ERTMS: SNCF experience and performance in France and in Europe (Thalys, TGV Dasye,

Euroduplex...): Tools and methods developed by the Rolling Stock Engineering Centre at
SNCF (CIM, Le Mans, France)

Authors

Diego Herrero Murillas. SNCF, Rolling Stock Engineering Centre (CIM), Le Mans (France)
Franck Bourgeteau. SNCF, Rolling Stock Engineering Centre (CIM), Le Mans (France)

1 Summary

The aim of this paper is to show SNCF Rolling Stock Department (CIM) experience in integration and
independent validation of complex systems as onboard ETCS, via the development of innovative
engineering methods, especially the ERTMS simulators at CIM with the associated delivery in due
time, reliability and cost reduction for better customer satisfaction.

The new organizational approach to specify, follow the industrial development and qualify an ETCS
onboard equipment leads to keep under control a complex software signalling system related to the
railway safety and to ensure the place into service in due time.

The detection and correction of errors during the execution of tests at CIM lab leads to:

 Continuously improve the expertise and the implementation of the control in both Bi-Standard
ERTMS/TVM and ERTMS/KVB products;
 Reduce the number of onboard tests and functional problems during commercial operation;
 Optimize research, non-regression tests and validation delays of software version.

The keys of success and the future challenges are described in the final part of this paper.

2 Introduction

SNCF experience shows that safety management is highly critical to today’s development of the
ETCS onboard unit and its integration in rolling stock. For each new railway application, safety can
only be ensured by replaying independently many verifications and tests. Each time a modification is
carried out on one of the ETCS subsystems (track-side or onboard), new tests are required to ensure
the safety and conformity of the complete ETCS system.

The SNCF Rolling Stock Department’s involvement in ETCS onboard equipment covers a large range
of technical tasks: specification, integration in the rolling stock, verification and validation, including
the development of tools and proof deliveries. The operator is also responsible for delivering the
technical dossier, according to CCS TSI, to the national safety authorities involved in issuing the
Authorisation for Placing in Service (APIS).

SNCF continuous feedback in ETCS onboard system and in the technical management process put in
place to obtain in due time the APIS speeds up safety, quality and technical improvement to ensure a
safe, reliable, cost-effective train operation (especially at the Rolling Stock Engineering Centre –
CIM);

3 Methodology and tools developed by SNCF – CIM

The implementation of ERTMS/ETCS in the different national networks has usually been more difficult
than expected, mainly due to the following reasons:

 Historically, each country has developed its own safety equilibrium between track and
onboard signalling sub-systems and driving rules; consequently, it has edited its own national
specifications, which have an important impact on safety;
 ERTMS deployment depends on several aspects outside the pure technical issues, such as
budget or political reasons meaning that the transition period towards a full ERTMS
 deployment in Europe will be quite long. So, it has to take into account present national
signalling systems that will still be maintained in service during this transition period;
 The opening of the competitor market has introduced new issues related to organization of
the historical firms;
 Finally, a growth of the technical complexity of the new signalling systems that shall operate
at European level and consequently fulfil greater number of requirements (different rules,
regulations, functions, onboard and track interfaces, etc.).

In fact, the ETCS onboard subsystem is a greater complex system compared to previous national
class B signalling systems.

Therefore, SNCF CIM decided to improve its “classical” methods and tools to facilitate the
implementation and ensure the success of ETCS systems. Two of them are described below.

3.1 SNCF improvements to V-Model: Key success factors

Figure 1 shows the five main organizational improvements the SNCF Rolling Stock Department (CIM)
implemented in the V-Model development process.

TSI Commercial operation

1

SNCF specifications
NoBo APIS

Independent
safety Analysis
“System”
5 team
and tests
4

Support of Support of
technical technical
“System” “System”
team at CIM
2 team at CIM 3

Manufacturer development

Figure 1: SNCF improvements to V-Model

Legend:
Basic, theoretical V-cycle
Improved SNCF V-cycle for ETCS (complex system): “System and Independent Approach”

