
A New Analytical Approach To Evaluate The Critical-Event Probability Due To Wireless

This document analyzes the impact of wireless communication errors on train control systems. It discusses different approaches to modeling wireless communication systems and their effects. The paper then develops an analytical approach to evaluate the probability of critical events occurring due to wireless communication errors in train control.

1380 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 18, NO. 6, JUNE 2017

A New Analytical Approach to Evaluate the Critical-Event Probability Due to Wireless Communication Errors in Train Control Systems
Khanh T. P. Nguyen, Julie Beugin, Marion Berbineau, and Mohamed Kassab

Abstract—Wireless communication links tend to be employed more and more in safety-critical railway applications. Their safe use in an advanced train control system (TCS) is an issue that is addressed in this paper by characterizing the TCS service interruption due to communication errors. More precisely, occurrence probabilities of single errors are first discussed. Then, we obtain probabilistic analytical expressions of several temporal conditions that lead to a TCS service interruption, here a train emergency braking (the critical event). The accuracy of this analytical approach is proved when the results are compared with those given by a simulation approach with a Petri net model. Additionally, as the use case related to the “trains’ separation” is considered in this paper, an analytical evaluation process is proposed to discuss the tolerated time margins that can be fixed to limit the critical-event occurrence probability due to the wireless communication errors.

Index Terms—Rail transportation communication, rail transportation reliability, probabilistic model, intelligent transportation systems, wireless communication errors.

I. INTRODUCTION

TRAIN control systems (TCS) are relying more and more on wireless communication systems (WCS) [1] as they improve train operations, especially by offering continuous communications between embedded and ground installations. Today, the European Train Control System (ETCS) Level 2 used for mainlines and high speed, relies on continuous exchanges via wireless cellular network known as Global System for Mobile Communications Railway (GSM-R). Communication Based Train Control (CBTC) systems used for mass transit lines, rely on wireless local area network (WLAN), IEEE 802.11x standards. In the future, among new wireless technologies, the Long Term Evolution (LTE) technology is considered as one of the promising solutions to satisfy the need to develop numerous intelligent and safe train control applications additionally to the TCS one (e.g., DAVS-Driver Assist Video System) [2]. Indeed, its architecture supports multiservice traffic and is also much less vulnerable to security threats than other wireless technologies [3]. For TCS, LTE makes possible the convergence of ETCS and CBTC systems in a unique system combining all features [4]. Besides the operation reliability and safety, the passenger comfort is also addressed by employing social network services for rail traffic applications [5]. Therefore, WCS for future railways is required to evolve from voice and signaling services to multiservice of high data rates [6]. This integration has to be realized by maintaining the current safety conditions provided today by existing TCS. This issue is addressed in this article by analyzing the impact of wireless communication errors on the TCS service interruption.

In the literature, the close relationship between WCS and TCS is generally approached in three ways. The first way, from the automation engineering domain, considers the impact of the WCS performances on the train traffic flow. It is based on the assumptions that performance parameters of the WCS are known and modeled by stochastic or probabilistic variables. In [7], the authors proposed a cellular automata model to investigate the impact of end-to-end communication delay on railway traffic flow. [8] studied the impact of random packet drops due to the frame error rate (FER) and handovers on the stability and performances of CBTC systems.

Unlike the first way that simplifies the WCS modeling, the second way focuses on the performance of the WCS with their close-to-reality-models in train control applications. In this context, the WCS performance issue takes even greater importance and is considered from the telecommunication expert’s point of view while the train control modeling is simplified. Using Colored Petri Nets (CPN), the authors in [9] focused on modeling the WCS of the CBTC system in order to evaluate the transfer delay of messages between the trains and the zone controller (ZC). In [10], using OPNET (Optimized Network Engineering Tool) simulations, the authors proved that QoS (Quality of Service) mechanisms of a deployed LTE network are efficient enough for ensuring simultaneously safety and non-safety applications in ETCS. In [11], the authors also used the OPNET simulator to evaluate the performances offered by the LTE system to safety and non-safety applications in urban guided-transport. In [12], the authors derived the stochastic delay thresholds of high speed train control services over fading channels using the analytical analysis based on stochastic network calculus.

Manuscript received November 30, 2015; revised May 4, 2016 and July 28, 2016; accepted August 24, 2016. Date of publication September 13, 2016; date of current version May 29, 2017. This work was performed in the framework of the CISIT project (Campus Interdisciplinaire de recherche, d’innovation technologique et de formation à vocation Internationale centré sur la Sécurité et l’Intermodalité des Transports de surface) and SYSTUF project (SYStème de Télécommunications pour les Transports Urbains du Futur) supported by the French Government under the PIA (programme d’Investissements d’Avenir). The Associate Editor for this paper was S. Siri. (Corresponding author: Khanh T. P. Nguyen.)
K. T. P. Nguyen is with the ROSAS Department, University of Technology of Troyes, 10010 Troyes, France (e-mail: [email protected]).
J. Beugin and M. Berbineau are with the IFSTTAR-COSYS, University of Lille Nord de France, 59000 Lille, France.
M. Kassab is with the HANA Laboratory, ENSI, University of Manouba, 2010 Manouba, Tunisia.
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TITS.2016.2604043
1524-9050 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
NGUYEN et al.: CRITICAL-EVENT PROBABILITY DUE TO WIRELESS COMMUNICATION ERRORS IN TCSs 1381

On the other hand, numerous studies aimed to propose efficient solutions to limit negative impacts, such as the ping-pong effect, handover delay and packet loss, on the performance of TCS. The paper [13] presented a handoff algorithm with frequency combination that ensures the channel quality and optimizes the handoff time. In order to reduce the handover delay, the multiple-input-multiple-output (MIMO) assisted handoff scheme is proposed for CBTC systems based on WLAN technology [14] and for those based on LTE technology [15]. The authors in [16] proposed using cooperative relaying for train-train communication in order to enhance the train control performance of CBTC systems.

The third way considers the WCS performances from the railway operator’s point of view and addresses the question of whether the WCS ensures the desired performance level for safety applications according to the railway safety standards [17]. In this context, a single communication error can be negligible. Only communication errors that last more than a certain time and that can lead to a critical event (CE) like a collision are of interest. Therefore, it is necessary to reduce the complexity of the WCS model of the second way when focusing on the railway safety and operation aspects, by neglecting WCS details such as fading channel effects, resource allocation, power control, etc. However, the WCS modeling in this third way is more detailed than in the first way, taking into account numerous channel features such as transfer delay, loss connection rate, reconnection procedure, handover occurrence rate, handover execution time, etc. The authors in [18] presented a stochastic Petri net (SPN) model for the ETCS real-time communication system in order to investigate the impact of train head-to-head distance on the train stopping probability. The proposed discrete event model corresponds to a simplified model of the transmission error and recovery behavior of the real-time WCS of the ETCS. In [19], the authors used stochastic automation networks to model CBTC systems in order to examine the impact of the time interval between two consecutive trains on the probability to trigger the emergency braking of the train behind. An SPN simulation-based approach for the dependability analysis of an LTE-based WCS in CBTC application is presented in [20]. Nevertheless, the efficiency of the above articles, which are based on modeling and simulations, i.e., the ratio between the result accuracy and the execution time, is an issue. Therefore, an analytical treatment is recommended.

The authors in [21] presented an analytical estimation for evaluating the probability of train emergency stopping due to Global System for Mobile Communications Railway (GSM-R) communication errors in ETCS. The communication delays were analyzed in more detail in [22]. However, these two studies are only based on the bit error rate (BER) analysis. This value does not take into account any perturbing effects caused by interferences or cell handovers as presented in [23]. In addition, these studies only consider the occurrence rate of communication errors during a long operating time but do not consider the duration of errors. For a TCS, the duration of communication errors is essential in terms of safety because a CE (an emergency braking for example) can occur when consecutive messages are missed for more than a fixed time interval. In [24], a new analytical analysis that examines the duration of every principal error type of the WCS was proposed. Based on the previous work, we develop an analytical process in this paper. This allows us to analyze the impact of wireless communication errors on the TCS and then to evaluate the occurrence probability of the CE in braking control applications. The contribution of this paper is to develop a methodology from the railway operator’s point of view that allows us (1) to analyze and to evaluate communication errors that lead to the CE when no valid position message is received by the train control center (TCC) for more than a certain time, and (2) to calculate the occurrence probability of this CE. This methodology could be applied in general to different communication technologies, such as GSM-R, WLAN, or LTE by considering the corresponding transmission procedure and appropriate parameters.

