
Aspect 2019 - Opening & Conference Day 1

  • 24 Oct 2019
  • 38 min read

Opening


Alwin van Meeteren



Rob Goverde, Delft University



Keynote Speech


Karel van Gils, ProRail, Innovation Director

He is responsible for the implementation of ERTMS and the technology renewal for the infraprovider.

Karel has extensive experience in the public transport domain. He was previously responsible for project, technology and ICT at GVB, the Amsterdam Municipal Transport company. For NS he was responsible for the operations in the Randstad Zuid and he was head of the workshops in Duisburg and Amersfoort. In London he worked for Abellio in business development. As director Asset management within ProRail from 2016-2019 he was responsible for management and maintenance of the rail infrastructure in the Netherlands.


Summary

The introduction of ERTMS is not only a major technical task, but also a major change process.

The major objective for new signalling systems is to ensure that more passenger and freight transport can be accommodated on the network. With these systems, we meet our objectives as infra manager and facilitate growth for the rail business. We will also achieve improvements in interoperability, safety, reliability and higher speed demands.

 

The programme in the Netherlands is also mainly driven by the need to renew, due to end-of-life of the Class B signalling assets, and in particular the future shortage of workforce needed for maintaining and engineering. This summer our government approved a 2.5 billion euro investment in ERTMS for equipment in rolling stock, the central system and the first infra corridors.

In this conference, other speakers will contribute to technical issues; I want to address the organisational and people change which comes with the transformation in railway signalling.

ERTMS is a real system leap forward.

 

The programme itself is a major technical and realisation task but it also causes four major changes for ProRail and the industry.

From track-based roll-out to national implementation

From operational technology to data driven IT

From customer-supplier approach towards partnerships

From separate contributions to joint performance

 

ProRail sees the introduction of ERTMS as a steppingstone and as a transformation vehicle to change the organisation into a more flexible, and resilient one. It capitalises on all benefits and future opportunities of digital technology. Thus, in addition to our Programme High Frequent Railways (Programma PHS) which focusses on building new tracks, we will invest in a more efficient use of the network.

 

I will address these 4 major changes in the industry and ProRail.

These change statements do not intend to be exhaustive. They reflect the insights we now have. This will continue to be a learning process in the next few years.


Full text version and also the presentation:


ERTMS


Joost Jansen, Mott MacDonald

ETCS Hybrid Level 3: simulation based assessment for the Dutch railway network

Joost is a recent graduate from Delft University of Technology and received the Master's degree in Civil Engineering with a specialisation in Transport & Planning. His master's thesis (a collaboration between Delft University of Technology and Dutch infrastructure manager ProRail) provides useful insights in the application of ETCS Hybrid Level 3, an integrated cab-signalling and ATP system that combines train position information, Train Integrity Monitoring (TIM) and trackside train detection.

Recently he started a new position as a consultant in the field of Transportation at the Dutch office of Mott MacDonald.

Abstract:

The combination of the Dutch mainline legacy signalling system NS’54 and Dutch automatic train protection system ATB-EG is functioning well but has some drawbacks. Both systems are old and components have to be replaced in the near future. The speed supervision functionality of ATB-EG is limited to only five speed steps and full brake supervision is lacking. ERTMS is proposed to be the new standard European railway safety system.

It could provide interoperability, enhanced safety and/or improved capacity over the existing national signalling systems.

The Dutch government decided back in 2014 to replace the legacy system by ERTMS/ETCS Level 2 on several mainlines by the year 2030. To fully benefit from all opportunities of Level 2, corridors have to be divided into short block sections, requiring a substantial amount of trackside train detection. This amount of trackside train detection would have an impact on reliability and is a costly asset, both in installation and in maintenance. The concept of ERTMS/ETCS Level 3 allows for even more capacity while eliminating trackside train detection. A high demand is put on both train and remaining trackside equipment. All trains need to be proven complete and the trackside needs to know the position of all trains all times to ensure safe railway operations.

To overcome those issues, ERTMS/ETCS Hybrid Level 3 comes into play: to combine the ERTMS/ETCS train position information, i.e. the Level 3 principles, with limited trackside train detection.

Virtual subsections divide the physical detection blocks into smaller block sections. Position reports from the proven complete trains are used to authorise following trains at short headways, limited to the minimum of the size of the virtual blocks and the braking distance of a specific train. Following a train not being equipped with a Train Integrity Monitoring System (TIMS), safe operation is provided with the remaining trackside train detection.

The capacity effect of ERTMS/ETCS Hybrid Level 3 is a trade-off between the amount of remaining trackside train detection and the amount of trains equipped with integrity monitoring. The reduction in asset costs is a trade-off between the capacity goal of a corridor and the amount of TIMS-equipped trains.

This paper presents a simulation-based impact assessment of ERTMS/ETCS Hybrid Level 3 for the Dutch railway network for several corridors with varying numbers of TIMS-equipped trains and reduced trackside train detection. Although several theoretical studies and real-life tests have been performed over the last few years, quantification of the possible effects is lacking.

Using the Timetable Compression Method for the assessment of capacity effects and the RAMS-LCM approach for the assessment of asset costs reduction, this paper provides insight into the benefits of the implementation of ERTMS/ETCS Hybrid Level 3 instead of ERTMS/ETCS Level 2 for the Dutch railway network.


Harm van Dijk, Movares

The Wait for ERTMS, keeping conventional systems safe

Harm van Dijk (1965, MIRSE) studied Electrical Engineering at Hogeschool Windesheim, Zwolle. He has been a railway safety consultant at Movares since 1993 and is a specialist on train detection and ATP. He is involved in the development of the Electronic Track Relay. He is further involved in projects that require combined knowledge of railway safety, signalling systems, traction power and return circuits, EMC, interfacing, and more.

Abstract:

In the Netherlands, railway safety is largely based on the combination of train detection and ATP by 75Hz Track Circuits. The ATP system (ATBEG) uses the 75Hz signal of the same track circuits. This binds the systems. Replacing the track circuits is only economically feasible when the ATP system (including the onboard ATP equipment) is replaced.

75Hz track circuits are relatively simple circuits, using robust components, used since the 1960's and before. To date, 16.000 track circuits of this type are in use, covering over 80 percent of the network.

Train detection with track circuits is becoming less reliable. Developments in rolling stock (very smooth running) and rail maintenance (optimal grinding for noise reduction and optimisation of the rail profile to increase the life span) lead to more difficult shunting of the track. Traction systems are becoming complex and interaction between rolling stock may introduce interference currents that cause risks for reliable detection and ATP.

The policy in the Netherlands is to introduce axle counters when ERTMS is installed. With ERTMS, 75Hz ATP is no longer required and thus, track circuits are no longer necessary. The introduction of axle counters will then provide reliable train detection, no longer depending on the shunting of the track.

