An [email protected] project update

Posted: 21 May 2014 | | No comments yet

The openETCS® concept consists of two components: a commercial one, requesting open source licensed ETCS OBU software, plus a three-year openETCS® R&D project within the ITEA2 cluster of the EUREKA R&D framework. Now almost halfway through, the project has already reached one of its mayor milestones – providing a tools chain for formalising the ETCS system specification (SRS Subset-026), generating a reference software from the formal specification. Tools can be freely downloaded from the openETCS®website1. Activities are now concentrating on the conversion of the ‘prose’ SRS into a formalised executable model and verification and validation tasks. Klaus-Rüdiger Hase, Project Leader – openETCS at DB Netz AG, explains more.

openETCS®: the basics

The basic principles of the openETCS® concept have already been highlighted in previous publications2,3 – openETCS® is a new approach to specify, design, tender, further develop and maintain on-board units for the unified European Train Control System (ETCS) to better meet railway undertaking’s needs to equip trains in a more economical way, based on open standards on various levels, including interface definitions and Open Source Software (OSS), initiated by some major European railway operators. The openETCS® initiative is characterised by two components:

  • A commercial component, requesting for the tendering process for new ETCS On-Board Units (OBU) OSS license options for the software inside the OBU, as well as some selected tools, in order to avoid ‘Vendor Lock-in’ situations for further system maintenance and long-term support
  • A strategic component, given by an accompanying R&D project for implementing a concept called ‘Open Proofs’4 with the goal to provide three major results: a) a software development tools chain for creating the following artefacts; b) a formalised specification derived from the ETCS natural language System Requirement Specification (SRS) Subset-026, which can be directly used as an executable model of the system for direct verification of functional definitions; c) a non-vital ERTMS OBU software package generated from this formalised specification in order to be used inside a European Vital Computer (EVC) providing the sector with a vendor-neutral reference device for (laboratory) OBU or track site acceptance test purposes.

All artefacts created in the project were supposed to be licensed under an open source license, preferably the European Public License (EUPL), utilising cost sharing effects, accelerating innovation, standardising software production, improving software productivity and system security by more transparency, and in the longer run providing vendor-independent very long-term system support, securing operator’s investments.

At the time when the above-mentioned article was written, a three-year ITEA2 project within the EUREKA R&D framework with more than 30 European partners from approximately 10 EU Member States led by Deutsche Bahn was about to start, still waiting for final funding decisions.  

Project start in 2012

In early-2012 it was not yet clear which EU Member State’s funding authority would finally provide public funding according to the ITEA2 funding scheme. While project approval is centralised by the ITEA2 organisation, a EUREKA cluster for “Information Technology for European Advancement”, individual funding decisions are made on national level. The national organisations have their own agenda and therefore it took almost a year between the first positive decision made by France and the last one by Spain. The latter is worth emphasising since funding was provided despite all financial turbulences at that time. Further funding is provided by the Brussels region in Belgium and last but not least by the German Ministry of Research and Education. Up to now, all 32 partners who have signed-up for this project are still on-board. All partner and basic project information can be found on the official ITEA website5.

Despite pending funding decisions, the project was able to successfully start as scheduled on 1 July 2012 and was online2 and productive within less than three weeks thanks to an open source repository framework providing state-of-the-art Git® version control repository services provided  by GitHub®. GitHub is a hosting service providing free-of-charge hosting for open source projects but charges only for private repositories, which are not accessible to the general public6.

While the technical set-up was accomplished within a few days, the legal set-up for a fully open European R&D project was a complete novelty for an industry that never had applied open source in the past, and therefore it took almost six months to reach the current status. For this [email protected] project however, following the ‘open proofs’ philosophy, full transparency of the entire process of document and software generation was an essential goal. Even decision-making processes are public and therefore fully transparent. Therefore a completely new legal contract had to be created. In order to make sure that the open source software and open source documents can be used commercially, one aspect had to be guaranteed right from the beginning, and that is called ‘IP cleanness’. This means that all artefacts (documents, software, etc.) are using the same Intellectual Property Rights (IPR) concept and artefacts must not be ‘contaminated’ neither by elements ‘stolen’ from other closed source projects, nor other even open source items, not compatible with the project’s IPR profile and therefore potentially violating third party’s IPR.

