Synergies for Trains and Cars Automation in the Era of Virtual Networking

The ERTMS (European Train Management System) has been developed by the European Union (EU) to enhance safety, increase efficiency and to cross-border interoperability creating a unique solution fulfilling a standardized certification process. The ERTMS being able to automatically stop the train to overcome human errors has achieved the highest track record in terms of safety over several billion km travelled each years. GNSS positioning, bearer-independent telecoms and ATO (Automatic Train Operation) are the new features for enhancing the ERTMS in the path to fully autonomous operations. In the same period, the automotive industry has launched ambitious plans for the connected cars and autonomous driving applications are emerging as the next wave of innovation. This paper evaluates the challenges to sharing intelligent infrastructure means, by combining the strengths of the safety benchmark achieved on the rail transport with the mass production capability of the automotive industry to lower the costs. In this scenario, rail and automotive becoming tightly intertwined can get a grip in the race towards a fully automation affordable and safe, giving birth to autonomous vehicles able to travel within virtual rails as “trains” on the road. To this aim we will introduce the two test bed in Italy respectively for validating the ERTMS with GNSS positioning and public telecoms networks and for testing FCA Ducato vans to operate at SAE level 3 automation exploiting the new GALILEO and 5 G services.


Introduction
The recent progress of satellite geo-positioning technology and the emerging 5G telecom networks open the way to digitally connected ecosystems for autonomous vehicles.The multi-billion dollars investments of the car industry are an unprecedented stimulus for the research to targeting performance and cost objectives that no other transport sector "alone" could achieve.Trains equipped with the ERTMS (European Railways Train Management System) are operating with a high level of automation, ensuring the highest levels of safety and cumulating several billion km travelled yearly.The ERTMS train control system compares the speed of the train with the maximum permitted speed in the portion of the line the train in operating on, and automatically applies the train's brakes if the limit is exceeded or if the train does not stop at the prescribed location.The system is able to intervene on the braking system in case of a driver's mistake.
For this reason, the driver behavior is not considered in the safe analyses.Instead on the airplane the pilot behavior is considered in the safety assessment because he must take the control of the airplane in case the autopilot does not perform correctly.Similarly on the autonomous cars prototypes under tests the driver must be ready to intervene and to demonstrate the safety level they are just cumulating test results even though this approach is not sufficient.Instead, to overcome these limitations a Common Safety Targets (CSTs) and Common Safety Methods (CSMs) were introduced in the Railway Safety Directive (EU) 2004/49/EC [1] and 2016/798 [2] for demonstrating the compliance with the ERTMS SIL 4 safety level.In 2009 a new regulation regarding safety management has been implemented by the European Commission (EC) and the European Union Agency for Railways (ERA) to harmonise risk assessment process for the European railway industry [3].This new approach, called Common Safety Method for risk evaluation and assessment (CSM-RA), is described in the revised Commission Regulation (EU) 402/2013 [4].In the frame of the automated cars, a Study on the assessment and certification of automated vehicles has been released recently to initiate and pursue actions aimed at the development or worldwide harmonisation of technical regulations for vehicles [5].
However, control mechanisms regarding interoperability and safety assurance are still under evaluation requiring many interactions before a standard process is agreed and released.Step change innovations beyond the current state of the art are needed to transform the mobility and making it safer and affordable to mass market stimulating coordinated roadmaps and synergies [6] [7] [8].One important challenge is the ability to sharing the telecom and GNSS augmentation infrastructures that are planned for the smart roads and the autonomous trains to optimize the investments (Figure 1).In fact by combining the ERTMS principles to the connected car application is possible to create safe corridors to linking for example with autonomous minibuses the home with railways stations.
The final goal is to obtain the safety levels already achieved by the ERTMS at a