ERTMS is eventually to be installed on the complete main network. However, the rollout will take time. It requires a high budget and the capacity of many signalling engineers to upgrade all lines. It is therefore expected that the full roll-out will take over 30 years. Development of new trains and rail maintenance will continue and may lead to a further decrease in detection performance.

ProRail now faces the challenge of keeping the conventional lines safe during the time that ERTMS is not yet installed. A double investment in new systems or additional systems is costly.

With an unsolicited proposal in 2012, Movares advised ProRail to develop a new version for the track relay of the track circuit. The ambition for this is to improve reliability and enhance the functionalities by just replacing the track relay and not changing anything else.

ProRail embraced this idea and after a business case study, development of the Electronic Track Relay (ETR) started in 2015. A laboratory prototype has been developed as a proof of concept.

The ETR enables the life span of track circuits to be extended by 30 years, just by replacing one component in the track circuits. ETR means (A) Functional improvements by means of digital signal processing, by (1) reliable detection, even in case of loss of shunt conditions, (2) improved immunity to near-band interference currents; and (B) Technical improvements, by (1) Easy adjustment of the track circuit and (2) Included maintenance interface for remote monitoring and diagnostics.

ProRail intends to develop the ETR together with industrial partners leading to a design that will be open source. This leads to an open market and shared knowledge for the railway world.

The paper will describe the challenges faced and the solutions we found while developing the prototype of the ETR.


Maryam Akbari, University of Twente

Overview of ETCS Level 3 impediments

I'm a master's student from the University of Twente, mechanical engineering (design and construction) department.

Abstract:

Level 3, based on the moving block principle, is the most promising application level of the ETCS (European Train Control System) developed since the late 90s, with which the most benefits related to safety, interoperability, capacity and LCC (life cycle costs) are expected. However, after more than 20 years, the deployment of ETCS Level 3 is restricted to pilot projects on regional lines. In Level 3 the absence of trackside train detection equipment requires the train information (speed, location, direction and confirmation of integrity) to be used as the basis of route setting. This creates the essential difference between ETCS Level 3 and other ETCS levels.

The focus of this paper is on the challenges of implementing ETCS Level 3 in a brownfield environment. Challenges are divided into 3 (three) main categories and 5 (five) subcategories: technical (technology, knowledge), operational (procedures, processes) and budgetary (LCC) and studied through literature review. The Dutch railway network is chosen as a case study to examine the deployment of ETCS Level 3 as a game changer. ERTMS (European Rail Traffic Management System) specialists are interviewed to determine and further analyze how the Dutch railways would be influenced by the above challenges. Our study reveals that the absence of developed operational procedures is the main hindrance for the realization of the ETCS Level 3. The operational procedures help to ensure that functions and requirements related to human aspect, rolling stock, trackside equipment and maintenance strategies are properly defined and implemented. Also, the resilience aspects, including migration strategies and operational scenarios in case of degraded modes need attention. This is followed by the budgetary challenges, including short life cycle and relatively high costs of the onboard equipment.
Finally, expected advantages in terms of capacity and safety are closely related to the extent to which ERTMS is deployed and modifications in other network elements and subsystems, including traffic management are considered. Therefore, the implementation of merely a moving block Level 3 system without a holistic change in control & command would not be sufficient to get expected benefits.


Safety


Stefano Stanghellini, Alstom

Misuse of safety cases

Stefano Stanghellini has been an employee of ALSTOM since 1994 (when he joined SASIB); the first 5 years were devoted to RAM topics in the framework of High Speed lines in Italy. Later he served as Site Safety Officer in ALSTOM and as internal assessor for the application of both the internal ALSTOM safety processes and management and for the compliance with the lifecycle defined in the CENELEC Standard EN 50126 for both the development of products and deployment of projects. Since 2012 Stefano has been part of Alstom’s Fjernbane East Infrastructure project in Denmark as Safety manager onshore (in Denmark) and with direct responsibility for the safety aspects at system level. Since 2014 he has been the safety manager offshore (in Italy).

Abstract:

In the everyday practice of railway signalling projects safety management seems to be the same as delivery of safety cases. There is a very strong focus on producing safety cases which, after positive ISA statements have been obtained, are submitted to a regulator (usually the NSA).

After ISA assessment and approval by the regulator any change to the baseline makes the safety case invalid, unless assessment and approval processes are restarted. Safety cases usually are Word documents, full of references to other documents regarding design, HW and SW versions, as-installed baseline etcetera. Updating safety cases and renewal of assessment and approval therefore is a time-consuming task. In summary there is a severe penalty on changes to a baseline (implementing improvements and upgrades), once the safety case has been finalised and assessed. They tend to immobilise the status quo.

A second and more important and unfortunate side effect of the focus on safety cases is that the safety case and its approval tend to drive in various ways the safety management processes, instead of the other way around. The deadlines for completing the safety case are transferred to the safety management processes. These processes and their supporting quality management processes are likely to be delayed until the safety case has to be completed. Furthermore, the scope of the safety management processes tends to be reduced to what needs to be captured in the safety case. Instead of a push relation (safety management is summarised in the safety case) we often see a pull relation (the summarising safety case reduces the scope of the safety management processes). In summary, the set-up of the safety cases determines scope and timing of safety management work.

This too strong focus on the safety cases (at the cost of the safety management) process is seen both at supplier’s and at customer’s side. Partly because of contractual reasons discussions between customer and supplier tend to concentrate on the delivery of safety cases that are positively assessed by an ISA. Then it is sometimes up to the ISA to proactively request and inspect evidences that must be produced during the life cycle of the project.

The paper describes the situation just sketched in more detail and outlines a solution. In essence the solution is to clearly separate safety management from the delivery of safety cases. As Wim Coenraad wrote in 2009 on behalf of the International Technical Committee of the IRSE (in “Towards the one page safety case: less paper and more assurance”): “any project, any supplier that applies the systems- and safety assurance processes that are now the norm in our industry […] should not need more than ten pages and two weeks [for a safety case] to explain all that and convince their Independent Safety Assessor (ISA)”. In other words safety management is the central, continuous and controlled activity; safety cases are just a by-product, a snap-shot of that activity.


Roger Short

Does SIL live up to expectations?

In the course of 27 years at British Rail Roger Short became Signalling Development Engineer, BR Headquarters, leading a team of engineers responsible for type approval of railway signalling equipment.

After a further 10 years with HM Railway Inspectorate, five as Assistant Chief Inspector of Railways, he worked for Atkins from 2000 to 2011 as a Chief Engineer working in the area of safety assurance.