The paper is structured as follows: in Section II, we will describe the problem statement and formalize the performance parameters of the WCS. The proposed analytical approach that integrates the principal communication errors degrading CBTC services will be presented in Section III. Then, the case study dedicated to LTE technology, its modeling and the model simulations are summarized in Section IV. An evaluation process based on the analytical approach will be proposed in Section IV-C. The process accuracy will also be proved by comparing its results with those of a simulated PN model in this subsection. Finally, Section V will present the conclusions and the further research works.

II. PROBLEM STATEMENT AND MODEL FORMULATION

A. Requirements of Train Ground Communication for TCS

Focusing on railway control commands, the expected requirements for a WCS are categorized into two groups according to the following applications:
1) High-speed railway applications: In Europe, the requirements for a WCS linked to ERTMS are defined in numerous documents (e.g., [25]¹).
2) Urban guided transport applications: The standard IEEE 1474 provides operational and safety requirements of CBTC and mentions general requirements of performance data related to a communication system. However, these requirements could not be directly applied for the construction of a communication system. To our knowledge, each transport operator group defines its own needs for a specific project in order to design a corresponding WCS, as was done in Systuf.²

A summary of the requirements of train ground communication for TCS is outside the scope of this paper because in case of (1), the requirements (qualitative and quantitative) are numerous and in case of (2), the requirements are specific to every operator group and in most cases are non-public.

1 Note that the requirements defined in this document are not fixed and will evolve according to technology evolution (this is written on the European Railway Agency website at http://www.era.europa.eu/Core-Activities/ERTMS/Pages/The-Program-Evolution-of-Railway-Radio.aspx).
2 http://systuf.ifsttar.fr/index-en.php

B. Problem Statement

Let us consider an urban railway line equipped with an advanced TCS and assume that train 1 runs ahead of train 2. Let $T_m$ (s) be the journey time of trains. During a journey, the position/integrity messages generated by the trains are transmitted periodically to the TCC every $T_s$ (s). When receiving the position message of train 2, the TCC takes into account the position of train 1 and the signaling states of other trains, and then sends back a movement authority message (MA) to train 2. A message is considered valid at the reception if and only if its transmission time does not exceed a value $T_o$ (obsolescence deadline for a message). To ensure safety conditions when no valid position message from train 1 is received by the TCC within a period of $T_b$ (s), an emergency braking message is sent from the TCC to train 2. It corresponds to a CE that is relevant for safety and dependability evaluations. In order to evaluate the occurrence probability of this CE due to the communication errors during a train journey, the performance parameters of the LTE communication process between the train and the TCC will be examined in the next subsections.

C. Performance Parameters of the Communication Process Between the Train and the TCC

1) Transmission Delay: Let $D_p$ be the transmission delay of the packet sent by a train or by a TCC in the normal case. $D_p$ is assumed to follow the exponential distribution with the mean value $\lambda_p$. Although this assumption seems to be too simple to take into account the upper-bound values of the packet delay, it is still widely used in communication systems, especially in the queuing theory. In fact, according to [26] (pp. 44–45), the assumption of exponential distribution for network delays is adequate for a number of experimental observations and applications. Then, the probability density function (pdf) of $D_p$ is given by:

$$f_{D_p}(t) = \lambda_p \exp(-\lambda_p t). \tag{1}$$

2) Retransmission Mechanism: The goal of this paper is to propose a new methodology that could be applied in multiple different communication technologies. Therefore, we present in this section a general retransmission mechanism. When a message is sent, $n_r$ copies are created. If the transmitter (Tx) receives the ACK sent by the receiver (Rx), these copies are deleted; see, for example, Fig. 1.1), when Tx receives ACK from Rx. Next, for message 2, see Fig. 1.2), after the retransmission time, $T_{RE}$, if Tx has not yet received the ACK, it sends another copy until all $n_r$ copies are sent. For GSM-R and WLAN, $n_r = 0$ when we do not consider the retransmission mechanism. For LTE, we consider the Sync HARQ with $n_r = 3$. Due to temporarily bad radio signal conditions, the packet loss occurs with rate $p_{ET}$. The obsolescence deadline $T_o$ includes the $n_r + 1$ versions of a message (1 original version and $n_r$ copies). For example, see Fig. 1.2), Rx does not receive the original version and the first two copies of message 2 due to packet loss errors. Next, the third copy arrives at Rx after the obsolescence deadline $T_o$ (counted from the first sending time of message 2), then it is considered as an obsolescent message and is not valid for the train control application.

Fig. 1. Examples for the transmission and retransmission mechanisms.

3) Connection Loss: Let $D_l$ be the time to the connection loss, in other words, the on-time duration of connection, and let $D_{rc}$ be the reconnection time. $D_l$ is assumed to follow the exponential distribution, [18]:

$$f_{D_l}(t) = \lambda_l \exp(-\lambda_l t). \tag{2}$$

The train hardware detects this state after some time-out, $T_d$, and tries to establish a new connection with the failed reconnection probability $p_f$. In detail, when the reconnection duration is greater than $b$, the re-establishment is considered as failed and then another attempt is made, [18]. The recovery time of a successful connection is assumed to follow the uniform distribution UNIF$[a, b]$. Thus, for $h$ reconnections with $h \in \{1, 2, \ldots, \infty\}$, the probability density function of the reconnection time is given by:

$$
f_{D_{rc}}(t) =
\begin{cases}
0 & t \le a \\
(1 - p_f)\,\dfrac{1}{b-a} & t \in\, ]a, b] \\
\;\vdots & \\
0 & t \in\, ](h-1)b,\ (h-1)b + a] \\
(1 - p_f)\,p_f^{(h-1)}\,\dfrac{1}{b-a} & t \in\, ](h-1)b + a,\ hb].
\end{cases}
\tag{3}
$$

If the connection is established at the first attempt, $h = 1$, then the reconnection time, $D_{rc}$, belongs to the interval $[a, b]$. The probability that the connection is successful at the first attempt is $1 - p_f$. Therefore, the probability density function of the reconnection time is given by $f_{D_{rc}} = 0$ for $t \le a$ and $f_{D_{rc}} = (1 - p_f)/(b - a)$ for $t \in\, ]a, b]$. Next, the probability that the first attempt of reconnection fails and the second reconnection is successful ($h = 2$) is $(1 - p_f)p_f$. In this case, the reconnection time $D_{rc}$ only belongs to the interval $]b + a, 2b]$. Similarly, if the first $(h - 1)$ attempts fail and the $h$-th reconnection is successful, the reconnection time $D_{rc}$ only belongs to the interval $](h - 1)b + a, hb]$.

4) Handover Performance: Handover processes occur every time the train crosses the limit between the communication areas of two neighboring radio base stations (called eNodeB in an LTE network). When the train is operating normally, the

inter-occurrence time of handovers can be associated with one of the two assumptions that follow:
• either it can be considered as a constant, $T_{Ho}$ (s). Then, the distribution of the time $D_k$ when handover occurs for the $k$-th time is:

$$F_{D_k}(t) = \delta_{\{t \ge kT_{Ho}\}} \tag{4}$$

where $\delta_{\{\text{condition}\}} = 1$ when the condition is true and $\delta_{\{\text{condition}\}} = 0$ when the condition is false.
• or it can be considered as independent and exponentially distributed with the rate $\lambda_{Ho}$ [18]. Then, the distribution of the time $D_k$ when handover occurs for the $k$-th time follows the Gamma law:

$$F_{D_k}(t) = 1 - \sum_{j=0}^{k-1} \frac{(\lambda_{Ho} t)^j}{j!} \exp(-\lambda_{Ho} t). \tag{5}$$

The execution time of handovers is assumed to follow the exponential distribution with the rate $\lambda_{eH}$, [18]. Let $D_{eH}$ be the handover delay, then its pdf is:

$$f_{D_{eH}}(t) = \lambda_{eH} \exp(-\lambda_{eH} t). \tag{6}$$

When the packet is sent during the handover processes, its transmission delay is defined by $D_{eH} + D_p$.

