Dependability evaluation of a GNSS and ECS based localisation unit for railway vehicles
Khanh Nguyen, Julie Beugin, Juliette Marais
To cite this version:
Khanh Nguyen, Julie Beugin, Juliette Marais. Dependability evaluation of a GNSS and ECS based localisation unit for railway vehicles. ITST 2013, 13th International Conference on ITS Telecommunications, Nov 2013, Finland. 6 p. <hal-00930588>
HAL Id: hal-00930588
https://hal.archives-ouvertes.fr/hal-00930588
Submitted on 14 Jan 2014
Dependability evaluation of a GNSS and ECS based
localisation unit for railway vehicles
T.P.K.Nguyen, J. Beugin, J. Marais
Univ Lille Nord de France
IFSTTAR - COSYS
The French Institute of Science and Technology for Transport, Development and Networks,
COmponents and SYStems Department, Villeneuve d’Ascq, France
Emails: khanh.nguyen, julie.beugin, juliette.marais@ifsttar.fr
Abstract—Today, GNSS-based solutions (Global Navigation Satellite Systems) facilitate the implementation of the train localisation function on-board the vehicle. In the railway context, as a train has to travel through different zones on its itinerary, multiple obstacles in these environments can cause different signal perturbations: multipath, signal delays and masking phenomena that degrade the position accuracy. To reinforce the position quality, a localisation system developed in the GaLoROI European project, based on the combination of sensors such as a GNSS receiver and an Eddy Current Sensor (ECS), is studied. In this paper, we present a procedure and a model that aim at evaluating the dependability of this system under the local impacts of different railway environments. They allow us to analyse the complex behaviour of the sensor fusion component with respect to the availability and accuracy of the data provided by the GNSS and ECS sub-systems, and also to take into account the reliability parameters of the hardware components.
I. INTRODUCTION
One of the keys in automatic train control systems is the localisation of railway vehicles. It generally relies on trackside components. However, such devices lead to high maintenance costs and also to expensive investment costs for infrastructure deployment. For several years, moving the localisation function from the trackside to the train has been a promising solution to this issue. In fact, no infrastructure installation is required for the on-board system, and its maintenance can easily be done during the frequent checks of the trains.
By offering an interoperable worldwide solution, Global Navigation Satellite Systems (GNSS) have become an advantageous option for on-board localisation units. That is why numerous articles have analysed whether the performance of GNSS systems satisfies railway requirements, in particular for safety-related applications. Indeed, using experimental results, [4] concluded that a standalone GPS/GLONASS satellite navigation system, and also its combination with an inertial navigation system (INS), do not meet the strong safety-related requirements mentioned in railway standards. This point of view is reinforced in [3]. The authors showed that the unavailability probability of a GNSS-based train localisation unit in different zones such as tunnels, urban, wooded and railway cutting environments is far from attaining the expected safety integrity level, and that the unit needs to be augmented by other navigation sensors in order to overcome GNSS outage situations. In a recent study, the authors of [13] performed numerous test runs on the High Tatra mountain railway line in order to evaluate the RAMS parameters of a GNSS-based localisation unit. They showed that the performance of GNSS cannot meet the railway requirements in a forest zone and suggested integrating other on-board localisation sensors.
The above studies emphasised the necessity of reinforcing the performance of a GNSS localisation unit with other sensors when it is used in safety applications. However, identifying an appropriate configuration, together with a data combination strategy that meets railway requirements, remains an open issue. This question is considered in [1]. From the discussion of a short-list of data fusion options between GNSS signals and other sensors, the authors highlighted one advantage of the Eddy Current Sensor (ECS) over an INS: it avoids the velocity errors due to slip/slide. In fact, combining GNSS signals with ECS signals makes it possible to overcome the disadvantages of each component taken separately and to increase the accuracy and robustness of the global localisation unit.
In this context, the GaLoROI project (Galileo Localisation for Railway Operation Innovation), which aims at developing a certifiable, safety-relevant, satellite-based localisation unit for low density railway lines, is ongoing. The operating principle of GaLoROI is to combine satellite positioning data with satellite-independent data, here provided by an ECS, in order to provide a safe, accurate and continuous train position. The development process of this new localisation system requires evaluating its performance and dependability parameters according to EN 50126-1, 2 and EN 50129 ([5]–[7]). The dependability parameters, i.e. the Reliability, Availability and Maintainability (RAM) parameters, are used in the railway domain to characterise the conditions that keep the system in a state in which it delivers the correct required service during operation.
In this paper, we present the first step of the dependability assessment process for the GNSS and ECS based localisation unit, the core part of the GaLoROI system. The quality of GNSS signals, degraded by local phenomena in the railway environment, and also the complex behaviour of the sensor fusion, pose multiple challenges for analysing the failure causes of the localisation service and for evaluating its dependability. In this article, we propose a new methodology that meets these challenges.
The paper is structured as follows: in Section II, we describe the system and its components from the dependability point of view. The issues concerning the qualitative and quantitative evaluations of the system dependability are presented in Section III. Finally, Section IV presents the conclusion and future research work.
Fig. 1. System concept
II. DESCRIPTION OF THE ON-BOARD LOCALISATION UNIT AND ITS ERROR CONDITIONS
Figure 1 presents the working principle of the localisation unit. The data from both the GNSS and the eddy current sensors contain information about the position and the velocity of the train and are combined in a fusion component. This process is implemented in a computer that integrates a digital track map. With a data fusion algorithm that includes a map-matching process, an accurate train position can be calculated in real time.
Satellite based localisation unit
The GNSS antenna is used to collect the data emitted by the satellites. These data, which contain the satellite ephemeris (a set of parameters that describe the satellite orbit), are sent to the receiver. Based on measurements of the signal propagation time between a satellite and the receiver, a pseudo-distance can be calculated. Using the ephemeris and the pseudo-measurements, the receiver position is generally obtained in real time. Normally, 3 visible satellites are required for the position estimation. However, in order to overcome errors due to the clock deviation between a satellite and the receiver, the localisation is performed only if at least 4 satellites are visible.
The advantage of a GNSS localisation unit is to provide worldwide available and highly accurate measurements that are not prone to drift, in contrast to an INS. However, for the dependability analysis of satellite navigation, multiple error sources can lead to poor positioning:
- errors in space, such as satellite failure, ephemeris errors and orbit errors;
- errors in the propagation environment, such as ionospheric and atmospheric delays, meteor impact, multipath deviations, interference and satellite shadowing;
- failures in the user hardware equipment, in particular antenna failures or receiver failures (their corresponding failure rates are hereafter called αa and αr).
Eddy current sensor
The second localisation device, the ECS, gives a speed value, a distance value and the direction of the vehicle. In the sensor unit, there are two coil systems placed along the rail direction at a fixed distance L from each other. Each coil system generates a time-varying signal that represents the variation of the eddy currents along the rail. By analysing the correlation of the electromagnetic signals, the time delay T between the signals from the two coil systems is obtained. The actual speed with which the train runs along the track is then calculated as v = L/T. Furthermore, the direction of the movement can be detected. Thus the ECS measurements are totally independent of slipping or sliding errors.
The ECS is not affected by weather conditions such as rain, snow, ice, etc., or by pollution. The impact of interference due to electrical conductors near the rails is also not significant. Therefore, the dependability of the ECS device is considered using only its hardware failure rate, called αe.
Digital track map
The digital track map is stored in the computer that performs the data fusion function. It comprises all relevant track information such as the length of track sections, the geo-coordinates of the track elements and hazard areas. This information is customised and updated for each particular application area.
The consistency checks of the track map information are performed only at the program start of the localisation unit. If any errors are detected, the program is stopped. Therefore, once the program has started successfully, we do not consider the possibility of errors caused by the digital track map.
Fusion component
The position information coming from the GNSS receiver and from the ECS is sent to the fusion component every T s. The fusion component then combines these data to ensure reliable positioning results. In [2], an example of a data fusion approach for a satellite-based localisation unit, based on an Extended Kalman Filter, is provided. In discussing the limits of the approach, the author also suggests using the digital track map as a further source in order to overcome the lack of information in the case of sensor faults. In fact, a data fusion approach combined with a map-matching algorithm is currently being developed in the GaLoROI project [12]. For the dependability analysis in this paper, we do not describe the algorithm and are only interested in the position results at the fusion component output. By analysing the behaviour of the fusion component, we find that an estimated position at the output of the system is considered incorrect if one of the following states occurs:
- Unavailable ECS and GNSS data: if there are no ECS and no GNSS data for more than T1 s, the output of the fusion can be considered false.
- Unavailable GNSS data: if GNSS data are missing for more than T2 s, the confidence interval linked to the output data increases quickly. In that case, the position is not trustworthy and is considered false.
- Unavailable ECS data: if the ECS data are missing but GNSS measurements are available, the system can estimate the train position and the process goes on. Note that inaccurate ECS measurements are not considered because no reliable criterion allows us to judge whether an ECS measurement is invalid.
- Inaccurate GNSS data:
  - At least k consecutive position errors of the receiver greater than x metres (PEr > x) can lead to a position error at the output of the fusion component that exceeds the user tolerance limit.
  - If the ECS data are missing, at least l consecutive position errors of the receiver greater than x metres (PEr > x) can lead to a position error at the output of the fusion component that exceeds the tolerance limit.
  Note that, thanks to the efficiency of the fusion, the impact of position errors at the receiver output on the global position result is reduced if valid ECS data exist, thus k > l.
On the other hand, we also consider material failures of the fusion component using the failure rate αf.
III. FIRST STEP OF THE DEPENDABILITY EVALUATION OF THE LOCALISATION UNIT
The first step of the dependability evaluation is to define, analyse and evaluate the service failures of the system. From the railway user's point of view, the positioning function is considered failed in the following cases:
- Case A - unavailable output of the fusion component. In this case, the localisation service expected by the user is interrupted.
- Case B - untrustworthy position, i.e. the position result has a large estimated confidence interval. In this case, the service is still delivered. However, the position result with its large confidence interval cannot be used in safety-relevant train control applications.
- Case C - estimated position outside the accuracy boundaries. In this case, the localisation service expected by the user has failed, but the failure is recognised neither by the system nor by the user.
The combinations of causal events leading to each of the above cases are identified by the qualitative analysis presented in the next subsection. The probability of each case is evaluated in the subsection on the quantitative analysis.
Qualitative analysis of dependability of the positioning service
As mentioned previously, the qualitative analysis of the GNSS and ECS-based localisation system encounters multiple challenges because of the specific properties of GNSS signals and because of the complex behaviour of the fusion component.
On the one hand, common dependability analyses cannot adequately take into account all the perturbations affecting GNSS signals, especially the local impacts of railway environments. In order to overcome this difficulty, we model the GNSS receiver output using 4 states:
1) Correctly estimated position, i.e. when the difference between the true position, unknown to the user, and the estimated position is smaller than a tolerance limit laid down by the user requirements: PEr ≤ x m.
2) Incorrectly estimated position, i.e. when the estimated position is outside the accuracy boundaries: PEr > x m. Consecutive position errors can lead to a failed service of the global localisation unit.
3) Position not delivered because, at the receiver input, the number of valid signals received is insufficient (Missing-GNSS-signal).
4) Position not delivered because of a hardware failure.
In the next subsection, the transition probabilities between these states are identified using data collected from:
- simulations [3],
- real tests [13].
Note that in both articles [3], [13], the authors focus only on the important impact of local phenomena and do not consider hardware failures. This aspect is also examined in our paper with relevant hardware failure rates.
On the other hand, a new approach that allows the analysis
of the dynamic behaviours of the fusion component is required.
This approach has to consider at each sampling instant if sensor
data are available and accurate, and has also to handle temporal
dependencies.
In reliability and safety studies, the traditional fault tree
method (FT) [8] is widely used because it is suitable for both
qualitative and quantitative analyses. In fact, it provides an
ideal framework for deductive analyses that look for various
possible combinations of causal events leading to the top event
(feared event). It also allows the calculation of probabilities
related to the combinatorial logic gates. However, this method
is not sufficient to capture behaviours and interactions of
components of complex and hybrid systems that integrate both
continuous and discrete dynamic behaviours. The Dynamic
Fault Tree method (DFT) [14] is an extension of the FT method
by defining additional dynamic gates in order to attain a higher
level of systems’ dependability analysis. This method allows
the analysis of failure sequences, functional dependent failures
or priorities on failure events. Moreover, the FT method with
time dependencies between events (TdFT) [10] is also useful. It
allows duration conditions leading to hazards to be considered
inside logic gates. In order to combine advantages of the above
methods aiming at capturing the fusion component behaviours,
we present in this subsection a hybrid fault tree model.
Let us consider the FT in Figure 2, which analyses the failed outputs of the fusion component; these failures correspond to the three cases A, B and C. An unavailable output (Case A) is caused by a material failure (Basic Event 1 - BE1) or by a software error in the fusion component (Undeveloped Event - UE). The material failure occurs with a failure rate αf, while the software error is not analysed in the framework of this paper.
An untrustworthy position (Case B) can be caused by a lack of both GNSS and ECS data for more than T1 s (Intermediate Event 1 - IE1) or by missing GNSS data for more than T2 s (Intermediate Event 2 - IE2).
Fig. 2. Hybrid Fault Tree of service failure
BE1: material failure of the fusion component
BE2: ECS failure
BE3: antenna failure
BE4: receiver failure
BE5: missing GNSS signal (signal in space)
BE6: position error at the receiver output > x m
IE1: lack of both GNSS and ECS data for more than T1 s
IE2: missing GNSS data for more than T2 s
IE3: missing GNSS data
IE4: GNSS hardware failure
IE5: at least k consecutive position errors of the receiver > x m
IE6: at least l consecutive position errors of the receiver > x m | ECS fails
UE: software error in the fusion component
Next, IE1 is the output of a causal AND gate (defined in [10]) having as inputs the ECS failure (Basic Event 2 - BE2) and missing GNSS data (Intermediate Event 3 - IE3) with a duration greater than T1 s. The output of the causal AND gate only occurs when its inputs occur together during the given period of time. IE3 has as inputs BE5 - missing GNSS signal (state 3 of the receiver output) or IE4 - GNSS hardware failure (state 4 of the receiver output), the latter caused by an antenna failure (BE3) or a receiver failure (BE4). Similarly, IE2 is the output of a duration gate (DUR gate) having IE3 as input for more than T2 s. The DUR gate is defined by the occurrence duration of its input during a given period of time.
Case C is caused by IE5 - at least k consecutive PEr > x m - or by IE6 - at least l consecutive PEr > x m when the ECS fails. We define in this paper the consecutive gate (CON gate). Its output only occurs when its input occurs consecutively at least N times. IE5 is the output of a CON gate of k consecutive events PEr > x m (BE6, state 2 of the receiver output). Next, IE6 is characterised by the priority-AND gate (PAND gate, defined in [14]) of an ECS failure (BE2) and a CON gate of l consecutive events PEr > x m (BE6). The PAND gate output only occurs when its inputs occur in order from left to right.
With a dynamic gate (PAND gate) and time dependency gates (causal AND gate, DUR gate, CON gate), the proposed hybrid fault tree allows the complex behaviour of the fusion component to be captured and characterised. The causes that lead to failed outputs can then be studied. However, the analytical evaluation of the system availability in terms of a structure function is a complex issue and is not performed within the framework of this article. For the quantitative analysis, the service failure probability is evaluated by another approach, presented in the next subsection.
Fig. 3. DSPN structure for hardware states of components
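The failure conditions of Section II and the gate semantics just described (causal AND, DUR, CON and PAND) can be checked mechanically on a sampled sequence of sensor states. The following Python program is an added example and not code from the paper or from the GaLoROI project: it walks a per-sample record of the receiver output state (1 to 4), the ECS state and the fusion hardware state, and reports the first intermediate event (IE1, IE2, IE5, IE6 or BE1) together with the corresponding failure case A/B/C. The sampling period T, the sequences themselves and the thresholds used in the demo (T1 = 3 s, T2 = 60 s, 6 consecutive errors for IE5 and 2 consecutive errors after an ECS failure for IE6, mirroring the row labels of Table II) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Receiver output states of Section III (qualitative analysis).
STATE_OK, STATE_ERR, STATE_MISSING, STATE_HW = 1, 2, 3, 4


@dataclass(frozen=True)
class Sample:
    """Sensor states observed at one sampling instant (every T seconds)."""
    gnss: int         # receiver output: 1 PEr <= x, 2 PEr > x, 3 missing signal, 4 hardware failure
    ecs_ok: bool      # False while BE2 (ECS failure) holds
    fusion_ok: bool   # False while BE1 (fusion component material failure) holds


@dataclass(frozen=True)
class Thresholds:
    T: float    # sampling period in seconds (assumed value in the demo)
    T1: float   # IE1: no ECS and no GNSS data for more than T1 s (causal AND gate)
    T2: float   # IE2: GNSS data missing for more than T2 s (DUR gate)
    k: int      # IE5: at least k consecutive PEr > x (CON gate)
    l: int      # IE6: ECS failed, then at least l consecutive PEr > x (PAND of BE2 and CON gate)


def evaluate(samples: List[Sample], th: Thresholds) -> Optional[Tuple[int, str, str]]:
    """Return (sample index, case, event) of the first service failure, or None.

    Durations are counted as (number of consecutive samples) * T and compared
    strictly, matching the "for more than T1 s / T2 s" wording of the paper.
    """
    ie3_run = 0   # consecutive samples with IE3: GNSS data missing (state 3 or 4)
    ie1_run = 0   # consecutive samples where IE3 and BE2 hold together
    be6_run = 0   # consecutive samples with BE6: PEr > x (state 2)
    ie6_run = 0   # consecutive BE6 samples observed while the ECS is already failed
    for i, s in enumerate(samples):
        if not s.fusion_ok:                     # Case A: unavailable fusion output
            return (i, "A", "BE1")
        ie3 = s.gnss in (STATE_MISSING, STATE_HW)
        be6 = s.gnss == STATE_ERR
        ie3_run = ie3_run + 1 if ie3 else 0
        ie1_run = ie1_run + 1 if (ie3 and not s.ecs_ok) else 0
        be6_run = be6_run + 1 if be6 else 0
        # PAND ordering: errors only count towards IE6 once the ECS failure has occurred.
        ie6_run = ie6_run + 1 if (be6 and not s.ecs_ok) else 0
        if ie1_run * th.T > th.T1:              # causal AND gate -> IE1 (Case B)
            return (i, "B", "IE1")
        if ie3_run * th.T > th.T2:              # DUR gate -> IE2 (Case B)
            return (i, "B", "IE2")
        if be6_run >= th.k:                     # CON gate -> IE5 (Case C)
            return (i, "C", "IE5")
        if ie6_run >= th.l:                     # PAND(BE2, CON) -> IE6 (Case C)
            return (i, "C", "IE6")
    return None


def run(n: int, gnss: int = STATE_OK, ecs_ok: bool = True, fusion_ok: bool = True) -> List[Sample]:
    """n identical samples; used to build the constructed scenarios below."""
    return [Sample(gnss, ecs_ok, fusion_ok)] * n


# Constructed thresholds: 1 s sampling, T1 = 3 s, T2 = 60 s, 6 errors for IE5, 2 errors with failed ECS for IE6.
DEMO = Thresholds(T=1.0, T1=3.0, T2=60.0, k=6, l=2)


def scenarios() -> dict:
    """Constructed sequences, one per gate, plus two that must not trip any gate."""
    return {
        "gnss_missing_61s": evaluate(run(70, gnss=STATE_MISSING), DEMO),
        "both_missing_4s": evaluate(run(5) + run(5, gnss=STATE_MISSING, ecs_ok=False), DEMO),
        "six_errors_ecs_ok": evaluate(run(3) + run(6, gnss=STATE_ERR), DEMO),
        "ecs_failed_then_2_errors": evaluate(run(3) + run(2, gnss=STATE_ERR, ecs_ok=False), DEMO),
        "fusion_failure": evaluate(run(10) + run(1, fusion_ok=False), DEMO),
        "errors_interrupted": evaluate(run(5, gnss=STATE_ERR) + run(1) + run(5, gnss=STATE_ERR), DEMO),
        "error_before_ecs_failure": evaluate(run(1, gnss=STATE_ERR) + run(1, gnss=STATE_ERR, ecs_ok=False), DEMO),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result}")
```

The two non-failing scenarios are the ones worth studying: an interrupted run of errors resets the CON gate counter, and an error that occurs before the ECS failure does not count towards IE6 because the PAND gate requires its inputs in order.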
Quantitative analysis of dependability of the positioning service
Based on the hybrid fault tree presented above, a Dynamic Stochastic Petri Net (DSPN) is used to quantitatively analyse the service failures. This method is widely employed in dependability assessments and allows the time-dependent behaviour of a system to be taken into account. An event transition in a DSPN can occur in one of the three following ways:
- immediately when all guard conditions are satisfied (type 1),
- after a constant delay (type 2),
- after an exponentially distributed probabilistic delay (type 3).
The quantitative analysis is performed according to the three following steps:
Step 1 - model the evolution of the sub-system states over time.
The hardware states of the ECS, the antenna, the receiver and the fusion component are each modelled by two PN places: an OK place and a Failure place (Figure 3 illustrates the receiver example). Their failure events and repair actions are characterised by two transitions of type 3 associated with the corresponding failure rates (see the values in Table I) and with a repair rate of 1/24 h.
Based on the qualitative analysis, the 4 states of the receiver output are modelled in the DSPN illustrated in Figure 4. The transitions between states 1/2/3 only occur when no material failure exists. Their probabilities are calculated from the simulation data used in [3]. The transitions from these three states to state 4 (hardware failure state) occur immediately when there is at least one material failure of a component. Finally, after a repair action, if all components are OK, the transition from state 4 to one of the three states 1/2/3 is fired after the time to first fix (TTFF) of the receiver.
Step 2 - model the dynamic logic gates.
The translation of the OR, PAND and DUR gates into the corresponding DSPN structures is proposed in [11]. The causal AND gate is modelled by a combination of an AND gate and a DUR gate. Finally, we propose in this paper the CON gate model, described in Figure 5.
Step 3 - model and evaluate the global behaviour of the system.
The probability of the top event of the hybrid fault tree is evaluated using the DSPN simulation results.
Fig. 4. DSPN structure for position results of GNSS receiver
Fig. 5. DSPN structure for CON gate of N consecutive events
TABLE I. INPUT PARAMETERS FOR EVALUATING THE SERVICE FAILURE OF THE SYSTEM
Missing time & number of consecutive PE:   T1 = 3 s    T2 = 60 s    k = 2    l = 6
Failure rate (/10^6 h):                    αa = 4      αr = 4.08    αe = 2   αf = 6.06
TABLE II. PROBABILITY OF SERVICE FAILURE IN DIFFERENT ENVIRONMENTS
                                          Urban       Tunnel      Woody       Railway Cutting
Service failure (TE)                      1.65E-4     1.53E-2     7.59E-2     7.17E-4
Fusion component failure                  3.42E-6 (all environments)
Missing GNSS during 60 s                  4.1E-6      1.53E-2     4.1E-6      4.1E-6
Missing ECS & GNSS during 3 s             8.34E-11    6.63E-7     7.4E-10     3E-9
Failed ECS & 2 consecutive PEr > 50 m     1.63E-8     0           2.73E-7     2.95E-8
6 consecutive PEr > 50 m                  1.57E-4     0           7.59E-2     7.1E-4
TABLE III. COMPARISON OF THE AVERAGE AVAILABILITY OF THE ECS AND GNSS LOCALISATION UNIT AND A SINGLE GNSS LOCALISATION UNIT [3]
Environment        ECS & GNSS unit    Single GNSS unit
Railway Cutting    99.93%             87.76%
Urban              99.98%             93.88%
Woody              92.41%             60.23%
Tunnel             98.45%             15.57%
There are numerous tools to create and evaluate a DSPN. In this paper, we use the Petri Net module of the GRIF platform [9] to illustrate the performance of our model. The dependability assessment of the global localisation unit on a mission of 1 hour is based on the following assumptions:
- The system is considered fault free at the start of the mission.
- Failed components are repaired after the tests (µ = 1/24 h) and the TTFF of the global system is 180 s.
- Consecutive position errors of the GNSS receiver output of more than 50 m can lead to a position error of the global system (estimated position outside the accuracy boundaries).
- The other parameters that characterise the system behaviour are given in Table I.
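Step 1 of the quantitative analysis (exponential failure and repair transitions of the hardware components, the immediate jump of the receiver output to state 4 on any hardware failure, and the return to states 1/2/3 after the TTFF) can be reproduced with a small Monte Carlo simulation. The Python below is an added example written for this page, not the GRIF model used in the paper. The failure rates, repair rate, TTFF and mission length are the values of Table I and of the assumptions above; the probabilities of receiver states 1/2/3 per environment, which the paper takes from the simulation data of [3] and does not list, are placeholders the caller supplies; and the one-second sampling step is an assumption. The program produces a per-second sequence of receiver output states of the kind the hybrid fault tree gates consume, and estimates the mean fraction of mission time during which the receiver delivers no position (states 3 and 4).

```python
import math
import random
from typing import Dict, List, Tuple

# Hardware failure rates of Table I (failures per 10^6 h), the paper's repair rate and TTFF.
FAILURE_RATES_PER_1E6_H = {"antenna": 4.0, "receiver": 4.08, "ecs": 2.0, "fusion": 6.06}
REPAIR_RATE_PER_H = 1.0 / 24.0
TTFF_S = 180.0
MISSION_S = 3600.0
STEP_S = 1.0  # assumed sampling step of the simulation


def make_rng(seed: int) -> random.Random:
    return random.Random(seed)


def sample_fail_repair_events(rate_per_1e6_h: float, mu_per_h: float, mission_s: float,
                              rng: random.Random) -> List[Tuple[float, float]]:
    """Type-3 transitions between the OK and Failure places: alternate exponentially
    distributed time-to-failure and time-to-repair until the mission ends.
    Returns (failure time, repair time) pairs in seconds, clipped to the mission."""
    lam_s = rate_per_1e6_h * 1e-6 / 3600.0
    mu_s = mu_per_h / 3600.0
    events, t = [], 0.0
    while lam_s > 0.0:                       # a zero rate never fails
        t += rng.expovariate(lam_s)          # OK -> Failure
        if t >= mission_s:
            break
        fail_t = t
        t += rng.expovariate(mu_s)           # Failure -> OK (repair)
        events.append((fail_t, min(t, mission_s)))
        if t >= mission_s:
            break
    return events


def ok_timeline(events: List[Tuple[float, float]], mission_s: float = MISSION_S,
                step_s: float = STEP_S) -> List[bool]:
    """Per-step marking of the OK place: False while the component is failed."""
    n = int(mission_s / step_s)
    ok = [True] * n
    for fail_t, repair_t in events:
        for i in range(int(fail_t // step_s), min(n, int(math.ceil(repair_t / step_s)))):
            ok[i] = False
    return ok


def receiver_states(hw_ok: List[List[bool]], state_probs: Dict[int, float], ttff_s: float,
                    rng: random.Random, step_s: float = STEP_S) -> List[int]:
    """Receiver output state per step. A failed antenna or receiver forces state 4
    immediately (type-1 transition). Once all components are OK again, state 4 lasts
    for the TTFF (type-2 constant delay); afterwards states 1/2/3 are drawn with the
    supplied environment probabilities (placeholders for the values taken from [3])."""
    labels, weights = list(state_probs), list(state_probs.values())
    states, ttff_left = [], 0.0
    for i in range(len(hw_ok[0])):
        if not all(tl[i] for tl in hw_ok):
            states.append(4)
            ttff_left = ttff_s
        elif ttff_left > 0.0:
            states.append(4)
            ttff_left -= step_s
        else:
            states.append(rng.choices(labels, weights)[0])
    return states


def simulate_mission(state_probs: Dict[int, float], rates: Dict[str, float], seed: int) -> List[int]:
    """One mission: sample antenna and receiver failures, then the receiver output states."""
    rng = make_rng(seed)
    hw_ok = [ok_timeline(sample_fail_repair_events(rates[c], REPAIR_RATE_PER_H, MISSION_S, rng))
             for c in ("antenna", "receiver")]
    return receiver_states(hw_ok, state_probs, TTFF_S, rng)


def mean_receiver_unavailability(state_probs: Dict[int, float], rates: Dict[str, float],
                                 runs: int = 200, seed: int = 0) -> float:
    """Monte Carlo mean fraction of mission time with no delivered position (states 3 or 4)."""
    total = 0.0
    for r in range(runs):
        states = simulate_mission(state_probs, rates, seed + r)
        total += sum(1 for s in states if s in (3, 4)) / len(states)
    return total / runs


if __name__ == "__main__":
    # Constructed placeholder probabilities for one environment (not the paper's values).
    demo_probs = {1: 0.90, 2: 0.05, 3: 0.05}
    print("mean receiver unavailability:",
          mean_receiver_unavailability(demo_probs, FAILURE_RATES_PER_1E6_H))
```

With the Table I rates a hardware failure inside a single 1 h mission is rare, so most of the estimated unavailability comes from the state-3 probability of the environment; forcing a failure interval by hand (as the checks below do) is the quickest way to see the TTFF delay at work.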
Table II gives the results of the quantitative analysis for the GNSS and ECS based localisation system. The probabilities of the intermediate events (IE) that directly lead to the Top Event (TE) are presented in the rest of the table. By considering the probabilities of the TE (service failure) and of the IEs, we see that the principal cause of a service failure is the impact of the operational environment on the GNSS output. For example, in the woody environment, IE5 (more than 6 consecutive GNSS PEs) with an occurrence probability of 7.59E-2 is the critical event that leads to the global service failure. In the tunnel environment, the occurrence probability of IE5 is reduced and is not significant, while IE2 (missing GNSS data for more than 60 s) with its occurrence probability of 1.53E-2 becomes the principal cause of the TE.
By considering Table III, the service availability of the global system is improved significantly when compared with a single GNSS-based localisation unit at the accuracy level of 50 m [3], especially in areas of low GNSS signals. For example, in the tunnel environment, the service availability is reinforced from 15.57% to 98.47%.
IV. CONCLUSION
On-board localisation equipment in railway systems can beneficially evolve using GNSS. Moreover, the combination of GNSS sensors with ECS sensors can significantly improve the positioning quality in GNSS outage situations. However, such a configuration poses numerous challenges when analysing and evaluating the system dependability. We have presented in this paper a hybrid fault tree model aimed at performing the dependability assessment of a GNSS-based and ECS-based localisation unit. Using dynamic gates (PAND gates) and new time dependency gates (causal AND gates, DUR gates and CON gates), the hybrid fault tree method is powerful for analysing the complex behaviour of numerous systems.
For the qualitative evaluation of the dependability of the studied system, the method analysed the dynamic and time-dependent behaviour of the data fusion. Additionally, the model of the receiver outputs considers the local impacts of different railway environments and the hardware failure probability.
The quantitative analysis was implemented by translating the elements of the hybrid fault tree into a DSPN. Then, we used an existing tool, the Petri net module of the GRIF platform, in order to evaluate the probability of the global service failure. The results illustrated the efficiency of integrating an ECS into a satellite-based localisation unit. However, for a safety application ensuring safe railway traffic, this configuration is not sufficient, as the safety requirement for the localisation function is not met. It has to be reinforced by redundant equipment. This principle is adopted for the GaLoROI system.
The above results are preliminary conclusions obtained using the illustrative numerical example of [3], based on simulation data. As the system is totally new and still under development, real data are not yet available to tune the model of the system. In future work, once the system tests in operational environments have been completed, we will analyse the experimental data and apply them to the model for RAMS assessments. Furthermore, a more efficient algorithm to improve the execution time of the Petri net for quantitative evaluation could also be developed.
V. ACKNOWLEDGEMENTS
This research was conducted as part of the GaLoROI
project (Galileo Localisation for Railway Operation Innova-
tion) supported by the European commission. GaLoROI is an
integrated research project within the European 7th Framework
Programme.
REFERENCES
[1] A. Acharya, S. Sadhu & T.K. Ghoshal, Train localization and parting detection using data fusion, Transportation Research Part C 19, 2011, 75-84.
[2] F. Boehringer, Train location based on fusion satellite and train-borne sensor data, Proc. SPIE 5084, Location Services and Navigation Technologies, 76 (August 6, 2003); doi:10.1117/12.487062.
[3] J. Beugin, J. Marais, Simulation-based evaluation of dependability and safety properties of satellite technologies for railway localization, Transportation Research Part C 22, 2012, 42-57.
[4] A. Filip, L. Bazant, H. Mocek & J. Cach, GPS/GNSS based train position locator for railway signalling, Computers in Railways VII, 2000, ISBN 1-85312-826-0.
[5] EN 50126-1, 2000. Railway applications: specification and demonstration of reliability, availability, maintainability and safety (RAMS), Part 1. CENELEC European standard (European Committee for Electrotechnical Standardization).
[6] EN 50126-2, 2007. Railway applications: specification and demonstration of reliability, availability, maintainability and safety (RAMS), Part 2: Guide to the application of EN 50126-1. CENELEC European technical report (European Committee for Electrotechnical Standardization).
[7] EN 50129, 2003. Railway applications: communication, signalling and processing systems, safety related electronic systems for signalling. CENELEC European standard (European Committee for Electrotechnical Standardization).
[8] Fault Tree Handbook, U.S. Nuclear Regulatory Commission, Washington, DC, 1981, NUREG-0492.
[9] GRIF - GRaphical Interface for reliability Forecasting, http://grif-workshop.com/grif/petri-module/
[10] J. Magott, P. Skrobanek, A Method of Analysis of Fault Trees with Time Dependencies, Computer Safety, Reliability and Security, Lecture Notes in Computer Science Volume 1943, 2000, pp. 176-186.
[11] B. Kaiser, C. Gramlich, State-Event Fault Trees - A Safety Analysis Model for Software Controlled Systems, Computer Safety, Reliability, and Security, Lecture Notes in Computer Science Volume 3219, 2004, pp. 195-209.
[12] M. Lauer, D. Stein, Algorithms and Concepts for an Onboard Train Localization System for Safety-Relevant Services, IEEE ICIRT - International Conference on Intelligent Rail Transportation, Beijing, China, 2013, 6 p.
[13] D. Lu, F. G. Toro and E. Schnieder, RAMS Evaluation of GNSS for Railway Localisation, ICIRT 2013 - IEEE International Conference on Intelligent Rail Transportation, Beijing, China, August 2013.
[14] G. Merle, Algebraic modelling of Dynamic Fault Trees, contribution to qualitative and quantitative analysis, PhD thesis, École Normale Supérieure de Cachan, 2010.
... Based on Table 1 that summarises the methods for solving the extensions of FT in literature, we find that the PN approach based on the MC simulation [2,4,13,26] is the most appropriate approach for evaluating an eFT of a complex system. Following the direction of these papers, we use PN and MC simulations [21] to quantitatively analyse the eFT. In detail, we convert the eFT into PN using the 3 following steps: ...
... Step 2 – Gates: translate "dynamic and temporal logic gates" through PN structure [13,21]. Step 3 – Combination: evaluate the eFT by integrating basic events into the inputs of "dynamic and temporal logic gates". ...
... However, the duration of Petri net simulations for a dependability evaluation is an issue. In fact, as the system output strictly depends on the states of components every small period of time T_0 s, the classical PN method [21] requires modelling the transition of the component states every T_0 s. It can cause a huge number of unnecessary sequences that do not lead to the critical events. ...
... The two general methods that are widely used for this process are the "bottom-up" evaluation and the "top-down" apportionment approaches. For the "bottom-up" approach, the expected reliability and maintainability data of individual components are used to predict the overall system availability (Nguyen, Beugin, & Marais, 2013; Nguyen, Beugin, & Marais, 2015). This predicted value is compared to the requirement, and then the system design is adjusted if necessary to reach the goal. ...
... In (Filip, Bazant, Mocek, & Cach, 2000), authors examined the performance of a standalone GPS/GLONASS satellite navigation system and also its combination with inertial navigation systems (INS) for safety-related applications in the railway industry. (Nguyen et al., 2013) evaluated the dependability of a GNSS & Eddy Current Sensors (ECS) based LU. In fact, numerous research projects such as GRAIL-2 (Marradi et al., 2012), EATS (Arrizabalaga et al., 2014), GaLoROI (Manz et al., 2015) had been launched and therefore highlighted the trend to employ the autonomous localization into ETCS. ...
Article
According to the evolution tendency of the control decision process from a trackside to a train-borne system, various autonomous localization units for railway vehicles were developed. As recommended in railway standards, the design process of each system, here the autonomous localization units (LU), follows the V-model whose first step is to define its availability requirement in order to satisfy the global ETCS system requirements. The classical approach for assigning the subsystem availability is based on the assumption that failure parameters of other units are precisely known. This assumption is too restrictive in reality due to the lack of information. In this paper, we propose a new approach that allows taking into account uncertainties in the dependability parameters of the ETCS components for identifying the upper threshold of the LU unavailability to reach ETCS availability requirements. Using fuzzy fault trees, the fuzzy unavailability of the ETCS without the autonomous LU is evaluated. Then, based on its membership function, we assess the satisfaction rate that an advanced ETCS with the autonomous LU can satisfy the ETCS availability target.
... A future use of route maps and virtual balises was proposed. GaLoROI [9] [11] [12] [14] project obtained the position estimation using GNSS (including Galileo technology), Eddy Current Sensors (ECS) and track-matching techniques. The tests performed in order to analyze the Reliability, Availability, Maintainability and Safety (RAMS) showed that GNSS performance was not good enough to meet railway requirements in harsh environments, showing the need of additional sensor fusion in order to increase the availability of the system. ...
Article
Independently of the business case addressed, one of the main drawbacks of the railway use cases that need continuous Global Navigation Satellite Systems data is the lack of availability for 100% of the time of the journey. Additionally, the integrity assessment of the position estimation given is also mandatory for safety critical applications. Thus, tunnels and multipath effects are among the most challenging situations for continuous positioning systems. In this context, an autonomous on-board Complementary Positioning System has been proposed to overcome the limitation of Global Navigation Satellite System based positioning systems. This paper proposes a positioning enhancement solution by means of fusing data from the satellite navigation system and inertial measurement units. That hybrid solution provides higher availability and accuracy to the positioning, especially in known blocked scenarios, such as tunnels or urban canyons, by means of a novel environment aware map aided software technique named Known Blocked Scenarios algorithm. This paper describes the Complementary Positioning System and the field test carried out in a challenging environment to validate the enhancement proposed by the authors, which demonstrates the benefits that this system has in known harsh environments for railways.
... This combination is performed by a fusion based on Extended Kalman Filter, a filter used a lot in navigation.
Figure 6: System concept used in GaloROI project [13]
All these projects conclude in the same way: GNSS is useful in railway localisation but their performance cannot meet the requirements in particular environment (forest, urban area). However, a hybridised solution with GNSS and existing on-board localisation system can be conceivable. ...
Conference Paper
For railway positioning solutions based on GNSS (Global Navigation Satellite Systems) like the GPS (Global Positioning System) or the future Galileo, a generic model is impossible to create with regard to the signal degradations in the atmosphere, the multipath effects caused by the receiver near-environment, the multitude of environment configurations crossed by the train and the weak feedback of these technologies for estimated failure rates. To compensate the weakness of GNSS, it must be hybridised with other sensors to determine a position sufficiently accurate for a use in safety applications. A multitude of information sources is available about the train position. Only one position is possible. In consequence, a fusion step is necessary to combine all these sources of position. This raises some questions: Why is technology hybridisation interesting to provide an accurate position? How can the influences of sensor errors affect the system output? Which sensor combination is the most efficient with regard to RAMS (Reliability, Availability, Maintainability and Safety) analyses required in railway safety standards? This paper proposes to focus on this last question with an analysis of different sensor architectures in order to understand how errors (propagation of failures) of one or several sensors can affect the entire positioning system. To answer this question, a causal analysis is conducted based on the sensor behaviours.
Article
Accurate localization of railway vehicles is one of the key requirements for the development of high-efficiency automatic train control systems. This paper proposes an angle offset-assisted positioning (AOAP) scheme for improving the localization of railway vehicles in tunnel environments. Our AOAP system consists of a wireless sensor network (WSN), where anchor nodes or sensors are distributed along the railway tracks to collect the signals transmitted by a target node installed on a train. Based on the information obtained by the anchor nodes from the target node, the position of the target node or the train is initially estimated. However, radio signals experience transmission delay, which makes this estimated position have a bias from the real position. Hence, the initially estimated train's position is updated with the aid of the estimated angle offset. In this contribution, we address the effect of angle offset error on the positioning accuracy. It can be shown that our AOAP approach is capable of providing more accurate positioning than the conventional least square approach without considering angle offset.
Article
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to combine fault trees with an explicit State/Event semantics, using a graphical notation that is similar to Statecharts. Our new model, named State/Event Fault Trees (SEFTs), subsumes both deterministic state machines suited to describe software behaviour, and Markov chains that model probabilistic failures, while keeping the visualisation of causal chains known from fault trees. We allow exponentially distributed probabilistic events, deterministic delays, and triggered events. The model provides a component concept, where components are connected by typed ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis or simulation. This paper, which is an extended version of [Kaiser B, Gramlich C. State-Event-Fault-Trees—a safety analysis model for software controlled systems. Computer safety, reliability, and security. Proceedings of the 23rd international conference, SAFECOMP 2004, Potsdam, Germany, September 21st–24th. Lecture Notes in Computer Science, vol. 3219, 2004, p. 195–209], revisits the model elements and the analysis procedure and provides a small case study of a fire alarm system, completed by an outlook on our tool project ESSaRel.
Conference Paper
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault Trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to enrich Fault Trees with State/Event semantics. We use a graphical notation that is similar to Statecharts. Our model subsumes deterministic state machines that are suited to describe software behaviour and Markov Chains that model probabilistic failures. We allow exponentially distributed probabilistic events, deterministic delays and triggered events. The model is compositional and joins components by ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis. We introduce the model and the analysis procedure and provide a small case study of a fire alarm system, completed by an outlook on our tool project ESSaRel.
Article
In the context of the reliability of critical systems, we focus on Dynamic Fault Tree (DFT) analysis. Our contribution is the definition of an algebraic framework that allows determining the structure function of DFTs and extending the analytical methods commonly used to analyze Static Fault Trees to DFTs. First, we review the main approaches that allow DFTs to be analyzed, as well as their limits. Then, the algebraic framework allowing the modelling of DFTs is presented. This algebraic framework is based on a temporal model of events, and on the definition of three temporal operators allowing the sequences of appearance of events to be modelled. These temporal operators allow the behaviour of dynamic gates, and hence the structure function of DFTs, to be defined algebraically. A probabilistic model of these dynamic gates is given to determine the failure probability of the top event of DFTs from this structure function. Finally, we show how the structure function of DFTs can be simplified to a canonical form thanks to some theorems and to a minimal form thanks to the definition of a minimization criterion. Last, we show how DFTs can be analyzed analytically and directly from this minimal canonical form of the structure function. We illustrate this approach on two DFT examples from the literature.
Conference Paper
This paper describes a system that enables a railway vehicle to determine its position in a track network accurately. The system does not rely on trackside hardware like balises or axle counters but is based solely on onboard sensors. It is composed of drift-free velocity estimates of an eddy current sensor, a GNSS sensor, and a geodetic and topological track map. The paper develops an algorithm based on a probabilistic modeling that fuses the data of those sensors and determines position estimates robustly. We describe how we can treat ambiguities and stochastic uncertainty adequately and we introduce the concept of virtual balises that replace in software what is implemented by trackside balises in present train protection systems. The technique of onboard train localization is one important contribution to future train protection systems that are based on onboard sensors rather than trackside infrastructure and that are more flexible and less expensive than today's systems without loss of safety.
Conference Paper
Global Navigation Satellite Systems (GNSS) are ready for various railway applications, especially the safety-related applications such as train detection and train localisation for the purpose of train control. Every safety-related application for railway should comply with a wide range of railway standards. In order to integrate GNSS into train localisation, a stand-alone satellite-based localisation unit should be developed. Then the demonstration of GNSS quality of service (QoS) should be implemented consistent with the EN50126 (Reliability, Availability, Maintainability and Safety, RAMS) standard. The RAMS standard seeks to evaluate massively the dependability (RAM) and safety aspects during the lifecycle before they are put into operation. However, currently there is no RAMS evaluation method for GNSS-based localisation for railways available. In this paper, we propose a procedure and a model for evaluating GNSS in terms of railway RAMS, using the GNSS data derived from a large number of test runs along a railway line in the High Tatra mountains in Slovakia. We start by evaluating the accuracy, availability and then reliability as a whole to represent the QoS along this line. Since the localisation unit depends heavily on GNSS itself (especially satellites, signal in space and receivers), we investigate typical environment scenarios along this line in detail, for example open area, forest, etc. We evaluate quantitatively each scenario according to reliability and availability aspects, and on this basis we analyse the safety risks when GNSS is unreliable but available.
Article
This paper proposes a fusion framework to locate trains travelling on track routes. The input data are gained from two independent sensor devices, namely, a Global Navigation Satellite System and an eddy current sensor device. The sensor data are fused by an Extended Kalman Filter gaining precise information about the train location. This positioning system combines the sensor devices with the fusion approach to perform a robust location even in the case of noise or when a sensor fault occurs. Additionally, some future fusion strategies to extend the existing location system are presented.
Article
Data fusion schemes for train localization and parting detection for the “Train Collision Avoidance System” (TCAS) in Indian Railways are described and evaluated. The requirements and constraints for the application are reviewed and the relevance of related technologies reported with the TCAS problem is discussed. The autonomous component of train localization in TCAS should (i) determine the longitudinal (along track) position of the train, (ii) provide reliable velocity measurement for automated braking and (iii) detect accidental train parting by comparing the longitudinal positions of the engine and the last carriage. This paper examines whether the above duties can be performed during GPS outage and GPS dark regions, without using track-side aids. The system engineering issues for selecting sensors and short-listing of data fusion options are discussed in the context of the above requirements. A number of data fusion solutions including a new proposed scheme for longitudinal localization are discussed and compared with two solutions reported earlier. A novel scheme for detecting train parting situation, based on fusion-filters and fault detection approach is also described and its performance evaluated. All the reported schemes use odometer and accelerometer. Parametric performance analyses are performed to select appropriate algorithms, sensor specification and tuning parameters. Representative simulation results are included.
Article
Satellite-based localization technologies are strategic opportunities in railway applications because they offer new possibilities of service and have advantages that current technologies relying mainly on infrastructures deployed along tracks cannot equal. GNSSs (Global Navigation Satellite Systems) can, in particular, offer localization services in ERTMS (European Rail Traffic Management System), the system developed within the European railway community to harmonize, at European scale, railway signalling and control/command systems. However, using GNSS in such safety applications is slowed down when trying to comply with railway standards. Indeed, demonstrations of RAMS properties (Reliability, Availability, Maintainability, Safety) are required on new solutions embedded in trains. They aim at verifying whether all dependability (RAM) and safety aspects are controlled over the lifecycle of the solutions before using them operationally. No RAMS evaluation technique exists for systems based on signal propagation and subject to failures provoked by environment effects. The major challenge is therefore to develop proof methods that will give means to fulfil the railway certification process. In this article, we propose a procedure to work in that direction after having presented the advantages, the possibilities and the challenges to use GNSS in rail transportation. The procedure is based on experiments for the evaluation of RAMS properties related to satellite-based localization units. We apply the method to different position measurements obtained in several typical railway environments. The obtained results are discussed according to the dependability and safety points of view.
Conference Paper
Safety is one of the biggest concerns in the design of computer-aided control systems. In order to make the system as safe as possible, a number of analysis techniques have been developed. One of them is Fault Tree Analysis. A fault tree (FT) represents causal and generalization relations between events (e.g. between a hazard and its causes). However, an original FT can express neither time relations between events nor the times of detection of a dangerous situation and of protection. A new method based on systems of inequalities and equalities for the analysis of FTs with time dependencies is proposed in the paper. The method can be used for the analysis of protections too. FT analysis and modelling of protection using systems of inequalities and equalities will be illustrated by an example. Formal models of FT gates used in the paper have the same expressive power as Timed Petri Net (TPN) models of FT gates from the paper [5]. However, the present analysis method has greater decision power than the classic TPN analysis method because the present method can be applied to much greater FTs. Additionally, the present approach results in clearer final conclusions.
Article
In order to make computer-aided control systems as safe as possible, a number of analysis techniques have been developed. One of these is fault tree analysis. A fault tree (FT) represents causal and generalisation relations between events (e.g. a hazard and its causes). However, it can express neither time relations between events nor detection and protection times. Time Petri nets (TPNs) can model all the above aspects. Thus, TPNs can be used for analysing and verifying time-dependent fault trees (FTs). One of the limitations of classical TPN analysis is the large number of TPN states. Even for a small FT this number can turn out to be vast. The authors introduce a new method for analysing such TPNs that model FTs. We do not consider all states that are reachable from the initial marking in classical TPN analysis but only those that lead to the occurrence of a hazard. Such an approach simplifies the procedure and results in cleaner final conclusions. If the hazard is reachable there is a need for safety measures to be taken. FT analysis and modelling of protection using TPNs will be illustrated using an example.