Now chairman of the UK National Committee for standards for Communication, Signalling and Processing Systems and a member of the CENELEC working groups charged with the revision of the EN50126, EN50128 and EN50129 standards.

Abstract:

The relationship between unsafe failure rate and SIL has always been somewhat equivocal. On one hand the relevant standards insist that SIL is concerned with systematic failures, whose occurrence is inherently unquantifiable, especially where software is concerned. On the other hand the standards contain tables which align tolerable functional failure rates with the corresponding SIL to be attributed with regard to systematic failures. This leads to the tacit expectation that if, for example, a system is developed according to the requirements for SIL4, unsafe functional failures due to design errors in software or hardware will manifest themselves at a rate in the region of 10⁻⁸ to 10⁻⁹ per hour.

For years it was possible to regard this as an abstruse academic problem, since empirical confirmation of such performance would require evidence of hundreds of thousands of equipment-years of operation. However, there are now in service in railway signalling and train control applications tens of thousands of individual items of equipment claimed to meet SIL4 requirements. They include interlockings, radio block centres, axle counters, ETCS on board units and wayside and on board CBTC subsystems.

When making assessments of overall railway system risk it is usual to assume that the contribution to risk resulting from unsafe failure of SIL4 subsystems or components is zero. There is a need to consider whether this assumption continues to be justified for applications such as major CBTC or ETCS Level 2 schemes which may involve hundreds of individual SIL2 units.

This paper will discuss the feasibility of estimating the actual unsafe failure rate, including systematic failures, of the current population of SIL4 units, taking account of all the gaps and uncertainties in the relevant data. The validity of the very notion of a numerical value for the rate of systematic failure of a large population of disparate products will be critically examined.
In the course of this analysis the distinction between random and systematic failures will be challenged, and it will be argued that all failures have both systematic and random aspects. A major problem for determining actual failure rates for high integrity systems is the sparsity of data relating to systematic failures. The paper will look at the mathematical techniques available for handling sparse data, and will also consider suitably conservative assumptions to make in the absence of data.


Fei Yan, Beijing Jiaotong University

Train control uncertainty treatment and safety assurance shifting to automation

Dr. Fei Yan received the Ph.D. degree in 2007 from Beijing Jiaotong University. He is currently an Associate Professor of the School of Electronic and Information Engineering in Beijing Jiaotong University and was a Visiting Scholar in the Civil Engineering and Environment Department, Imperial College London from Aug 2017 to July 2018. He led the R&D team of the LCF-300 CBTC systems to get the SIL4 safety certificate from Lloyd’s Register Rail. In 2010, the Beijing Yizhuang Line was successfully opened as China's first self-innovation CBTC system. His research area focuses on Railway Operation Safety and System Safety Assurance. From 2015, he participated in the study on Intelligent Maintenance and Reliability Improvement research projects for Beijing Metro. Contact him at fyan@bjtu.edu.cn.

Abstract:

Large cities depend heavily on their metro systems to alleviate traffic jams, while disruptive incidents have become more common, causing threats to passenger safety and transport service plans. Adopting a fully automatic operation system (FAO) with advanced technology, stable performance and efficiency first has become the urgent need of global rail transit construction. The objective of this paper is to show how to deal with train control uncertainty in driverless metro and give a possible solution to realize a resilient metro system. The paper selects a FAO system scenario to use a causal scenario search algorithm which is based on Systems Theoretic Process Analysis (STPA) for safety analysis, obtaining more causal scenarios and related safety requirements. At the same time, it discusses the safe process of testing, verification and validation and the interaction between passengers and the system. The safety assurance scheme of the FAO system in the design and development process is proposed.


Tetsuya Takata, Kyosan Electric Manufacturing Co., Ltd.

A Safety Analysis Technique Using STAMP/STPA for Electronic Interlocking System

Graduated from the Department of Electrical Engineering of Kogakuin University and joined Kyosan Electric Manufacturing Co., Ltd. in 1990. Discharged his duty as a railway accident investigator of Japan Transport Safety Board of the Ministry of Land, Infrastructure, Transport and Tourism from August, 2012 to July, 2014. Afterwards, returned to Kyosan in August, 2014 and up until now in charge of design and development of electronic interlocking equipment and development of radio-based train control systems in compliance with relevant European and American standards such as CBTC and ETCS. A member of the Society of Project Management.

Abstract:

Fail-safe technology has been the foundation of the safety of previous signal systems. The fundamental principle is to build systems so that when a malfunction occurs in part of the system, red signals are always triggered and trains are stopped. In recent systems, however, software is essential and the scale of that software is growing in size. At present, there is no such thing as fail-safe software, and high reliability is ensured through approaches such as writing easy-to-understand software, and carrying out thorough inspection. In this paper, STAMP/STPA is used to conduct analysis on signal systems with large-scale software. Detailed safety analysis is carried out with STAMP/STPA, using electronic interlocking system as an example. Then an assessment approach is described, suited to the purpose of Phase 3: Risk analysis of railway RAMS (IEC62278), as well as a method of summarizing the results of that assessment as a hazard log.


CBTC and Metro


Ian Thompson, IMT Engineering Solutions Limited

Reliability improvement of CBTC systems on metro lines

Ian Thompson is a Chartered engineer with an MSc in Systems Engineering Management. He joined London Underground as a graduate in 2008. Over the next ten years he mainly worked on major signalling upgrade projects. This included the first use of CBTC on the London Underground. He worked on both systems engineering and RAM activities of the CBTC installation on the Jubilee and Northern Lines. He ran projects to improve both the performance and resilience of the CBTC signalling system. He now works on European Train Control System (ETCS) implementation projects across Europe.

Abstract:

This paper describes the reliability management systems and processes designed to minimise reliability issues experienced with the implementation of a new signalling system onto a brownfield metro line. The use of a standard metric, common targets and a single method of defining reliability ensured that all stakeholders focused on the most relevant areas. The data capture methodology necessary to capture all the reliability related issues is described, as is the reliability process developed to record, analyse and rectify faults.

Importantly a collaborative approach between the signalling supplier and system integrator was adopted. The importance and benefits of this collaborative approach are discussed as well as the working practices developed to ensure a rapid improvement of the system reliability. This paper details the reliability data, lessons learnt, and an overview of the solutions developed which are being used on a current signalling upgrade project of four London Underground lines.


