta” files) and “.q” query files that are generated automatically by means of Python scripts we have developed. Indeed, since we seek to investigate different track (PB/VB) configurations, while considering various uncertainty levels, we took advantage of the possibility offered by UPPAAL to perform model-checking using command-lines on the basis of TA models and query textual files. It is also worth mentioning that depending on the available computational capabilities, we can easily adapt the levels of accuracy and confidence of the model-checking results (resp. $\epsilon$ and $\alpha$ statistical parameters), as well as the level of details in the investigated models. These aspects are further discussed in the explanations provided with our models in the public repository.

In the analyzed ERTMS L3-related case study, we choose to employ only 10% of PB for illustrating how the probabilistic distributions related to different GNSS signal reception environments can vary in our models while maintaining an accepted system residual risk. Accordingly, the balises configuration of (1PB - 9VB) is adopted in the remainder of our study. This means one (group of) PB while the 9 next successive balises are virtual (VB), etc.

As stated before, for the sake of clarity, we assume that the operational environment is invariable in one scenario, in terms of GNSS reception quality, all along the considered line. Hence, the same probabilistic distribution is used to characterize the PL values in each scenario. Namely, we aim to study the impact of three illustrative normal distributions on the VB separation distance (cf. Table 1).

TABLE 1 Parameters Related to PL

Note here that, for the sake of obtaining realistic PL values, we define a minimum acceptable PL value equal to $3\; m$ for each distribution. Hence, if the generated PL value is smaller than this bound, a new value is generated until obtaining an accepted PL value. Such a minimum setting can be adapted to represent different PL distributions.

We recall that the results sought via our analysis intend to provide indicators regarding the physical and virtual balises safe configuration along the new line. In this context, we assume the distance separating successive balises (denoted as $d^{\prime })$ to be constant. Moreover, since the OdoError_dyn variable (i.e., the odometer accumulated error) component of the PositionError variable (i.e., the allowed train position error) only depends on the traveled distance from the last balise (which can be either a PB or VB), one can easily infer the maximum value of OdoError_dyn from $d^{\prime }$ . In contrast, the BaliseError variable (resulting from the activation of a VB) depends on the various PL values and represents the uncertain part of the PositionError variable. Hence, such a variation needs to be finely investigated. This can be done by adapting and formally checking the property expressed in formula (1).

For each threshold value (e.g., from 1 to 35 meters), the SMC algorithm handles the associated query and estimates the probability that the BaliseError variable exceeds the investigated threshold. The obtained results are processed to obtain the charts represented in Figure 7. The results pertaining to the maximum balise error are depicted via the orange plots, which show the relation between the various error thresholds and the probability that these limits are exceeded by the balises activation error bound.

FIGURE 7.

SMC Results on the Balise activation error bound following the PL characterization models A,B, and C.

Show All

D. Results Interpretation

We recall that, in contrast with the case of PB where the fixed value of $5\;m$ bounds the value of the BaliseError variable, no maximum value is defined for the PL associated with the activation of a VB. Indeed, large PL values can be reached, especially in unfavorable GNSS reception conditions. Instead, an Alert Limit (AL) is used as an upper bound on the accepted PL values. If the estimated PL is lower than the value of AL, the PL value is accepted and associated with a ‘confidence level’. On the contrary, if the estimated PL exceeds AL, the GNSS position is deemed unavailable and, hence, rejected by the on-board system.

In our context, we consider this ‘target confidence level’ as an input parameter to our analysis. In fact, such probabilistic threshold stands for an accepted residual risk (according to the safety targets). For instance, let us assume that the risk of PL exceeding the balise error bound must be smaller than 10⁻⁵ with a confidence of 0.99999. Considering this target probability (i.e., 10⁻⁵), particular zones of interest (i.e., uncertainty value corresponding to the target probability) are identified according to the results obtained previously. These zones (illustrated with red boxes in Figure 7) require an in-depth exploration. Accordingly, the SMC tool parameters are further adapted as follows: $\alpha =1 - 0.99999$ and $2 \times \epsilon = 10^{-5})$ . For instance, the interest zone corresponding to the setting of the parameters related to a PL distribution $Normal(10:3)$ (Setting B) is zoomed in and presented in Figure 8. The other PL distributions are addressed similarly.

FIGURE 8.

Zone of interest with PL: Normal(10:3), $\alpha= 1E{-5}$ and $\epsilon= 5E{-6}$ .

