It's said that on the day of opening of the famous Stockton & Darlington Railway (S&DR), celebrated as the first public railway for fare-paying passengers, its first locomotive "Locomotion" was preceded by several men on horses carrying flags with stirring mottos in Latin, such as ‘Periculum privatum utilitas publica” (The private danger is the public good).
Many would argue that an undercurrent of risk and danger associated with mechanised transport continues to this day with the majority of accidents on road and rail attributable to human error and dangerous human choices. The rail industry has introduced automatic systems to mitigate human error such as the widespread application in many countries of Automatic Train Protection (ATP) and the more limited application or Automatic Train Operation (ATO). In recent years, the car industry has been playing catch-up with automated driving applications such as Lane Keeping Assist and Auto Emergency Braking and is now poised to make a game-changing leap forward to Autonomous Vehicles (AVs).
As we enter the fourth industrial revolution, significant advances in technology are again about to impact the rail sector in dramatic ways, prompting a myriad of challenges. The rail industry now has the opportunity to capitalise on this technology to bring about widespread automation of open rail networks, beyond the current limitations of segregated metros. Safety and minimising risk remain at the heart of these challenges.
The fundamental question is, “How does society enjoy the benefits of a cost effective, reliable and efficient transport system, enabled by widespread automation and ultimately autonomous systems, while maintaining and improving safety for all?”
There’s no doubt we live in exciting times for rail, with regular announcements of new systems and technology promising improvements that align with changing transport and modality patterns, and apparently, changing community expectations of service.
Most people would accept that automation in controlled and repetitive environments can be utilised to reduced costs and improve the efficiency of the transport task, as is exemplified by the increasing number of fully automated metros that operate in segregated environments with minimal variance.
Sydney Metro Northwest is the latest metro in the world and first in Australia to be added to the growing list of fully automated, unattended metros, achieving what the International Association of Public Transport (UITP) classifies as Grade of Automation 4 (GoA4) - where starting and stopping, operation of doors and handling of emergencies are fully automated without any on-train staff.
However, as we all know, this is often not the case for mainline and light rail networks, where the environment cannot be absolutely controlled and rules are not always followed. This relates in particular to any interaction with passengers, road users, neighbours and the public, and in future, other automated/autonomous vehicles/systems. There is also a need to contend with changes in weather and degraded situations (flooding or heatwaves, for example).
Ultimately autonomous systems will be required to handle all these unexpected events on the rail network, using narrow Artificial Intelligence (AI). This is similar to autonomous vehicles, but while autonomous rail has arguably less variables, there are potentially more catastrophic consequences.
Most transport systems require a human driver to interpret real time information and respond to this information. The human driver controls the vehicle, following the defined rules - and most significantly, the driver or attendant can also respond to unplanned /unexpected events.
When a system is fully automated or autonomous on a network that cannot be absolutely controlled, how will the same (if not greater) level of real time information interpretation be achieved, and how does an automated or autonomous system decide what to do when a rule is not followed?
When managed correctly AI has the potential to significantly improve safety. However, to achieve societal acceptance, research from the autonomous car industry suggests that this may need to be about two orders of magnitude better than the average driver, likely necessitating both a high Hardware Fault Tolerance along with a high Safety Integrity Level.
Legislation will also need to keep pace, to establish minimum standards, while individual companies (suppliers and specifiers) should aim to exceed them when developing and deploying automatic and autonomous systems.
The systems that are developed will need to consider the sensors available to the vehicle and what information might be provided from the connected network. How will this information be interpreted? Will the vehicle follow simple rules or will it analyse the situation, calculating possible scenarios and choose the best outcome? And if it does, who determines what defines the best outcome – legislation, business or other?
Do our safety standards need to change?
Currently in Australia there are no explicit regulations covering automated driving functions for rail or road. The National Transport Commission (NTC) has initiated a project to develop a safety assurance system to support the safe, commercial deployment and operation of automated vehicles at all levels of automation. NTC released the Safety Assurance for Automated Driving Systems: Decision Regulation Impact Statement (RIS) in November 2018. Although the safety assurance of automated rail vehicles is out of scope, it does provides some direction and clarity on the broader expectations.
However, rail (and aviation) already has a more flexible safety assurance approach that is less prescriptive than the approach taken in road transport. This approach has already facilitated the introduction of automated functions for metros and mainline railway train control to avoid or mitigate human error.
