Periodically, the Institution of Railway Signal Engineers (IRSE) offers the industry an opportunity to show off its successes and expose some of the challenges. This is the Aspect conference, and the ninth one was held in London recently, attracting both speakers and delegates from all parts of the globe.
It is all too easy in the UK to imagine that our railway is the only one in the world with problems of capacity, technology update and financial control, and it is some comfort to learn that virtually all railways face similar challenges.
Growth and capacity
The European Shift²Rail initiative, ongoing since 2009, was described by Jacques Poré from Alstom Transport in France and represented a keynote theme to the event. The original intent to build up rail usage is now extended to finding ways of coping with this increasing volume. The thrust is very much ‘Providing More for Less’ with a target based around three challenges:
- Capacity – up to 100% increase;
- Reliability – a 50% improvement required;
- Life Cycle Cost – a 50% reduction required.
These items impact on all types of rail – high speed, intercity, regional, urban & suburban and freight. Research priorities are set out in a number of innovation programmes – energy and mass, advanced traffic management and control, cost effective infrastructure, seamless and attractive railway operations using IT solutions, and sustainable and attractive freight.
Each of these will lead to technology demonstrators which will commence in 2016, initially with prototypes in laboratories, then integration and demonstrations at system level, and finally the implementation of successful technology. The funding allocated is a €920 million budget covering up to 2023, €450 million coming from the EC and the rest from industry with eight founding members contributing €270 million and other major stakeholders €200 million.
Specifically for signalling, work will focus on:
- Development of communications systems – GPRS, EDGE, 4G, Satellite;
- Adding ATO to ETCS;
- Moving Block provision on main line railways;
- Trackside train detection including satellite options;
- On-board train integrity;
- Zero on-site testing, replaced by simulation;
- Standardisation of engineering and operational rules;
- Investigating virtual-coupled trains, i.e. convoys;
- Dynamic traffic management;
- Network attached object controllers in wayside equipment rooms;
- Cyber security and online key management.
This represents a considerable ‘shopping basket’ and Rail Engineer will keep a close eye on progress.
A common problem amongst European Railways is the age and variety of signalling interlockings, many becoming obsolete within 20 years. Looking to the future, Maarten van der Werff from ProRail in the Netherlands described the EULYNX project which has the objective of producing a common architecture with common apportionment of functionalities, standardised interfaces to create a safe closed network but borne upon open standard telecom networks, and the connection of interlocking peripherals to this network.
Known as a Cluster Project, the outcome will be a system design based upon mainstream solutions as used in the automation and telecom industries, the use of COTS (commercial off-the-shelf) equipment, a modular philosophy and a new electronic interlocking and train detection spec for both conventional and ERTMS-equipped railways.
Signalling secondary and rural lines has attracted a number of solutions down the years but a new system, based on satellite positioning, has recently been developed by Siemens under a 2012 UIC programme. This SATLOC system was described by Teodor Gradinariu from the UIC and Lucas Redding from Siemens UK. Trains have an on-board unit and driver’s MMI (man machine interface) screen containing a route map of all relevant lines, an odometer and a combined satellite / 3G aerial unit. Baseline positioning is obtained from track mounted balises and ongoing position is derived from GPS Galileo signals.
Train location is accurate to one metre, this being continually transmitted to the control centre via the public mobile networks. Movement authorities can be given for the sections ahead, typically to the next passing loop. Switches are either trailable or, for facing point operation, moved and locked by an adjacent RFID (radio frequency identification device) – again activated via the public mobile network. The system is installed on a trial basis in Romania with reported successful results. The system aims to be low cost, with more facilities than the RETB system deployed in Scotland, but less sophisticated than the Regional ERTMS system akin to Level 3 as developed in Sweden.
Train control is getting evermore data hungry and the use of IP (Internet Protocol) with MPLS (Multiprotocol Label Switching) is an obvious choice to service the need. But is it safe for mission-critical applications and how would it be managed? Benoit Leridon from Alcatel-Lucent considered the question. The statement that nowadays ‘no telecom = no signalling’ may well be true, but telecom lifecycles are typically 5-7 years whereas signalling is 30 years plus. Is this reconcilable?
The answer is yes since, whilst the hardware and software will develop, the basic building blocks will be there for a long period and any advances have to be backward compatible. IP/MPLS is a distributed architecture that can adapt a network for all applications. The IP addressing structure allows for differentiation in criticality, such that a signal control IP address cannot communicate with a passenger information system, for example.