III. ANALYSIS OF PRINCIPAL TYPES OF COMMUNICATION ERRORS IN THE TCS

For the advanced TCS, a single communication error (such as losing one packet) can be negligible. The communication error becomes important when a fixed time interval is exceeded. In other words, missing consecutive valid messages at the train or the TCC will lead to CE. Therefore, in this section, we will analyze the principal types of communication errors that can lead to missing consecutive valid messages at the receiver. In general, these errors are classified by the following types:
• Type A—loss of $n$ consecutive messages in normal condition (without a handover process or a connection loss) where $n$ is the minimum number of invalid messages that can lead to the CE.
• Type B—long execution time of handovers during more than $T_1$ s where $T_1$ is the minimal duration of errors that can lead to the CE.
• Type C—long timeout of connection during more than $T_1$ (s).
• Hybrid type, i.e., the combination between the above types. The higher the combination order between error types is, the lower the occurrence probability of this event is. Then only the combination of order 2 (i.e., combination between 2 error types) is considered in this paper:
1) combination between packet losses and a handover.
2) combination between packet losses and a connection loss.
3) combination between a handover and a connection loss.

Because of the complexity, the analytical analysis for the hybrid error types is not presented in this section. It will be approximated for a particular case study in Section IV. The values of $n$ and $T_1$ will also be investigated in Section IV-C.

Fig. 2. Time chart of the occurrence of error Type A.

A. Occurrence Probability of Error Type A

In this paragraph, the mathematical formulation of the probability that $n$ consecutive valid messages cannot arrive at the receiver during normal connection will be derived. As presented in the above section, a message is considered as failed when the $n_r + 1$ packets of the retransmission mechanism have failed. In fact, during the normal connection period (without connection loss or handover procedure), the packet error at the reception is caused by:
• the packet error rate, $p_{ET}$.
• the packet obsolescence: transmission time is more than the obsolescence deadline, $T_o$.

Then, the probability that the $i$-th packet transmission is incorrect is given by:

$$p_i = p_{ET} + P\big(D_p \ge T_o - (i-1)T_{RE}\big). \tag{7}$$

As the errors of packet transmission during normal connection are independent, the probability that a message transmission fails, $p_m$, is given by:

$$p_m = \prod_{i=1}^{n_r+1} \big[\, p_{ET} + P\big(D_p \ge T_o - (i-1)T_{RE}\big) \big]. \tag{8}$$

Let $Q_i$ be the probability that error type A occurs for the first time at the $i$-th message sending. It is easy to see that $Q_i = 0$ for $i < n$, and the probability that error type A occurs at the $n$-th message sending, Fig. 2(a), is $Q_n = p_m^n$.

Then, the probability that error type A occurs for the first time at the $(n + h)$-th message sending is: $Q_{n+h} = (1 - p_m)p_m^n$ for $0 < h \le n$. Indeed, we find that error type A occurs for the first time at the $(n + h)$-th message sending ($0 < h \le n$) if the $h$-th message is valid at the receiver and then, $n$ next consecutive messages are failed, for example, $h = 1$, Fig. 2(b). Next, considering Fig. 2(c), error type A occurs for the first time at the $(2n + 1)$-th message sending if:
• the train receives the $(n + 1)$-th message, then it does not receive $n$ next consecutive messages.
• and error type A does not occur for the first time at the $n$-th message sending.

$$Q_{2n+1} = (1 - p_m)\,p_m^n\,(1 - Q_n).$$

Similarly, we have:

$$Q_{2n+2} = (1 - p_m)\,p_m^n \left(1 - \sum_{h=n}^{n+1} Q_h\right).$$

In summary, the probability that error type A occurs for the first time at the $i$-th message sending is given by:

$$
Q_i =
\begin{cases}
0 & i < n \\
p_m^n & i = n \\
(1 - p_m)\,p_m^n & n < i \le 2n \\
(1 - p_m)\,p_m^n \left(1 - \sum_{h=n}^{i-n-1} Q_h\right) & i \ge 2n + 1.
\end{cases}
\tag{9}
$$

Therefore, we obtain the following property:

Property 1: Let $N_m(t)$ be the number of train messages that are sent during $[0, t]$, $t > T_s$, $N_m(t) = \mathrm{int}[t/T_s]$ where $\mathrm{int}[x]$ is the integer part of $x$; and let $D_A$ be the occurrence time of error type A. The probability that error type A occurs during $[0, t]$ can be calculated by:

$$P(D_A \le t) = \sum_{i=n}^{N_m(t)} Q_i \tag{10}$$

where $Q_i$ is defined by the (9).

B. Distribution Function of Error Type B

Error type B can only occur during handover process. Let $D_B$ be the first time occurrence of error type B then $D_B$ is always greater than $T_1$. It is easy to see that:

$$P(D_B \le t) = 0 \quad \forall t < T_1.$$

It remains to calculate $F_B(t) = P(D_B \le t)$ for $t \ge T_1$. As the occurrence times of handover are totally independent of the time when the previous handover process finishes, the probability that error type B occurs for the first time during the $k$-th handover process at $t$ is:

$$F_{B_k}(t) = P\big(D_k + T_1 \le t,\ D_{eH_1} < T_1, \ldots, D_{eH_{k-1}} < T_1,\ D_{eH_k} \ge T_1\big)$$

where $D_k$ is the $k$-th occurrence time of handover process, defined by (4) or (5); $D_{eH_k}$ is the execution time of the $k$-th handover, defined by (6). As the occurrence times of handover and their relevant execution times are independent, the $F_{B_k}(t)$ can be rewritten as:

$$F_{B_k}(t) = P(D_k \le t - T_1)\,\big(1 - e^{-\lambda_{eH} T_1}\big)^{(k-1)}\, e^{-\lambda_{eH} T_1}. \tag{11}$$

Finally, we obtain the following property.

Property 2: The probability that at $t$, $t > T_1$, the handover execution time is more than a certain time, $T_1$ (s), which is the distribution function of error type B, is given by:

$$F_B(t) = \sum_{k=1}^{\infty} P(D_k \le t - T_1)\,\big(1 - e^{-\lambda_{eH} T_1}\big)^{(k-1)}\, e^{-\lambda_{eH} T_1} \tag{12}$$

where $P(D_k \le t - T_1)$ is calculated by (4) or (5).

C. Distribution Function of Error Type C

Recall that:
• $D_{l_1}, \ldots, D_{l_k}$ are i.i.d. following ($E(\lambda_l)$), they are the durations associated to connection losses.
• $D_{oc_1}, \ldots, D_{oc_k}$ are the out-time durations of connection where $D_{oc_k} = D_{rc_k} + T_d$ given that $D_{rc_k}$ are i.i.d. following ($f_{D_{rc}}(t)$) and is the time to reconnection and that $T_d$ is the time to detect the timeout.

$(D_{l_k})_{k \ge 1}$ and $(D_{rc_k})_{k \ge 1}$ are independent.

Let $D_C$ be the first time occurrence of error type C. Similarly to case B, we have: $P(D_C \le t) = 0$, $\forall t < T_1$ and it remains to calculate:

$$F_C(t) = P(D_C \le t) \quad \text{for } t \ge T_1.$$

If $D_{oc_k}$ is the first out-time duration which is longer than $T_1$ then:

$$D_C = (D_{l_1} + D_{oc_1}) + \cdots + (D_{l_{k-1}} + D_{oc_{k-1}}) + D_{l_k} + T_1. \tag{13}$$

The probability that error type C occurs at $t$ is given by:

$$F_C(t) = \sum_{k=1}^{\infty} F_{C_k}(t)$$

where

$$F_{C_k}(t) = P\big(D_C \le t,\ D_{oc_1} < T_1, \ldots, D_{oc_{k-1}} < T_1,\ D_{oc_k} \ge T_1\big).$$

Because $(D_{l_k})_{k \ge 1}$ are i.i.d. with exponential distribution following $E(\lambda_l)$, the random variable $D_{l_1} + \cdots + D_{l_k}$ is Gamma-distributed with parameters $(k, \lambda_l)$. Furthermore as $(D_{l_k})_{k \ge 1}$ and $(D_{oc_k})_{k \ge 1}$ are independent, it implies that in (13), we

can replace the sum $D_{l_1} + \cdots + D_{l_k}$ by a random variable $W_k \sim \Gamma(k, \lambda_l)$. Hence we obtain:

$$
\begin{aligned}
F_{C_k}(t) &= P\big(W_k + D_{oc_1} + \cdots + D_{oc_{k-1}} + T_1 \le t,\ D_{oc_1} < T_1, \ldots, D_{oc_{k-1}} < T_1,\ D_{oc_k} \ge T_1\big) \\
&= E\Big[ F_{W_k}\Big(t - T_1 - \sum_{i=1}^{k-1} D_{oc_i}\Big) \cdot \delta_{\{D_{oc_1} < T_1\}} \cdots \delta_{\{D_{oc_{k-1}} < T_1\}}\, \delta_{\{D_{oc_k} \ge T_1\}} \Big]
\end{aligned}
$$

where $F_{W_k}$ is the c.d.f. of $W_k$.