Pierre Dersin, Alstom

Building resilience into urban rail transport systems

Pierre Dersin holds a Ph.D. in Electrical Engineering and a Master’s degree in Operations Research, both from MIT. With ALSTOM Transport since 1990, he founded the “RAM Center of Excellence”. He is currently RAM (Reliability-Availability-Maintainability) Director and PHM (Prognostics & Health Management) Director of ALSTOM Digital Mobility. He has authored numerous publications in scientific conferences and journals in RAMS, PHM and automatic control (including IEEE Transactions, ESREL, RAMS Symposia, French Lambda-Mu symposia, IEEE-PHM Conference). He served on the IEEE Reliability Society AdCom from 2012 to 2017 and as VP, Technical Activities, in 2017. He is a contributor of 4 chapters in the “Handbook of RAMS in Railways: Theory & Practice” (CRC Press, 2018).

Abstract:

Today's urban rail transport networks are an essential instrument for large metropolitan areas in coping with the growing demand for punctual, reliable and environment-friendly transport services. Alstom's solution to address that need is its URBALIS® communication-based train control system.

Resilience is the capacity to recover quickly from difficulties; in this context, it is the ability for the system to continue to perform its transport function, or to return quickly to nominal operation, after disturbances caused by unforeseen situations. The situations URBALIS is designed to deal with are of three types: 1) hardware and software failures or degradations; 2) disruptions resulting from various causes, including passenger usage; 3) malevolent attacks.

To deal with hardware and software failures, URBALIS relies on highly redundant architectures, in particular that of the data communication system which is its backbone, but also on the use of innovative maintenance and asset management strategies; in particular, predictive maintenance, supported by the Health Hub™ platform, aims at detecting degradations before they result in service-affecting failures. Communication system redundancy involves duplicated and fully separated wired and radio networks for end-to-end communication between trackside and trainborne equipment. Vital messages, essential for signaling, are sent through two different channels, and non-vital messages are carried by a third network. Wi-Fi communications between trackside and trainborne equipment are managing frequency reconfiguration in case of radio perturbation or cyber-attack. On-line built-in test equipment with high detection rates enables the detection of partial failures before a function loss happens. Redundancy management mechanisms are made as simple as possible and attention has been paid to critical interfaces such as with power supply sources, to avoid single points of failure. Redundancy integrity and data flow are continuously monitored by the centralized maintenance system. Design protection mechanisms against common cause failures have been applied. The centralized equipment that supports key functions such as automatic train control, interlocking and train supervision can be duplicated to provide a standby redundancy backup that guarantees a short recovery time in case of catastrophic events such as flood or fire, or malicious attack.

In addition, predictive maintenance is applied to wayside assets such as point machines, whose failures significantly impact service; it consists of performing maintenance operations based on the condition of the assets rather than scheduled maintenance (time-based or distance-based). Just as for the communication network, the goal is to avoid service-affecting failures as much as possible, this time by detecting evolving degradations and intervening before they result in a failure. Machine learning and domain knowledge are combined to construct health indicators which measure the distance to 'perfect health' and are used for degradation detection, diagnostics and prognostics. Beyond that, Health Hub™ paves the way for dynamic maintenance management based on evolving asset conditions. Last but not least, adaptive traffic management algorithms ensure quick restoration of full nominal operation after a disruption (resulting from passenger flow fluctuations, passenger behavior such as door obstruction, or external delays).


Phil Dubery, CPC Systems

Delivering capacity and service resilience from modern CBTC systems

The author was inspired to study engineering through a passion for motorcycles. He graduated from Brunel University in 1985, his final year project being to optimise engine performance through tuning inlet manifold pressure pulses combining empirical data derived from instrumentation of the engine with computer modelling. The author started in the rail industry with London Underground Rolling Stock Design and Development in 1983 and has championed improvements in Metro operations, railway performance optimisation, service resilience, condition monitoring and maintenance. Currently the author is the Technical Director of CPC Systems Limited, a consultancy that specialises in railway optimisation and service resilience.

Abstract:

To achieve optimum service capacity and resilience on a modern railway requires a thorough understanding of the environmental characteristics of the railway, the operational constraints and an ability to balance the safety and the performance of the railway in terms of service regulation, management and release of train movement authorities, train spacing and relative movements and operational speeds, particularly across key junctions and the interaction between the automatic train control systems and the train traction and braking systems.

The presentation addresses these issues in a systematic manner with a vision of the railway of the future and how modern technology and processing power could be integrated to achieve the optimum railway performance.

Specific areas to be addressed using service examples will include:

  • Balancing the operational and technical aspects of the railway, such as platform detrainment, dwell and crew changeover times and the service patterns to ensure that potential pinch points on the railway are alleviated by considering operational and technical aspects holistically to achieve practical operational performance.

  • Management of open section adhesion levels, how these can be monitored and strategies to optimise braking curves and performance through flexing the braking profiles and brake application levels to match the geographical and environmental characteristics of the railway and using service performance data to support the operational and technical cases.

  • Management of the vehicle train interface and passenger comfort using modern modelling techniques supported by service condition monitoring of key aspects to ensure that speed profiles achieve the best railway performance whilst balancing passenger comfort and track safety and condition issues.

  • Optimising railway performance by ensuring that fleet utilisation is maximised by considering all the factors that contribute to the fleet service requirement, including stand time in termini and sidings, interstation run times and platform stopping and dwell times, lost time through service operation and continuous monitoring of the railway to provide timely indications of either congestion or time being lost on the railway during operation.

  • Harnessing data from the myriad of centralised and distributed computer systems to fully characterise the actual performance of the railway and allow amendments to be made to the operational practices, service schedule timings and regulation, control, signalling and rolling stock systems data to continually improve the performance of the railway and empower the operators with both a high level overview of the railway performance and an understanding of how the railway performance can be made more resilient by both preventing, minimising and recovering from service perturbations

Ultimately the presentation aims to bring together a vision of how the railway operation, scheduling and performance can be developed in an integrated manner with continuous process control being applied in the same way as for modern manufacturing processes whilst considering the human and system contributions and taking a proactive approach to understanding these with a continuous and immediate feedback loop to hone and improve the operation, scheduling, performance and systems design of the railway.


Systems


Wim Coenraad, Movares

Business Continuity in Railway Signalling

Wim is a Senior Signal Engineer with broad international experience in signalling principles, automatic train protection and train detection. Extensive experience in international harmonisation and standardisation. Involved in the specification and development of ERTMS/ETCS from its inception. Founded Railcert as Dutch Notified Body and acted as Lead Assessor and Certification Manager. Ample experience as Safety Manager and Safety Coordinator, managing delivery and acceptance of large and complicated safety cases under time pressure. Served as the President of the Institution of Railway Signal Engineers (IRSE) for the 2007-2008 session. Wim specialises in Safety Case Delivery and Certification Management. Specialties: Specification, development, certification. Safety management, safety cases delivery, management of independent safety assessors and notified bodies.