Critical applications (not just signalling but such as SCADA systems as well) must have a high order ranking to guarantee delivery in the required time and must be compliant with EN50129. Resilience and redundancy will be all-important with a fast re-route (15msec) if failures occur. Lower order applications will still have good quality service if high order requirements do not use all the available bandwidth. Hardware advances have enabled the IP/MPLS router, the SDH and PDH connections and firewalls to be contained within the same box.
This whole scenario is more than a vision, it is a reality just around the corner.
The vexed question as to the life expectancy of GSM-R and any future replacement was discussed by Chiel Spanns from the Netherlands, now working for the ERA. It took from the early 1990s until 2006 to get the technology stable and is predicted to be in use until 2030. Thereafter, there are many options but, whatever is selected, the transition will itself be a challenge.
Many suggest that 5G will be the answer. This will use a combination of technologies, always connecting to the best signal to give a fast and secure service. The functional architecture will be decoupled from the physical layer with the first 5G systems expected to be in operation for the 2020 Olympics.
Even if this is the chosen technology, the challenges for the railways will be considerable:
- Product lifecycles for the radio are much shorter than typical rail assets;
- Business models of public operators are very different to rail operations;
- Defining one single radio technology, starting in around 2022, will be impossible;
- Spectrum options need to be decided – continuance of GSM-R band, new band for railways, share with public safety bands, use non-harmonised spectrum;
- Ownership and control may not be with the railways;
- Migration is likely to take 10 years;
- Co-existence with GSM-R is essential;
- How to balance costs between infrastructure and rolling stock?
Success will be judged as to how cost can be reduced by using standard technology and products. This will mean requirements will have to be re-written, both for operational and normal usage conditions. Applications must be determined for all types of line, and decisions made on the requirements for interoperability and whether split usage between public and dedicated networks is acceptable.
Studies are underway to probe these questions with answers by the end of 2016. The aim is to have a first deployment by 2022.
Can more be made of GSM-R in the meantime? Joanna Binstead, from Siemens at Poole who make the on-train mobile, certainly thinks so. Only about 20% of the available processing power within a GSM-R set is used for current applications. Other potential uses are:
- DAS (Driver Advisory System) – algorithms are already developed for the radio screen and the storage of timetable and route data. With a combined terrestrial and GPS aerial installed, trains can quickly and easily be equipped with a low cost DAS application using the GSM-R network for the distribution of data. The system is already under trial with one TOC and results will be made known soon.
- Remote Condition Monitoring – on board sensors exist on many trains and integrating these into a ground reporting system using GSM-R is straightforward. Should the train be equipped with sensors for recording track defects, these can be reported in real time.
- Passenger Information – connecting the GSM-R radio to the PA system so that live announcements can be made from control to passengers has been part of track-to-train radio specifications for many years but still needs to be resolved in terms of desirability and driver distraction.
- Remote Software Updating – most trains are now equipped with an on board data bus. Periodically these need software updates that can only be done at depots meaning not all trains receive them at the same time. Downloading the update via the GSM-R radio would overcome this constraint.
- Some of these ideas may appear fanciful but could well become part of the Digital Railway vision.
Many railways see automation as the means of optimising the operational railway. Whilst ATO is one such opportunity, there are many more tasks that could benefit by being automated. However, Daniel Woodland from Ricardo Rail explored the potential risks.
Accidents in Washington DC and Santiago were caused by overreliance on automated system performance. Human errors may be reduced by automation but risk still exists. De-skilling of staff, delayed reactions, incorrect assumptions, attention conflicts and preparation errors are just some of the situations that might occur, all magnified if the automation system fails.
The dynamics of a train service are fundamentally unstable and automation has to be perfected over time with changes often being necessary when real passengers are involved. Badly implemented automatic systems are often switched off and get a bad name.
Automation is not a holy grail.
Whilst new forms of signalling and train control are a major factor in increasing capacity, there are other elements in this challenge. The ON-TIME project, funded by the EU, has a number of objectives aligned around better timetable compilation and improved decision support to controllers and drivers.
Clive Roberts from Birmingham University explained how the project had progressed with 19 partners and Network Rail as leader. Capacity may be defined as ‘traffic volume X infrastructure occupation’, where on busy routes problems easily multiply when real time train running does not match the timetabled service. Junctions and stations are the crunch points and the philosophy of first come, first served often leads to yet more disruption.
