Tackling the challenges to standard train control
ETCS: Some decisive action needs to be taken soon in order to ensure the evolution of a truly standardised European Train Control System.
Frank Walenberg is Director of KEMA Rail Transport Certification, where Rob te Pas is Principal Consultant and Lieuwe Zigterman is Senior Assessor.
Observers of the European railway scene could be forgiven for thinking that there is something seriously wrong, as operators and the supply industry struggle to adopt the European Rail Traffic Management System. Progress is slow, and it is clear that implementation of ETCS is taking place in small steps.
Some progress has been made towards interoperability. The legal framework is in place, and the institutions are largely established both in the member states and at the European level. The first interoperable lines have been put into operation, and traffic is starting to grow. This should pave the way for interoperability to move from ‘pragmatic’ to ‘full’ implementation. But whilst the end vision is clear, it seems that not enough attention has been paid to common international migration strategies, and the interoperability issues that arise when railways have reached different stages of implementation.
ETCS Level 2 is now in commercial operation in Switzerland, Italy, the Netherlands and Spain, amongst others, and many more railways have Level 1 installations to a greater or lesser degree. Most of these are based on System Requirements Specification Version 2.2.2, but with local modifications to get the systems operational. So today, we have a ‘consolidated’ version and something referred to as 2.2.2 ‘Corridor’. It is clear that the different suppliers, who are all members of Unisig, have been implementing slightly different functionalities based on identical specifications.
To try and make sense of the confusion, the European Railway Agency, as designated System Authority for ETCS, published a new SRS Version 2.3.0 on March 7 2007. However, it became evident that this was incomplete, so a debugged version (2.3.0D) was officially adopted on May 24 2008. Suppliers and infrastructure managers are now trying to implement this by updating the equipment and software on existing rolling stock and infrastructure.
Meanwhile, ERA is working towards Version 3.0.0, which will include functional updates requested by many different parties. For example, RFI of Italy is asking for radio infill and SBB wants Level 1 with Limited Supervision. The industry’s current expectation is that the Version 3.0.0 specifications will be signed off by December 2012, and that the suppliers will have their products tested and approved three years later. This would allow for operation using 3.0.0 to start in 2016.
Putting this in a positive light, the ETCS community is in the throes of a learning process to settle specifications that can guarantee unified, and hence compatible, implementation. But the learning process is continuous, and the railway sector may not be well equipped to manage it.
ERTMS in practice
Concerned by the various national differences in ERTMS implementation, in 2007 ERA commissioned Kema Rail Transport Certification to undertake a study of experience with implementing ERTMS, with a particular focus on safety approval procedures. This study was conducted in co- operation with RINA (Italy), Cetren (Spain) and Attica Advies (Netherlands).
One of the most important findings was that system integration is not well covered by the European regulations. This is the responsibility of individual member states, and as a result, many national procedures remain in place.
That is bad enough, but there is worse. As agreement could not be reached on all aspects of ETCS, the key players invented National Values to identify parameters where countries may (and do) choose different standards.
A good example is ‘V_nvunfit’, which is the permitted speed limit in ‘unfitted’ mode where the on-board equipment is not working. This was seen as a failure mode that would only occur on rare occasions. In one sample country the permitted speed is 10 km/h, but one of its neighbours allows 100 km/h, another 160 km/h.
Each country claims its choice is based on sound arguments, but it would be hard to explain to a driver why such important changes occur when his train crosses a border. In most cases these differences will only become apparent to the driver under specific failure conditions, which makes the issue potentially quite serious. Most railway accidents do not happen in normal operating conditions, but only after one or more ‘abnormal’ events.
When a new line or an upgraded route is taken into service, many conditions have to be met. It is not sufficient simply to equip track and trains with ETCS and GSM-R, the two main components of ERTMS. This is because the infrastructure consists of numerous subsystems such as bridges and tunnels, power supply and stations, while there are countless different types of rolling stock. Operational procedures are markedly different too.
Fig 1 illustrates how the different TSIs apply to the railway and its subsystems. The upper half of the diagram concerns Conformity Assessment at the subsystems level as determined in interoperability legislation. Note that significant elements of the operating railway are not covered by TSIs, for example interlockings and train detection systems.
Each TSI still has an Annex which lists a number of ‘Open Points’. In relation to ERTMS, Annex G of Commission Decision 2006/860/EC mentions (amongst many other items) the following:
- requirements for reliability and availability;
- requirements for safety and safety analysis;
- odometry functional interface specification;
- version management.
For the time being, the TSI requires each member state to define its own requirements in these areas. In theory, these national requirements should be exchanged at European level, and at some point in the future, the EU hopes this may lead to a consensus.