Abstract:

In the context of engineering, resilience can be defined as the ability to continue operating, perhaps at a reduced performance level, when unexpected but plausible events occur, and the ability to recover after such an event referred to as Business Continuity Management. Practices such as the application of redundancy, graceful degradation and "spatial diversity", i.e. allocating corridors comprising routes and the control of track elements allocated to separate "interlocking machines", such that if one fails at least one (or more) corridors remain available, have long been used and come under this heading. This paper presents an international survey of BCM in railway signalling and how to apply this concept to the digital railway, where the introduction of communications based signalling concepts, such as ERTMS, ATO over ETCS, C-DAS etc. might introduce the sort of "systemic failures", where the risk of occurring is difficult to determine at best, but consequences can have system wide effects, that are difficult to predict and analyse and where mitigations, if they exist and can be afforded, cannot easily be tested for effectiveness.


Ian Jones, Siemens Mobility Ltd.

Providing resilience as the goalposts move

Ian Jones is a Key Account Manager for Siemens Mobility Rail Automation UK, responsible for business development in Mass Transit. During his 30-year career Ian has worked on programme, systems and software management to deliver safety and security critical systems for rail, aerospace and defence. Since 2009, Ian has worked for Siemens in roles including UK Software Manager, Product Introduction Manager for the DTGR System for the London Underground Victoria Line, and Global R&D Director. In his current role he is responsible for bringing together people and technology to create systems that fulfill customer’s needs today and in the future.

Abstract:

Since the 1850s signalling has had the primary aim of preventing trains colliding. Mechanical levers have now been replaced by electronics, software, secure digital telecommunications, sophisticated systems engineering, and increased automation to enhance safety and increase efficiency. That quantum leap in technology has brought new challenges, particularly to keep the railway running. So what’s changed? Compared to the Victorian railway there are more systems to go wrong, fault-find and repair, and for maintainers and operators to understand. Yet system safety is at the highest level ever. Reliability and, more importantly, availability are at high levels, but the challenge to the industry to meet stakeholders’ expectations for resilience is also at an all-time high. How do we manage all this complexity? The industry is investing in improved methods of testing. System engineering gives us clearly defined requirements that can be verified and validated during the product lifecycle, however it is important to make sure that systems not only do what they should, but that they don’t do what they shouldn’t! Following the aerospace model of testing to destruction has delivered benefits for projects such as London Underground’s Victoria Line, allowing us to understand what will ultimately lead to system failure. This has offered significant mitigation when systems have pushed beyond their original design limits, in the Victoria Line example upgrading the railway to support a 36 train per hour timetable.

How do we prove that it’s going to work before we put it on the railway? Schemes including Network Rail’s Thameslink benefited from the extensive use of testing rigs allowing system components to be brought together and tested off-site. Interfaces have been defined, proven and tested using target hardware. The use of technologies like ‘digital twins’ offers a further progression to creating resilient systems. Where one organisation is delivering two large parts of the system such as the signalling and the trains, there can be huge opportunities for reducing the risk in managing, integrating and delivering a homogeneous, integrated solution. The delivery of the Riyadh Metro System took full advantage of integrated train and signalling tested on the Wildenrath Test circuit before deployment.

Designing for resilience. We can learn from the original mechanical interlockings which had no duplication built-in, instead having failure modes where functionality would be degraded without stopping trains. Such ‘graceful degradation’ needs to be considered to avoid blindly designing for availability through providing redundancy. The design of highly reliable systems, rather than duplicate systems, would take up less space and reduce vehicle weight.

Continuous change. Changing technology has introduced new threats to safety and availability, most obviously cyber-security. The underlying technology has developed extremely quickly, and many major railway schemes are now dependent upon complex networks based on commercial systems which we now need to guard from cyber threats.


Andrew Love, SNC-Lavalin Atkins

A whole-railway reliability approach to planning for things that will probably never happen

Andrew is Head of Train Control and Signalling at SNC-Lavalin, leading a team experienced in both conventional signalling and cutting-edge train control on mainline, metro and APM infrastructure. He started his career as a signalling and control systems trainee at London Underground. Following a Masters degree in Electrical and Information Sciences at Peterhouse, Cambridge University, he managed signalling and power maintenance on two lines, then worked in signalling design. In 2000 he joined Atkins, reaching Professional Head of Metro Signalling. In 2013 he joined SNC-Lavalin. Andrew sits on the IRSE Education and Professional Development committee, and sponsors and lectures study classes to prepare candidates for the IRSE Professional Examination.

Abstract:

Many railways understandably focus their attention on improving safety and reliability into eliminating the causes of the most commonly experienced incidents. However, this approach neglects the mitigation of low-probability high-impact incidents that might only be experienced once in the life of a transit network, but would be significant (potentially catastrophic) should they occur, such as widescale power or communication failures and earthquakes. Although such risks exist throughout (and beyond) the railway system, the role of communications, telemetry and operational control in mitigating or managing the impact of such risks means that addressing these issues falls squarely into the remit of the IRSE's members. In this paper, I will discuss:

  • The need for a structured, quantitative approach to identifying and assessing potential threats, so that an appropriate level of attention is given to mitigating low-probability events and the (sometimes hidden) dependencies between systems can be identified.

  • The use of a whole-railway resilience model to identify the risks and mitigations from the human components of the railway system and the dependencies from interfaces from outside the railway systems (e.g. utilities), as well as the more obvious risks and mitigations from the technological components of the railway system. This methodology enables a wider range of mitigations to be considered, and moves the approach to resilience from being asset-focused (e.g. "Do we need a backup control room?") to being enterprise-focussed (e.g. "How will we cope if the control room becomes unavailable?") to enable a more holistic approach to planning and investment.

  • The importance of assessing the environment in which the railway operates; this covers the criticality of the railway to the wider environment as well as the evolving threats in the global environment, including geopolitical, meteorological, technological, medical, commercial and social issues.

  • Practical steps by which the impact of low-probability failures can be designed out or mitigated through procedure or monitoring systems. This will include measures to ensure that critical resources are available to work under scenarios that also affect their out-of-work environment.

  • The informal mitigations that are already in place in many railway enterprises, and how these can be formalised and protected during organisational change.

  • How railways can test their resilience to ensure that mitigations are effectively implemented.


Lizuo Xin, Siemens Mobility B.V.

Bring Digitalization to an Enhanced Urban Transportation

Lizuo obtained her BSc degree in Civil Engineering at Beijing Jiaotong University in 2011, China. Then she started her PhD research in Railway Engineering in Delft University of Technology. Her research focused on dynamic behavior of wheel-rail interaction in railway turnout, numerical and experimental analysis of structural behavior, material fatigue analysis and rail maintenance procedure. Since February 2017 she started in Siemens Mobility B.V. in the Netherlands. She works as a system engineer on railway signaling system, with focus on interlocking systems and ETCS. Also involved in activities such as HSL-Zuid test environment and Sinet (Siemens Interlocking Network). Her interest also lies in data analysis for possible root cause analysis of the subsystems, e.g. in RandstadRail.

