Colored Petri Net Model for Discrete System Communication ... - ijssst

2014 UKSim-AMSS 16th International Conference on Computer Modelling and Simulation

Colored Petri Net Model for Discrete System Communication Management on the European Rail Traffic Management System (ERTMS) Level 2

Adnen El Amraoui

Khaled Mesghouni

Laboratoire LAGIS-CNRS Ecole Centrale de Lille (EC-Lille) Villeneuve d’Ascq, France [email protected]; [email protected]

Laboratoire LAGIS-CNRS Ecole Centrale de Lille (EC-Lille) Villeneuve d’Ascq, France [email protected];

(ERTMS/ETCS) [1]. Thus, the ERTMS/ETCS systems have been widely studied ([2], [3], [4], [5], [6]) and several formal models have been proposed ([7], [8], [9], [10], [11]). It is important to note that there are more than twenty different train control systems across the European rail network (Compendium on ERTMS, 2009), which impede the interoperability and the costs decrease. Among these works on formel models, one can remark the work of Dhahbi et al. [10] and Sun et al. [11]. In [10], the authors propose a colored Petri nets model of the train movement and its system localization in a raileway track equipped with ERTMS level 2. Moreover, their model includes the interaction between train and Eurobalises (equipments fixed on the track). Besides, Sun et al. [11] introduce a new Hierarchical Coloured Petri Net (HCPN) model for a Railway Intrlocking System (RIS). They present also a case study where a zone of normal station is under French interlocking rules. This paper aims at presenting a first coloured Petri net model of the system communication exchange between a train and its Control Center. This model highlights three important concepts of net theory and which are concurrency, conflict and causal dependency. Following to these introductory remarks, Section 2 and Section 3 are devoted to present an overview on the ERTMS/ETCS systems and on colored Petri net modelling tool respectively. Section 4 details the CPN model. Section 5 discusses the simulation parameters and results. Conclusion remarks as well as future work issues are presented in Section 6.

Abstract—The European Rail Traffic Management System ERTMS aims to permit safe and interoperable operation of the European railway traffic (Council directive, 1996). Traffic safety depends closely on the position and the movement of trains, precisely related to the reliability of data transmission. This paper focuses on the train communication system management of the ERTMS Level 2. This communication is ensured by a radio system labelled: Global System for Mobile Communications-Railway (GSM-R). The presented work gives an overview of the ERTMS and describes a Coloured Petri Net model of the data communication system management. This model is validated by simulations and will be extended to more complex configuration integrating information losses. Keywords- ERTMS Level 2, CPN model, Data management, Safe traffic.

I.

INTRODUCTION

One of the consequences of the permanent growth of populations is the increase of the necessity of movement and transport of people and goods between cities and countries. This fact drives to improve the train companies’ services, such as the increase of the train networks and the improving of train technology. In this context, a big attention has been allowed to railway signalling system; and several railway signalling technologies (called Automatic Train Control) have been developed in different countries at different times. This consideration designs to ensure travellers and train safety. In fact, the railway signalling system aims to maintain the safety distance between consecutive trains on the same track, to respect the train movement priorities at junctions and to ensure the train traffic regulation. Aware that train movement depends on the other trains movements and that train is not able to manage itself without any data about the state of the railway traffic, an accurate train state and position data is essential. Concerned about the incompatibility between Automatic Train Control (ATC) systems and the increase of operational and maintenance costs of running such systems; the European Commission (EC) is encouraging the international standardisation of ATC systems on the European Rail Traffic Management System/European Train Control System

978-1-4799-4923-6/14 $31.00 © 2014 IEEE DOI 10.1109/UKSim.2014.110

II.

OVERVIEW ON ERTMS/ETCS

As stated in the previous section, a reliable communication between the personnel on the ground and the driver on the train is ensured by the way of the railway signalling systems. Our focus will concern ERTMS/ETCS. This system operates through the communication between two subsystems, an on-board subsystem and a line side subsystem. The communication between these two subsystems is either punctual or continuous, depending on the ERTMS level.

247

x Euroradio: applies the Euroradio Protocol to encode the message sent by the RBC and decode the messages received from it.

Figure 1 illustrates the architecture of the ERTMS/ETCS and its interface with the GSM-R and signalling subsystems.

x Odometry: provides train location information (i.e. position, speed and driving direction) to the EVC using speed sensors. x MMI (Main Machine Interface) or DMI (Driver Machine Interface): defines the interface between onboard equipments and the driver. Figure 2 illustrates the ERTMS MMI and the information displayed on it. x BTM (Balise Transmission Module) and LTM (Loop Transmission Module): used to manage the messages between the train and the Eurobalise and the Euroloop respectively.

