Wider aspects of deceleration supervision in ERTMS/ETCS

This paper gives basic information on the implementation of the ETCS system in the Czech Republic, in particular its influence on railway operation. It also describes the principles of an automatic train protection system with full speed supervision and the specifics of the speed-monitoring experience gained so far. The final sections outline some principles of braking-curve calculation.


Introduction
The ETCS L2 implementation projects currently carried out by the Railway Infrastructure Administration of the Czech Republic (further SŽDC), i.e. in an environment with basically no previous experience of operating an automatic train protection (further ATP) system with full speed supervision, bring aspects that are either new or not very well known. A significant part of these aspects share a common denominator: the transfer of responsibility from a human to a technical device. Being an ATP system with full speed supervision, ETCS as a technical device is responsible for ensuring that the vehicle does not exceed the limit parameters, i.e. the maximum allowed speed at the given position and the furthest position to which movement of the vehicle is allowed. (Note: this is the main safety objective of the ETCS implementation; the other ETCS features are implemented either to achieve this safety objective or to ensure interoperability.) However, depending on how the ATP system with full speed supervision is implemented, this transfer of responsibility can lead to operating restrictions compared with the situation before the implementation.
This article presents certain aspects of the introduction of deceleration supervision, or stopping supervision, as key safety and operational aspects of the ETCS implementation, adding or emphasising relevant facts to broaden the context of the operational impacts of ETCS and their solutions.

Automatic Train Protection systems
In principle, the general purpose of railway signalling systems is to limit the behaviour, or commands, of operators to a subset and sequence which are allowed in the given operational context, i.e. which do not represent a direct risk to safety. In this regard, it is natural that the introduction of supervision functions in technical devices can limit the operational flexibility until now achieved only thanks to the skilfulness, dexterity and responsibility of the operator. Furthermore, as is well known, a defining technical feature of railway signalling systems is that they limit operation (more precisely, the degree of authority) in the absence of operational or technical information, or where the system loses functionality due to a failure. This is the fail-safe principle: fail-safe means safe in the case of failure. Besides railway signalling, these principles are applied in the chemical industry in the processing and manufacturing of dangerous substances, partly in the nuclear industry, and recently also in industrial automation in general, where applying fail-safe technologies increases both production quality and health and safety at work. Even though it is logical and natural, it should be pointed out that a signalling system can only be responsible for those aspects of railway operation, and can only perform those supervision functions, for which it has the necessary information and for which unambiguous decision and calculation algorithms can be determined.
As for ATP systems, in particular those with full speed supervision, speed reduction and stopping fall fully within their responsibility. They must therefore be able to supervise and ensure a timely deceleration of the vehicle (train, train unit) so that it does not exceed the limit speed at the given position, or comes to a standstill at the given position at the latest.
Based on the information available to the ATP system (both "online", i.e. current operational and technical data, and "offline", i.e. configuration parameters), it has to assume the most unfavourable conditions (the worst case) for deceleration supervision. If some information is not available to the ATP system at all, or only with limited accuracy, it has to assume that the actual value is neither better than nor equal to the average, but worse, meaning that the braking effect is generally assumed to be lower and the deceleration distance longer. In particular, the system has to consider a probability distribution with a mean (i.e. average) value and other parameters, where the mean value is definitely not the correct representative of a safety parameter. The choice of a "sufficiently safe" deviation from the mean depends on the acceptable risk that the deceleration distance will be longer, and by how much. (In addition to this quantitative approach to safety assessment, qualitative approaches as referred to in [1] also have to be applied.) An ideal ATP system with full speed supervision would be a machine with the qualities of an experienced train driver, taking into account not only speed and distance but also other information affecting the vehicle's braking, typically weather or adhesion conditions, train composition and the qualities of the material transported (e.g. partly filled tank cars); this train driver would be concentrated in all circumstances and basically infallible. A real ATP system can be implemented so that, with the necessary safety integrity level (put simply, with an astronomically low probability of failure), it is concentrated and infallible. Experience, however, can only be algorithmised to a very limited extent (for instance feedback on the current braking effect of the service brake to evaluate the need to use the emergency brake), and some information is completely unavailable (e.g. weather conditions leading to lower adhesion). (Experience, as a phenomenon attached to living creatures, is examined in relation to the possible development of artificial intelligence. However, as far as the transfer of responsibility for safety, not only in transport, is concerned, artificial intelligence is a thing of the future, and according to the authors of this article a rather distant future.)
If a real ATP system with full speed supervision is to take on this responsibility, it has to algorithmise more critical braking curves than those a vehicle is able to achieve in normal operation in most situations, i.e. in nominal (average) situations. In this way the ATP system will "act" responsibly also in non-nominal situations, i.e. under critical braking conditions. The difference between the braking curves is shown in Fig. 1. Historically, based on the information available to the authors, it appears that the responsibility has never been assumed by an ATP system without negatively affecting the performance parameters of railway operation, compared with the situation where the responsibility, together with the responsibility for distinguishing between nominal and critical situations, remains with the driver.
However, operational performance is designed for nominal situations! When implementing ATP systems with full speed supervision, two approaches can be (and logically are) applied:
• Railway operation performance is designed for critical situations, i.e. for critical braking curves. It is thus expected that deceleration supervision will (or can) lead to a longer braking distance to standstill and a longer time needed to stop the vehicle. Note: in practice this means providing sufficiently long station tracks (Fig. 2) or overlap sections behind the stopping point (Fig. 3).
• At a certain phase of deceleration supervision, the responsibility for speed reduction or stopping is fully or partly transferred to the driver, in a controlled manner and with the driver's active participation, to reduce the negative impact on operational performance of the missing information and/or missing "experience algorithms" in the ATP system. Note: in practice this means introducing a release speed, below which the driver can take over responsibility (Fig. 4).
Both approaches are commonly combined. The possibility of transferring responsibility to the operator is crucial in intermittent ATP systems. Where deceleration information can only be transmitted at one or a few specified positions (equipped with the relevant transmission device), usually close to the stopping position, the possibility of release from supervision is critical from the operational point of view.

Current operational conditions and safety restrictions
The current relevant SŽDC operational conditions and safety restrictions are the following:
• The length of the station tracks almost corresponds to the maximum length of the trains operated.
• Minimisation of operational intervals (a logical and justified requirement of the railway undertakings, leading to corresponding efforts by the infrastructure manager).
• Stopping before a given position falls fully within the responsibility of the train driver. (Through a signalling device, the current LS train protection system safely indicates information, on four levels, about the line ahead of the vehicle, and according to this information, or changes to it, and the current vehicle speed it expects or does not expect an intervention by the train driver, otherwise intervening itself by initiating emergency braking. The system is thus responsible, in accordance with fail-safe principles, for indicating the information to the train driver, and it intervenes where the train driver fails to carry out the necessary actions based on this information or a change to it. However, it cannot ensure that the train stops before the given location; that remains the responsibility of the train driver.)
• There are no overlap sections beyond the end of train routes.
In view of the above, the distance and time within which the train driver has to bring the vehicle to a stop are very limited. On the one hand, the performance parameters of the infrastructure must be used to the maximum (minimising the time spent moving through the open line, stations and station heads, and using the full length of the station tracks); on the other hand, it is not possible, not even in critical, i.e. non-nominal, situations, to pass the position up to which movement of the vehicle is allowed. In addition to complying with the principles and rules necessary for traffic safety, train drivers are therefore under pressure from the logical and justified efforts to increase infrastructure performance.
In fact, there are no safety restrictions that would inherently require operational reserves beyond the physical and performance capabilities of vehicles and infrastructure. This means that it is not possible, or only possible to a limited extent, to use "free infrastructure capacity" so that a non-intelligent but safe (i.e. fail-safe) ATP device can fully assume responsibility for supervising the limit parameters of a train movement.

European Train Control System (ETCS)
General principles, features and application of the ETCS train protection system are described in [2,3,4,5,6]. The authors of this article present them as possible sources of information as it is not their aim to describe already known information.

General principles of deceleration supervision in ETCS
In short (more information is provided in the sources cited above), ETCS L2 train movement supervision consists in creating and sending to the on-board unit a movement authority (further MA) together with static speed profiles (further SSP), a gradient profile and possibly other speed limits, i.e. the line description [6]. Location-wise, this information is referenced to balise groups (further BG) placed in the track. The balise group to which the current MA and line description are referenced plays the role of the last relevant balise group (further LRBG) and defines the origin of the balise coordinate system. From the various speed limits valid for the given vehicle/train type at the given position, the ETCS on-board equipment derives the most restrictive speed profile (further MRSP). Based on the MRSP, the gradient profile and other vehicle/train parameters, the on-board equipment calculates a dynamic speed profile (further DSP). It then supervises the running of the vehicle against the DSP, using several deceleration (braking) curves for each speed change (warning and intervention curves of the service brake, warning and intervention curves of the emergency brake, etc.); the braking-curve area is marked in grey in Fig. 5 (only one curve is shown for illustration). It can be seen that in stopping supervision some curves may extend beyond the end of authority (further EoA): the supervised location (further SvL) lies behind the EoA where the infrastructure conditions allow it.

ETCS features related to stopping supervision
As mentioned above, the main and fundamental change brought by the introduction of ETCS L2 on the SŽDC network is full speed supervision and control by an ATP system. Fig. 2 and Fig. 4 show examples of braking-to-standstill supervision.
A fundamental prerequisite for the correct functioning of this supervision is an exact mathematical and physical description of the vehicle's behaviour during running and braking [7]. The braking model is based on the brake weight percentage (further BWP); together with the maximum vehicle speed, this variable determines the braking properties. Without knowledge of other parameters, however, this description means that the conversion braking model adds extra time to make sure the EoA is not exceeded. Furthermore, the model is based on historical UIC methodology and measurements, which might no longer correspond to the features of modern interoperable vehicles. The conversion model thus creates safe curves, which are however not practical under SŽDC operational conditions (it does not take into account adhesion, brake shoe properties, or the linear build-up of braking performance).
A distinction is drawn between service curves (service brake intervention, SBI, and service brake deceleration, SBD) and emergency curves (emergency brake intervention, EBI, and emergency brake deceleration, EBD). The difference in the amount of deceleration between the two manifests itself in trains with a BWP of more than 135 %: for the service brake, a BWP above 135 % is always capped at BWP = 135 %. The BWP value is then used to calculate vlim according to (1); in the interval <0; vlim> the deceleration is constant, and its value is calculated according to (2). Other speeds at which the deceleration changes are given in [7], with the deceleration determined according to the general relation (3).
The result is the course of deceleration for the emergency or service brake as a function of speed. This is shown in Fig. 6.
Fig. 6. Emergency brake deceleration. Source: Authors, [8]
In this way, it is possible to create braking curves for any train. In ETCS, these braking curves are designated lambda. They have to be functional and safe for any combination of vehicles corresponding to the given BWP. Another option is the gamma braking curves. These are usually provided (upon request) by the vehicle supplier and are used where certain braking properties can be guaranteed, i.e. where a train unit keeps a constant composition for a long time. The advantage of these braking curves is that they correspond to the good braking capabilities actually achievable by the train unit, so that a more critical and thus operationally less advantageous treatment of the braking properties is not necessary. On the SŽDC network this applies to the Pendolino, railjet or Interpanter train units. There is, however, no reason not to apply this approach to ordinary trains with a constant composition, such as container trains (loaded, empty), Regiojet train sets with a specified number of cars, or push-pull train sets in general.
Source: Authors, [8]
In this way, it is possible to calculate and display a whole range of curves which can be supervised by ETCS. In addition to the EBD, EBI, SBD and SBI curves mentioned above, the First Level of Intervention (FLOI) and Permitted curves are worth mentioning. All curves are shown in Fig. 7.
It is the Permitted speed curve that is displayed to the driver on the Driver Machine Interface (DMI), and ideally it is the driver's responsibility to follow this curve. In Fig. 8 this curve is already a warning curve.
Another interesting feature of the braking curves, as shown in Fig. 6, is the different position of the individual curves for v = 0 km·h^-1. EBD is supervised at the danger point, SBD at the end of the MA, and the other curves are moved forward, i.e. before the end of the MA, by the amount of the odometry inaccuracy. For the least favourable case this inaccuracy is calculated as 5 m + 5 % of the distance from the last balise (there is also a parameter for the accuracy of balise positioning, Q_NVLOLACC, whose national value is 12 metres). For a balise distance of 500 metres, this value is 30 metres. It is this distance that "shortens" the useful length of tracks for freight trains, and in combination with an end of MA at the end of a platform it can cause problems for passenger trains approaching the platform. A solution already in use is the installation of relocation balise groups, which refresh the vehicle's location and reduce this inaccuracy. In newly planned projects (the Praha-Brno high-speed line [9], the Brno-Ostrava high-speed line), the engineers and technologists already design the line topology so as to exclude these problems. The critical ETCS braking curves are calculated conservatively because they have to ensure that ETCS fulfils its stopping-supervision responsibility over a broad range of operational conditions on the different railway infrastructures of different countries. Higher ETCS system versions (1.1 onwards), implemented according to the Baseline 3 specification [7], allow the braking curves of the supervised on-board equipment (which itself has to be of system version 1.1 or higher) to be parametrised by trackside ETCS values, i.e. by the infrastructure manager. The question is what added value such parametrisation can bring compared with the other influences on the critical ETCS braking curves. This has to be examined further, together with the implementation of ETCS system version 1.1 on the SŽDC network.
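The following Python script is an added worked example by the editor; it is not code from the authors or from any ETCS supplier, and it does not implement the Subset-026 conversion model (equations (1) to (3) are not reproduced on this page). It ties together three things described above: building the MRSP as the minimum of overlapping static speed limits, computing a braking curve backwards from a target with a speed-dependent, piecewise-constant deceleration (the shape of Fig. 6), and placing the targets as the text describes, with EBD at the danger point, SBD at the EoA, and the intervention curves pulled towards the train by the 5 m + 5 % odometry margin. All numeric values (deceleration bands, speed limits, EoA and danger-point positions, distance from the LRBG, train speed) are constructed, and the 12 m Q_NVLOLACC balise location accuracy is deliberately not added to the margin.

```python
"""Simplified model of ETCS stopping supervision (added illustration).

Not the authors' code and not the Subset-026 braking model: the deceleration
bands, speed limits, target positions and the way the curves are combined are
constructed assumptions chosen to mirror the text. Distances are in metres,
decelerations in m/s^2, speeds in km/h at the interface.
"""
import math


def kmh_to_ms(v_kmh):
    return v_kmh / 3.6


# Speed-dependent deceleration as (band_upper_speed_kmh, decel_ms2), ascending.
# Deceleration is constant within a band, as described for <0; vlim>.
# Constructed values, not the lambda conversion-model values of [7].
EMERGENCY = [(60.0, 0.90), (120.0, 0.80), (math.inf, 0.70)]
SERVICE = [(60.0, 0.60), (120.0, 0.55), (math.inf, 0.50)]


def build_mrsp(limits, line_length):
    """Most restrictive speed profile from overlapping static limits.
    limits: (start_m, end_m, v_kmh); returns merged (start, end, v) segments."""
    edges = sorted({0.0, float(line_length)}
                   | {float(s) for s, _, _ in limits}
                   | {float(e) for _, e, _ in limits})
    segments = []
    for a, b in zip(edges, edges[1:]):
        covering = [v for s, e, v in limits if s <= a and b <= e]
        if not covering:
            raise ValueError(f"no speed limit covers [{a}, {b}) m")
        v = min(covering)                      # most restrictive limit wins
        if segments and segments[-1][2] == v:  # merge equal neighbours
            segments[-1] = (segments[-1][0], b, v)
        else:
            segments.append((a, b, v))
    return segments


def mrsp_at(mrsp, x):
    """Static limit valid at position x (last segment applies at its end)."""
    for s, e, v in mrsp:
        if s <= x < e:
            return v
    return mrsp[-1][2]


def braking_curve_speed(dist_to_target, v_target_kmh, bands):
    """Highest speed (km/h) allowed `dist_to_target` m before a target so that
    braking with the band model still reaches v_target at the target.
    Walks backwards from the target using v^2 = v_t^2 + 2*a*s, band by band."""
    v = kmh_to_ms(v_target_kmh)
    remaining = max(0.0, dist_to_target)
    for upper_kmh, a in bands:
        upper = kmh_to_ms(upper_kmh)
        if v >= upper:
            continue                           # band lies below current speed
        band_len = (upper ** 2 - v ** 2) / (2 * a)
        if remaining <= band_len:              # curve ends inside this band
            return math.sqrt(v ** 2 + 2 * a * remaining) * 3.6
        remaining -= band_len                  # cross the whole band
        v = upper
    return v * 3.6                             # only reached without an inf band


def odometry_margin(dist_from_lrbg):
    """Worst-case location inaccuracy quoted in the text: 5 m + 5 % of the
    distance travelled since the last relevant balise group."""
    return 5.0 + 0.05 * dist_from_lrbg


def supervise(train_pos, speed_kmh, dist_from_lrbg, eoa, svl, mrsp):
    """Evaluate the stopping-supervision curves at the train's position.
    EBD targets the danger point (SvL), SBD the EoA; the intervention curves
    EBI and SBI are pulled towards the train by the odometry margin so that
    the worst-case position error cannot let the train pass the target."""
    margin = odometry_margin(dist_from_lrbg)
    targets = {
        "EBD": (svl, EMERGENCY),
        "SBD": (eoa, SERVICE),
        "EBI": (svl - margin, EMERGENCY),
        "SBI": (eoa - margin, SERVICE),
    }
    allowed = {name: braking_curve_speed(target - train_pos, 0.0, bands)
               for name, (target, bands) in targets.items()}
    allowed["MRSP"] = mrsp_at(mrsp, train_pos)
    return {
        "margin_m": margin,
        "allowed_kmh": allowed,
        "most_restrictive": min(allowed, key=allowed.get),
        "service_intervention": speed_kmh > min(allowed["SBI"], allowed["MRSP"]),
        "emergency_intervention": speed_kmh > allowed["EBI"],
    }


if __name__ == "__main__":
    # Constructed line: 120 km/h with two overlapping restrictions, EoA at
    # 1800 m and a danger point 50 m beyond it (an overlap section).
    line = build_mrsp([(0, 2000, 120), (500, 800, 60), (700, 1500, 80)], 2000)
    for d_lrbg in (500.0, 50.0):   # without and with a relocation balise group
        r = supervise(train_pos=1500.0, speed_kmh=65.0, dist_from_lrbg=d_lrbg,
                      eoa=1800.0, svl=1850.0, mrsp=line)
        print(f"{d_lrbg:>5.0f} m from LRBG: margin {r['margin_m']:.1f} m, "
              + ", ".join(f"{k} {v:.1f}" for k, v in r["allowed_kmh"].items())
              + f", service intervention: {r['service_intervention']}")
```

Running it shows the effect the text attributes to relocation balise groups: at the same position and speed, reducing the distance from the LRBG from 500 m to 50 m shrinks the margin from 30 m to 7.5 m and lifts the SBI curve by a few km/h, which in this constructed case is the difference between a service-brake intervention and none. The same structure also makes the worst-case rule visible: every unknown (position, deceleration) is resolved towards the side that brings the intervention closer to the train.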

Conclusion
This article points out the operational aspects of the implementation of ETCS L2 in the Czech Republic, where it is the very first automatic train protection system with full speed supervision. Until now, the ATP systems in use gave the train driver quite a high degree of freedom in decelerating the train. This is flexible from the operational point of view (a delayed train could brake over a shorter distance than a train running early, which could make efficient use of coasting, regenerative braking, etc.), but from the safety perspective, passing a stop signal at danger was more likely. On the other hand, the introduction of full speed supervision reduces operational flexibility. A partial mitigation of the problem, to be examined further, ideally by all ETCS stakeholders in the Czech Republic, is the parametrisation of the curves using national values, which is possible from ETCS system version 1.1 onwards according to Baseline 3. Other countries have more extensive experience with train protection systems with full speed supervision, so the risk of reducing line capacity is not so great there. One of the elements with a positive effect is, for instance, overlap sections.
The work was supported from ERDF/ESF "Project PosiTrans -University of Pardubice cooperation and application sphere in application oriented research of localization, detection and simulation systems for transport processes" (No. CZ.02.1.01/0.0/0.0/17_049/0008394).