Property 3: The distribution function of error type C when the time of connection is more than a certain time $T_1$ is written by $\sum_{k=1}^{\infty} F_{C_k}$, where:

$$F_{C_k}(t) = \int_0^{T_{1C}} \cdots \int_0^{T_{1C}} F_{W_k}(\cdot)\, dD_{rc_1} \cdots dD_{rc_{k-1}} \cdot \int_{T_{1C}}^{\infty} f_{D_{rc}}(u_k)\, du_k \tag{14}$$

where $f_{D_{rc}}(t)$ is defined in (3), $T_{1C} = T_1 - T_d$, and $F_{W_k}(\cdot) = F_{W_k}\big(t - T_1 - \sum_{i=1}^{k-1} D_{oc_i}\big)$, given that:

$$F_{W_k}(t) = 1 - \sum_{j=0}^{k-1} \frac{(\lambda_l t)^j}{j!} \exp(-\lambda_l t) \quad \text{for } t \ge T_1 + (k-1)T_d.$$

IV. COMPARISON BETWEEN ANALYTICAL APPROACH AND SIMULATION APPROACH: VALIDATION ON A CASE STUDY

In the previous section, we derived three properties for evaluating the occurrence probabilities of the principal communication error types. In this section, using these properties, we calculate the occurrence probability of the CE, e.g., “sending an emergency braking message from TCC to train 2” due to communication errors between the TCC and train 1. This is a probability related to the $T_b$ value mentioned in Section I. We will firstly describe the case study in Section IV-A. Next, the simulation approach (PN here) will be briefly presented in Section IV-B. Finally, the analytical process will be performed (by Matlab) in order to evaluate the CE probability occurrence in Section IV-C. We also compare the results obtained by every step of the analytical process to the ones obtained by the PN simulation to verify their accuracy.

Note that the mathematical formulas in Section IV-C could be evaluated by any numerical computing environment, such as Matlab, R, C++, etc. In this paper, we use Matlab. On the other hand, according to standard IEC 61508-part 6 (page 76), the PN based on Monte Carlo simulation is an efficient method for modeling dynamic systems. Therefore, we believe that a comparison with a PN simulation tool (of the GRIF platform) is enough to highlight the performance of the proposed approach, which is totally independent of the PN simulation. In fact, our analytical approach is not time-consuming. It allows us to avoid the simulation execution time and to obtain results as good as those of the classic PN simulation. The difference between the analytical result (AR) and the simulation result (SR) is quantitatively evaluated by the relative error, $r$:

$$r = \frac{|AR - SR|}{SR}. \tag{15}$$

TABLE I. INPUT PARAMETERS FOR THE CASE STUDY

Fig. 3. Distribution of eNode-B along the urban railway line.

A. Description of the Case Study

We consider the train’s journey time, $T_m = 3600$ s (average journey duration of an urban train, [23]). Several values of $T_s$, the interval time between two consecutive position messages sent by the train, are chosen in the context of CBTC systems (in the SYSTUF project³), $T_s \in [0.2, 0.6]$ s. Note that these values are very low compared to the value of 5 s mentioned in ETCS requirements. This is due to the continuous monitoring requirements for the Mass Transit system (CBTC), aiming to enforce train speed profiles, headway and dwell times, [4]. As LTE technology is considered as the final answer-piece in the puzzle to the convergence prospect between ETCS and CBTC systems, our case study is dedicated to a simple example of LTE-based TCS, and furthermore the parameter values in both reference sections of ETCS and CBTC can be inherited, given in Table I.

Note that the input parameters are chosen (1) based on [18], (2) based on [9] (mean transfer delay for a message of 500 bytes is about 5 ms), (3) based on [27], (4) based on [28] with the assumption that the target cell is already known, (5) arbitrarily but trying to come close to reality.⁴ In fact, Fig. 3 presents the considered distribution of the eNodeB along the urban railway line. As the distance between two eNodeB is fixed and the relevant velocity parameters of the train are also specified in advance, the occurrence time of the handover could be considered as constant, $T_{Ho}$ s, for a given radio planning.

3 http://systuf.ifsttar.fr/index-en.php
4 Project SYSTUF.



Fig. 4. PN structure for the ZC operation model.

B. Modeling and Simulation Approach Applied to the Case Study

Petri net (PN) is a graphical and mathematical formalism for modeling discrete event systems with time-dependent behaviors and is widely employed to model complex systems [29]. Simulation of PN models is a common technique to perform dependability assessments.

In this paper, we propose to use the PN module of the software platform GRIF⁵ for evaluating the occurrence probability of the CE. In detail, SPN with predicates and assertions are used to model the CBTC system based on the LTE technology. Note that in the CBTC system, the TCS is normally called zone controller (ZC). For quantitative evaluation, a high-speed Monte Carlo simulation engine (MOCA-RP) is used.

The CBTC system is modeled with 4 sub-nets describing:

1) handover procedure
2) re-connection procedure
3) transmission and re-transmission procedure
4) Zone controller (ZC) operation.

The sub-nets modeling procedures 1, 2, and 3 are similar to those presented in [20]. Fig. 4 presents the sub-net for modeling the ZC operation: “sending emergency braking message”. In detail, after receiving a valid packet from the train, “Tr12” is triggered and the ZC sends an ACK to the train, i.e., the token in “packet_OK” place (num. 6) is removed and another is created in “ZC_ACK” place (num. 12). The ACK processing of the train is modeled in the “transmission and re-transmission” sub-net described in [20]. Another token simultaneously comes to the “ZC_preaction” place (num. 7). Within the deadline $T_o$ of the train message, if the ZC receives another copy of this train message, these copies are rejected, i.e., the “rejectdouble” transition is then triggered. When a token is created in place 58, the timer (place 11 that validates the “Tr20” transition for the $T_b$ time counting) is reset. If not, after $T_b$ s, the ZC sends an emergency braking message to train 2 and the variable “CE” is set to true.

⁵ GRaphical Interface for reliability Forecasting, http://grif-workshop.com/grif/petri-module/.

Fig. 5. Missing consecutive valid messages for more than $T_b$ s due to communication error Type A.

C. Formulation of the Analytical Approach and Discussion of the Accuracy of Its Results

1) Missing Consecutive Valid Messages for More Than $T_b$ s Due to the Communication Error Type A: In the Section III-1, the occurrence probability of error type A ($n$ consecutive valid messages cannot arrive at the receiver during normal connection) was evaluated. Now, in this section we will present the way to evaluate the occurrence probability of the CE caused by error type A ($CE_A$). This way depends on the relationship between $T_b$ (maximum accepted duration without valid position message) and $T_s$ (time between two position/integrity messages generated by the train). In detail, the occurrence probability of $CE_A$ will be evaluated in the following two cases (where $n$ is an integer such as $n = \mathrm{int}[T_b/T_s]$):

1) $T_b > nT_s + T_o$
2) $T_b = nT_s$.

As $T_o$ is very small, it is not necessary to consider the case $nT_s < T_b < nT_s + T_o$. This case can be considered as the case $T_b = nT_s$.