Geo-Positioning Platforms for Safety Critical Applications
A general goal of a transportation system is to achieve a defined level of traffic in a given time and safely.The RAMS process (Reliability, Availability, Maintainability and Safety) must be used to describe the confidence with which the system can guarantee the achievement of this goal and has a clear influence on the quality with which the service is delivered.Safety and Service are complementary and the right trade-off between different needs shall be assessed and tuned among different operational scenarios.Under comparable conditions in fact, a safer system means more limitations for service and vice versa.For a railway system the CENELEC 5012× and IEC 61,508 norms must be applied knowing that railways traditionally belongs to very safe transportation system with the restrictive fail-safe principle saying that safety must be maintained in case of dangerous signaling system failure, mitigated through other operational procedures.GNSS -Global Navigation Satellite System(s) has become a de-facto global source of safe positioning thanks to the aviation sector.By the year 2020, four independent constellations with global coverage will be operational bringing to some 40 satellites into view at a time.
The first edition of the recently published European Radio Navigation Plan provides an inventory of existing and emerging radio navigation systems modernization plans and detailed user requirements including those relevant to rail and road applications [9].With this abundance of satellites, it will be possible to select the "healthier" ones to get the best performance, especially in the harsh environments where the trains and cars operate.The GPS is continuously modernized, and the incoming GPS III generation will provide increased accuracy, integrity and a 4th civil frequency.The Galileo constellation with its 22 satellites launched to date and its initial operational services already "on" since December 2016 has triggered Broadcom-the world's biggest chip manufacturer to launch the first mass-market dual frequency Galileo-GPS chipset-in September 2017.
This device is able to remove ionospheric incremental delays and to mitigate multi-paths, that were, till now, the two major hazard sources when using geo-localization techniques for mobile land applications.Accuracies below 1 m will become a standard on a global footprint when combining the dual frequency feature with the Galileo's Precise Point Positioning (PPP) service.
However, in safety critical applications, like those belonging to avionics, and in safety related applications, like those related to rail and automotive, the Safety requirements are as relevant as those concerning accuracy.They are usually specified in terms of Tolerable Hazard Rate (THR) that indicates the occurrence rate the train control systems fails to stop the train at the desired location or the speed exceeds the prescribed value.For instance, the ERTMS requires a THR less or equal to 10E-9/(hours x train) which however does not indicate the frequency of occurrence of a fatality that is at least one order of magnitude lower.Thus given 20,000 trains (the number of trains actually circulating in Europe) operating 24 hours per day, every day in the year, this is equivalent to a hazard about every 6 years.Applying the same THR for the cars, on a fleet of one million vehicles operated one hour per day we obtain about one hazard every 2.7 years.Starting by these considerations the vehicle's localization function has to guarantee the same THR.
Therefore, in the design of a train localization system compliant with this requirement we considered the state of the art performance guaranteed by the SBAS augmentation systems, already developed for and certified for aviation and reasonably obtainable also with local augmentation systems.In this case, a THR of 10E−6/h for the GNSS Location Determination System (LDS) stand-alone is retained a feasible compromise between cost and performance.However, as exemplified by the fault tree shown in Figure 2, to attain an overall THR better than 10E−9/h or even than 10E−10/h, a cross-check with an independent Non-GNSS LDS (denoted in Figure 2 as Function B) has been defined in the RHINOS project [10], [11].The merit of this approach is twofold, since it first avoids to export to GNSS unnecessary and costly requirements and then to relax the requirements to non GNSS means, as those based on accelerometers, lidars, radars or other video technologies, whose a low THR has still to be proved.

From the Rail Application to the Automotive Scenario
An augmentation network has to be adopted, to achieve the required THR mitigating the hazards originated by satellite faults and by anomalous ionospheric This bi-level approach can support protection levels of 5 m with high availability in mild environments, and protection levels of 12 m in severe environments.However, these performances are not sufficient for the car automation as indicated in Figure 3 and additional features such as high accuracy positioning and digital maps become a necessary contribution from the Augmentation network.Figure 4 shows the high-level architecture of a possible telematics infrastructure serving the rail and road users [18].Its foundation relies on two pillars: 1) re-use existing and planned augmentation networks, 2) adding a second layer of augmentation tailored respectively for meeting the requirements of the rail and road applications performance.