1. Further SNCF specifications are needed to fill in the gaps in TSI specifications, to take into
account national requirements of the different European countries where SNCF trains
operate and to integrate the feedback;
2. Support of an independent railway expert technical team at CIM to manufacturer to
exchange and answer questions regarding the requirements defined by TSI and SNCF
 specifications. Rolling Stock and Infrastructure Engineering Centres work together in order to
have a global system approach and analysis of the whole ETCS track/onboard system, from
the design level system stage. These technical teams are the same during all the V-cycle;
3. Put in place of these independent teams to verify, check and validate the development of the
products by the manufacturer and solve quickly any new detected problems;
4. Analysis and tests (see §3.2 below for further details):
a. Examination of the design technical documents;
b. Tests on platform and simulator;
c. Tests on a dedicated ERTMS train, with a possibility of simulate other trains running
in front of the test train;
d. Tests on a real TGV over HSLs.
5. Independent railway expert team dedicated only to safety who deals with safety aspects and
exported constraints to infrastructure, maintenance, operation or driving, and ensures a
railway system approach of problem-solving and not only at the level of the onboard
subsystem (i.e. Rolling Stock).

3.2 Execution of interoperability tests at lab, in order to reduce tests in lines already in
commercial operation, with the associated reduction of cost and human resources.

SNCF CIM has developed its own testing scenarios based on feedback for Bi-standard TVM and KVB
systems in order to do the activities needed for validation of the different versions of ERTMS
equipments and to analyse the failures found during the tests campaigns or commercial operations.
This validation task is done independently from manufacturers by railway expert engineers.

The registered information in the JRU (Juridical Recorder Unit) and via Simulate tool is analysed by
CIM. It is essential for the analysis of the results. This approach is being applied in order to
demonstrate the validation and cost reduction and also to minimize the upgrade and retrofit
constraints and validation cost.

It has thus been decided to separate ERTMS qualification in several steps:

 Examination of the design technical documents;

 Tests on platform and simulator;
 Tests on a dedicated ERTMS train, with a possibility of simulate other trains running in front of
the test train;
 Tests on a real TGV over HSLs.

The test platform developed by CIM (figure 2) with the onboard and track equipment (with the
environment simulator) has been included in specifications of adjudications.

This important step allows testing the system before the completeness of the real line and thus save
time and money to qualify and analyse ERTMS issues.

Validation scenarios are run by moving the train on a

fictitious track; this theoretical track allows testing all
signalling functions foreseen in the test plan.

These functions are tested in three configurations:

 Nominal modes: Free track with nominal

reductions in speed and operational itineraries;
 Particular modes: The system is not broken down
but the situations are not usually utilized: override
EoA, backwards movements, etc.;
 Degraded modes: A part of the system is faulty.

It is necessary to point out the importance of performing train-track integration tests in a laboratory in
order to reduce testing on real track with the associated reduction of cost and human resources.
Among tests types, there are:

 Unit tests, made in order to check that each module can operate without error;
 Functional tests, made by a specialist in order to make sure that functional requirements are
met;
 Product tests, run in order to make sure that the component operates correctly.

Whatever the type of test is, this kind of activity includes at least three steps:

 Defining specifications models;

 Generating tests based on those models;
 Interpreting returned results for cover measurement.

To finish, the development of platform tests helps SNCF to the qualification of the system and to
detect and correct design issues (dozens of issues detected and corrected), independently from the
manufacturers.

Figure 2: Architecture of the test lab at CIM

4 Success

 Onboard ETCS incidents per Mkm decrease significantly from the initial placing in
service until today.

Milestones:

• June 2007: TGV POS (Bi-Standard ERTMS/TVM ; TVM and transitions between
national safety systems);
• September 2008: Thalys (Bi-Standard ERTMS/TVM ; TVM and transitions between
national safety systems;
• December 2009: Thalys (ERTMS operation in Belgium and the Netherlands);
• December 2010: Dasye (ERTMS operation between France and Spain).
 Bi-Standard ERTMS/TVM

700 12
640

600
10 10

500
8 8
Incidents / Mkm

400
6 Failures / Mkm
6
5
300

4
200
Incidents / Mkm
150

100 1,5 2 2
100

20
0 0
v7.2.3.2 v7.2.3.3 v7.2.3.4 v7.2.3.4 v7.2.4.5 v7.2.4.5
Thalys (Dec. Thalys Dasye (Aug. Thalys (Dec. Thalys (Sept. Dasye (Sept.
2009) (March 2010) 2010) 2010) 2012) 2012)
Improvement Milestones

 Transitions management of several safety equipments (ERTMS levels, national

systems…), especially on Thalys trains.