Pioneering a fully open software project for safety critical software

Since this is most likely the first public project in the railway sector, which results will eventually be used in commercial safety critical devices, the legal liability provisions needed to be fully in-line with European legal liability and product responsibility laws. Most open source license concepts have their origin in the U.S. and therefore in almost all cases are not fully compliant with the European legal system. That has been recognised by the European Commission (EC) who had therefore already issued a first version of the ‘European Union Public License’ (EUPL7) in 2007, which was then refined as version 1.1 in 2009. The EUPL in its current state was mainly made for software in the sense of computer programmes and does not cover all aspects of documentation. However, since much of the safety work results in elaborate documentation, mainly text, but also drawings and occasionally pictures, the ‘openETCS Open License Terms’ (oOLT) are a combination of the EUPL V.1.1 and complemented by the ‘Creative Commons – by – Share Alike 3.0’ (CC-by-SA 3.08 license or so-called ‘Wikipedia License’. The latter is particularly suitable for all textual and graphical artefacts and widely used in the open source community; a lot of CC-by-SA licensed material is available on the internet that can be used within the openETCS® project.

On the other hand for all potential users of the project results, it must be simple to meet the license terms: artefacts found on the openETCS® GitHub repositories can be freely used, modified and redistributed, as long as sub-licensing is taking place under the same terms and conditions as acquired. That means the oOLT carries a so-called ‘Copy-Left’ provision, which secures the freedom of an artefact to be used for any purpose, freedom to analyse it, freedom to modify it and freedom to redistribute it, but forbids that project results are redistributed under proprietary licenses. This helps that future improvements are flowing back to the project.

Everyone can actively participate in the openETCS® project – i.e. read documents, download and try out any software and then write comments, critique, make suggestions, or provide improvements by using the ‘issue tracker’ which is an easy to use online editor on the web. The person responsible for that particular repository, usually the work package leader or task leader, has then to react in due time to those issues. The only requirement is that individuals have to register with the GitHub service and as long as their contributions do not exceed a certain volume, no special paperwork has to be processed. However, once contributed material exceeds a certain limit, usually 200 characters, contributors have to reveal their identity to the project office and need to agree in writing with the terms and conditions of this project, in order to make sure that the IPR is kept clean. Posted issues can be discussed by other parties and once they are settled, they get closed by the responsible person, but can be traced back at any time. Even formal reviews are carried out by means of the issue tracker, since it perfectly guarantees full traceability and transparency of the decision-making process.

However, not everyone is allowed to contribute directly to the repositories by modifying existing or uploading new material. Only individuals who are qualified according to CENELEC EN50128:2011 chapter ‘5.2 Personnel competence’9 are allowed to do so. Those people with such ‘write’ privileges are called ‘Committers’. Project partners, which are mostly corporations or academic organisations, have to comply with the ‘Corporate Committer Agreement’ as part of the above mentioned PCA and have to guarantee that their staff meet those requirements. However, any individual can set-up a personal repository on GitHub, separated from the openETCS® repositories and offer their contribution to Committers. The Committer has to act as a ‘Quality Gate Keeper’ who has to check the material for technical as well as IPR compliance before uploading artefacts to the openETCS® repositories. Details about the procedures are laid down in the ‘Governance’ repository and are defined in the ‘openETCS Development Procedure’ and ‘openETCS Charta’, which are all available on the openETCS repositories. In general, the openETCS projects follows closely the Eclipse® procedures, as provided by the Eclipse Foundation, the largest professional open Source Community.

