A Key Step To Virtual Coupling

Zhenkai Hao, Fei Yan, Ru Niu

Zhenkai Hao, School of Electronic and Information Engineering, Beijing Jiaotong University, P.R. China, e-mail: [email protected]
Fei Yan, School of Electronic and Information Engineering, Beijing Jiaotong University, P.R. China, e-mail: [email protected]
Ru Niu, State Key Laboratory of Transport Safety and Control, Beijing Jiaotong University, P.R. China, e-mail: [email protected]
The paper is supported by Beijing Natural Science Foundation L181006 and Beijing Laboratory of Urban Transit.

Abstract

Nowadays, the transport capacity of rail transit lines has reached saturation, so it is urgent to improve the utilization and capacity of existing lines. In another area of intelligent transportation, cars can significantly improve capacity by cooperative driving, and this has inspired researchers to propose a virtual coupling scheme. The scheme improves the capacity of the line by reducing the headway. However, the design of a train control system based on virtual coupling lacks a mature standard, and the traditional safety analysis methods are difficult to apply. The system theoretic process analysis (STPA) method can build the control structure for the function and organization of the system, carry out the safety analysis on it, put forward safety constraints and feed them back into the system safety design. In this paper, the STPA method is used to construct a train control system based on virtual coupling, and some potential hazards that are not easily detected by traditional safety analysis methods are found. Based on this, a visual research method of the system safe state is proposed, which helps to show the safety constraints intuitively and can assist decision-making in the safety design of the system.

I. INTRODUCTION

Cooperative driving is the trend of the intelligent transportation system [1]. Its advantage lies in that, through the Internet of vehicles and group intelligence technology, it improves the vehicles' perception and coordination ability, improves the road capacity and reduces the probability of traffic accidents. In the rail transit system, the traffic capacity of existing lines has reached saturation, while new lines require a large cost. Therefore, improving the utilization rate and passing capacity of existing lines has become the main goal of the development of rail transit. In the research and development of the next generation of train control technology, researchers draw on the experience of collaborative driving in the automotive field and propose a virtual coupling scheme. The scheme can significantly improve the line passing capacity by reducing the train spacing to a large extent.

Similar to the need of the Internet of vehicles for collaborative driving, the virtual coupling scheme needs high-speed and reliable vehicle-vehicle communication. In the field of railway, the existing train control system includes two main functions, automatic train protection (ATP) and automatic train operation (ATO). The automatic train protection system guarantees the safe operation of the train by limiting the speed of the train. The automatic train operation system (or human driver) controls the train under the speed limit provided by the automatic train protection system. In the virtual coupling scheme, there is no electrical or mechanical connection between trains, and information about each other is not obtained through ground equipment. Instead, information is shared between trains through vehicle-vehicle communication. Whether in the scheme of the train control system or in the mode of operation organization, the virtual coupling system is a great change from the traditional train control system. Therefore, it is of great significance to analyze the safety of the train control system based on virtual coupling.

At present, the train control system based on the virtual coupling scheme is in the stage of design and experiment, and some structural schemes have appeared successively, but there are no mature standards for reference, which makes the application of traditional safety analysis methods in the system design process more difficult. In the virtual coupling scheme, multiple trains are formed to run in formation through vehicle-vehicle communication, and the control mode is changed from centralized control by the radio block center (RBC) or zone controller (ZC) to decentralized control by the trains. The system theoretic process analysis (STPA) focuses on the control process in the system, which can effectively identify potential cause scenarios and plays a specific role in the safety analysis of the scheme.

In this paper, a common structure of the train control system based on virtual coupling is selected to carry out the safety analysis. In section II, we introduce the blocking system in rail transit and the characteristics of the existing train control system. Section III introduces the main situation of system theoretic process analysis and an expansion of this method. In section IV, we introduce a kind of structural assumption of the train control system based on virtual coupling. In section V, we use STPA to analyze the train control system based on virtual coupling described in part 3, and apply the extension ideas in part 3. In section VI, we summarize the work and look forward to the development direction of STPA analysis in the field of train control systems.

II. WHY CHOOSE VIRTUAL COUPLING

In the railway field, in order to ensure the safe operation of trains on the line, the method of isolating trains in space is used. Only one train is allowed to run within a certain range of the line, which guarantees the safety of train operation. The range of the area allowed for train operation is called the movement authority (MA). Trains should stop at the end point of the MA to prevent collisions. A line is divided into several divisions, each of which allows only one train to run. The train occupancy check is completed through the track circuit, and the MA is displayed by the signal light indicating the number of free blocks ahead, which is called fixed block. The

ETCS-2 level completes the track occupation check of the train through the track circuit, and sends the MA to the train through the radio block center (RBC) [2]. The train's MA extends to the entrance of the block where the previous train is located, in a way known as quasi-moving block. On this basis, the ETCS-3 level has made a significant change geared to the needs of new technology: similar to the CBTC system, the position and speed of vehicles are reported through wireless communication, and the RBC or ZC sends the train its MA, which extends to the rear end of the preceding train (including a safety interval), eliminating the concept of partition; this way is called moving block. The spacing between trains using the moving block system can be further reduced to increase line capacity. At the same time, railway wireless communication technology is evolving from GSM-R to LTE and 5G, so on the basis of ETCS-3, new communication technology can be combined to realize a new operation mode, which provides the possibility for the realization of virtual coupling using V2V communication technology, namely ETCS-3 + virtual coupling.

The virtual coupling scheme is similar to the way in which trains are connected through couplers, with the front train and the rear train running at the same speed and at a smaller interval (the MA of the rear train extends to the stop point of the front train rather than its current position, which is the minimum kinematically achievable distance). Through V2V communication, the rear train can obtain information such as the position and speed of the front train, so that the intelligent vehicle on-board controller (IVOC) can calculate the MA autonomously. Compared with fixed block and moving block, virtual coupling improves the line capacity while the corresponding train control system structure is simpler: the ground equipment is weakened, and most functions of the original radio block center (RBC), zone controller (ZC) and interlocking system are moved onto the intelligent vehicle on-board controller (IVOC). It weakens the ground equipment while making information transmission more efficient. This provides the conditions for a more flexible organization of operations.

Realizing the virtual coupling scheme depends on reliable V2V communication and sensing technology. Its advantages are mainly concentrated in the surge in line capacity and transport flexibility, but the introduction of a new scheme also raises requirements on system safety: whether there are new risks or potential causes of hazard is a question that must be answered through safety analysis.

III. SYSTEM THEORETIC PROCESS ANALYSIS AND ITS EXTENSION

A. Background and main viewpoints of STPA

STPA is based on system theory and was proposed by Professor Nancy Leveson [3]. As an emergent property of systems at different levels, safety can be studied by system theory. With the increasing complexity of the systems under study, the traditional safety analysis methods based on failure theory have some limitations or are no longer correct in engineering applications. The STPA method holds that the reason for an accident is that the system violates the corresponding safety constraints during the operation process and transfers from the safe state to the non-safe state. However, the safety constraint is maintained by the control structure in the system. If improper control behavior occurs, the safety constraint will be violated. Therefore, this method can identify the unsafe interactions in the system caused by unreasonable design and identify the causative scenarios. The corresponding safety constraints are then designed to eliminate the danger. The STPA safety analysis method enables the safety work to be integrated into the design, through the continuous iteration of safety analysis and design, throughout the whole life cycle of the system. In addition, this process can also accumulate relevant safety design experience and record a risk library, which can help the design and safety work of the next generation system. At present, STPA has been widely applied in safety-demanding systems, and has been successfully applied in aerospace, nuclear power and other fields.

B. STPA process

The STPA method is divided into two steps. The first step is to identify potentially hazardous control actions, and the second step is to determine how unsafe control occurs. The specific implementation process includes dividing the system boundary, identifying high-level system hazards, establishing the safety control structure, identifying potentially hazardous control actions and defining safety constraints, determining how unsafe control occurs, and refining and assigning safety constraints.

Figure 1. Cause factors that should be considered in unsafe control.

The system boundary is divided first because the division of the system boundary determines the causes of danger that are considered, so the safety analysis can be carried out for the system that the boundary defines. High-level system hazards are identified for top-down safety analysis to avoid ignoring some unsafe interactions. The establishment of the safety control structure is equivalent to modeling the studied system and provides the object for the subsequent analysis of potentially hazardous control. After identifying the potentially hazardous control, the corresponding safety constraints can be defined, and the causes of unsafe control can be identified, so that the safety constraints can be further refined and reasonably distributed.

C. Comparison between STPA and traditional safety analysis methods

Before the start of the comparison, we need to realize that the virtual coupling scheme and the corresponding train control system studied in this paper currently have no product or standard for reference, so we carry out the safety analysis in the requirements analysis stage, where using the traditional safety analysis methods is rather difficult. This is the key reason why this paper chooses STPA.

Typical traditional safety analysis methods are fault tree analysis and HAZOP, and we can compare them in the following dimensions. In terms of theoretical basis, STPA is based on systems science and identifies risks by studying control structures and control behaviors. The fault tree is based on event chain and component failure theory; the risk of accidents is evaluated by probability statistics and hazard sources are identified. HAZOP uses lead words to identify hazards based on system parameter deviations and physical component diagrams.

In terms of causal models, STPA uses a hierarchical control structure model to identify hazards due to failure and other causes, such as improper component interaction. However, the fault tree is based on the event chain model, and it is believed that there is an inevitable relationship between events. HAZOP relies on the physical part diagram and uses the lead words for identification.

In terms of the difficulty of work, both STPA and HAZOP check against a set of lead words in a similar way, and the analysis ends when the check is completed. The fault tree focuses on the analysis of the minimum cut set that causes the accident and evaluates the risk by the probability of the event.

In terms of analysis effect, since STPA analyzes all inappropriate control behaviors for the control structure of the system, it can also identify the risks caused by improper component interactions and system changes over time, in addition to the risks caused by component failures or physical parameter deviations that the other two methods find. In addition, STPA is an iterative process that can cope with changes in open systems over time.

D. Limitations in the use of STPA and an expansion idea

When applied to the safety analysis of complex systems, STPA can comprehensively identify inappropriate control behaviors and their causes, and determine the priority of improvement based on their impact in the process of the system's transition to a dangerous state. However, the assessment of the size of the impact depends on subjective human factors, and sometimes it is not convenient to make a choice. In the safety analysis of the train control system based on virtual coupling, the space constituted by the safety states of the system formed by some constraints is shown visually, which can help designers to make decisions and evaluate the system safety.

IV. A STRUCTURAL ASSUMPTION OF A TRAIN CONTROL

In this paper, the train control system based on virtual coupling is supposed to be as shown in figure 2, composed of intelligent train supervision (ITS), intelligent vehicle on-board controller (IVOC) and object controller (OC) [4]. The system also includes axle-counting devices and other trackside devices, which we call the source.

Figure 2. An idea of train control system structure

The process of virtual coupling is as follows: according to the information uploaded by the IVOC, the ITS determines whether the conditions for virtual coupling are met. When the conditions are met, the virtual coupling command and the information of the followers are issued to the first vehicle. The first vehicle begins to run in the designated area, then the first vehicle and the follower establish communication through V2V communication or active recognition and start virtual coupling.

A. ITS
- Receive train information sent by the IVOC, including train speed, position, train number and state.
- According to the information sent by the IVOC, judge whether the train has the conditions for starting virtual coupling and give instructions. After completing the virtual coupling, ask the OC to release the resources occupied by the following vehicle.
- Determine the faulty vehicle, calculate its area and send it to the other vehicles.

B. IVOC
- Calculate the MA autonomously and upload operation information to the ITS.
- After obtaining the ITS instruction, virtual coupling can be started through vehicle-vehicle communication or active identification.
- Apply to the OC for resources.

C. OC
- Manage the resources on the line according to the instructions of the ITS and the applications of the IVOC.

A. Partition system boundary

The system studied in this paper, as described in the third part, includes five parts: ITS, IVOC, OC, turnouts and trackside resources, and the train.

B. Identify high level system hazards

The identification of high-level system risks conforms to the top-down analysis order of STPA, which can effectively avoid missing potential hazard sources.

TABLE I. ACCIDENT
number  unexpected accident
A1      Train collision

According to knowledge, we can analyze the hazards leading to the above two kinds of accidents:

number  System hazard                                         accident
H1      Train MA exceeds minimum driving interval             A1
H2      Train access to no-pass area                          A1, A2
H3      Train overspeed                                       A1, A2
H4      The switch works as the train passes                  A2
H5      A train approaches or passes when the switch works    A2
H6      Switch is at wrong position                           A1, A2

For the corresponding hazards we can determine the initial safety constraints:

number  safety constraints
SC1     The system shall ensure that MA does not exceed the minimum travel interval
SC2     The system shall timely inform the information of prohibited areas
SC3     The system shall provide protection against overspeed
SC4     The switch must not be unlocked when the train has not passed it
SC5     When the switch moves, the train must not enter
SC6     The system should guard against switch errors

C. Establish a safety control structure

Figure 3. A safety control structure

The hierarchical control structure is established through each unit in the system and the functional logic relationship or control information between them. The control structure can be established and the safety analysis can be carried out without relying on the real system. The hierarchical control structure is shown in the figure above.

D. Identify potential hazard controls and initially define safety constraints

The train control system itself does not cause harm, but its improper control behavior can cause accidents. Therefore, potentially inappropriate controls can be identified according to the hierarchical control structure, and safety constraints are preliminarily determined accordingly. The potential hazard controls identified according to the hierarchical control structure are as follows (each row gives the lead word, the unsafe controlling behaviour and the hazards it leads to):

IVOC -> train, traction:
  II   B2.1 When the system outputs braking, the output of traction causes the train to exceed the minimum safety interval or overspeed.
  III  B1.1 The system ends the output of traction too late, which leads to driving at the minimum safety interval or overspeed. (H1, H2, H3)
  IV   B1.2 The system outputs the traction for too long, causing the train to exceed the minimum safety interval or overspeed. (H1, H2, H3)

IVOC -> train, emergency braking:
  I    B1.3 The system does not produce emergency braking in dangerous situations to slow the train down to a safe state. (H1, H2, H3)
  III  B1.4 Late output or premature termination of emergency braking prevents the train from slowing down to a safe state. (H1, H2, H3)
  IV   B1.5 The output emergency braking time is too short to slow the train to a safe state. (H1, H2, H3)

IVOC -> OC, occupation of switches:
  I    B2.2 An unused switch may cause a train to enter a restricted section. (H2, H4, H5, H6)
  III  B2.3 Late issue of the command or early end: the switch is not ready and the train enters the unsafe area. (H2, H4, H5, H6)
  IV   B2.4 Command control for too short: the train cannot leave the switch before it moves. (H4)

IVOC -> OC, release the occupied switch:
  II   B4.1 The switch moves when a train passes or is about to pass. (H4)
  III  B4.2 The train releases the switch too early, causing the switch to move as the train approaches or passes through it. (H4)

OC -> source, lock the switch to a certain position and keep it:
  I    B4.3 When the train passes, if the switch is in motion, it will cause derailment; if it is still in the last lock position, it may cause train collision. (H4, H5, H6)
  II   B6.1 If the switch is locked in the wrong position, a collision may occur. (H6)
  III  B4.4 Locking the switch to a certain position too late may cause the train to pull in when the switch is in motion. Locking the switch prematurely may cause the switch to move when the train is passing through it. (H4, H5)
  IV   B4.5 Locking the switch for too short a time can lead to dangerous unlocking before the train has fully passed. If the time for locking execution is too long, the switch may not be locked when the train enters. (H4)

ITS -> OC, occupation of switches:
  I    B1.6 The train may enter the area where the crash occurred. (H1, H2)
  III  B1.7 If the instruction is given too late or the end is too early, the train may enter the area where the fault vehicle (H1, H2)
  IV   B1.8 Command duration is too short: the train may enter the area where the fault vehicle is located and cause a collision. (H1, H2)

Lead words: not provided - I, wrong provided - II, provided at the wrong time - III, action for too short or too long - IV.

The following safety constraints can be defined accordingly:

TABLE V. SAFETY CONSTRAINTS
number  Safety constraints
SC1.1   Calculation of MA should take into account the most adverse conditions such as the maximum delay of removal of traction.
SC1.2   When IVOC outputs traction, it shall check against the speed limit every time T.
SC1.3   The train should be able to output emergency braking to slow the train to a safe state in a crisis situation.
SC1.4   IVOC's calculation of MA should consider the most adverse conditions such as the maximum delay of establishing emergency braking, and the train state should be confirmed before the removal of emergency braking.
SC1.5   Train output emergency braking time should consider the most adverse circumstances to leave enough margin.
SC1.6   IVOC's calculation of MA shall consider the timely extension of the fault vehicle protection area provided by ITS, and ITS shall inform IVOC of the relevant area information.
SC1.7   IVOC's computation of MA should take into account the most unfavorable conditions such as the maximum delay of ITS instructions and OC execution.
SC1.8   ITS should release switch resources after the breakdown vehicle leaves a certain safe distance.
SC2.1   IVOC shall confirm the speed control effect or check the traction after the output of braking.
SC2.2   The IVOC calculation of MA shall not exceed the switch resources not applied for successfully.
SC2.3   The IVOC calculation of MA should consider the time required to apply for turnout resources.
SC2.4   No switch resources shall be released when the train has not cleared the switch.
        OC must confirm and report the results of the execution of IVOC or ITS orders.
SC4.4   OC must confirm and report the result of the execution of the IVOC or ITS command, and IVOC shall take into account OC and turnout action time in calculating MA.
        When the train has not cleared the turnout, it is not allowed to unlock and release the turnout resources.
        OC must confirm and report the results of the execution of IVOC or ITS orders.

E. Determine how unsafe controls occur, refine and assign safety constraints

This paper selects the hazard of the IVOC not outputting emergency braking in an emergency situation as an example, and uses the common guide words of STPA to identify the cause scenarios. It can be seen from figure 4 that there are two kinds of reasons for the danger caused by safety constraint violation in the control link. First, the controller could not give correct control instructions, and second, the feedback link led the control to the dangerous side, which violated the fail-safe principle. In addition, it is possible that the system itself conforms to the fail-safe principle, but the output of the system does not conform to the fail-safe principle when interacting with other systems. The safety constraints that can be assigned to the IVOC from the above analysis are:
- The calculated furthest point to which the MA can be extended shall not exceed the stop point under the most unfavorable conditions of external input information (information from the preceding vehicle, ITS, OC) and self-stored information (electronic map, train performance parameters).
- The IVOC periodically confirms safety against the speed limit curve during the traction process.
- The IVOC shall have the ability to output emergency braking under any circumstances, and the priority of emergency braking shall not be lower than that of other non-safety-related control methods.

F. A bit of an extension of the STPA approach

The system is in a dynamic process from the initial demand analysis to the subsequent design and operation, and safety, as an emergent characteristic of the system, is also in dynamic change. When the system is in different states, its safety also changes. Therefore, we can show the possible states of the system as a space under certain constraint conditions, which can assist decision-making in safety design, or provide a basis for quantitative evaluation. We simulated the train under some constraint conditions, so as to visually demonstrate the safety constraint and assist the

We set the train length Lt = 120 m, the safety margin Ls = 15 m, the speed range 0-400 km/h, the maximum braking deceleration 1 m/s² and the vehicle communication technology 5G; the communication delay and the braking delay are 50 ms [5][6].

It is a dynamic process for two trains to start virtual coupling and run in steady state. Therefore, in the first scenario, we simulated the change of the minimum headway of two trains at different speeds.
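To make the safety-state surface of the two scenarios concrete, the following Python is an added example, not code from the paper: it reconstructs the minimum headway model for virtual coupling (the rear train's MA ends at the front train's stop point) and for moving block (the MA ends at the front train's current position), using the paper's Lt, Ls and braking parameters. The paper does not print its kinematic formula; the model here assumes the rear train keeps its speed for a total reaction delay before braking as hard as the front train, and with that delay set to 0.2 s it reproduces the paper's 157.2 m at 400 km/h and 139.6 m at 82.05 km/h. The delay/speed grid and the maximum-safe-speed helper go beyond the paper's two scenarios.

```python
"""Reconstructed minimum-headway model for virtual coupling vs. moving block.

Added example: the parameters follow the paper's simulation setup; the
kinematic model itself is an assumption (the paper shows figures, not formulas).
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# Simulation parameters stated in the paper.
TRAIN_LENGTH_M = 120.0                  # Lt
SAFETY_MARGIN_M = 15.0                  # Ls
MAX_BRAKING_MPS2 = 1.0                  # maximum braking deceleration
REFERENCE_GAP_M = TRAIN_LENGTH_M + SAFETY_MARGIN_M   # 135 m floor of the surface
MAX_SPEED_KMH = 400.0                   # upper end of the paper's speed range

# Assumption: total reaction delay of the rear train (communication delay plus
# braking build-up). 0.2 s reproduces the paper's 157.2 m / 139.6 m values.
DEFAULT_REACTION_DELAY_S = 0.2


def kmh_to_mps(v_kmh: float) -> float:
    return v_kmh / 3.6


def braking_distance_m(v_mps: float, decel: float = MAX_BRAKING_MPS2) -> float:
    """Distance needed to stop from v_mps at constant deceleration decel."""
    return v_mps * v_mps / (2.0 * decel)


def virtual_coupling_min_gap(v_kmh: float,
                             reaction_delay_s: float = DEFAULT_REACTION_DELAY_S,
                             decel: float = MAX_BRAKING_MPS2) -> float:
    """Minimum distance when the rear train's MA ends at the front train's STOP
    point. Both trains brake at decel; the rear one starts reaction_delay_s
    later, so only v * delay separates their stop points: the two braking
    distances cancel, which is why the surface stays close to 135 m."""
    v = kmh_to_mps(v_kmh)
    front_stop = braking_distance_m(v, decel)
    rear_stop = v * reaction_delay_s + braking_distance_m(v, decel)
    return REFERENCE_GAP_M + (rear_stop - front_stop)


def moving_block_min_gap(v_kmh: float,
                         reaction_delay_s: float = DEFAULT_REACTION_DELAY_S,
                         decel: float = MAX_BRAKING_MPS2) -> float:
    """Minimum distance when the rear train's MA ends at the front train's
    CURRENT position (brick-wall assumption): the rear train must be able to
    stop before that point, so its whole braking distance counts."""
    v = kmh_to_mps(v_kmh)
    return REFERENCE_GAP_M + v * reaction_delay_s + braking_distance_m(v, decel)


GapModel = Callable[[float, float], float]


def is_safe_state(gap_m: float, v_kmh: float,
                  reaction_delay_s: float = DEFAULT_REACTION_DELAY_S,
                  model: GapModel = virtual_coupling_min_gap) -> bool:
    """True when (speed, gap) lies on or above the model's safety surface."""
    return gap_m >= model(v_kmh, reaction_delay_s)


def headway_surface(speeds_kmh: Iterable[float], delays_s: Iterable[float],
                    model: GapModel = virtual_coupling_min_gap
                    ) -> Dict[Tuple[float, float], float]:
    """Second scenario: minimum headway over a (delay, speed) grid, i.e. the
    kind of surface plotted in Figure 7. Keys are (delay_s, speed_kmh)."""
    return {(d, v): round(model(v, d), 1) for d in delays_s for v in speeds_kmh}


def max_safe_speed_kmh(gap_m: float,
                       reaction_delay_s: float = DEFAULT_REACTION_DELAY_S,
                       model: GapModel = virtual_coupling_min_gap,
                       tol_kmh: float = 0.05) -> Optional[float]:
    """Highest speed (within tol_kmh) at which gap_m is still a safe state,
    found by bisection. None means the gap is unsafe even when standing still;
    in the paper's terms the state is below the surface and the train must
    slow down to get back above it."""
    if not is_safe_state(gap_m, 0.0, reaction_delay_s, model):
        return None
    if is_safe_state(gap_m, MAX_SPEED_KMH, reaction_delay_s, model):
        return MAX_SPEED_KMH
    lo, hi = 0.0, MAX_SPEED_KMH            # safe at lo, unsafe at hi
    while hi - lo > tol_kmh:
        mid = (lo + hi) / 2.0
        if is_safe_state(gap_m, mid, reaction_delay_s, model):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for v in (82.05, 200.0, 400.0):
        print(f"{v:6.2f} km/h  virtual coupling {virtual_coupling_min_gap(v):8.1f} m"
              f"  moving block {moving_block_min_gap(v):8.1f} m")
    surface = headway_surface((100.0, 400.0), (0.0, 0.1, 0.2))
    for (d, v), gap in sorted(surface.items()):
        print(f"delay {d:.2f} s  speed {v:5.0f} km/h  min headway {gap:6.1f} m")
    print("max safe speed at 139.6 m:", max_safe_speed_kmh(139.6))
```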

Figure 4. Reason of unsafe control

Figure 5. Virtual coupling

Figure 6. Moving blocks

The height of the surface in Figure 5 and Figure 6 corresponds to the minimum distance between the two trains at different speeds. Since the minimum distance between the two trains cannot be less than 135 m (the body length and the safety margin), 135 m is taken as the reference height in our coordinate system.

Theoretically, the surface in the graph and the space above it are composed of safe states, and the space below the surface is defined as dangerous states. Comparing figure 5 with figure 6, both in the case of vehicle-vehicle communication, it can be found that compared with the train control system based on moving block, the train control system based on virtual coupling effectively expands the space of safe states, reduces the distance between trains to a great extent, and improves the transportation efficiency. When the running speed is 400 km/h, the safe train spacing of the virtually coupled trains is 157.2 m, and when the running speed is 82.05 km/h, the safe train spacing is 139.6 m. As the communication delay in the 5G scenario set by us is only 50 ms, the vehicle spacing is smaller than in the previous virtual coupling scheme. In practical application, when the system state is close to the surface, the risk is increased, which should raise the corresponding concern.

In the second scenario, we simulated the relationship between the minimum safety interval, communication delay (0-200 ms) and speed when the virtual coupling of two trains reaches steady state, that is, the same speed.

Figure 7. Influences from delay of communication

From figure 7, we can see that with the increase of communication delay or running speed, the minimum headway to be maintained also increases correspondingly, which is consistent with our cognition. In the train control system based on virtual coupling, 5G communication technology is likely to be adopted for vehicle-vehicle communication, whose low delay (up to 50 ms) can improve the system safety.

Using this method, the space defined by the safety states of the system can be expressed by various constraints, which is beneficial to find ways to improve the safety of the system intuitively. At the same time, the influence of different factors on system safety can be studied, which provides a basis for safety design decisions and reduces the influence of subjective factors.

This paper firstly introduces the train control system based on virtual coupling and its advantages, and points out the key step that the virtual coupling scheme needs to go through when it is put into application, that is, the safety analysis that is carried out to continuously improve the system and make its safety meet the requirements. Then we introduce the system theoretic process analysis (STPA) method, which is more advanced than the traditional safety analysis methods. The advantages of this method in complex system safety analysis are also introduced. Then we use this method to analyze the safety of the train control system based on virtual coupling, identify the dangers of the system and put forward the corresponding safety constraints. Then the method is expanded, and a method is proposed to visualize the space constituted by the system safety states to assist the safety analysis. It is necessary to carry out the iterative process of safety analysis, hazard identification, refinement of safety constraints and improvement of safety design. In the future, all the behaviors of the system should be modeled by computer, and all the potential causative scenarios, namely the accessible dangerous states of the system, should be identified under the guidance of the STPA method, so as to pave the way for the application of the virtual coupling scheme.

REFERENCES

[1] F. Flammini, S. Marrone, R. Nardone, A. Petrillo, S. Santini and V. Vittorini, "Towards Railway Virtual Coupling," 2018 IEEE International Conference on Electrical Systems for Aircraft, Railway, Ship Propulsion and Road Vehicles & International Transportation Electrification Conference (ESARS-ITEC), Nottingham, 2018, pp. 1-6.
[2] C. Di Meo, M. Di Vaio, F. Flammini, R. Nardone, S. Santini and V. Vittorini, "ERTMS/ETCS Virtual Coupling: Proof of Concept and Numerical Analysis," in IEEE Transactions on Intelligent Transportation Systems.
[3] Sun Chao, STPA based safety analysis method applied to next generation train operation control system [J]. Railway Computer
[4] Traffic Control Technology Joint Stock Company, Train control system of urban rail transit based on vehicle-vehicle
[5] Jin Dong-ming, Li Bo, Analysis of Movement Authority Calculation for Train Operation Control System Based on Vehicle to Vehicle Communication [J]. Computer Knowledge and Technology, 2018, 14(1): 259-263.
[6] J. Felez, Y. Kim and F. Borrelli, "A Model Predictive Control Approach for Virtual Coupling in Railways," in IEEE Transactions on Intelligent Transportation Systems, vol. 20, no. 7, pp. 2728-2739, July 2019.

