Challenge H: For an even safer and more secure railway

COMPUTATION OF THE SAFE EMERGENCY BRAKING

DECELERATION FOR TRAINS OPERATED BY ETCS/ERTMS
USING THE MONTE CARLO STATISTICAL APPROACH

1. Abstract

2. Introduction
The purpose of speed control systems is to protect the train and trigger an emergency braking in case
of danger. The system takes into account the speed and position of the train relative to the limits
allowed for the safety of railway operation. If the allowed limits are exceeded, the driver is first
informed and in the absence of appropriate reaction, the emergency brakes are applied automatically.

These systems have been developed on a national basis and the philosophy used to build the control
strategy is closely linked to the underlying signalling system, with specific functional concepts. In
France for instance the KVB (Speed control by balise) is used for conventional railway whereas the
TVM (Track to train transmission) is dedicated to high speed lines. Different solutions exist also for
the transmission media (balise, rail, GSM-R) and for the type of monitoring (piecewise constant
speed threshold, parabolic speed threshold). Speed control systems have been constantly
upgraded to increase the performance and to incorporate the latest technological improvements. The
development of numeric systems in the 90s has also deeply modified the design of train control
systems and opened new perspectives in terms of performance.

As a consequence, a large variety of incompatible speed control systems exists in Europe and
represents an obstacle for interoperability and for the development of rail transport at the European
level. ETCS is the European Train Control System created to address these incompatibility issues by
creating a unique train control system, to replace the existing national speed control systems. The
deployment of ERTMS enables the creation of a seamless European railway system.

ETCS is based on an a set of braking curves, computed in real time and depending on different
physical parameters (estimated speed of the train, track profile, train acceleration, etc. ). On the one
hand, some of these curves provide useful information to the driver: the Pre-Indication curve and the
Indication curve for instance, inform the driver that he has to initiate a service brake to respect the
signals. On the other hand, the safety of the system is based on the Emergency Brake Deceleration
curve (EBD). This parabolic shaped curve starts from the Supervised Location (SvL) and is computed
with the guaranteed emergency brake deceleration, which incorporates the safety margin. As a result,
the statistical dispersion of the emergency braking performance is taken into account, as illustrated in
Figure 1 below. Typically, a large safety margin will result in a flat EBD curve, spanning a more
important distance range. The Emergency Brake Intervention curve (EBI) which is used to trigger the
emergency brake is then directly shifted from the EBD curve with the equivalent emergency brake
build up time. To respect ergonomic principles, the curves related to the service brake are positioned
upstream compared to the EBI curve: thus a driver who respects the signals will not be impacted by
the EBI curve.
 Challenge H: For an even safer and more secure railway

Speed EBD curve

Safe Emergency Supervised
Brake Deceleration Location

Nominal Emergency
Brake Deceleration

Train A Train B

Distance
Safety Margin
Figure 1 : Statistical dispersion of the emergency brake performance

3. ERTMS/ETCS framework for safety margins

The management of safety margins is strongly influenced by the existing signalling systems and the
speed control systems used. The safety margin can be materialized by a global fixed margin, applied
to the overall braking distance and taking into account rolling stock and trackside dispersion. In
addition the safety margin is often not ensuring alone the overall safety: it is also supported by
operational rules and trackside characteristics. This global value is usually confirmed by operational
feedback. However one major inconvenient of this approach is that it doesnt allow any optimization of
the system and that it can be an obstacle to handle the case of cross border trains: the same margin
is applied independently from the braking performance.

ETCS has introduced a unified framework to take into account safety margins. This method,
described in detail in the latest release of the ERTMS/ETCS System Requirement Specifications
(SRS Baseline 3), uses different parameters for safety margins. The main sources of dispersion are
separated, making the representation closer to the real apportionment and allowing a more accurate
allocation of the safety target. Adhesion, which has a great influence on the performance and which is
at the interface between trackside and rolling stock is handled specifically. The approach is based on
two multiplicative rolling stock correction factors Kdry_rst and Kwet_rst, applied to the nominal
emergency brake performance and which depend themselves on two trackside parameters,
respectively EBCL and AVADH:

Kdry_rst takes into account the rolling stock characteristics and represents the statistical
dispersion of braking effort on dry rails. It is provided as a table indexed by the confidence
level EBCL.
The Emergency Brake Confidence Level (EBCL) is transmitted by trackside and corresponds
to the confidence level on the emergency brake deceleration on dry rails. It is used to select
the appropriate Kdry_rst value. It corresponds to the probability of the event The rolling stock
emergency brake subsystem of the train does ensure a deceleration at least equal to
Kdry_rst(EBCL) * A_brake_emergency. Confidence level values are usually between 90%
-1 -9
(equivalent to 10 ) and 99.9999999% (equivalent to 10 ).
Kwet_rst is a rolling stock parameter which represents the dispersion due to adhesion
degradation. Since adhesion loss depends both on rolling stock and trackside characteristics,
the margin is separated from Kdry_rst. Kwet_rst corresponds to the deceleration degradation
between wet and dry rail conditions as defined in the UIC leaflet 541-05. It is directly
modulated by the weighting factor AVADH transmitted by trackside.
The parameter AVADH (AVailable ADHesion) is transmitted by trackside and is used as a
weighting factor for the correction factor Kwet_rst. It is used by the Infrastructure Manager to
modulate Kwet_rst on the basis of the trackside characteristics (for instance during autumn to
handle the case of dead leaves).
 Challenge H: For an even safer and more secure railway

ROLLING STOCK
Correction factor Kdry_rst TABLE
Correction Factor
Kdry_rst(v,EBCL9)

Kdry_rst(v,EBCLi) Kwet_rst

Kdry_rst(v,EBCL1)

Nominal Emergency Braking curve

Brake Deceleration A_brake_dry A_brake_safe computation

A_brake_emergency

Emergency Brake Available Adhesion

Confidence Level Weighting Factor

EBCL AVADH
TRACKSIDE

Figure 2 : Calculation of correction factors

 Challenge H: For an even safer and more secure railway

4. Optimization of the safety margin with ETCS

The trackside and the rolling stock characteristics play an important role in the determination of the
safe emergency brake deceleration. To take benefit from the new safety margin structure laid down in
Baseline 3, the correction factors and the trackside parameters must reflect as much as possible
rolling stock and trackside characteristics respectively. The next paragraphs propose methods used
by the SNCF Rolling Stock Engineering Center that exploits this new leverage for the safety margin
management.

4.1. The safety allocation: first step toward optimization

The confidence level used in the ETCS braking curves concerns the emergency braking performance
of the train. It is only a component of the overall safety of train operation. The overall safety target is
associated to the probability of the following unwanted event the train overruns the Danger Point.
The Danger Point (DP) corresponds to the fouling point of a crossing or to beginning of an occupied
block. The Supervised Location (SvL) is the point targeted by the EBD curve and is located a distance
called overlap before the Danger Point. All the braking events which can lead to overrun the danger
point must be considered in the safety study. The safety target is usually expressed as follows:
-x
P(Train overruns DP = SvL + ) 10

A first approach consists in allocating directly the overall safety target to the Emergency braking
deceleration EBD. Mathematically it corresponds to the equation:
-x
P(Train overruns SvL) 10

The overall safety target is respected on the Supervised Location and as a consequence on the
Danger Point. This means that the whole safety of the system is affected to the emergency braking
curve EBD. This is illustrated in Figure 3 where the parameter x is directly used for the EBD curve,
thus selecting a relatively low level of deceleration. The Indication curve which is shifted from the EBD
curve will be impacted by the selected confidence level and the train A will see its braking instruction
(materialized by the yellow circle) relatively in advance: as a consequence the driver will apply the
brakes early.

