Autonomous Integrity Monitoring Proposal for Critical Rail Applications

Source: https://hal-enac.archives-ouvertes.fr/hal-01403432
Authors:
• Brocard, Philippe (SIGNAV - ENAC Equipe TELECOM-SIGNAV - TELECOM - ENAC - Equipe télécommunications - ENAC - Ecole Nationale de l'Aviation Civile)
• Julien, Olivier (SIGNAV - ENAC Equipe TELECOM-SIGNAV - TELECOM - ENAC - Equipe télécommunications - ENAC - Ecole Nationale de l'Aviation Civile)
• Mabilleau, Mikaël (Egis Avia (FRANCE))
Repository: HAL CCSD
Year: 2015
Domain: [SPI] Engineering Sciences [physics]
Record: Porte, Laurence; 2016-11-25 22:49:49; 2022-01-27 10:05:54; 2016-11-25 22:49:49
Language: en
Type: Conference papers

Although already used in the USA in the Positive Train Control (PTC) system, in China for the high velocity and low capacity lines, and in Russia, GNSS technology is still not used in the European Train Control System (ETCS). ETCS will progressively replace the different systems that are used in Europe for improved interoperability. In ETCS levels 2 and 3, the train has to self-estimate its position by propagating the reference position given by Eurobalises with wheel speed sensors (WSS). A large number of balises must be installed on the rail tracks in order to bound the error on the position estimate, which grows as a function of the distance travelled since the last Eurobalise due to the WSS scale factor error and sliding effects. The current trend adopted by the rail community consists in using GNSS as a virtual balise. The first main challenge for the introduction of GNSS in ETCS is the very low Tolerable Hazard Risk (THR), which, for the whole signaling system, shall not exceed 2×10⁻⁹/h to fulfill the Safety Integrity Level (SIL) 4 requirement [1]. Therefore, the tolerable uncertainty on the GNSS sensor shall be even lower. Depending on the risk allocation in the ETCS fault tree, the integrity risk allowed for GNSS can reach 1×10⁻¹¹/h.
Because the requirements are key in the design of the virtual balise platform, a proposal for accuracy and alert limit requirements is discussed in the paper. The second main challenge for the introduction of GNSS in ETCS is related to the operational environment of the vehicle. Indeed, trains are likely to operate in suburban and dense urban environments, where the GNSS satellites can be masked by buildings, or where the GNSS receiver can be affected by large multipath errors, interference or Non-Line-Of-Sight (NLOS) signals. This paper proposes a complete positioning module that is designed to fulfill the tight integrity requirements for a virtual balise in ETCS. The proposed navigation solution is based on a combination of GNSS, Inertial Navigation Sensor (INS) and a track database that are tightly coupled through an extended Kalman filter (EKF). The widely used WSS that are present onboard are purposely not used, to avoid safety issues related to the joint dependency of the odometry function and the virtual balise on the same sensor. Together with the positioning algorithm, it is necessary to design an integrity monitoring algorithm that will ensure that the positioning requirements are fulfilled. This paper proposes such an algorithm, which can be seen as an adaptation of the Aircraft Autonomous Integrity Monitoring (AAIM) techniques that were developed for tightly coupled GPS/IRS systems in civil aviation. The considered nominal case and fault modes are described in the paper, including the presence of a major (GNSS) service failure, the presence of large multipath errors and the reception of NLOS signals. The problem that large multipath errors and NLOS signals cause for integrity monitoring is alleviated by the a priori exclusion of some GNSS measurements that are likely to be faulty.
The exclusion decision is based on different criteria, including GNSS signal quality indicators based on the assessment of the distortion of the correlation function, the estimated C/N0 or the satellite elevation. The proposed integrity monitoring algorithm assumes that all sensors are fault free. It is thus necessary to ensure that this condition is met. Considering this, and since the Mean Time Between Failure (MTBF) of the considered MEMS IMU is not sufficiently high to neglect the probability of failure of the IMU, a fault detection algorithm based on the redundancy of the IMUs is proposed in the paper. This algorithm, which can detect sensor failures before any use of the sensor in the position computation, is based on Kalman filtering and on a hypothesis test based on the Weighted Sum of Squared Residuals (WSSR). The fault modes of the sensors are also detailed in the paper. The next step is to prove that the proposed positioning system will be able to meet an integrity risk of 1×10⁻¹¹/h. In a usual system, this means that it is necessary to characterize the nominal error model of each error source using an extremely large amount of data (to know the error model down to an extremely low percentile). To overcome this issue, the paper proposes to divide the problem into two independent ones. It is thus proposed to use two different GPS/Galileo dual constellation receivers. The idea consists in dividing the available satellites into two independent subsets of satellites. The measurements from each subset are integrated with two independent IMUs. Due to the division into two separate subsets, it is likely that fewer than 4 satellites are available, which reinforces the interest of using tight integration. The two EKFs are monitored by two AAIM algorithms that provide protection levels in real time. A new estimated position and protection level is formed from the two independent positions and protection levels.
As shown in the paper, this separation of the whole system into two independent sub-systems reduces the integrity risk of each subsystem down to ?10⁻¹¹/h, which appears much more manageable based on the current knowledge of the GNSS error sources. Finally, this paper assesses the nominal accuracy and integrity performances of the proposed architecture by realistic simulations. Starting from a typical rail trajectory and velocity profile, ideal inertial sensor, GNSS and track database outputs are generated. Typical error models are then added based on the manufacturer specifications for the IMU and on realistic values for the GNSS. Performances of the proposed solution are finally assessed on a real measurement campaign in an urban environment. The reference trajectory is given by NovAtel SPAN equipment hybridizing a tactical-grade IMU with a high accuracy GNSS solution.

The outline of this paper is the following:
• The first chapter focuses on the operational requirements that must be fulfilled by the studied solution.
• The second chapter discusses the architecture of the hybridized solution and the integration approach by EKF.
• The third chapter addresses the failure modes and the fault detection algorithm proposed to detect them before integration of the measurements in the filter.
• The fourth chapter addresses the failure modes of the GNSS. The way to lighten the burden of the integrity monitoring algorithm by using signal quality indicators and external information is discussed. The method that is used to set the integrity requirement to ?10⁻¹¹/h instead of 10⁻¹¹/h is discussed.
• The fifth chapter provides nominal fault free performances of the system in terms of accuracy and integrity based on realistic simulations. The error models of each sensor are detailed.
• The last chapter assesses the performances of the solution on a real measurement campaign.