Critical Embedded System For Railways Transport

Summary: The presentation discusses critical embedded systems used in rail transport, specifically the signaling systems that ensure the safety and efficiency of train operations. Signaling systems are complex sets of embedded systems that control train routes, priorities, speeds and schedules to move trains safely through stations and along tracks. These systems are safety-critical and require rigorous verification and validation (V&V) to prevent accidents; formal methods may help alleviate V&V activities. The presentation also covers the challenges of modernizing rail systems and the trend towards more automated train control using embedded technologies.


Critical Embedded Systems for Rail Transport


28/08/13
P.Poisson
Alstom Transport
Bio

Pascal Poisson
• Head of the R&D programme in the Transport - Signalling division, Paris
• Coordinator of the IRT SystemX programme for Alstom Transport
• Career:
− Alstom Transport -> rail
− Océ -> computer graphics
− Schlumberger -> information systems
− Statec -> industrial automation
• Skills:
− Industrial computing
• Programme definition
• R&D activity management
• Process engineering and tools
• System architecture
• Information systems
• Industrial automation
Embedded systems in Railway domain

Objectives of this presentation:
- Create awareness about the reality and the future of embedded systems in the rail domain,
- Show how engineering efforts can be contained.
Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends
May 2010
Alstom: Four main activities

92,600 employees in 100 countries

• Thermal Power sector: equipment & services for power generation
• Renewable Power sector: equipment & services for power generation
• Grid sector: equipment & services for power transmission
• Transport sector: equipment & services for rail transport

Journée SysML – 13 Novembre 2012 –4–


Alstom Transport, the only railway multi-specialist

24,700 employees in more than 60 countries

• The only manufacturer in the world to master all businesses of the rail sector
• The most complete range of systems, equipment and services: Rolling Stock / Infrastructures / Signalling / Services / Turnkey transport systems
• N°1 in high and very high speed
• N°2 in urban transport (tramways, metros)
• N°2 in signalling
• N°2 in maintenance


Rail: worldwide market size

Rail Control market: €12,000 M, 8% of the railway market, growth 3.0%
Embedded systems in Railway domain

Agenda:
A few words about Rail domain
Signaling: a large set of complex embedded systems
Rail systems are safety critical
Using Formal methods: A way to alleviate V&V activities
Challenges of today and trends

Innovation opportunities in Rail applications

Main Lines (national and international traffic, rail roads):
• Standards first

Urban / Mass Transit (metro, tramways):
• Mostly autonomous systems
• Performance first
• Open door to breakthroughs
On-board real-time systems

• Traction / braking control
• Various servo-control systems
• Failure detection and maintenance systems
• Assisted or automatic driving
• Safety management
• Traffic management
On board Signaling Systems

[Diagram: on-board signalling architecture. Labelled elements: MODEM, INTERNET ACCESS, TICKETING, CCTV, MMI, ONBOARD CONTROL MODULE, IO MODULE, ANTENNA, ODOMETER]
August 2008 -11


Signaling systems of a train station

[Diagram: topology of the signalling system. Groups: critical systems; communication systems; passenger services; maintenance systems; operators and supervision systems]
What is Signalling?

Signalling is at the heart of the transport system:
• Ensure safety of people and trains, thanks to route control and train protection management
• Reduce operational costs through traffic and asset management
• Ensure comfort of all users through traffic supervision, passenger information, …
• Improve availability of the transport offer

PPE CBTC - Introduction - PPA Reminder


Reminder: Global operation requirements

Transport passengers / freight efficiently from point A to point B, enforcing:
• The appropriate safety level
• The correct route and speed
• The planned schedules
Whatever the conditions:
• Traffic density
• Perturbations and failures
Aligned with major signalling sub-systems

[Diagram linking operational requirements to signalling sub-systems: Schedules -> Control Center; Routes -> Interlocking; Speed -> Automatic Train Control (block); Priority is also shown among the requirements. Hazards addressed: trains catching each other; nose to nose]


Interlocking and Route concept (Interlocking)
Route concept (Interlocking)

A route is a path from one signal to the next via a set of points. Interlocking shall ensure compatibility between routes.

A route is a compromise:
• Too few points in a long route reduces the potential for other moves while the long route is set
• Too many points: routes are short and many signals are required.
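The compatibility rule stated above (a route may be set only if it does not conflict with a route already set, and train detection must be consulted before a route is set or released) can be written down as a small model. The Python below is an added example, not code from the presentation or from an Alstom product: the route names, sections, point identifiers and the two conflict rules it checks (a shared track section, or the same point required in opposite positions) are constructed for the illustration, and real interlocking principles add further conditions (flank protection, overlaps, approach locking) that are not modelled here.

```python
class Route:
    """A route: a path from one signal to the next via a set of points.
    `points` maps a point id to the position it must be locked in ("N" normal, "R" reverse)."""

    def __init__(self, name, sections, points):
        self.name = name
        self.sections = tuple(sections)   # track sections traversed, as known to train detection
        self.points = dict(points)


def conflicts(a, b):
    """Two routes are incompatible if they use a common track section or require the
    same point in different positions. Simplified rule, constructed for this example;
    real interlocking principles add flank protection, overlaps and approach locking."""
    if set(a.sections) & set(b.sections):
        return True
    return any(a.points[p] != b.points[p] for p in a.points.keys() & b.points.keys())


class Interlocking:
    """Minimal route-setting logic. Every refusal leaves the current, already safe,
    state untouched; points are moved and locked only after all checks pass."""

    def __init__(self, routes):
        self.routes = {r.name: r for r in routes}
        self.set_routes = set()   # names of routes currently set and locked
        self.occupied = set()     # sections reported occupied by train detection
        self.point_locks = {}     # point id -> position it is locked in

    def report_occupancy(self, section, occupied):
        if occupied:
            self.occupied.add(section)
        else:
            self.occupied.discard(section)

    def request_route(self, name):
        """Returns (granted, reason)."""
        route = self.routes[name]
        busy = [s for s in route.sections if s in self.occupied]
        if busy:
            return False, f"sections occupied: {busy}"
        for other in self.set_routes:
            if conflicts(route, self.routes[other]):
                return False, f"incompatible with set route {other}"
        for point, position in route.points.items():   # independent check of the point locks
            if self.point_locks.get(point, position) != position:
                return False, f"point {point} locked in {self.point_locks[point]}"
        self.point_locks.update(route.points)
        self.set_routes.add(name)
        return True, "route set and locked"

    def release_route(self, name):
        """A set route is released only when train detection shows no train on it."""
        route = self.routes[name]
        if name not in self.set_routes or any(s in self.occupied for s in route.sections):
            return False
        self.set_routes.discard(name)
        for point in route.points:
            if not any(point in self.routes[r].points for r in self.set_routes):
                del self.point_locks[point]   # no remaining set route needs this point
        return True


if __name__ == "__main__":
    # Constructed layout: R1 and R2 converge on section S2 over point P1; R3 only shares P1 with R1.
    ixl = Interlocking([Route("R1", ["S1", "S2"], {"P1": "N"}),
                        Route("R2", ["S3", "S2"], {"P1": "R"}),
                        Route("R3", ["S4"], {"P1": "N"})])
    print(ixl.request_route("R1"))   # granted
    print(ixl.request_route("R2"))   # refused: shares S2 and needs P1 reverse
    print(ixl.request_route("R3"))   # granted: P1 already normal, no common section
```

The refusal messages are for the operator; the safety property is that the state only changes on the success path.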
Route element: Train detection (Interlocking)

To ensure that a route can be set or released, the interlocking uses train detection devices to check track occupancy.

Track circuits:
 Track is divided into electrical sections, each with a transmitter and a receiver
 Train axles shunt the rails, preventing the transmitted signal from being detected by the receiver

Axle counters:
 Each track section is defined by 2 or more counting heads with wheel detectors
 An evaluator unit counts/decounts axles entering/leaving the section
 Axle counters deliver the count result to the interlocking
 Track is clear when the result is 0

[Diagram: axle counter installation. Labels: Block limit, Interlocking, Axle counter, Block computer, Junction box, Pair of wheel detectors, Axles]
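The counting rule above (an evaluator counts axles in and out, and the section is clear only when the count is 0) is shown in the following Python model, added here as an example; it is not part of the presentation or of any Alstom product. The detector names, the two counting heads and the plausibility rules (the same detector pulsing twice, or more axles counted out than in, put the section into a "disturbed" state that is treated as occupied) are assumptions made for the illustration.

```python
class CountingHead:
    """One counting head at a section boundary: a pair of wheel detectors. The
    detector named "outer" lies outside the section and "inner" inside it, so the
    order in which the two pulse gives the direction of the passing axle."""

    def __init__(self, name):
        self.name = name
        self.first = None  # detector that pulsed first for the axle currently passing

    def pulse(self, detector):
        """Returns +1 (axle entered the section), -1 (axle left), 0 (second pulse
        still awaited) or None when the pulse pattern is implausible."""
        if detector not in ("outer", "inner"):
            return None
        if self.first is None:
            self.first = detector
            return 0
        if detector == self.first:
            return None  # same detector twice without the other: not a valid axle passage
        entering = self.first == "outer"
        self.first = None
        return 1 if entering else -1


class AxleCounterSection:
    """Evaluator unit: counts axles in and out of one track section. The section is
    reported clear only when the count is exactly 0 and nothing implausible was seen;
    any doubt leaves it 'disturbed', which the interlocking treats as occupied."""

    def __init__(self, head_names):
        self.heads = {name: CountingHead(name) for name in head_names}
        self.count = 0
        self.disturbed = False

    def pulse(self, head_name, detector):
        if self.disturbed:
            return  # stay disturbed until an explicit reset
        delta = self.heads[head_name].pulse(detector)
        if delta is None:
            self.disturbed = True
            return
        self.count += delta
        if self.count < 0:
            self.disturbed = True  # more axles counted out than in: the count is not trustworthy

    def is_clear(self):
        return not self.disturbed and self.count == 0

    def reset(self):
        """Restores the clear state. In service this is an operator procedure requiring
        independent confirmation that the section is empty (assumed here, not modelled)."""
        self.count, self.disturbed = 0, False
        for head in self.heads.values():
            head.first = None


def pass_train(section, head_name, axles, entering):
    """Simulates a train of `axles` axles crossing one counting head, in or out."""
    order = ("outer", "inner") if entering else ("inner", "outer")
    for _ in range(axles):
        for detector in order:
            section.pulse(head_name, detector)


if __name__ == "__main__":
    section = AxleCounterSection(["WEST", "EAST"])
    pass_train(section, "WEST", 4, entering=True)    # constructed 4-axle train enters
    print("occupied, count =", section.count, "clear:", section.is_clear())
    pass_train(section, "EAST", 4, entering=False)   # and leaves at the other end
    print("count =", section.count, "clear:", section.is_clear())
```

The fail-safe direction is the point of the model: every ambiguity resolves to "not clear", and only an explicit reset, not further counting, takes the section out of the disturbed state.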


ATC and Block concept (Automatic Train Control)
From tokens to blocks (Automatic Train Control)

Basic: when a train leaves the station, the entire interstation is locked for it.

First enhancement: allow a second train but keep a distance.

Second enhancement: put as many trains as possible.

• Hypotheses for sizing the blocks:
 • The safe distance between two trains should be at least equal to the braking distance
 • The preceding train is supposed to be stopped
 • The distance is calculated for the worst-case braking
From signal blocks with ATP to ATC block (Automatic Train Control)

Third enhancement: provide protection (ATP) using speed codes (e.g. 60 km/h, 30 km/h, 0 km/h).

In this case the speed limit is sent from track to train (usually through the track):
• The speed limit is computed automatically according to the occupation of the preceding blocks
• The on-board equipment receives the speed limit and controls the train accordingly if needed
• The size of the blocks still has to be defined according to the braking distance
• Train location is still done by the trackside

Fourth enhancement: provide protection (ATP) using the « Distance To Go » concept.

In this case the train targets a stopping point that it will not cross:
• The train receives information regarding the constraints ahead (signals, blocks, …)
• The train locates itself on the track (using beacons, odometer, …)
• The on-board computer computes a braking curve so as not to go past the closest constraint
Block operation: determines line capacity (Automatic Train Control)

[Diagram: succession of blocks with track circuits, direction of traffic, red signal behind the occupied block, headway in minutes]

• Headway: blocks determine the "headway" or line throughput of trains
• Each block can detect trains with its own track circuit or axle counters
• Only 1 train in each block
• Red signals mean "Stop"; a yellow light is a warning (depends on IXL principles)


From Fixed Block to Moving Block (Automatic Train Control)

[Diagram: three supervision schemes drawn over the same track circuits, each with a stopping point and a braking curve]
• Speed code: stepped speed profile (code 40, then 0) and speed-code braking curve; the train is held to the code of each track circuit
• Distance to go: distance-to-go braking curve up to the stopping point, authorised speed follows the curve; gain over speed codes
• CBTC moving block: moving-block braking curve with automatic protection, stopping point at the end of authority; additional gain
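The sizing hypotheses from the block slides (safe distance at least the worst-case braking distance, preceding train assumed stopped) and the distance-to-go braking curve can be made concrete in a few lines. The Python below is an added example, not from the presentation or from an Alstom product: the deceleration, reaction time, code set and block length are constructed values, and the speed-code staircase is a simplification that derives a block's code from the permitted speed at its far end (the block's most restrictive point). Comparing the two at one position shows the "gain" of the finer supervision.

```python
import math


def braking_distance(v, a_min, t_react):
    """Worst-case stopping distance (m) from speed v (m/s): run-out during the
    reaction / brake build-up time t_react (s) plus the kinematic distance with
    the guaranteed minimum deceleration a_min (m/s^2). Deliberately pessimistic."""
    return v * t_react + v * v / (2.0 * a_min)


def minimum_block_length(v_line, a_min, t_react):
    """Fixed-block sizing hypothesis: a block must be at least the braking distance
    at line speed, the preceding train being assumed stopped just beyond it."""
    return braking_distance(v_line, a_min, t_react)


def permitted_speed(distance_to_go, a_min, t_react):
    """Distance-to-go braking curve: the highest speed (m/s) from which the train can
    still stop within distance_to_go (m). Inverts braking_distance by solving
    v*t + v^2/(2a) = d for v >= 0."""
    if distance_to_go <= 0.0:
        return 0.0
    return -a_min * t_react + math.sqrt((a_min * t_react) ** 2 + 2.0 * a_min * distance_to_go)


def speed_code(distance_to_go, block_length, a_min, t_react, codes=(0, 30, 60, 80)):
    """Simplified fixed-block speed code (km/h) for the block containing a train at
    distance_to_go (m) before the stopping point, blocks being block_length (m) long.
    The code must be safe anywhere in the block, so it is taken from the permitted
    speed at the block's far end and rounded down to an available code (assumption)."""
    far_end = (math.ceil(distance_to_go / block_length) - 1) * block_length
    v_kmh = permitted_speed(far_end, a_min, t_react) * 3.6
    return max(c for c in codes if c <= v_kmh)


def supervise(v_actual, distance_to_go, a_min, t_react):
    """On-board protection: intervene when the actual speed (m/s) is above the curve."""
    return "EMERGENCY_BRAKE" if v_actual > permitted_speed(distance_to_go, a_min, t_react) else "OK"


def compare_at(distance_to_go, block_length, a_min, t_react):
    """Permitted speed in km/h at one position under distance-to-go supervision versus
    the speed-code staircase; the difference is the gain of the finer supervision."""
    dtg_kmh = permitted_speed(distance_to_go, a_min, t_react) * 3.6
    return round(dtg_kmh, 1), speed_code(distance_to_go, block_length, a_min, t_react)


if __name__ == "__main__":
    A_MIN, T_REACT = 1.0, 2.0   # constructed worst-case values: 1 m/s^2 and 2 s
    print("braking distance from 72 km/h:", braking_distance(20.0, A_MIN, T_REACT), "m")
    print("minimum block length at 72 km/h:", minimum_block_length(20.0, A_MIN, T_REACT), "m")
    print("150 m to go (DTG km/h, speed code km/h):", compare_at(150.0, 100.0, A_MIN, T_REACT))
    print("supervision at 150 m to go, 60 km/h:", supervise(60 / 3.6, 150.0, A_MIN, T_REACT))
```

With these values a train 150 m from its stopping point may still run at about 55 km/h under distance-to-go supervision, while the staircase holds it to the 30 km/h code of its block; the curve is what lets the train approach the constraint closer at speed.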
Basic traffic control and schedule (Control Center)
Schedule concept in railways (Control Center)

• Traffic control is needed to optimize the use of the track by trains
• Traffic control runs a train only when its route can be set, to avoid unexpected delays and traffic jams.
• In metros, trains can run following a timetable, or respecting a headway
• In case of perturbation, the control room operator must have the possibility to modify the traffic


Time-table versus Headway (Control Center)

• Regulation based on time-table: trains depart at fixed times, e.g. 09:53, 10:28, 12:05, 13:57
• Regulation based on headway: trains are separated by fixed intervals, e.g. 2 min, 2 min, 2 min, 3 min, 3 min


Conclusion – Signaling basic concepts

To fulfil the global needs, the rail industry has developed three major concepts:
• Route (Interlocking): the path assigned to a train to go from A to B. The route ensures the basic protection.
• Block (Automatic Train Control): the concept that permits a safe separation between succeeding trains.
• Schedule (Control Center): the concept that permits train circulation without stopping to wait for an occupied section of the track to be freed.
Embedded systems in Railway domain

• Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends

Reference Standard: CENELEC

• The EN 50126 standard covers the specification and demonstration of safety for all railway applications, at all levels:
− from complete railway routes
− to major systems
− to individual and combined sub-systems
− to components within these major systems, including those containing software and hardware.
• The standard also addresses Reliability, Availability and Maintainability (RAM) when they contribute to Safety.
• EN 50126 is the entry point and parent standard for the other European standards of the railway domain:
− EN 50128: Software, recent update 2011, most constraining
− EN 50129: Electronics
Safety level is specified

• The safety of a system = the property that the rate of failures with potentially dangerous consequences is low enough to globally reduce the risk (i.e. the probability of injuries, fatalities, damages) to a specified acceptable value.

SIL definition (Safety Integrity Level)

For continuous operation (Probability of Failure per Hour):

SIL | PFH | PFH (power of ten) | RRF
1 | 0.00001 - 0.000001 | 10^-5 - 10^-6 | 100,000 - 1,000,000
2 | 0.000001 - 0.0000001 | 10^-6 - 10^-7 | 1,000,000 - 10,000,000
3 | 0.0000001 - 0.00000001 | 10^-7 - 10^-8 | 10,000,000 - 100,000,000
4 | 0.00000001 - 0.000000001 | 10^-8 - 10^-9 | 100,000,000 - 1,000,000,000

RRF: Risk Reduction Factor
Development Cycle ruled by safety cycle

[Diagram: safety lifecycle activities; labels recovered from the figure]
• Consider safety implications of project and data: review safety policy & safety targets; establish safety plan; define tolerability of risk criteria
• Perform preliminary hazard analysis
• Perform system hazard & safety risk analysis: set up hazard log; perform risk assessment
• Specify system safety requirements: define safety acceptance criteria; define safety-related functional requirements; establish safety management
• Implement safety plan by review, analysis, testing and assessment, addressing: hazard log; hazard analysis & risk assessment; justify safety-related design decisions
• Establish commissioning programme: implement commissioning programme; prepare application-specific safety case
From Generic product to customer case



Context: Railway signalling system development
Safety critical development process: "Traditional V-Cycle"

[Diagram: V-cycle. Descending branch: User need -> System specification -> Architecture -> Design -> Implementation. Ascending branch: Verification -> Validation -> Commissioning]
Context: Railway signalling system development
Safety critical development process: "Safety Activities"

[Diagram: safety activities mapped onto the V-cycle. Descending branch: Preliminary Hazard Analysis (PHA) -> System Hazard Analysis (SHA) -> Subsystem Hazard Analysis -> Hw / Sw Hazard Analysis. Ascending branch: Verification report -> Validation report -> Certification. Safety review across the cycle]
Assisted safety analysis integrated to the design cycle

Model-based approach, in three steps linked by traceability:
1. From document-based SE to model-based SE (SysML)
2. Build a DSL for safety activities (PHA – FMEA)
3. Safety early validation with formal modelling (Altarica)

System Design with SysML


Specification with SysML

Three viewpoints:
• Operational
• Functional: activities hierarchy
• Constructional: blocks hierarchy
Allocation (between the functional and constructional hierarchies)

[Diagram: constructional hierarchy. CBTC -> ATS, IXL, ZC, CC; CC -> CC Vital, CC NonVital; each -> Hw, Sw]

Iterative process over the constructional hierarchy


Illustration of System Eng. Concepts in SysML

SysML representation of SE concepts:
• Operational viewpoint
− Environment of the system
− Context of use
• Functional viewpoint (Function = Activity)
− FBS
− Functions behaviour


Safety Process & Safety DSL


Hazards Analysis on SysML System Specification

[Diagram: hierarchy of hazard analyses. Top: PHA (accident cases). Next level: ATS – SHA, IXL – SHA, ZC – SHA, CC – SHA (FMEA: effects of function failures). Below CC: CC NV – SHA, CC V – SHA (FMEA). Bottom: SwEEA and FMEA Hw. Consequences are read upwards, causes downwards]


Hazard analysis with the DSL



PHA – SHA modelling concepts

PHA: identify accident scenarios. SHA: exhaustive analysis of all function failures.

[Diagram: HAZARD -> BARRIER reducing the accident occurrence -> ACCIDENT -> BARRIER reducing the accident severity -> consequences of the ACCIDENT. Barriers are safety requirements, products, functions or operating rules. Context attributes: phase, operational mode, zone, conditions]

DSL for PHA & SHA interoperable with SysML


Traceability between SysML and Safety DSL


Traceability inside Safety model: Failure decomposition

Failures of low-level functions develop into system accidents:
• System level: accident
• Subsystem level: subsystem failure
• Low-level function: Sw failure

Failures at level i+1 are causes of failures at level i


Propagation of errors

Errors are propagated through dataflow links. An erroneous value as input can be the cause of a failure.


Formal semantic for safety DSL: automatic translation
Formal semantic for Safety DSL

Why?
− To generate the fault trees,
− To compute the sequences,
− To perform early validation of the system safety;
What?
− Guarded Transition System: Altarica (Thesis – Point, G. 2000)
How?
− Control flow (event, guard): to model the occurrences of failures,
− Data flow: to study error propagation;


Altarica overview

Textual syntax to describe GTS (Guarded Transition Systems):
• Hierarchy of Nodes
• Node
• Sub-Nodes
• Data Flow connectors (in/out)
• Events
• States
• Transitions
• Assertions
http://altarica.labri.fr
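To make the guarded-transition-system ideas above concrete (nodes with states, events fired under guards, assertions computing output flows from inputs and state, errors propagating along dataflow links as in the "Propagation of errors" slide, and the fault-tree and sequence generation named as the purpose of the formal semantics), here is a small model written in Python. It is an added example, not Altarica syntax and not Alstom's model: the two speed sensors, the two-out-of-two voter, the failure modes and the "degraded voter forwards channel 1" behaviour are constructed assumptions. It explores event sequences up to a given length and extracts the minimal failure combinations that lead to an unsafe output, which is what a cut-set computation on the generated fault tree delivers.

```python
# Guarded transition system in the spirit of Altarica: each node has a state, events
# with a guard on that state, and assertions computing output flows from inputs and state.
NODES = {
    # node: (initial state, {event: (guard state, target state)})  -- constructed model
    "S1": ("ok", {"S1.loss": ("ok", "lost"), "S1.drift": ("ok", "erroneous")}),
    "S2": ("ok", {"S2.loss": ("ok", "lost"), "S2.drift": ("ok", "erroneous")}),
    "VOTER": ("ok", {"VOTER.fail": ("ok", "bypass")}),
}
INITIAL = {name: initial for name, (initial, _) in NODES.items()}
ALL_EVENTS = sorted(e for _, events in NODES.values() for e in events)


def fire(states, event):
    """Fire `event` if its guard holds; returns the new state vector, else None."""
    owner = event.split(".")[0]
    guard, target = NODES[owner][1][event]
    if states[owner] != guard:
        return None
    new_states = dict(states)
    new_states[owner] = target
    return new_states


def sensor_flow(state):
    """Assertion of a sensor node: its output flow depends on its state only."""
    return {"ok": "ok", "lost": "absent", "erroneous": "wrong"}[state]


def flows(states):
    """Assertions of the whole model: dataflow links carry the sensor errors into the
    voter. Voter behaviour is a constructed assumption: 2oo2 comparison when healthy,
    and a degraded mode that forwards channel 1 unchecked once the voter has failed."""
    f1, f2 = sensor_flow(states["S1"]), sensor_flow(states["S2"])
    if states["VOTER"] == "bypass":
        out = f1
    elif f1 == "ok" and f2 == "ok":
        out = "ok"
    elif f1 == "wrong" and f2 == "wrong":
        out = "wrong"          # both channels agree on an erroneous value: undetected
    else:
        out = "safe_stop"      # disagreement or missing data is detected: restrictive output
    return {"S1.out": f1, "S2.out": f2, "VOTER.out": out}


def is_accident(states):
    """System-level failure: an undetected erroneous speed delivered to train control."""
    return flows(states)["VOTER.out"] == "wrong"


def failure_sequences(max_len):
    """Enumerate event sequences (each event fired at most once) of length <= max_len
    that end in the accident; exploration stops as soon as the accident is reached."""
    found = []

    def explore(states, sequence):
        if is_accident(states):
            found.append(tuple(sequence))
            return
        if len(sequence) == max_len:
            return
        for event in ALL_EVENTS:
            if event in sequence:
                continue
            nxt = fire(states, event)
            if nxt is not None:
                explore(nxt, sequence + [event])

    explore(INITIAL, [])
    return found


def minimal_cut_sets(max_len):
    """Sets of failures that lead to the accident and contain no smaller such set:
    the fault-tree view of the sequences, returned as sorted lists for readability."""
    cut_sets = {frozenset(seq) for seq in failure_sequences(max_len)}
    return sorted(sorted(s) for s in cut_sets if not any(other < s for other in cut_sets))


if __name__ == "__main__":
    print("single failures leading to the accident:", failure_sequences(1))
    print("minimal cut sets up to order 3:", minimal_cut_sets(3))
```

The result is what the safety engineer wants from the model: no single failure produces an undetected wrong value, and the two double failures that do (common-mode sensor drift, and a sensor drift combined with the voter's degraded mode) name exactly the barriers whose integrity must be argued in the safety case.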


Translation - Overview



Embedded systems in Railway domain

• Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends

Cenelec: expected production and evidences

33 artefacts
to produce!

Formal Methods

• Demonstrate mathematically that what is produced is equivalent to the intent and is totally deterministic.
• Various techniques are used, e.g. symbolic analysis: conversion of an expected behaviour into automata where the paths from root to leaves can be analysed, thus demonstrating inconsistencies or under-specifications.
• In this session the B language is briefly introduced.


Symbolic analysis: functional overview
Concretely – Steps 1 to 4

• Step 1: Specify the system architecture using composite structures; specify interactions between components using sequence diagrams (combining operators, data constraints, timed constraints)
• Step 2: Translate into a formal representation (Timed Input Output Symbolic Transition System) – seamless integration
• Step 3: Symbolic execution and projection: a non-empty trace ensures a feasible interface
• Step 4: Generate test input sequences for a given component from unitary behaviour

MBAT – 54 –
Test execution algorithm (process)

[Diagram: testbed (industrial environment) hosting the component under test C2; the Diversity tool sends a timed input sequence and receives the timed output sequence (<0.5 ms); merge() builds the timed input-output sequence; verdict computation() yields Pass, WeakPass, Inconc or Fail]

1. Submit to the SUT (System Under Test) a sequence of inputs and waiting delays
2. Test execution on the SUT produces an output sequence and delays
3. The output sequence is merged with the input sequence to form input-output traces
4. The resulting traces are analysed in order to provide verdicts
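Steps 3 and 4 above can be implemented directly. The Python below is an added example, not the Diversity tool or MBAT project code: it merges a constructed timed input sequence and a constructed timed output sequence into one trace and computes a verdict against a small specification. The verdict rules are a simplification assumed here (Pass: every stimulus answered by the expected output within its deadline; Inconc: an output the model tolerates but the test did not target; WeakPass: no violation observed but the trace ended before the last response; Fail: wrong, late or unsolicited output), and the real tool's definitions may differ.

```python
PASS, WEAK_PASS, INCONC, FAIL = "Pass", "WeakPass", "Inconc", "Fail"


def merge(timed_inputs, timed_outputs):
    """Step 3: merge the stimulus sequence and the observed output sequence into one
    timed input-output trace. Both lists hold (delay_ms, label) pairs, each delay
    relative to the previous event of the same sequence. The trace holds
    (time_ms, kind, label) with kind '?' for an input and '!' for an output."""
    trace = []
    for kind, sequence in (("?", timed_inputs), ("!", timed_outputs)):
        t = 0
        for delay, label in sequence:
            t += delay
            trace.append((t, kind, label))
    # Sort by time; at equal timestamps the stimulus precedes the response it triggers.
    trace.sort(key=lambda e: (e[0], 0 if e[1] == "?" else 1))
    return trace


def verdict(trace, spec):
    """Step 4: check the merged trace against spec, which maps each stimulus label to
    (expected_output, deadline_ms, tolerated_outputs). Verdict rules are the
    simplification described in the lead-in, not the tool's own definitions."""
    awaiting = None          # (t_stimulus, expected, deadline, tolerated) not yet answered
    saw_tolerated = False
    for time, kind, label in trace:
        if kind == "?":
            if awaiting is not None:
                return FAIL  # the previous stimulus was never answered
            if label not in spec:
                return INCONC  # stimulus outside the modelled behaviour
            expected, deadline, tolerated = spec[label]
            awaiting = (time, expected, deadline, tolerated)
        else:
            if awaiting is None:
                return FAIL  # unsolicited output
            t_stimulus, expected, deadline, tolerated = awaiting
            awaiting = None
            if time - t_stimulus > deadline:
                return FAIL  # right or wrong, the answer came too late
            if label == expected:
                continue
            if label in tolerated:
                saw_tolerated = True
                continue
            return FAIL  # output not allowed by the model
    if awaiting is not None:
        return WEAK_PASS  # no violation, but the trace ended before the last response
    return INCONC if saw_tolerated else PASS


# Constructed specification: the component must acknowledge each speed code within 500 ms.
SPEC = {
    "SPEED_CODE(30)": ("ACK(30)", 500, ("ACK_PENDING",)),
    "SPEED_CODE(0)": ("ACK(0)", 500, ()),
}
INPUTS = [(0, "SPEED_CODE(30)"), (1000, "SPEED_CODE(0)")]   # step 1: stimuli and waiting delays
OUTPUTS_PASS = [(120, "ACK(30)"), (1010, "ACK(0)")]         # step 2: constructed observations
OUTPUTS_LATE = [(120, "ACK(30)"), (1500, "ACK(0)")]         # second answer 620 ms after its stimulus
OUTPUTS_WRONG = [(120, "ACK(60)"), (1010, "ACK(0)")]
OUTPUTS_PENDING = [(120, "ACK_PENDING"), (1010, "ACK(0)")]
OUTPUTS_TRUNCATED = [(120, "ACK(30)")]                      # test stopped before the 2nd answer


def run_campaign():
    """Returns the verdict of each constructed scenario, keyed by scenario name."""
    scenarios = {"pass": OUTPUTS_PASS, "late": OUTPUTS_LATE, "wrong": OUTPUTS_WRONG,
                 "pending": OUTPUTS_PENDING, "truncated": OUTPUTS_TRUNCATED}
    return {name: verdict(merge(INPUTS, outs), SPEC) for name, outs in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_campaign().items():
        print(f"{name:10s} -> {result}")
```

Keeping the merge and the verdict separate matters for evidence: the merged trace is the artefact that can be archived and re-evaluated against a revised specification without re-running the test on the SUT.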
Presentation of the B method

Positioning of System B (Event B)

Positioning of Software B

Software B references

Event B references

Basic notions

Software B approach

Proof principle

System B approach

Traditional design cycle

B design cycle: validation by formal proofs

Benefits of the method

Comparison with other languages

Design tools

Teaching B


Embedded systems in Railway domain

• Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends

FSF
Objectives

Two themes:
 Execution platform
  High level of RAMS requirements
  Controlled execution of mixed-criticality applications on multi-core
  Pre-certification
  Pre-industrial demonstrator (TRL 6)

 System/software design
  System architecture framework matching the business domains
  Component-based software design with a generation chain dedicated to deployment on the platform
  Continuous validation and verification
  Mature tools and methodological frameworks (TRL 5 -> 7)
The signalling system is a combination of distributed systems in a system of systems

[Diagram: CBTC made of IXL, Control & Operation and Supervision. Ground: SIL2 execution platform for supervision, with AP product software. On-board: SIL4 execution platform. IXL: SIL4 execution platform with product software. C&O: SIL4 execution platform with ATO product software and ATP control software]

• An execution platform with a safety architecture
• An "on-board control software" product with components of different criticality levels
A new generation of Systems is born: Cooperation of Autonomous Systems

… with the ultimate goal of getting autonomous vehicles moving towards their destination in optimized traffic.

Like cars in traffic, each train can keep a safe distance from the vehicle in front and trace its route to reach the destination in time… safely.
Exciting challenges ahead…

• Rail systems are undergoing a deep transformation.
• Embedded systems will have to carry the intelligence of vehicle mobility with dependability.
• The resulting complexity requires an engineering environment up to the industrial challenges.
• Multimodality and the opening of the market will increase the needs.

• Questions

www.alstom.com