Figure 1. ERTMS/ETCS equipment architecture.

The Eurobalise, Euroloop and Euroradio are the components which ensure the data exchange between the onboard and the trackside assemblies. Moreover, two distinct Control-Command Assemblies are to be distinguished: the onboard and the trackside, as detailed as follows.

Figure 2. ERTMS Man Machine Interface.

Notice - it is important to mention that the composition of the onboard and the trackside assemblies are closely depending on the ERTMS level. ERTMS levels are presented in the third subsection.

B. Trackside ERTMS/ETCS Control-Command Assembly ERTMS/ETCS assembly can be composed by: x Eurobalise: is transmission equipment installed in the track. It ensures the transmission of data to the onboard ERTM/ETCS when a train passes over it. This data can be constant or variable, depending on ERTMS level.

A. Onboard ERTMS/ETCS Control-Command Assembly The onboard ERTMS/ETCS assembly can be composed by:

x Euroloop: allows the transmission of additional data.

x Kernel (or EVC): computer-based systems exchanges messages between the onboard sub-systems and the trackside systems in order to supervise the train movement.

x LEU (Lineside Electronic Unit): is a connection equipement used to join Eurobalises and Euroloops to the signalling system. It calculates the variable data coming from Eurobalise and transmitted to the train.

x GSM-R: used for bi-directional exchange of data (or messages) via the GSM-R network between the onboard sub-system and the RBC.

x RIU (Radio Infill Unit): used in ERTMS level 1 (see C subsection) sends additional data using radio channel. x GSM-R Trackside radio: distributed along the railway lines and used to ensure the message exchange between the onboard and the RBC, from both sides.

x Jur. Recording: records data coming from the onboard ERTMS/ETCS which can be explored when a hazardous event happens.

x RBC (Radio Bloc Center): is a computer-based system. It calculates the variable data to be sent to train via radio.

x TIU (Train Interface Unit): used to allow the onboard ERTMS/ETCS assembly to interface with train systems.

248

x KMC (Key Management Center): used to manage the configuration and the deployment of the cryptographic keys indispensable to ensure the communication between the onboard and trackside ERTMS/ETCS assemblies. As explained previously, these components are depending on the application of the ERTMS. Three levels are distinguished in addition to Level 0 and Specific Transmission Module Level (STML). But, before presenting these levels, let’s enumerate the most important advantages of the ERTMS:

Figure 3. ERTMS/ETCS application level 1.

x ERTMS Level 2: It is a signaling and safety railways system based on digital radio communication. Unlike Level 1, the movement authority is displayed on board for this level and so the external signal installations become useless. Nevertheless, controlling railways occupancy state and train integrity remain deployed on the ground. (ERTMS/ETCS - Baseline 3) [12-13]. In level 2, the central station (Radio Block Center) is permanently controling trains movement thanks to regular sent train report. Therefore, a movement authority is transmitted constantly to trains via GSM-R. The EuroBalises are used to define the right train position and then to correct any possible measurement errors. All information, received via radio and Eurobalises, is treated on-board and then presented to the driver on the MMI. Transmitted data and speed limit are regularly controlled by the on-board computer.

x Ensures the interoperability of high-speed lines throughout Europe. x Assures a standardization of the railway control systems and then decreases equipments and operational costs as well as loosing times. x Improves global railway safety. C. ERTMS Levels’ This subsection aims to provide a brief description of the previous mentioned ERTMS Levels. x ERTMS Level 0: the movement authority is given by the lineside signals and only speed supervision information is displayed on the MMI. x ERTMS STM Level: It is used to allow an ETCS equipped train to run on routes that are fitted with national train protection systems. In this level, the use of lineside signals depends on the implementation of the national train protection systems. Moreover, the level of supervision provided by level STM is depending on the national protection system. (ERTMS/ETCS - Baseline 3) [12-13]. x ERTMS Level 1: The lineside electronic units (LEU: Lineside Electronics Unit) is used to send data information to the system on-board (EVC). It receives data from the control and command center and transmits them to the on-board calculator via Eurobalises. Some of these useful data, needed to conduct the train (i.e. speed limit), are displayed on the MMI (Man Machine Interface). Furthermore, in ERTMS Level 1, the lineside signals are capital to indicate authority to move to the train driver (see Figure 3). This permission is given when the cantons are free. This principle is known in literature as fixed cantons principle. (ERTMS/ETCS - Baseline 3) [12-13].