It is also possible to take into account the contribution of trackside margins, materialized by the
overlap distance. The overlap distance depends on several parameters (speed of the line, traffic
density, trackside configuration) and can vary from few meters to thousand meters. If the probability
-y
10 is associated to the overlap distance, then the confidence level of the EBD curve can be set to
-x+y
the value 10 as follows:
-x+y
P(Train overruns SvL) 10
-x+y
By selecting the confidence level EBCL = 10 for the emergency brake safe deceleration, the overall
safety target is still respected, and the margin is then shared between trackside overlap and rolling
stock emergency deceleration:
-x
P(Train overruns DP) 10

Figure 4 shows the shortening of the stopping distance obtained with a steeper EBD curve. Thus the
driver observes the braking instruction later and the stopping distance is shorter. The main advantage
of the optimized approach is that the allocation of the safety target takes into account each existing
margin, and that the performance is increased. The perturbation point is reduced by the distance:
-x -x+y
d = Indication[EBCL = 10 ] Indication[EBCL = 10 ]
 Challenge H: For an even safer and more secure railway

Speed

EBD Supervised
curve Location
Braking
Instruction Overlap
Indication Distance
curve
Train A Danger
Point

Distance

-x
10
Train B

Figure 3 : Safety allocation - direct approach

Speed

EBD Supervised
curve Location

Braking Overlap
Instruction Indication Distance
curve
Train A Danger
Point

Distance

-x+y -x
10 10
Train B

Figure 4 : Safety allocation - optimized approach

 Challenge H: For an even safer and more secure railway

4.2. Rolling stock correction factors optimization with the

Monte Carlo method

4.2.1. Origin and development of the method

The main principles of the method have been established by the UIC Workgroup B126.15C, whose
objective was to define a unified algorithm to obtain the safety margins in order to facilitate
interoperability. The determination of Kdry_rst is not straightforward since there is no analytical
relation between the correction factors and the parameters of the braking architecture. Different
options have been investigated and the probabilistic Monte Carlo method was found to be the most
suited for the calculation of correction factors to be applied to the emergency brake deceleration.
Today Railway Undertakings are still free of choosing their own method for the computation of safety
margins; however the European Railway Agency (ERA) encourages the use of this probabilistic
method. In the end of 2009, ERA has organized a call for tender for the provision of case studies to
compute the correction factor. In the frame of this procedure, the tool developed by the SNCF Rolling
Stock Engineering center was submitted and finally selected. A 4 year contract was concluded
between ERA and the Rolling Stock Engineering center to deliver correction factor for Railway
Undertakings who plan to equip their rolling stock with ERTMS/ETCS.

4.2.2. Description of the methodology

The methodology used to compute the correction factor is composed of following steps:

Functional description of the braking architecture

This step is very important since the model must be generic, flexible and applicable to every braking
architecture. The complexity of braking systems, the large number of components involved and the
very different technologies used increase the dimensionality of the problem and the computational
burden.
The formula of the correction factor Kdry_rst cannot be obtained directly with the functional
description, thats why the coefficient k corresponding to the ratio actual deceleration (i.e. including
dispersions) by nominal deceleration 0 is first introduced in this procedure. For the functional
description, a top down approach is used as illustrated on Figure 5 for a part of the TGV: the
architecture is first divided into the different types of braking systems used on the train, and then each
type of braking system is split into the different elementary independent braking units implemented.
The contribution of each unit to the total braking effort is then expressed with the most influent
physical parameters, whose variability impacts the braking performance (cylinder pressure, friction
coefficient, failure rate ).

Bogie 1 Bogie 2 Bogie 3 Bogie 4 Bogie 5

Shoe Brake & Shoe Brake & Extremity Intermediate Intermediate
Electric Brake Electric Brake Disc Brakes Disc Brakes Disc Brakes

Figure 5 : Example of functional description

 Challenge H: For an even safer and more secure railway

The result of this step is the equation of the ratio k, as a function of the most influent physical
parameters:

k f ( x1 , x 2 ,..., x q )
0

Description of the variability of the physical parameters

The dispersion of the physical parameters is described with the type and the characteristics of their
statistical distribution. Uniform and normal laws for the continuous variability and Bernoulli law for the
partial/total loss of braking effort are the most commonly used distributions to represent dispersion.
The selection of the distribution and the definition of the parameters are important tasks and are
based on experimental data or on the braking experts knowledge. If necessary, customized
distributions can also be introduced to interpolate operational data.