All projects will eventually end and in many cases the question ‘Who takes care of the project results in the aftermath?’ is not given sufficient attention right from the beginning. For the openETCS® initiative, the ‘openETCS Foundation e.V.’ (oEF e.V.) has been founded in the legal framework of a registered association according to German Civil Code as a not-for-profit organisation to secure future utilisation and exploitation of all project results and managing the IPR. The oEF e.V. has been founded mainly by railway individuals (ATOC, DB, NS, SNCF, Trenitalia), but is open to all actively participating individuals (Committers) as well as corporations, contributing to the openETCS® project.

First results on the Tools Chain

Beside setting-up the ‘production platform’ and providing process definition and requirement documents, the first major milestone was due in January 2014 and was supposed to deliver a Tools Chain for further work. That Tools Chain will be used for converting the ETCS System Requirement Specification, namely SubSet-026 and related documents, into a formalised specification. This will be completed in a way that it represents an executable model, which then subsequently is supposed to be converted into an executable software package. The software derived from a formal specification is intended to run on a non-vital reference ETCS OBU for laboratory test purposed only, but later also for the use in regular EVC (European Vital Computers). Additional proofing tools providing verification and validation support will complete this Tools Chain.

The goal for this Tools Chain was to support a two-step formalisation approach with an initial easy to handle semi-formal model based description format and in addition a strictly formal step providing well defined syntax and semantic allowing formal proofing methods to be used for very critical functions. A code generator will convert the model into common programming languages used in safety software application, like ADA or restricted ANSI C. All those tools should support a seamless production flow (see Figure 1) delivering all intermediate as well as final artefacts in an open format, while supporting full traceability. A version management has to cover the entire creation process. Supporting all major operating systems and utilising a widely accepted modelling framework was equally requested and everything had to be at a high quality level and therefore certifiable for CENELEC EN50128:2011 SIL 4 software production AND available under OSS license term as well.

Developing all tools from scratch was not intended, since such tools can be very complex. However, since several other projects like TOPCASED10 had already developed such tools, the tools group (Work Package 7) had the task to research the open source tools ‘market’, select potential candidates for the openETCS® tools chain and compare their performance with respect to tools matureness, usability, actual distribution and acceptance in the railway signalling industry and compatibility with major platforms and operating systems. More than 20 tools had been identified and were used for converting samples of the SRS during an elaborate benchmark process. The OSS tools were also compared with closed source proprietary tools11.

For the semi-formal formalisation step all requirements could be met by selecting:

  • Git version control management system on GitHub hosting services
  • Eclipse Modelling Framework (EMF) as a platform for executing formalised models
  • SysML as modelling language, supported by the
  • Papyrus tool developed by the Eclipse eco-system
  • ProR a requirement and traceability tool supporting the ReqIF interchange format.

This set of tools basically covers all modelling work on a semi-formal level and tools are well accepted in the industry. Additional tools are available for code generation, as well as verification and validation work.

However, our further market research on tools has come to the result that for more strictly formalisation work, supporting tools for methods like the ‘B method’ are principally available under an OSS license, however a link between the SysML level and the B language level needed to be developed, and most likely exceeding our time frame set by the ITEA2 project. On the other hand, closed source tools like SCADE® for formalisation as well as code generation were available, already certified for SIL4 software production, providing open specified artefact formats, but the tool itself is only available under a proprietary software license.

Since the formalisation, code generation and implementation activities were not able to wait any longer, a compromise had to be found to accommodate further activities as defined in the ITEA2 project. Therefore, SCADE System and SCADE Suite have been selected to provide a fully operational Tools Chain immediately, which supports open formats, SysML artefacts, is compatible with Papyrus, and provides code generators.

That does not mean, that the openETCS® initiative is giving up on the ‘open proofs’ philosophy, but pragmatic reasoning had come to the conclusion that tools supporting strictly formal methods may need a few more years and intensive development work to become available under OSS licensing, allowing vendor-independent very long-term tools support. Since the software industry has already recognised this issue and e.g. has formed an industrial working group within the Eclipse eco-system under the name POLARSYS12 addressing such problems, chances are that by joining such working group a migration path from a partly open/partly closed Tools Chain to a fully open source Tools Chain can be provided within the foreseeable future. Therefore the ‘tools work package’ has put its focus on formulating a migration strategy to be used for a future follow-up project.