New algorithms have been developed, firstly to mitigate the effect of minor perturbations and secondly to optimise asset usage when major disturbances occur, either for planned engineering works or significant incidents. This has resulted in a Perturbation Management Module with four elements:
- Traffic State Monitoring that collects real time data on traffic conditions;
- Conflict Detection and Resolution that compiles the traffic evolution within a certain time period;
- Train Path Envelope Computation to calculate the time allowances available for a train to proceed to timetable with minimum use of energy;
- Human Machine Interface to give real-time information to signallers and controllers on a screen visualisation of the current traffic state.
The optimised plan has a combination of all four elements working together. Five locations in Europe have been tested in simulation, the ECML being chosen for the UK. Results show significant performance improvements but the main benefit is likely to be cross border traffic in mainland Europe. The relationship and integration with Traffic Management Systems (TMS) and DAS networks now being implemented needs to be understood.
Safety and security realisms
Safety, quite rightly, is at the core of all control and command systems. The safety industry has mushroomed over the last two decades, due partially to some unfortunate accidents but also because of software usage in signalling equipment. Is it all justified and will the final approvals guarantee a safe outcome?
Roger Short, former chief engineer at Atkins, has studied the subject for many years and discussed the process of safety assurance. A Safety Case is essentially made up of many documents, detailing system requirements, safety apportionment, system validation and system acceptance.
Have the verifiers and assessors understood all of this as a paper-based exercise? The mental capacity to absorb all this information is considerable and the complexity of the data will only compound this with the requirement for cross referencing, own knowledge input and inherent technical complications. Maybe the final sign off is not as robust as one would like to believe.
Software security is even more complex – so says Peter Sheppard from Ricardo Rail. The standard to follow is EN50128, which can be hard enough to understand for new systems let alone applying retrospective changes. Risks are numerous and considerable. The project team will have to check whether the baseline is suitably certified and accurate, be aware of creeping changes in any past application and how these might be found, know which standard to use (50128:2001 or 2011), assess any changes of hardware and their implications and impact on failure mode and rates, be sure of the quality of existing documentation and the integrity of the function such as its SIL rating, and lastly recognition that verification, validation and testing is so complex it is not possible to test everything.
It is all too easy to believe that, because a system was validated before, any changes will also be safe and reliable. Beware particularly of guaranteeing that a system is SIL4 if legacy software is to be re-used. Re-working code is difficult but using some rules can help:
- Partitioning – isolating the re-used software;
- Interface control – restrict the use of the re-used software features;
- Diversity – implement with diverse re-used software;
- Safety and credibility – check as far as possible beforehand;
- External safety implications – check interlocks to limit consequences of failure;
- Software watchdogs – use wherever possible.
Cyber security has taken on an importance almost in the same league as safety, but is it the threat that many predict? Michael Bastow from Atkins explained it has potential impact on many vital industries – power, oil and gas, water, air – and the measures being taken generally are also applicable for rail. Several standards and guidance are available but it does require a collaborative effort from government departments, infrastructure managers and suppliers.
Risk assessment of the threats is important in terms of access control, use control, data integrity, data confidentiality, response time to events and resource availability. Some standard countermeasures should be adopted: network segmentation and firewalls, encryption, intrusion detection, anti-virus software and updating, social awareness and training, configuration management, data logging and sharing.
A challenge to the audience was given by Andrew Love from Interfleet: he will buy a drink for anyone associated with a signalling control system if they have not had a hacking attempt before the next Aspect conference takes place. How’s that for a prediction?
A conference such as this covers a multitude of subjects, too many to report on in a single article. Level crossings are an ever-present safety concern in all countries. Ed Rollings from Network Rail outlined some of the improvements being made in the UK, most of them aimed at mitigating the sometime-stupid behaviour of motorists and pedestrians.
Automated testing, non-disruptive stage works, openness to use of other industrial practices, scalable train control systems for different types of line, plus ways of ensuring signalling competence into the future, were some of the other topics presented. As Francis How, the new IRSE chief executive, pointed out: the IRSE has a duty to educate its membership in the skills of railway command and control including commercial and financial elements, with senior engineers having a responsibility to mentor the young and those new to the industry.