In the first case when $T_b > nT_s + T_o$ (cf. case 1) in Fig. 5 where $n = 3$), the CE occurs when $n$ consecutive messages are invalid. In this case the pdf of the $CE_A$ is given by (9).

In the second case when $T_b = nT_s$, the $CE_A$ will occur if:

1) $n$ consecutive messages are invalid (similar to the first case), or
2) only $(n − 1)$ consecutive messages are invalid with the condition that the transmission delay of the $n$-th message, $D_p'$, is superior to the transmission delay $D_p$ of the message 0. The message 0 is the last valid message that arrives at the ZC before the missing consecutive messages (cf. case 2) in Fig. 5 where $n = 3$). The probability that $D_p' > D_p$ is calculated by:

$$P(D_p' > D_p) = \int_0^\infty \int_y^\infty f_{D_p'}(x)\,dx \cdot f_{D_p}(y)\,dy = \int_0^\infty \exp(-2\lambda_p y)\,\lambda_p\,dy = 0.5.$$

TABLE II. Choosing $T_b$ according to $T_s$ and $p_{ET}$ in order to limit the occurrence probability of $CE_A$.

Fig. 6. Occurrence probability of error Type A according to the relationship between $T_b$ and $T_s$. Note: Simul—Simulation approach; Anal—Analytical approach. The relative error between two approaches is presented by percentage numbers in the figure.

Then, the probability that $CE_A$ occurs for the first time at the $n$-th message sending is given by:

$$Q_n = P(D_p' > D_p) \cdot P(\text{only } (n-1) \text{ invalid messages}) + P(n \text{ invalid messages}) = 0.5\,p_m^{n-1}(1 - p_m) + p_m^n = 0.5\left(p_m^{n-1} + p_m^n\right).$$

Therefore, from (9), the pdf of the $CE_A$ (missing consecutive valid messages for more than $T_b$ s) can be rewritten as follows:

$$Q_i = \begin{cases} 0 & i < n \\ 0.5\left(p_m^{n-1} + p_m^n\right) & i = n \\ (1 - p_m)\,0.5\left(p_m^{n-1} + p_m^n\right) & n < i \le 2n \\ (1 - p_m)\,0.5\left(p_m^{n-1} + p_m^n\right) \times \left(1 - \sum_{h=n}^{i-n-1} Q_h\right) & i > 2n. \end{cases} \tag{16}$$

Fig. 6 compares the results between the analytical approach and the simulation approach of the occurrence probability of the $CE_A$ (presented by the vertical axis) during a train journey when $p_{ET} = 0.1$, $T_b = T_s + 0.1$ (an example for the case $T_b > nT_s + T_o$) or $T_b = 2T_s$ (an example for the case $T_b = nT_s$). We find that the results for both approaches are almost the same. In fact, the relative error $r$, which is presented as a percentage at every value point of $P_{CE_A}$, is smaller than 1.3% for all cases.

Then, the analytical approach is used to consider how $T_b$ is chosen in order to limit the impact of error type A on the CE during a train journey. It means that $T_b$ is investigated such as $P_{CE_A}(1\ \mathrm{h}) \le$ 1E−5. Table II presents the occurrence probability of the $CE_A$ according to every value of $T_s$, $p_{ET}$, $T_b$. All probability values are indicated in the second line of each row corresponding to a value of $p_{ET}$. Hereunder are two examples taken from Table II:

1) for $T_s = 0.2$ and $p_{ET} = 0.1$, the occurrence probability of $CE_A$ can be negligible when $T_b \ge 0.7$.
2) for $T_s = 0.2$ and $p_{ET} = 0.4$, the occurrence probability of $CE_A$ can be negligible when $T_b \ge 1.3$.

2) Missing Consecutive Valid Messages for More Than $T_b$ s Due to the Communication Error Type B: Let message 0 be the last valid message that arrives at the ZC before the handover occurrence. Similarly to the previous subsection, the occurrence probability of the CE caused by error type B, $CE_B$, will be evaluated in two cases.

Fig. 7. Illustration of $CE_B$ when $T_b > nT_s + T_o$.

For the first case when $T_b > nT_s + T_o$ (cf. the example in Fig. 7 with $n = 3$), the $CE_B$ occurs at the $k$-th handover when the execution time of the handover is more than $T_1$ s. $T_1$ is given by:

$$T_1 = \begin{cases} (n-1)T_s + T_o + \left(\mathrm{int}\left[\dfrac{D_k}{T_s}\right] + 1\right) T_s - D_k; & \text{when } \mathrm{mod}\left(\dfrac{D_k}{T_s}\right) > 0 \\[2mm] (n-1)T_s + T_o; & \text{when } \mathrm{mod}\left(\dfrac{D_k}{T_s}\right) = 0 \end{cases} \tag{17}$$

where $n = \mathrm{int}[T_b/T_s]$, $D_k$ is the occurrence time of the $k$-th handover, $\mathrm{mod}(D_k/T_s)$ is the remainder when we divide $D_k$ by $T_s$.

Then, from (11), the probability that the $CE_B$ occurs for the first time at the $k$-th handover when $T_b > nT_s + T_o$ is given by:

$$P(CE_{B_k}) = \delta_{(D_k \le t - T_b)} \left(1 - e^{-\lambda_{eH} T_1}\right)^{(k-1)} e^{-\lambda_{eH} T_1} \tag{18}$$

where $D_k = kT_{Ho}$ when the time interval $T_{Ho}$ between two handover occurrences is assumed to be constant.

For the second case when $T_b = nT_s$, the $CE_B$ occurs for the first time at the $k$-th handover when:

1) the execution time of the handover is more than $T_1$, given by (17),
2) or the execution time of the handover is more than $T_1' = [T_1 − T_s]^+$ (where $[x]^+ = \max[0, x]$) and the transmission delay of the $n$-th message, $D_p'$, is superior to the transmission delay $D_p$ of the message 0 (Fig. 8 when $n = 3$).

Then, when $T_b = nT_s$, the probability that $CE_B$ occurs for the first time at the $k$-th handover is given by:

$$P(CE_{B_k}) = \delta_{(D_k \le t - T_b)} \left(1 - \sum_{i=1}^{k-1} P(CE_{B_i})\right) \cdot \left[P(D_{eH} > T_1) + 0.5\,P(T_1' \le D_{eH} \le T_1)\right]. \tag{19}$$

Fig. 8. Illustration of $CE_B$ when $T_b = nT_s$.

Fig. 9. Occurrence probability of error Type B according to the relationship between $T_b$ and $T_s$. Note: Simul—Simulation approach; Anal—Analytical approach. The relative error between two approaches is presented by percentage numbers in the figure.

TABLE III. Choosing $T_b$ according to $T_s$ and $m_{eH}$ in order to limit the occurrence probability of $CE_B$.

Fig. 9 compares the results between the analytical approach and the simulation approach of the occurrence probability of the $CE_B$ (presented by the vertical axis) during a train journey when $T_b = 2T_s + 0.1$ (an example for the case $T_b > nT_s + T_o$) and $T_b = 3T_s$ (an example for the case $T_b = nT_s$). We find that the results of two approaches are almost the same. In fact, the relative error $r$, which is presented as a percentage at every value point of $P_{CE_B}$, is not important. In the worst case, when $P_{CE_B} < 0.005$, then $r < 5\%$ of $P_{CE_B}$ obtained by the simulation approach.

Then, the analytical approach is applied to evaluate the occurrence probability of rare events in order to consider for which value of $T_b$ the impact of error Type B during a train journey can be negligible ($P_{CE_B}(1\ \mathrm{h}) \le$ 1E−5). Hereunder are two examples taken from Table III that has the same presentation principles of Table II:

1) For $T_s = 0.2$ and $m_{eH} = 0.05$, the occurrence probability of $CE_B$ can be negligible when $T_b \ge 1.2$ s. $CE_B$ can be negligible when $T_b \ge 1.8$ s.
2) For $T_s = 0.2$ and $m_{eH} = 0.096$, the occurrence probability of $CE_B$ can be negligible when $T_b \ge 2$ s.