Figure 4. ERTMS/ETCS application level 2.

x ERTMS Level 3: This Level is still under developing. It aims to use radio signals to control trains spacing. Similarly to level 2, trains use eurobalises and sensors (accelerometer, radar…etc) to locate. Each defined position can be verified at any time by transmitting location message to the control center. Consequently, a movement authority can be transmitted to next trains and thus the principle of fixed cantons is no longer applied.

249

the system architecture but its temporal evolution and reaction during simulation. [15] The Petri net model represents the various connections between entities of the process. For each configuration (discrete state), a set of equations can be integrated and associated to a place to model continuous phenomenon. Moreover, the colored property of Petri net (known in literature as: colored Petri net (CPN)) allows the token place due to the association of a color (value) with them, and the value of token can be manipulated and tested with “Meta Language” during arcs, transitions and guards. For all of these reasons, we choose the CPN tool to model the system communication management in ERTMS Level 2. Figure 5. ERTMS/ETCS application level 3.

IV.

It is important to notice that when the release of the traffic lane can be supplied continuously and localization is performed frequently enough, the spacing between trains can be closed to the distance of absolute safety (Moving Block). Solutions for effective monitoring of the train integrity are very expensive and will be excluded for the old rolling stock of freight traffic. III.

MODEL DESCRIPTION

The studied system concerns the second level of the signalling system ERTMS. In this case, trains are reporting automatically, at regular time intervals, their position and travel direction to the central station (Control Center). Besides, this station is controlling trains movement continuously by sending permanently movement authority to trains via GSM-R. Thus, the system safety is closely depending on the data communication management system between the train and the central station. Figure 6 illustrates the proposed model of the data communication management between the train and the control center. This model is validated by simulation using CPN tools and each model sub-part is detailed in the following.

COLORED PETRI NETS

Petri nets represent a powerful tool to approach several kinds of discrete event systems. They have gained much attention and success due to their simplicity. Indeed, mathematical models are simple to elaborate and graphical representations are compact and easy to understand. [14]

Figure 6. Modelling data communication management between train and control center.

In this model, there are two communication managers (CM): the train and the control center. Each one of them has to send messages for the other regularly to ensure safety.

These modeling tools become one of the most popular used tools for modeling discrete event systems for different phenomena. Moreover, they are able to model either static structure or dynamic behavior. So, they allow us to examine

250

Using the Euroradio components, the train code the data (i.e. speed, position, direction …) received from sensors and send it to the control center. When it is received, an acknowledgment is sent to the train (Euroradio) via GSM-R network. Afterward, the control center treats the received data and sends a message to the train on the movement authority. This part of the model is illustrated by figure 7.

Online and takes end when it get back to Offline state (see figure 9). This duration defines the time response of the system and gives us an idea about the length of considered safety duration’s.

Figure 7. Data management.

Figure 9. System communication evolution.

Initially, we suppose that all the communication managers (train and control center) CM all() are inactive. Then, the sender (the train for example) code and send the collected data. At this time, its state changes to waiting. While, the receiver (the control center) still inactive, received the onborad messages, treats them and send acknowledgments to the sender. At the end of this cycle, the two communication managers get back to the inactive state (see figure 7). Unused is the first state of the messages to be sent. They are coded and sent to the receiver. At reception, acknowledgments are received by the sender and the messages get back to their first state (see figure 8).

V.

SIMULATION

In this section, we propose to explain the CPN model declarations. We use a constant nbr, fixed to two, to define the number of communication managers, which are limited in this ERTMS Level to the train and the control center. For future ERTMS levels (>2) the set of communication managers may include other trains mooving in the same track network. Instead of having to change a lot of declarations and net inscriptions due to the increse of the number of these communication managers, we have just to change the value of the constant nbr. Besides, several colour sets are defined for the model. The first one is CM. It is used to declare an indexed coulour sets in the aim to make the declaration independent of the value of nbr. The function CM.all() is used to generate the multi-set containing a single appearance of each element in CM. It is used for the initialization expression of the inactive state. The second colour set is MES. But, beforehand let’s declare a coulour set CP as the cartesien product of CM with itself. Thus, a new function CM.mult is automatically declared by the CPN compiler. Moreover, we declare a new function with two parameters as inputs. Its role consists on checking if these parameters are different or not. Reaching this step, it becomes easy to declare MES as a subset of CP which contains exactly two arguments coming from two different communication managers (as tested by the new declared function). The third defined colour set is E. It is used hear similarly to a ressource allocation system.

Figure 8. Messages state evolution.

