Advanced engineering for railway rolling stock

Moving to a new engineering dimension

criticalsoftware.com | White Paper: Advanced Engineering for Railway Rolling Stock

The liberalisation of rail transportation in Europe, which started in the 1990s, has changed the railway market. The flow of goods is moving quickly over ever greater distances, while the logistics are becoming more complex. Consequently, the manufacturers of rolling stock have to meet an increasing number of demands due to altered statutory requirements, as well as to new standards and directives.

MARKET DEMANDS, AS WELL AS CUSTOMER FEEDBACK, MUST ALSO BE CHANNELLED INTO THE PRODUCT LIFE CYCLE.

As most freight traffic in Europe is cross-border, manufacturers must overcome a major challenge in order to gain a competitive advantage: interoperable services. To operate cross-border, manufacturers must support different catenary voltages (15 kV AC, 25 kV AC, 3 kV DC and 1.5 kV DC), different types of pantographs, different train radio systems and different loading gauges, to name just a few of the many national requirements.

Figure 1: Trans-European Transport Network

IN ADDITION, ONE OF THE MOST DIFFICULT CHALLENGES TO INTEROPERABILITY IS THE AUTOMATIC TRAIN PROTECTION (ATP) SYSTEMS; THESE SAFETY SYSTEMS HAVE A HIGH SAFETY INTEGRITY LEVEL AND ARE RESPONSIBLE FOR THE PROTECTION OF PERSONS AND GOODS.

ROLLING STOCK EQUIPMENT AND SYSTEMS

LOCOMOTIVE PRODUCT CONCEPTS

The product concept provided by some of the biggest manufacturers (Siemens' Vectron, Alstom's Prima, Bombardier's TRAXX) covers single- and multi-system locomotives for the European alternating-current (AC) and direct-current (DC) networks, for high-speed passenger traffic and for interoperable cross-border freight traffic. To enable operation on non-electrified lines, the manufacturers also provide diesel-electric versions of these same locomotive platforms.

One interesting aspect is that the platforms of all these major locomotive manufacturers have, in reality, a very similar architecture. They rely on similar main subsystems and functions to give the customer very flexible usage.

TRACTION CHAIN

What causes the train to accelerate and brake are the adhesion forces that appear in the wheel-rail contact. For these adhesion forces to take effect, tractive or braking effort needs to be applied to the wheels. This torque must be generated in a motor or braking system that transforms a certain amount of energy into the required mechanical energy.

Figure 2: Results of bad traction control

The locomotive traction chain combines various equipment, allowing the locomotive to move. Railway traction is essentially supported by two different propulsion systems: electric or diesel. Electrical traction units can be of the following types:

• DC traction units, which use direct current drawn from either a conductor rail or an overhead line

• AC traction units, which draw alternating current from an overhead line

• Multiple-system units, which can operate under several different voltages and current types: the locomotives do not have to stop when passing from one electrification system to another, as the changeover occurs where the train coasts for a short time

In a diesel-electric locomotive, the diesel engine drives an electrical DC generator or an electrical AC alternator-rectifier, the output of which provides power to the electric traction motors. An electro-diesel locomotive can operate as an electric locomotive on electrified lines, with an on-board diesel engine for non-electrified sections. With this capability, the same locomotive is able to leave the freight in the correct location without the need for another locomotive.

Figure 3: Locomotive traction chain

The locomotive traction chain is composed of the following main components, which may vary depending on the type of locomotive:

1) TRACTION TRANSFORMER
2) TRACTION CONVERTER
3) TRAIN CONTROL
4) TRAIN CONTROL & MONITORING SYSTEM (TCMS)
5) TRACTION MOTOR
6) DIESEL ENGINE GENERATOR
7) AUXILIARY CONVERTER
8) BATTERY CHARGER
9) ENERGY STORAGE

© Critical Software. All rights reserved.

BODY STRUCTURE

The locomotive body structure is typically designed as a self-supporting structure that meets high mechanical strength requirements. It should be capable of withstanding stresses from load cases according to applicable standards, i.e. it should withstand the maximum static tensile and compressive forces. The design of the two driver cabs should ensure survival space in crash scenarios, according to applicable standards.

MACHINE COMPARTMENT

The machine compartment layout is determined based on factors including customer requirements, economical use of space, ease of maintenance, clarity, safety, flexibility and convertibility.

BOGIE MODULE

The bogie comes in many shapes and sizes, but in its most developed form it is the motor bogie of an electric or diesel locomotive. Bogies are classified into various types according to their configuration: the number of axles, the design and the suspension structure. Bogies are subjected to severe stresses and shocks and may have to run at high speeds.

Railcar bogies usually go unnoticed by rail passengers, but despite their obscurity, they are one of the most vital components of rolling stock:

• They support the railcar body firmly

• They run stably on both straight and curved track

• They ensure good ride comfort by absorbing vibration (generated by track irregularities) and minimising the impact of centrifugal forces (when the train runs on curves at high speed)

Many safety concerns should be considered with bogies, since a damaged bogie may put lives at risk.

MONITORING SYSTEMS ARE BEING SPECIALLY DESIGNED TO MONITOR THE PHYSICAL PROPERTIES OF BOGIES, WHEELS AND SUSPENSION, E.G. TEMPERATURE, VIBRATIONS AND SHOCK ABSORBER CAPABILITIES. WHENEVER ONE OF THESE PARAMETERS EXCEEDS A PREDEFINED LIMIT, A MAINTENANCE WARNING IS ISSUED AND REPAIRS ADVISED.

TRAIN PROTECTION EQUIPMENT

The train protection equipment is installed in dedicated cabinets in the machine compartment of the locomotive. The train protection cabinets are typically designed with a modular structure, so that conversion or retrofitting can be performed easily.

Train protection systems are of vital importance in maintaining the safety of the complete rolling stock. Their main function is to monitor the different systems involved and the surroundings, especially the trackside equipment data, in order to maintain train safety according to defined rules. Automatic train protection systems are generally the subsystems of a locomotive with the highest safety integrity level.

Whenever a safety rule violation is detected by the automatic train protection system, the ATP will put the rolling stock in a safe state. Generally, this safe state means the system stops the train before an accident could happen, making people and goods safe.

The underfloor area and the bogie are pre-prepared for the mounting of antennas and speed encoders, the sensors used to monitor the trackside data.
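As an added illustration that is not part of the white paper, the following C code sketches the supervision cycle described above: the ATP compares the speed measured by the encoder against the permitted speed received from the trackside, commands the emergency brake on a violation, and treats any missing, stale or implausible input as a violation as well. The structure and field names, the timeout, the warning band, the plausibility limit and the sample sequence are all assumptions chosen for the example.

```c
/* Added example (not from the white paper): a minimal ATP-style speed
 * supervision cycle showing the "safe state" principle. Timeouts, margins,
 * field names and sample values are constructed assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TRACKSIDE_TIMEOUT_MS 5000u  /* assumed: max age of the last valid trackside telegram */
#define MAX_PLAUSIBLE_KMH     400u  /* assumed: encoder readings above this are a sensor fault */
#define WARNING_BAND_KMH        5u  /* assumed: driver warning this close to the permitted speed */

enum atp_state { ATP_NORMAL, ATP_WARNING, ATP_EMERGENCY_BRAKE };

struct trackside_data {
    bool     valid;          /* telegram passed its integrity check */
    uint32_t received_ms;    /* time the telegram was received */
    uint32_t permitted_kmh;  /* permitted speed for the current section */
};

struct train_input {
    uint32_t now_ms;         /* time of the current supervision cycle */
    uint32_t speed_kmh;      /* measured by the speed encoder on the bogie */
    bool     encoder_ok;     /* encoder self-test / plausibility flag */
};

/* Stateless decision for one cycle. Fail-safe: a missing, stale or
 * implausible input is treated as a violation and commands the brake;
 * it is never treated as "no limit applies". */
enum atp_state atp_supervise(const struct train_input *in,
                             const struct trackside_data *ts)
{
    if (!in->encoder_ok || in->speed_kmh > MAX_PLAUSIBLE_KMH)
        return ATP_EMERGENCY_BRAKE;          /* speed cannot be trusted */
    /* unsigned subtraction wraps to a huge value if the telegram timestamp
     * lies in the future, which is then also treated as stale */
    if (!ts->valid || in->now_ms - ts->received_ms > TRACKSIDE_TIMEOUT_MS)
        return ATP_EMERGENCY_BRAKE;          /* no current movement authority */
    if (in->speed_kmh > ts->permitted_kmh)
        return ATP_EMERGENCY_BRAKE;          /* overspeed */
    if (in->speed_kmh + WARNING_BAND_KMH > ts->permitted_kmh)
        return ATP_WARNING;                  /* approaching the limit */
    return ATP_NORMAL;
}

struct atp_ctx { enum atp_state state; };

/* Stateful cycle with latching: once the emergency brake is commanded it is
 * held until standstill, so a single good telegram or a dip in measured
 * speed cannot release the brake while the train is still moving. */
enum atp_state atp_step(struct atp_ctx *ctx, const struct train_input *in,
                        const struct trackside_data *ts)
{
    enum atp_state next = atp_supervise(in, ts);
    if (ctx->state == ATP_EMERGENCY_BRAKE && in->speed_kmh != 0)
        next = ATP_EMERGENCY_BRAKE;
    ctx->state = next;
    return next;
}

int main(void)
{
    static const char *names[] = { "NORMAL", "WARNING", "EMERGENCY_BRAKE" };
    struct atp_ctx ctx = { ATP_NORMAL };
    struct trackside_data ts = { true, 500, 100 };
    /* constructed sequence: cruising, overspeed, slowing (still latched), standstill */
    const uint32_t speeds[] = { 80, 105, 60, 0 };
    for (size_t i = 0; i < sizeof speeds / sizeof speeds[0]; i++) {
        struct train_input in = { 1000 + 1000 * (uint32_t)i, speeds[i], true };
        printf("t=%u ms speed=%u km/h -> %s\n", in.now_ms, in.speed_kmh,
               names[atp_step(&ctx, &in, &ts)]);
    }
    return 0;
}
```

A real ATP adds braking curves, driver acknowledgement and redundant channels; the point of the sketch is the direction of every default: an absent or untrustworthy input can only make the decision more restrictive, never less.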

SOFTWARE SERVING YOUR BUSINESS – IT'S MORE THAN JUST CODE

A change in infrastructure costs millions, far more than the cost of changing only some rolling stock items. This option is more attractive, not only for the companies operating freight or passenger services, but also for governments discussing modernisation projects or the construction of new infrastructure. Software will play an interesting role in this particular market: using configurable software applications in these safety-critical systems will enable manufacturers to respond better to the needs of their customers.

TRAIN MANAGEMENT SYSTEM

The system that performs train control and continuous monitoring of train status, the 'brain of the train', integrates all control and communication functions on board. It provides train, vehicle and drive control functions, including operating and comfort functions, as well as train diagnostics.

Train Management Systems (TMS) can integrate multiple subsystems developed at various Safety Integrity Levels (SIL). The main components of these systems are: the Vehicle Control Unit (VCU), a general processing unit that provides vehicle management and control functions; the Drive Control Unit (DCU), which controls and supervises the functions of the traction converter; and I/O modules, which provide an interface to additional systems, typically through low-voltage signal lines. For safety reasons, subsystems such as the VCU and DCU in particular should be developed to a high SIL, in accordance with the CENELEC standards EN 50126, EN 50128 and EN 50129.

The backbone of a modern TMS is a data communication bus for intra-vehicle communication and for train-wide information exchange. The TMS streamlines the flow of information between trains and wayside equipment. It collects and provides real-time information, allowing proactive transit security and vehicle maintenance.

Figure 4: Typical rail vehicle control architecture (elements shown: VCU, DCU, I/O modules, data communication bus, high-voltage power line, 24 V signal lines, traction converter, brake lever)

The current tendency is to increase the use of networks for signal transmission, using remote transmission units that interface with the sensors and pack the necessary information onto a network. This design approach has the advantage of reducing the total cable length needed in the locomotive, while increasing the capability to integrate new sensors and so providing more accurate information to the TMS. All these safety-critical systems use state-of-the-art software development techniques, not only to comply with the safety targets defined for them, but also to make the system as reliable as possible. The reliability of software is not measured quantitatively in the way that mechanical parts or electronics are; however, qualitative measures of the software being developed for these safety-critical systems are possible, and these techniques can make all the difference when a new product is being developed.

CHALLENGES

The rapidly changing technology markets, especially intelligent systems, software and the capabilities enabled by software, continue to dominate the value and costs of many types of business. Industries and businesses face a range of challenges and opportunities in technology, in the experience offered to users and in the business models that support them. The rail locomotive market is no different: new platforms not only need to be more efficient and greener, they also need to be more reliable and more interoperable. The interoperability between trains and the different infrastructures they use is not only a technical problem; it is also a political and economic challenge.

A NOVEL METHOD FOR IMPROVED EFFICIENCY AND RESULTS

Software engineering is a discipline applied to the software development life cycle to ensure that the produced software is reliable and compliant with the pre-defined requirements.

NORMALISATION USUALLY DIMINISHES THE EASE OF WORKING WITH INNOVATIVE METHODS. HOWEVER, IF THE CORRECT METHODS ARE APPLIED DURING THE DEVELOPMENT LIFECYCLE, AND THE SIL LEVEL IS MAINTAINED, THE TIME TO MARKET OF THE FINAL PRODUCT CAN BE REDUCED.

Figure 5: Software life cycle (V-model: software requirements, software architecture & design, and source code on the left-hand side, verified respectively against validation, software integration testing and software unit testing on the right-hand side)

Critical Software follows specific methodologies and systematic processes, taking into consideration the established targets for the system and the applicable standards. Within these, optimisations across many tasks may increase team efficiency by 20% without jeopardising certification objectives.

SOFTWARE REQUIREMENTS

Specification of the software requirements, supported by Sequence and Finite State Machine diagrams, allows the interaction paths to be determined and safety problems to be found before the validation phase. These techniques also identify interactions between applications and databases, performance requirements and user interface requirements.

SOFTWARE ARCHITECTURE AND DESIGN

Software architecture and design specifications, using model-driven development, allow developers to simulate the software early in the development cycle, identifying interface problems that generally only appear at the integration test level. Performance requirements are also evaluated at the architectural level, which reduces the possibility of an architecture that does not comply with the system performance requirements and avoids huge rework later in the development life cycle.

SOURCE CODE

The source code is implemented using a selected set of tools. The use of appropriate languages and compilers to comply with the safety integrity level is necessary for safety-critical systems. Source code maintainability and readability are another important aspect when developing for these higher levels. The software is developed so as to be analysable, verifiable and easily modifiable, reducing the total cost of maintenance operations and consequently the total cost of ownership of the product.

SOFTWARE UNIT TESTING

At the software unit testing level, being smart with the testing methodology enables the team to achieve enhanced results, going beyond the structural coverage of the source code requested by the standard. Testing against the software functional requirements enables problems to be identified earlier and thus reduces the total development cost.

SOFTWARE INTEGRATION TESTING

The techniques used to obtain structural coverage are applied to the integration of all software modules. That is, the different module interfaces are tested with defined values to verify that each module is able to communicate with the others, providing the expected results.

SOFTWARE VALIDATION

Software requirements-based testing focuses on functionality and performance. Taking the safety aspect into consideration, tests with different objectives are executed to provide evidence that the safety measures are implemented within the software. Robustness testing, including stressing interfaces using fault injection techniques, is used to validate the software and the effectiveness of the implemented safety barriers.
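As an added example, not taken from the white paper, the following C code shows the difference between a coverage-driven unit test set and a requirements-based one, using a bogie bearing-temperature monitor of the kind described earlier in this paper. The requirement text, the limit, the sensor fault code, both candidate implementations and all test values are constructed for the example.

```c
/* Added example (not from the white paper): requirements-based and
 * boundary tests catching a defect that a coverage-driven test set
 * misses. The monitored quantity, limit and test values are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BEARING_LIMIT_C 90      /* assumed predefined limit in degrees C */
#define SENSOR_FAULT    0x7FFF  /* assumed sensor "no reading" code */

typedef bool (*warn_fn)(int16_t temp_c);

/* REQ-MON-1 (constructed): a maintenance warning shall be issued when the
 * bearing temperature reaches or exceeds BEARING_LIMIT_C, and whenever the
 * sensor reports a fault code. */

/* Candidate 1: off-by-one at the boundary ("exceeds" instead of "reaches"). */
bool warn_buggy(int16_t temp_c)
{
    if (temp_c == SENSOR_FAULT) return true;
    return temp_c > BEARING_LIMIT_C;
}

/* Candidate 2: matches the requirement. */
bool warn_fixed(int16_t temp_c)
{
    if (temp_c == SENSOR_FAULT) return true;
    return temp_c >= BEARING_LIMIT_C;
}

struct test_case { int16_t input; bool expected; const char *why; };

/* Coverage-driven set: one input per branch outcome. It executes every
 * branch of both candidates, so it reaches 100 % branch coverage and
 * passes for both. */
static const struct test_case coverage_set[] = {
    { SENSOR_FAULT, true,  "fault code branch" },
    { 40,           false, "below limit" },
    { 120,          true,  "above limit" },
};

/* Requirements-based set: the boundary values that REQ-MON-1 defines,
 * plus an injected sensor fault (robustness case). */
static const struct test_case requirements_set[] = {
    { BEARING_LIMIT_C - 1, false, "just below limit" },
    { BEARING_LIMIT_C,     true,  "exactly at limit (REQ-MON-1: 'reaches')" },
    { BEARING_LIMIT_C + 1, true,  "just above limit" },
    { SENSOR_FAULT,        true,  "injected sensor fault must warn" },
};

/* Run a suite against a candidate; returns the number of failed cases. */
size_t run_suite(warn_fn f, const struct test_case *tc, size_t n)
{
    size_t failed = 0;
    for (size_t i = 0; i < n; i++) {
        bool got = f(tc[i].input);
        if (got != tc[i].expected) {
            failed++;
            printf("FAIL input=%d expected=%d got=%d (%s)\n",
                   tc[i].input, tc[i].expected, got, tc[i].why);
        }
    }
    return failed;
}

#define CASE_COUNT(a) (sizeof(a) / sizeof((a)[0]))

size_t coverage_failures(warn_fn f)
{
    return run_suite(f, coverage_set, CASE_COUNT(coverage_set));
}

size_t requirements_failures(warn_fn f)
{
    return run_suite(f, requirements_set, CASE_COUNT(requirements_set));
}

int main(void)
{
    printf("buggy: coverage set %zu failures, requirements set %zu failures\n",
           coverage_failures(warn_buggy), requirements_failures(warn_buggy));
    printf("fixed: coverage set %zu failures, requirements set %zu failures\n",
           coverage_failures(warn_fixed), requirements_failures(warn_fixed));
    return 0;
}
```

The coverage-driven set is what a team gets when it works backwards from the structural coverage target; both candidates pass it with full branch coverage. Only the test derived from the requirement's wording ("reaches or exceeds") exposes the boundary defect, which is the earlier problem identification the text refers to.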

SAFETY ENGINEERING - PROVIDING END-TO-END SAFETY TO MEET CHALLENGES

Safety is paramount in any transportation system, from local trams to high-speed cross-country trains. The standards governing safety systems have evolved over time and are starting to reflect the architectural concepts and model-based designs of markets like aerospace. Automatic train protection systems are implemented to ensure the safe operation of the train in the event of human failure. One of the main challenges in implementing support for these systems is the diversity and quantity of systems required for cross-border operation.

Figure 6: More than 25 ATP systems in use across Europe, including ATB-EG, ATB-NG, AWS, TPWS, TBL, RPS, Signum, Indusi (PZB), LZB, TVM, KVB, SHP, ASFA, EVM, Ebicab 700, Ebicab 900, ZUB 121/262, ZUB 123, BACC and RSDD.

Since each country has adopted a specific set of automatic train protection systems, locomotives and other rolling stock are required to integrate multiple train protection technologies and antennas to be capable of cross-border operation. For example, to operate in the D-A-CH-I-NL corridor (Germany, Austria, Switzerland, Italy and the Netherlands), a locomotive is required to be equipped with more than twenty different antennas. The European Rail Traffic Management System (ERTMS) enhances cross-border interoperability by creating a single Europe-wide standard for train control and command systems.

CHALLENGE: INCREASED USE OF SOFTWARE, HIGH LEVELS OF SYSTEM INTEGRATION AND NEW REQUIREMENTS FOR CONNECTIVITY ALL PRESENT A SIGNIFICANT CHALLENGE TO SAFETY AND CERTIFICATION.

Even with the European Union looking to harmonise the different corridors, national entities are not always willing to enforce the necessary interoperability, for many reasons, including commercial aspects such as the prohibitive cost of changing the infrastructure while achieving the same level of safety.

A NOVEL METHOD FOR IMPROVED EFFICIENCY AND RESULTS - DOING IT THE CRITICAL SOFTWARE WAY

The main purpose of safety engineering is to manage risk by eliminating it or reducing it to an acceptable level. During the safety analysis, all possible and relevant hazard situations must be identified. The system, the hardware and the software must be developed while taking into account the removal of all these identified hazards, whilst considering that any architectural decision may also add new hazards.

Critical Software applies engineering concepts, methods, tools and techniques throughout the life cycle of the system to eliminate the risk of possible hazardous situations and to guarantee compliance with the applicable standards. All the identified hazardous situations are recorded in a specific document, the Hazard Log. This document is intended to be used during the entire life cycle of the system, from conception to the decommissioning and disposal phases.

To accomplish a high level of safety, among other techniques, the following practices are considered:

• Risk analysis: identification of relevant risks and hazardous situations, providing early mitigation actions for each one

• Achieving the RAMS requirements: controlling the factors that influence RAMS throughout the life of the system, starting at the design phase

• Guaranteeing compliance with the necessary safety integrity level (SIL)

SAFETY ANALYSIS TECHNIQUES

Safety analysis can be performed using qualitative or quantitative methods, but most frequently a combination of both. Qualitative approaches focus on the question "What events may occur that cause a system hazard?", whereas quantitative methods aim at providing estimates of probabilities, rates and/or the severity of consequences. The most common methods used to perform the safety analysis of safety-critical systems are Failure Mode and Effects Analysis (FMEA), which is qualitative, and Fault Tree Analysis (FTA), which is quantitative. The main goal of using FMEA and FTA is to identify all the possible failure modes of the system and of each of its components, to describe the effects of those failures and then to assign each a probability of occurrence. These may also include failures caused by human error and any others originating from external events.
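The quantitative side of FTA, as an added example that is not part of the white paper: once each basic event has been assigned a probability, the top-event probability follows from the gate logic. The C code below evaluates a small constructed tree (a brake controller and two redundant brake channels; the event names and probabilities are assumptions) and compares it with the same tree without the redundant channel, which is how an analysis shows what a safety barrier buys. The gate formulas assume that the basic events are statistically independent.

```c
/* Added example (not from the white paper): evaluating a small fault tree
 * quantitatively. The gate formulas assume statistically independent basic
 * events; the event names and probabilities are constructed. */
#include <stddef.h>
#include <stdio.h>

enum ft_kind { FT_BASIC, FT_AND, FT_OR };

struct ft_node {
    enum ft_kind          kind;
    const char           *name;
    double                p;         /* failure probability, FT_BASIC only */
    const struct ft_node *child[4];  /* gate inputs */
    size_t                nchild;
};

/* Probability of the event represented by a node, for independent inputs:
 *   AND gate: product of the input probabilities
 *   OR  gate: 1 - product of (1 - input probability)
 * The OR formula, rather than the plain sum, is used so that inputs that
 * occur together are not counted twice. */
double ft_probability(const struct ft_node *n)
{
    if (n->kind == FT_BASIC)
        return n->p;
    double acc = 1.0;
    for (size_t i = 0; i < n->nchild; i++) {
        double pc = ft_probability(n->child[i]);
        acc *= (n->kind == FT_AND) ? pc : (1.0 - pc);
    }
    return (n->kind == FT_AND) ? acc : 1.0 - acc;
}

/* Constructed tree. Top event: loss of emergency braking. It occurs if the
 * brake controller fails, OR if both redundant brake channels fail. */
static const struct ft_node ctrl = { FT_BASIC, "brake controller failure", 1e-5, {0}, 0 };
static const struct ft_node ch_a = { FT_BASIC, "brake channel A failure",  1e-3, {0}, 0 };
static const struct ft_node ch_b = { FT_BASIC, "brake channel B failure",  1e-3, {0}, 0 };
static const struct ft_node both = { FT_AND, "both brake channels fail", 0.0, { &ch_a, &ch_b }, 2 };
static const struct ft_node top  = { FT_OR,  "loss of emergency braking", 0.0, { &ctrl, &both }, 2 };

/* The same system without the redundant channel: the AND gate collapses to
 * a single basic event. Comparing the two top-event probabilities shows
 * the contribution of the redundancy barrier. */
static const struct ft_node top_single =
    { FT_OR, "loss of emergency braking (one channel)", 0.0, { &ctrl, &ch_a }, 2 };

double p_loss_redundant(void) { return ft_probability(&top); }
double p_loss_single(void)    { return ft_probability(&top_single); }

int main(void)
{
    printf("%-45s P = %.3e\n", top.name, p_loss_redundant());
    printf("%-45s P = %.3e\n", top_single.name, p_loss_single());
    return 0;
}
```

With the constructed figures the redundant design gives a top-event probability of about 1.1e-5, dominated by the controller, while the single-channel design sits near 1.0e-3, dominated by the channel; the analysis thereby points at the controller as the next component to address. The independence assumption is the usual caveat: a common-cause failure (shared power supply, shared software defect) would have to be modelled as its own basic event feeding the OR gate.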

CERTIFICATION SUPPORT

Critical Software performs all the required safety and risk assessment to support system certification, including the preparation of the safety case and the remaining evidence for system certification. We have experience in working with several different Independent Safety Assessors (ISAs) to certify railway systems up to SIL 4.

Critical Software 2018

To find out more about our work, please get in touch via criticalsoftware.com. We are CMMI Maturity Level 5 rated. For a list of our certifications & standards visit our website.

© Copyright Critical Software. All rights reserved.