Numerical simulation with the Monte Carlo Method

The purpose of the simulation is to reproduce the real dispersion of the braking performance, by
feeding the mathematical model of the train with the distribution of the physical parameters, as
illustrated on Figure 6. This propagation of dispersion through the model is achieved iteratively with
the Monte Carlo method. This approach is particularly adapted to complex non linear systems with a
large number of variables. The steps shown on Figure 7 are repeated until the maximum number of
iterations is reached:

Distribution of physical parameters

Distribution of k
Braking
Architecture Model

k f ( x1 , x2 ,..., xq )

Figure 6 : Distribution of physical parameters and distribution of k

 Challenge H: For an even safer and more secure railway

Start of simulation
iter 0

1 Generation of the statistic samples

x iter
1 , x2iter ,..., xqiter
2 Evaluation of the model

kiter f x1iter , x2iter ,..., xqiter
3 Processing of input data and results

kiter et x1iter , x2iter ,..., xqiter

no
iter greater
iter iter 1 than maximum
number of
iteration ?

End of simulation
Figure 7 : Structure of the Monte Carlo method

The maximum number of iterations depends on the confidence level that is requested for the
correction factor. The results of the individual evaluations of the model are then aggregated in order to
produce the statistical distribution of parameter k. In case of several speed ranges with different
deceleration values, the previous method needs to be repeated separately on each speed range.

Determination of the correction factor Kdry_rst

The next step consists in processing the statistical distribution of k in order to extract the correction
factor values Kdry_rst for each requested confidence level. From a probabilistic point of view,
Kdry_rst is defined as the value, such as the probability to have a value of k greater or equal is EBCL.
Mathematically, this can be expressed by following equations, with probabilities or with the cumulative
distribution function Fk:

P k K dry _ rst EBCL

or
F Kdry _ rst 1 EBCL
k

The last equation can be used to determine graphically Kdry_rst. On the representation of the
cumulative distribution function of Figure 8, the correction factor is directly the value that corresponds
to the value 1-EBCL.The results are synthesized in a table, indicating the correction factor values in
function of the speed range and the confidence value, according to the template of Figure 9:
 Challenge H: For an even safer and more secure railway

Cumulative distribution
function Fk
Probability

1-EBCL

Correction
Factor
Kdry_rst

Figure 8 : Graphical determination of Kdry_rst

Confidence level EBCL (in %)

90 EBCL 99,9999999
[0;V1] k1,1 k1,j k1,9
Speed Range

(in km/h)

[Vi;Vi+1] ki,1 Kdry_rst ki,9

[Vn;Vmax] kn,1 kn,j kn,9

Figure 9 : Correction factor values versus speed range and confidence level

4.2.3. Implementation of the tool

The software developed by the SNCF Rolling Stock Engineering Center integrates the numerical
Monte Carlo method and was specially designed to facilitate the computation of the correction factor.
Figure 10 corresponds to the welcome screen of the software and gives an overview of the different
functions that are available. A flexible and graphical user interface has been created to simplify the
functional description of the train and to guide the user in the definition of the different input
parameters. An example of user interface is provided on Figure 11. The possibility of saving input
parameters corresponding to a given train has also been added, in order to enrich a rolling stock
database containing all the parameters. The core of the software is composed of the numerical
algorithm and uses the parameters provided by the user as input. The program was specially written
to be able to run in parallel and to increase the performance. In addition, the software has been
installed on a scientific workstation with memory space specially dimensioned to manage the large
amount of data and with a parallel architecture to accelerate as much as possible the iterations of the
algorithm.
 Challenge H: For an even safer and more secure railway

Figure 10 : Main screen of the statistical correction factor calculation tool

Figure 11 : User interface to describe the input parameters

4.2.4. Application to safety margin computation and optimization

This method has been applied to multiple existing rolling stock including regional trains and high
speed trains. Different European Railway Undertakings have asked for the computation of correction
factors with this method in the frame of the contract concluded with the European Railway Agency. It
has the advantage of providing safety margins that correspond to the braking architecture of the train,
by taking into account the contribution and the specificity of each braking unit implemented. For
instance, the contribution of the electro-dynamic brakes, which were often not taken into account in
the computation of the emergency braking performance because they were not considered safe
enough, can now be incorporated in both the nominal emergency brake deceleration and the
correction factor. This offers the possibility to obtain a higher guaranteed deceleration than the one
without the contribution of the electro-dynamic brakes, even with a relatively high failure rate of the
electro-dynamic brakes.
 Challenge H: For an even safer and more secure railway

The relevancy of the model and of the quantification of physical parameters can be checked with a
sensitivity analysis: the sources of dispersion are ranked and the variables that need a refinement in
the distribution description step are identified. As a consequence, the procedure is not necessarily
restricted to a single step but includes several loops until the convergence is guaranteed.