After each message pack exchange, the system come back to its initial state. We define this duration by a communication cycle. It starts when the system become

251

REFERENCES

Finally, using the CP coulour set, we define a new function Mes, matching communication managers to multisets of messages. And we declare s and r of type CM. The simulation has shown the effectiveness of this first model, where during the simulation steps not any error has been detected. Indeed, several errors can be happen during the communication management process and for safety reasons, we have to detect them. As follows, we propose to enumerate some direct and indirect errors related to communication system management.

[1]

[2]

[3]

[4]

1) Partial loss of the message. Causes related to this error are: - Problem of transmission or reception (interference) - Dysfunction of the balise detection system - Dysfunction of the positioning balise group

[5]

[6]

While the first cause is temporary, the two other can last longer and can generate important errors in the train positionning system. Thus, the instruments onboard must consider them when it is estimating the position of the train.

[7]

[8]

2) Total loss of the message Causes related to this error are: - Dysfunction of the transmission system - Dysfunction of the balise detection system - Dysfunction of the positioning balise group All these causes can be due to bad devices maintenance. Moreover, in the absence of subordinate communication system, the train is not allowed to continu its travel. VI.

[9]

[10]

[11]

[12]

CONCLUSION

Several studies on the ERTMS system Level 2 have been carried out and more precisely on the train location systems. However, the safety component is still relevant. For this reason, we propose in this paper a first colored Petri-net model for the communication system management of the signalling system ERTMS level 2. This model is validated using CPN-tools Software and will be extended in future work to more complex configurations integrating information losses and uncertainties.

[13]

[14]

[15]

ACKNOWLEDGEMENTS This research was supported in part by the engineering school “Ecole Centrale de Lille (EC-Lille)” under a grant from the European Research Project, named “Performing Enhanced Railway Formal Engineering Constraints Traceability (PERFECT)”.

252

Council directive 96/48/EC of 23 July 1996 on the interoperability of the trans-European high-speed rail system [Official journal L 235 du 17.09.1996]. Abed, S. K. (2010). European Rail Traffic Management System – An Overview. Iraq J. Electrical and Electronic Engineering, 6 (2), 172179. B. Cai, J. Wang, Q. Yin, and J. Liu, “A GNSS Based Slide and Slip Detection Method for Train Positioning”, Asia-Pacific Conference on Information Processing, Shenzhen, 2009. F. Senesi, and E. Marzilli, “European Train Control System – Development and implementation in Italy”, Published by CIFI – College of Italian Railway Engineers, 2007. J. Trowitzsch, and A. Zimmermann, “Using UML state machines and Petri nets for the quantitative investigation of ETCS”, 1st international conference on Performance Evaluation Methodologies and Tools, Pisa, 2006. A. Zimmermann and G. Hommel, G., “Towards modelling and evaluation of ETCS real-time communication and operation”, Journal of Systems and Software, vol. 77, pp.47-54, 2005. M. Antoni, “Formal Validation Method for Computerized Railway Interlocking Systems”, Computers and Industrial Engineering, pp.1532-1541, 2009. M. Antoni and N. Ammad, “Formal validation method and tools for french computerized railway interlocking systems”, 4th International Conference on Railway Condition Monitoring, 2008. P. Barger, W. Schön and M. Bouali, “A study of railway ERTMS safety Colored Petri Nets”, The European Safety and Reliability Conference, Prague, 2009. S. Dhahbi, A. Abbas-Turki and A. El Moudni, “On the ERTMS Level 2 degraded mode: colored Petri net model for discrete point positioning system”, IEEE Joint Rail Conference, JRC 2012, Philadelphia, 2012. P. Sun, S. Collart-Dutilleul and P. Bon, “Formal modelling methodology of French Railway Interlocking System via HCPN”, Transport Research Arena (TRA 2014), Paris, 2014. ERTMS/ETCS - Baseline 3, “System Requirements Specification”, Chapter 3, Principles. Subset-026-3, Issue 3.0.0. 23, Decembre 2008. ERTMS/ETCS - Baseline 3, “System Requirements Specification”, Chapter 4, Modes and Transitions. Subset-026-4, Issue 3.0.0. 23, Decembre 2008. K. Jensen, L.M. Kristesen and L. Wells, “Colored Pteri Nets and CPN Tools for Modeling and Validation of Concurrent Systems”, International Journal on Software Tools for Technology Transfer (STTT), vol. 9, pp.213-254, 2007. M. Westergaard and L.M. Kristensen, “The Access/CPN Framework: A Tool for Interacting with the CPN Tools Simulator”, The 30th International Conference on Applications and Theory of Petri Nets, Berlin, 2009.