Study on a New Train Control System in the IoT Era: From the Viewpoint of Safety2.0

Safety2.0, which advocates cooperative safety, is attracting attention. Whereas Industry4.0, proposed by the German authorities, is an IoT-based production revolution, Safety2.0 is a Japanese-originated proposal that seeks to create more flexible and sophisticated safety by introducing the Internet of Things (IoT) into production sites. This chapter introduces the concepts of Safety2.0 and its international spread, focusing on the activities of IGSAP, a Safety2.0 promoter. Furthermore, we look back on conventional train control from the viewpoint of Safetyx.x and consider what train control suited to Safety2.0 using IoT looks like. As a result, this chapter proposes a simple and smart train control system, the unified train control system (UTCS), in which train control is realized in a hierarchical structure of a logic layer, a network layer, and a terminal layer, and discusses its processing method.


Introduction
The safety of manufacturing today is mainly based on the European-style methodology, centred on certification, found in functional safety standards such as IEC61508. Since stakeholders take different positions with respect to certification, it has been observed that productivity cannot be improved while they merely hold each other in check. Safety2.0 focuses on the realization of "cooperative safety," which creates a highly safe condition by exchanging information among the elements that constitute an IoT-based system. Under Safety2.0, therefore, stakeholders are required to share their wisdom with each other and to manufacture products on the basis of IoT. What does "relying on IoT" mean for railways? The radio train control systems advanced train administration and communications system (ATACS) and communications-based train control (CBTC) will be analyzed and evaluated from the viewpoint of Safety2.0, and future train control will be considered.
in 2016) was established. The conclusion was that the essential elements of the system exchange information with each other to create optimal safety, which amounts to the construction of a cooperative safety methodology suited to the IoT era [1,2]. Safety2.0 was, of course, preceded by Safety0.0 and Safety1.0, which support present-day safety. However, the use of IoT is very effective in overcoming the sense of stagnation surrounding them. In this chapter, we review the changes in safety initiatives from the perspective of Safety0.0 and Safety1.0, and confirm the current status of Safety2.0. In addition, practical activities aimed at realizing Safety2.0 have begun, and we would like to introduce the situation.

Safety0.0 to maintain safety with sustained alertness
Pointing and calling is a well-known part of railway safety culture. It is also an easy-to-understand case of Safety0.0, which attempts to prevent accidents by drawing attention and keeping people alert at all times. Japan has been regarded as a leader in the sustained implementation of the "Zero-Accident Motion" and other activities belonging to Safety0.0. Looking back, various activities have been carried out, including the enactment of the Occupational Safety and Health Law in 1972 and the start of the "Everyone's Participation in Zero Accidents" motion by the Center Industrial Accident Prevention Association in 1973. On the other hand, it is interesting to note that a European version of the Zero-Accident Motion, which is a top-down movement but corresponds to Safety0.0, is beginning to take place in Europe, where the International Social Security Association (ISSA) has achieved outcomes at Safety1.0 through the launch of Vision Zero, and a Zero Accidents Forum has been launched in Europe and Finland.

Safety1.0 to prevent accidents
There are limits to ensuring safety by Safety0.0 alone, since no matter how well people are trained, mistakes will be made and machinery will break down. Therefore, technological efforts to implement safety measures in "goods" such as machinery and systems have progressed on the assumption that "people make mistakes" and "machinery breaks down." In Europe, this was established as a mandatory standard, and work accidents were greatly reduced by providing industrial machinery with protective safety measures. The basic idea was to establish a barrier between industrial machinery, which is a hazard source, and humans, and to establish a mechanism that allows machinery to move only when humans are absent. This is Safety1.0. In Japan, the Industrial Safety and Health Law was revised in 2005, and risk assessment was added as an obligation to make efforts. Initiatives learned from European experience and outcomes are now being developed. For this implementation, a number of safety mechanisms have been developed and incorporated into devices at each industrial site. However, even when workers are isolated from hazard sources during operation, they cannot be completely isolated during maintenance. In addition, many sites, such as construction work, are difficult to isolate.

IoT-based Safety2.0 concepts
Safety2.0 is a methodology suited to the IoT era, in which the essential elements constituting a system exchange information with each other to achieve optimal safety [1,2]. In this respect, it differs from the idea of relying on human attention (Safety0.0) and from that of taking protective measures against human errors and mechanical failures to ensure safety (Safety1.0). These relationships are summarized in Figure 1. In Safety0.0, risks exist over a wide range, including coexistence areas, because accidents are prevented only by attention and judgment. In Safety1.0, on the other hand, risks were reduced by separating the human domain from the machinery domain and by providing various safety measures in the machine domain. Safety by isolation, which creates as little coexistence as possible, is fundamental.
In Safety2.0, by contrast, machines and humans exchange information and cooperate with each other to ensure safety, so that both can coexist. In addition, since appropriate safety using information is maintained during operation, the overall risk is greatly reduced.
The Nikkei BP brochure [1] explains Safety2.0 as follows: "Frankly speaking, Safety2.0 is a collaborative safety built by people, goods, and the environment in cooperation with each other. The best means to achieve this Safety2.0 is to make rapid progress today. In Safety1.0, there was only a choice between "stop" and "go." In Safety2.0, however, detailed operations are carried out by exchanging information between people and machinery, and the safe coexistence of both is aimed at (omitted hereafter)." A case of Safety2.0 is shown in Figures 2 and 3.
Management understanding and support are essential to promoting Safety2.0 within a company. Fortunately, IoT-based safety technologies were widely developed before the concept of Safety2.0 was formulated, so there was some ground on which to accept Safety2.0. However, in order to expand Safety2.0 beyond Japan to a wide range of countries, a promotion base is needed. To this end, the Institute of Global Safety Promotion (IGSAP) was established.

Current stage of Safety2.0 (activities centered on IGSAP)
IGSAP has established the safety management forum as a place where executives and managers gather to exchange information and experiences in order to engage actively in the safety of customers and employees and in the safety of the company as a whole. In addition, it has been vigorously inviting European opinion leaders who work to eradicate occupational accidents under Vision Zero, and exchanging opinions through visits to Europe. In February 2018, NIPPO's automatic-stop tire roller/wheel loader, equipped with an emergency stop technology for construction machinery, was the first to be registered under Safety2.0.
On October 14, 1872, Japan's first railway opened between Shimbashi and Yokohama. Following the opening of the railway, the railway construction regulations and the Railway Bureau's train transport regulations were enacted, and other rules for ensuring safe operation were rapidly established. These standards and regulations form the base of Safety0.0. Technologies were also imported from overseas. For example, in 1887 a ticket-type block system using block telegraphs was established between Kyoto and Osaka, and a second-class mechanical interlocking device was installed at the junction of the Yamanote Line and the Tokaido Line at Shinagawa Station. In addition, the manufacture of railway signals and interlocking equipment began at the Mimura Factory in Tsukishima, Tokyo, and the move toward domestic production also progressed [3].
Signaling devices based on these technologies are mainly designed to secure routes and link them to signals, and drivers' safety is guaranteed if they operate according to the signals. However, an accident occurred on a single-track section when a station master forgot that a train was between stations and set the opposite route. The emphasis was therefore placed on raising human attention, in the sense that a mistake could lead directly to an accident.

Actual state of safety assurance based on Safety1.0
In the world of machine safety, such as in factories, machinery is the hazard source. For this reason, a mechanism has been adopted that confirms that no human or body part is in the working area of the machinery and allows the machine to operate only then. Furthermore, the sensors used for this and the devices that confirm safety are fail-safe, and this constitutes the Safety1.0 mode.
In railways, on the other hand, trains are the main hazard source. For this reason, the "concept of isolation" that allows only one train in one section was established as the block system. In addition, within station premises, the interlocking device was developed, which ensures absolute safety even if signals are handled incorrectly. The use of fail-safe track circuits has further resulted in advanced signaling systems. However, even under these mechanisms, a driver's mistake, such as running past a stop signal, can cause an accident. For this reason, in-cab alarms were developed, which sound an alarm to alert the driver when a stop signal is approached, and they have evolved into ATS, which applies the emergency brake when the driver does not perform the predetermined action.
However, the technology introduced in railways and industrial machinery, where stopping is basically the safe state, was not the same as that introduced where continuing operation rather than stopping is safe, as in aircraft. In addition, the industrial machinery field and railways each developed their own technologies. As a result, no agreement was reached on common safety and fail-safe technologies across industries, and there was no common measure of safety.

Computer-based safety control device and Safety1.0
In the 1980s, computers were introduced into Safety1.0, which had until then been secured with sophisticated circuitry. As a result, the safety technologies that had been pursued independently in each industry changed in character. In addition to the conventional technology, engineers in various industries became concerned with ensuring the safety of the computer hardware itself and with preventing bugs in the software to be incorporated (quality assurance).
Computer hardware safety was solved by redundant configurations, verification of processing results, and appropriate integration of diagnostic circuitry, and the methodology was discussed across industries. Software poses a common issue: how to develop high-quality, bug-free software. What is important is that the sophisticated circuits once inherited as the essence of safety technology by each industry sector were all incorporated as software logic and no longer appeared on the surface.
This resulted in a deeper recognition of common methodologies across industries and the establishment of a new international standard, IEC61508, applicable across industries under the new concept of "functional safety." To ensure safety in the age of functional safety, the safety level of the target system is first determined as a safety integrity level (SIL) as a result of risk analysis. The design requirements for the hardware and the target dangerous-failure rate are then specified according to the SIL value. For software, the design requirements for each phase of the life cycle are determined according to the SIL value. Thus, "risk" became a common measure of safety. The certifying organization, in turn, evaluates the validity of the SIL determination and of the specific work carried out according to that SIL value.
The situation differs between the age of reliance on circuit technology and the age of computer use. Nevertheless, the concept of Safety1.0, which seeks to safeguard safety by protective measures in the event of human error or device defect, is common to both.
What is important is that computer use is evolving control systems into more sophisticated ones. There is a great difference between today and the era in which computerized signaling devices were developed, when the issue of how to make hardware and software safe was solved and safety technology was replaced by program logic to produce electronic interlockings and level crossing controls.
The elimination of concerns about using computers for safety control has made it easy to add advanced functions. In addition, the successful use of diagnostic technology has opened the way to integrating communication technologies such as networks and radio into safety control devices. The theme of a "train control system using IoT" likewise arises because communication, including wireless communication, can now be used freely for safety control. Today, the development of new computer-based systems continues, and sophisticated control systems are emerging. In 2011, the world's first full-fledged radio train control system, ATACS, was launched on the Senseki Line and has been achieving excellent results. Based on this achievement, it was also introduced between Ikebukuro and Omiya on the Saikyo Line in 2016, and has been operating stably. SPARCS (simple-structure and high-performance ATC by wireless communication system), a radio train control system developed by Nippon Signal Co., Ltd., is also well received overseas. What is the relationship between these advanced systems and Safety2.0? What kind of system should we look at beyond them?
We would like to consider this on the basis of the specifications of the computer- and radio-aided train (CARAT) control system, in whose development the author participated while at the Railway Research Institute.

Advanced train control systems and Safety2.0
The interlocking of CARAT is called point control. The position of a train is managed by the block ID and the position (in kilometres) within the block. Several trains can exist in one block, except in the section of a point machine, in order to realize moving block even within station premises. Point control does not include route locking or sectional locking. Since a route is cancelled (pulled back) by exchanging information with the on-board device, it is not determined by the train position alone. A reasonable and safe process replaces the approach-locking time that was applied uniformly whenever a train was in the approach section. A prototype of this point control was installed at Tsubame-Sanjō Station, and its function was confirmed by monitor runs.
Since CARAT was designed for the Shinkansen, a level crossing control function is not required. However, the functions were investigated and their effect was checked by simulation, and they proved effective for fixed-time control and safety improvement, which had been regarded as issues with existing level crossings. As a result, point control and level crossing control are positioned as processes that extend the point up to which the train is permitted to travel. The interval control device generates "travel permit point information" and transmits the result to the on-board device, making it possible to unify the processing between stations and within station premises. The form in which each of these devices performs reasonable processing while exchanging information in various directions is exactly what IoT is about. The compatibility between CBTC and Safety2.0 thus appears to be good.

Outlook for future train control systems
Existing train control systems condense know-how learned from large accidents caused by human error. As shown in Figure 4, the basic control functions are the block function and the interlocking function. However, safety cannot be ensured by these functions alone. Today's safety is achieved in cooperation with safety devices such as ATS and ATC, whose purpose is to prevent accidents caused by human error. Nevertheless, as shown in Figure 4, the actual situation is a complex combination.
A simple and orderly system, as shown in Figure 5, emerges from the IoT-based train control system. On site there are only the point machines, level crossings, and trains that make up the route of travel. The processing unit of the center directly transmits "information up to the section where the vehicle can safely travel" to the on-board device of the train as a control command (travel command). In CARAT, the interval control device sent the "travel permit point information" to the on-board device on the basis of the point control information. Here the interval control device is centralized at the center, and at the same time both point control and level crossing control are centralized at the center. This form is therefore obtained simply by adding the IoT viewpoint to what was demonstrated in CARAT. The "interlocking device," "block device," and "ATC/ATS," long regarded in the signalling field as its three sacred treasures, disappear. This is not, however, the introduction of a "centralized interlocking device." Existing interlockings incorporate various locking logics to ensure safety whatever handling the signaller performs, and in this respect a centralized interlocking device changes nothing. Instead, the claim is that point control replaces the complex interlocking logic itself, making it unnecessary. Point control algorithms have been demonstrated in the monitor runs of the next-generation train control system CARAT carried out by the Railway Institute on the Joetsu Shinkansen.
The overall system architecture consists of a terminal layer (site equipment and on-board safety control devices), a center device (functional layer) that controls them, and an IP network (network layer) connecting them. This next-generation system is named the unified train control system (UTCS), and various studies are being conducted [5,6]. This system also conforms to the concept of Safety2.0: it consists only of the equipment essential to the system, namely trains, point machines, level crossings, and center equipment, and "the essentially necessary equipment exchanges information and realizes functions" (I have called this intrinsic control).

Outline of the UTCS processes
In UTCS, the concept of a "path" (labeled "authorized route" in Figure 5) for each train is introduced to standardize the processing. A path is the "limit position to which running is possible," and it is derived for each train from the associated preceding train, point machines, and the states of level crossings. Train processing by the unified processor is therefore realized by train tracking, path searching (or "route searching"), and the control processes initiated by path searching to control level crossings and point machines.
When the path for a train is determined, an authorized command carrying the path together with speed restriction information is generated and sent to the corresponding terminal device in the terminal layer. Path searching searches for the limit point to which running is possible (the path) in the train's direction of movement. Within station premises, however, the search follows the scheduled running path acquired from the running control device (or "traffic control system") in the functional layer. The path in this case starts from the end of that running path and is determined by the state of the point machines in between and by the tail position of any preceding train (including a safety margin).
Between stations, on the other hand, the tail position of the preceding train or the state (labeled "status" in Figure 5) of any level crossing determines the path. If the level crossing is controlled by the train in question and its status indicates "passing allowed," meaning that closing is complete and no obstacle is present, the search is extended to a more distant position. Although on-board devices are responsible for on-board safety processing, a continuous speed check according to a braking pattern is realized on the train in any case. Moreover, in the case of CBTC, a high-level speed check function can be realized by installing a terminal device on the train rather than providing an ATP terminal device on the ground. Figure 6 illustrates the data flow under UTCS.
An example of a UTCS based on Safety2.0 is the ATP-block system [4-6], which is typical of intrinsic control; although details of the ATP-block system are omitted here, the essential devices constituting the system mutually exchange information as IoT devices, thereby realizing advanced functions. In the ATP-block system, the block device and the interlocking device, which were previously located at each station and controlled the running direction together with the adjacent station, disappear (see Figures 7 and 8). The history of technological progress in train control and its relation to Safetyx.x is illustrated in Figure 9.
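The following Python model is an added illustration of the path search just described (and of the CARAT point-control idea that several trains may share a block while the path is bounded by point machine and level crossing states). It is not code from the chapter, from CARAT, or from any UTCS implementation. It treats a single track as a one-dimensional coordinate in metres, derives each train's path (limit position) from the nearest end of any other train plus a safety margin, the lock state of point machines, and the status of level crossings, and then checks the train's speed against a braking pattern from that limit. The class and function names, the margins, the braking rate, and the sample situation are all assumptions made for the example; the one design rule carried over from the text is that only an explicit "passing allowed" status extends the path, so a missing or unknown state is treated restrictively.

```python
"""UTCS-style path search and on-board speed check (added illustration).

Not code from the chapter or from any railway project. A single track is a
1-D coordinate in metres; each train's "path" is the limit position to which
running is possible, derived from other trains, point machines and level
crossings. Anything not explicitly confirmed safe restricts the path.
"""
import math
from dataclasses import dataclass

# Assumed constants (not taken from the chapter).
SAFETY_MARGIN_M = 50.0     # kept clear of the nearest end of another train
EQUIPMENT_MARGIN_M = 30.0  # stopping point short of an unsafe point/crossing
SERVICE_DECEL_MPS2 = 0.8   # braking rate assumed for the speed pattern
LINE_SPEED_MPS = 33.3      # ceiling speed of the line


@dataclass
class Train:
    tid: str
    head_m: float
    length_m: float
    direction: int           # +1 towards increasing positions, -1 the other way
    speed_mps: float = 0.0

    @property
    def tail_m(self) -> float:
        return self.head_m - self.direction * self.length_m


@dataclass
class PointMachine:
    pid: str
    pos_m: float
    locked: bool             # True only when detected and locked in position


@dataclass
class LevelCrossing:
    xid: str
    pos_m: float
    status: str              # "passing_allowed", "closing", "obstacle", "unknown"


def path_limit(train, trains, points, crossings, route_end_m):
    """Search the limit position (path) for `train` in its movement direction."""
    d = train.direction

    def dist_ahead(x):       # signed distance from the train head; > 0 means ahead
        return (x - train.head_m) * d

    candidates = [route_end_m]          # the scheduled running path ends here

    # Other trains (preceding or opposing): stop short of their nearest end.
    for other in trains:
        if other.tid == train.tid:
            continue
        for end in (other.head_m, other.tail_m):
            if dist_ahead(end) > 0:
                candidates.append(end - d * SAFETY_MARGIN_M)

    # A point machine that is not detected and locked cannot be passed.
    for pm in points:
        if dist_ahead(pm.pos_m) > 0 and not pm.locked:
            candidates.append(pm.pos_m - d * EQUIPMENT_MARGIN_M)

    # A level crossing may be passed only on an explicit "passing_allowed"
    # (closing complete, no obstacle); any other status is restrictive.
    for lx in crossings:
        if dist_ahead(lx.pos_m) > 0 and lx.status != "passing_allowed":
            candidates.append(lx.pos_m - d * EQUIPMENT_MARGIN_M)

    # The path is the nearest constraint; it is never behind the train head.
    limit = min(candidates, key=dist_ahead)
    return limit if dist_ahead(limit) > 0 else train.head_m


def pattern_speed(distance_to_limit_m):
    """Permitted speed so that a service brake applied here stops at the limit."""
    if distance_to_limit_m <= 0:
        return 0.0
    return min(LINE_SPEED_MPS,
               math.sqrt(2 * SERVICE_DECEL_MPS2 * distance_to_limit_m))


def authorized_command(train, limit_m):
    """Travel command for the on-board terminal: the path plus a speed ceiling."""
    distance = (limit_m - train.head_m) * train.direction
    return {"train": train.tid, "limit_m": limit_m,
            "max_speed_mps": pattern_speed(distance)}


def speed_ok(train, limit_m):
    """On-board continuous check of the current speed against the pattern."""
    return train.speed_mps <= authorized_command(train, limit_m)["max_speed_mps"]


def demo():
    # Constructed sample situation, not real line data.
    a = Train("A", head_m=1000, length_m=200, direction=+1, speed_mps=10)
    b = Train("B", head_m=2500, length_m=200, direction=+1)
    points = [PointMachine("P1", pos_m=1500, locked=True)]
    crossings = [LevelCrossing("X1", pos_m=2000, status="passing_allowed")]
    limit = path_limit(a, [a, b], points, crossings, route_end_m=4000)
    return authorized_command(a, limit)


if __name__ == "__main__":
    print(demo())   # train A is limited to 2250 m, 50 m short of B's tail
```

In the sample situation train A's path ends 50 m behind train B's tail; changing the crossing status to anything other than "passing_allowed", or unlocking the point machine, pulls the limit back to just short of that equipment, and an opposing train is bounded by the other train's head rather than its tail. The split of responsibilities mirrors the text: the center derives the path and sends it as a command, while the speed pattern check stays on the train.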

Afterword and conclusion
Development of new systems involves certification in accordance with international standards. Train control in particular is subjected to scrutiny under the reliability, availability, maintainability and safety standard (RAMS; IEC62278). To make this certification smart, complications should be avoided and the system made as simple as possible. Railways are a social system with a long service life, and wrong choices can leave the roots of trouble in place. Examining and simplifying the components as far as possible improves the visibility of the system and facilitates certification. Furthermore, reliability increases as the amount of equipment is reduced, and protection becomes unnecessary. The fewer the interfaces, the greater the safety. In addition to these advantages in nonfunctional requirements, we believe that systematization in accordance with Safety2.0 can be an informative methodology in this regard. Under these circumstances, if information such as track maintenance needs is automatically extracted by AI from vehicle vibration data and the like gathered during daily operation, the railway can be reconstructed as a competitive means of transport.
Safety2.0 is an initiative that contributes not only to safety effects but also to productivity improvements and contributes to management. I hope that UTCS will be a successful development. We believe that this will also contribute to the dissemination of Japanese Safety2.0.