The method is useful also during the design phase of the rolling stock, as a prediction tool to estimate
the performance of the braking architecture. It gives indications about the impact of the braking
architecture on performance. It can lead for instance to equip the train with additional elements to get
time intervals below critical thresholds.

To illustrate this last point, the method is applied to a general 3 cars train architecture, equipped with
disc brakes on each axle and a distributor on each car. The option consisting in equipping each bogie
with a distributor is investigated. The input parameters used for this simulation correspond to general
architectures and are determined according to the expertise of the SNCF Rolling Stock Engineering
Center. The characteristics and the performance results are described in Figure 12 and Figure 13
below. Architecture B with one distributor on each bogie allows to achieve a significant increase in
performance, as proved by the computed EBI and Indication distances.

Distributor Distributor Distributor

Architecture A

Disc brakes
One distributor
on each car Bog. 1 Bog. 2 Bog. 3 Bog. 4 Bog. 5 Bog. 6
Disc Brakes Disc Brakes Disc Brakes Disc Brakes Disc Brakes Disc Brakes
Nom. Emergency
1.2 m/s
Deceleration
Max speed 160 km/h

Distr. Distr. Distr. Distr. Distr. Distr.

Architecture B

Disc brakes
One distributor Bog. 1 Bog. 2 Bog. 3 Bog. 4 Bog. 5 Bog. 6
on each bogie Disc Brakes Disc Brakes Disc Brakes Disc Brakes Disc Brakes Disc Brakes

Nom. Emergency
1.2 m/s
Deceleration
Max speed 160 km/h
Figure 12 : Characteristics of architectures A and B

Architecture A Architecture B
nominal 1,2 m/s 1,2 m/s

safe(10-9) 0,70 m/s 0,86 m/s

safe(10-6) 0,80 m/s 0,97 m/s
-9
EBI(10 ) at Vmax 1570 m 1310 m
-6
EBI(10 ) at Vmax 1390 m 1180 m
-9
IND(10 ) at Vmax 1970 m 1710 m
-6
IND(10 ) at Vmax 1790 m 1580 m
Figure 13 : Results of Architectures A & B
 Challenge H: For an even safer and more secure railway

5. Conclusion
The approach presented in this document, based on the correction factor structure established by the
European Railway Agency (ERA), allows to optimize the performance of the signaling system and to
respect at the same time the safety target. The first step consists in the allocation of the safety target
to the Emergency Brake Deceleration curve (EBD) by taking into account trackside margins. The
computation of the rolling stock correction factor with the probabilistic Monte Carlo method which
incorporates all the characteristics of the braking architecture is another way to optimize the system.
With this method, the constant fixed margins often used for classical signaling can be replaced by a
set of correction factors particular to each rolling stock architecture or / trackside design. An
application of the method to the design phase is also shown to pre-determine the performance of
specific braking architectures. Further work has to be done in the statistical modeling, especially for
innovative braking systems.

6. Bibliography
[1] "ERTMS/ETCS Baseline 3 System Requirements Specification". Subset-026, Issue 3.2.0,
22/12/2010

[2] "Methodology for the safety margin calculation of the emergency brake intervention curve for
trains operated by ETCS/ERTMS". UIC B 126 / DT 414, June 2006

[3] Comparison between probabilistic mathematical safety margins calculations and operational
data. UIC B 126 /DT 421, May 2008

[4] "Monte Carlo Statistical Methods". George Casella and Christian Robert. Springer,
24/08/2005

[5] A numerical model for the probabilistic analysis of braking performance in railways. Monica
Malvezzi, Alain Bonnet, Cliff Cork, Robert Karbstein, Paolo Presciani. November 2006

7. Authors
Pierre MEYER (1)
Richard CHAVAGNAT(1)
Franck BOURGETEAU(1)

(1): SNCF, CIM/ESF - Safety Equipments and Brake Department, LE MANS - FRANCE