3) Missing Consecutive Valid Messages for More Than $T_b$ s Due to the Communication Error Type C: As the connection loss rate is $10^{-4}$/h [18], the probability that the connection loss occurs more than 2 times during a train journey is negligible. Therefore, $F_C(t)$ can be re-written as:

$$F_C(t) = F_{W_1}(t - T_1) \int_{T_{1C}}^{\infty} f_{D_{rc}}(u)\,du \tag{20}$$

where $T_{1C} = [T_1 − T_d]^+$; $f_{D_{rc}}(u)$ is given by (3), and

$$F_{W_1}(t - T_1) = 1 - \exp\left(-\lambda_l (t - T_1)\right).$$

Similarly to the communication error Type B, the occurrence probability of the $CE_C$ is calculated in the following two cases:

For the first case when $T_b > nT_s + T_o$, $CE_C$ occurs if the connection time-out $D_{oc}$ is more than $T_1$, that is given by (17) when replacing $D_k$ by $D_l$, where $D_l$ is the occurrence time of the $l$-th connection loss. As $(n − 1)T_s + T_o \le T_1 < nT_s + T_o$, from (20), the occurrence probability of the $CE_C$ in this case is:

$$P_{CEC_{inf}}(t) \le P_{CE_C}(t) < P_{CEC_{sup}}(t)$$

$$P_{CEC_{inf}}(t) = F_{W_1}(t - T_b) \int_{T_{1C_{inf}}}^{\infty} f_{D_{rc}}(u)\,du$$

$$P_{CEC_{sup}}(t) = F_{W_1}(t - T_b) \int_{T_{1C_{sup}}}^{\infty} f_{D_{rc}}(u)\,du \tag{21}$$

where $T_{1C_{sup}} = [(n − 1)T_s + T_o − T_d]^+$, and $T_{1C_{inf}} = [nT_s + T_o − T_d]^+$.

For the second case when $T_b = nT_s$, similarly to error type B, the probability that $CE_C$ occurs during $[0, t]$ is given by:

$$P_{CEC_{inf}}(t) \le P_{CE}(t) < P_{CEC_{sup}}(t)$$

$$P_{CEC_{inf}}(t) = F_{W_1}(t - T_b) \left[ 0.5\,P\left(T_{1C_{inf}}' \le D_{rc} \le T_{1C_{inf}}\right) + P\left(D_{rc} > T_{1C_{inf}}\right) \right]$$

$$P_{CEC_{sup}}(t) = F_{W_1}(t - T_b) \left[ 0.5\,P\left(T_{1C_{sup}}' \le D_{rc} \le T_{1C_{sup}}\right) + P\left(D_{rc} > T_{1C_{sup}}\right) \right] \tag{22}$$

where $T_{1C_{inf}}' = T_{1C_{inf}} − T_s$ and $T_{1C_{sup}}' = T_{1C_{sup}} − T_s$.

Fig. 10 compares the results between the analytical approach and the simulation approach of the occurrence probability of the $CE_C$ during a train journey, according to $T_b \in [1, 6]$ s. We find that the simulation results are between the inferior threshold ($P_{ECC_{inf}}$) and superior threshold ($P_{ECC_{sup}}$) of the analytical approach. Then, hereafter the probability that CE occurs due to error type C can be approximated by:

$$P_{ECC}(t) = \frac{P_{ECC_{inf}}(t) + P_{ECC_{sup}}(t)}{2}. \tag{23}$$

The maximal value of $P_{ECC}(t)$ during a journey is about $10^{-4}$. Hence, the occurrence probability of any hybrid communication error where one error among the two is a connection loss is always inferior to $10^{-4}$. Therefore, the hybrid error where one error among the two is a connection loss can be negligible in further works.

Fig. 10. Occurrence probability of error Type C according to the relationship between $T_b$ and $T_s$. Note: Simul—Simulation approach; Anal—Analytical approach.

4) Missing Consecutive Valid Messages for More Than $T_b$ s Due to the Hybrid Error “Error Type A and Error Type B”: In this section, we examine the cases in which error Type A occurs before or after the handover process, and this combination leads to missing consecutive valid messages for more than $T_b$ (s). It is called error Type H.

Note that for this hybrid error type, we consider that the duration of handover cannot directly lead to CE as this case was presented before. So, error type A is combined with handover processes in order to have $CE_H$.

Similarly to other error types, the occurrence probability of error Type H is evaluated in two different cases linking $T_b$ and $T_s$.

For the first case when $T_b > nT_s + T_o$,

• The occurrence probability of $CE_H$, caused by the event that one message is invalid due to error type A before (or after) the $k$-th handover, is given by:

$$P_{CE_H\_1}(k\text{-th handover}) = 2 p_m \cdot P\left([T_1 - T_s]^+ \le D_{eH} < T_1\right) \tag{24}$$

where $p_m$ is given by (8) and $T_1$ is given by (17).

• Similarly, the occurrence probability of $CE_H$, caused by the event that $i$ messages are invalid due to error type A before (or after) the $k$-th handover, is given by:

$$P_{CE_H\_i}(\cdot) = 2 p_m^i \cdot P\left([T_1 - i \cdot T_s]^+ \le D_{eH} < [T_1 - (i-1)T_s]^+\right)$$

• Hence, the occurrence probability of $CE_H$ is given by:

$$P_{CE_H}(\cdot) = \sum_{i=1}^{(n-1)} P_{CE_H\_i}(\cdot). \tag{25}$$

We find that

$$\frac{P_{CE_H\_1}(\cdot)}{P_{CE_H\_i}(\cdot)} = \frac{\exp\left(-\lambda_{eH} \cdot (i-1) T_s\right)}{p_m^{i-1}}.$$

When $P_{CE_H\_1}(\cdot) / P_{CE_H\_i}(\cdot) \gg 1$, the $P_{CE_H}$ can be approximated by the $P_{CE_H\_1}$.

For the second case when $T_b = nT_s$,

• The occurrence probability of $CE_H$, caused by the event that one message is invalid due to error type A before (or after) the $k$-th handover, is given by:

$$\begin{aligned} P_{CE_H\_1}(\cdot) &= 2 p_m \cdot \left[ P(D_p' > D_p)\,P(T_{1\_s1} \le D_{eH} < T_1) + P(D_p' \le D_p)\,P(T_{1\_s2} < D_{eH} < T_{1\_s1}) \right] \\ &= p_m \cdot \left[ P(T_{1\_s1} \le D_{eH} < T_1) + P(T_{1\_s2} < D_{eH} < T_{1\_s1}) \right] \\ &= p_m \cdot P(T_{1\_s2} \le D_{eH} < T_1) \end{aligned} \tag{26}$$

where $p_m$ is given by (8), $T_1$ is given by (17), and $T_{1\_si} = [T_1 − i \cdot T_s]^+$.

• Similar to the first case, the occurrence probability of $CE_H$ could be approximated by $CE_{H\_1}$.

5) Analytical Process for Evaluating the Occurrence Probability of CE During the Mission Time:

Input: $T_b$, $T_s$, $T_o$, $T_m$ and all parameters characterizing the WCS performance ($\lambda_l$, $\lambda_p$, $\lambda_{eH}$, $p_f$, $a$, $b$, $T_d$, $T_{Ho}$, $T_{RE}$, $p_{ET}$).
Output: Probability that CE occurs during the mission time ($T_m$) of the train, $P_{CE}(T_m)$
Initialisation: $i = 1$
1: Evaluate the probability $P_{CE_1}$ that CE occurs for the first time before the first handover.
   Evaluate $P_{CE_A}(t \le T_{Ho})$ by
      Eq. (9) if $T_b > nT_s + T_o$
      Eq. (16) if $T_b = nT_s$
   Evaluate $P_{CE_C}(t \le T_{Ho})$ by
      Eq. (21) & Eq. (23) if $T_b > nT_s + T_o$
      Eq. (22) & Eq. (23) if $T_b = nT_s$
   $P_{CE_1} = P_{CE_A}(t \le T_{Ho}) + P_{CE_C}(t \le T_{Ho})$.
LOOP Process
2: for $i = 2$ to $\mathrm{int}[(T_m − T_b)/T_{Ho}]$ do
3:    Evaluate the probability $\bar{P}_{CE_i}$ that CE does not occur yet until the $i$-th handover.
      $\bar{P}_{CE_i} = 1 - \sum_{j=0}^{i-1} P_{CE_j}$
4:    Evaluate $P_{CE_A}((i − 1)T_{Ho} < t \le iT_{Ho})$ by
         Eq. (9) if $T_b > nT_s + T_o$
         Eq. (16) if $T_b = nT_s$
5:    Evaluate $P_{CE_C}((i − 1)T_{Ho} < t \le iT_{Ho})$ by
         Eq. (21) if $T_b > nT_s + T_o$
         Eq. (22) if $T_b = nT_s$
6:    Evaluate $P_{CE_B}((i − 1)T_{Ho} < t \le iT_{Ho})$ by
         $\delta_{\{t \ge T_{Ho} + T_b\}}\,P(D_{eH} > T_1)$ if $T_b > nT_s + T_o$
         $\delta_{\{t \ge T_{Ho} + T_b\}}\,[P(D_{eH} > T_1) + 0.5\,P(T_1' \le D_{eH} \le T_1)]$ if $T_b = nT_s$
7:    Evaluate $P_{CE_H}((i − 1)T_{Ho} < t \le iT_{Ho})$ by
         Eq. (24) if $T_b > nT_s + T_o$
         Eq. (26) if $T_b = nT_s$