GNSS Architecture with High Integrity & High Accuracy
The reference ERTMS architecture with its main constituents and the new ones for using the GNSS is reported in Figure 4 (see also [10]).The core train control system is enclosed into the core RBC Functions block.The RBC is responsible to issue the Movement Authority (MA) to the train on board unit indicating the speed and the distance the train is authorised to travel.The augmentation networks are external entities to the ERTMS. OBU (ERTMS-On Board Unit): it processes the raw data provided by the GNSS receivers on board on the train/vehicle, together with the augmentation messages coming from the RBC (Radio Block Center), for calculating the train position, and velocity, as well as the related confidence intervals, and whatever needed to support the train control system. RBC (ERTMS-Radio Block Center): knowing the train position, it is in charge of defining and sending the permission to proceed to specific locations with supervision of the permitted speed (also known as Movement Authority); it is also in charge of sending to the On-Board Unit the augmentation and integrity monitoring data;  Integrity Parameters: it is in charge of calculating integrity related parameters to be broadcast to the OBU for performing integrity monitoring and alarms identification; in the case of GBAS, OBU has to calculate the Protection Level (PL) to be compared with a defined alarm limit; the PL is based on the estimation of the measurements variances derived from single error variances (ionosphere, troposphere, ephemeris) as well as parameters carrying out the information about network integrity (e.g.B-values in the GBAS);  Local Atmospheric Monitoring: it implements local ionospheric monitoring for anomalies detection (e.g.high gradients and scintillations);  Measurements Corrections: it implements the generation of measurement corrections (PRC (Pseudo range Range Corrections)) and RRC (Range Rate Corrections) in case of SBAS, area corrections in the case of RTK (Real Time Kinematic) to be broadcast to the OBU;  Network Processing for High Accuracy: GBAS like performances, based on pseudo range measurements, are sufficient for meeting normal rail operation; RTK and  PPP (Precise Point Positioning) are considered as an optional feature to be developed, e.g. for track discrimination application; this block is devoted to the estimation of parameters needed for performing very accurate (e.g.RTK and PPP) positioning; it includes area corrections (e.g.VRS (Virtual Reference Station) , NRTK (Network Real Time Kinematic), etc..), precise orbit ad clocks, satellite biases, accurate STEC (Slant Total Electron Content) determination;  High QoS/Security Communication Link: to receive raw measurements from RSs and from SBAS and GNSS constellations ground services, a high QoS network is needed (e.g.RTD (Round Trip Delay < 1 s) protected by high level of security able to counteract cyber-attacks that could lead to severe disasters if directed toward a national and regional TCS;  Spoofing Detection: the developed RS can be used for implementing a national and regional spoofing attack monitoring system; it is an optional feature to be analyzed, due to the relevant damages a spoofing attack can lead to rail applications.

Verification & Test Facilities
Two complementary test bed are under construction respectively for rail (ERSAT) to certify the satellite positioning and public telecom networks in the ERTMS system and for automotive (EMERGE) to evaluating multi-constellation multi-sensors positioning means together with 5 G communications and cybersecurity platforms for vehicles with SAE level 3 automation.
Both facilities are under construction, the former with RFI (Rete Ferroviaria Italiana) that is the Italian railways operator in charge with the role of Game-Changer for validating the GNSS and public telecom in the ERTMS ecosystem [19] and the latter with a team co-ordinated by the Radiolabs consortium [20].

ERSAT-The Pinerolo Sangone Pilot Line
ERSAT is the latest generation signalling project that interfaces and integratesfor the first time in Europe-the European Rail Traffic Management System (ERTMS) with the navigation and satellite positioning technology and public telecom networks.The Pinerolo-Sangone pilot line is the first step to the validation and verification (V & V) of the GNSS within the ERTMS platform and as such it is supported by the a group of satellite and rail agencies and experts (Figure 6).In [21] this topic is analyzed in detail aiming to reach the consensus among the stake-holders, necessary to update the Technical Specifications for Interoperability of the ERTMS (TSI) for using the GNSS.

EMERGE-The Urban Test Bed for the Connecting Car Application
This initiative represents the first attempt aiming at developing and testing advanced localization, terrestrial and satellite communication and cyber security platforms for autonomous car applications exploiting the synergy with rail applications (Figure 7 and Figure 8).A Living Lab is being realized in the town of L'Aquila, one of the 5 Italian cities selected by the Ministry of Development in   The Living Lab will allow the testing of different solutions under a variety of dynamic scenarios that include a large number of vehicles as well as pedestrians, each equipped with a different set of sensors and location determination units: GNSS multiple constellation, multi-frequency receivers, RF terrestrial signal based positioning, Mechanical odometer, IMU, Visible light and IR passive Imaging systems LIDAR Visual odometer (based on LIDAR and/or visible light and IR passive Imaging systems processing), RADAR, Acoustic sensors.Two missions are envisaged respectively for daily operations and in emergency situations, both requiring a geo-fenced corridor where connected vehicles will be moving autonomously as trains on the roads.This experimentations will open the way to vehicles connecting for example the railways stations with fixed locations in the city or in general two places where in between is possible to realize geo-fenced corridors and apply the principle of the ERTMS for controlling the vehicles.

Simulation Tools and Platforms to Support the V & V Process
This section describes the VIRGILIO simulator that has been developed for assessing the GNSS performance under various augmentation architectures including different algorithms and the Digital Beam forming platform to evaluate and mitigate the risks caused by intentional interferences.

