Safety First: Certifying AI Control Systems for Fixed-Guideway Transit

Navigating regulatory frameworks: from driver assistance to automated operations.
Mapping the OCORA reference architecture against SDV objectives.
Enhancing situational awareness by improving obstacle detection and vehicle location.
Certifying AI-enabled control systems for commercial operations.

Software-Defined Vehicles 2026, IQ International
May 4, 2026 - Detroit, MI

Joffrey Lauthier

April 12, 2026

Transcript

  1. The Internet of (automated) Trains
     - Advancing rail automation requires a shift to intelligent vehicles
     - Software lifecycles must be decoupled from hardware lifecycles
     - Ensuring the safety of complex technology stacks is a challenge
     - Approaches to AI/ML safety certification
     Software-Defined Vehicles 2026 – Safety First: Certifying AI Control Systems for Fixed-Guideway Transit
  2. Driverless systems already move 25 million riders daily
     - Metros: unattended operations, 480-ton trainsets, 60,000 pphpd (passengers per hour per direction)
     - Heavy haul: mine to port, three locomotives, distributed power, 28,000-ton trains
  3. Automation is a competitive imperative for transit and rail
     - Increased frequency, flexibility, capacity
     - Improved safety and reliability
     - Reduced operating cost
     - Better passenger experience
     - Higher ridership
  4. The next frontier: expanding automation to more transport modes
     - Mainline: passenger lines and freight lines, shunting yards
     - Streetcars: driverless trams, depot automation, collision avoidance
     - Bus automation: gated BRT, precision stopping, bus depots
     - Freight wagons: autonomous electric platforms, platooning, automated yards
  5. Automating railroads is hardest – complex uncontrolled environment
     Transit:
     - Closed system
     - Single operator for infrastructure and vehicles
     - Passenger transport only, limited special services
     - Single fleet, vehicles of identical performance
     - Right-of-way protected from intrusions
     - Integrated system procured in a single package
     Railroad:
     - Open system
     - Different operators for infrastructure and fleets
     - Freight, commuter, intercity passenger rail
     - Multiple fleets with different characteristics
     - Publicly accessible right-of-way, grade crossings
     - Network-wide interoperability required
  6. AI is improving the performance of safety-critical functions
     - Driver assistance: optimized acceleration and braking based on the track map, schedule goals, and the movement of other trains
     - Vehicle positioning: train positioning based on onboard perception rather than traditional lineside beacons
     - Collision avoidance: forward-facing multispectral perception for obstacle detection
     - Broken rail detection: continuous monitoring of track structural integrity
  7. Four grades of (rail) automation – from manual to unattended
     Each grade automates one more function. Train dispatching is controlled by the train operator at GoA 1 and by central control from GoA 2; obstacle and intrusion detection is done by the operator up to GoA 2 and automated from GoA 3; intervention when automated operations fail and in emergencies is done by an operator or attendant on board up to GoA 3 and by remote dispatching at GoA 4.
     - GoA 1, manual train operation: train operator controls train dispatching, detects obstacles and intrusions, and intervenes in failures and emergencies
     - GoA 2, semi-automated operation: central control of train dispatching (constant headway, timetable)
     - GoA 3, driverless train operation: automated obstacle detection and right-of-way intrusion protection
     - GoA 4, unattended train operation: remote dispatching for handling failures and emergencies
  8. AI is unlocking higher grades of automation
     (Diagram; only its labels survive in the transcript.) Onboard functions: train management, automatic train protection, automatic train operation, obstacle detection, and remote operation with CCTV and public address, acting on brakes, traction, and doors. Trackside counterparts: network control center, wayside intrusion detection, remote operation center. The functions are mapped against GoA 0 to GoA 4, with the AI contributions labelled AI diagnostics, AI optimization, AI perception (twice), and AI analytics.
  9. Legacy train control relies on trackside computing infrastructure
     - Control center: train supervision, power SCADA, tunnel ventilation, scheduling, crew rostering, asset management
     - Wayside equipment: interlocking systems, train control zone controllers, wired networking equipment
     - Track equipment: signals, switches, train detection, transponders, wireless radio access points
     - Rolling stock: driver console, train control computers, transponder antennas, positioning system, train-to-wayside radios, train communication network
  10. Cloud and edge computing enable intelligent vehicles
     The same four layers as the legacy architecture, with two additions: a private cloud in the control center and carborne controllers on the rolling stock.
     - Control center: train supervision, power SCADA, tunnel ventilation, scheduling, crew rostering, asset management, private cloud
     - Wayside equipment: interlocking systems, train control zone controllers, wired networking equipment
     - Track equipment: signals, switches, train detection, transponders, wireless radio access points
     - Rolling stock: driver console, train control computers, transponder antennas, positioning system, train-to-wayside radios, train communication network, carborne controllers
  11. Six technologies shifting movement authority to intelligent vehicles
     - V2I radio comms: continuous vehicle-to-infrastructure communications; high availability, low latency
     - Vehicle positioning: vehicles computing their own position against a track map; accurate, precise, robust
     - Vehicle perception: obstacle detection, collision avoidance, vehicle location, infrastructure monitoring
     - Edge computing: onboard computers supporting low latency, robustness, and autonomy; real-time, safety-critical hypervisors
     - Software-defined vehicle: modular onboard software components running on virtualized real-time operating systems
     - AI / machine learning: artificial intelligence enabling perception, analyzing sensor data from LiDAR, radar, cameras, and IMUs
  12. Europe is writing the software-defined train playbook
     - NG-TCMS (Next Generation Train Control and Management System): single Ethernet backbone for all vehicle subsystems, vital and non-vital
     - FRMCS (Future Railway Mobile Communication System): standardized V2I communications interfaces supporting future wireless radio technologies
     - CCS TSI (Control Command and Signalling Technical Specifications for Interoperability): interoperability with the trackside infrastructure
     - OCORA (Open Control Command and Signalling On-board Reference Architecture): standardized, modular, and future-proof architecture
  13. Navigating the U.S. regulatory environment for train control systems
     Interoperability:
     - Federal Railroad Administration (FRA): Positive Train Control (PTC)
     - Association of American Railroads (AAR): Interoperable Train Control (ITC)
     - American Public Transportation Association (APTA): Passenger Rail Equipment Safety Standards (PRESS)
     - New York City Transit (NYCT): Interoperability Interface Specification (I2S)
     - IEEE 1474 series: Communications-Based Train Control (CBTC)
     - European Union Agency for Railways: European Rail Traffic Management System (ERTMS)
     Safety:
     - Federal Railroad Administration (FRA): Positive Train Control (PTC)
     - Federal Transit Administration (FTA): Signal System Safety and Train Control advisory; Project Management Oversight (PMO)
     - State Safety Oversight Agencies (SSOAs): Public Transportation Agency Safety Plan (PTASP); Safety and Security Certification
     - CENELEC EN 5012x functional safety: IEC 62278 / EN 50126 (RAMS); IEC 62425 / EN 50129 (safety-related electronic systems, including hardware); EN 50716 (software, superseding EN 50128 / IEC 62279)
     Cybersecurity:
     - Transportation Security Administration (TSA): Security Directives 1580/1582
     - National Institute of Standards and Technology (NIST): Transit CSF Community Profile
     - Federal Transit Administration (FTA): Critical Infrastructure Security and Resilience (CISR)
     - American Public Transportation Association (APTA): Securing Control and Communications Systems in Rail Transit Environments
     - IEC cybersecurity standards: ISA/IEC 62443 (Industrial Automation and Control Systems, IACS); IEC 63452 (Cybersecurity in railway systems)
  14. In rail vehicles, SDV prioritizes hardware abstraction
     Road vehicles vs. guided transit:
     - Scope: vehicle only vs. vehicle + infrastructure
     - Failures and lifespan: MDBF (mean distance between failures) 30,000 miles, 10-15 years vs. MDBF 400,000 miles, 30-50 years
     - Production model: mass production with proven-in-use arguments based on fleet data vs. low volume, small batches, highly customized, site-specific
     - Approach: goal-oriented, hardware architectural metrics vs. systematic safety cases and formal argumentation
     - Standards: ISO 26262, ISO 21448, IATF 16949, ISO/SAE 21434 vs. EN 50126, EN 50129, EN 50716, IEC 63452
  15. The AI certification challenge ‒ technical and regulatory hurdles
     - Verification & validation: demonstrable coverage of safety requirements through structured testing; AI cannot guarantee behavior across all operational scenarios
     - Data quality and lifecycle: training data becomes a critical safety artifact; data errors propagate as systematic failures in deployed systems
     - Failsafe behavior: AI may produce incorrect predictions outside its operational design domain; runtime monitoring, confidence bounds, and safe fallback mechanisms are needed
     - Tools qualification: ML frameworks, training pipelines, and deployment tools for safety-critical functions are classified as T2/T3 (the tool classes whose failure could mask a defect, T2, or whose output ends up in the executable, T3); commercial tools lack T2/T3 qualification
     - Model drift: environmental changes may degrade model performance over time; criteria for when re-certification is required
     - Functional safety standards: EN 50128 was written for deterministic behavior; EN 50716 evolved to address AI/ML (probabilistic outputs, learned behavior, emergent properties)
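The "failsafe behavior" and "model drift" hurdles above amount to a runtime monitor: check that each inference was made inside the operational design domain (ODD), apply a confidence bound, hand control back to the vital system when either check fails, and track a drift statistic that triggers a re-certification review rather than any retraining. The Python below is an added example, not code from the deck or from any product it mentions; the frame fields, the ODD limits, the confidence bound, the drift margin and the input frames are all constructed assumptions.

```python
"""Runtime ODD monitor, confidence bound, safe fallback and drift trigger for an
AI perception channel. Added example: every threshold below is an assumption."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PerceptionFrame:
    """One obstacle-detection inference plus the conditions it was made under
    (constructed schema; a real system would take these from vital sensors)."""
    confidence: float        # score of the top prediction, 0..1
    lidar_ok: bool           # LiDAR self-test passed
    illumination_lux: float  # scene brightness seen by the camera
    speed_kmh: float         # train speed from the vital odometry channel


# Operational design domain the model was validated in (assumed limits).
ODD_MIN_LUX = 5.0
ODD_MAX_SPEED_KMH = 80.0
MIN_CONFIDENCE = 0.85


def in_odd(f: PerceptionFrame) -> bool:
    """True only when every validated precondition of the model holds."""
    return (f.lidar_ok
            and f.illumination_lux >= ODD_MIN_LUX
            and f.speed_kmh <= ODD_MAX_SPEED_KMH)


def runtime_decision(f: PerceptionFrame) -> str:
    """'USE' passes the AI output to the supervising control system;
    'FALLBACK' tells it to discard the AI channel and apply its own
    conservative behaviour (for example restricted speed)."""
    if not in_odd(f):
        return "FALLBACK"          # outside ODD: no evidence the prediction is valid
    if f.confidence < MIN_CONFIDENCE:
        return "FALLBACK"          # inside ODD but below the accepted confidence bound
    return "USE"


class DriftMonitor:
    """Compares the rolling mean confidence of in-ODD frames with the baseline
    measured at certification. A drop larger than max_drop is the assumed
    re-certification trigger: the deployed model stays frozen and the flag goes
    to the safety organisation, not back into training."""

    def __init__(self, baseline_confidence: float, window: int, max_drop: float):
        self.threshold = baseline_confidence - max_drop
        self.window = deque(maxlen=window)

    def observe(self, confidence: float) -> bool:
        """Returns True when the window is full and its mean is below threshold."""
        self.window.append(confidence)
        if len(self.window) < self.window.maxlen:
            return False
        return sum(self.window) / len(self.window) < self.threshold


def run(frames, baseline_confidence=0.95, window=20, max_drop=0.10):
    """Process frames in order. Returns the per-frame decisions and the index of
    the first frame at which the drift trigger fired (None if it never did)."""
    monitor = DriftMonitor(baseline_confidence, window, max_drop)
    decisions, flagged_at = [], None
    for i, f in enumerate(frames):
        decisions.append(runtime_decision(f))
        # Only in-ODD frames are evidence about the model; out-of-ODD frames
        # say something about the environment, not about model quality.
        if in_odd(f) and flagged_at is None and monitor.observe(f.confidence):
            flagged_at = i
    return decisions, flagged_at


if __name__ == "__main__":
    # Constructed sequence: healthy frames, then confidence decays while still in ODD.
    healthy = [PerceptionFrame(0.96, True, 200.0, 60.0)] * 5
    degraded = [PerceptionFrame(0.80, True, 200.0, 60.0)] * 5
    print(run(healthy + degraded, window=5))
```

Two design points matter here. The ODD check comes before the confidence check, because a high score on an input the model was never validated for is not evidence of anything. And the drift statistic is fed only by in-ODD frames, so a dark tunnel or a failed LiDAR produces fallbacks but does not count as model degradation.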
  16. The blueprint for trust: our AI system assessment framework
     Assessment dimensions:
     - Normal operation: interoperability, reliability, performance, safety
     - Disruption: cybersecurity, physical security, robustness
     - Explainability: traceability, transparency, observability, explainability
     - Individual: privacy, controllability, usability
     - Groups: non-discrimination, bias, fairness
     - Society & beyond: accountability, representativeness, sustainability
     Evidence layers:
     - M, management layer: assessing organizational structure, processes, and plans
     - D, documentation layer: assessing design documents, hazards, risks, safety analyses
     - T, test layer: assessing test coverage, and verification & validation results
  17. TÜV AI.Lab assessment matrix: safe, secure, and explainable
     (Matrix; the per-cell entries are not legible in the transcript.) Rows are lifecycle phases: inception, design & concept, development, verification & validation, deployment, operation, monitoring, retirement. Columns are ten criteria in three groups: Safe, regular operation (AI system → outside): interoperability, reliability, performance, safety; Secure, disruption (AI system ← outside): cybersecurity, robustness; Explainable, epistemology (AI system ← individual): traceability, transparency, observability, interpretability. Each cell marks which evidence layers apply: M (management), D (documentation), T (test).
  18. Four strategies for a successful AI system certification
     AI systems are exceptionally difficult to certify to Safety Integrity Levels 3-4 without extensive additional controls.
     - Safety-caged AI: AI in a non-vital advisory role supervised by a safety-certified control system, e.g. a driver assistance system paired with a SIL 4 automatic train protection system
     - Continuous monitoring: design operational monitoring (define drift detection thresholds and re-certification triggers); strong configuration management and no learning on the job, so the deployed model is frozen
     - Diverse redundancy: redundant channels independently developed on distinct hardware, models, and training data; the arbiter logic becomes safety-critical, and it constrains the highest-performing model to what the other channels agree with
     - Qualified platforms: use safety-certified hardware and software stacks; no AI support yet on vital rail platforms, so explore ISO 26262 ASIL D automotive platforms
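Three of the four strategies above (the safety cage, the diverse-redundancy arbiter, and the frozen model under configuration management) reduce to small pieces of deterministic logic that sit on the qualified-platform side of the boundary, and it is that logic, not the model, that carries the safety argument. The Python below is an added example, not code from the deck or from any signalling product; the braking model (flat track, constant deceleration, fixed margin), the agreement tolerance, the baseline hashes, and the channel outputs are constructed assumptions.

```python
"""Safety-caged advisory, diverse-redundancy arbiter and frozen-model check.
Added example; the vital envelope is deliberately simplistic (flat track,
constant deceleration) and every number is an assumption."""
import hashlib
import hmac
import math


# ---- Qualified platform side: assumed to live in the SIL 4 ATP -------------

def atp_permitted_speed_kmh(distance_to_eoa_m: float,
                            decel_mps2: float = 0.8,
                            margin_m: float = 50.0) -> float:
    """Permitted speed from a braking curve to the end of movement authority
    (EoA): v = sqrt(2 a d) on flat track, with an assumed fixed safety margin."""
    usable = max(0.0, distance_to_eoa_m - margin_m)
    return math.sqrt(2.0 * decel_mps2 * usable) * 3.6


def safety_cage(advisory_kmh: float, distance_to_eoa_m: float,
                line_speed_kmh: float) -> float:
    """The AI advisory can only ever lower the target below the vital envelope.
    Whatever the model outputs, the result stays inside what the ATP permits."""
    envelope = min(line_speed_kmh, atp_permitted_speed_kmh(distance_to_eoa_m))
    return max(0.0, min(advisory_kmh, envelope))


# ---- Diverse redundancy: two channels, one (safety-critical) arbiter -------

def arbiter(channel_a_kmh: float, channel_b_kmh: float,
            tolerance_kmh: float = 3.0):
    """Channels are assumed to run different models on different hardware with
    different training data. Agreement within tolerance -> the more
    conservative value (this is how the arbiter constrains the better model).
    Disagreement -> None, so the caller falls back to the vital behaviour."""
    if abs(channel_a_kmh - channel_b_kmh) <= tolerance_kmh:
        return min(channel_a_kmh, channel_b_kmh)
    return None


# ---- Configuration management: the deployed models are frozen --------------

# Assumed configuration baseline from the safety case: SHA-256 of each
# channel's certified weights. The byte strings are constructed stand-ins.
CERTIFIED_WEIGHTS_A = b"constructed weights, channel A, release 1.0"
CERTIFIED_WEIGHTS_B = b"constructed weights, channel B, release 1.0"
BASELINE = {
    "A": hashlib.sha256(CERTIFIED_WEIGHTS_A).hexdigest(),
    "B": hashlib.sha256(CERTIFIED_WEIGHTS_B).hexdigest(),
}


def models_match_baseline(loaded: dict) -> bool:
    """Every baseline entry must be present and hash-identical; extra or
    missing channels fail closed. compare_digest avoids a timing side channel."""
    if set(loaded) != set(BASELINE):
        return False
    return all(hmac.compare_digest(hashlib.sha256(loaded[name]).hexdigest(), digest)
               for name, digest in BASELINE.items())


def speed_target(loaded_weights: dict, out_a_kmh: float, out_b_kmh: float,
                 distance_to_eoa_m: float, line_speed_kmh: float):
    """Combine the three mechanisms. Returns ('ADVISORY', kmh) when the AI
    channels may be used, or ('FALLBACK', None) when the ATP drives on its own."""
    if not models_match_baseline(loaded_weights):
        return ("FALLBACK", None)      # unapproved model: AI channels disabled
    agreed = arbiter(out_a_kmh, out_b_kmh)
    if agreed is None:
        return ("FALLBACK", None)      # channel disagreement is treated as a failure
    return ("ADVISORY", safety_cage(agreed, distance_to_eoa_m, line_speed_kmh))


if __name__ == "__main__":
    good = {"A": CERTIFIED_WEIGHTS_A, "B": CERTIFIED_WEIGHTS_B}
    print(speed_target(good, 70.0, 72.0, 2000.0, 100.0))       # advisory accepted
    print(speed_target(good, 120.0, 121.0, 450.0, 100.0))      # caged by braking curve
    print(speed_target(good, 70.0, 85.0, 2000.0, 100.0))       # channels disagree
    tampered = dict(good, A=b"retrained on the job")
    print(speed_target(tampered, 70.0, 72.0, 2000.0, 100.0))   # frozen-model check
```

Note what the safety case rests on: the braking curve, the tolerance, and the hash comparison are all small, deterministic, and testable to SIL 4 methods, while the two models remain unqualified advisory inputs. A retrained or swapped model, however much better, disables the AI channels until the baseline is re-issued, which is the "no learning on the job" rule enforced in code rather than in policy.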
  19. AI enables automation of open rail systems
     - Rail vehicle safety and availability requirements are more demanding than for road vehicles
     - Rail SDV prioritizes hardware abstraction to facilitate obsolescence management
     - The certification strategy must be designed into the architecture from the conceptual stage
     - Cross-industry collaboration can accelerate the availability of safety platforms and tools