8:    Evaluate the probability $P_{CE_i}$ that CE occurs for the first time during $](i − 1)T_{Ho}, iT_{Ho}]$.
      $P_{CE_i} = \bar{P}_{CE_i}\,(P_{CE_A}(\cdot) + P_{CE_C}(\cdot) + P_{CE_B}(\cdot) + P_{CE_H}(\cdot))$
9: end for
10: Evaluate the probability that CE occurs during the mission time $T_m$
      $P_{CE}(T_m) = \sum_{i=1}^{\mathrm{int}\left[(T_m - T_b)/T_{Ho}\right]} P_{CE_i}$
11: return $P_{CE}(T_m)$

Fig. 11. Comparison between analytical and simulation results of $P_{CE}$. Note: Simul—Simulation approach; Anal—Analytical approach. (a) Occurrence probability of the CE according to $T_b$. (b) Relative error between analytical and simulation results.

Fig. 11 presents the simulation results and the analytical results for the occurrence probability of the CE during a train journey according to $T_b$. We find that for the case study, the analytical approach gives close results compared to the results of the simulation approach [see Fig. 11(a)]. However, for the small value of $P_{CE}$ ($P_{CE} \cong$ 1E−4), the relative error is quite significant, $0.2 < r < 0.25$ [see Fig. 11(b)], because of the simulation approach’s defect when evaluating the small probabilities. In fact, considering only $10^6$ scenarios, the simulation approach cannot give the results within 12 h, for example when $T_s = 0.3$ s and $T_b > 1.2$ s. Therefore, for small probabilities, the analytical approach is more powerful. And based on the analytical approach result, we find that when $T_b$ is large enough compared to $T_s$, the impact of error type A, B, and H can be negligible. For example when $T_s = 0.6$ s and $T_b = 2$ s, the occurrence probability of the CE strictly depends on error type C: “connection loss”, $P_{CE}$ (= 9.25E−5) $\approx P_{CE_C}$ (= 9.27E−5). Moreover, considering Fig. 10, the decreasing of $P_{CE_C}$ is not important according to $T_b$. Therefore, when $T_b = 2$ s, it is not necessary to increase $T_b$ in order to reduce the occurrence probability of CE.

V. CONCLUSION

In this paper, we proposed a new analytical analysis to evaluate the consequences on safety level of the wireless communication errors in train control application. In detail, three principal error types, which lead to consecutive invalid messages, such as packet error rate, long handover execution time, and connection loss, were analyzed. The new analytical approach was developed to evaluate the occurrence probability of CE: “missing invalid consecutive messages sent from the train to the zone controller for more than $T_b$ s”; where $T_b$ is the waiting time before sending an emergency braking message from the TCC to the train behind. When comparing the new approach with the simulation approach based on a Petri net model, we obtained the same results. Furthermore, the efficiency and the robustness of our analytical approach were highlighted in the cases of small probabilities of CE when the accuracy of the simulation approach and its execution time cannot meet user requirements due to its approximate statistic calculations.

Considering the case study of the LTE-based CBTC system, our approach was applied to identify the appropriate threshold of the waiting time, $T_b$, in order to limit the occurrence probabilities of the CE according to every error type.

The analytical results presented in this paper constitute the prerequisite to analyze the RAMS parameters of the WCS in train control application. In order to ensure the desired level of performance for the safety application (CBTC here), according to the V-model of the product life-cycle presented in the EN 50126 standard, a new system (LTE-based communication system in this case) is not only evaluated and tested in the last phases after the complete development but also in the early design phases. Indeed, following the studies of [10], [11] corresponding to every proposed configuration (or architecture) of the LTE-based communication system, the performance parameters of the communication system (such as packet delay, packet error rate, communication loss rate, etc.) can be obtained by OPNET simulation. Then, using these parameters as inputs, the analytical approach proposed in this paper can examine whether the studied system is able to guarantee a given level of performance (an acceptable value of the probability of the critical events) or not. Moreover, our analytical approach could be applied in order to identify the appropriate values for communication performance parameters. Therefore, it aims to make recommendations for implementing the appropriate architecture/configuration of the LTE-based CBTC system.

On the other hand, the assumption of an exponential distribution for the packet delay and for the handover execution time is considered a limitation of our model. It would be better to study which distribution is more appropriate to empirical data. Note that the modification of these assumptions does not

significantly affect the proposed approach. Indeed, when considering another distribution for packet delay, such as gamma or logistic distribution [7], we only re-evaluate the probability that the transmission time is more than the obsolescence deadline [in Eq. (7) of the Section III-A]. Finally, a further work could consider distance management between trains to perform the sensitivity analysis of the dependability and the safety parameters of the TCS based on WCS.