GNSS Simulator
VIRGILIO is a GNSS multi-constellation software simulator to design high integrity GNSS-based systems.It operates with hardware in the loop and can be F. Rispoli et al. connected in cloud modality to other simulators (to characterize multipath) and to test facilities (to acquire in-field tests) for an end to end simulation relevant to a specific operational environment.Figure 9 shows the simulator architecture with its constituents.VIRGILIO is configurable according to different operational scenarios in which to verify proper algorithms and settings to be tested and compared with theoretical predictions [22].The operational scenarios process both recorded and synthetic signals, in order to verify the system behavior with respect to experienced hazard causes (historical data) as well as to predicted hazard causes that may affect current and future satellite constellations.
The output is the behavior of the GNSS-Localization system in nominal and faulty conditions due to satellite and local effects including the communication channels.VIRGILIO is developed in MATLAB® and capable to process significant quantity of data and to allow a straight prototyping phase.Figure 10 shows the comparison of protection level (PL) resulting from the VIRGILIO simulations (with its algorithms) and those generated by the MAAST simulator conceived for the aviation applications from the University of Stanford and adapted for the railways scenario.The predictions with the MAAST equations described in Figure 10 and included in the VIRGILIO simulator are in good agreements with the real data gathered in a real train run [16].Looking to Figure 10, stating that the average PL is about 12 m with a THR of 10E−9/h, and to Figure 11 (ratio of the standard deviation σ LDS of the estimation error on the train mileage over the Alert Limit AL versus the THR) is possible to say that a PL of 6.3 m is reachable for a THR of 10 −6 when σ LDS = 1 m.

GNSS Interferences Mitigation
In safety relevant applications robustness and resilience of the GNSS against intentional interferences are important attributes for trusting the PVT of the on board unit and the wayside reference stations.Whereas jammers are used for denial-of-service attacks, spoofers and meaconers pose an even bigger threat, since they can intentionally lead a GNSS receiver to estimate a fake position and/or time without recognizing it.In case of trains, spoofing and meaconing are made easier to counteract because the receiver trajectory is well known in advance.Since no commercial anti spoofing and anti-meaconing solutions have been validated yet for the railway context a specific project has been launched todesigning, developing and prototyping a software digital beamforming platform coupled with advanced GNSS signal processing techniques [23].This platform (DB4Rail co-funded by a project of the European Space Agency), initially tailored to the railways operational scenarios is applicable also for the automo-   Then, in case of detection of a spoofing or a meaconing attack, the spoofing signals are spatially removed from the received signal by means of a spatial-temporal filter, with a procedure that makes joint use of CoM (Center of Mass) and TE (Total Energy) detectors:  CoM detector is designed to detect ACF deformations and non-synchronized spoofing attacks, i.e. attacks showing poor spoofer capabilities to estimate and replay a signal temporally aligned with the authentic one;  TE detector is designed to monitor the energy of the ACF, and is very sensitive to both aligned and not aligned attacks, although is especially suited for aligned attacks.These two detectors are somehow complementary and they can be used to exclude a spoofed channel from the PVT calculation.
4) The last stage, denoted in the following as Navigation stage, performs the PVT (Postion Velocity and Time) estimate, accounting for the track constraint.
At this stage, the spoofing detection and exclusion technique that uses observables is the RANSAC algorithm.That algorithm shows very smooth degradation of performance with respect to the number of spoofed satellites.This is due to the process of clustering based on "consensus".Furthermore, it identifies outliers and allows excluding them, providing a baseline mitigation strategy.In literature, it is well known that a powerful solution to provide protection against interferences is based on phased array antennas [3].For instance, CRPAs (Controlled Radiation Pattern Antenna) place nulls in the direction of the interferer, to protect the receiver from impairment, and/or maxima of the radiation patterns in the expected Direction of Arrival (DoA) of the authentic GNSS signals.
Since the total number of nulls and maxima, that can be imposed in the synthesis of the antenna diagram, cannot exceed the number of array elements minus 1, to reduce the H/W and S/W (computational) complexity, only the directions of the nulls are usually imposed.Products of this kind, like the 7-element Novatel/Qinetiq GAJT CRPA, are already available on the market, but are used for military purposes [24].A more sophisticated solution, as the one developed by the German Aerospace Center (DLR) and used within the BaSE project [25], F. Rispoli et al. [26], is based on a beamsteering that exploits the quasi-orthogonality of the GNSS signals.Furthermore, new solutions from the University of Stanford demonstrated the feasibility of a single element, dual feed antenna for anti-spoofing [27].Two 4-element and 7-element antenna array configurations have been studied (Figure 13) and for each of them the radiative and the null-steering capabilities in a single-interfering scenario have been evaluated.A null-steering algorithm is recursively applied to each configuration and for any possible arrival angle of the interfering signal, always assuming that the array keeps its radiation maximum in boresight direction (Figures 14-16).As expected, the 7-element antenna arrays exhibit a higher maximum gain and a lower average gain compared with the respective 4-element configuration.Since the desired radiation patterns should be almost isotropic for an ideal GNSS receiving antenna, the 4-element configurations should be preferred from this point of view since they could ensure a more uniform satellite visibility.A similar conclusion can be inferred also from the results reported in Figure 15, which has been obtained in the same interfering scenario described for Figure 14.
For each possible elevation angle of the interfering signal, the width of the angular windows for which the array gain on the ϕ = 0˚ plane is higher than a    The null-steering capabilities of the arrays are summarized in Figure 16.This plot reports the gain of each array configuration as the interfering signal direction changes.As can be appreciated, the 7-element arrays are able to introduce a deeper null for any possible direction of the interfering signal compared with the respective 4-element configuration.
However, the 4-element array with separation inter-element distance equal to 0.7λ exhibits good null-steering performances, being able to place a gain null lower than −5 dBi for elevation angle bigger than 20˚.
Looking forwards, the mitigation of local effects caused by the interaction of GNSS signals with the environment is a priority for land mobile applications.
Cars and Trains are the most important users and since operate in the same environment the solutions can be common to both.The rail applications have succeeded to get a grip on analysing these local effects [28] and since the effects of multipath cannot be tested in any operational scenario, the techniques described in this section might be used also for mitigating the multipath.