The lower half of Fig 1 shows the steps required when a railway is taken into operation. The first is to integrate the lineside and onboard equipment (CCS integration). Integration of all other subsystems then follows, with a period of trial operation before the line can enter commercial service.
The study showed that each member state goes about implementation in its own way. There are no common rules for the period of trial running. No common criteria are defined to specify when a new line can be put into service, and there is no common approach to safety testing.
There also are significant variations in the way that safety approvals are handled compared with what is required in the certification process for interoperability. In some cases assessment by the Independent Safety Assessor is seen as part of the interoperability certification, while in others a separate ISA assessment is given the highest priority before a line enters commercial service, and interoperability is left until later.
In either case there is little experience of assessment for international cross-acceptance. Apart from decisions by Notified Bodies about ISA acceptance, the legislative ground for safety cross-acceptance is weakened by different views about assessors’ qualifications and liability.
Looking at operations, current practice is that bilateral agreements are negotiated between infrastructure managers and railway undertakings as well as between infrastructure managers in neighbouring countries. But these agreements are not standardised.
Multiple Class B systems
The CCS TSI distinguishes between the Class A system (ETCS), and Class B national train protection systems. Rolling stock for international services is usually equipped with several Class B systems to run in different countries. For example, a Thalys PBA trainset is fitted with the French KVB and TVM, the Belgian TBL and Crocodile, as well as the old and new versions of the Dutch ATB. The PBKA trainsets also have PZB/LZB inductive train control to operate in Germany. Thalys trains are now being fitted with ETCS Level 2 so that they can run on HSL-Zuid between Belgium and the Netherlands.
The TSI assumes that each Class B system is controlled via a Specific Transmission Module. The Unisig Subsets in Versions 2.2.2 and 2.3.0 distinguish between an STM-European and an STM-National. The former is the ideal from the point of view of integration, as it only handles the track interface, while all logic processing for multiple STMs would be concentrated in the on-board European Vital Computer. An STM-National, by contrast, more or less maintains the existing ATP system, which is simply switched on or off by the EVC.
So far only a limited number of STM-N modules have been developed, and we do not know of any STM-E. There are even suggestions that the provision for STM-E could be removed from the Version 3.0.0 specifications.
At present, there is no provision for co-ordination between different STM-Ns. A specific example highlights what may happen. When operating on a Class B system, the CCS TSI defines which STM should be used. As defined in Annex A of both the High Speed and Conventional TSIs, the ETCS kernel determines the level of safety provided, either ETCS or ‘Level-STM’.
Starting a train from cold, a driver must input the appropriate level. Selecting ‘Level-STM’ brings up a list of available STMs on the DMI, and the driver can then choose the correct system. However, it is possible to select the wrong one. For example, on a Thalys train in the Netherlands, a driver could select the STM for Belgium, which would mean that the system would operate to TBL1 specifications, as a warning system rather than a train protection system. The driver would expect the Dutch ATB to protect his train, reducing the speed to 40 km/h if no ATB signal is received. However, STM TBL1 only introduces emergency braking if train speed exceeds 160 km/h, and the train protection system in the Netherlands would not function until an ETCS balise was passed, which would reset the system. So in some circumstances the introduction of ETCS, and particularly the control of STMs by ETCS, may actually reduce the level of safety.
When trains cross several borders, it is clearly important for the ATP to function correctly in each country, even when operating in degraded mode. In a typical example, the systems for countries X and Y are put into ‘sleeping mode’ when the train is running in country Z. The systems needed in countries X or Y are woken up by an ‘activation event’ which occurs as the train enters that country.
But the ETCS designers have assumed that the whole European network is being equipped with ETCS, or at least with transition balises at each border crossing. Thus the Class B systems for countries X and Y, which are not active in country Z, are not put in sleeping mode but are simply switched off. They would then be switched on again by a transition balise.
Yet in reality transition balises have not yet been fitted at all relevant borders. If a train re-enters country X at such a border, the Class B system remains switched off. This border would still be equipped with the ‘old’ activation code for a sleeping Class B system, but this would not be ‘heard’ by a train running with the system switched off. Once again, there is a risk that the level of safety could fall as a result of STMs being controlled by ETCS.
We are concerned that the specifications do not consider the problem of transitions between existing national systems in sufficient detail. Chapter 4 of Subset 026 includes the ETCS Transition Table for all ETCS modes, including STM-E and STM-N, but there are no transitions from one STM mode to another: transitions SE to SE and SN to SN have been omitted!
