[0001] Being able to track and determine a train's location is a critical aspect of the
latest train control systems. For example, the European Train Control System can utilise
GPS/GNSS signals as a means of determining a train's location for the purpose of monitoring/controlling
train movements. Being able to accurately locate a train is critically important to
the train control system in order to support the required SIL (Safety Integrity Level)
for the system.
[0002] However, there are increasing threats to the correct operation of GPS/GNSS systems,
ranging from jamming of the GPS/GNSS signals, to spoofing of those signals. Such threats
have consequential impacts on the operation of any devices and systems relying on
valid GPS/GNSS position data. For example, spoofed GPS/GNSS signals could originate
from a device which is faking satellite signals, in which case the fake signals would
be received by a train and then reported as valid location information to a Railway
Control Centre; alternatively a device could spoof valid GPS/GNSS coordinates or location
data in other formats, as it is relayed by a train to a Railway Control Centre, for
example over GSM-R.
[0003] Therefore, it is desirable to deploy an arrangement that can mitigate issues with
the validity of GPS/GNSS signals for train control systems that rely on valid signals
to monitor train locations and hence provide movement authority for said trains.
[0004] Known arrangements for mitigating such issues with GPS/GNSS signals include GPS/GNSS
vulnerability test systems such as described at www.orolia.com and systems to detect
GPS/GNSS spoofing, such as the Regulus Cyber "Pyramid GNSS" product.
[0005] These arrangements provide specific hardware that can be used to test the vulnerability
of GPS/GNSS devices or to detect spoofed GPS/GNSS signals. However, whilst these systems
can help determine when such spoofing occurs, or how vulnerable a device is to GPS/GNSS
signal spoofing, they cannot easily help mitigate any consequential issues on the
latest train control systems which rely on using valid GPS/GNSS signals in order to
correctly and accurately locate trains.
[0006] The present invention provides an arrangement to mitigate issues that arise from
threats to the validity of GPS/GNSS signals that are used to determine a train's location
for use in train control systems. The proposed arrangement allows a train control
system to validate by independent means a train's location that is calculated from
received GPS/GNSS signals in order to verify that the received signals are correct
and hence confirm the location of a train. A difference between the location calculated
from received GPS/GNSS signals and a location calculated by independent means may
indicate spoofing of the GPS/GNSS signals, or at least indicate their inaccuracy.
The expected location data is calculated on the basis of known departure and arrival
times of the train.
[0007] Accordingly, the present invention provides methods and/or apparatus as defined in
the appended claims.
[0008] The above, and further, objects, characteristics and advantages of the present invention
will become more apparent from the following description of certain embodiments thereof,
given by way of non-limiting examples only, with reference to the accompanying drawings,
wherein:
Fig. 1 represents a flow chart of a method according to a first embodiment of the
present invention;
Fig. 2 represents a flow chart of a method according to a second embodiment of the
present invention;
Fig. 3 represents a flow chart of an optional feature of a method according to the
present invention;
Fig. 4 represents an embodiment of the present invention, implemented as a software
module at a Railway Control Centre;
Figs. 5 and 6 illustrate respective scenarios wherein GPS/GNSS signals received by
a train are spoofed before being received by the Railway Control Centre;
Fig. 7 illustrates a scenario wherein a software module located within a Railway Control
Centre is used to sense-check received location data of a train.
[0009] Fig. 1 represents a flow chart of a method according to a first embodiment of the
present invention. At step 101, a set of calculations is performed of expected location
data, e.g. GPS/GNSS signal information, that is expected to be received by a train
as it travels along a pre-determined route defined by route data provided to the calculations.
Such calculations will be performed before the train starts on its route, and the
calculated GPS/GNSS signal information will be expected to correspond to the route
of the railway line along which the train will travel. GPS/GNSS data is received at
step 102 from satellites 103. The calculated (expected) location data 104 and the
received location data 105 are compared at step 106. The result 107 of the comparison
is sent to a decision step 108. If received GPS/GNSS signal data differs significantly
from the calculated GPS/GNSS signal information, spoofing may be suspected, or at
least the GPS/GNSS signal information should be considered erroneous. An output 109
is provided, instructing the issuance of an alarm or alert 110. The train may be halted,
and the erroneous signal may be reported to the Railway Control Centre. In some embodiments,
the expected GPS/GNSS data may be used to control the train to a place of safety,
such as the next station along its pre-determined route. If the received GPS/GNSS
signal data does not differ significantly from the calculated GPS/GNSS signal information,
no alarm or alert is issued, and the received GPS/GNSS data may be accepted as valid
at step 111.
[0010] In a method of a second embodiment, represented by a flowchart illustrated in Fig.
2, the calculations of the expected GPS/GNSS signal information for the train's route
are continuously and automatically compared with the information received by the train
as it travels along its route.
[0011] As illustrated in Fig. 2, a GPS/GNSS receiver 202 receives location data from satellites
203. The received data is supplied, either in raw form or in another appropriate format,
to a calculation of expected location data 201. That calculation uses information
defining the expected route of the train as well as current location data 205 to update
expected location data 204 in real-time.
[0012] A compare step 206 acts to compare the received location data 205, which may be in
raw GPS/GNSS format or some other appropriate format, with the predicted real-time
expected location data 204. The result 207 of the comparison 206 is sent to a decision
step 208. If the received GPS/GNSS signal data differs significantly from the calculated
expected location data 204, spoofing may be suspected, or at least the GPS/GNSS signal
information should be considered erroneous. An output 209 is provided, instructing
the issuance of an alarm or alert 210. The train may be halted, and the erroneous signal
may be reported to the Railway Control Centre. In some embodiments, the expected GPS/GNSS
data may be used to control the train to a place of safety, such as the next station
along its pre-determined route. If the received GPS/GNSS signal data does not differ
significantly from the calculated GPS/GNSS signal information, no alarm or alert is
issued, and the received GPS/GNSS data may be accepted as valid at step 211.
[0013] If a discrepancy arises whereby the received GPS/GNSS position data 205 indicates
an impossible location for the train, for example the indicated location does not
lie on a GPS/GNSS position for that railway line, spoofing may be suspected, or at
least the GPS/GNSS signal information should be considered erroneous.
[0014] A critical alarm may be raised 210 whenever such comparisons indicate that the GPS/GNSS
position of the train can no longer be trusted and a notification may be sent to the
system controlling the train movements. The train may be halted, and the erroneous signal
may be reported to the Railway Control Centre. In some embodiments, the expected GPS/GNSS
data may be used to control the train to a place of safety, such as the next station
along its pre-determined route.
[0015] In a third embodiment, represented by a flow chart shown in Fig. 3, if a discrepancy
exists between the calculated, expected GPS/GNSS signal information 304 and the
location data 305 received by the train, the compare step 306 will detect the discrepancy
and the result 307 of the comparison will be transmitted to decision step 308, which
will cause activation 309 of an alert or alarm to be issued at step 310 and will trigger
the use of an alternative system to determine the location of the train and/or to
subsequently control the train's movement, at step 312, for example by using a conventional
explicit movement authority from a signaller. Of course, if the result of the comparison
308 is that there is no significant discrepancy, the received GPS/GNSS data may be
accepted as valid, at step 311.
[0016] Optionally, the steps 101, 201 of calculating expected location data may determine
whether the position of the train calculated from received GPS/GNSS signal information
has changed by an acceptable amount from the last accepted position along the route.
The expected amount of change in position will vary, depending on the expected speed
of the train over each track section. For example, each section of track will have
an expected speed profile that will be impacted by such things as speed restrictions,
red light aspects etc; such impacts could result in the train travelling slower than
normally expected over that section of track. Such an embodiment would allow the expected
train location derived from GPS/GNSS signal information to be calculated for specific
sections of the train's route, only as and when needed. As before, if a discrepancy
is detected, a critical alarm may be raised and a notification sent to the train movement
control system. The train may be halted; the erroneous signal may be reported to the
Railway Control Centre.
[0017] As mentioned above, a Railway Control Centre may be provided, which monitors train
locations and provides movement authority, and which determines whether the GPS/GNSS information
reported by each train corresponds to the expected location for said train as it travels
along its pre-determined route. Such a Railway Control Centre may be equipped to perform
the methods of Figs. 1, 2, 3 as described above. Calculation of an expected location
of a train is based on predicted departure and arrival times at stations. If received
GPS/GNSS data reported by the train differs significantly from the calculated expected
location, spoofing may be suspected, or at least the GPS/GNSS signal information should
be considered erroneous. The train may be halted; the erroneous signal may be reported
to the Railway Control Centre. In some embodiments, the expected location may be used
to control the train to a place of safety, such as the next station along its pre-determined
route.
[0018] It will be appreciated that when determining a location as indicated by genuine received
GPS/GNSS signal information, the location accuracy of such information has a typical
limit of a few metres and said accuracy can be reduced further by such things as the
proximity of a train to structures which may block GPS/GNSS signals: buildings, bridges,
trees etc. Additionally, the errors in accuracy of GPS/GNSS signals increase as the
elevation increases, up to a factor of three as compared to horizontal accuracy. Therefore,
the present invention preferably includes provision for a margin of tolerance when
comparing a train's location derived from received data with the expected location
before a discrepancy is identified. This means that an alarm, or alert, is preferably
issued only when discrepancy between the location indicated by GPS/GNSS signals, and
the location indicated by independent means is "significant". The limits of whether
a discrepancy is "significant" may be determined empirically, using typical test scenarios.
Deviations which do not meet the threshold for being "significant" provide a margin
of tolerance which will help avoid false alarms in case of minor anomalies, to allow
for determination that a train's location calculated from GPS/GNSS data does not lie
on the track, but does lie within a tolerated distance from the track, due to interference
with GPS/GNSS signals for example as may be caused by the proximity of trees, buildings
etc.
[0019] Optionally, the margin of tolerance may be configurable such that it automatically
adjusts, based on characteristics of an expected location of the train. For example,
where the train is in a location where GPS/GNSS signals are impacted by such things
as buildings, bridges, increased elevation or similar, the margin of tolerance is
adjusted appropriately to reduce the possibility of false alarms. However, such a
margin of tolerance would have a limit, so as to avoid the arrangement of the invention
missing genuine issues with spoofing or jamming of GPS/GNSS signals that the invention
attempts to solve.
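The comparison of paragraphs [0017] to [0019] can be sketched as follows. This is an added example, not code from the original document: the route, the timetable, the tolerance values and all function names are assumptions, and the train is assumed to run at constant speed between the known departure and arrival times.

```python
import math

# Constructed sample data, not from the original document: a route in a local
# planar grid (metres) from station A (first point) to station B (last point).
ROUTE = [(0.0, 0.0), (3000.0, 0.0), (3000.0, 4000.0)]  # 7000 m in total
DEPARTURE_S = 0.0    # known departure time from station A
ARRIVAL_S = 700.0    # known arrival time at station B

# Assumed values; the text says real limits are determined empirically.
BASE_TOLERANCE_M = 15.0
MAX_TOLERANCE_M = 60.0  # upper limit, so adjustment cannot hide genuine spoofing
ENVIRONMENT_FACTOR = {"open": 1.0, "trees": 2.0, "buildings": 3.0, "bridge": 6.0}


def segment_lengths(route):
    """Length in metres of each straight section of the route."""
    return [math.hypot(x1 - x0, y1 - y0)
            for (x0, y0), (x1, y1) in zip(route, route[1:])]


def point_at_chainage(route, chainage_m):
    """Return the (x, y) point lying chainage_m metres along the route."""
    remaining = max(0.0, chainage_m)
    sections = zip(route, route[1:], segment_lengths(route))
    for (x0, y0), (x1, y1), length in sections:
        if length == 0.0:
            continue  # repeated waypoint, nothing to interpolate
        if remaining <= length:
            f = remaining / length
            return (x0 + f * (x1 - x0), y0 + f * (y1 - y0))
        remaining -= length
    return route[-1]  # past the arrival time: expected at station B


def expected_location(route, departure_s, arrival_s, now_s):
    """Expected position derived only from the departure and arrival times."""
    if arrival_s <= departure_s:
        raise ValueError("arrival must be later than departure")
    fraction = (now_s - departure_s) / (arrival_s - departure_s)
    fraction = min(1.0, max(0.0, fraction))  # clamp to the two stations
    return point_at_chainage(route, fraction * sum(segment_lengths(route)))


def margin_of_tolerance(environment):
    """Margin adjusted for local reception, never above the fixed limit."""
    factor = ENVIRONMENT_FACTOR.get(environment, 1.0)
    return min(BASE_TOLERANCE_M * factor, MAX_TOLERANCE_M)


def check_report(route, departure_s, arrival_s, now_s, reported_xy,
                 environment="open"):
    """Compare a reported position with the expected one.

    Returns (verdict, discrepancy_m, tolerance_m); the verdict is "ALARM"
    only when the discrepancy is significant, i.e. exceeds the margin.
    """
    ex, ey = expected_location(route, departure_s, arrival_s, now_s)
    discrepancy = math.hypot(reported_xy[0] - ex, reported_xy[1] - ey)
    tolerance = margin_of_tolerance(environment)
    verdict = "ALARM" if discrepancy > tolerance else "ACCEPT"
    return verdict, round(discrepancy, 1), tolerance


if __name__ == "__main__":
    # 400 s after departure the train is expected near (3000, 1000).
    print(check_report(ROUTE, DEPARTURE_S, ARRIVAL_S, 400.0, (3005.0, 1008.0)))
    print(check_report(ROUTE, DEPARTURE_S, ARRIVAL_S, 400.0, (3000.0, 1040.0)))
    print(check_report(ROUTE, DEPARTURE_S, ARRIVAL_S, 400.0, (3000.0, 1040.0),
                       environment="buildings"))
    print(check_report(ROUTE, DEPARTURE_S, ARRIVAL_S, 400.0, (3000.0, 1080.0),
                       environment="bridge"))
```

The same 40 m discrepancy raises an alarm in open country but is tolerated among buildings, while the cap keeps the margin under a bridge at 60 m so that an 80 m discrepancy is still reported.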
[0020] In certain embodiments, additional calculations can be made by the invention. For
example, a "sense check" calculation may be performed to check whether the train has
changed position from its last known location by an unrealistic amount e.g. 10 miles
(16 km) within less than 5 minutes (indicating an average speed of 120 miles per hour
(193 km/h), which may be unrealistic depending on the type of train in question).
Although a reported location of the train may be along the intended route, such a
sudden change in location may indicate an incidence of spoofing. If such a discrepancy
is found, then a separate "sense check" alarm or alert can be activated that is different
from that normally reported when a discrepancy in a train's location is determined.
[0021] Similarly, additional calculations can be made by the invention to determine whether
a train has remained at a standstill for an unusual length of time, and as previously,
a separate type of alarm or alert could be reported to highlight this discrepancy.
[0022] Discrepancies determined for a train's location by any of the described means, or
others as will be apparent to those skilled in the relevant art, can be reported to
parties having an interest in the train's position, other than the Railway Control
Centre. For example, stations, crossings, goods yards, ports, airports.
[0023] The following examples illustrate more specific embodiments of the present invention.
[0024] Fig. 4 represents an example of the invention which is implemented by a software
module 10 in the Railway Control Centre 12. In this example, the software module 10
serves in interpreting and cross-checking train position information and generating
resultant alerts. The software module receives and monitors GPS/GNSS data sent from
trains over a communication link, such as a GSM-R signal 14. The GPS/GNSS data is
received by a train 16 from satellites 18. In some embodiments, the GPS/GNSS data
is communicated directly by a train 16 to the Railway Control Centre over the communication
link 14. In other embodiments, the GPS/GNSS data is interpreted and a location calculated
by equipment on board the train 16 and the calculated location coordinates are reported
to the Railway Control Centre over the communication link 14. The software module
10 may then determine whether the reported information corresponds to that expected
for the railway line over which the train is travelling, as determined by independent
means.
[0025] The software module 10 of the embodiment of Fig. 1 may also determine whether the
train's movement has been unrealistic or whether the train has remained stationary
for an unexpected period of time: which may include either unexpectedly long periods
of time, or unexpectedly short periods of time. If a discrepancy is detected a suitable
alarm or alert is raised and any other interested parties 19 (such as stations) may
be informed of the issue with the train's reported location, for example over a GSM-R
link.
[0026] The discrepancy may indicate spoofing of GPS/GNSS data, but might also indicate a
failure in location determination.
[0027] Fig. 5 illustrates a scenario wherein GPS/GNSS signals received by a train are spoofed,
i.e. originate from a fake source 21. Tracks 20 define a region of acceptable GPS
locations, lying within a certain distance of the track, and outlined in phantom.
The dimension of the region of acceptable GPS locations in the direction perpendicular
to the track may be defined with regard to local conditions, such as tree cover or
nearby large or tall buildings.
[0028] According to this scenario, a device 21 spoofs the GPS/GNSS satellite 22, in providing
false GPS/GNSS data 24 to a train 23. Device 21 may block signals from the genuine
GPS/GNSS satellite 22, or may simply transmit false GPS/GNSS data such that it is
received at train 23 with greater amplitude than the genuine GPS/GNSS data.
[0029] Train 23 receives the false GPS/GNSS data 24 and uses this to calculate its location
23x. Since the calculated location is based on the false GPS/GNSS data, the calculated
location will be incorrect. In the illustrated example, the calculated location 23x
differs from the genuine location of the train 23 by an offset 25. The calculated,
incorrect, location 23x is then transmitted to the Railway Control Centre 12 over
a data channel 26 such as a GSM-R link. Due to the reception of spoofed GPS/GNSS data
24, the calculated location 23x which is reported, is erroneous.
[0030] A software module 10 according to the present invention within the Railway Control
Centre 12 may perform sense-checks, for example as discussed above, to determine whether
the calculated location received is located on the railway line expected for that
train. Should the received calculated location fail this sense-check, the Railway
Control Centre may raise an alarm or an alert to indicate such discrepancy to a user,
and the Railway Control Centre may also alert other parties such as stations or clients
that make use of the train's location. Further action, such as signalling to the train,
may result, as will be apparent to those skilled in the art.
[0031] Fig. 5 illustrates an example of spoofed GPS/GNSS data reported as the location of
the train; which, according to an example of the invention, is determined to be erroneous
as the reported location is detected as not lying on a track in a sense-check performed
by the Railway Control Centre.
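The on-track check of paragraphs [0027] to [0031] can be sketched as a corridor test around the track centreline. This is an added example, not code from the original document: the track geometry, the corridor half-widths and the function names are assumptions, and coordinates are taken to be already projected into a local planar grid in metres.

```python
import math

# Constructed track description, not from the original document. Each entry is
# (start_xy, end_xy, half_width_m); the half-width is the acceptable distance
# perpendicular to the track, wider where reception is assumed to be degraded.
TRACK = [
    ((0.0, 0.0), (2000.0, 0.0), 10.0),        # open country
    ((2000.0, 0.0), (2000.0, 1500.0), 30.0),  # tree cover or tall buildings
]


def distance_to_segment(p, a, b):
    """Shortest distance in metres from point p to the segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    length_sq = dx * dx + dy * dy
    if length_sq == 0.0:
        return math.hypot(px - ax, py - ay)  # degenerate segment
    # Project p onto the line and clamp the foot point to the segment ends.
    t = ((px - ax) * dx + (py - ay) * dy) / length_sq
    t = max(0.0, min(1.0, t))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def check_on_track(p, track):
    """Decide whether a reported position lies in the acceptable region.

    Returns (verdict, segment_index, offset_m). "ACCEPT" names the first
    track section whose corridor contains p; "ALARM" names the nearest
    section and how far outside the centreline the report lies.
    """
    if not track:
        raise ValueError("track description is empty")
    nearest = None
    for index, (a, b, half_width) in enumerate(track):
        offset = distance_to_segment(p, a, b)
        if offset <= half_width:
            return ("ACCEPT", index, round(offset, 1))
        if nearest is None or offset < nearest[1]:
            nearest = (index, offset)
    return ("ALARM", nearest[0], round(nearest[1], 1))


if __name__ == "__main__":
    print(check_on_track((1000.0, 6.0), TRACK))    # small offset, open country
    print(check_on_track((1000.0, 25.0), TRACK))   # 25 m off in open country
    print(check_on_track((2025.0, 700.0), TRACK))  # 25 m off beside buildings
```

A 25 m offset is rejected on the open section and accepted on the section whose corridor was widened for local conditions.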
[0032] Fig. 6 illustrates another scenario to which the present invention may be applied.
Genuine GPS/GNSS signals 30 are received by a train 23, and those GPS/GNSS signals,
or a location calculated therefrom, are sent by the train to the Railway Control Centre
12 but are intercepted en route and spoofed.
[0033] For example, as represented in Fig. 3, a genuine GPS/GNSS position is detected by
train 23, from genuine GPS/GNSS data provided by genuine satellites 22. The genuine
position data, either in the form of raw GPS/GNSS data, or as interpreted into other
formats, is transmitted by the train 23 to the Railway Control Centre 12.
[0034] However, the genuine position reported by the train 23 is intercepted en route
by a fraudulent device 31 before it reaches the Railway Control Centre. Fraudulent
device 31 sends a spoofed location to the Railway Control Centre 12 over a communication
path such as a GSM-R channel 26.
[0035] A software module 10, according to an embodiment of the present invention, within
the Railway Control Centre 12 determines that the location data received does not
indicate a position on the railway line expected for the train, using a sense check
for example as described above, and/or comparing the location data received to location
data calculated from an independent source. As the data received is deemed to be erroneous,
an alarm or an alert may be raised by the software module 10. Third parties 19 such
as stations/clients that make use of the train's location may also receive such alarms
and alerts.
[0036] Fig. 7 illustrates another scenario which may be addressed by an arrangement according
to the present invention. In this scenario, according to the present invention, a
software module 10 located within Railway Control Centre 12 is used to sense-check
received location data of a train 23 to determine whether the train appears to have
moved by an unexpectedly large distance since a previous reported location.
A genuine GPS/GNSS position is detected for a train 23, from genuine GPS/GNSS data
received from genuine satellites 22. The train 23 reports this genuine location to
the Railway Control Centre 12, either as raw GPS/GNSS data or as a calculated position
in another format.
[0037] However, next, a device 21 spoofs GPS/GNSS satellite signals to provide a new false
location 23x for the train, whose false location is reported to the Railway Control
Centre, for example over a GSM-R channel 26.
[0038] The Railway Control Centre determines that the new position 23x received is unrealistic
to represent a genuine change in position for the train 23 since the last time the
GPS/GNSS location was received by the Railway Control Centre. As illustrated, the
spoofed position 23x would represent a change in position 25 of the train. The software
module 10 in the Railway Control Centre 12 compares the distance 25 between the spoofed
position 23x and the previous genuine position 23 and considers the time elapsed between
these two position reports, to calculate an apparent average speed. Where that apparent
average speed is unrealistic for the train in question, the spoofed position 23x is
identified as erroneous. A corresponding alarm or alert may be raised by the Railway
Control Centre, to a user, to the train, to a signaller or to third parties, or any
appropriate combination.
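The "sense check" of paragraphs [0020], [0021] and [0038] can be sketched as a small stateful checker that raises its own alert types. This is an added example, not code from the original document: the class, the alert names, the speed limit and the standstill limit are assumptions, and positions are local planar coordinates in metres.

```python
import math
from dataclasses import dataclass

# Alert names are assumptions; the text only requires that they differ from
# the ordinary location-discrepancy alarm.
SPEED_ALERT = "SENSE_CHECK_UNREALISTIC_MOVEMENT"
STANDSTILL_ALERT = "SENSE_CHECK_UNEXPECTED_STANDSTILL"


@dataclass(frozen=True)
class Report:
    t_s: float  # time the position was reported, in seconds
    x_m: float
    y_m: float


def apparent_speed_mps(distance_m, elapsed_s):
    """Average speed implied by two consecutive position reports."""
    return distance_m / elapsed_s


class SenseChecker:
    def __init__(self, max_speed_mps, standstill_limit_s, still_radius_m=20.0):
        self.max_speed_mps = max_speed_mps
        self.standstill_limit_s = standstill_limit_s
        self.still_radius_m = still_radius_m  # movement below this is "stationary"
        self.last_accepted = None             # last report that passed the check
        self.still_anchor = None              # first report at the current spot

    def check(self, report):
        """Return a list of sense-check alerts raised by this report."""
        if self.last_accepted is None:
            self.last_accepted = self.still_anchor = report
            return []
        prev = self.last_accepted
        elapsed = report.t_s - prev.t_s
        if elapsed <= 0:
            raise ValueError("reports must arrive in increasing time order")
        distance = math.hypot(report.x_m - prev.x_m, report.y_m - prev.y_m)
        if apparent_speed_mps(distance, elapsed) > self.max_speed_mps:
            # Implausible jump: alert and keep the previous accepted position,
            # so the rejected report is not used as a reference afterwards.
            return [SPEED_ALERT]
        self.last_accepted = report
        anchor = self.still_anchor
        moved = math.hypot(report.x_m - anchor.x_m, report.y_m - anchor.y_m)
        if moved > self.still_radius_m:
            self.still_anchor = report  # train has moved on, restart the clock
            return []
        if report.t_s - anchor.t_s > self.standstill_limit_s:
            return [STANDSTILL_ALERT]
        return []


if __name__ == "__main__":
    # Assumed train type limited to 160 km/h, standstill limit of 10 minutes.
    checker = SenseChecker(max_speed_mps=160 / 3.6, standstill_limit_s=600)
    reports = [  # constructed sample reports
        Report(0, 0.0, 0.0),
        Report(270, 16093.0, 0.0),  # about 10 miles in 4.5 minutes
        Report(300, 9000.0, 0.0),
        Report(600, 9005.0, 0.0),
        Report(1000, 9003.0, 0.0),
    ]
    for r in reports:
        print(r, checker.check(r))
```

Measuring standstill from the first report at a spot, rather than from the previous report, means a position that creeps by a few metres per report still counts as stationary.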
[0039] Attempts to spoof GPS/GNSS data are known. For example, if attempts to spoof received
GPS/GNSS data were successful, invalid GPS/GNSS coordinates could be used when calculating
a train's location. This in turn may lead to disruptions to railway systems that rely
on being able to correctly and accurately determine said train's location. This could
result in potential safety issues depending on the use of the information received.
[0040] A system or method according to the present invention verifies that the received
GPS/GNSS coordinates for train positions are valid and genuine, or at least are plausible,
by comparison of a position based on GPS/GNSS data and reported by the train, with
reference location data derived from independent means. Expected location data is
calculated on the basis of known departure and arrival times of the train. If the
reported GPS/GNSS location data is deemed plausible, it is used by appropriate train
monitoring and control systems. Where reported GPS/GNSS location data is deemed not
plausible, an alarm or alert is raised. The reported GPS/GNSS data is not used. Associated
systems may use the reference location data derived from independent means as the
position of the train, or may cease to use location-based services.
[0041] Such plausibility checking is not done through securing or any decryption of the
signals received, although such methods may additionally be used within the scope
of the present invention, but rather the invention provides a plausibility check through
comparing reported GPS/GNSS location data with a train location calculated by independent
means. Examples of such independent means include using calculated track, or previous
train position, information. The result of such a plausibility check is to alert responsible
authorities as soon as discrepancies arise, thereby to mitigate any potential problems.
Any reported GPS/GNSS location found to be not plausible is preferably not used further
to represent the location of the train.
[0042] The present invention accordingly provides automatic detection that a train is unlikely
to be at the position it is currently reporting to the Railway Control Centre, therefore
requiring further investigation. The present invention may provide automatic detection
that a reported position would indicate a train travelling faster than the speed limit
set for the section of track it is travelling. The present invention may also provide
automatic detection that a train has been stationary for an unacceptable, or unexpected,
amount of time.
[0043] The present invention may be implemented in software running on a general purpose
digital computer. Alternatively, an application-specific digital computer may be employed,
dedicated to executing a sequence of instructions to perform a method of the present
invention, or to be an example of apparatus of the present invention. In other alternatives,
a dedicated hardware apparatus may be provided to implement a method according to
the present invention; or to be an example of apparatus of the present invention.
[0044] In the example embodiments described above, a spoof data detection arrangement provided
within a Railway Control Centre is referred to as a software module 10. This "software
module" could be implemented via a modification to the existing software running in
the control centre, or alternatively, the function of such a software module may be
provided by introducing a new tangible device that is integrated into the existing
railway control centre, such a device being responsible for detecting issues with
received GPS/GNSS data or other location data. The invention may be realised by a
new physical device in the Railway Control Centre. Although a fully hardware implementation
is possible and within the scope of the present invention, it is likely that such
a physical device would include executable software involved in determinations to
detect issues with the location data received at the Railway Control Centre.
[0045] In an example of a system employing an embodiment of the present invention, a train
is subject to automated control that is implemented on board the train itself. The
detection of an issue with the GPS/GNSS location data by such an embodiment may be
used by that system to determine how to then control the train. The system may be
arranged to respond to such detection, for example by halting the train, or lowering
its current speed etc. In alternative arrangements, the train's movements are controlled
by a system external to the train, in which case a similar indication may provide
an input to that system to allow it to determine how the train should proceed, and
suitable control may be applied to the train, either by commands to an on board train
control system, or by instructions to a signalling system.
[0046] A difference between the location calculated from received GPS/GNSS signals and a
location calculated by independent means may indicate spoofing of the GPS/GNSS signals,
or at least indicate their inaccuracy.
[0047] While the present description makes particular reference to satellite-based location
systems such as GPS or GNSS, the present invention may be applied in similar form
to arrangements based on other location services.
1. A method for detecting erroneous location data reported by a train, comprising the
steps of:
- receiving location data at a train;
- calculating expected location data by independent means;
- comparing the received location data to the expected location data;
- detecting whether the received location data differs significantly from the expected
location data;
- in response to a detected significant discrepancy between the received location
data and the expected location data, raising an alarm or alert; and,
- in response to a determination that no significant discrepancy exists between the
received location data and the expected location data, accepting the received location
data as valid;
characterised in that the expected location data is calculated on the basis of known departure and arrival
times of the train.
2. A method according to claim 1 wherein the received location data is reported to a
railway control centre, and wherein the railway control centre calculates the expected
location data and performs the step of comparing the received location data to the
expected location data.
3. A method according to any preceding claim, wherein the expected location data is calculated
on the basis of predicted train speed and time elapsed since a previous valid received
location.
4. A method according to any preceding claim, wherein the expected location data is calculated
on the basis of correspondence between a current received location data and route
data.
5. A method according to any preceding claim, wherein the expected location data is calculated
on the basis of location references other than satellite data.
6. A method according to any preceding claim wherein the step of determining that no
significant discrepancy exists itself comprises the step of defining a significant
discrepancy as one resulting in a difference between the received location data and
the expected location data greater than a margin of tolerance defined considering
proximity of the train to structures which may block satellite data.
7. A system for detecting erroneous location data reported by a train, comprising:
- a receiver (102, 202) for receiving location data at a train;
- means (10) for calculating expected location data by independent means;
- means (10) for comparing the received location data to the expected location data;
- means (10) for detecting whether the received location data differs significantly
from the expected location data; and
- means for raising an alarm or alert in response to a detected significant discrepancy
between the received location data and the expected location data;
characterised in that the expected location data is calculated on the basis of known departure and arrival
times of the train.
8. A system according to claim 7 comprising a railway control centre arranged to receive
location data and to calculate the expected location data and to perform the step
of comparing the received location data to the expected location data.