Conclusion and Way Forward
The ERTMS system with its common safety methods introduced in the European railway safety directives has demonstrated the compliance to the highest safety levels ever achieved for land transport means.The evolution of the ERTMS to adopting the GNSS for train positioning, without impacting the safety levels, is paving the way towards fully automated trains.While autonomous driving cars are developing new technologies mainly based on data fusion of vision-based sensors, the GNSS positioning has an important role to play in combination with those sensors to reach the high integrity levels of the rail applications.On the other hands, the multi-billion dollars investments injected by car manufacturers for the driverless car are driven the research on the frontier triggering performance and cost objectives that will be beneficial also for the rail industry that otherwise cannot achieve due to its limited market compared to the automotive.
However, significant challenges remain to validate new algorithms and the complex interaction of GNSS signals with the environment.For these reasons particular emphasis has been dedicated to develop simulation tools and risk mitigation techniques for trusting the GNSS performance in the rail operational environment.These tools can be extended to the automotive operational scenarios since the signal environment resembles the rail environment for multipath and interferences that are the main threats for the GNSS.A multimodal augmentation network serving the rail and road infrastructures has been evaluated to exploit economy of scale.In fact roads and rails networks are generally not far between each others as the case of Italy where 10,000 km of rails and roads are distant less than 1 km.
Applying the principle of the ERTMS to Connected cars is possible to create geo-fenced corridors where vehicles are driven as "trains" on the roads.To this aim important results are expected on the test beds under deployment in Italy.

Figure 2 .
Figure 2. Fault tree for high integrity requirements.

Figure 3 .
Figure 3. Target key performance indicators for autonomous car positioning.

Figure 6 .
Figure 6.Roadmap to verify and validate GNSS and public telecom on the ERTMS.

Figure 7 .
Figure 7. Innovation sharing with the EMERGE initiative.

Figure 8 .
Figure 8. EMERGEtest bed for the Connected car application.

Figure 10 .
Figure 10.PL computed by VIRGILIO using MAAST equations during a measurement campaign along Cagliari-San Gavino railway line on 6th April 2016.

Figure 11 .
Figure 11.Standard deviation of the overbounding Gaussian distribution of the train position error normalized with respect to the Alert Limit versus THR.

F
.Rispoli et al.

Figure 13 .
Figure 13.Sketch of a 4-element and 7-element planar antenna array composed by the designed circularly-polarized patch antennas.

Figure 14 .
Figure 14.(left) Maximum and (right) average gain of the four analysed array configurations.The gain has been evaluated for different arrival angle of the interfering signals.

Figure 15 .
Figure15.Width of the angular windows for which the gain on the ϕ = 0˚ plane is higher than a fixed threshold.In the left picture, the threshold is fixed at −15 dBi whereas in the right picture the threshold is fixed at −10 dBi.

Figure 16 .
Figure 16.Gain value at the interfering angle for the four different array configuration.