
Page 1

RHINOS “Railway High Integrity Navigation Overlay System”

IGAW 2017 Workshop, SOGEI, Rome, 20-22 June 2017

Some Safety Aspects related to Train Position Determination for ERTMS/ETCS: Start of Mission on Parallel Tracks

A. Filip, S. Pullen, R. Capua, A. Neri, S. Sabina, F. Rispoli

Page 2

Motivation

Fulfilment of ERTMS/ETCS requirements for safety integrity related to Start of Mission.

Utilization of existing GBAS/LAAS (RTCA DO-245) concept, which was originally developed for safety operations in aviation.

Design of Track Discrimination Function according to CENELEC standards (EN 50126, EN 50129, EN 61508 2nd ed.).

Simplification of safety evidence which could be used for LDS Safety Case and Certification.

Page 3

Requirements for Track Discrimination Function

THR_VB = 1e-9/hr for ETCS Level 2, Start of Mission (SOM)

THR_VB = 0.67e-9/hr for ETCS Level 3 SOM … derived from SUBSET-088

Minimum distance between axes of parallel tracks (v < 160 km/h):

4 m between stations
5 m at stations (very exceptionally 4.75 m)
6 m for level platforms on low-traffic lines, possible only in narrow conditions; AL = 6 m / 2 = 3 m … this value is used further in this analysis
10 m for island platforms … very often applicable for SOM

Operational assumptions for SOM on parallel tracks:

The last position of the train before LDS switch-off is stored in the LDS OBU / RBC in compliance with SIL 4
A still-stand detector (SIL 4) is available on the train/locomotive (UIC)
SOM with position UNKNOWN will be performed very seldom
A place with good GNSS SIS conditions for SOM can be preselected

Page 4

Requirements for Track Discrimination Function

Duration of SOM in Staff Responsible: 3% of mission (SUBSET-088). Duration of mission = 1 hour, duration of SOM = 108 seconds

Application mode of multi-constellation GBAS during train mission

Page 5

LDS with high-integrity GNSS augmentation

Realization of SIL 4 safety function

A SIL 4 requirement places very high demands on a safety function.

EN 61508 suggests reducing this requirement first, e.g. by means of additional non-electric/electronic safety-related systems or other risk reduction measures.

If such an option is not possible, then a further risk assessment shall be carried out using a quantitative method that takes potential CCFs into consideration; see next slide.

If THR < 1e-9/hr is required for a safety function, then this function cannot be realised as a single function according to EN 61508. It must be composed of at least two diverse and independent functions, say Function A and Function B, probabilistically combined with an AND operator: the hazard occurs only when both functions fail within the same safe down time.

The systematic capability approach must be respected.

Page 6

LDS with high-integrity GNSS augmentation

Systematic capability (EN 61508, 2nd Edition, 2011)

Systematic failures can happen every time the specific set of conditions occurs.

In order to avoid CCF, the standard EN 50129 requires a guarantee of physical, functional and process independence among safety functions of a safety-related system.

EN 61508-2 (2nd Edition) introduces the term ‘systematic capability’ (SC). SC is a measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL for a given safety-related function.

Diversity is suggested to eliminate systematic CCF and build e.g. a SIL 3 function (SC = 3) from two diverse elements A and B (SC_A = SC_B = 2) according to the following justification: two sufficiently independent elements of SC N combined may be claimed as SC N + 1, i.e. SC = 2 + 1 = 3.

If diversity is not applied, then SC = SC_A = SC_B = 2, which corresponds to SIL 2.

Page 7

Composite Fail-Safety for Start of Mission

Safety integrity requirements are strict (THR_VB = 0.67e-9/hr, AL = 3 m). Multi-constellation can be used to reduce PL via lowering of K_ffmd.

2oo2 (GPS + Galileo): HR_2oo2 = 2 × (HR_Req_const)^2 × SDT

3oo3 (GPS + Galileo + GLONASS): HR_3oo3 = 3 × (HR_Req_const)^3 × SDT^2

4oo4 (GPS + Galileo + GLONASS + BeiDou): HR_4oo4 = 4 × (HR_Req_const)^4 × SDT^3

The K_ffmd coefficient can be further reduced by relaxing the HR requirement per GNSS constellation, i.e. by admitting a higher HR_Req_const.

The HR requirement per constellation (HR_Req_const) can be relaxed via multi-channel architectures.

Safe Down Time (SDT) is proportional to the duration of SOM, i.e. 0.03 hour, because the first Virtual Balise must be detected within the SOM duration.

Note: In the case of GNSS there is potential to further reduce SDT.

Page 8

PL estimation for GBAS-based Track Discrimination

The Protection Level (H0) concept is valid under the fault-free condition.

Conversion of Hazard Rate to Probability of Missed Detection P_md:

HR_Req_const = P_md × N_indep

where N_indep is the number of independent samples per mission (i.e. 1 hour); the more independent samples, the smaller the admissible P_md per sample and hence the larger K_ffmd and PL (higher uncertainty in position determination).

Duration of SOM in Staff Responsible: ~108 s [SUBSET-088]

Estimated correlation time between samples: 30-150 s [1]

It is assumed that N_indep = 1 for the SOM function (as for PA, precision approach, in aviation), since the SOM duration is comparable to the correlation time.

Composite fail-safety can be utilised for K_ffmd reduction (2oo2, 3oo3, …)

[1] Pullen, S. et al.: SBAS and GBAS Integrity for Non-Aviation Users: Moving Away from “Specific Risk”. Proceedings of the International Technical Meeting of the Institute of Navigation, 24-26 January 2011, San Diego, CA, USA, pp. 533-543.

Page 9

PL estimation for GBAS-based Track Discrimination

PL ≈ K_ffmd × σ_pos; let's assume σ_pos = 0.5 m for GBAS

The scaling factor K_ffmd is calculated from the Gaussian distribution (two-sided tail):

$$K_{ffmd} = \Phi^{-1}_{Gauss}\left(1 - \frac{P_{ffmd}}{2}\right)$$

MATLAB: Kffmd = -norminv(Pffmd/2, 0, 1)

$$P_{ffmd} = \frac{HR_{Req\_const}}{N_{indep} \cdot P(H_0) \cdot (M+1)}$$

P(H0) – a priori probability of fault-free conditions, equal to 1

M – number of Reference Receivers (RRs) in the reference station; (M+1) means that (M+1) different hypotheses exist, i.e. M hypotheses for the RRs and one H0 hypothesis.

Page 10

Examples: HR_Req_const and PL estimation for HR_VB

2oo2: HR_Req_const = 5e-5/hr; SDT = 0.03 hr; HR_2oo2 = 2 × (HR_Req_const)^2 × SDT = 1.5000e-10/hr

3oo3: HR_Req_const = 5e-3/hr; SDT = 0.03 hr; HR_3oo3 = 3 × (HR_Req_const)^3 × SDT^2 = 3.3750e-10/hr

4oo4: HR_Req_const = 1e-2/hr; SDT = 0.03 hr; HR_4oo4 = 4 × (HR_Req_const)^4 × SDT^3 = 1.0800e-12/hr

2oo2: HR_Req_const = 5e-5/hr; M = 3; σ_pos = 0.5 m; P_ffmd = 1.25e-5, K_ffmd = 4.3687, PL ≈ 2.1843 m

3oo3: HR_Req_const = 5e-3/hr; M = 3; σ_pos = 0.5 m; P_ffmd = 1.25e-3 (displayed as 0.0013), K_ffmd = 3.2160, PL ≈ 1.6080 m. Note: K_ffmd = 3.2160 corresponds to the rounded P_ffmd = 0.0013; with P_ffmd = 1.25e-3 one obtains K_ffmd ≈ 3.227 and PL ≈ 1.61 m, which does not change the conclusion.

4oo4: HR_Req_const = 1e-2/hr; M = 3; σ_pos = 0.5 m; P_ffmd = 2.5e-3, K_ffmd = 3.0233, PL ≈ 1.5117 m

1oo1 (a single constellation must meet THR_VB = 0.67e-9/hr alone): PL ≈ 3.1943 m, i.e. above AL = 3 m

Multi-channel structures …

GPS + Galileo + GLONASS; BeiDou as backup

The effect of 4oo4 is not so high (PL 1.51 m vs. 1.61 m for 3oo3).
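The three-step calculation on slides 7, 9 and 10 (composite hazard rate of an nooN structure, conversion of HR_Req_const into P_ffmd, then K_ffmd and PL from the inverse Gaussian), carried through in Python as an added example; this is not code from the slides or from the RHINOS project. It uses the standard-library NormalDist in place of MATLAB's norminv, takes the deck's parameter values (SDT = 0.03 h, M = 3, σ_pos = 0.5 m, N_indep = 1, P(H0) = 1), and assumes for the 1oo1 case that HR_Req_const equals THR_VB. Because it uses P_ffmd = 1.25e-3 rather than the rounded 0.0013, the 3oo3 result comes out as K_ffmd ≈ 3.227 instead of the slide's 3.216.

```python
from statistics import NormalDist

# Parameters taken from slides 3, 7, 8 and 9.
THR_VB = 0.67e-9      # /hr, ETCS Level 3 Start of Mission, derived from SUBSET-088
AL = 3.0              # m, alert limit = half of the 6 m track-axis spacing
SDT = 0.03            # hr, safe down time ~ duration of SOM (108 s)
M_RR = 3              # number of reference receivers in the GBAS station
SIGMA_POS = 0.5       # m, assumed position standard deviation for GBAS
N_INDEP = 1           # independent samples per SOM (as for precision approach)
P_H0 = 1.0            # a priori probability of the fault-free hypothesis

# Per-constellation hazard-rate requirements from slide 10. The 1oo1 entry is
# an assumption made here: a single constellation has to meet THR_VB by itself.
HR_REQ_CONST = {1: THR_VB, 2: 5e-5, 3: 5e-3, 4: 1e-2}


def composite_hazard_rate(hr_const: float, n: int, sdt: float = SDT) -> float:
    """HR of an nooN composite structure (slide 7): n * HR^n * SDT^(n-1).

    The hazard requires all n constellations to fail within the same safe
    down time; the factor n counts which constellation fails last.
    """
    return n * hr_const ** n * sdt ** (n - 1)


def p_ffmd(hr_const: float, m: int = M_RR, n_indep: int = N_INDEP,
           p_h0: float = P_H0) -> float:
    """Fault-free missed-detection probability per sample (slide 9)."""
    return hr_const / (n_indep * p_h0 * (m + 1))


def k_ffmd(pffmd: float) -> float:
    """Two-sided Gaussian multiplier K = Phi^-1(1 - P_ffmd/2) (slide 9).

    Same value as -norminv(Pffmd/2, 0, 1) in MATLAB.
    """
    return -NormalDist().inv_cdf(pffmd / 2)


def protection_level(hr_const: float, sigma_pos: float = SIGMA_POS,
                     m: int = M_RR) -> float:
    """PL ~ K_ffmd * sigma_pos (slide 9)."""
    return k_ffmd(p_ffmd(hr_const, m)) * sigma_pos


def evaluate(n: int) -> dict:
    """Check the nooN structure against THR_VB and the alert limit."""
    hr_const = HR_REQ_CONST[n]
    # A 1oo1 function has no composite gain: its HR is the requirement itself.
    hr = composite_hazard_rate(hr_const, n) if n > 1 else hr_const
    pffmd = p_ffmd(hr_const)
    pl = protection_level(hr_const)
    return {
        "structure": f"{n}oo{n}",
        "hr_req_const": hr_const,
        "hr_composite": hr,
        "meets_thr": hr <= THR_VB,
        "p_ffmd": pffmd,
        "k_ffmd": k_ffmd(pffmd),
        "pl_m": pl,
        "track_discrimination_available": pl < AL,
    }


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        r = evaluate(n)
        print(f"{r['structure']}: HR={r['hr_composite']:.4e}/hr "
              f"(THR met: {r['meets_thr']}), K_ffmd={r['k_ffmd']:.4f}, "
              f"PL={r['pl_m']:.4f} m (PL<AL: {r['track_discrimination_available']})")
```

Running the block reproduces the slide's hazard rates and the 2oo2, 4oo4 and 1oo1 protection levels; the only visible difference is the 3oo3 line, where the exact P_ffmd gives 1.61 m instead of 1.608 m. The 1oo1 row is the quantitative form of slide 14: a single function meeting THR_VB alone would need K_ffmd ≈ 6.39 and its PL would exceed the 3 m alert limit.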

Page 11

Common Mode Failure / Common Cause Failure analysis

Diversity can mitigate CMF (e.g. use of GPS vs. Galileo).

Completely independent technologies can also protect against CCFs that hit all constellations at once, e.g. ionospheric storms and local effects (multipath, EMI, …).

The CCF analysis must demonstrate fulfilment of THR_VB = 0.67e-9/hr and PL < AL = 3 m.

Page 12

Meaning of Protection Level for Track Discrimination

In aviation the Position Error (PE) cannot be estimated.

On the railway PE can be independently estimated (PE_e) with respect to the known track geometry.

In the case of Track Discrimination it is a Decision Problem. Question: Is the train on track No. X? Answer: Yes or No … (with HR < 0.67e-9/hr!)

Page 13

Meaning of Protection Level for Track Discrimination

Composite fail-safety with at least 2 safety functions must be used, because THR < 1e-9/hr (EN 61508, 2nd edition 2011).

Each of the safety functions will have HR > THR_VB = 0.67e-9/hr, e.g. 1e-6/hr. This could limit the availability of track discrimination; see below.

Page 14

Meaning of Protection Level for Track Discrimination

A single function with THR = 0.67e-9/hr is possible only theoretically, because track discrimination for HR < 1e-9/hr cannot be realised as a single function according to CENELEC standards.

Correct track selection: PL < 3 m = AL and PE_e_i ≤ PL; i = 0, 1

Engineering rules related to the safety margin must be elaborated.

Page 15

Meaning of Protection Level for Track Discrimination

Failure modes for a single Track Discrimination Function (diagram): Dangerous fault (1e-6/hr); Not available; Correct (1e-6/hr)

Availability of track discrimination: PE_e_i ≤ PL < 3 m = AL; i = 0, 1
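The decision rule of slides 12, 14 and 15 written out as an added example (not code from the slides or the RHINOS project): the cross-track residual of the position fix to each known track axis is the railway-specific estimate PE_e_i, the function only answers when PL < AL and exactly one axis lies within PL of the fix, and a separate classifier names the three outcomes of the failure-mode diagram. The track axis offsets (0 m and 6 m, the minimum spacing from slide 3), the position fixes and the PL values are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AL = 3.0  # m, alert limit: half of the 6 m minimum axis spacing (slide 3)


@dataclass(frozen=True)
class Decision:
    track: Optional[int]          # index of the selected track, None = not available
    pe_estimates: Tuple[float, ...]  # PE_e_i for every candidate track axis


def estimate_position_errors(x_hat: float, track_axes: Tuple[float, ...]) -> Tuple[float, ...]:
    """PE_e_i = |x_hat - axis_i| (slide 12).

    The train must be on one of the known axes, so the cross-track residual
    to each axis is an estimate of the position error, something aviation
    cannot do. x_hat is the cross-track coordinate of the GNSS/GBAS fix.
    """
    return tuple(abs(x_hat - axis) for axis in track_axes)


def discriminate_track(x_hat: float, pl: float,
                       track_axes: Tuple[float, ...], al: float = AL) -> Decision:
    """Track selection per slides 14/15: PL < AL and PE_e_i <= PL.

    Returns Decision(track=None) whenever the function is 'not available'.
    """
    pes = estimate_position_errors(x_hat, track_axes)
    if pl >= al:
        # PL no longer separates axes that are only 2*AL apart: refuse.
        return Decision(None, pes)
    candidates = [i for i, pe in enumerate(pes) if pe <= pl]
    if len(candidates) != 1:
        # 0 candidates: the fix is off every axis by more than PL.
        # >1 candidates cannot occur when PL < AL and axes are >= 2*AL apart,
        # but refusing is safer than picking one arbitrarily.
        return Decision(None, pes)
    return Decision(candidates[0], pes)


def classify(decision: Decision, true_track: int) -> str:
    """Outcome names from the failure-mode diagram on slide 15."""
    if decision.track is None:
        return "not available"
    return "correct" if decision.track == true_track else "dangerous fault"


if __name__ == "__main__":
    axes = (0.0, 6.0)           # constructed: two parallel tracks 6 m apart
    pl_3oo3 = 1.61              # m, slide 10 value for the 3oo3 structure
    pl_1oo1 = 3.19              # m, slide 10 value for a single constellation
    for x_hat, pl, truth in ((0.8, pl_3oo3, 0), (2.2, pl_3oo3, 0),
                             (5.3, pl_3oo3, 0), (0.8, pl_1oo1, 0)):
        d = discriminate_track(x_hat, pl, axes)
        print(f"x_hat={x_hat:4.1f} m PL={pl:.2f} m -> track={d.track} "
              f"PE_e={tuple(round(p, 2) for p in d.pe_estimates)} "
              f"[{classify(d, truth)}]")
```

The third constructed case (a 5.3 m error with the train actually on track 0) is the dangerous fault of slide 15: the fix sits within PL of the wrong axis and the rule selects it, which is exactly the event the per-function HR of 1e-6/hr budgets for and the composite structure has to drive below THR_VB. The fourth case shows why the 1oo1 PL of 3.19 m is unusable: with PL ≥ AL the function is never available, regardless of how good the fix is.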

Page 16

Conclusions

SOM with a track discrimination function with position UNKNOWN can be based on Composite Fail-Safety, e.g. using a 3oo3 architecture.

3 GNSS constellations within GBAS provide a sufficiently low PL for track selectivity. The 4th constellation can be used as back-up.

After LDS initialization is completed, Reactive Fail-Safety can be used for VB detection under Full Supervision mode. The integrity requirement for GNSS is then significantly relaxed (HR_GNSS_SOM = 0.67e-9/hr vs. HR_FS = 4.8e-6/hr). One constellation is needed for integrity; the remaining constellations provide high availability of integrity.

Track discrimination via the 3oo3 structure can be performed in predetermined locations. In most locations a single constellation (within GBAS or SBAS) is sufficient for LDS safety integrity.

Page 17

Acknowledgement

This work was supported from the European H2020 research and innovation programme budget within the RHINOS project (2016-2017).