Abstract:

In this paper a use case of root cause analysis (RCA) of a subsystem disturbance (false notification of section occupancy) based on the gathered data, is presented. The use case is taken from the Randstad Rail in the Netherlands, which is the light rail network in the southern part of the Rotterdam – The Hague area. Due to the high population in the area, the low downtime of maintenance is requested to ensure the passengers a safe and punctual journey.

For analyzing the system performance, the key point is to bring data to life, i.e. digitalization, to provide as much information as needed. The use case studied in this paper is related to the false notification of section occupancy which leads to the reset of axle counters. In order to find out the root cause of the problem, an analysis framework has been developed, which starts with the data collection from the systems, e.g. interlocking, followed by data analysis using appropriate tools, and visualization of results. RCA of this specific disturbance has then been performed, which reveals that problems lie in not only the cable connection between the axle counter and the interlocking, but also the failing interaction between the vehicle and the axle counter, which prevents the axle counter from receiving the magnetic field. Consequently, the axle counter misses counting of the wheels of the vehicle.


Cyber-Resilience


Eylem Thron, Ricardo Rail

Evaluating the impact of cyber security and safety with human factors

Eylem is a Senior Consultant at Ricardo Rail with 10 years’ experience in the application of human factors (HF) and design expertise within the rail, highways and defence industries. Her experience includes providing HF support across the concept, design, and implementation phases of projects, including application of ‘persons with reduced mobility’ (PRM) design principles to rolling stock and infrastructure; Human Machine Interface (HMI) and Human Computer Interface (HCI) design and assessment; HF guidance and design of National Traffic Information System (NTIS) and design and development of next generation user interfaces for armed forces (land and air).

Eylem has a BEng in Computer Systems Engineering and PhD in HCI (Engineering) from University of Kent and is currently undertaking an MSc in Ergonomics at Loughborough University. She is also a visiting fellow in HF at Bournemouth University, with an interest in cyber security issues in the rail sector.

Abstract:

Railway safety and security are typically considered as two independent engineering concepts, but there is now a recognition that cyber security imposes new threats which directly or indirectly affect human life. Rail technology is engineered from a safety perspective, and subject to independent assurance. However, in the same sense that a passenger or driver's view of a system is not the same as that of an accreditor, attackers view rail systems and vulnerabilities in different ways. Similarly, human and task characteristics that might seem benign from a safety perspective might be manipulated from a security perspective, leading to attacks that compromise both. This raises the question of how cyber security can be better designed and assessed as part of the implementation of railway projects, while accounting for human factors. To illustrate the impact of security on safety, we consider the example of a Polish tram incident in 2008, where a teenager converted a TV remote control into an infrared transmitter. This activated rail switches and redirected trams. This led to tram derailments and emergency tram stops which provide a serious threat to the safety of passengers and railway staff. Although a well-known incident used by some as an unwarranted appeal to fear, it does highlight the need for rail infrastructure and the people who maintain it to remain resilient in face of emerging threats and unintended consequences. One vehicle for obtaining this resilience is better understanding the relationship between induced errors (latent failures) and anticipated error with security concepts. Risk is an important concept shared by safety and security engineering. It portrays the impact of a potential loss of human safety and cyber security on the railway systems, and acts as a boundary object for exploring the impact of changes to safety, security, and human factors system design elements.
In this paper, we present the interdependencies between safety, security, and human factors engineering concepts, and they can be used to explore the impact of design changes on risk. We illustrate how the open-source CAIRIS (Computer Aided Integration of Requirements and Information Security) platform can conceptualize the security and usability elements to the Polish tram incident to identify root cause safety and security problems related to human error.


Henry Cheung, IRSE Hong Kong Section

Data resilience: protection of a CBTC system from hackers

Ir. Henry Cheung was a graduate of the University of Toronto Faculty of Applied Science and Engineering, Division of Engineering Science. He also attained the qualification of Master of Business Administration from Deakin University in Melbourne, Australia.

Ir Henry Cheung has over 30 years’ experience in the railway engineering industry, serving in various capacities in the client, consultant and supplier organization and has delivered railway systems around the world. His most notable contribution was his leadership in the first replacement of a signalling system to the Hong Kong MTR network and the introduction of the first Communication Based Moving Block Train Control system to the KCRC West Rail and Ma On Shan Lines.

Ir Cheung is renowned in the local engineering community and global railway industry. He has served in various positions in many professional institutions and has lectured in post-graduate level railway engineering courses.

Ir. Cheung is a Registered Professional Engineer (Electronics and Control, Automation & Instrumentation); Chartered Engineer (United Kingdom); Professional Engineer (Ontario, Canada); Fellow of the Institution of Engineering and Technology; Fellow of the Hong Kong Institution of Engineers, Fellow of the Institution of Railway Signal Engineers; Senior Member of the Institute of Electrical and Electronic Engineers; and Fellow of the Hong Kong Information Technology Joint Council. He is also actively involved in the profession: being a Council Member of the Hong Kong Institution of Engineers; executive member of the Hong Kong Information Technology Joint Council; Vice Chairman of the Railway Signal Engineers Hong Kong Branch; member of the Hong Kong Institution of Engineers Electronics Professional Advisory Panel; Board member of the Smart City Consortium; member of the Consultative and Advisory Panel of the Hong Kong Internet Registration Corporation Limited; member of the Advisory Committee, Department of Electronic Engineering, Chinese University of Hong Kong; past Chairman of the Institution of Engineering and Technology Hong Kong branch; past Chairman of the Hong Kong Institution of Engineers Electronics Division; and past member of the Divisional Advisory Panel for the Electrical and Electronics Engineering Department, University of Hong Kong.

Ir. Cheung is currently the Managing Director of KONE Elevator (Hong Kong) Limited.

Abstract:

The signaling system has gone a long way from semaphore to colour lights to electronics interlocking and analogue based automatic train protection to the modern day communication based train control (CBTC) system. The means of communication for a CBTC system also evolved from inductive loop or track circuit based to dedicated radio to the more commonly adopted WiFi based system based on IEEE 802.11 international standard. The subject of potential cyber-attack on a CBTC system based on a publicly accessible communication system using off the shelf equipment and devices has been widely discussed at various forums, seminars, conferences and discussion groups. Signalling system suppliers have incorporated into their design various measures to protect the CBTC system from unauthorized access and so far these protection measures seem to be effective. In addition to the defensive protection, the IT industry has developed many standards such as IEC 62443 series and ISO 15408 with an attempt to detect potential intrusion into the system by hackers and report or eliminate these threats before they become an issue. This paper attempts to review the ways hackers would attack the CBTC systems: from wifi access points installed along the trackside, from local area network portals at stations, and even from virus apps hidden in the mobile phones of the train driver; the counter-measures available for the systems to defend themselves from being hacked: from fire-walls installed around the system, encryption and codes embedded in the data, to specific data algorithms. We review the merits and coverage of the various methods of protection and compare that to the cyber security industry standards. The question is: are we more vulnerable using the CBTC system than the previous generation distance-to-go systems?