System safety is demonstrated against functional safety standards; this is the foundation for best practice risk management and assurance. Functional safety for railway systems is currently addressed by the standards EN50126, EN50128, EN50129, originally predicated on deterministic systems (based on the inputs the output can be predicted). In the event that the driving functions and/or train controller (signaller) functions and/or network manager functions and/or maintenance scheduling are devolved to autonomous systems based on artificial intelligence (AI), then the approach to functional safety standards and methods, will need to adapt. In fact, the guidance from the generic functional safety standard (IEC61508) is that AI is ‘positively not recommended’ for a Safety Integrity Level (SIL) greater than 1, and at SIL 1 has ‘no recommendation for or against it being used’. It is clear functional safety standards need to catch-up with technology advances.
The IEC, recognising this situation, is actively developing a new International Standard for a risk management framework for AI. Depending on the level of autonomy and the target functionality, future standards will need to consider various AI environments. These may include AI environments such as partially observable, competitive, stochastic and the appropriate tolerability criteria.
How do we make the transition?
In current systems, Safety Critical Application Conditions (SCAC) that cannot be addressed by technology are exported to the human domain and usually result in human tasks within a prescribed Rule Book. In autonomous applications all functions must be addressed by the system.
Organisations will need to be suitably resourced, managed and supported with technical and ethical regulatory guidance. A suitable approach is required with society with respect to the use of AI. A period of increasing AI support for drivers (semi-autonomous), with a transition over to AI driving (autonomous), will be required.
The expected approach is longitudinal testing (repeated observation), required for developing an inductive long-term dynamic safety case (‘proven in use’). Delivered through aggressive training environments that use training sets and test conditions that place the system in ‘extreme’ operating environments. Supported by in-service experience with a driver present to ensure AI algorithms are able to operate safety with the eventual operational demands. Where feasible, further techniques can be applied to constrain or control the operational environment (limit variability).
What do network managers/owners need to consider?
There’s no doubt that as we continue to move away from human driven vehicles, automated or autonomous systems will increasingly be required to handle any unexpected events on the network.
The methods employed to make decisions remains a significant and unresolved risk that all transportation network managers/owners will need to consider as we move into the ‘Fourth Industrial Revolution’.
Has the journey already begun?
Interestingly, Australia is leading the world in automated railway operations beyond the relative simplicity of segregated metro operations driven by the private sector for commercial considerations.
In Australia, the railway network is a core part of most mining operations and significant safety and productivity benefits can be achieved by migrating from manually operated trains to a fully automated system. At the beginning of 2019, Rio Tinto announced the successful deployment of AutoHaul technology for the automated operation of iron ore trains in the Pilbara region of Western Australia, creating what has been described as “the world’s largest robot”.
This system uses Automatic Train Operation over ETCS Level 2 (AoE) to support GoA4. This paves the way for the future progressive automation of passenger, freight and mixed traffic railway operations building on the core functionality of ETCS, augmented with semi-autonomous and autonomous driving and safety aids appropriate to the specific application, associated risks and the desired Grade of Automation.
What is clear is that in terms of automation there is a significant difference between automatic systems applicable to segregated environments such a metros, and the autonomous systems required for open networks.
It is important to establish a common language to distinguish between the characteristics of automatic and autonomous systems. To promote discussion, the following definitions are offered:
- Automatic System: a system that performs task sequences based on pre-defined rules. The information required to understand the environment is provided to enable the system to undertake rehearsed actions (characterised as deterministic).
- Autonomous System: a system capable of making independent decisions to respond to all cases in real-time, and in some situations without reference to pre-defined instructions. It must therefore manage the functions of perception, environmental awareness, and spontaneous decision making (characterised as stochastic).
Will autonomous road vehicles provide both the technology and the imperative?
Autonomous train operations on open networks will need to be equipped with sensors and algorithms that are very similar to those used in self-driving cars. Autonomous capabilities for trains operating on open networks are likely to become an essential response to the market disruption envisaged from the widespread adoption of fully autonomous self-driving cars, trucks and buses coupled with a continuing road pricing deficit that leaves significant unrecovered road system costs, in particular, favouring road freight.
The rail industry must also avoid technology fragmentation by maintaining standardisation/interoperability throughout the digitisation and automation journey. This will be essential to achieve longer-term cost effective solutions on a scale and refresh cycle that can compete with road transport and that builds upon existing or planned investments in train control technology.
John Cranley
National Rail Leader – Australia
+61 733 163 670
John.Cranley@ghd.com
For more information please visit Digital train control