REFERENCES

[1] B. Ai et al., “Challenges toward wireless communications for high-speed railway,” IEEE Trans. Intell. Transp. Syst., vol. 15, no. 5, pp. 2143–2158, Oct. 2014.
[2] J. Moreno, J. M. Riera, L. D. Haro, and C. Rodriguez, “A survey on future railway radio communications services: Challenges and opportunities,” IEEE Commun. Mag., vol. 53, no. 10, pp. 62–68, Oct. 2015.
[3] J. Cao, M. Ma, H. Li, Y. Zhang, and Z. Luo, “A survey on security aspects for LTE and LTE-A networks,” IEEE Commun. Surveys Tut., vol. 16, no. 1, pp. 283–302, 1st Quart. 2014.
[4] R. Alvarez and J. Roman, “ETCS L2 and CBTC over LTE—Convergence of the radio layer in advanced train control systems,” presented at the IRSE Technical Meeting, Perth, WA, Australia, Oct. 2013.
[5] B. Ai, X. Cheng, L. Yang, Z. D. Zhong, J. W. Ding, and H. Song, “Social network services for rail traffic applications,” IEEE Intell. Syst., vol. 29, no. 6, pp. 63–69, Nov. 2014.
[6] B. Ai et al., “Future railway services-oriented mobile communications network,” IEEE Commun. Mag., vol. 53, no. 10, pp. 78–85, Oct. 2015.
[7] J. Xun, B. Ning, K.-P. Li, and W.-B. Zhang, “The impact of end-to-end communication delay on railway traffic flow using cellular automata model,” Transp. Res. C, Emerg. Technol., vol. 35, pp. 127–140, 2013.
[8] B. Bu, F. Yu, and T. Tang, “Performance improved methods for communication-based train control systems with random packet drops,” IEEE Trans. Intell. Transp. Syst., vol. 15, no. 3, pp. 1179–1192, Jun. 2014.
[9] T. Xu and T. Tang, “The modeling and analysis of Data Communication System (DCS) in Communication Based Train Control (CBTC) with Colored Petri Nets,” in Proc. 8th ISADS, Mar. 2007, pp. 83–92.
[10] A. Sniady, J. Soler, M. Kassab, and M. Berbineau, “Ensuring ETCS data integrity in LTE,” IEEE Veh. Technol. Mag., vol. 11, pp. 60–70, 2016.
[11] A. Khayat, M. Kassab, M. Berbineau, M. A. Abid, and A. Belghith, “Based communication system for urban guided-transport: A QoS performance study,” in Communication Technologies for Vehicles, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2013, pp. 197–210, doi: 10.1007/978-3-642-37974-1_16.
[12] L. Lei et al., “Stochastic delay analysis for train control services in next-generation high-speed railway communications system,” IEEE Trans. Intell. Transp. Syst., vol. 17, no. 1, pp. 48–64, Jan. 2016.
[13] L. Xiaojuan and Z. Yanpeng, “A fast handoff algorithm with high reliability and efficiency for CBTC systems,” in Proc. TMEE, 2011, pp. 1461–1464.
[14] L. Zhu, F. R. Yu, B. Ning, and T. Tang, “Handoff performance improvements in MIMO-enabled communication-based train control systems,” IEEE Trans. Intell. Transp. Syst., vol. 13, no. 2, pp. 582–593, Jun. 2012.
[15] M. Cheng, X. Fang, and W. Luo, “Beamforming and positioning-assisted handover scheme for long-term evolution system in high-speed railway,” IET Commun., vol. 6, no. 15, pp. 2335–2340, Oct. 2012.
[16] L. Zhu, F. R. Yu, B. Ning, and T. Tang, “Communication-Based Train Control (CBTC) systems with cooperative relaying: Design and performance analysis,” IEEE Trans. Veh. Technol., vol. 63, no. 5, pp. 2162–2172, Jun. 2014.
[17] Railway Applications Communication, Signalling and Processing Systems Safety Related Electronic Systems for Signalling, CENELEC European standard (European Committee for Electrotechnical Standardization), EN 50129, 2003.
[18] A. Zimmermann and G. Hommel, “Towards modeling and evaluation of ETCS real-time communication and operation,” J. Syst. Softw., vol. 77, no. 1, pp. 47–54, 2005.
[19] H. Zhao, T. Xu, and T. Tang, “Towards modeling and evaluation of availability of Communication Based Train Control (CBTC) system,” in Proc. IEEE ICCTA, Oct. 2009, pp. 860–863.
[20] K. Nguyen, J. Beugin, M. Berbineau, and M. Kassab, “Modelling communication based train control system for dependability analysis of the LTE communication network in train control application,” in Proc. EMS, Oct. 2014, pp. 320–325.
[21] T. Babczynski and J. Magott, “Dependability and safety analysis of ETCS communication for ERTMS level 3 using performance statecharts and analytic estimation,” in Proceedings of the Ninth International Conference on Dependability and Complex Systems DepCoS-RELCOMEX, Poland. Cham, Switzerland: Springer International Publishing, 2014, pp. 37–46, doi: 10.1007/978-3-319-07013-1_4.
[22] T. Babczynski and J. Magott, “New analytic estimation for dependability and safety of GSM-R communication in ERTMS level 3,” in Proc. 10th Symp. FORMS, Braunschweig, Germany, Jan. 2014, pp. 146–155.
[23] ETCS/GSM-R Quality of Service Operational Analysis EEIG ERTMS Users Group, Brussels, Belgium, Oct. 2005.
[24] K. Nguyen, J. Beugin, M. Berbineau, and M. Kassab, “Analytical approach for evaluating LTE communication errors in train control application,” in Proc. IEEE ICCW, Jun. 2015, pp. 2369–2374.
[25] “Commission decision on the technical specification for interoperability relating to the control-command and signalling subsystem of the trans-European rail system,” Official J. Eur. Union, T. E. Comm., Brussels, Belgium, Under Doc. C (2012) 172, vol. 55, Dec. 2012.
[26] E. Serpedin and Q. M. Chaudhari, Synchronization in Wireless Sensor Networks: Parameter Estimation, Performance Benchmarks and Protocols. New York, NY, USA: Cambridge Univ. Press, 2009.
[27] S. Kangude, “Lecture MAC—HARQ & scheduling. EETS 8316, wireless,” SMU Eng., Dallas, TX, USA, 2013.
[28] L. Zhu, F. R. Yu, and B. Ning, “Availability improvement for WLAN-based train-ground communication systems in Communication-Based Train Control (CBTC),” in Proc. IEEE 72nd VTC—Fall, Sep. 2010, pp. 1–5.
[29] T. Murata, “Petri nets: Properties, analysis, and applications,” Proc. IEEE, vol. 77, no. 4, pp. 541–580, Apr. 1989.

Khanh T. P. Nguyen received the B.E.E. degree from Ho Chi Minh City University of Technology, Ho Chi Minh City, Vietnam, in 2008; the M.Sc.Tech. degree in system optimization and security from University of Technology of Troyes (UTT), Troyes, France, in 2009; and the Ph.D. degree in automation and production engineering from École Centrale de Nantes, Nantes, France, in 2012.
From March 2013 to December 2015, she was a Postdoctoral Researcher with the French Institute of Science and Technology for Transport, Development and Networks (IFSTTAR). She has been part of the European project GaLoROI in the field of global-navigation-satellite-system-based solutions embedded in train control applications and the SySTUF project in the field of long-term-evolution-based wireless communication links used in communications-based train control applications. Since 2016, she has been an Assistant Professor with UTT. Her research interests include system reliability, maintenance optimization, stochastic modeling, and safety assessment of railway safety-related systems.

Julie Beugin received the B.Eng. degree from National School of Engineering in Computer Science, Automation, Mechanics and Electronics (ENSIAME), Valenciennes, France, in 2002; the M.Eng. degree in automation engineering from University of Valenciennes, Valenciennes, in 2002; and the Ph.D. degree in automation engineering in 2006.
Her Ph.D. dealt with the safety assessment of railway safety-related systems using risk concepts and reliability, availability, maintainability and safety (RAMS) evaluation methods. During these research works, she has been part of European projects in the field of urban guided transportations (UGTMS and MODUrban). Since 2007, she has been a Researcher with the French Institute of Science and Technology for Transport, Development and Networks. Her research interest is in dependability and safety evaluation of complex guided transportation systems. Part of her activities addresses RAMS demonstration issues of global-navigation-satellite-system-based solutions embedded in train control applications and were developed through the GaLoROI and the QualiSar European projects and through the Tr@in-MD project. Her recent activities address, in addition, the dependability analysis of long-term-evolution-based wireless communication links used in communications-based train control applications inside the SySTUF project.

Marion Berbineau received the M.Eng. degree in electronics, automatic and metrology from Polytech Lille, Lille, France, in 1986 and the Ph.D. degree in electronics from University of Lille, Lille, in 1989.
In 1989, she joined the French Institute of Science and Technology for Transport, Development and Networks as a Researcher in wireless telecommunications for transports. From 2002 to July 2013, she was the Director of the LEOST Laboratory. She is currently the Research Director and the Deputy Director of the Components and Systems Department that consists of 12 laboratories. She was involved in several national projects (CORRIDOR, MOCAMIMODYN, SYSTUF, and VEGAS) and European projects (MOSTRAIN, LOCOPROL, ESCORT, INTEGRAIL, BOSS, and GALOROI). She is currently involved in the ROLL2RAIL (H2020) project. She previously took part in the Global System for Mobile Communications—Railway (GSM-R) development in several European projects (MORANE) and is active as an expert in GSM-R deployment. She is an author and a coauthor of several publications and patents. Her fields of expertise are electromagnetic propagation and modeling, channel characterization and modeling for transport and complex environments particularly in tunnels, signal processing for wireless communication systems in multipath environments, multiple-input–multiple-output systems, and cognitive radio for intelligent transport systems and for railway applications including control command, video surveillance, and passenger information.

Mohamed Kassab received the B.Eng. degree in computer sciences and the M.Sc. degree in computer networks from National School of Computer Studies, Manouba, Tunisia, in 2003 and 2004, respectively, and the Ph.D. degree in computer sciences from Telecom Bretagne, Brest, France, in 2008.
From 2009 to 2013, he was a Postdoctoral Fellow with the French Institute of Science and Technology for Transport, Development and Networks. In January 2014, he joined University of Monastir, Monastir, Tunisia, as an Assistant Professor. His research interests include wireless network architecture, quality-of-service management and mobility management in wireless networks, machine-to-machine communication, and software-defined networks. He is particularly interested in the study of these issues in transportation contexts.