Alexander Patton, Siemens UK

Developing cyber-resilience together: Industry cooperation for more security

Alexander is a systems engineer specialising in cyber security for signalling and train control. He has a long passion for IT systems, gaining his first industry certifications at age 11. Equally passionate about transport, Alex joined the rail industry with Siemens after graduating from the University of Surrey in 2015. He first presented at ASPECT 2017, demonstrating an ATO model railway project. From 2017 to 2019, Alex led the development of the cyber security solutions for the flagship London Underground Deep Tube Upgrade Programme and East Coast Main Line tenders.

Based in London, Alex enjoys language, history and culinary arts and spends his free time living with his fiancée in Nagoya, Japan.

Abstract:

Shortly after ASPECT 2017, the industrial control systems community received a stark reminder of the cyber threat to critical infrastructure. An energy plant in Saudi Arabia had been shut down by malware. Except, this malware was different: It had successfully infected the SIL-rated Safety Instrumented System and attempted to cause a wrong-side failure. All that stood between the plant and violent tragedy were a couple of small coding mistakes on the part of the attackers.

Like in the wider industrial control systems community, railway digitalisation is rapidly introducing commercial information technologies to signalling and train control systems. While this provides for significant opportunities, it introduces new risks. The security risks posed by digitalisation are unique because of the increased exposure to, and/or magnified impact of, a cyber-attack.

As cyber threats continue to grow, governments are beginning to introduce security regulations that impact the signalling and train control industry. The best example is probably the EU Network and Information Systems (NIS) Directive -- the world’s first inter-governmental initiative on cyber security -- which came into effect in May 2018. It places legal obligations on the operators of essential services, including railway infrastructure, to:

  • Manage Cyber Security Risk

  • Protect Critical Infrastructure Systems from Cyber-Attack

  • Detect Cyber Security Incidents

  • Minimise the Impact of Cyber Security Incidents

The signalling industry is still in the early stages of addressing these objectives, and stakeholders are at varying levels of maturity. Currently, S&TCS asset owners take different approaches to security management. Individual system suppliers consider security architecture within their own limited scope. Vendors build products to varying levels of security and sometimes with incompatible technologies. When security functionality does finally make it to the railway, it can become obsolete long before the end of the system lifespan.

To efficiently and effectively manage security risk across the railway, stakeholders must work together to overcome this maturity gap. As has been done with safety, the industry needs to collaborate on a standard approach, agree clearly defined baselines and create interoperable security architecture. To achieve this, stakeholders will need to overcome challenges including protecting one’s intellectual property and commercial position while openly cooperating on cyber security. This paper examines why industry cooperation is an essential part of building a more secure and resilient railway, how we can leverage it and what challenges there are to implementing such cooperation.


John Boss, John Boss Consulting

Signalling and Cyber Security: Closing the gaps that prevent comprehensive security solutions

John has over 35 years’ experience in delivering railway projects. He has worked in Australia, New Zealand, Denmark, the Netherlands, Belgium, UK, USA, Ireland, Israel, Portugal, Philippines, and Hong Kong.

John has a strong focus on risk and safety management. He leveraged experience in system safety to develop and apply depth in system security. John is completing his research project on cyber security monitoring for rail systems as part of his Masters in Cyber Security (joint program: University Leiden and TU Delft). He is currently involved in a project for cyber security monitoring of ERTMS. (refer: www.johnboss.eu)

Abstract:

Cyber security is an issue that needs to be addressed in signalling systems. There are, however, no cyber security standards for signalling. Cyber security is a multi system problem, and further complicated by the fact that signalling and security disciplines are different in nature. The critical issue is the potential for misalignment of context – in particular, how the signalling engineer views 'the problem' may not align with the actual cyber security challenge that needs to be addressed. Simply encrypting some data channels is not in itself a comprehensive solution. This paper examines that potential misalignment of context, by reflecting on three paradigms of signalling, viewed through a cyber security prism. Firstly, the definition of a system that is used by signalling engineers is compared with security architectures currently defined in cyber security standards for industrial applications to highlight gaps. Secondly, the definition, and process of risk analysis is compared to reveal underlying differences between signalling and security concepts - but also highlight areas of commonality. Finally, the signalling approach to updating safety code is compared with the IT practice of updating (patching), and examples are discussed that are attempting to address the issues that result. The conclusion is that close collaboration is necessary between the safety engineers and the security engineers to ensure comprehensive cyber security solutions for railways are developed. Interactions are mapped against phases of EN50126.


Standardisation


Bob Janssen, Siemens Netherlands

How the EULYNX data prep standard can improve railway robustness

In 1989 I graduated from TU Delft with an engineering degree in geodesy. After military service, I did a PhD at Strasbourg University in France in geophysics, focusing on numerical modelling of plate tectonics. After that I moved to Leeds for a post-doc in marine geophysics. My career in the rail industry started in earnest in 1998 in Stuttgart and Berlin with Alcatel, later Thales, developing ETCS onboard units in a joint venture with Siemens. In 2001, I joined Matra in Paris, developing Moving Block CBTC systems using formal methods. When Siemens bought the business I got the opportunity to pursue my career, after a short intermezzo in Braunschweig, on-site testing and debugging the ETCS Level 2 systems on HSL Zuid in the Low Countries. I stayed in the Netherlands and joined Siemens NL supporting sales of signalling and ETCS systems. In a later, parallel, development I contributed my knowledge of European signalling systems towards developing an interlocking schema for railML. Since early 2018, I've been contributing to the EULYNX data preparation cluster, an effort to create a European standard for data exchange between signalling industry and infrastructure managers. I'm married and have two teen-age daughters.

Abstract:

EULYNX is the initiative of European Infrastructure Managers to standardize interfaces between signalling systems and their periphery. Standardisation creates a world-wide market for peripheral device controllers ranging from train control systems to point controllers. In the foreseeable future, IM’s can pick and mix signalling systems from supplier A that controls field devices from supplier B. This will do for the railway signalling industry what the USB-standard did for the IT industry and the GSM-standard for telecommunications.

