Model-Based Approach for ERTMS Railway Wayside System Specification, Validation, and Proof
Damien Ledoux, SNCF Infra
Train signaling systems for mass transit and mainlines have seen their complexity increase in the last decade. This is due either to the introduction of new concepts and technologies that increase performance, such as line capacities, or to interoperability requirements, for example European standards that allow trains to use the same trainborne subsystem while driving in different countries that have different interlockings, trackside technologies, and principles.
In the conventional railway industry, infrastructure managers in the specification phase of signaling system design usually adopt a conventional approach based on paper specifications, with all the drawbacks known to engineers: a risk of misunderstanding and misinterpretation, and a lack of validation at the early stage of specification.
RFF and SNCF jointly experimented with a Model-Based Design approach at a high level of specification. The system modeled is a mainline wayside ERTMS Level 2 system called the Radio Block Center (RBC), which is an automatic train protection (ATP) system. In the system studied, there is a close relationship between the different subsystems: the Automatic Train Control, which is either ERTMS based or CBTC based, and the interlocking. Both subsystems are intended to allow trains to move safely with the requested level of performance, i.e., speed and headway. The result is a complex system combining wayside and train-side control systems, interlocking, track elements, and supervision level.
The goals of modeling the RBC are to:
• Provide an unambiguous description of its expected behavior. Requirements writing allows expressing functional expectations, but there is an unavoidable risk of misunderstanding or interpretation. The main concern is that system-level functional issues, due to a lack of system definition, are solved at the software implementation level.
• Provide a description independent from the manufacturer’s design choices. The model is not the mirror of a particular manufacturer’s existing implementation.
This experiment with Model-Based Design also covers the specification level, simulation/validation, and property proof activities.
Recorded: 26 Mar 2014