On international trains such as Thalys, onboard equipment for several national control-command
systems has been installed. A train crossing several European countries must switch to the control-
command systems in the country it crosses. One of the goals of ERTMS is to facilitate the
interoperability between the EU member states.

 Reduction of ETCS cost and incidents projects.

The execution of part of the qualification tests in lab reaches an important percentage of the whole set
of tests. It has been estimated that the methods and tools developed by SNCF CIM, such as
qualification tests execution at lab, reduces cost and time in main aspects:

 Reduction of 10 days of downtime for stationary tests on trains (for each version);
 Reduction of on-track trials (several hundreds of thousands Euros saved for each version);
 Speed up the European cross-acceptance issues to obtain the APIS from each concerned
country and validate operational rules;
 ETCS onboard system placed in service in due time according the customer request.

An example of a success in ERTMS cross acceptance has been the opening of the connection
between Perpignan and Figueras in December 2010. This was the first step to link Paris and Madrid
with France once the section between Barcelona and Figueras has been finalized this year.

 Test lab.

A NoBo (Certifer) has carried out an audit on the simulator for the compliance of SNCF to the French
and European relevant standards or regulations (no non-compliance).

This platform has also been used for assistance to APIS via a presentation to the French National
Safety Authority (EPSF) about issues related to Start of Mission procedure.

5 New challenges

 Signalling rail interoperability, despite the non-stability of ETCS specifications:

Migration of lines and trains to version 2.3.0d (backwards compatible), including
 placing in service of ERTMS Level 2 on LGV EE line and Level 1 on Corridor, which will
allow benefiting from the advantages of these levels as speed and capacity increase.

An important challenge is the migration process of the current high speed lines equipped with version
Corridor 2007 of the SRS (subset 026 v2.2.2 plus subset 108 v1.0.0 plus some Design Choice
Change Request) to v2.3.0d, which will be the base and backwards compatible version. At the time
being, lines HSL Zuid, L4, and L3 are equipped with Corridor 2007 and LGV EE, TP Ferro and Adif
(for Figueras – Barcelona lines) are equipped with v2.3.0d.

It is thus essential to define a strategy to allow the change of both the trains and the track to future
versions. This process is quite complex if we want to reduce the impact in the commercial operation.

 Formal methods to be developed within the framework of openETCS project.

The purpose of the openETCS project is to develop an integrated modelling, development, validation
and testing framework for leveraging the cost-efficient and reliable implementation of ETCS. The
framework will provide a holistic tool chain across the whole development process of ETCS software.
The tool chain will support the formal specification and verification of the ETCS system requirements,
the automatic and ETCS compliant code generation and validation, and the model-based test case
generation and execution.

OpenETCS is a European research project to promote standardization of the development of ETCS

systems via formal methods, whose main target is to propose a new approach to developing onboard
ETCS to overcome the increased cost and safety management issues encountered during the first
steps of migration, for example as experienced by the Thalys project. Among others, testing methods
and the independent approach described in §3.1 would be implemented more easily.

It is an Open Source approach with five goals:

 Formalization of SRS [SUBSET-026] in a formal model.

 Definition of processes and methods needed for safety validation of the model.
 Application of safety activities on subsections of the project to validate the methodology.
 Definition of a tool chain allowing the application of this methodology, from the specification to
source code generation and functional validation. This chain shall be compliant with the
standards in force (EN 50128) and SIL4 certified.
 Design of an executable simulator to be run on a platform for laboratory tests.

The SNCF Rolling Stock Department (CIM) participates actively in this openETCS project.

In fact, the ETCS onboard subsystem exhibits what systems theorists call “organized complexity”
(figure 3). Indeed, the ETCS onboard subsystem is complex software system-safety relevant for the
railway sector that classical tools and methodology are not sufficient to tackle easily.

Figure 3: Organised complexity (Gerald Weinberg, An Introduction to General Systems Thinking, John Wiley, 1975)

For the railway sector, a new approach based on systems theory is now requested.