EULYNX also standardises data preparation. This consists of designing the data structures that capture the information a supplier needs to build a signalling system from the ground up. This is a radical improvement from the present where the parties involved in (re-)signalling projects exchange heterogeneous and proprietary datasets, often on paper. In the future, the signalling industry ingests standardised EULYNX data into their proprietary design toolset. As before, the signalling industry process the data and then return the enriched data, in EULYNX format, to the IM who absorb this as-built data into their asset management systems. IMs and signalling industry retain their proprietary formats and tooling but EULYNX harmonises data exchange. The transfer of data must not reduce the quality, in other words, the probability of data being corrupted in transit must be acceptably low. Manual transfer is notoriously error-prone and the cost of finding and removing errors is high. The case for automating the data transfer process through well-defined standard data structures is obvious.

This paper describes how EULYNX defines classes of data that describe the objects we find in railway signalling, no easy task given the fact that European railways have nearly 200 years of technological traditions and jargon that must be reconciled. Answering a seemingly simple question like “what is a route” is fiendishly difficult once one starts drilling down. The participants from the various European IM’s in the data prep working group construct UML class models that analyse tangible and intangible signalling objects, define the semantics and most importantly, define the relations between objects and their states. We explain how we handle the different national signalling concepts and requirements to construct UML class models.

Finally, the UML models will be transformed into XSD schemata that harness XML data exchange between data-producers and consumers. Whilst the primary use case for this UML model remains the lossless data transfer between IM’s and signalling industry, one can think of many other use cases such as capacity analyses that need accurate information about signalling systems to forecast traffic. Another prospective use case is to improve the robustness of the railway system. The data model allows automated analysis of the relations between objects. One can design stress tests to answer questions like “what routes are affected when a given signal lamp fails” or “what is the impact on throughput if this train detection section fails”?


João Martins, EFACEC

Moving safely towards IP for signalling

After receiving the MSc. Degree in Informatics from University of Minho, driven by the interest in formal methods and the development of safety-critical systems I entered the railway industry. I first started performing verification and validation activities and then moved to the development of software systems. As the software development leader of EFACEC signalling products, I had already participated in the commissioning of several international projects.

Abstract:

In the railway industry, the trackside equipment represents an important layer for signalling solutions, the one responsible for the interaction with the physical world, i.e., lightning a lamp to show a proceed aspect or to detect a train within an area. The interface with this layer is changing, as electrical interfaces are being replaced by IP protocol interfaces. In fact, hardware interfaces are being replaced by software interfaces. This replacement is mainly explained by the efficiency of software systems regarding data exchange, due to their high integration, flexibility, and scalable capability to handle large amounts of data. The efficiency in (Big) data collection provided by communication protocols is essential when predictive maintenance systems are evolving fast with the goal to reduce maintenance costs and increase the systems life-cycle and resilience. Also, when an increase in the interoperability is required to improve the performance and reduce the development costs of railway systems, software communication protocols play an important role. The introduction of communication protocols to exchange safety-related data raises new challenges concerning safety and security aspects, in order to ensure data integrity and authenticity, respectively. The EN 50159 identifies the threats that a transmission system is subjected to, as well as defence strategies for those threats in the attempt of tackling safety and security issues. Regarding RAM (Reliability, Availability and Maintainability) even though they were not addressed by EN 50159 they should also be re-evaluated with this new type of interface in mind. Despite the mentioned challenges, there are already examples of communication protocols being successfully used by trackside equipment to exchange safety-related data. However, there is still no consensual standard protocol despite the effort of projects like EULYNX. 
Therefore, a new set of communication protocols has been emerging, pushed by the appearance of new IP-interfaced equipment. The new wave of safety communication protocols also entails a challenge to system integrators: the implementation of these protocols. Thus, this paper presents an approach for the development of safety protocols intended to be compliant with EN 50128 for SIL 4 systems. The approach follows a model-based development process, targeting the creation of a formal model with the aim of assessing the protocol's safety properties. In order to reduce unnecessary complexity and (consequently) improve the probability of a successful formal verification process, only the safety functions should be considered for the model creation. The remaining functions (e.g., socket management) should only be added in the final target system. An implementation of the safety protocol FSE (Frauscher Safe Ethernet) will be used as an example, following the proposed approach in order to validate it against an already certified safety protocol for category 2 according to EN 50159. In sum, while demonstrating the power of the modelling process, this paper also illustrates the importance of conducting formal proofs to ensure the safety properties of protocols, with the reuse of these properties in mind, since most of the safety mechanisms provided by protocols are the same.


Kyung-Hwan Hwang, Railway Signal Research Association

Development of IP interlocking in Korea

1958: Born in Seoul, Republic of Korea.

1981: Graduated from Yonsei University, majoring in electronics.

1983 ~ 1996: Daewoo Telecom, telecommunication sales engineer.

PABX SL-1 test & commissioning engineer.

Supply & construction of SDH/SONET transmission system for Korea Telecom.

Supply & construction of Seoul metro line 7 & 8 communication system.

1996 ~ 2014: POSCO Engineering, signaling engineer.

Participated in the construction of Seoul metro line 9 signaling as a system engineer (SE) for 5 years.

Participated in Airport Railroad Express in Korea as a signaling engineer of Automatic Train Supervision for 4 years.

2015 ~: Railway Signal Research Association, senior engineer.

2017 ~: Participation in the development of “IP Based Railway Electronic Interlocking Device Commercialization” for the standardization of the interface between trackside signaling and IP based electronic interlocking system.

2018 ~: Participation in the development of ETCS L3 electronic interlocking system for the interface between trackside ATP (RBC), CTC and electronic interlocking system.

Abstract:

The project “Development and Commercialization of IP-based Railway Interlocking in Korea” is part of the Railway Signal Research Association (RSRA)’s research into the application of IP-based railway interlocking system engineering to the Korean railway signalling system.

In cooperation with the Korea Rail Network Authority as infrastructure manager, RSRA is participating in the IP-based railway interlocking in Korea project to develop technical interface standards for signalling equipment. Nowadays, rail infrastructure is faced with more and more diversity when interfacing subsystems, caused by an increasing number of different suppliers in replacement and renewal projects. Modifying electronic systems from different suppliers, in particular, usually comes with costs. Standardization is now coming closer by using modern internet-based technology. This makes it possible to use the same solutions for improved monitoring and diagnosis. These innovations can help to achieve the ever-increasing safety and efficiency requirements of our busy railway network.

Research and development of ERTMS/ETCS Level 3 in Korea, which is the government-led project followed by KTCS-2 (ETCS-2), has been in its first stage since April 2018 and will continue until December 2020 under the responsibility of the Korea Rail Network Authority. IP-based railway interlocking will be used for the standardization of the interface between ETCS-1, 2, 3 and interlocking, with slight modification of the data packet.


