The ERTMS (European Train Management System) has been developed by the European Union (EU) to enhance safety, increase efficiency and enable cross-border interoperability, creating a unique solution that fulfils a standardized certification process. Being able to automatically stop the train to overcome human errors, the ERTMS has achieved the highest track record in terms of safety over several billion km travelled each year. GNSS positioning, bearer-independent telecoms and ATO (Automatic Train Operation) are the new features for enhancing the ERTMS on the path to fully autonomous operations. In the same period, the automotive industry has launched ambitious plans for connected cars, and autonomous driving applications are emerging as the next wave of innovation. This paper evaluates the challenges of sharing intelligent infrastructure means, by combining the strengths of the safety benchmark achieved in rail transport with the mass production capability of the automotive industry to lower the costs. In this scenario, rail and automotive, becoming tightly intertwined, can get a grip in the race towards full automation that is affordable and safe, giving birth to autonomous vehicles able to travel within virtual rails as “trains” on the road. To this aim we will introduce the two test beds in Italy, respectively for validating the ERTMS with GNSS positioning and public telecoms networks and for testing FCA Ducato vans to operate at SAE level 3 automation exploiting the new GALILEO and 5G services.
The recent progress of satellite geo-positioning technology and the emerging 5G telecom networks open the way to digitally connected ecosystems for autonomous vehicles. The multi-billion dollar investments of the car industry are an unprecedented stimulus for research targeting performance and cost objectives that no other transport sector “alone” could achieve. Trains equipped with the ERTMS (European Railways Train Management System) are operating with a high level of automation, ensuring the highest levels of safety and cumulating several billion km travelled yearly. The ERTMS train control system compares the speed of the train with the maximum permitted speed in the portion of the line the train is operating on, and automatically applies the train’s brakes if the limit is exceeded or if the train does not stop at the prescribed location. The system is able to intervene on the braking system in case of a driver’s mistake. For this reason, the driver behavior is not considered in the safety analyses. On an airplane, instead, the pilot behavior is considered in the safety assessment because the pilot must take control of the airplane in case the autopilot does not perform correctly. Similarly, on the autonomous car prototypes under test the driver must be ready to intervene, and to demonstrate the safety level they are just cumulating test results, even though this approach is not sufficient. To overcome these limitations, Common Safety Targets (CSTs) and Common Safety Methods (CSMs) were introduced in the Railway Safety Directive (EU) 2004/49/EC [
The final goal is to obtain the safety levels already achieved by the ERTMS at a lower cost by leveraging the mass production of the automotive industry. This paper aims at exploiting these potential synergies for sharing R&D investments, safety procedures and test beds. Section 2 describes the recent progress on geo-localization systems, identifying reference architectures which allow the target safety levels for train and car automation to be achieved. Section 3 deals with the validation strategy, simulation tools and the contribution of two test beds under development; special consideration is given to the adoption of the next generation 5G telecom network.
A general goal of a transportation system is to achieve a defined level of traffic in a given time and safely. The RAMS process (Reliability, Availability, Maintainability and Safety) must be used to describe the confidence with which the system can guarantee the achievement of this goal, and it has a clear influence on the quality with which the service is delivered. Safety and Service are complementary, and the right trade-off between different needs shall be assessed and tuned among different operational scenarios. Under comparable conditions, in fact, a safer system means more limitations for service and vice versa. For a railway system the CENELEC 5012x and IEC 61508 norms must be applied, knowing that railways traditionally belong to the very safe transportation systems, with the restrictive fail-safe principle saying that safety must be maintained in case of dangerous signaling system failure, mitigated through other operational procedures. GNSS (Global Navigation Satellite System(s)) has become a de-facto global source of safe positioning thanks to the aviation sector. By the year 2020, four independent constellations with global coverage will be operational, bringing some 40 satellites into view at a time.
The first edition of the recently published European Radio Navigation Plan provides an inventory of existing and emerging radio navigation systems modernization plans and detailed user requirements including those relevant to rail and road applications [
However, in safety critical applications, like those belonging to avionics, and in safety related applications, like those related to rail and automotive, the safety requirements are as relevant as those concerning accuracy. They are usually specified in terms of Tolerable Hazard Rate (THR), which indicates the rate at which the train control system fails to stop the train at the desired location or the speed exceeds the prescribed value. For instance, the ERTMS requires a THR less than or equal to 10E-9/(hours x train), which however does not indicate the frequency of occurrence of a fatality, which is at least one order of magnitude lower. Thus, given 20,000 trains (the number of trains actually circulating in Europe) operating 24 hours per day, every day of the year, this is equivalent to a hazard about every 6 years. Applying the same THR to cars, on a fleet of one million vehicles operated one hour per day we obtain about one hazard every 2.7 years. Starting from these considerations, the vehicle’s localization function has to guarantee the same THR.
Therefore, in the design of a train localization system compliant with this requirement we considered the state of the art performance guaranteed by the SBAS augmentation systems, already developed and certified for aviation, and reasonably obtainable also with local augmentation systems. In this case, a THR of 10E−6/h for the stand-alone GNSS Location Determination System (LDS) is considered a feasible compromise between cost and performance. However, as exemplified by the fault tree shown in
An augmentation network has to be adopted to achieve the required THR, mitigating the hazards originated by satellite faults and by anomalous ionospheric and tropospheric gradients. However, hazard sources also include multipath and intentional and unintentional interferences. These local causes of hazards, which indeed represent the major risk for rail and automotive applications, cannot be mitigated by any augmentation network. Therefore, the adoption of an integrity monitoring network is mandatory, and for this reason it has been studied both in terms of Receiver Autonomous Integrity Monitoring (RAIM) algorithms and Networks [
This bi-level approach can support protection levels of 5 m with high availability in mild environments, and protection levels of 12 m in severe environments. However, these performances are not sufficient for the car automation as indicated in
The reference ERTMS architecture with its main constituents and the new ones for using the GNSS is reported in
• OBU (ERTMS On Board Unit): it processes the raw data provided by the GNSS receivers on board the train/vehicle, together with the augmentation messages coming from the RBC (Radio Block Center), for calculating the train position and velocity, as well as the related confidence intervals, and whatever is needed to support the train control system;
• RBC (ERTMS Radio Block Center): knowing the train position, it is in charge of defining and sending the permission to proceed to specific locations with supervision of the permitted speed (also known as Movement Authority); it is also in charge of sending to the On-Board Unit the augmentation and integrity monitoring data;
• SBAS (Satellite Based Augmentation System) ground services: the terrestrial services provided to the user by the SBAS Ground Segment (e.g. EDAS-EGNOS Data Service for EGNOS (European Geostationary Navigation Overlay Service));
• TLC I/F and RADIO I/F: are the components of the rail communication network used by the rail operator for the communication between the RBC and the OBU;
• GPS and Galileo Ground Services: ancillary services provided to the user by the GNSS Ground Segment (e.g. precise ephemeris, almanacs, geodetic reference frame parameters);
• High QoS (Quality Of Service)/Security Communication Link: a high QoS (low latency, low number of lost packets) is needed for guaranteeing the quality of the communication between the GPS and Galileo Ground Services operators, SBAS Ground Services operators, external networks operator and the RBC.
The functional decomposition of the GNSS Multimodal Augmentation 2nd Tier system is reported in
• Data Acquisition: it oversees acquiring data from the Rail RS (Reference Station) network safety of life backbone and from the external network;
• RS Network: it is the internal Rail TCS (Train Control System) system network of GNSS RS; it has to follow the GBAS (Ground Based Augmentation System) standard able to guarantee a minimum safety level to be agreed;
• Integrity Monitoring: it is the core of the integrity monitoring system, implementing the FDE (Fault Detection and Exclusion) algorithm for both GNSS SIS and RSs through a 2-Tier algorithm. It takes as inputs SBAS messages and RIMS (Ranging Integrity Monitoring Station) raw data for performing a residual check and outputs only integrity checked raw data;
• Integrity Parameters: it is in charge of calculating integrity related parameters to be broadcast to the OBU for performing integrity monitoring and alarms identification; in the case of GBAS, OBU has to calculate the Protection Level (PL) to be compared with a defined alarm limit; the PL is based on the estimation of the measurements variances derived from single error variances (ionosphere, troposphere, ephemeris) as well as parameters carrying out the information about network integrity (e.g. B-values in the GBAS);
• Local Atmospheric Monitoring: it implements local ionospheric monitoring for anomalies detection (e.g. high gradients and scintillations);
• Measurements Corrections: it implements the generation of measurement corrections (PRC (Pseudo Range Corrections) and RRC (Range Rate Corrections)) in case of SBAS, area corrections in the case of RTK (Real Time Kinematic), to be broadcast to the OBU;
• Network Processing for High Accuracy: GBAS like performances, based on pseudo range measurements, are sufficient for meeting normal rail operation; RTK and PPP (Precise Point Positioning) are considered as an optional feature to be developed, e.g. for track discrimination application; this block is devoted to the estimation of parameters needed for performing very accurate (e.g. RTK and PPP) positioning; it includes area corrections (e.g. VRS (Virtual Reference Station), NRTK (Network Real Time Kinematic), etc.), precise orbits and clocks, satellite biases, accurate STEC (Slant Total Electron Content) determination;
• High QoS/Security Communication Link: to receive raw measurements from RSs and from SBAS and GNSS constellations ground services, a high QoS network is needed (e.g. RTD (Round Trip Delay) < 1 s), protected by a high level of security able to counteract cyber-attacks that could lead to severe disasters if directed toward a national and regional TCS;
• Spoofing Detection: the developed RS can be used for implementing a national and regional spoofing attack monitoring system; it is an optional feature to be analyzed, due to the relevant damages a spoofing attack can cause to rail applications.
Two complementary test beds are under construction, respectively for rail (ERSAT) to certify the satellite positioning and public telecom networks in the ERTMS system and for automotive (EMERGE) to evaluate multi-constellation multi-sensor positioning means together with 5G communications and cybersecurity platforms for vehicles with SAE level 3 automation.
Both facilities are under construction, the former with RFI (Rete Ferroviaria Italiana) that is the Italian railways operator in charge with the role of Game-Changer for validating the GNSS and public telecom in the ERTMS ecosystem [
ERSAT is the latest generation signalling project that interfaces and integrates, for the first time in Europe, the European Rail Traffic Management System (ERTMS) with the navigation and satellite positioning technology and public telecom networks. The Pinerolo-Sangone pilot line is the first step to the validation and verification (V&V) of the GNSS within the ERTMS platform and as such it is supported by a group of satellite and rail agencies and experts (
This initiative represents the first attempt aiming at developing and testing advanced localization, terrestrial and satellite communication and cyber security platforms for autonomous car applications exploiting the synergy with rail applications (
which to install the 5G network to anticipate new applications enabled by the 5G technology and to realize a multi-modal augmentation network based on the architecture shown in
The Living Lab will allow the testing of different solutions under a variety of dynamic scenarios that include a large number of vehicles as well as pedestrians, each equipped with a different set of sensors and location determination units: GNSS multiple constellation, multi-frequency receivers, RF terrestrial signal based positioning, mechanical odometer, IMU, visible light and IR passive imaging systems, LIDAR, visual odometer (based on LIDAR and/or visible light and IR passive imaging systems processing), RADAR, acoustic sensors. Two missions are envisaged, respectively for daily operations and for emergency situations, both requiring a geo-fenced corridor where connected vehicles will be moving autonomously as trains on the roads. These experiments will open the way to vehicles connecting, for example, railway stations with fixed locations in the city or, in general, two places between which it is possible to realize geo-fenced corridors and apply the principle of the ERTMS for controlling the vehicles.
This section describes the VIRGILIO simulator that has been developed for assessing the GNSS performance under various augmentation architectures including different algorithms, and the Digital Beamforming platform to evaluate and mitigate the risks caused by intentional interferences.
VIRGILIO is a GNSS multi-constellation software simulator to design high integrity GNSS-based systems. It operates with hardware in the loop and can be connected in cloud modality to other simulators (to characterize multipath) and to test facilities (to acquire in-field tests) for an end to end simulation relevant to a specific operational environment.
As indicated in
Looking to
In safety relevant applications, robustness and resilience of the GNSS against intentional interferences are important attributes for trusting the PVT of the on board unit and the wayside reference stations. Whereas jammers are used for denial-of-service attacks, spoofers and meaconers pose an even bigger threat, since they can intentionally lead a GNSS receiver to estimate a fake position and/or time without recognizing it. In the case of trains, spoofing and meaconing are made easier to counteract because the receiver trajectory is well known in advance. Since no commercial anti-spoofing and anti-meaconing solutions have been validated yet for the railway context, a specific project has been launched to design, develop and prototype a software digital beamforming platform coupled with advanced GNSS signal processing techniques [
1) The anti-jamming pre-processing module, based on a spatial filter that projects the received signals from the individual array elements into an incoherent interference-free subspace. The anti-jamming pre-processing is based on the consideration that, usually, the jammer is much stronger than the received GNSS signal. Thus, a viable solution to suppress the jammer without exploiting the knowledge of the jammer’s and satellite SISs’ DoAs is to minimize the energy of the signal at the output of the anti-jamming pre-processor. In essence, projection of the received signal into the interference-free subspace can be realised by decomposing the received waveforms into orthogonal components by means of the Singular Value Decomposition (SVD) of their correlation matrix, and then retaining only those terms belonging to small (i.e. low energy) eigenvalues.
2) The temporal despreading module, which performs the temporal despreading of the signals at the output of each tracked signal for each array element and for each visible satellite. It consists of two sub-modules respectively implementing:
• the acquisition of the signals potentially transmitted by each visible satellite, determining for each of them the carrier frequency of the received signal, that differs from the nominal value at least by the Doppler shift, and the Code Phase that indicates the time instant where the C/A code begins in the current block;
• the tracking of the signal transmitted by each visible satellite.
In essence, for each element of the array, it computes the samples of the (complex) cross-correlation between the In-phase and Quadrature digital samples of the complex envelopes of the signals after Doppler wipe off, and the PRN code of each visible satellite.
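The subspace projection of stage 1), as an added example that is not code from the paper or the project: a single strong jammer on a 4-element array is removed by projecting every snapshot onto the complement of the dominant eigenvector of the sample correlation matrix. Assumptions made here: a uniform linear array with half-wavelength spacing, one jammer 40 dB above the noise, constructed pseudo-random samples, and power iteration in place of a full SVD (sufficient when only one eigenvalue is large).

```python
import cmath
import math
import random

def steering(theta_deg, m=4, spacing=0.5):
    """Steering vector of an m-element uniform linear array (spacing in wavelengths)."""
    phase = 2 * math.pi * spacing * math.sin(math.radians(theta_deg))
    return [cmath.exp(1j * phase * k) for k in range(m)]

def correlation_matrix(snapshots):
    """Sample spatial correlation matrix R = mean over snapshots of x x^H."""
    m = len(snapshots[0])
    r = [[0j] * m for _ in range(m)]
    for x in snapshots:
        for i in range(m):
            for k in range(m):
                r[i][k] += x[i] * x[k].conjugate()
    return [[v / len(snapshots) for v in row] for row in r]

def dominant_eigvec(r, iters=50):
    """Power iteration: unit eigenvector of the largest (jammer) eigenvalue."""
    m = len(r)
    v = [1 + 0j] * m
    for _ in range(iters):
        w = [sum(r[i][k] * v[k] for k in range(m)) for i in range(m)]
        norm = math.sqrt(sum(abs(c) ** 2 for c in w))
        v = [c / norm for c in w]
    return v

def project_out(x, v):
    """Apply P = I - v v^H: keep only the low-energy (interference-free) subspace."""
    coeff = sum(vk.conjugate() * xk for vk, xk in zip(v, x))
    return [xk - coeff * vk for xk, vk in zip(x, v)]

def total_power(snapshots):
    """Mean power per snapshot, summed over the array elements."""
    return sum(abs(c) ** 2 for x in snapshots for c in x) / len(snapshots)

def simulate(jammer_deg=40.0, sat_deg=-20.0, jnr_db=40.0, n=2000, seed=1):
    """Return (jammer suppression in dB, fraction of satellite power kept)."""
    rng = random.Random(seed)  # constructed, reproducible samples

    def unit_noise():
        return complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2)

    a_jam = steering(jammer_deg)
    amp = 10 ** (jnr_db / 20)
    snaps = []
    for _ in range(n):
        j = amp * unit_noise()                       # jammer waveform sample
        snaps.append([j * a + unit_noise() for a in a_jam])
    v = dominant_eigvec(correlation_matrix(snaps))   # no DoA knowledge used
    cleaned = [project_out(x, v) for x in snaps]
    suppression_db = 10 * math.log10(total_power(snaps) / total_power(cleaned))
    a_sat = steering(sat_deg)
    kept = sum(abs(c) ** 2 for c in project_out(a_sat, v)) / len(a_sat)
    return suppression_db, kept

if __name__ == "__main__":
    print(simulate())
```

The projection costs one spatial degree of freedom, so a satellite arriving close to the jammer direction loses most of its power as well.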
3) The third stage, addressed in the following as the DSP stage, performs Joint SIS Detection and Estimation of relevant information like time of arrival, carrier phase and DoA, by means of an iterative procedure that exploits the spatial correlation among SISs.
For each visible satellite, this module individually estimates the directions of arrival of the signals potentially belonging to it including, in addition to the direct line-of-sight component, multipath replicas and spoofed signals, starting from the complex samples of the cross-correlation between the array signals and the PRN codes.
Since spoofing and meaconing signals overpower true GNSS signals, in the DSP stage, for each satellite this module first analyses the output of the corresponding temporal despreading in order to determine the dominant DoAs. For each satellite, the detected signals are ranked with respect to their strength. Dominant DoAs are then tested in order to determine if either the relative angular separation between satellites is in agreement with the a priori information on train location and attitude (as provided by the odometer) or a significant number of satellite signals, nominally spread in space, appears to be transmitted from the same direction. To this aim, the heading of the antenna is estimated first by (angularly) cross-correlating the DoAs of the detected SISs with the DoA pattern corresponding to the predicted train location provided by the odometry.
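The two DoA plausibility tests just described, as an added example that is not the authors' implementation: the heading is estimated by angular cross-correlation against the expected azimuth pattern, each satellite is checked against it, and a group of nominally spread satellites arriving from one direction is reported. Assumptions: azimuth only (elevation ignored), one dominant DoA per satellite, and constructed PRNs, angles, tolerances and thresholds.

```python
# Constructed sample data: expected azimuths (degrees from north) at the train
# location predicted by odometry, and the train heading given by odometry.
EXPECTED_AZ = {"G02": 15, "G05": 70, "G07": 130, "G13": 175,
               "G15": 220, "G20": 265, "G24": 310, "G30": 350}
ODO_HEADING = 40.0
DOA_NOISE = {"G02": 1, "G05": -1, "G07": 2, "G13": 0,
             "G15": 1, "G20": -1, "G24": 0, "G30": -1}
# Dominant DoA per satellite in the antenna frame (degrees from the train axis).
CLEAN = {p: (az - ODO_HEADING + DOA_NOISE[p]) % 360 for p, az in EXPECTED_AZ.items()}
# Same epoch with four satellites dominated by one emitter near 200 degrees.
SPOOFED = dict(CLEAN, G13=200.0, G15=201.0, G20=199.0, G24=200.0)

def ang_diff(a, b):
    """Signed difference a - b in degrees, wrapped to [-180, 180)."""
    return (a - b + 180.0) % 360.0 - 180.0

def estimate_heading(expected_az, measured, tol=10.0):
    """Heading (1 degree grid) that best aligns measured DoAs with the expected
    pattern; a triangular kernel keeps far-off DoAs from voting."""
    def score(h):
        return sum(max(0.0, 1.0 - abs(ang_diff(expected_az[p] - h, d)) / tol)
                   for p, d in measured.items())
    return max(range(360), key=score)

def common_source(expected_az, measured, window=3.0, min_spread=30.0, min_sats=3):
    """Largest group of satellites seen within `window` degrees of each other
    although their expected azimuths differ by at least `min_spread` degrees."""
    best = []
    for anchor in measured.values():
        grp = sorted(p for p, d in measured.items()
                     if abs(ang_diff(d, anchor)) <= window)
        spread = max(abs(ang_diff(expected_az[a], expected_az[b]))
                     for a in grp for b in grp)
        if len(grp) >= min_sats and spread >= min_spread and len(grp) > len(best):
            best = grp
    return best

def check_doas(expected_az, measured, odo_heading, tol=10.0):
    """Run both tests and return a verdict for the epoch."""
    heading = estimate_heading(expected_az, measured, tol)
    heading_ok = abs(ang_diff(heading, odo_heading)) <= tol
    suspects = sorted(p for p, d in measured.items()
                      if abs(ang_diff(expected_az[p] - heading, d)) > tol)
    cluster = common_source(expected_az, measured)
    return {"heading": heading, "heading_ok": heading_ok, "suspects": suspects,
            "common_source": cluster,
            "alarm": bool(suspects or cluster) or not heading_ok}

if __name__ == "__main__":
    print(check_doas(EXPECTED_AZ, CLEAN, ODO_HEADING))
    print(check_doas(EXPECTED_AZ, SPOOFED, ODO_HEADING))
```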
Then, in case of detection of a spoofing or a meaconing attack, the spoofing signals are spatially removed from the received signal by means of a spatial-temporal filter, with a procedure that makes joint use of CoM (Center of Mass) and TE (Total Energy) detectors:
• CoM detector is designed to detect ACF deformations and non-synchronized spoofing attacks, i.e. attacks showing poor spoofer capabilities to estimate and replay a signal temporally aligned with the authentic one;
• TE detector is designed to monitor the energy of the ACF, and is very sensitive to both aligned and not aligned attacks, although it is especially suited for aligned attacks.
These two detectors are somewhat complementary and they can be used to exclude a spoofed channel from the PVT calculation.
4) The last stage, denoted in the following as Navigation stage, performs the PVT (Position Velocity and Time) estimate, accounting for the track constraint.
At this stage, the spoofing detection and exclusion technique that uses observables is the RANSAC algorithm. That algorithm shows very smooth degradation of performance with respect to the number of spoofed satellites. This is due to the process of clustering based on “consensus”. Furthermore, it identifies outliers and allows excluding them, providing a baseline mitigation strategy. In the literature, it is well known that a powerful solution to provide protection against interferences is based on phased array antennas [
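Consensus-based exclusion on pseudoranges under the track constraint, as an added example that is not the authors' code. Assumptions: a straight east-pointing track, so the unknowns reduce to the abscissa s and the clock bias b; constructed satellite geometry, noise and spoofed set; and every two-satellite sample enumerated instead of drawn at random, so the run is reproducible.

```python
import math
from itertools import combinations

# Constructed scenario: (azimuth, elevation) in degrees, noise in metres.
GEOMETRY = {"G02": (15, 40), "G05": (70, 25), "G07": (130, 60), "G13": (175, 35),
            "G15": (220, 50), "G20": (265, 20), "G24": (310, 45), "G30": (350, 70)}
NOISE = {"G02": 0.4, "G07": 0.2, "G13": -0.5, "G24": -0.2, "G30": 0.5}
SPOOFED = ("G05", "G15", "G20")                # replayed for a fake position
TRUE_S, FAKE_S, CLOCK = 1200.0, 1700.0, 30.0   # metres

def sat_pos(az_deg, el_deg, dist=2.0e7):
    """Satellite position in a local east-north-up frame."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (dist * math.cos(el) * math.sin(az),
            dist * math.cos(el) * math.cos(az), dist * math.sin(el))

def predicted(sat, s, b):
    """Pseudorange for a receiver at (s, 0, 0) on the track, clock bias b."""
    return math.dist(sat, (s, 0.0, 0.0)) + b

def solve(obs, sats, iters=5):
    """Gauss-Newton least squares for (s, b); None if the geometry is degenerate."""
    s = b = 0.0
    for _ in range(iters):
        n11 = n12 = n22 = g1 = g2 = 0.0
        for prn, rho in obs.items():
            rng = math.dist(sats[prn], (s, 0.0, 0.0))
            ds = -(sats[prn][0] - s) / rng     # d(rho)/ds, while d(rho)/db = 1
            res = rho - (rng + b)
            n11 += ds * ds
            n12 += ds
            n22 += 1.0
            g1 += ds * res
            g2 += res
        det = n11 * n22 - n12 * n12
        if abs(det) < 1e-9:
            return None
        s += (n22 * g1 - n12 * g2) / det
        b += (n11 * g2 - n12 * g1) / det
    return s, b

def ransac(obs, sats, threshold=5.0):
    """Fit every 2-satellite sample, keep the largest consensus set (residual
    within `threshold` metres), refit on it and report the excluded PRNs."""
    best = []
    for pair in combinations(sorted(obs), 2):
        fit = solve({p: obs[p] for p in pair}, sats)
        if fit is None:
            continue
        inliers = [p for p in sorted(obs)
                   if abs(obs[p] - predicted(sats[p], *fit)) <= threshold]
        if len(inliers) > len(best):
            best = inliers
    s, b = solve({p: obs[p] for p in best}, sats)
    return s, b, sorted(set(obs) - set(best))

def scenario():
    """Build the constructed epoch: five authentic and three spoofed pseudoranges."""
    sats = {p: sat_pos(*g) for p, g in GEOMETRY.items()}
    obs = {p: predicted(sats[p], FAKE_S, CLOCK) if p in SPOOFED
           else predicted(sats[p], TRUE_S, CLOCK) + NOISE[p] for p in sats}
    return sats, obs

if __name__ == "__main__":
    sats, obs = scenario()
    print("all satellites:", solve(obs, sats))
    print("consensus only:", ransac(obs, sats))
```

The three spoofed satellites agree with each other, but their consensus set is smaller than the authentic one, which is why the exclusion holds while spoofed channels remain a minority.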
For each possible elevation angle of the interfering signal, the width of the angular windows for which the array gain on the ϕ = 0˚ plane is higher than a fixed threshold has been evaluated. As can be appreciated, also in this case the 4-element antenna arrays generally show a bigger gain width compared with the respective 7-element configuration.
The null-steering capabilities of the arrays are summarized in
However, the 4-element array with inter-element separation equal to 0.7λ exhibits good null-steering performances, being able to place a gain null lower than −5 dBi for elevation angles bigger than 20˚.
Looking forwards, the mitigation of local effects caused by the interaction of GNSS signals with the environment is a priority for land mobile applications. Cars and trains are the most important users, and since they operate in the same environment the solutions can be common to both. The rail applications have succeeded in getting a grip on analysing these local effects [
The ERTMS system, with its common safety methods introduced in the European railway safety directives, has demonstrated compliance with the highest safety levels ever achieved for land transport means. The evolution of the ERTMS towards adopting the GNSS for train positioning, without impacting the safety levels, is paving the way towards fully automated trains. While autonomous driving cars are developing new technologies mainly based on data fusion of vision-based sensors, GNSS positioning has an important role to play in combination with those sensors to reach the high integrity levels of the rail applications. On the other hand, the multi-billion dollar investments injected by car manufacturers for the driverless car are driving research at the frontier, triggering performance and cost objectives that will also be beneficial for the rail industry, which it otherwise could not achieve due to its limited market compared to the automotive one.
However, significant challenges remain to validate new algorithms and the complex interaction of GNSS signals with the environment. For these reasons particular emphasis has been dedicated to developing simulation tools and risk mitigation techniques for trusting the GNSS performance in the rail operational environment. These tools can be extended to the automotive operational scenarios, since the signal environment resembles the rail environment for multipath and interferences, which are the main threats for the GNSS. A multimodal augmentation network serving the rail and road infrastructures has been evaluated to exploit economy of scale. In fact, road and rail networks are generally not far from each other, as in the case of Italy, where 10,000 km of rails and roads are distant less than 1 km.
By applying the principle of the ERTMS to connected cars it is possible to create geo-fenced corridors where vehicles are driven as “trains” on the roads. To this aim important results are expected on the test beds under deployment in Italy.
Authors are grateful to GSA (European GNSS Agency), ESA (European Space Agency) and ASI (Italian Space Agency) for their contribution. A special recognition is paid to RFI (Italian Railways Infrastructure Manager) for its effort in promoting the adoption of GNSS in the ERTMS system. The research described in this paper was supported by Lazio INNOVA of Lazio Region under contract VIRGILIO (Virtual Instruments for GNSS Augmentation and Localization), LR 13/2008.
Rispoli, F., Neri, A., Stallo, C., Salvatori, P. and Santucci, F. (2018) Synergies for Trains and Cars Automation in the Era of Virtual Networking. Journal of Transportation Technologies, 8, 175-193. https://doi.org/10.4236/jtts.2018.83010