
A Train Integrity Solution based on GNSS Double-Difference Approach

A. Neri¹, F. Rispoli², P. Salvatori¹, and A.M. Vegni¹
¹ RADIOLABS, Rome Italy, {alessandro.neri, pietro.salvatori, annamaria.vegni}
² Ansaldo STS, Genoa Italy,

Alessandro NERI is Full Professor in Telecommunications at the Engineering Department of the ROMA TRE University. In 1977 he received the Doctoral Degree in Electronic Engineering from “Sapienza” University of Rome. In 1978 he joined the Research and Development Department of Contraves Italiana S.p.A. where he gained a specific expertise in the field of radar signal processing and in applied detection and estimation theory, becoming the chief of the advanced systems group. In 1987 he joined the INFOCOM Department of “Sapienza” University of Rome as Associate Professor in Signal and Information Theory. In November 1992 he joined the Electronic Engineering Department of ROMA TRE University as Associate Professor in Electrical Communications, and became full professor in Telecommunications in September 2001. His research activity has mainly been focused on information theory, signal theory, and signal and image processing and their applications to both telecommunications systems and remote sensing. Since December 2008, Prof. Neri is the President of the RadioLabs Consortium, a non-profit Consortium created in 2001 to promote tight cooperation on applied research programs between universities and industries.

Francesco RISPOLI has joined Ansaldo STS in 2011 as responsible for the Satellite and Telecommunication technologies. He is Vice president of Radiolabs and Director of Galileo Services board. Previously, he has been with Telespazio (2005-2011) as Chief of New Initiatives and from 1983 to 2005 with Alenia Spazio (now Thales Alenia Space) where he served various positions as responsible for R&D and Institutional programs, Vice president of Multimedia business unit and General manager of EuroSkyWay. He started his career in 1980 with Contraves Italiana as technical engineer in the antenna department. In 1978 he received the Doctoral Degree in Electronic Engineering from the Polytechnic of Turin and in 1980 a post-graduate Master in Applied Electromagnetism from the University of Roma La Sapienza. He is currently involved in the Pilot project ERSAT (ERTMS over SATELLITE) in Sardinia Region and other related projects such as 3InSat and NGTC. He is also contributing to EGNOS-R (railways) interface with Local Augmentation networks and the certification

Pietro SALVATORI is a PhD student at ROMA TRE University, Rome, Italy. He received the 1st level Laurea Degree in Electronics Engineering and the Laurea magistralis cum laude in Information and Communication Technology Engineering from ROMA TRE University, in October 2010 and May 2013, respectively. From May 2013 to December 2013 he was researcher in RadioLabs consortium focusing on satellite navigation systems, taking part in the 3inSat project co-funded by European Space Agency. His research interests are in the area of satellite navigation and communication systems, mobile communications, virtual networking and security of telecommunications.

Anna Maria VEGNI is Assistant Professor in Telecommunications at the Department of Engineering of ROMA TRE University, Rome, Italy. She received the Ph.D. degree in Biomedical Engineering, Electromagnetics and Telecommunications from ROMA TRE University in 2010, and the Laurea Degree cum laude in Electronics Engineering in 2006. From May to October 2009, she was a visiting scholar in the Multimedia Communication Laboratory, at the Department of Electrical and Computer Engineering, Boston University, Boston, MA. Her research activity is focusing on vehicular networking, indoor and outdoor localization, GNSS, and Visible Light Communications. Since 2011, she is in charge of Telecommunications Networks Laboratory course at ROMA TRE University.

Nowadays, the train integrity function is assured by track circuits deployed along the line. This approach is safe but has several limitations: if any part of a track is occupied, that entire track circuit must be assumed as occupied, and if the track circuits are made shorter to increase the traffic capacity, additional costs are incurred. In the European Rail Track Management System (ERTMS-ETCS) Level 3, trains must be able to localize and to monitor their integrity by themselves without the track circuits. This scenario makes it possible to optimize the capacity of the lines and to further reduce the operational costs by eliminating most of the track circuits. In this paper, we investigate the capability of the Global Navigation Satellite Systems (GNSS) to perform the integrity function in the perspective of the deployment of the ERTMS-ETCS L3 platform. The reference architecture is based on a pair of GNSS train Location Determination Systems (LDS) respectively located at the rear and the front-side of the train and connected to each other by a radio link. A novel train integrity estimation solution that exploits a GNSS Double-Difference approach has been developed for its advantages in mitigating most of the iono, tropo and clock hazards caused by the GNSS signals. The Protection Level and the Hazard Misleading Information rates are derived by taking into account the safety requirements SIL-4 (Safety Integrity Level 4) of the ERTMS-ETCS system. The simulations have been performed by assuming a 2500 m train length; they confirm the validity of the proposed approach and pave the way for a seamless introduction of the GNSS into the ERTMS-ETCS L3 by replacing the fixed track circuits with virtual track circuits of variable size, and without affecting the safety requirements.

Keywords: train integrity, train control, GNSS, satellite based localization.

I. INTRODUCTION

In the last century, the first block signaling systems were introduced to improve railway safety. They were based on the simple concept of partitioning a track into non-overlapping sections, named blocks, and imposing the constraint that the same block cannot be used by two trains at the same time. In practice, before allowing a train to enter a block section, a check that the previous train has already cleared the block section without leaving any vehicles behind has to be successfully performed. Initially, this control was performed by visual inspection of the train at each block section exit, verifying that the last vehicle carried an end of train marker (often a red lamp) [1]. Since then, automatic systems detecting the presence of a train inside a block (train detection systems) have been progressively introduced, using track circuits or axle counters. These technologies provide an automated report when a block section is clear of vehicles.

Several train safety systems are currently in operation around the world. Among them, the European Railway Traffic Management System/European Train Control System (ERTMS/ETCS) is the most advanced and successful even outside the European Countries [2]. Mainly for high-speed lines, the deployment of ERTMS-ETCS is contributing to a global standard in terms of both interoperability among different national systems, and highest safety level achieved.

In ERTMS three functional levels of automated control are foreseen. The first level (L1) uses train integrity and position by track circuits and signaling on the trackside. Those signals, providing the information about train location and where it is allowed to travel safely, also known as movement authorities, are reported inside the locomotive by means of a short-range wireless communication system, making use of balises deployed along the track at regular intervals, as depicted in Figure 1. The balises also provide additional self-localization functionality to the train.

Figure 1. ERTMS-ETCS L1 functional level concept.

As illustrated in Figure 2, ERTMS level 2 (L2) is more advanced, since the signal information is moved from the track to the locomotive, so that the trackside signals are not necessary anymore. The train position and speed are computed on board by the odometer, which relies on the balises deployed along the track, as reference points, to periodically reset the accumulated errors. In particular the balises determine the train absolute position and the odometer estimates the relative distance from the Last Relevant Balise Group (LRBG).

Figure 2. ERTMS-ETCS L2 functional level concept.

Movement authorities are generated trackside by the Radio Block Center (RBC) and transmitted to the train via the dedicated GSM-R network. In ETCS L2, as well as in ETCS L3, communications between train and RBC use the Euroradio secure protocol.

While ETCS L1 and L2 are already operational in Europe and in the World, many infrastructure managers stick to the vision of next ETCS level 3 (L3) as the ultimate solution of an interoperable train control system. Indeed, as illustrated in Figure 3, the train detection system is based on virtual track circuits of variable size (moving block) that replace the track circuits without impacting the safety requirements [3]. As a result, the train reports its location and its actual length (train integrity) to the control center where the required safe distance to the next (preceding and following) trains is continuously updated. Thus, all the train protection system functionalities are moved to the locomotives and to the RBC, then keeping to a minimum the amount of trackside equipment.

Figure 3. ERTMS-ETCS L3 functional concept.

Nevertheless, the need to ensure also the rail integrity to prevent the risk of train derailment still remains. In this respect, in the USA, the Federal Railroad Administration (FRA) is amending the Federal Track Safety Standards to promote research on safety of railroad operations by enhancing rail flaw detection processes [4], focused on the improvement of railroad safety by reducing rail failures, and the associated risks of train derailments. For the time being some track circuits will have to be installed as a broken track detector. The availability of the GNSS system and IP-based wireless communications are expected to play an important role for making the train control system more competitive as shown in Figure 4.

Figure 4. Future evolution of the train control system.

The most challenging innovation of the GNSS consists of the on-board train integrity function that provides the information on the actual train length. For the trains with a pre-assembled configuration, the integrity function can be realized by monitoring the electrical continuity of a cable connecting all the carriages. Instead, for regional and freight trains, which are assembled each time, the integrity function must be provided by ad hoc devices. Several solutions and patents have been proposed even if there is not a consolidated architecture to be certified for the SIL-4 requirements of the ERTMS-ETCS [1]. They can be classified into two classes: (i) those relying on an end of train device (e.g., brake air pipe pressure reduction detector, acoustic waves transmitter, radio transmitter, GNSS localizer), (ii) those needing no train end device (e.g., ultrasonic signals fed into the rail across the wheels of the leading vehicle, detection of spacing and number of wheels by analyzing the reflections provided by the wheels of the subsequent cars, injection of acoustic signals into the brake air pipe on the leading car, and monitoring of parameters on the leading car).

In [5] Scholten et al. present an approach to cargo train integrity, aimed at determining the train composition, by means of a distributed Wireless Sensor Network (WSN). The WSN is comprised of two components, i.e., (i) a communication system that allows determining the train composition, thanks to the sequence of hops needed to send a packet from the Head-of-Train (HoT) node to the End-of-Train (EoT) node, and (ii) a set of acceleration sensors, whose output correlation allows distinguishing carriages of different trains. If the WSN infers from its data that an unexpected change in composition, with a potential hazardous loss of carriages, has occurred, an alarm is raised.

In [6] Oh et al. propose a Train Integrity Monitoring System (TIMS), based on TIMS modules installed in each carriage, interconnected through wired serial links. If a separation occurs, the link is broken, the HoT TIMS module does not succeed in communicating with the TIMS modules on the departed component, and an alarm is raised. This technique can be coupled with the monitoring of the air-pressure in the pneumatic braking system. A sudden loss of pressure generates an impulse that may be caused by the disconnection of the train carriages. One of the drawbacks of the mentioned techniques is that the train control system does not have knowledge of the portion of the track where the train spreads out.

This issue can be overcome when detection of the train head and tail position is performed by means of GNSS receivers. In general, products relying on end of train devices and GPS are today commercially available and are used as part of an onboard signaling system on freight railways running mostly in dark territory, i.e., areas without trackside signaling infrastructure.

Recently, a Positive Train Location system (PTL) has been presented by Leidos in the USA for meeting the requirements of the Positive Train Control (PTC) [8]. This product is based on the data fusion between different sensors including GNSS. Nevertheless, none of the mentioned solutions has demonstrated that it meets the Tolerable Hazard Rate (THR) specified by the CENELEC norms (i.e., THR < $10^{-9}$/1 hour).

Figure 5. Schematic model of the train equipped with two OBU GNSS receivers. The train has a variable number of cargos (not shown in the picture).

The lack of this evidence and the potential opportunity of the GNSS are the main drivers behind our research. In this perspective, the development of the GALILEO system in Europe has also contributed to the study of safety-of-life applications for railways [8], [10]. A synergy between EGNOS-GALILEO and ERTMS-ETCS has been recognized by the railways stakeholders in the Memorandum of Understanding (MoU) signed in 2012 for the ERTMS-ETCS evolution [2].

Until now, the priority has been given to the GNSS localization functionality in order to replace the fixed balises with virtual balises. In this respect, the probability that the magnitude of the position error exceeds the Alert Limit, representing the highest error magnitude still adequate to support train operation, and no timely warning is provided, has to be compatible with the THR (i.e. $10^{-9}$/1 hour) guaranteed by the ERTMS-ETCS system. Although this requirement is quite challenging to be achieved in the rail environment, the ERTMS-ETCS system incorporates mechanisms to mitigate some of the typical hazards due to the GNSS signals [12].

In this paper, we make a step forward with respect to the GNSS localization to focus our contribution on the design of a GNSS based train integrity monitoring system compliant with the SIL-4 requirement. As illustrated in Figure 5, the system employs two GNSS receivers deployed on the head and on the end of the train, connected through a wireless link to a processing unit. To this purpose we introduce the double-difference approach, and we make use of a track database to constrain the trajectory of the train lying on the rail. As a result, it is possible to reduce the 3D positioning problem to a 1D case, with the improvement of train integrity functionality performance, expressed in terms of Misleading Hazard Information Rate. The short baseline between the two receivers implied by the length of the trains in operation (i.e., < 4 km), combined with the double difference approach, makes it possible to compensate most of the iono, tropo and clock hazards due to the GNSS Signals In Space (SIS) that represent a severe threat to exploiting the GNSS technology in meeting the challenging requirements of the ERTMS-ETCS system.

For sake of compactness in the description of the mathematical framework, here only the single constellation version of the algorithms is presented. Nevertheless, extension to multiple constellation systems is straightforward and is part of the current authors' research for exploiting the GNSS capabilities in meeting the challenging railways requirements.

Further analyses to estimate the multipath affecting the train localizers are needed but the mitigation techniques are well known and for this reason they are not reported in this paper. Instead, the availability and continuity requirements of the SIS are more stringent for the train integrity with respect to the virtual balise application and to this aim a multi-sensor multi-constellation architecture offers enough flexibility for the future implementations.

This paper is organized as follows. In Section II, we describe the basic reference architecture for assessment of the train integrity through GNSS technology. Section III illustrates the algorithms employed for estimation of the train length. In Section IV the mathematical model for the computation of the Protection Levels is described. Performances of the proposed algorithms are illustrated in Section V. Finally, conclusions are drawn at the end of the paper.

II. SYSTEM ARCHITECTURE

In the design of the reference architecture for the GNSS based train integrity evaluation, we considered that this function is just one of several train control functionalities that can benefit from GNSS technology. In practice, this functionality is coupled, at least, with the train location determination system [9], and the track detection when the train is moving in a region covered by multiple parallel tracks (as in a railway station) [11]. Thus, the design of the system architecture is driven by the whole set of requirements concerning them.

As in avionics we assume that an augmentation network for integrity monitoring and differential corrections is mandatory to fulfill the SIL-4 requirement. As a matter of fact, track discrimination at the start of mission appears to be the most demanding functionality in terms of location accuracy and to this purpose some Virtual Reference Station (VRS) supporting the use of the RTK or PPP mode on board of the train should be deployed. Since the effectiveness of the method is strictly related to the baseline between the VRS and the train, the SIL-4 and high accuracy navigation modes require a far denser spatial distribution of Reference Stations employed for Wide Area Augmentation networks.

In this respect a functional integration between Wide Area Augmentation systems like WAAS and EGNOS, and local augmentation networks deployed along the railway tracks, may allow a cost effective solution for meeting the SIL-4 requirement.

Thus, the reference architecture comprises a ranging and integrity monitoring network that provides the augmentation data to the train on board units equipped with multi-constellation satellite receivers, through the Radio Block Center interface. We remark that joint use of multiple constellations is a viable approach to fulfill the stringent SIL-4 requirements [12].

As already mentioned, this architecture can be largely extended by interfacing the ranging and integrity monitoring network with a Wide Area Augmentation System.

Figure 6. System Reference Architecture.

Joint processing of local and wide area information can then be used to monitor the healthiness of the local

The system is complemented with a communication network interconnecting the trains with the radio block

As depicted in Figure 6, the system can be subdivided into the following main subsystems:

1. On Board Unit (OBU): consisting of two GNSS receiver chains (i.e., located on the head and on the end of the train respectively) and one processing
2. Augmentation Network: consisting of several Reference Stations (RSs) deployed trackside and one coordinator server denominated TALS (Track Area Location Safety server), which collects and elaborates the data from Reference Stations, and provides augmentation and integrity message to the OBUs.

The Augmentation Network has a star topology with the Server (TALS) that can be used either as forwarding node through the OBU and as data central to jointly process data retrieved by the RSs. In this second configuration the TALS can perform also an Integrity Monitoring feature. This feature has been described in [13]. Notice that, concerning the train integrity issue, the nearest RS, by means of TALS, sends the observed raw data (i.e., code pseudoranges or carrier phase) to both OBU GNSS receivers.

III. PROPOSED ALGORITHM

Under the hypotheses described in Section II, we designed a two-step algorithm, based on (i) a coarse head and tail receiver’s position estimation, and (ii) a fine estimate of the baseline between the two receivers followed by the estimate of the mileage between the two receivers based on the track database.

In the first step, the estimate of the location of both head and tail GNSS receivers may benefit from the availability of the Augmentation Network. In particular, in the following the constrained double differences approach that combines traditional double difference scheme with the track constraint has been adopted [14]. In this way, it is possible to mitigate most of the iono, tropo and clock errors of GNSS SIS. If the positioning estimation process employs carrier phase pseudoranges, then the fractional part of the phase ambiguity is cancelled out as well. Then, the remaining ambiguities are integer numbers of wavelengths.

In the second step, the train length is estimated by “geometrically projecting” on the track the baseline between receivers. Once again, the double-difference algorithm is combined with the track constraint. The estimated train length is then computed as the difference between the mileage of the head and tail receivers, based on the track database relating train mileage to the geographical coordinates.

The detection of an eventual gap between a couple of neighboring carriages is then performed by thresholding the difference between the current estimated train length, and the one estimated at the start of train mission. In order to keep constant the probability of providing a false alarm with respect to train integrity, such a threshold is dynamically adapted to the train length estimation confidence interval, which depends, among others, on the geometry and the number of the satellites in view.

As an additional means for autonomous (safety) integrity monitoring, to detect Signal In Space (SIS) failures and remove outliers (due for instance, to ephemerides errors, cycle slips, etc.), a check of the consistency of the observed double-differences with the track constraint is also performed.

To derive the train length estimation algorithms, let us recall that, denoting respectively with $\mathbf{X}_{Rx_H}[k]$ and $\mathbf{X}_{Rx_E}[k]$ the ECEF coordinates of the positions of the antennas of the Head-of-the-Train (HoT), and the End-of-the-Train (EoT) GNSS receivers at the k-th epoch, they have to satisfy the track constraint, represented by the parametric equations that relate those coordinates to the track mileage s:

$$\mathbf{X}^{Track}(s) = \begin{bmatrix} X_1^{Track}(s) & X_2^{Track}(s) & X_3^{Track}(s) \end{bmatrix}. \tag{1}$$

Thus, the receiver location in terms of ECEF coordinates is perfectly known as soon as its mileage is known. We assume that an initial track survey has been performed during the deployment phase and a digital version, named in the following track database, is available on board of the train.

Thus, denoting respectively with $s_H[k]$ and $s_E[k]$ the mileages of the head and end receivers at the k-th epoch, we have

$$\mathbf{X}_{Rx_H}(k) = \mathbf{X}^{Track}[s_H(k)], \tag{2}$$

$$\mathbf{X}_{Rx_E}(k) = \mathbf{X}^{Track}[s_E(k)]. \tag{3}$$

Then, let $\rho_i^{Rx_H}(k)$ and $\rho_i^{Rx_E}(k)$ be the code pseudo-ranges of the i-th satellite measured, respectively, by the HoT and EoT receivers. They can be expressed respectively as:

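Figure 7. Geometrical scheme of baseline in the railway scenario. RxH and RxE are the locations of the head-of-the-train and end-of-the-train OBU GNSS receivers, respectively.

$$\rho_i^{Rx_h}(k) = \left\| \mathbf{X}_i^{Sat}\left[T_i^{Sat}(k)\right] - \mathbf{X}^{Track}\left[s_h\left(T_i^{Rx_h}(k)\right)\right] \right\| + c\,\Delta\tau_i^{ion,Rx_h}(k) + c\,\Delta\tau_i^{trop,Rx_h}(k) + c\,\delta t^{Rx_h}(k) + n_i^{Rx_h}(k) - c\,\delta t_i^{Sat}(k), \tag{4}$$

with h = {H, E}, where:

• $T_i^{Sat}(k)$ is the time instant on which the signal of the k-th epoch is transmitted from the i-th satellite;
• $T_i^{Rx_h}(k)$ is the time instant on which the signal transmitted from the i-th satellite at the k-th epoch is received by the h-th GNSS receiver;
• $\mathbf{X}_i^{Sat}\left[T_i^{Sat}(k)\right]$ is the coordinate vector of the i-th satellite at time instant $T_i^{Sat}(k)$;
• $\mathbf{X}^{Track}\left[s_h\left(T_i^{Rx_h}(k)\right)\right]$ is the coordinate vector at the time instant $T_i^{Rx_h}(k)$, of the h-th receiver.
• $\Delta\tau_i^{ion,Rx_h}(k)$ is the ionospheric incremental delay, along the paths from the i-th satellite to the h-th GNSS receiver for the k-th epoch w.r.t. the neutral
• $\Delta\tau_i^{trop,Rx_h}(k)$ is the tropospheric incremental delay, along the paths from the i-th satellite to the h-th GNSS receivers for the k-th epoch w.r.t. the neutral
• $\delta t_i^{Sat}(k)$ is the offset of the i-th satellite clock for the k-th epoch;
• $\delta t^{Rx_h}(k)$ is the clock offset of the h-th GNSS receiver;
• $n_i^{Rx_h}(k)$ is the error of the time of arrival estimation algorithm, generated by multipath, GNSS receiver thermal noise, and eventual radio frequency interference, at the h-th GNSS receiver.

Let us denote with $\mathbf{b}(k)$ the baseline vector between the HoT and EoT receivers, computed at the k-th epoch, as

$$\mathbf{b}(k) = \mathbf{X}^{Track}[s_H(k)] - \mathbf{X}^{Track}[s_E(k)], \tag{5}$$

which can be rewritten in terms of its magnitude b, and the unit vector $\hat{\mathbf{e}}_b(k)$

$$\hat{\mathbf{e}}_b(k) = \frac{\mathbf{b}(k)}{\left\|\mathbf{b}(k)\right\|}, \tag{6}$$

$$\mathbf{b}(k) = b(k)\,\hat{\mathbf{e}}_b(k). \tag{7}$$

Equation (5) represents the track constraint applied to the receivers’ baseline, which is defined following the orientation of the train.

Let us denote with $\hat{\mathbf{e}}^{i}_{Rx_h}$ (with h = [H, E]) the unit vectors corresponding to the lines-of-sight of the i-th satellite with respect to the HoT and EoT receiver, respectively:

$$\hat{\mathbf{e}}^{i}_{Rx_h} = \frac{\mathbf{X}_i^{Sat} - \mathbf{X}_{Rx_h}}{\left\|\mathbf{X}_i^{Sat} - \mathbf{X}_{Rx_h}\right\|}, \quad h \in \{H, E\} \tag{8}$$

with respect to the ECEF coordinate system. Then, we can write the single difference $SD_i$ between the geometric distances of the i-th satellite from the two receivers, as:

$$SD_i = \left\| \mathbf{X}_i^{Sat}\left[T_i^{Sat}(k)\right] - \mathbf{X}^{Track}\left[s_H\left(T_i^{Rx_h}(k)\right)\right] \right\| - \left\| \mathbf{X}_i^{Sat}\left[T_i^{Sat}(k)\right] - \mathbf{X}^{Track}\left[s_E\left(T_i^{Rx_h}(k)\right)\right] \right\| = r^{i}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{i}_{Rx_H}, \hat{\mathbf{e}}^{i}_{Rx_E} \right\rangle\right] - \left\langle \mathbf{b}, \hat{\mathbf{e}}^{i}_{Rx_E} \right\rangle, \tag{9}$$

where $r^{i}_{Rx_H}$ is the geometric distance from the head-of-the-train OBU GNSS receiver and the i-th satellite, and $\langle \cdot , \cdot \rangle$ is the scalar product operator. Figure 7 describes the geometrical scheme adopted to evaluate the single difference in (7).

From (7), we can derive the double-difference equation relating the double difference $DD^{ij}_{Rx_H Rx_E}$ between the single differences of i-th and j-th satellite, to the receivers’ baseline, then obtaining:

$$DD^{ij}_{Rx_H Rx_E} = SD_i - SD_j = r^{i}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{i}_{Rx_H}, \hat{\mathbf{e}}^{i}_{Rx_E} \right\rangle\right] - \left\langle \mathbf{b}, \hat{\mathbf{e}}^{i}_{Rx_E} \right\rangle - \left[ r^{j}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{j}_{Rx_H}, \hat{\mathbf{e}}^{j}_{Rx_E} \right\rangle\right] - \left\langle \mathbf{b}, \hat{\mathbf{e}}^{j}_{Rx_E} \right\rangle \right] = r^{i}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{i}_{Rx_H}, \hat{\mathbf{e}}^{i}_{Rx_E} \right\rangle\right] - r^{j}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{j}_{Rx_H}, \hat{\mathbf{e}}^{j}_{Rx_E} \right\rangle\right] - \left\langle \mathbf{b}, \hat{\mathbf{e}}^{i}_{Rx_E} - \hat{\mathbf{e}}^{j}_{Rx_E} \right\rangle. \tag{10}$$

Without loss of generality, let us assume the first satellite is used as pivot to compute the double-difference equation system. Then, for sake of compactness, by dropping the epoch index k, (10) can be arranged in a matrix form as follows:

$$\mathbf{DD} = \mathbf{H}\mathbf{b} + \mathbf{u}, \tag{11}$$

where $\mathbf{u}$ is the residual vector, which needs to be minimized according to the Weighted Least Square Estimation (WLSE) criterion, and $\mathbf{H}$ is defined as

$$\mathbf{H} = \begin{bmatrix}
\left(\hat{e}^{1}_{Rx_E,1} - \hat{e}^{2}_{Rx_E,1}\right) & \left(\hat{e}^{1}_{Rx_E,2} - \hat{e}^{2}_{Rx_E,2}\right) & \left(\hat{e}^{1}_{Rx_E,3} - \hat{e}^{2}_{Rx_E,3}\right) \\
\left(\hat{e}^{1}_{Rx_E,1} - \hat{e}^{3}_{Rx_E,1}\right) & \left(\hat{e}^{1}_{Rx_E,2} - \hat{e}^{3}_{Rx_E,2}\right) & \left(\hat{e}^{1}_{Rx_E,3} - \hat{e}^{3}_{Rx_E,3}\right) \\
\vdots & \vdots & \vdots \\
\left(\hat{e}^{1}_{Rx_E,1} - \hat{e}^{j}_{Rx_E,1}\right) & \left(\hat{e}^{1}_{Rx_E,2} - \hat{e}^{j}_{Rx_E,2}\right) & \left(\hat{e}^{1}_{Rx_E,3} - \hat{e}^{j}_{Rx_E,3}\right) \\
\vdots & \vdots & \vdots \\
\left(\hat{e}^{1}_{Rx_E,1} - \hat{e}^{N_{sat}}_{Rx_E,1}\right) & \left(\hat{e}^{1}_{Rx_E,2} - \hat{e}^{N_{sat}}_{Rx_E,2}\right) & \left(\hat{e}^{1}_{Rx_E,3} - \hat{e}^{N_{sat}}_{Rx_E,3}\right)
\end{bmatrix}, \tag{12}$$

where $\hat{\mathbf{e}}^{i}_{Rx_E} = \begin{bmatrix} \hat{e}^{i}_{Rx_E,1} & \hat{e}^{i}_{Rx_E,2} & \hat{e}^{i}_{Rx_E,3} \end{bmatrix}$ are the unit vectors of the line of sight of the visible satellites.

From (6), the first term is

$$\mathbf{DD} = \mathbf{DD} + \Delta\mathbf{DD}, \tag{13}$$

where $\mathbf{DD}$ on the right-hand side represents the vector of double-differences between the raw data, as measured by the j-th satellite and the pivot, from the HoT and EoT receivers,

$$\mathbf{DD} = \begin{bmatrix} DD^{2,1}_{Rx_H,Rx_E} \\ DD^{3,1}_{Rx_H,Rx_E} \\ \vdots \\ DD^{j,1}_{Rx_H,Rx_E} \\ \vdots \\ DD^{N_{Sat},1}_{Rx_H,Rx_E} \end{bmatrix}, \tag{14}$$

and

$$\Delta\mathbf{DD} = \begin{bmatrix}
r^{2}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{2}_{Rx_H}, \hat{\mathbf{e}}^{2}_{Rx_E} \right\rangle\right] - r^{1}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1}_{Rx_H}, \hat{\mathbf{e}}^{1}_{Rx_E} \right\rangle\right] \\
r^{3}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{3}_{Rx_H}, \hat{\mathbf{e}}^{3}_{Rx_E} \right\rangle\right] - r^{1}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1}_{Rx_H}, \hat{\mathbf{e}}^{1}_{Rx_E} \right\rangle\right] \\
\vdots \\
r^{j}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{j}_{Rx_H}, \hat{\mathbf{e}}^{j}_{Rx_E} \right\rangle\right] - r^{1}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1}_{Rx_H}, \hat{\mathbf{e}}^{1}_{Rx_E} \right\rangle\right] \\
\vdots \\
r^{N_{sat}}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{N_{sat}}_{Rx_H}, \hat{\mathbf{e}}^{N_{sat}}_{Rx_E} \right\rangle\right] - r^{1}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1}_{Rx_H}, \hat{\mathbf{e}}^{1}_{Rx_E} \right\rangle\right]
\end{bmatrix}, \tag{15}$$

is the vector of double-differences between the geometric distances between the j-th satellite and the pivot, from HoT and EoT receivers.

Finally, the i-th component of the equivalent noise at the first and second OBU GNSS receiver, computed with respect to the pivot satellite, is:

$$u_{i,1} = c\,\Delta\tau_i^{ion,Rx_H}(k) - c\,\Delta\tau_i^{ion,Rx_E}(k) - c\,\Delta\tau_1^{ion,Rx_H}(k) + c\,\Delta\tau_1^{ion,Rx_E}(k) + c\,\Delta\tau_i^{trop,Rx_H}(k) - c\,\Delta\tau_i^{trop,Rx_E}(k) - c\,\Delta\tau_1^{trop,Rx_H}(k) + c\,\Delta\tau_1^{trop,Rx_E}(k) + n_i^{Rx_H}(k) - n_i^{Rx_E}(k) - n_1^{Rx_H}(k) + n_1^{Rx_E}(k). \tag{16}$$

The baseline between receivers can then be estimated with the following iterative procedure that explicitly accounts for the track constraint.

Let us denote with $\tilde{s}_H^{(m)}$ and $\tilde{s}_E^{(m)}$ the estimated mileages of the GNSS receivers at the m-th iteration and with $\tilde{\mathbf{X}}^{(m)}_{Rx_H}(k) = \mathbf{X}^{Track}\left[\tilde{s}_H^{(m)}(k)\right]$ and $\tilde{\mathbf{X}}^{(m)}_{Rx_E}(k) = \mathbf{X}^{Track}\left[\tilde{s}_E^{(m)}(k)\right]$ the corresponding Cartesian coordinates.

Then, taking into account the track constraint we have

$$\mathbf{b} \approx \tilde{\mathbf{b}}^{(m)} + \Delta b_E^{(m)}\,\hat{\mathbf{e}}^{(m)}_{b_E} - \Delta b_H^{(m)}\,\hat{\mathbf{e}}^{(m)}_{b_H}, \tag{17}$$

where $\Delta b_E^{(m)}\,\hat{\mathbf{e}}^{(m)}_{b_E}$ and $\Delta b_H^{(m)}\,\hat{\mathbf{e}}^{(m)}_{b_H}$ are the baseline increments when the HoT and EoT receivers move along the track, respectively.

Considering that the iterative procedure is initialized using as initial estimates of the receiver locations, the positions provided by the independent processing of the measured pseudoranges, with the support of the augmentation network, the initial estimation error can be considered small (i.e. <10 m). Thus, (17) can be approximated by its Taylor’s expansion, so that the unit vectors $\hat{\mathbf{e}}^{(m)}_{b_H}$ and $\hat{\mathbf{e}}^{(m)}_{b_E}$ can be approximated by the unit vectors corresponding to the tangents of the track curve on $\tilde{\mathbf{X}}^{(m)}_{Rx_H}(k)$ and $\tilde{\mathbf{X}}^{(m)}_{Rx_E}(k)$ respectively, given by:

$$\begin{cases}
\hat{\mathbf{e}}^{(m)}_{b_H} = \left[\dfrac{\partial \mathbf{X}_{Rx_H}}{\partial s}\right]_{s = \tilde{s}_H^{(m)}(k)} \\[2ex]
\hat{\mathbf{e}}^{(m)}_{b_E} = \left[\dfrac{\partial \mathbf{X}_{Rx_E}}{\partial s}\right]_{s = \tilde{s}_E^{(m)}(k)}
\end{cases} \tag{18}$$

Therefore, by replacing (18) into (11) the double-difference equation system at the m-th iteration step specifies as follows:

$$\mathbf{DD}^{(m)} - \mathbf{H}\hat{\mathbf{b}}^{(m)} = \mathbf{H}\mathbf{G}^{(m)}\Delta\mathbf{b}^{(m)} + \mathbf{u}, \tag{19}$$

where

$$\Delta\mathbf{b}^{(m)} = \begin{bmatrix} \Delta b_H^{(m)} \\ \Delta b_E^{(m)} \end{bmatrix}, \tag{20}$$

$\mathbf{G}^{(m)}$ is the partitioned matrix

$$\mathbf{G}^{(m)} = \begin{bmatrix} \hat{\mathbf{e}}^{(m)}_{b_H} & \hat{\mathbf{e}}^{(m)}_{b_E} \end{bmatrix}, \tag{21}$$

and

$$\mathbf{DD}^{(m)} = \mathbf{DD} + \Delta\mathbf{DD}^{(m)}, \tag{22}$$

with

$$\Delta\mathbf{DD}^{(m)} = \begin{bmatrix}
r^{2,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{2,m}_{Rx_H}, \hat{\mathbf{e}}^{2,m}_{Rx_E} \right\rangle\right] - r^{1,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1,m}_{Rx_H}, \hat{\mathbf{e}}^{1,m}_{Rx_E} \right\rangle\right] \\
r^{3,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{3,m}_{Rx_H}, \hat{\mathbf{e}}^{3,m}_{Rx_E} \right\rangle\right] - r^{1,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1,m}_{Rx_H}, \hat{\mathbf{e}}^{1,m}_{Rx_E} \right\rangle\right] \\
\vdots \\
r^{j,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{j,m}_{Rx_H}, \hat{\mathbf{e}}^{j,m}_{Rx_E} \right\rangle\right] - r^{1,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1,m}_{Rx_H}, \hat{\mathbf{e}}^{1,m}_{Rx_E} \right\rangle\right] \\
\vdots \\
r^{N_{sat},m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{N_{sat},m}_{Rx_H}, \hat{\mathbf{e}}^{N_{sat},m}_{Rx_E} \right\rangle\right] - r^{1,m}_{Rx_H}\left[1 - \left\langle \hat{\mathbf{e}}^{1,m}_{Rx_H}, \hat{\mathbf{e}}^{1,m}_{Rx_E} \right\rangle\right]
\end{bmatrix} \tag{23}$$

where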

X Sat −X "b!( m) $
j,m j # %
ê Rx = Rxh " !( m) $
, h ∈ { H , E} (24)
X j − X #b %

rRxj,m = X Sat −X
Rxh "b!( m) % . (25)
h j $# '&

Thus the baseline correction $\Delta\mathbf b^{(m)}$ is evaluated as

$$\Delta\mathbf b^{(m)} = K^{(m)}\left[DD^{(m)} - H\hat{\mathbf b}^{(m)}\right], \tag{26}$$

where the gain $K^{(m)}$ is computed in accordance to the WLSE metric as

$$K^{(m)} = \left(G^{(m)T} H^T R_\nu^{-1} H G^{(m)}\right)^{-1} G^{(m)T} H^T R_\nu^{-1}. \tag{27}$$

Once the baseline correction $\Delta\mathbf b^{(m)}$ has been computed, the mileage and the Cartesian coordinates of the two receivers are updated by projecting the two points

$$\hat{\mathbf X}^{Rx_H}_{(m+1)} = \tilde{\mathbf X}^{Rx_H}\left[\tilde s_H^{(m)}(k)\right] + \Delta b_H^{(m)}\, \hat{\mathbf e}^{(m)}_{b_H} \tag{28}$$

$$\hat{\mathbf X}^{Rx_E}_{(m+1)} = \tilde{\mathbf X}^{Rx_E}\left[\tilde s_E^{(m)}(k)\right] + \Delta b_E^{(m)}\, \hat{\mathbf e}^{(m)}_{b_E} \tag{29}$$

into the track as illustrated in Figure 8, then obtaining $\tilde{\mathbf X}^{Rx_H}_{(m+1)}$ and $\tilde{\mathbf X}^{Rx_E}_{(m+1)}$.
The baseline estimate at iteration (m+1) is updated as follows

$$\tilde{\mathbf b}^{(m+1)} = \tilde{\mathbf X}^{Rx_H}_{(m+1)} - \tilde{\mathbf X}^{Rx_E}_{(m+1)}. \tag{30}$$

Finally, the train length at the k-th epoch is computed as follows:

$$\tilde L^{(m+1)}(k) = \tilde s_H^{(m+1)}(k) - \tilde s_E^{(m+1)}(k). \tag{31}$$

In the evaluation of the protection level, we could model train integrity as a Boolean function providing a TRUE value if the train is integral and FALSE otherwise. Following this approach, we could consider as misleading information the event associated to declaring the train as integral in presence of a train split, while the event associated to declaring the train as not integral, when no split occurs could be simply considered a false alarm, impacting on system availability and not on the hazard.
On the other hand, with the introduction of moving block in ERTMS/ETCS L3, an error on the estimate of the track portion actually occupied by the train should be considered as misleading.
Thus, here we prefer the last approach, and analyze the protection level computation by modeling the train integrity as a functionality providing an estimate of the extension of the interval actually occupied by the train and not just as a Hypothesis verification test. This approach is more conservative, because in this case declaring the train as not complete when no split occurs is considered misleading, and not just a false alarm.
Nevertheless, the methodology adopted for evaluating the protection level associated to the train length estimation, can be immediately extended to the Boolean case.

Figure 8. Projection into the track curve of the estimated receiver position.

Let us consider first the case of train operating under nominal conditions, i.e., the case of healthy satellites and known initial train length.
Denoting with $\varepsilon_{\Delta b_H}$ and $\varepsilon_{\Delta b_E}$ the estimation errors on $\Delta b_E$ and $\Delta b_H$, and with $\varepsilon_{\tilde L}$ the estimation error on the distance along track (i.e. mileages' difference) of the two receivers, we have:

$$\varepsilon_{\tilde L}(k) = \left(\frac{\partial s}{\partial \Delta b_H}\right)_{s=\tilde s_H} \varepsilon_{\Delta b_H} - \left(\frac{\partial s}{\partial \Delta b_E}\right)_{s=\tilde s_E} \varepsilon_{\Delta b_E}. \tag{32}$$

Introducing the row vector

$$\frac{\partial s}{\partial \Delta \mathbf b} = \left[ \left(\frac{\partial s}{\partial \Delta b_H}\right)_{s=\tilde s_H},\; -\left(\frac{\partial s}{\partial \Delta b_E}\right)_{s=\tilde s_E} \right] \tag{33}$$

the previous relation can be rewritten in matrix form as

$$\varepsilon_{L}(k) = \frac{\partial s}{\partial \Delta \mathbf b} \begin{bmatrix} \varepsilon_{\Delta b_H} \\ \varepsilon_{\Delta b_E} \end{bmatrix}, \tag{34}$$

where we denoted with $\tilde s_H$ and $\tilde s_E$ the final estimate of the receivers mileage at the last iteration.
Based on (19), considering that $\varepsilon_{\Delta b_H}$ and $\varepsilon_{\Delta b_E}$ can be modeled as zero mean Gaussian random variable with covariance matrix

$$R_{\Delta b} = \left(G^T H^T R_\nu^{-1} H G\right)^{-1}, \tag{35}$$

the covariance of $\varepsilon_{\tilde L}$ can be computed as

$$\sigma^2_{\varepsilon_L} = \frac{\partial s}{\partial \Delta \mathbf b}\, R_{\Delta b} \left[\frac{\partial s}{\partial \Delta \mathbf b}\right]^T. \tag{36}$$

Thus, the probability $P_{\varepsilon_L > \delta_L}$ that the error on the along track distance between the two receivers exceeds a threshold $\delta_L$ is

$$P_{\varepsilon_L > \delta_L} = \operatorname{erfc}\left(\frac{\delta_L}{\sqrt{2}\,\sigma_{\varepsilon_L}}\right), \tag{37}$$

where erfc() is the complementary error function i.e.,

$$\operatorname{erfc}(x) = \frac{2}{\sqrt{\pi}} \int_x^{\infty} e^{-t^2}\, dt.$$

Figure 9. Faulty satellite geometry.

Thus, denoting with $R_{TH}^{H_0}$ the THR allocated to nominal conditions, the Protection Level under nominal conditions $PL_{H_0}$ computes as follows:

$$PL_{H_0} = k_{H_0}\, \sigma_{\varepsilon_L}, \tag{39}$$

$$k_{H_0} = \sqrt{2}\, \operatorname{erfc}^{-1}\left(\frac{R_{TH}^{H_0}}{N_{Dec}}\right), \tag{40}$$

where $N_{Dec}$ is the number of independent estimates in 1 hour of operation.
Let us now consider the case of SIS faults. Let us recall that the rather short baseline between the EoT and HoT receivers (i.e., < 4 km) implies that the satellite clocks errors and incremental tropospheric and ionospheric delays experienced by the two receivers are highly correlated, and therefore, completely mitigated by the double difference operation at the basis of the train length estimate.
The threat to be accounted for when considering the event of a failure of the SIS of the i-th satellite essentially reduces to the ephemeris error, whose effect can be modeled by a satellite position error $\boldsymbol\beta_i$.
In this case, w.r.t. Figure 9, it can be easily verified that

$$\tilde{\mathbf e}^i_{Rx_h}(\boldsymbol\beta_i) = \frac{r^i_{Rx_h}}{\left\| r^i_{Rx_h} \mathbf e^i_{Rx_h} + \boldsymbol\beta_i \right\|}\, \mathbf e^i_{Rx_h} + \frac{\boldsymbol\beta_i}{\left\| r^i_{Rx_h} \mathbf e^i_{Rx_h} + \boldsymbol\beta_i \right\|}, \quad h \in \{H, E\}. \tag{41}$$

Thus, the single difference of the i-th satellite is affected by the error

$$\begin{aligned}
\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) = {} & \tilde r^i_{Rx_H}\left[ \langle \tilde{\mathbf e}^i_{Rx_H}(\boldsymbol\beta_i), \tilde{\mathbf e}^i_{Rx_E}(\boldsymbol\beta_i) \rangle - \langle \mathbf e^i_{Rx_H}, \mathbf e^i_{Rx_E} \rangle \right] \\
& + \Delta r^i_{Rx_H}(\boldsymbol\beta_i)\left[ 1 - \langle \mathbf e^i_{Rx_H}, \mathbf e^i_{Rx_E} \rangle \right] + \langle \mathbf b, \tilde{\mathbf e}^i_{Rx_E}(\boldsymbol\beta_i) - \mathbf e^i_{Rx_E} \rangle.
\end{aligned} \tag{42}$$

The above expression can be usefully written as follows (see [17], Eq. (19)):

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) = -\langle \mathbf e^i_{Rx_H} - \mathbf e^i_{Rx_E}, \boldsymbol\beta_i \rangle \cong -\frac{\langle \mathbf b^i_{\perp \mathbf e^i_{Rx_E}}, \boldsymbol\beta_i \rangle}{r^i_{Rx_E}} \tag{43}$$

where $\mathbf b_{\perp \mathbf e^i_{Rx_E}}$ is the component of the baseline orthogonal to the line of sight $\mathbf e_{Rx_E}$:

$$\mathbf b^i_{\perp \mathbf e^i_{Rx_E}} = \mathbf b - \langle \mathbf e^i_{Rx_E}, \mathbf b \rangle\, \mathbf e^i_{Rx_E}. \tag{44}$$

Incidentally, we observe that the following bound holds:

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \le \frac{\|\boldsymbol\beta_i\|\, b}{r^i_{Rx_E}}. \tag{45}$$

Then, from (42) we have that if the faulty satellite is not the pivot one (i.e., in our case $i \ne 1$), the estimate of the along track distance is affected by the additional error

$$\Delta L^i_{SF}(\boldsymbol\beta_i) = \frac{\partial s}{\partial \Delta \mathbf b}\, K_{(i-1)\,col}\; \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i), \quad i = 2, \ldots, N_{sat} \tag{46}$$

where $K_{n\,col}$ denotes the n-th column of gain matrix $K$, while, if the faulty satellite is the pivot one (i.e., in our case i = 1), then we have:

$$\Delta L^1_{SF}(\boldsymbol\beta_1) = -\frac{\partial s}{\partial \Delta \mathbf b} \left[ \sum_{q=1}^{N_{sat}-1} K_{q\,col} \right] \varepsilon^1_{\Delta SD}(\boldsymbol\beta_1). \tag{47}$$

Denoting with $\gamma(i)$ the function

$$\gamma(i) = \begin{cases}
-\dfrac{\partial s}{\partial \Delta \mathbf b} \left[ \displaystyle\sum_{q=1}^{N_{sat}-1} K_{q\,col} \right] & i = 1 \\[2ex]
\dfrac{\partial s}{\partial \Delta \mathbf b}\, K_{(i-1)\,col} & i = 2, \ldots, N_{sat}
\end{cases} \tag{48}$$

the conditional probability that the position error magnitude will exceed the protection level, when the i-th satellite is faulty, becomes

$$P^{SF_i}_{MI/MA} = \frac{1}{2} \operatorname{erfc}\left( \frac{PL - \gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) + \frac{1}{2} \operatorname{erfc}\left( \frac{PL + \gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right). \tag{49}$$

However, the computation of the HMI probability requires the evaluation of the probability that the Integrity Monitoring and Augmentation subsystem deployed along the track will not detect the satellite fault. At this aim, we may employ the approach described in [17] that, for each satellite, monitors the Differential Pseudorange Residuals (DPR) and the Double Difference Residuals (DDR) of the pseudoranges observed by the reference stations, located in known position.
DPR monitoring allows detecting ephemeris error components parallel to the satellite line of sights, while DDR monitoring allows detecting those components orthogonal to the line of sights.
Let $\Delta\rho^i_{raw,j}(k)$ be the raw reduced pseudorange residual of the i-th satellite w.r.t. the receiver of the j-th RS, at the k-th epoch, defined as the difference between the measured pseudorange and its counterpart predicted on the basis of the navigation data, and ionospheric and tropospheric models. In addition let us denote with $dd^{ij}_{n,m}$ the DDR of the pseudoranges of the i-th and j-th satellite measured by the n-th and the m-th reference stations:

$$dd^{ij}_{n,m} = \Delta\rho^i_{raw,n}(k) - \Delta\rho^j_{raw,n}(k) - \Delta\rho^i_{raw,m}(k) + \Delta\rho^j_{raw,m}(k). \tag{50}$$

We note that when a Wide Area Augmentation System is available the raw reduced pseudorange residuals can be
computed by resorting to actual ephemerides and satellite clock corrections provided by the Wide Area Augmentation System. Same approach applies to ionospheric and tropospheric corrections.

When the SIS of each satellite is healthy, $dd^{ij}_{n,m}$ can be modeled as a zero mean, Gaussian random variable with variance

$$\sigma^2_{dd^{ij}_{n,m}} = \sigma^2_{\Delta\rho^i_{raw,n}} + \sigma^2_{\Delta\rho^j_{raw,n}} + \sigma^2_{\Delta\rho^i_{raw,m}} + \sigma^2_{\Delta\rho^j_{raw,m}}. \tag{51}$$

When the i-th SIS is affected by a satellite position error $\boldsymbol\beta_i$, $dd^{ij}_{n,m}$ can be modeled as a Gaussian random variable with variance $\sigma^2_{dd^{ij}_{n,m}}$ and expectation equal to (see [17], Eq. (19)):

$$E\left\{ dd^{ij}_{n,m} \right\} = -\langle \mathbf e^i_{RIM_n} - \mathbf e^i_{RIM_m}, \boldsymbol\beta_i \rangle, \tag{52}$$

where $\mathbf e^i_{RIM_n}$ is the unit vector of the line of sight of the i-th satellite with respect to the receiver of the n-th RS.
Let $\overline{dd}^i_{n,m}$ be the average DDR of the i-th satellite:

$$\overline{dd}^i_{n,m} = \frac{1}{N_{sat} - 1} \sum_{j \ne i} dd^{ij}_{n,m}. \tag{53}$$

When all the satellites are healthy, $\overline{dd}^i_{n,m}$ can be modeled as a zero mean, Gaussian random variable with variance $\sigma^2_{\overline{dd}^i_{n,m}}$ given by:

$$\sigma^2_{\overline{dd}^i_{n,m}} = \sigma^2_{\Delta\rho^i_{raw,n}} + \sigma^2_{\Delta\rho^i_{raw,m}} + \frac{1}{N_{Sat} - 1} \sum_{j \ne i} \left( \sigma^2_{\Delta\rho^j_{raw,n}} + \sigma^2_{\Delta\rho^j_{raw,m}} \right). \tag{54}$$

Then, for the i-th satellite the squared weighted L2 norm $\xi_i^2$ of $\overline{dd}^i_{n,m}$ is computed as follows:

$$\xi_i^2 \triangleq \sum \frac{\left( \overline{dd}^i_{m,n} \right)^2}{\sigma^2_{\overline{dd}^i_{m,n}}}, \tag{55}$$

where the m-th RS is supposed to be the pivot one, and where $N_{RIM}$ denotes the number of RSs employed.
If $\xi_i$ exceeds a threshold EL, named Exclusion Level, the satellite is marked as faulty and excluded from PVT computation.
When the SIS is healthy, $\xi_i$ is a random variable with a central chi-square distribution with ($N_{RIM}$ - 2) degrees of freedom. Thus, the probability $P_{fe}$ of excluding a healthy satellite, declared as faulty, is given by:

$$P_{fe} = D_{\chi^2_{N_{RIM}-2}}(EL), \tag{56}$$

where $D_{\chi^2_n}(\cdot)$ is the cumulative central chi-square distribution with n degrees of freedom. Therefore, the Exclusion Level is pre-computed in accordance to the Neyman–Pearson criterion by inverting the distribution function:

$$EL = D^{-1}_{\chi^2_{N_{RIM}-2}}(1 - P_{fe}). \tag{57}$$

If the i-th SIS is faulty, $\xi_i$ is a random variable with non-central chi square distribution with non-centrality

$$\lambda(\boldsymbol\beta_i) = \sum_{\substack{n=1 \\ n \ne m}}^{N_{RIM}} \frac{\langle \mathbf e^i_{RIM_m} - \mathbf e^i_{RIM_n}, \boldsymbol\beta_i \rangle^2}{\sigma^2_{\overline{dd}^i_{m,n}}}. \tag{58}$$

Therefore, the probability that a fault event will not be detected (i.e., probability of Missed Exclusion of a faulty satellite) equals the probability that a random variable with non-central chi square distribution with non-centrality parameter $\lambda(\boldsymbol\beta_i)$ will not exceed the EL threshold:

$$P^{SF}_{MA} = D^{nc}_{\chi^2_{N_{RIM}-2}}\left[ EL, \lambda(\boldsymbol\beta_i) \right], \tag{59}$$

that can be rewritten as

$$P^{SF}_{MA} = D^{nc}_{\chi^2_{N_{RIM}-2}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda(\boldsymbol\beta_i) \right], \tag{60}$$

where $D^{nc}_{\chi^2_n}(\cdot, \lambda)$ is the cumulative noncentral chi-square distribution with n degrees of freedom and non-centrality parameter $\lambda$.

Let us observe that, when the local Track Area Augmentation and Monitoring system is complemented with a Wide Area Augmentation System, the capability of detecting satellite faults increases, not only because of the alarms provided by the Wide Area Augmentation System, but also because of the lower variance $\sigma^2_{\Delta\hat\rho^i_j}$ of the reduced pseudorange residual appearing in (54), thanks to the ephemerides and satellite clock corrections, and ionospheric incremental delay estimates provided by the Wide Area Augmentation System.
Based on (60), the conditional probability of a Misleading Information (MI) event conditioned to the failure of the i-th satellite can be evaluated as follows

$$P^{SF_i}_{MI} = D^{nc}_{\chi^2_{N_{RIM}-1}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda(\boldsymbol\beta_i) \right] \times \frac{1}{2} \left\{ \operatorname{erfc}\left( \frac{PL - \gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) + \operatorname{erfc}\left( \frac{PL + \gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) \right\}.$$

Denoting with $P_{SSF}$ the probability of fault of a single satellite and with $N_{Sat}$ number of visible satellites, the probability $P_{SH}$ that none of them is affected by a fault is bounded by the probability that none of them is affected by an independent fault, i.e.:

$$P_{SH} \le (1 - P_{SSF})^{N_{Sat}}. \tag{62}$$

Considering that, according to the GPS SPS Performance Standard, for the GPS constellation $P_{SSF} \le 10^{-5}/h$, $P_{SH}$ can be approximated as follows:

$$P_{SH} \le 1 - N_{Sat} P_{SSF}. \tag{63}$$

On the other hand, the probability of having a failed satellite out of $N_{Sat}$ satellites is

$$P_{SF} \cong N_{Sat} P_{SSF}, \quad P_{SSF} \ll 1, \tag{64}$$

while for $P_{SSF} \le 10^{-5}/h$ the probability of having more than one failed satellite can be considered negligible, [9].
Denoting with $SLOPE_i$ the ratio between the magnitude of the train length error $\gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)$, and $\sqrt{\lambda(\boldsymbol\beta_i)}$:

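$$SLOPE_i = \frac{\gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{\lambda(\boldsymbol\beta_i)}}, \tag{65}$$

and with $SLOPE_{Max}$ its maximum value w.r.t. all the

$$SLOPE_{Max} = \operatorname{Max} \frac{\gamma(i)\, \varepsilon^i_{\Delta SD}(\boldsymbol\beta_i)}{\sqrt{\lambda(\boldsymbol\beta_i)}}, \tag{66}$$

the THR conditioned to ephemeris faults $R^e_{TH}$ can be bound as follows

$$R^e_{TH} \le 1 - \left\{ 1 - \frac{1}{2} \operatorname*{Max}_{\lambda} \left\{ D^{nc}_{\chi^2_{N_{RIM}-1}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda \right] \times \left\{ \operatorname{erfc}\left( \frac{PL_e - SLOPE_{MAX} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) + \operatorname{erfc}\left( \frac{PL_e + SLOPE_{MAX} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) \right\} \right\} P_{SF} \right\}^{N_{Dec}}. \tag{67}$$

On the other hand, as demonstrated in Appendix A, when a Track Area Augmentation System surrounding the rail track, with RSs deployed at nodes of a regular grid, is employed, we have

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \le \sqrt{2}\, \frac{b}{B}\, \sigma_{\overline{dd}^i} \sqrt{\lambda(\boldsymbol\beta_i)}, \tag{68}$$

where $\sigma^2_{\overline{dd}^i}$ is the variance of the DDR of the i-th satellite, b is the length of the baseline between the EoT and the HoT receivers, and B is the length of the baseline between adjacent RSs, with b = B, and B small enough so that ionospheric and tropospheric incremental delays observed by adjacent RSs can be considered highly correlated (typically B < 50 km).
Therefore, denoting with $\gamma_{Max}$ the maximum of $\gamma(i)$,

$$\gamma_{Max} = \operatorname{Max}\, \gamma(i), \tag{69}$$

we can write

$$SLOPE_{MAX} \le \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max}. \tag{70}$$

Therefore $R^e_{TH}$ can be bounded as follows

$$R^e_{TH} \le 1 - \left\{ 1 - \frac{1}{2} \operatorname*{Max}_{\lambda} \left\{ D^{nc}_{\chi^2_{N_{RIM}-1}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda \right] \times \left\{ \operatorname{erfc}\left( \frac{PL_e - \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) + \operatorname{erfc}\left( \frac{PL_e + \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) \right\} \right\} P_{SF} \right\}^{N_{Dec}}. \tag{71}$$

Thus, for a given THR the above bound can be employed for computing the Protection Level.
In particular, denoting with $\lambda_{Max}$ the value of $\lambda$ maximizing the quantity:

$$\lambda_{Max} = \operatorname*{Arg\,Max}_{\lambda} \left\{ D^{nc}_{\chi^2_{N_{RIM}-1}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda \right] \times \left\{ \operatorname{erfc}\left( \frac{PL_e - \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) + \operatorname{erfc}\left( \frac{PL_e + \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max} \sqrt{\lambda}}{\sqrt{2}\, \sigma_{\varepsilon_L}} \right) \right\} \right\} \tag{72}$$

the Protection Level $PL_e$, for a single ephemeris fault can be written as follows:

$$PL_e \triangleq \sqrt{2}\, \frac{b}{B}\, \sigma_{dd\,Max}\, \gamma_{Max} \sqrt{\lambda_{Max}} + k_e\, \sigma_{\varepsilon_L}, \tag{73}$$

with

$$k_e = \sqrt{2}\, \operatorname{erfc}^{-1}\left( \frac{R^e_{TH}}{N_{Dec}\; D^{nc}_{\chi^2_{N_{RIM}-1}}\left[ D^{-1}_{\chi^2_{N_{RIM}-1}}(1 - P_{fe}), \lambda_{Max} \right] P_{SF}} \right). \tag{74}$$

In Figure 10 the plot of the Protection Level for single ephemeris fault versus the THR for several values of the SLOPE factor is reported. The SLOPE range has been selected in accordance to those values experimented in the simulations. Numerical examples on PL computation are presented in the next section devoted to simulation results.

Figure 10. Protection Level versus THR, single satellite fault case ($N_{RIM}$ = 6, $P_{fe}$ = $10^{-5}$, $P_{SF}$ = $10^{-4}$, $N_{Dec}$ = 3600).

For the assessment of the performance of the proposed algorithm, a Monte Carlo simulation making use of a GNSS simulator developed and validated for the rail environment has been employed.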
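The numerical side of the protection-level computation, as an added example (not code from the paper): it evaluates Eqs. (40), (57), (59)-(60) and (70), then finds PL_e by inverting the bound (71) with bisection rather than through the closed form (73)-(74). N_RIM, P_fe, P_SF and N_Dec come from the Figure 10 caption and σ_ddMax = 2, γ_Max = 1, B = 50 km from the simulation section; b = 2500 m, σ_εL = 0.84 m and a target THR of 1e-9 are assumptions, and N_RIM - 1 degrees of freedom are used throughout, as in (71).

```python
import math

SQRT2 = math.sqrt(2.0)

def chi2_terms(dof, x, n_terms):
    """t_i = e^{-x/2} (x/2)^(dof/2+i) / Gamma(dof/2+i+1), i = 0..n_terms-1.
    The tail sum over i >= j is the central chi-square CDF with dof+2j d.o.f."""
    h, a = x / 2.0, dof / 2.0
    return [math.exp(-h + (a + i) * math.log(h) - math.lgamma(a + i + 1.0))
            for i in range(n_terms)]

def chi2_cdf(dof, x):
    """Central chi-square CDF."""
    return 0.0 if x <= 0.0 else min(1.0, sum(chi2_terms(dof, x, int(x) + 200)))

def ncx2_cdf(dof, x, lam):
    """Noncentral chi-square CDF: Poisson(lam/2) mixture of central CDFs."""
    if x <= 0.0:
        return 0.0
    if lam <= 0.0:
        return chi2_cdf(dof, x)
    mu = lam / 2.0
    n_mix = int(mu + 12.0 * math.sqrt(mu)) + 30   # Poisson mass beyond is negligible
    terms = chi2_terms(dof, x, n_mix + int(x) + 200)
    tail, acc = [0.0] * len(terms), 0.0
    for i in range(len(terms) - 1, -1, -1):       # tail[j] = CDF with dof+2j d.o.f.
        acc += terms[i]
        tail[i] = acc
    log_mu = math.log(mu)
    return min(1.0, sum(math.exp(-mu + j * log_mu - math.lgamma(j + 1.0)) * tail[j]
                        for j in range(n_mix)))

def bisect_decreasing(f, lo, hi, iters=80):
    """Smallest x (to float precision) with f(x) <= 0, for a decreasing f."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if f(mid) > 0.0 else (lo, mid)
    return hi

def exclusion_level(dof, p_fe):
    """Eq. (57): EL is the (1 - P_fe) quantile of the central chi-square."""
    return bisect_decreasing(lambda x: (1.0 - p_fe) - chi2_cdf(dof, x), 0.0, 400.0)

def k_nominal(thr_h0, n_dec):
    """Eq. (40): k_H0 = sqrt(2) * erfc^-1(R_TH^H0 / N_Dec)."""
    p = thr_h0 / n_dec
    return SQRT2 * bisect_decreasing(lambda z: math.erfc(z) - p, 0.0, 30.0)

def slope_bound(b, big_b, sigma_dd_max, gamma_max):
    """Eq. (70): SLOPE_MAX <= sqrt(2) * (b / B) * sigma_dd_max * gamma_max."""
    return SQRT2 * (b / big_b) * sigma_dd_max * gamma_max

def missed_exclusion_grid(n_rim, p_fe, r_max=20.0, step=0.05):
    """(sqrt(lambda), P_MA) pairs from Eq. (60), with N_RIM - 1 d.o.f. as in (71)."""
    dof = n_rim - 1
    el = exclusion_level(dof, p_fe)
    return [(i * step, ncx2_cdf(dof, el, (i * step) ** 2))
            for i in range(int(round(r_max / step)) + 1)]

def thr_bound(pl, slope, sigma_l, grid, p_sf, n_dec):
    """Right-hand side of bound (67)/(71) for a candidate protection level pl."""
    worst = max(p_ma * (math.erfc((pl - slope * r) / (SQRT2 * sigma_l))
                        + math.erfc((pl + slope * r) / (SQRT2 * sigma_l)))
                for r, p_ma in grid)
    return -math.expm1(n_dec * math.log1p(-0.5 * worst * p_sf))

def protection_level(thr, slope, sigma_l, grid, p_sf, n_dec):
    """Smallest PL_e for which the bound does not exceed the target THR."""
    hi = slope * grid[-1][0] + 12.0 * sigma_l
    return bisect_decreasing(
        lambda pl: thr_bound(pl, slope, sigma_l, grid, p_sf, n_dec) - thr, 0.0, hi)

def demo():
    # From the page: N_RIM = 6, P_fe = 1e-5, P_SF = 1e-4, N_Dec = 3600 (Figure 10),
    # sigma_dd_max = 2, gamma_max = 1, B = 50 km (simulation section).
    # Assumed here: b = 2500 m, sigma_eps_L = 0.84 m, target THR = 1e-9.
    sigma_l, thr, p_sf, n_dec = 0.84, 1e-9, 1e-4, 3600
    slope = slope_bound(2500.0, 50000.0, 2.0, 1.0)
    grid = missed_exclusion_grid(n_rim=6, p_fe=1e-5)
    return {"slope": slope,
            "pl_h0": k_nominal(thr, n_dec) * sigma_l,
            "pl_e": protection_level(thr, slope, sigma_l, grid, p_sf, n_dec),
            "grid": grid}

if __name__ == "__main__":
    out = demo()
    print({k: round(v, 3) for k, v in out.items() if k != "grid"})
```

The grid of P_MA values is computed once because it does not depend on PL_e, so each bisection step only re-evaluates the two erfc terms.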

Figure 11. Simulator overall architecture.

The overall architecture of the simulator is depicted in Figure 11. In essence:
a) The Satellite Orbit Generator provides precision ephemeris to support evaluation of accurate propagation delays and Doppler effects. For GPS and GLONASS constellations even real data (raw and filtered data) periodically published by International Research Institutes (e.g. IGS, EGNOS) may be employed; The Propagation module evaluates the transformations affecting the satellite signals received at a specific location. At this aim, ionospheric and tropospheric conditions recorded in the GNSS records DataBase are employed. Additional random delays may be added to account for residual errors filtered out by the processing procedures used to generate the data stored in the GNSS records
b) The RIM RU module emulates the RS behavior with respect to GNSS data processing;
c) The TALS Server module emulates the behavior of the TALS Server. In particular starting from the raw measurements supplied by the RIM RUs and eventually available Wide Area Augmentation Systems it evaluates the SIS integrity and all those augmentation data provided to the on board receivers. A Virtual Reference Station emulation functionality is also included;
d) The Train motion generator evaluates the Kinematic data (i.e., position, velocity, and acceleration) of a set of Points of Interest (POI) on board of the train (e.g., head and end receivers' location);
e) The OBU GNSS Rx emulates the behavior of the GNSS receiver;
f) The GNSS Localization module emulates the behavior of the Location Determination System Functional unit. In particular it estimates:
• the Kinematics of specific POIs,
• the accuracy and integrity of the estimates themselves,
• eventual sensor failures,
• GNSS Rx internal clocks offsets.
g) The Train Integrity module evaluates the train integrity emulating the algorithms described in this contribution.

Figure 12. Train's track, from Roma Tuscolana to Zagarolo station.

The simulation scenario of the results reported here refers to a freight train that runs on a track, from “Roma Tuscolana” station to “Zagarolo” station (Rome, Italy). The track has a length of about 30 km, and is mainly running on a flat terrain with a few bends. Figure 12 shows the path of the train. Two trains have been considered i.e., (i) a train, consisting of 35 carriages, each of them 14.5 m long, with a total nominal distance between the two GNSS receivers of 500 m, and (ii) a longer train with 173 carriages, and a total nominal distance between the two GNSS receivers of 2.500 m. The shorter train was moving at constant speed of 108 km/h (i.e., v0 = 30 m/s), while the longer train was moving at constant speed of 80 km/h.
We assumed that the train control system is alerted when at least one carriage is decoupled from the rest of the train (i.e., train gap).
In the simulation setup a conservative approach has been adopted by assuming that the braking system of the wagons is not operating and the train is affected only by the rolling resistance $F_R$, then omitting the air resistance.
Rolling resistance arises due to friction between the wheel and the tracks. Two factors normally determine the rolling resistance of a vehicle i.e., (i) the weight, and (ii) the rolling resistance coefficient, $f_R$, which depends on the type of train/wagon involved.
For vehicles with stiff wheels, where wheels do not deform plastically, the general relation for rolling resistance $F_R$ with flat terrain is:

$$F_R = f_R \cdot m \cdot g \tag{75}$$

where $f_R$ is the rolling resistance coefficient (dimensionless), m [kg] is the mass of the train, and g [m/s²] is the gravity acceleration. Notice that (64) expresses the maximum rolling resistance i.e., it is computed in absence of slip between the wheel and the rails. For wagons, slip is very rare, since the wheels are not driven; on the other hand, slip can more likely occur with locomotives, especially under starting condition.
Thus, based on (64), the motion equation of the decoupled carriage on a flat terrain, implemented in the simulator is:

$$s = -\frac{1}{2} \frac{F_R}{m}\, t^2 + v_0\, t, \tag{76}$$

where $v_0$ is the train speed when the decoupling occurs.
In Table 1 the main parameters assumed in the simulation are reported.
In the following two cases, which reflect the main railway operative situations have been considered:
1. Gap free plus receiver noise (GF+RN): the train is integral. Satellite errors, propagation effects and thermal receiver noise are accounted for. In particular the receiver noise is modeled as a sample from a Gaussian process with mean equal to 0.1 m and standard deviation equal to 0.8 m i.e., N(0.1, 0.8);
2. Gap affected plus receiver noise (GA+RN): during the path, at least one carriage is decoupled from the rest of the train. Same error sources as in case GF+RN have been considered (Satellite errors, propagation effects and Gaussian thermal receiver noise mean equal to 0.1 m, and standard deviation equal to 0.8 m).

Figure 13. GF+RN case for (a) train length = 500 m, and (b) train length = 2500 m.

Figure 13 depicts the histograms of the estimation error of the mileage between receivers for the GF+RN case. In Figure 14, the normal probability plot of the empirical Cumulative Distribution of the estimation error is reported. In this kind of graph, the Normal Cumulative Distribution corresponds to a straight line. We can observe the distribution is practically Gaussian. In addition, there is no significant difference between the results corresponding to different train lengths.

Figure 14. Normal probability plot in GF+RN case, for (a) train length = 500 m, (b) train length = 2500 m.

Table 1. Simulation train dynamics parameters.

Train weight        1275 × 10^3 kg
Carriage weight     35 t
Locomotive weight   120 t
fR                  0.02
FR                  24.9 × 10^4 N

The gap occurs after 3 km run. The deceleration profile follows (65) so that the lost carriage stops after 150 s from the decoupling event.
As illustrated in Figure 15, where the mileage between the HoT and the EoT receiver for the longer train is reported, the simulation continues even after the lost carriage stops, so that the final distance between the receivers is about 25 km.

Figure 15. Mileage between receivers. Train length = 2500 m.

Figure 16. GA+RN case: (a) train length = 500 m, (b) train length = 2500 m.

Figure 17. Normal Probability plot: GA+RN case; (a) train length = 500 m, (b) train length = 2500 m.

Figure 18. Estimated mileage between receivers w.r.t. Ground Truth. (a) train length = 500 m, (b) train length = 2500 m. (Axes: elapsed time from beginning of simulation [s] vs. mileage between receivers [m]; curves: estimated and real mileage between receivers.)

Thus, the simulated scenario allows verifying the effectiveness of the algorithm approximations even with baseline length one order of magnitude greater than expected. Same situation applies to the shorter train.
The results on the train gap are shown in Figure 16 and Figure 17, which depict the histograms of the estimation error on the mileage between receivers, and Normal Probability Plots when a carriage is decoupled from the rest of the train.
In Figure 18 we depicted the estimated mileage between receivers (i.e. blue line) w.r.t. the real one (i.e. green line) in correspondence of the decoupling event (i.e. t = 100 s). It can be easily verified that the output of the proposed approach follows the receivers as expected.
The Normal Probability Plot of Figure 17 clearly indicates that the Gaussian model satisfactorily fits the empirical distribution only in its central part, with the empirical distribution exhibiting heavy tails.
In principle, the estimation error process, because its variance strictly depends on the number of visible satellites and on their position with respect to the receivers. The situation is evident from Figure 19 where the estimation error time-series of the longer train simulation is reported.

Figure 19. Estimation error time series. Train length = 2500 m. (Axes: elapsed time from beginning of simulation [s] vs. estimation error on mileage between receivers [m].)

Figure 20. Median filter estimation error empirical pdf. GA+RN case, train length = 2500 m. (Horizontal axis: mileage estimation error [m].)

Figure 21. Median filter estimation error, Normal Probability Plot. GA+RN case: train length = 2500 m.

Table 2. Statistics of simulation results.

Metric      GF+RN, L = 500 m   GF+RN, L = 2500 m   GA+RN, L = 500 m   GA+RN, L = 2500 m
Mean [m]    -0.002             0.002               0.08               0.07
Std [m]     0.82               0.84                0.93               0.94

In principle, the computation of the protection level accounts for the variations of the statistics of the estimation error.
Nevertheless, a partial mitigation of the hazard associated to the outliers, at the expense of a slight increase on the time to alert, can be obtained by introducing a median filter.
The effectiveness of this kind of mitigation can be appreciated from the plots of Figure 20 and 21 where the histograms of the estimation error on the mileage between receivers, and the Normal Probability Plots of its cumulative distribution when a median filter with 11 samples is introduced are shown.
Considering that, in the simulation the GNSS receivers operate at 10 Hz, a median filter with 11 samples introduces an additional delay of 0.5 s that can be considered quite acceptable.
As illustrated by the Normal Probability Plot, use of the median filter removes the heavy tails, and the actual empirical error statistics is well fitted by the Gaussian.
Moreover, the variance of the error after the application of the median filter is reduced.
Concerning statistics related to proposed scenarios, in Table 2 we reported the mean and the standard deviation of the estimation error.
Concerning the protection level for single ephemeris fault, we observe that in the performed simulations we had $\sigma_{dd\,Max} = 2$, $\gamma_{Max} \le 1$, $B = 50$ km. Therefore a SLOPE=0.14 can be employed for the numerical computation of PL.
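An added sketch (not the authors' simulator) of the decoupling scenario and the 11-sample median filter discussed above: the lost carriage follows (76), the length estimate carries the N(0.1, 0.8) receiver noise at 10 Hz, and an alert is raised when the estimate exceeds the nominal length by a threshold. The 6 m threshold, the isolated 10 m outliers that stand in for the heavy tails, g = 9.81 m/s² and the random seed are assumptions of this example.

```python
import random
import statistics

G = 9.81  # m/s^2, assumed value of the gravity acceleration

def stop_time(v0, f_r):
    """Time for the decoupled carriage to stop under rolling resistance only."""
    return v0 / (f_r * G)

def gap(t, v0, f_r):
    """Growth of the receiver distance t seconds after the split: the head keeps
    speed v0, the tail follows s = -0.5*(F_R/m)*t^2 + v0*t until it stops."""
    if t <= 0.0:
        return 0.0
    a = f_r * G                              # F_R / m = f_R * g, from Eq. (75)
    tc = min(t, v0 / a)                      # the tail does not move after stopping
    return v0 * t - (v0 * tc - 0.5 * a * tc * tc)

def median_filter(x, width=11):
    """Causal running median over the last `width` samples."""
    return [statistics.median(x[max(0, k - width + 1):k + 1]) for k in range(len(x))]

def filter_delay(width, rate_hz):
    """Delay of a running median of odd width: half a window."""
    return (width - 1) / 2.0 / rate_hz

def simulate(nominal=500.0, v0=30.0, f_r=0.02, rate_hz=10.0, t_split=100.0,
             duration=115.0, outlier_m=10.0, outlier_every=97, seed=2014):
    """Constructed data: truth, raw estimate and median-filtered estimate."""
    rng = random.Random(seed)
    t, truth, raw = [], [], []
    for k in range(int(duration * rate_hz)):
        tk = k / rate_hz
        noise = rng.gauss(0.1, 0.8)          # receiver noise N(0.1, 0.8) from the page
        if k % outlier_every == 50:          # isolated outliers with alternating sign
            noise += outlier_m if (k // outlier_every) % 2 == 0 else -outlier_m
        t.append(tk)
        truth.append(nominal + gap(tk - t_split, v0, f_r))
        raw.append(truth[-1] + noise)
    return t, truth, raw, median_filter(raw)

def first_alert(t, estimate, nominal, threshold):
    """First epoch at which the estimated length exceeds nominal + threshold."""
    for tk, x in zip(t, estimate):
        if x - nominal > threshold:
            return tk
    return None

if __name__ == "__main__":
    t, truth, raw, filt = simulate()
    print("carriage stops after %.1f s" % stop_time(30.0, 0.02))
    print("raw alert at t = %s s (outlier before the split at t = 100 s)"
          % first_alert(t, raw, 500.0, 6.0))
    print("filtered alert at t = %s s" % first_alert(t, filt, 500.0, 6.0))
```

With these constructed inputs the raw estimate trips the threshold on the first positive outlier, long before the split, while the filtered estimate alerts only once the gap has actually opened.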


In this paper an analytical model to evaluate the performance of the GNSS as a means to provide the train integrity function in the ERTMS-ETCS L3 system is presented. The protection level has been computed by starting with the formulation already known for the aviation safety of life application, and further characterized to take into account the railways environment. The use of two GNSS receivers coupled with a double-difference algorithm that explicitly accounts for the constrained train trajectory allows mitigating most of the SIS hazards. However, the railways environment is more challenging than the aviation operational scenario, and the multipath effects that represent an important hazard, must be counteracted with already consolidated solutions. The achieved results represent a basis to evaluate the use of the GNSS for the train integrity function and to realize a robust and cost effective system by combining GNSS technologies, including multiple constellation receivers, with other sensors (e.g. INS), for improving the availability and continuity performance. The methodology described in the paper provides evidence of the analytical characterization of the safety related parameters in order to limit the amount of validation tests and to contribute to the certification process.

Figure 22. Track Area Augmentation System deployment scheme (red dots denote RS locations).

Figure 23. Virtual Track Circuit vs Protection Level (red dots denote RS locations).

APPENDIX A
SLOPE UPPER BOUND

Without loss of generality, let us consider Figure 22, depicting the case of a Track Area Augmentation System surrounding the rail track, with RSs deployed at nodes of a regular grid. Let B be the distance between two adjacent RSs. For sake of simplicity let us assume that the track lies on a surface flat enough so that each track segment is coplanar with the surrounding RSs. This, in turn, implies that, given a baseline $\mathbf b$ between the EoT and the HoT receivers, at least 3 RSs, let us say m, p, q, exist so that, denoting with $\mathbf B_{m,n}$ the baseline between the m-th and the n-th RS, we can write

$$\mathbf b = \frac{b}{B} \left[ \cos\gamma\, \mathbf B_{m,p} + \sin\gamma\, \mathbf B_{m,q} \right]. \tag{A-1}$$

Then, the component $\mathbf b_{\perp \mathbf e^i_{Rx_E}}$ of the baseline orthogonal to the line of sight $\mathbf e_{Rx_E}$ can be rewritten as

$$\mathbf b^i_{\perp \mathbf e^i_{Rx_E}} = \frac{b}{B} \left\{ \cos\gamma \left( \mathbf B_{m,p} - \langle \mathbf e^i_{Rx_E}, \mathbf B_{m,p} \rangle\, \mathbf e^i_{Rx_E} \right) + \sin\gamma \left( \mathbf B_{m,q} - \langle \mathbf e^i_{Rx_E}, \mathbf B_{m,q} \rangle\, \mathbf e^i_{Rx_E} \right) \right\}. \tag{A-2}$$

In Figure 23 we depict the Virtual Track Circuit length vs. the Protection Level according to the Track Area Network deployment and the receivers baseline.

Denoting with $\mathbf B^i_{m,n \perp \mathbf e^i}$ the component of the baseline $\mathbf B_{m,n}$ orthogonal to the line of sight $\mathbf e^i_{RIM_n}$,

$$\mathbf B^i_{m,n \perp \mathbf e^i} = \mathbf B^i_{m,n} - \langle \mathbf e^i_{RIM_m}, \mathbf B^i_{m,n} \rangle\, \mathbf e^i_{RIM_m} \tag{A-3}$$

for a Track Area Augmentation System with RSs dense enough we can write

$$\mathbf b^i_{\perp \mathbf e^i_{Rx_E}} \cong \frac{b}{B} \left( \cos\gamma\, \mathbf B^i_{m,p \perp \mathbf e^i_{RIM_m}} + \sin\gamma\, \mathbf B^i_{m,q \perp \mathbf e^i_{RIM_m}} \right) \tag{A-4}$$

Substituting the above equation in (43), we have

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \cong \frac{b}{B} \left( \cos\gamma\, \frac{\langle \mathbf B^i_{m,p \perp \mathbf e^i}, \boldsymbol\beta_i \rangle}{r^i_{Rx_E}} + \sin\gamma\, \frac{\langle \mathbf B^i_{m,q \perp \mathbf e^i}, \boldsymbol\beta_i \rangle}{r^i_{Rx_E}} \right) \tag{A-5}$$

On the other hand,

$$2(\xi^2 + \eta^2) = (\xi + \eta)^2 + (\xi - \eta)^2 \ge (\xi + \eta)^2$$

$$2(\xi^2 + \eta^2) \ge (\xi \cos\gamma + \eta \sin\gamma)^2.$$

So that we can write

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \le \sqrt{2}\, \frac{b}{B} \left\{ \left[ \frac{\langle \mathbf B^i_{m,p \perp \mathbf e^i_{RIM_m}}, \boldsymbol\beta_i \rangle}{r^i_{Rx_E}} \right]^2 + \left[ \frac{\langle \mathbf B^i_{m,q \perp \mathbf e^i_{RIM_m}}, \boldsymbol\beta_i \rangle}{r^i_{Rx_E}} \right]^2 \right\}^{\frac{1}{2}} \tag{A-8}$$

Considering that the RSs employ identical receivers and that the baselines among them are relatively short, for each satellite the DDR variances $\sigma^2_{\overline{dd}^i_{n,m}}$ can be considered practically equal so that in the following we approximate $\sigma^2_{\overline{dd}^i_{n,m}}$ with its average value $\sigma^2_{\overline{dd}^i}$ i.e.,

$$\sigma^2_{\overline{dd}^i_{n,m}} \cong \sigma^2_{\overline{dd}^i}. \tag{A-9}$$

In addition the following approximation holds

$$r^i_{Rx_E} \cong r_{RIM}, \tag{A-10}$$

and we can restate the inequality (A-8) as follows

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \le \sqrt{2}\, \frac{b}{B}\, \sigma_{\overline{dd}^i} \left\{ \sum_{m=2}^{N_{RIM}} \frac{\langle \mathbf e^i_{RIM_1} - \mathbf e^i_{RIM_m}, \boldsymbol\beta_i \rangle^2}{\sigma^2_{\overline{dd}^i}} \right\}^{\frac{1}{2}} \tag{A-11}$$

or equivalently

$$\varepsilon^i_{\Delta SD}(\boldsymbol\beta_i) \le \sqrt{2}\, \frac{b}{B}\, \sigma_{\overline{dd}^i} \sqrt{\lambda(\boldsymbol\beta_i)} \tag{A-12}$$

q.e.d.

REFERENCES
[1] I. Mitchell, “Train Integrity is the Responsibility of the Railway Undertaking,” IRSE International Technical Committee. Available online.
[2] ERTMS (European Rail Traffic Management System):
Application Levels to Match Customers’ Needs, Factsheets. Available online.
[4] Federal Railroad Administration, Dept. of Transportation, “Track Safety Standards; Improving Rail Integrity,” published in the Federal Register on 01/24/2014, and available online at
[5] H. Scholten, R. Westenberg, and M. Schoemaker, “Sensing train integrity,” in Proc. of IEEE Sensors, pages 669-674, Los Alamitos, Oct. 2009.
[6] S. Oh, Y. Yoon, K. Kim, and Y. Kim, “Design of Train Integrity Monitoring System for Radio based Train Control System,” in Proc. of 12th International Conference on Control, Automation and Systems, Oct. 17-21, 2012, Jeju Island, Korea.
[7] R. Seiffert, “Train Integrity, making ETCS L3 happen,” IRSE International Technical Committee,
[8] K. M. Betts, T.J. Mitchell, D.L. Reed, S. Sloat, D.P. Stranghoener, and J.D. Wetherbee, “Development and Operational Testing of a Sub-meter Positive Train Localization System,” in Proc. of IEEE/ION PLANS 2014, Monterey, CA, May 2014, pp. 452-461.
[9] A. Neri, A. Filip, F. Rispoli, and A.M. Vegni, “An Analytical Evaluation for Hazardous Failure Rate in a Satellite-based Train Positioning System with Reference to the ERTMS Train Control Systems,” in Proc. of ION GNSS 2012, September 18-21, 2012, Nashville, TN, USA.
[10] A. Filip, J. Beugin, and J. Marais, “Safety Concept of Railway Signaling Based on Galileo Safety-of-Life Service,” COMPRAIL, Toledo, Spain, Sept 15-17, 2008, pp. 103-112.
[11] A. Neri, A.M. Vegni, and F. Rispoli, “A PVT Estimation for the ERTMS Train Control Systems in presence of Multiple Tracks,” in Proc. of ION GNSS 2013, September 16-20, 2013, Nashville, TN, USA.
[12] A. Filip, and F. Rispoli, “Safety concept of GNSS based train location determination system SIL 4 compliant for ERTMS/ETCS,” in Proc. of ENC-GNSS 2014, Rotterdam, Netherlands.
[13] V. Palma, P. Salvatori, C. Stallo, A. Coluccia, A. Neri, and F. Rispoli, “Performance Evaluation in terms of Accuracy Positioning of Local Augmentation and Integrity Monitoring Network for Railway Sector,” in Proc. of IEEE Intl. Workshop of Metrology for Aerospace, Benevento, Italy, May 2014.
[14] A. Neri, V. Palma, F. Rispoli, and A.M. Vegni, “Track Constrained PVT Estimation based on the Double-Difference Technique for Railway Applications,” in Proc. of EUSIPCO 2013, September 9-13, 2013, Marrakech, Morocco.
[15] J. Marais, M. Berbineau, O. Frimat, and J.-P. Franckart, “A new Satellite-based Fail-safe Train Control and Command for Low Density Railway Lines,” in Proc. of TILT conference, Lille, France, 2003.
[16] M. Joerger, S. Stevanovic, S. Khanafseh, and B. Pervan, “Differential RAIM and relative RAIM for orbit ephemeris fault detection,” in Proc. of Position Location and Navigation Symposium (PLANS), 2012 IEEE/ION, pp. 174-187, 23-26 April 2012.
[17] S. Matsumoto, S. Pullen, M. Rotkowitz, and B. Pervan, “GPS Ephemeris Verification for Local Area Augmentation System (LAAS) Ground Stations,” in Proc. of ION GPS 2009, September 14-17, 2009, Nashville, TN, USA.