All open source tools can be downloaded from the ‘tools’ download section of the openETCS® website while the aforementioned closed source tools need to be obtained from the original supplier.

Beside the aforementioned SysML based Tools Chain, one openETCS® partner has provided their tool, called ‘ERTMS Formal Specs’ (EFS), utilising a ‘Domain Specific Language’ under the EUPL v.1.1 OSS license. It can be downloaded from the openETCS® repository. EFS has neither yet a link to SysML nor a code generator for embedded control system integration, but is used within the verification and validation activities, since a large portion of the SRS had already been processed with EFS.

Initial work for formalising the SRS

During the tools evaluation, certain sections of the SRS have been formalised with all tools for benchmark purposes, as so with the tools selected for the openETCS® Tools Chain. Final preparation for the formalisation work with the final choice was started in the last quarter of 2013 after the preliminary report on the final primary Tools Chain was available from work package 3.

The on-going work in the [email protected] project is now focussing on formalising and modelling with Papyrus and SCADE. 


After having contracted a first open source licence for the ICE-T (Class 411/515) ETCS OBU, the accompanying ITEA2 R&D project was successfully started in July 2012 and has reached one of its major milestones ahead of time – delivering a working Tools Chain in order to accomplish further project tasks like formalising the ETCS SRS and generating a reference software package for an OBU. The goal for a Tools Chain for supporting a semi-formal model based software development framework was fully accomplished by utilising software tools from other projects, in particular TOPCASED and Eclipse. However, a professional grade strictly formal tools set and certifiable code generators are not yet available under open source license and so a compromise had to be found to fill the gap with proprietary tools, by not compromising on quality and safety. That solution allows the project to go on, but does not mean that the larger goal for a full implementation of the open proofs concept has been given up. A migration concept is under investigation to eventually come to a fully open source licensed Tools Chain preferably in cooperation with working groups like POLARSYS, which are pursuing similar objectives.


The [email protected] project is funded by authorities in Belgium, France, Germany and Spain:


  2. European Railway Review, Volume 18 Issue 3, May 2012, Pages 30-34 – ‘openETCS: applying ‘Open Proofs’ to European Train Control
  3. Hase, Klaus-Rüdiger: “Open Proof” for Railway Safety Software – A Potential Way-out of Vendor Lock-in, Advancing to Standardization, Transparency, and Software Security; Eckehard Schnieder, Géza Tarnai (Editors); FORMS/FORMAT 2010, Tagungsband; Springer-Verlag, Berlin Hei-delberg 2011; ISBN 978-3-642-14260-4
  4. Open proofs:
  7. European Commission, IDABC: European Union Public Licence – EUPL v.1.1 Jan. 9, 2009.
  8. Creative Commons
  9. EN 50128:2011 – Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems. Preliminary Version for vote, CENELEC European Committee for Electrotechnical Standardization, Central Secr.: Rue de Stassart 35, B1050 Brussels, 06/2011.
  10. TOPCASED®: The Open Source Toolkit for Critical Systems;
  11. Details can be found in the document named: “Report on the Final Choice of the Primary Tool Chain” (“toolchain” repository, document D.7.1). All documents are available in PDF format.
  12. POLARSYS®; Eclipse Industrial Working Group:

Dr. Klaus-Rüdiger Hase has been working for Deutsche Bahn since 2002, currently at DB Netz AG in charge of the openETCS® project. Until 2007, Klaus-Rüdiger was managing DB’s regional EMU/DMU engineering group. Between 1987 and 1998 he used to work for AEG Transportation in Berlin and Pittsburgh, PA, (USA) before he became Head of R&D for on-board electronics at Knorr-Bremse AG, Munich. In 2008, Klaus-Rüdiger launched DB’s international openETCS initiative, which has resulted in 2012 in an ITEA2 project within EU’s EUREKA R&D programme.