Show All

Having obtained the BaliseError values associated with the investigated PL distributions, the second part of the study focuses on the Global train position uncertainty, as this parameter is key for determining the maximum distance between consecutive balises, and accordingly the size of the FVB. To do so, let us consider the following:

MaxAllowedError = MaxOdoError_dyn + BaliseError, where:

• MaxAllowedError denotes the target bound on the train position uncertainty (i.e., $105 m)$ ,

• MaxOdoError_dyn $=5\% \times d^{\prime }_{max}$ ,

• $d^{\prime }_{max}$ : maximum allowed distance between consecutive balises.

Therefore, it is straightforward to infer $d^{\prime }_{max}$ as in relation (2) below, and the obtained results are reported in Table 2, where all distances are indicated in meters (m): $$\begin{equation*} d^{\prime }_{max} = \frac {1}{5\%}\times \left ({MaxAllowedError - BaliseError}\right )\tag{2}\end{equation*}$$ View Source\begin{equation*} d^{\prime }_{max} = \frac {1}{5\%}\times \left ({MaxAllowedError - BaliseError}\right )\tag{2}\end{equation*}

TABLE 2 Results

In the last column of the table, we compare the number of PB needed in the new L3 FVB line respectively to their number in the reference ERTMS L2 line. One can notice that the number of PB is reduced by more than 85% in the three investigated scenarios. Indeed, even if the balises are closer to each other in the new line, only one out of ten balises is a physical balise. One can also notice that the lower the uncertainty on the value of PL is, the more the balises can be spaced out on the line, which means fewer balises to be deployed (e.g., 12% for PL $Normal(5:3)$ vs. 14.7% for PL $Normal(10:5))$ . It is therefore relevant to note that the obtained results depend highly on the PL distributions adopted as input parameters.

Moreover, since the FVB lengths $(d^{\prime }_{max})$ are smaller than the block length of the reference ERTMS L2 line $(2\;km)$ , the line capacity shall be increased. Besides, it should be noted that such $d^{\prime }_{max}$ values stand for the maximum distance separating successive balises. Hence, the actual balises separation distance to be adopted can be smaller than the calculated $d^{\prime }_{max}$ value. In particular, the increase of the balises number is particularly relevant since 90% of the balises are virtual. As a result, less odometry error accumulation and even shorter FVB can be obtained, thus making it possible for further increasing the line capacity. Nevertheless, a physical limit for line capacity increase is related to the braking capabilities of the operated trains.

Finally, it is worth noting that an analogous reasoning can be adopted to investigate different line layouts and PL distributions, so as to determine optimal cost/benefit ratio, while keeping control on the related risks.

E. Discussion on Operational Engineering Rules

For the sake of the transferability of our approach, this subsection is dedicated to discussing the implication of the obtained results, as well as the limitations of the analysis in the context of future research and innovation projects. Indeed, beyond the methodological aspects, some operational questions can arise when employing the proposed approach, as will be discussed in what follows.

Regarding the balise location along the track, we adopted the following generic rule: we assume that there is one balise (physical or virtual) by block section and balises are placed at the beginning of each block. Indeed, there is no standard regarding installation engineering rules for balises, and no guidelines regarding these aspects can be found in the scientific or technical literature. Also, based on some discussions with railway experts, we could infer that balises were today placed in a very heterogeneous way. The location of balises can be chosen for historical reasons related to the line, for topographical reasons, due to possible interference with other balises or conductive materials in the vicinity, or also for some maintenance considerations often related to the inspection of other trackside equipment in parallel. Indeed, for practical purposes, it is better to regroup all equipment in an easily accessible area where all devices can be inspected without moving monitoring/repair apparatuses from one place to another. Moreover, “beaconage plans” do exist especially in the case of new lines, but they are naturally not shared for security reasons and are the properties of the suppliers and the organization that operates the railway line. Therefore, they cannot be analyzed to infer some generic engineering rules.

Nowadays, requirements on physical balises exist in ETCS [59], and are referred to as FFFIS (Form-Fit Functional Interface Specification), which are concretely technical requirements on the balises. These specifications include the following installation requirement types for such devices: tolerances for balise installation and mounting on the track, balise installation in narrow curves, the distance between consecutive balises in a Balise Group (BG), the grouped data of balises in a BG providing the reference position to the train. However, it can be noticed that they only refer to local installation rules and not to global rules related to a line, and operating performances are not considered. The contribution discussed in the present paper therefore ambitions to help provide a practical answer to this global aspect.

Besides, considering Virtual Balises (VB), allows some local physical installation constraints to be overlooked. However, it should be noted that the use of GNSS technologies for ensuring the train localization function based on VB induces some other considerations of VB placing, i.e., they have to be found in locations where GNSS signal reception conditions are optimal or, at least, associated with well-controlled error models. These optimal places have to be determined based on tests and analyses that do need to be performed with the help of GNSS experts. Consequently, a VB can be placed further in a block section rather than at its beginning.