A Relative Operation-Based Separation Model for Safe Distances of Virtually Coupled Trains

Virtual coupling is a novel railway transport concept that allows trains to split and join on-the-fly by switching from mechanical to virtual couplers. One of the main challenges in applying virtual coupling in metro railways is to reduce the tracking distance between trains without compromising safety. This article proposes a relative operation-based train separation model to reduce the safe distance between trains. This model applies a fault tolerance principle. The principle is that the preceding train normally operates for a time interval from its last-known state before initiating an emergency brake to stop the train. A difficulty in applying the proposed model is to predict the boundary of all possible time-position trajectories of the preceding train, which is the reachability problem of a hybrid system. To solve this problem, we formalise the operation of the preceding train by a parameterized hybrid automaton. A polytope-based algorithm is then developed for computing an over-approximated reachable set of the automaton. We compare our approach with a state-of-the-art relative braking distance-based train separation model for virtual coupling on a concrete metro line in Chengdu, China, and evaluate the method with several benchmarks. The results demonstrate that the relative operation-based model substantially reduces the safe distances between trains. Compared to conventional approaches, the proposed model provides a considerable 90.7% decrease in unnecessary waiting time at railway stations for virtually coupled trains and a 4.9% increase in the capacity of the given railway lines.

control concepts, such as virtual coupling [1]. This concept entails tracked trains virtually coupled via distributed controls and vehicle-to-vehicle communication. The distance between two virtually coupled trains is much shorter than in conventional railway systems. On the one hand, virtual coupling expands the railway transportation capacity of existing networks. On the other hand, trains can split and join on-the-fly according to transport demand. Virtual coupling is a promising technique for achieving the zero capacity waste target proposed by the European Rail Research Advisory Council (ERRAC).
One of the main challenges in applying virtual coupling in metro railway transportation is reducing the distance between the tracked trains without compromising safety. A long tracking distance can make it difficult for trains to arrive simultaneously at stations, resulting in unnecessary additional waiting time at the station. This shortcoming significantly reduces the transportation capacity and service quality of metro railways.
A typical train control system in metro railways adopts an ATP-ATO control scheme, which consists of an automatic train operation (ATO) controller supervised by an automatic train protection (ATP) controller [2]. The ATO is similar to an adaptive cruise controller used in road vehicles. It performs nominal train driving actions such as speed regulation, traction and service braking. In contrast, the ATP protects a train by computing a safe distance to prevent collisions and initiating an emergency brake whenever a safe distance cannot be guaranteed. A similar control scheme has also been proposed for autonomous vehicles to guarantee safety [3].
In railways, the ATP is safety-critical and follows the fail-safe principle, i.e., the safe distance must prevent collisions even under the worst-case credible latent system failure modes. An example of the worst case is that the following train loses part of its braking capacity through equipment failure while its preceding train decelerates with an emergency brake. Existing ATP controllers of train control systems use pneumatic brake systems to perform emergency brakes. Compared to the electric braking systems used by autonomous road vehicles, a pneumatic brake system makes it harder to reduce the safe distance, for the following reasons. On the one hand, a pneumatic brake is an open-loop mechanical controller with significant control error, so the worst case of the braking performance must always be considered to ensure collision-free operation. On the other hand, once a train initiates an emergency brake, it is impossible to reduce the braking force or release the brake until the train has fully stopped; when the preceding train initiates an emergency brake, it cannot adjust the braking force even if the following train runs too close.
Reducing the safe distance between trains is a central problem in virtual coupling because the safe distance decides the smallest possible tracking distance between the trains under the ATP-ATO control scheme. In railways, the safe distance is computed by a so-called train separation model. Conventional train control systems use the absolute brake distance-based train separation (ABS) model (also known as "moving block"), where the safe distance equals the emergency braking distance of the following train plus a safety margin. Recognising that a train cannot physically stop instantly, a relative brake distance-based train separation (RBS) model has been proposed. In the RBS model, the preceding train is assumed to apply an emergency brake from its last-known state. The safe distance between two tracked trains is decided by ensuring that the trains do not collide under the worst-case stopping scenario [4]. By assuming that the trains always have the same braking performance, the safe distance simplifies to the difference of the emergency braking distances of the trains plus a safety margin [5]. Unfortunately, the safe distance computed by the RBS model is still too large for virtual coupling in metro railways. For example, considering the worst-case control errors and failures of real-world pneumatic brake systems, the safe distance between two trains is greater than 100 meters at 80 km/h even if the trains have the same braking performance. With such a considerable safe distance, it is difficult for trains to arrive simultaneously at stations. Consequently, the actual capacity gained from the concept of virtual coupling is limited.
This article addresses the need to further reduce the safe distance by defining a novel train separation model and solving it to find the required safe distance without compromising safety. The model builds mainly on the assertion that the ATP only applies an emergency brake when failures occur, and that fault propagation takes time. Therefore, it is unrealistic that an ATP applies an emergency brake instantly if there are no faults in the last-known state of the train. In this model, the preceding train is assumed to be operated by the ATO for a short time and then to apply an emergency brake initiated by the ATP. Because the model uses the relations between the operation processes of the tracked trains to compute the safe distance, we name it the relative operation-based train separation (ROS) model.
The RBS model requires the tracked trains to have the same emergency brake performance. The safe distance between the trains in an RBS model equals the difference in the braking distances of the trains. However, this safe distance cannot guarantee collision-free operation if the trains have different deceleration rates. To solve this problem, in the proposed ROS model the safe distance is decided by ensuring that all possible time-position trajectories of the trains never meet until both have fully stopped. Therefore, the boundaries of all possible time-position trajectories of the trains must be predicted. When a train is controlled with a constant braking strategy, such as an emergency brake or a more complicated deceleration profile, the boundaries of the possible time-position trajectories can be computed simply from the boundary values of the deceleration [6]. Unfortunately, predicting the preceding train is complicated when applying the fault tolerance principle. In the normal operation phase, the control input is multi-variant with discrete changes that follow ATO control rules. The maximal/minimal accelerations at each point in time are difficult to obtain, and the boundaries of the possible time-position trajectories of the train cannot be predicted from global boundary values of the control inputs (Theorem 2).
In the ROS model, the operation of the preceding train is a hybrid system, where the evolution of train positions depends on interactions of continuous (train dynamics) and discrete (changes of control inputs) components. The analysis of the behaviour boundary of a hybrid system is inherently complex. In this article, we develop a reachable set-based approach to predict the boundary of all possible time-position trajectories of the preceding train. This approach first formalises the train operation with a parameterized hybrid automaton with uncertain nonlinear switch conditions. Because the dynamics of the automaton are linear, we use a polytope-based algorithm to compute an over-approximation of the reachable set of the automaton.
We further illustrate the practicality of the proposed approach with numerical experiments. The safe distance is translated into the emergency brake intervention (EBI) speed of the following train. From the EBI speed, the target speed of the ATO controller of the following train can be obtained. We compare the method of this paper with the state-of-the-art RBS model. As demonstrated by the simulation results, the tracking distances between the trains can be reduced and the line capacity improved by applying the proposed ROS model.
The main contribution of the paper is the development of the ROS model, which reduces the safe distance between virtually coupled trains without compromising safety. In metro railways, a shorter safe distance is conducive to the simultaneous arrival of virtually coupled trains at stations. Consequently, the model reduces the unnecessary waiting time of trains at stations and improves the capacity of railway lines.
The remainder of this article is organised as follows. Section II provides a brief overview of related work. Section III introduces the preliminaries of automatic train control systems and the conventional relative brake distance-based train separation model. Section IV proposes a relative operation-based train separation model for virtual coupling. Section V develops a reachable set-based method for predicting the boundary of the time-position trajectories of the preceding train. Section VI demonstrates the proposed approach using concrete data from Chengdu Metro Line No. 8 in China. Section VII presents the conclusions and directions for future work.

A. Control Approaches for Virtual Coupling
The problem of optimising train operations has a long tradition in the railway community, including optimising operation trajectories [7], control strategies [8], [9], [10] and timetables [11], [12]. The concept of virtual coupling in railways was first proposed by Bock et al. to improve the capacity of existing railway lines [13]. In this concept, trains are no longer physically coupled; each has its own propulsion and brake systems. An advantage of virtual coupling is that trains can split and join on-the-fly to fulfil transportation needs. Chai et al. considered the time-dependent passenger demand and train loading capacities in virtual coupling. They proposed a linear programming-based approach for virtual coupling to improve line capacity and reduce congestion in metro railway networks [14]. To make the concept practicable in metro railway transportation, the distance between virtually coupled trains must be small enough for simultaneous arrival. In railways, a train control system adopts the ATP-ATO scheme. Both the ATO and the ATP controllers have been investigated for reducing the tracking distances between trains.
Using model predictive control (MPC) and its extensions to design the ATO for virtual coupling has been one of the most popular research directions in recent years. Su et al. proposed a centralized MPC for virtual coupling with a nonlinear safety equilibrium spacing policy [15]. Decentralised model predictive control methods for virtually coupled trains have been investigated, where the trajectories of the preceding trains are assumed to be predictable over a short time horizon [16], [17]. Di Meo et al. defined a coupling algorithm that considers time-varying delays in vehicle-to-vehicle communications between trains [18]. Park et al. proposed a robust gap controller based on sliding mode control [19]. Liu et al. designed a gap reference generation algorithm that allows trains to merge into the same convoy, maintain the convoy and then separate [20]. Luo et al. proposed a robust MPC approach to reduce the tracking distance between virtually coupled trains while satisfying the safety constraints of the trains [21].
The smallest possible tracking distance between trains cannot be smaller than the safe distance used by the ATP. Therefore, reducing the safe distance without compromising safety is a fundamental problem in virtual coupling. Two train separation models have been established in railways to compute the safe distance between two tracking trains [5]. The first model assumes that the preceding train stops instantly at its last-known position; it is called the absolute braking distance-based model (also known as moving block). In this model, the safe distance between tracked trains equals the emergency braking distance of the following train. The second model adopts the fact that the preceding train cannot physically stop instantly; it is called the relative brake distance-based model. In this model, the safe distance reduces to the difference in the emergency braking distances of the trains.
Ning showed that the relative brake distance-based model only prevents collisions when the preceding train has a worse braking performance than the following train [22]. A similar result was shown by Althoff et al. in the context of road vehicles [6]. Because it is impossible for two trains to always have the same emergency brake performance in practice, the conventional RBS model cannot guarantee collision-free operation in virtual coupling. Quaglietta et al. proposed a train-following model with a dynamic safety margin that considers differences in the braking performances of the tracked trains [23]. A specific braking manoeuvre has been designed for the RBS model to avoid collisions [24]. Zhao et al. proposed a more general train separation method that considers the whole braking process of the trains [4]. Their model can guarantee collision-free operation with arbitrary emergency braking performances of the tracked trains. Su et al. proposed an approach to predict the braking process of the preceding train for computing the safe distance [25]. The above models are extensions of the RBS model and assume that the preceding train applies an emergency brake. The safe distance computed by these models is still too large for virtual coupling in metro railways. To the best of our knowledge, no train separation model has yet been proposed that considers the fault tolerance time before the preceding train initiates an emergency brake.

B. Predictions of Train Operations
A central problem in applying a train separation model is predicting all possible tracked train operations.
Machine learning-based methods that apply data-driven models have been investigated for predicting the trajectories of autonomous vehicles [26]. However, because machine learning has an inherent explainability problem, a machine learning-based method cannot guarantee to predict the boundaries of train operations. Therefore, it cannot be used to compute the safe distance between trains.
Proving the correctness of a train control system with formal methods is an important research direction [27]. Runtime verification is a lightweight formal method that can predict undesired behaviours while the system is running [28]. In the following, we mainly focus on previous work on reachable set-based prediction approaches, since such work can guarantee that the boundaries of system behaviours are obtained. Hybrid automata have been proposed to formalise systems with discrete-continuous state spaces [29]. This formalism is expressive, but its reachability problem is considerably difficult to solve. Girard et al. proposed a zonotope-based approach for over-approximating the reachable set of hybrid automata with linear dynamics and guards [30]. Building on those works, Kochdumper et al. proposed an algorithm for computing intersections between nonlinear guards and reachable sets with Taylor models or polynomial zonotopes [31]. Ramdani et al. presented an interval Taylor method-based approach for computing reachable sets of hybrid systems with uncertain nonlinear monotone dynamics [32].
Various reachable set-based collision avoidance approaches have been developed by predicting the complete operations of a system. Based on the computation of reachable sets, a collision detection method for autonomous driving has been proposed for predicting possible crashes during specific trajectories [33]. Malone et al. proposed an accurate potential field generation approach for autonomous robotics based on stochastic reachable sets that considers the effects of uncertain and dynamic environments [34]. Lin et al. presented a real-time path planning algorithm for unmanned aerial vehicles (UAVs) that predicts possible collisions in the reachable region of an obstacle aircraft [35]. Zhou et al. proposed an onboard collision avoidance method that guarantees the safety of UAVs by computing the trajectories within the reachable tube [36]. Söntges et al. presented an approach for determining the optimal intervention time to mitigate and prevent collisions of intelligent vehicles by computing the over-approximation of the possible trajectories in the reachable sets [37]. Loos et al. combined hybrid system verification techniques with a wireless communication model to analyse the effectiveness of timeout values in a provably safe adaptive cruise control system [38]. Stursberg et al. used a counterexample-guided verification approach to prove the correctness of a cruise control system modelled as a hybrid automaton [39]. Xu et al. proposed a collision prediction approach for satellites with zonotope-based reachable sets, in which the satellites are simplified as cuboids to compute reachable domains and dangerous domains under uncertain motions [40]. These works focus on proving the correctness of a system. How to compute the safe distance between trains when considering the normal operations of the preceding train in virtual coupling is still an open research topic.

A. Automatic Train Control System
Due to the unpredictable driving actions and reaction time of human drivers, virtually coupled trains must be operated by automatic train control (ATC) systems to maintain a safe, small tracking distance. An ATC system adopts an automatic train protection-automatic train operation (ATP-ATO) control scheme, as shown in Fig. 1. The ATP provides fail-safe protection with the emergency brake to ensure that the tracked trains keep a safe distance. In contrast, the ATO performs automatic driving functions by applying propulsion and service brakes. A safe distance between tracked trains is transferred into a movement authority of the following train, which is the authority for the train to enter and travel through a specific section of track. An EBI speed is the maximal speed that ensures that, under all circumstances, the train will stop at or before the movement authority limit (i.e., the furthest position of the movement authority) by applying an emergency brake. It is derived from the braking curve of the train with the guaranteed emergency brake rate. The EBI speed curve is regarded as a "safe envelope" for automatic driving [41]. The ATO shall maintain the train speed below the EBI speed. If the EBI speed at the train location is exceeded, the ATP initiates an immediate emergency brake application.

B. Relative Brake Distance-Based Train Separation Model
In railways, the safe distance between two tracked trains is computed by a train separation model to guarantee collision-free operation. A relative brake distance-based separation (RBS) model has been proposed in which the safe distance between two trains equals the difference in the braking distances of the trains plus a safety margin [5]. A safety margin is an extra distance to handle the impact of other unknown factors, such as the measurement error of train position and speed and communication delays. Fig. 2 illustrates an RBS model. Let S_d be the safe distance between two tracked trains; B_p(V_p) and B_f(V_f) be the emergency brake distances of the preceding train and the following train starting from their current speeds V_p and V_f, respectively; and S_m be a safety margin. The RBS model is defined as follows.
A train separation model guarantees the collision-free property, i.e., two tracked trains are never in the same position simultaneously. The standard RBS model, as defined by (1), simplifies the train separation model by indicating that the property is satisfied if the distance between two trains is always greater than the relative emergency braking distance. Unfortunately, this simplification only holds under some ideal conditions. Ning proved that the standard RBS model can prevent collisions only if the braking performance of the preceding train is worse than or equal to the braking performance of the following train [22]. Because the ATP uses an open-loop pneumatic brake system, it is possible that the emergency brake of the following train has a smaller deceleration. This combination of braking rates must be considered in real-world train control systems. Therefore, the standard RBS model is insufficient to guarantee collision-free operation in real-world applications. Consider the following example. Let the initial speeds of two tracked trains be V_p = 17 m/sec and V_f = 22 m/sec, and the emergency brake accelerations be a_p = −0.8 m/sec² and a_f = −1.2 m/sec². Let the safety margin be S_m = 5 m. The safe distance is 26.1 m according to the RBS model. Fig. 3 shows that when the preceding train applies an emergency brake, a collision occurs even if the following train initiates an emergency brake immediately.

A. Relative Operation-Based Train Separation Model
We propose a relative operation-based separation (ROS) model to compute the safe distance for virtual coupling. In the ROS model, the safe distance between two tracked trains is decided by ensuring that when the following train applies an emergency brake, the smallest distance between the trains is greater than or equal to the safety margin under the predicted worst-case operation of the preceding train. According to the ATP-ATO control scheme, as shown in Fig. 1, the ATP computes the EBI speed from the ROS model. After that, the ATO generates its speed constraint with respect to the EBI speed.
An ATP only initiates an emergency brake upon certain failures. Because fault propagation consumes time, if the last-known status of a train does not meet any pre-condition of such a failure, it is safe to predict that the train will operate normally without triggering an emergency brake for at least a period of fault-tolerant time. According to this assertion, the ROS model applies a T fault tolerance (T-FT) principle, with T being an interval of fault-tolerant time. With this principle, the operation of the preceding train is divided into two phases. In the first phase, the train is operated normally by the ATO for T seconds. In the second phase, the train applies an emergency brake strategy in which the ATP initiates an emergency brake to stop the train. The T-FT principle is formally defined as follows.
We use the time-position state (TPS) to define the train position at some time point. Given the set R of real numbers and a time t ∈ R, a TPS D(t) represents the position of a train at time t. A time-position trajectory (TPT) D = (D(T_0), D(T_1), ..., D(T_N)) is a finite sequence of TPSs, where N is an index. A TPT represents an operational process of a train. A TPT is called complete if it indicates that the train eventually stops, i.e., a TPT D is complete if and only if
By "•" we denote the concatenation of sequences, e.g., the concatenation of sequences A and B yields a sequence A • B.
The T-FT principle is defined as follows. We illustrate the T-FT principle with the communication failure, one of the pre-conditions for triggering an emergency brake. An ATC system exchanges messages periodically with wayside and central systems while operating a train. When the ATC fails to receive a periodic message, it starts a timer and attempts to reconnect. If no message is received by the ATC continuously for a time interval, e.g., T seconds, the ATP can confirm the occurrence of a communication failure and initiate an emergency brake application. In this case, if a message was received in the last-known state of the ATC, one can predict that an emergency brake caused by communication failure will not occur within T seconds.
A time-position space D is the set of all possible complete time-position trajectories of a train under an automatic train control system.
Definition 2 (ROS model): Let D_p and D_f be the time-position spaces of the preceding train and the following train, respectively. Given a safety margin S_m, the safe distance S_d between the trains in the ROS model can be computed by solving the following problem:
An illustration of the ROS model is shown in Fig. 4. In the ROS model, the safe distance is computed by ensuring that the smallest distance between the time-position trajectories of the tracked trains is greater than or equal to the safety margin.
We prove that if the safe distance between two virtually coupled trains is computed by the ROS model, collision-free operation can be guaranteed with an arbitrary configuration of emergency brake rates of the trains.
Proposition 1: Given two tracked trains with an arbitrary configuration of emergency brake rates, if S_d is computed by the ROS model as defined in (3), then (S_p(t) − S_f(t)) ≥ S_m for all t > 0.
Proof: According to the definitions, D_p and D_f are time-position spaces that contain all possible complete time-position trajectories of the preceding train and the following train, respectively. The smallest distance between the trains therefore equals or exceeds the safety margin S_m until both trains have fully stopped.
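As an added worked example (not the paper's code), the numbers of the Fig. 3 counterexample run through both criteria: the RBS safe distance of (1), and the ROS criterion of Definition 2 and Proposition 1 with the time-position space of the preceding train reduced to a single constructed trajectory (a T-FT phase at an assumed constant service-brake acceleration, then the emergency brake). The full model takes the worst case over all reachable trajectories; trains are treated as points and the emergency brake as a constant deceleration.

```python
"""RBS safe distance versus the ROS criterion for the Fig. 3 example.

Added example, not the paper's code. Trains are points that brake with a
constant emergency-brake deceleration; the preceding train's T-FT phase is
modelled by one constructed constant acceleration (a single trajectory, not
the full time-position space of Definition 2).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Train:
    v0: float    # speed when the emergency brake starts (m/s)
    a_eb: float  # emergency brake acceleration (m/s^2, negative)

    def brake_distance(self) -> float:
        """B(V) = V^2 / (2|a|): stopping distance under constant deceleration."""
        return self.v0 ** 2 / (2.0 * -self.a_eb)

    def stop_time(self) -> float:
        return self.v0 / -self.a_eb

    def eb_position(self, t: float) -> float:
        """Distance travelled t seconds after the emergency brake starts."""
        if t >= self.stop_time():
            return self.brake_distance()
        return self.v0 * t + 0.5 * self.a_eb * t * t


def rbs_safe_distance(preceding: Train, following: Train, s_m: float) -> float:
    """Standard RBS model (1): S_d = B_f(V_f) - B_p(V_p) + S_m."""
    return following.brake_distance() - preceding.brake_distance() + s_m


def tft_position(preceding: Train, t: float, t_ft: float = 0.0,
                 a_ato: float = 0.0) -> float:
    """S_p(t) under the T-FT principle: ATO phase with constant acceleration
    a_ato (constructed stand-in for the ATO control trace) for t_ft seconds,
    then the emergency brake from the speed reached at t_ft."""
    if t < t_ft:
        return preceding.v0 * t + 0.5 * a_ato * t * t
    v1 = preceding.v0 + a_ato * t_ft
    if v1 <= 0.0:
        raise ValueError("ATO phase would stop the train; not modelled here")
    x1 = preceding.v0 * t_ft + 0.5 * a_ato * t_ft * t_ft
    return x1 + Train(v1, preceding.a_eb).eb_position(t - t_ft)


def tft_stop_time(preceding: Train, t_ft: float = 0.0, a_ato: float = 0.0) -> float:
    v1 = preceding.v0 + a_ato * t_ft
    return t_ft + Train(v1, preceding.a_eb).stop_time()


def min_gap(preceding: Train, following: Train, s_d: float,
            t_ft: float = 0.0, a_ato: float = 0.0, dt: float = 0.01) -> float:
    """min_t (S_p(t) - S_f(t)) with the preceding train s_d metres ahead at
    t = 0 and the following train braking from t = 0, sampled until both
    trains stand still. A negative value means the trajectories cross."""
    horizon = max(tft_stop_time(preceding, t_ft, a_ato), following.stop_time())
    steps = int(horizon / dt) + 2
    return min(s_d + tft_position(preceding, k * dt, t_ft, a_ato)
               - following.eb_position(k * dt) for k in range(steps))


def ros_safe_distance(preceding: Train, following: Train, s_m: float,
                      t_ft: float = 0.0, a_ato: float = 0.0, dt: float = 0.01) -> float:
    """Smallest S_d with S_p(t) - S_f(t) >= S_m for all t (Proposition 1),
    for this one preceding-train trajectory: S_m + max(0, max_t (S_f - S_p))."""
    return s_m - min(min_gap(preceding, following, 0.0, t_ft, a_ato, dt), 0.0)


if __name__ == "__main__":
    # Fig. 3 example: V_p = 17, V_f = 22, a_p = -0.8, a_f = -1.2, S_m = 5.
    p, f, s_m = Train(17.0, -0.8), Train(22.0, -1.2), 5.0
    rbs = rbs_safe_distance(p, f, s_m)   # closed form gives 26.04 m; the text reports 26.1 m
    print(f"RBS safe distance: {rbs:.2f} m, minimum gap: {min_gap(p, f, rbs):.2f} m")
    ros0 = ros_safe_distance(p, f, s_m)
    print(f"ROS (T = 0): {ros0:.2f} m, minimum gap: {min_gap(p, f, ros0):.2f} m")
    # T-FT phase: 6 s of ATO service braking at -0.6 m/s^2 (constructed), then emergency brake.
    ros6 = ros_safe_distance(p, f, s_m, t_ft=6.0, a_ato=-0.6)
    print(f"ROS (T = 6 s): {ros6:.2f} m, minimum gap: "
          f"{min_gap(p, f, ros6, t_ft=6.0, a_ato=-0.6):.2f} m")
```

With the RBS distance the minimum gap is negative (the collision of Fig. 3), while the ROS distance keeps the gap at exactly S_m; the T-FT phase lowers the required distance because the preceding train keeps moving instead of braking at once.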
One of the main challenges in the ROS model is predicting the time-position spaces (i.e., all possible TPTs) of the tracked trains.

B. The Time-Position Space of Preceding Train
With the T-FT principle, the ATO behaviour of the preceding train must be considered when predicting the time-position space of the train. An ATO system can choose different control strategies by considering operation efficiency, energy savings, passenger comfort, etc. This article considers a typical strategy in which the train operation process between two stations is divided into three phases: departure, cruising and arrival. The ATO target speed in the first two phases is derived from the EBI speed, whereas in the third phase it is computed according to the intended stopping position. During the departure phase, the train accelerates with its maximum propulsion until it reaches the target speed. During cruising, the ATO system ensures that the train operates at the target speed. During the arrival phase, the ATO applies a programmed stopping process. An ATO system applies the following adjustment inhibition strategy (AIS) to avoid frequent control adjustments: once the ATO system is in either the propulsion or the brake status, it stays in that status for a time interval before switching to the other status.
Let a control u ∈ R be the acceleration of a train. A control trace u = (u_0, ..., u_N) is defined as a sequence of controls. Given an integer K, the set R^K contains all control traces of length K over R. Given integers K_1 and K_2, we denote by T_Δ and [T_Δ K_1, T_Δ K_2] the control cycle and the time interval of the AIS, respectively. An ATO control space contains all possible control traces that conform to the ATC operation logic.
Definition 3 (ATO control space): Let V^i_Tar be the ATO target speed at the i-th position in a control trace, and A_P and A_B be the ranges of accelerations of propulsion and service brake, respectively. The ATO control space U_O is the set of all possible ATO control traces as follows.
We denote by D̄ the last TPS of D = (D(T_0), ..., D(T_n)), i.e., D̄ = D(T_n). Given a control trace u = (a_PT, ..., a_PT) with a_PT being the emergency brake acceleration of the preceding train, and the last-known TPS D(T_0) of the preceding train, the time-position space D_p of the preceding train in the ROS model with the T-FT principle is as follows.
Intuitively, the subsequence D_1 specifies the normal operation phase, controlled by the ATO under the T-FT principle, whereas the remaining subsequence represents the emergency brake phase.
Due to unmodelled dynamics and mismatched parameters, the ROS model contains uncertainties in parameters and control traces. When the time value T of the T-FT principle is greater than 0 sec, the boundaries of the time-position space cannot be computed from the boundary values of the accelerations. Because the ATC operations follow specific logical rules, the possible accelerations at each time point are multi-variant and challenging to obtain. We prove that using the global acceleration boundaries of an ATO cannot cover all possible TPTs of a train. Proof: According to the T-FT principle, the train operation trajectory is as follows. The ATO system controls the train for T seconds. After T seconds, the ATP system immediately initiates the emergency brake, and the train then moves with its maximum emergency brake acceleration until it fully stops. Without loss of generality, we use the following parameters in the proof: the ATO target speed is 20 m/sec; the upper and lower boundaries of the propulsion acceleration are 1.0 m/sec² and 0.4 m/sec², respectively; the upper and lower boundaries of the service brake acceleration are −0.3 m/sec² and −0.6 m/sec², respectively; the time duration of the adjustment inhibition strategy is set to be between 5 and 12 control cycles; the control period is 0.2 sec; the acceleration of the emergency brake is −1.2 m/sec²; and the time duration of the T-FT principle is 6 seconds.
Let the initial train speed be 18.5 m/s. Simulations according to the boundaries of the parameters (PCS-BA) suggest that the complete time-position trajectories lie in the grey area shown in Fig. 5. However, there are possible operations in which the train stops faster than the simulation results suggest. For example, one counterexample is that the propulsion acceleration is 0.75 m/sec², the service brake acceleration is −0.5 m/sec², and the time duration of the adjustment inhibition strategy is 7 control cycles. The resulting TPT D_o is indicated by the red line in Fig. 5. There exists T > 0 such that D_o(T) is smaller than any TPS in the grey area at the same time. If T = 0, the counterexample D_o does not exist, because the train then has a constant deceleration.

C. The Time-Position Space of the Following Train
The following train in the ROS model implements an emergency brake. Therefore, the time-position space of the following train can be predicted by using the boundary acceleration of the emergency brake. The worst case of establishing an emergency brake is the safe braking model [42], in which the braking process is divided into four components: (A) propulsion disabled, (B) coasting, (C) emergency brake build-up and (D) emergency brake at the guaranteed emergency brake rate (GEBR). The acceleration a_fc(t) of the following train at time t in the ROS model is
where a_f(0) (m/sec²) is the greatest possible acceleration at the last-known state of the following train; j_dp(τ) (m/sec³) and j_eeb(τ) (m/sec³) are the derivatives of the decelerations at time τ while the propulsion is disabled and while the emergency brake is activated, respectively; a_FT (m/sec²) is the GEBR of the following train; and T_A, T_B, T_C and T_D are the time points at the end of the four components, respectively. Note that the emergency brake acceleration a_FT of the following train is allowed to differ from the emergency brake acceleration a_PT of the preceding train used in (6). Compared to the conventional RBS model, the ROS model as defined in (1) can guarantee collision-free operation with an arbitrary combination of emergency brake performances, e.g., the counterexample shown in Fig. 3. Let a_d(t) (m/sec²) be the additional acceleration at time t due to unmodelled dynamics, such as aerodynamic resistance, the gradient and curvature of the railway line, and rolling and bearing resistance. The acceleration a_f(t) of the following train at time t is
Let D(T_0) and a_FT be the last-known TPS and the largest possible emergency brake deceleration of the following train, respectively. The time-position space D_f of the following train contains all complete TPTs such that
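An added example (not the paper's code) of the four-component safe braking model above, integrated into a complete TPT of the following train. It assumes that the jerks j_dp and j_eeb are constant within their components (so a_fc ramps linearly from a_f(0) to 0 and from 0 to a_FT), that a_d is a constant, and that all numeric values are constructed.

```python
"""Four-component safe braking model of the following train.

Added example, not the paper's code. Assumptions: the jerks j_dp and j_eeb are
constant within their components, the unmodelled acceleration a_d is a
constant, and all numbers used below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SafeBrakeModel:
    a_f0: float        # a_f(0): greatest possible acceleration at the last-known state (m/s^2)
    t_a: float         # T_A: end of (A) propulsion disabled (s)
    t_b: float         # T_B: end of (B) coasting (s)
    t_c: float         # T_C: end of (C) emergency brake build-up (s)
    a_ft: float        # a_FT: guaranteed emergency brake rate, GEBR (m/s^2, negative)
    a_d: float = 0.0   # a_d: additional acceleration from unmodelled dynamics (m/s^2)

    def a_fc(self, t: float) -> float:
        """Modelled acceleration a_fc(t) over the four components A-D."""
        if t < self.t_a:                       # (A): ramp a_f0 -> 0 with constant jerk j_dp
            j_dp = -self.a_f0 / self.t_a
            return self.a_f0 + j_dp * t
        if t < self.t_b:                       # (B): coasting, no traction and no brake
            return 0.0
        if t < self.t_c:                       # (C): ramp 0 -> a_ft with constant jerk j_eeb
            j_eeb = self.a_ft / (self.t_c - self.t_b)
            return j_eeb * (t - self.t_b)
        return self.a_ft                       # (D): constant GEBR until standstill

    def a_f(self, t: float) -> float:
        """Total acceleration a_f(t) = a_fc(t) + a_d."""
        return self.a_fc(t) + self.a_d


def simulate_tpt(model: SafeBrakeModel, v0: float,
                 dt: float = 0.001, max_t: float = 600.0) -> Tuple[List[float], float]:
    """Integrate a complete TPT (D(T_0), ..., D(T_N)) from speed v0 until the
    train stands still. Returns the positions and the stopping time T_D.
    Trapezoidal integration of a_f is exact because it is piecewise linear."""
    t, v, x = 0.0, v0, 0.0
    positions = [0.0]
    a_prev = model.a_f(0.0)
    while t < max_t:
        a_next = model.a_f(t + dt)
        v_next = v + 0.5 * (a_prev + a_next) * dt
        if v_next <= 0.0:
            frac = v / (v - v_next)            # fraction of the step until v reaches 0
            x += 0.5 * v * frac * dt
            t += frac * dt
            positions.append(x)
            return positions, t
        x += 0.5 * (v + v_next) * dt
        v, a_prev, t = v_next, a_next, t + dt
        positions.append(x)
    raise RuntimeError("train did not stop within max_t seconds")


def braking_distance(model: SafeBrakeModel, v0: float) -> float:
    """Worst-case stopping distance of the following train under the model."""
    return simulate_tpt(model, v0)[0][-1]


def ideal_braking_distance(v0: float, a_ft: float) -> float:
    """B_f(V_f) as the RBS model assumes: immediate braking at the GEBR."""
    return v0 ** 2 / (2.0 * -a_ft)


if __name__ == "__main__":
    # Constructed parameters: 0.5 s propulsion cut-off, 1 s coasting, 1 s build-up.
    model = SafeBrakeModel(a_f0=0.8, t_a=0.5, t_b=1.5, t_c=2.5, a_ft=-1.2)
    d_model = braking_distance(model, 22.0)
    d_ideal = ideal_braking_distance(22.0, -1.2)
    print(f"safe braking model: {d_model:.1f} m, constant GEBR: {d_ideal:.1f} m, "
          f"extra: {d_model - d_ideal:.1f} m")
```

For these constructed values the components A to C add roughly 48 m to the stopping distance of a constant-rate brake from 22 m/s, which is why the safe distance must be derived from the full braking process rather than from a_FT alone.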

V. PREDICTING THE TIME-POSITION SPACE OF THE PRECEDING TRAIN
As shown in Proposition 2, the time-position space of the preceding train cannot be predicted from the boundary values of the accelerations of the preceding train. To overcome this problem, we propose a reachable set-based approach, i.e., computing all reachable (possible) TPSs of the preceding train from its last-known state.
In our approach, the operation process of the preceding train is first formalised as a parameterized hybrid automaton (PHA). The automaton is then instantiated by evaluating the parameters according to the last-known TPS of the train and the related railway line data. We design a polytope-based algorithm to compute an over-approximation of the reachable set of the instantiated automaton. The reachable set of the automaton covers the time-position space of the train and can therefore be used in the ROS model to guarantee collision-free operation.

A. Parameterized Hybrid Automata
We briefly present basic notions regarding parameterized hybrid automata (PHA). The dimension of a system is the number of its state variables. Given the real numbers $\mathbb{R}$, the state of a dynamic system can be modelled by a vector in $\mathbb{R}^n$, where $n$ is the dimension of the system. A hybrid automaton is a directed graph that specifies a system with discrete and continuous components. The edges of the graph denote discrete control switches, whereas the flows (ordinary differential equations, ODEs) associated with the vertices specify the continuous changes of the states of the system. A parameterized hybrid automaton is an extension of a hybrid automaton that introduces parameters, i.e., specific variables whose values stay constant while the automaton operates.
Definition 5 (Parameterized Hybrid Automata (PHA)): A parameterized hybrid automaton consists of the following components (the variable set $X$ and the parameter set $P$ are listed with Fig. 6):
• Constraints: A finite set $\Phi = \{\phi_1, \ldots, \phi_n\}$ of parametric linear constraints. A parametric constraint $\phi$ is constructed as follows, with $x \in X$ and $p \in P$:
• Valuations: A finite set $\Omega \in 2^{X \to \mathbb{R}}$ of variable valuations, each of which maps a variable to a real number.
• Flows: A finite set $F$ of flows. Each flow $f(x)$ is an ODE over the variables in $X \cup \dot{X}$ and the parameters in $P$.
• Locations: A finite set $Q$ of locations. Each location is labelled by a name (nominal) from the set $N$ and carries a flow from $F$ and an invariant from $\Phi$. An invariant constrains the legal values of the variables while the hybrid system is at that location.
• Initial: An initial pair $(\phi_0, q_0) \in \Phi \times Q$ giving the initial values of the variables and the initial location of the automaton.
• Edges: A finite set of edges that represent the control switches of the system. The switch condition of an edge is a proposition expressed by a parametric constraint from $\Phi$, and the possible discrete updates to the variables during a control switch are subsets of the valuations in $\Omega$.
Fig. 6 illustrates a PHA of a thermostat. The variable $x$ represents the temperature, and $p_1$, $p_2$ and $p_3$ are parameters of the system. The system has two control modes, on and off. The initial temperature is $x \in (18.2, p_1)$, and the temperature changes are specified by the derivatives of $x$ within the respective locations. The constraints $x < 19$ and $x > p_3$ describe the transition conditions between the control modes.

B. Train Operation Model With PHA
The train operation is formalised with a PHA $S_H$ as shown in Fig. 7. The main notations of the automaton are listed in Table I.
The locations of the automaton formalise the train control status as follows. Location Tra represents the train operating with propulsion. The flow at this location gives the dynamics of the train position, speed, local time and global time. The constraint (invariant) specifies that a train can remain at location Tra for at most $k_{TC}$ seconds according to the adjustment inhibition strategy (AIS); furthermore, the global time of the system must be less than $k_T$ seconds according to the T-FT principle, and the train speed must be less than the EBI speed. Similarly, location SB represents the train control status of the service brake. Location EBEst models the behaviour while the emergency brake is being established, where the derivative of the acceleration (jerk) is $k_{jEB}$ (m/sec³). The train remains at that location until the acceleration reaches the maximal emergency brake rate $k_{aEB}$ plus the additional acceleration. Location EB models the control status in which the train operates with its maximal emergency braking rate.

TABLE I MAIN NOTATIONS
The edges represent the discrete transitions between train controls. The edge from location Tra to SB is taken if the speed of the train is between the ATO target speed and the EBI speed, the local time is greater than or equal to $k_{TC}$ seconds and the global time is less than $k_T$ seconds. The discrete variable update $t_l := 0$ resets the local clock after the transition.
If the local time is greater than or equal to $k_{TC}$ seconds but the train speed is still below the ATO target speed, a self-transition at location Tra maintains the propulsion. If the speed of the train is greater than or equal to the EBI speed or the global time exceeds $k_T$ seconds, the emergency brake is initiated by transitioning to location EBEst. The edge from EBEst to EB is taken once the emergency brake has been established. There is no transition out of location EB: once the emergency brake has been activated, it cannot be released until the train has fully stopped. Uncertainties in the flows and switch conditions of the automaton represent unmodelled dynamics and parameter mismatches in train operations.
The PHA $S_H$ models the behaviour of the preceding train in a two-train convoy, whose operation is affected only by the movement authority and the line speed restrictions. When a convoy has more than two trains, the operations of the intermediate trains are more complicated because they are additionally affected by their own preceding trains.

C. Reachable Set Computation of the Train Operation Model
The train operation model has 5 dimensions. A train operation state (TOS) is defined as a vector $\sigma = (s, v, a, t_l, t_g) \in \mathbb{R}^5$, where $s$, $v$, $a$, $t_l$ and $t_g$ represent the train position, train speed, train acceleration, local time and global time, respectively. A TOS represents a TPS of a train and changes according to the following rules of the PHA $H$ shown in Fig. 7.
1) Discrete change: an edge instantaneously changes the control mode and the variable values. 2) Continuous change: the variable values change continuously according to the flow of a location.
A path of the hybrid automaton $H$ represents a TPT of a train modelled by $H$; it is a possible evolution of the TOS over time. By $w$ we denote a finite path of TOSs, i.e., $w = \sigma_0 \sigma_1 \ldots \sigma_n$, where for any $i \ge 0$ the relation between $\sigma_{i+1}$ and $\sigma_i$ follows one of the two rules above. We define $State(w)$ as the set of all TOSs appearing in $w$. A path $w$ reaches a TOS $\sigma$ if and only if $\sigma \in State(w)$. Let $Path(H)$ be the set of all possible paths of the hybrid automaton $H$. The reachable set of $H$ is defined as follows.
Definition 6 (Reachable Set): Given a hybrid automaton $H$ that represents train operations, the reachable set $R(H)$ of TOSs is the set such that:
Although the reachability problem of hybrid automata is undecidable in general [43], various convex set representations have been proposed to represent a segment of the reachable set of a hybrid automaton [44], [32], [45]. Because the continuous dynamics of train operations are linear, we use polytopes to represent sets of TOSs of $H$. An algorithm to compute an over-approximation of the reachable set of $H$ is as follows.
Definition 7 (Generator): Given a TOS $c \in \mathbb{R}^5$, a generator $g(c, f, \Delta T) \in \mathbb{R}^5$ yields a new TOS $c'$ according to a flow condition $f$ within a time interval $\Delta T$.
A generator $g(c, f, \Delta T) \in \mathbb{R}^5$ changes $c$ by solving the ODE $f$. Let the flows $\underline{f}$ and $\overline{f}$ be the slowest and the fastest change of the TOSs within a location, respectively. As a result, the generators $\underline{g} = g(c, \underline{f}, \Delta T)$ and $\overline{g} = g(c, \overline{f}, \Delta T)$ can be obtained. Given a vector $C = [\underline{c}, \overline{c}]$ of a TOS and generators $G = [\underline{g}, \overline{g}]$, we define a vector evolution function $B(C, G)$ as follows, where additions are made in the regular vector-addition manner.
• Case 1: $\underline{v} \le \overline{v}$ and $\underline{s} < \overline{s}$:
• Case 2: $\underline{v} > \overline{v}$ and $\underline{s} \le \overline{s}$:
• Case 3: $\underline{v} = \overline{v}$ and $\underline{s} = \overline{s}$:
Based on the initial TOS $c_0$ and a location $q$ representing the initial train control status, the reachable set of TOSs can be computed with Algorithm 1. The algorithm terminates because $H$ inevitably moves to location EB after $T$ seconds, after which the variable $v$ decreases to 0.
According to these definitions, if the parameters of the PHA $H$ cover all possible concrete data of the train dynamics and the railway lines, then the reachable set of $H$ is a superset of the time-position space of the train. The automaton is then reachset conformant to the real train control system, i.e., every possible TPT from an arbitrary TPS of the train lies in the reachable set of $H$ [46]. The guarantee is only as strong as the parameter bounds: a propulsion acceleration, brake rate or line parameter outside its assumed range means the reachable set no longer covers the real behaviour, and the conformance argument no longer applies.
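As an added example, not the paper's algorithm or code, the following Python runs a box (axis-aligned interval) version of Algorithm 1 on a simplified instance of the PHA of Fig. 7 and reads the worst-case envelope off the result. Boxes stand in for the paper's polytopes, a per-location hull merge bounds the number of boxes, all parameter values and the SB-to-Tra edge are assumptions, and the `nominal_run` helper exists only to check that a concrete run of the same automaton never falls below the computed envelope.

```python
"""Added example (not the paper's code): a box (interval) version of the
page's Algorithm 1 for the preceding train's PHA of Fig. 7 and the
worst-case envelope Sigma_pw read off the result. Parameter values, the
box representation in place of polytopes, the per-location hull merge and
the SB->Tra edge are assumptions."""
from dataclasses import dataclass, replace

DT = 0.1                                  # s, step Delta T
K_T, K_TC = 3.0, 0.5                      # s, T-FT time and adjustment-inhibition time
V_TARGET, V_EBI = 20.0, 21.0              # m/s, ATO target and EBI speed
A_PROP, A_SB = (0.3, 0.8), (-0.6, -0.4)   # m/s^2, flow ranges at Tra and SB
A_D = 0.05                                # m/s^2, +/- unmodelled dynamics on every flow
K_JEB, K_AEB = -1.0, -1.2                 # EB build-up jerk (m/s^3) and EB rate (m/s^2)
TRA, SB, EBEST, EB = "Tra", "SB", "EBEst", "EB"

@dataclass(frozen=True)
class Box:                                # intervals for s, v, a; scalar local clock
    loc: str
    t_l: float
    s: tuple
    v: tuple
    a: tuple

def hull(b1, b2):
    """Smallest box containing both; sound because it only adds behaviours."""
    iv = lambda x, y: (min(x[0], y[0]), max(x[1], y[1]))
    return Box(b1.loc, max(b1.t_l, b2.t_l), iv(b1.s, b2.s), iv(b1.v, b2.v), iv(b1.a, b2.a))

def flow(b):
    """Continuous change over one step: lower bounds follow the slowest flow,
    upper bounds the fastest (the page's Case 1 evolution)."""
    if b.loc == TRA:
        a = A_PROP
    elif b.loc == SB:
        a = A_SB
    elif b.loc == EBEST:                  # jerk-limited build-up, clipped at the EB rate
        a = tuple(max(x + K_JEB * DT, K_AEB) for x in b.a)
    else:
        a = (K_AEB, K_AEB)
    v_lo = max(b.v[0] + (a[0] - A_D) * DT, 0.0)
    v_hi = max(b.v[1] + (a[1] + A_D) * DT, 0.0)
    s = (b.s[0] + 0.5 * (b.v[0] + v_lo) * DT, b.s[1] + 0.5 * (b.v[1] + v_hi) * DT)
    return Box(b.loc, b.t_l + DT, s, (v_lo, v_hi), a)

def jumps(b, t_g):
    """Discrete change along the edges of Section V.B; staying is always kept
    (may-switch semantics), ATP-forced emergency brakes are not optional."""
    if b.loc == EB:
        return [b]
    if b.loc == EBEST:
        return [replace(b, loc=EB)] if b.a[1] <= K_AEB else [b]
    if t_g >= K_T:                        # T-FT deadline reached
        return [Box(EBEST, 0.0, b.s, b.v, b.a)]
    out = []
    if b.v[1] >= V_EBI:                   # the overspeed part of the box must brake
        out.append(Box(EBEST, 0.0, b.s, (max(b.v[0], V_EBI), b.v[1]), b.a))
        if b.v[0] >= V_EBI:
            return out
        b = replace(b, v=(b.v[0], V_EBI))
    out.append(b)
    if b.t_l >= K_TC:                     # AIS elapsed: ATO may switch control
        if b.loc == TRA and b.v[1] >= V_TARGET:
            out.append(Box(SB, 0.0, b.s, (max(b.v[0], V_TARGET), b.v[1]), A_SB))
        if b.loc == SB and b.v[0] <= V_TARGET:
            out.append(Box(TRA, 0.0, b.s, (b.v[0], min(b.v[1], V_TARGET)), A_PROP))
    return out

def reach(s0, v0):
    """Layers of boxes, one per global time step, from the last-known TOS
    (s0, v0) at Tra until every box is in EB and stopped."""
    layers = [[Box(TRA, 0.0, (s0, s0), (v0, v0), (0.0, 0.0))]]
    k = 0
    while not all(b.loc == EB and b.v[1] == 0.0 for b in layers[-1]):
        k += 1
        merged = {}
        for b in (j for p in layers[-1] for j in jumps(flow(p), k * DT)):
            merged[b.loc] = hull(merged[b.loc], b) if b.loc in merged else b
        layers.append(list(merged.values()))
    return layers

def worst_case_envelope(layers):
    """Sigma_pw: the smallest reachable position of the preceding train per step."""
    return [min(b.s[0] for b in boxes) for boxes in layers]

def nominal_run(s0, v0, a_tra):
    """One concrete run of the same automaton (constant Tra acceleration, no
    unmodelled dynamics, EB forced at T); must never fall below the envelope."""
    pos, s, v, a, k = [s0], s0, v0, a_tra, 0
    while v > 0.0:
        if k * DT >= K_T:
            a = max(a + K_JEB * DT, K_AEB)
        k += 1
        v_new = max(v + a * DT, 0.0)
        s, v = s + 0.5 * (v + v_new) * DT, v_new
        pos.append(s)
    return pos
```

`reach(50.0, 18.5)` starts the preceding train 50 m ahead at 18.5 m/sec; the worst-case envelope drops below any single simulation with boundary accelerations because the SB box, spawned as soon as the inhibition time has elapsed and the target speed is reachable, is kept alongside the Tra box rather than replacing it. Keeping the "stay" branch on every optional switch is what makes the result an over-approximation; the forced transitions at the EBI speed and at the T-FT deadline are the only ones that remove behaviour, and they are exactly the ATP interventions the ROS model relies on.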

D. Computing the Following Train EBI by the Reachable Sets
In virtual coupling, the ATP of the following train uses the ROS model to compute the EBI speed, which the ATO then uses as its speed constraint.
Let $R_p$ be the reachable set of TOSs of the preceding train within the ROS model. The EBI speed of the following train is computed from the worst case $\Sigma_{pw}$ of the TOSs of the preceding train, as follows:
Let $R_f(v)$ be the reachable set of the following train with initial speed $v$. The EBI speed $v_f$ of the following train is the maximal speed such that no pair of TOSs in $R_p$ and $R_f(v)$ indicates a collision, i.e.,
A switch in the ROS model is treated as a special "preceding train" whose speed is always 0. If the nearest obstacle of the following train is a switch, e.g., during joining manoeuvres, the worst-case TOSs $\Sigma_{pw}$ of this "preceding train" equal $\{(S_{swi}, t_i)\}$, with $S_{swi}$ the constant position of the switch. A speed margin between the ATO target speed and the EBI speed must be kept to avoid emergency brakes being triggered by control overshoots.

Algorithm 1: Reachable Set Computation for TOSs.
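Added example (not the paper's code) for the EBI computation of this subsection: `collision_free` checks the follower's states against the worst-case preceding states step by step, and `ebi_speed` bisects on the follower's initial speed. The worst-case preceding trajectory is a constructed stand-in for the envelope of a computed reachable set (constant speed for the fault-tolerance time, then a constant brake rate), the switch case is a single constant position, and the follower's two-phase brake model, the 10 m margin, the 1 m/sec speed margin and all numbers are assumptions.

```python
"""Added example (not the paper's code): the following train's EBI speed
obtained from a worst-case preceding trajectory by bisection, and the switch
case of Section V.D. The preceding trajectory is a constructed stand-in
(constant speed for the fault-tolerance time, then a constant brake rate) for
the envelope Sigma_pw of a reachable set; the follower's two-phase brake
model, the speed margin and all numbers are assumptions."""
DT = 0.1   # s, time step shared by both trajectories


def preceding_envelope(d0, v_p, t_ft, a_p):
    """Lowest position of the preceding train per step: d0 ahead of the follower,
    runs at v_p for t_ft seconds (T-FT principle), then brakes at a_p < 0."""
    pos, s, v, k = [d0], d0, v_p, 0
    while v > 0.0 or k * DT < t_ft:
        k += 1
        a = 0.0 if k * DT <= t_ft else a_p
        v_new = max(v + a * DT, 0.0)
        s, v = s + 0.5 * (v + v_new) * DT, v_new
        pos.append(s)
    return pos


def follower_positions(v_f, t_react, a_ft):
    """Upper bound of the follower's position from s = 0: holds v_f for t_react
    seconds (propulsion cut-off and brake build-up lumped into a delay), then
    brakes at its GEBR a_ft < 0 until standstill."""
    pos, s, v, k = [0.0], 0.0, v_f, 0
    while v > 0.0:
        k += 1
        a = 0.0 if k * DT <= t_react else a_ft
        v_new = max(v + a * DT, 0.0)
        s, v = s + 0.5 * (v + v_new) * DT, v_new
        pos.append(s)
    return pos


def collision_free(env, v_f, t_react=1.0, a_ft=-1.0, margin=10.0):
    """True iff the follower stays `margin` metres behind the worst-case
    preceding position at every step; a stopped train keeps its last position."""
    fp = follower_positions(v_f, t_react, a_ft)
    n = max(len(env), len(fp))
    env, fp = env + [env[-1]] * (n - len(env)), fp + [fp[-1]] * (n - len(fp))
    return all(f + margin <= p for f, p in zip(fp, env))


def ebi_speed(env, v_max=30.0, tol=0.01, **brake):
    """Largest v_f such that R_f(v_f) has no state in collision with the
    worst-case preceding states; bisection is valid because collision_free
    is monotone in v_f (a faster follower is everywhere further ahead)."""
    if not collision_free(env, 0.0, **brake):
        return 0.0
    lo, hi = 0.0, v_max
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if collision_free(env, mid, **brake) else (lo, mid)
    return lo


def ato_target(ebi, speed_margin=1.0):
    """ATO target kept below the EBI so a control overshoot does not trip the EB."""
    return max(ebi - speed_margin, 0.0)


# Constructed inputs: a switch ("preceding train" at speed 0) 100 m ahead, and a
# preceding train 50 m ahead running at 18.5 m/s for T = 3 s before braking.
SWITCH = [100.0]
MOVING = preceding_envelope(50.0, 18.5, 3.0, -1.2)
```

For the switch the check reduces to the follower's own stopping distance plus the margin fitting into 100 m, which gives an EBI of roughly 12.45 m/sec; for the moving train the binding constraint is again the final standstill, but the step-by-step comparison is what catches the case where the follower would close in during the preceding train's brake build-up even though both end positions are compatible.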

A. Performance of the ROS Model
We first evaluate several fundamental aspects of the proposed approach in a basic scenario. In this scenario, the virtually

1) Influence of the Value of T: Several simulations are run to analyse the minimal safe operating distances between two trains following the T-FT principle. Since a long fault tolerance time is more challenging to achieve in train control, we consider the optimal value of $T$, i.e., the time at which the safe tracking distance equals the safety margin.
The safe tracking distances for different values of $T$ with various emergency brake configurations are shown in Fig. 8(a). The optimal value of $T$ is smaller if the following train has the better brake performance and larger if the preceding train has the better brake performance; if the two trains have the same brake performance, the optimal value of $T$ lies between these two cases.
2) Safe Distances Concerning Train Speed: We analyse the safe tracking distances between virtually coupled trains at different speeds, with $T$ ranging from 0 to 4 seconds in these simulations.
When $T$ is 4 seconds, the tracking distance is the constant value of 10 m given by the predefined safety margin, the minimal possible safe tracking distance in our simulation model. When $T$ is less than 4 seconds, the tracking distances increase progressively with the train speed. When $T$ is greater than 4 seconds, the safe tracking distance equals the safety margin even for the trains with the greater speed. These results are shown in Fig. 8(b).
3) Efficiency of the Reachable Set Computation: We analyse the efficiency of the reachable set computation algorithm for different values of $T$, $\Delta T$ and the initial train speed. In these simulations, the ATO target speed is 20 m/sec.
The computation of the reachable set requires more time with a shorter time step $\Delta T$ or a larger value of $T$: a smaller $\Delta T$ gives a more accurate reachable set, and a larger $T$ allows a shorter tracking distance. Furthermore, the algorithm requires more time when the initial train speed is between 19.5 m/sec and 20.5 m/sec, because the control system performs more control switches at these initial speeds, which lie close to the ATO target speed. These results are shown in Fig. 9. We choose $\Delta T = 0.1$ because this value balances computational efficiency and accuracy.

B. Typical Metro Line Simulation Environment
The purpose of the ROS model is to reduce the safe distance between trains without compromising safety. The state-of-the-art train separation method in railways is the relative braking distance model. To guarantee collision-free operation, a standard RBS model requires that the tracked trains either have the same emergency braking performance [5] or follow a specific braking manoeuvre [24]. Zhao et al. proposed a general version of the RBS model that allows tracked trains to have an arbitrary combination of emergency braking performances [4]. Instead of considering only the braking distances of the trains, their model uses the whole time-position trajectories of the trains to compute safe distances. By RBS+ we denote Zhao's model in the comparisons in the rest of the paper.
We analyse two distinct segments of a metro railway line. In Segment I (SI), the speed limit between two adjacent stations

1) Performance of Train Operations: The initial distance between the trains in the simulations is the safety margin $S_m$. Figs. 10 and 11 show the SI and SII simulation results, respectively. Figs. 10(a) and 11(a) show that the tracked trains keep a more consistent speed with the ROS model under the test conditions. If the following train uses the RBS+ model in its ATP, its EBI speed depends on the speed of the preceding train and increases only slowly with it. As the ATO target speed must be lower than the EBI speed, it is difficult for the following train to keep a speed consistent with the preceding train. With the ROS model, the EBI speed of the following train is not restricted by the speed of the preceding train and can quickly reach the highest permitted speed of the railway line, so the ATO controller of the following train has a larger speed adjustment window. As a result, the speed of the following train is more consistent with that of the preceding train. The distances between the trains under the two models are shown in Figs. 10(b) and 11(b). The ROS model allows the virtually coupled trains to maintain a stable formation and to arrive simultaneously at the next railway station. The comparisons of the speed differences and the distances between the tracked trains are shown in Fig. 12.
2) String Stability: String stability is an important problem in virtual coupling. By $(s_R(t), v_R(t))$ we denote a constant reference trajectory tracked by the preceding train. Let $(s_L(t), v_L(t))$ and $(s_F(t), v_F(t))$ be the trajectories of the preceding (leading) train and the following train, respectively. Following [24] and [47], string stability is defined as follows. For a step change in the speed $v_L$ of the leading train at time $t = 0$, a train platoon is lead-follower string stable if there exists a constant $\alpha \in (0, 1)$ such that (16) holds. If $\Delta S(t) < 1$ for all $t > 0$, then an $\alpha \in (0, 1)$ satisfying (16) exists and the train platoon is string stable. A desired separation distance $S_{sep}$ between trains must be greater than the safe distance to guarantee collision-free operation. Because the proposed ROS model yields a smaller safe distance than the RBS+ model, string stability can be maintained with a smaller desired separation distance. As illustrated in Fig. 13, a platoon with the ROS model is string stable with a desired separation distance of $S_{sep} = 20$ m. String stability does not hold for this separation distance with the RBS+ model, because there exist some $t$ with $\Delta S(t) > 1$; the platoon with the RBS+ model is string stable only when $S_{sep} \ge 93$ m.

C. Real Metro Line Simulation Environment
We validate the proposed ROS model on a simulation platform built with digital twin techniques. The platform models a real-world physical asset, the Chengdu No. 8 metro line in China. The operation of the preceding train uses actual data of the trains running on the line, while the following train is modelled digitally. The ATP of the following train applies the ROS model and the compared models to compute the EBI speed, and the ATO regulates and controls the train speed accordingly.
In the simulations, the initial speed of both trains is 0 m/sec, and the initial distance between the trains is the safety margin $S_m = 10$ metres. The dwell time of the virtual coupling at every station is 30 seconds: the first-stopped train can depart only after the second-stopped train has stopped for 30 seconds in the station. Fig. 14 compares the train operation trajectories under the ROS and the conventional RBS+ model. Fig. 14(a) demonstrates that ROS provides a higher EBI speed for the following train and therefore maintains a much more consistent speed between the trains. Fig. 14(b) shows that, because of the lower EBI speed and the larger speed difference under the RBS+ model, the following train arrives at the stations significantly later than the preceding train. This disadvantage does not appear with the ROS model, where the following train has a high enough EBI speed to keep a speed consistent with the preceding train, so the trains arrive at the stations almost simultaneously. Fig. 14(c) shows the distances between the trains with ROS and RBS+, and Fig. 14(d) the speed differences between the trains. The results show that with the ROS model in the following train, the tracked trains keep more consistent speeds and closer distances during virtual coupling operations without compromising safety, which could benefit the capacity of the railway line. The total operation time within the six tested railway sections is 803.4 seconds with the RBS+ model, whereas the ROS model reduces it to 765.6 seconds. The operation time of a non-virtual-coupling train (i.e., a conventional CBTC train) within these sections is 761.6 seconds. A train platoon with the RBS+ model thus incurs an extra operation time of 41.8 seconds due to the speed inconsistency of the trains; this drops to 3.9 seconds with the ROS model. The ROS model

Fig. 3. Counter-example showing that the RBS model cannot guarantee collision-free operation.

Definition 1 (T fault tolerance principle (T-FT principle)): Let $D$ be a complete TPT of the preceding train in virtual coupling with $D = D_1 \cdot D_2$. If the train applies the T-FT principle, then $D_1 = (D(T_0), \ldots, D(T_N))$ is a normal-operation (ATO-controlled) TPT with $T_N - T_0 = T$, and $D_2$ is an emergency brake (ATP-controlled) TPT.
If we define the solution of the model $f(D(T), u)$ as the TPS at time $T + T_\Delta$ reached from $D(T)$ under a control $u$, then $f(D(T_0), u)$ is a TPT (i.e., a sequence of time-position states) starting from $D(T_0)$ under a control trace $u$ such that
$$f(D(T_0), u) = (D(T_0), D(T_1), \ldots, D(T_n)) \qquad (4)$$
where $\forall i \in [1, n]: D(T_i) = f(D(T_{i-1}), u_{i-1})$.
Definition 4 (T-time-position space): Let $U_O^K$ be the subset of the ATO control space $U_O$ containing all control traces, i.e., $U_O^K \subset U_O$, each of which has length $K$ with $K = T / T_\Delta$. The T-time-position space $D_T(D(T_0))$ is the set of all possible TPTs starting from $D(T_0)$ within $T$ seconds such that

Proposition 2: Let $D_1, \ldots, D_N$ be the complete TPTs of the preceding train in the ROS model obtained by simulations with the boundary values of the accelerations. If $T > 0$, then there exists a complete TPT $D_o \in D_p$ and a point of time $T$ such that $D_o(T) < \min(D_1(T), \ldots, D_N(T))$, where $D_o(T) \in D_o$ and $D_i(T) \in D_i$ for $i \in [1, N]$.

Fig. 6. Example of a PHA modelling a thermostat.
• Variables: A finite set $X = \{x_1, \ldots, x_n\}$ of real-valued variables. By $\dot{X} = \{\dot{x}_1, \ldots, \dot{x}_n\}$ we denote the set of first derivatives of the variables during a continuous change, and by $X' = \{x'_1, \ldots, x'_n\}$ the set of their values at the conclusion of a discrete change.
• Parameters: A finite set $P = \{p_1, \ldots, p_n\}$ of real-valued parameters, where $\forall p_i \in P: \dot{p}_i = 0$.
By $[[\underline{x}, \overline{x}]]$ we denote the set of all points in the vector $[\underline{x}, \overline{x}]$. The polytope representing an over-approximation of the reachable set of TOSs is defined as follows.
Definition 8 (Polytope of TOSs): Given a vector $C = [\underline{c}, \overline{c}]$, generators $G = [\underline{g}, \overline{g}]$, and $C_1$ and $C_2$ obtained by solving $B(C, G) = \{C_1, C_2\}$, a polytope of TOSs $P(C, G)$ is a set such that:

Fig. 8. Safe distances concerning the parameters of the ROS model.

Fig. 12. Speed differences and distances of two virtually coupled trains.

Fig. 13. String stability of a train platoon, where the initial speed of the platoon is 22 m/sec.

Fig. 14(a) and (b) show the differences in train movements between the two train separation models.