Our experience suggests that international freight traffic, on Corridor A between Rotterdam and Genova for example, is already encountering such transition problems. And with the profusion of traction leasing, locomotives are likely to be used in many countries, meaning that dozens of transitions between Class B systems will have to be taken into account.
Infrastructure managers acting only within their own country prefer to install balises which command and accept only those systems that apply in that country. For example, the onboard equipment on a train entering the Netherlands will be instructed by a balise to switch to ATB, and no alternative is permitted. When approaching either the Betuwe Route or HSL-Zuid, the train will receive Level 2 commands, with Level 1 as a fallback on HSL-Zuid.
As a consequence, if the ETCS fails, and is not able to switch to Level 0, the driver must isolate the equipment by breaking seals. Depending on his actions, he might then be permitted to continue the trip with no active train protection. If the transition balises on the approach to the Betuwe Route also allowed for ATB (as a secondary option in the priority list), the system might switch to ATB, which would provide a degree of protection by limiting train speed to a maximum of 40 km/h.
The consequences of choices made by infrastructure managers will affect train operators, especially freight companies, all across Europe. As these companies operate in a genuinely competitive market, they do not spend time discussing ERTMS and all its complications. They simply want to run their trains.
Braking curve parameters
Another key issue is the question of braking parameters. This involves the ETCS equipment manufacturer, the rolling stock supplier and the infrastructure manager, whose choice of trackside equipment is influenced by the characteristics of the rolling stock using the routes being fitted.
To date there is no agreement on braking curves in the TSIs. The ERTMS User Group has taken the lead in the search for agreement on a common braking model, and while this process is well in hand, agreement on braking curves in the TSIs must await the issue of Version 3.0.0. Yet while agreement on a common braking model may be within reach, there is no sign of an agreement on the parameters to be used in the model.
Meanwhile, each operator or rolling stock manufacturer has to decide which braking curves to apply, and the Notified Body then has to assess the choices made. In our experience, the braking curves adopted in recent years are often ultra-conservative — every party seems to want to increase the safety margin. This leads to braking curves which lengthen headways significantly. In extreme cases, the allowable braking distance for a freight train running at 100 km/h can be as much as 2 km.
The way ahead
ERTMS is not the only driver of interoperability, but is perhaps the most important, and the most visible sign of progress. The gradual development of a global market for ETCS also offers an important incentive for European suppliers to improve their competitiveness.
The separation of responsibility for infrastructure management and train operations is a cornerstone of European railway policy, aimed at improving the attractiveness and competitiveness of the rail sector. But as a consequence of this approach, the new concepts of interoperability, TSIs and certification are essential to restore a systems structure. Strict application of these instruments is needed to reach a stable structure. In particular, TSI-OPE needs to be applied more strictly. And it is important to recognise that the interoperability of subsystems can only really be demonstrated through certification.
Confusion about the definition of interoperability and other issues seem to be making the application of TSIs difficult, creating openings for some countries to continue their national approaches. Further development of the TSIs, to improve their completeness and ease of application, is needed to reduce this tendency.
Harmonisation of the European railway network is clearly a long-term task, because of the enormous costs involved. Interoperability is not a goal in itself, but is intended to create the conditions for an open railway market. Nor does it solve the financial problems of further introduction and implementation of interoperable technologies. The next steps towards creating a true market largely depend on the political will to define and support effective migration strategies. Future success will also depend on feedback from experience, the ability to monitor and measure progress with interoperability, and to recognise the reasons for any lack of progress.
We believe that some decisions need to be taken urgently to progress the evolution of ERTMS. To that end, we would like to offer some suggestions:
- allow a ‘sleeping’ mode for Class B systems:
- agree on the inclusion of ‘foreign’ Class B systems in the ‘priority lists’ for transition packages;
- explicitly address the need for SE to SE and SN to SN transitions, to accommodate border crossings between STM operations in different countries;
- eliminate National Values, or agree a smaller range for different speed values;
- continue working to establish common braking parameters.
We have learned that the path towards an interoperable European railway is long and arduous, and much still lies ahead of us. We can choose to return to the multi-national route of the past or we can choose a route that leads to a true European railway. So much effort has already been put into the introduction of ERTMS, and this progress should not be put at risk. The decision time is now.
Technical Specifications for Interoperability
OPE = Traffic Operational & Management; CCS = Control, Command & Signalling ENE = Energy; RST = Rolling Stock; INF = Infrastructure
Glossary of ERTMS terminology
ERTMS = European Rail Traffic Management System
ETCS = European Train Control System
FRS = Functional Requirements Specification
STM = Specific Transmission Module
DMI = Driver Machine Interface
SRS = System Requirements Specification
ERA = European Railway Agency
Unisig = Consortium of principal ETCS signalling suppliers