Thameslink core ATO into use

[Tim M]

There is a lot of waffle on this thread about eliminating drivers, the chances that this will happen in the near or far future are less than zero.

I have mentioned this before but it is worth reiterating. ATO on Thameslink and Crossrail core IS NOT about getting rid of the driver, it is all about consistent and therefore predictable inter station run times, required in order to reliably maintain the specified 24 trains per hour.

Let’s also look at the practical issues with adding ATO onto a train, something that is relatively easy to do if a new train is designed to include it, but I will start by looking at ATP/ETCS interfaces on the train.

Space is required for the electronics, and as on the Cambrian Coast 158’s this is not small but size will or even may have come down, it depends on the supplier. Speed and distance measuring devices, axle end tachogenerators, Doppler radar and Balise reader need space and wiring back to the electronics as does the driver interface.

How does the ATP interface to the train to do its job of stopping the train if an unsafe condition occur, well that’s quite simple. The ATP/ETCS operates an Emergency Stop Relay (ESR), contacts of which are cut into the trains emergency brake circuit. If the ESR deenergises for whatever reason the emergency brakes are applied and traction power cut off. Another relay, the Zero Velocity Relay will energise when the train is at a stand permitting doors to open etc.

There is more to this than I have described but you get the gist, however the ATO interface is rather more complex. This requires direct control of the traction and braking systems, the shear variety of such systems on the U.K. rail network presents a significant challenge. There is really no case for eliminating the driver is therefore unlikely to happen soon if at all. But read on.

Unattended operation, that is with no staff on board, is great for the mass transit market where public access to the track can be made secure, requiring Platform Screen Doors at stations and robust fencing on above ground sections. If this is not possible or prohibitively expensive there is no advantage in removing the driver, and except from high density service areas there is little to be gained with adding ATO.

 

[HSTEd]

There is a lot of waffle on this thread about eliminating drivers, the chances that this will happen in the near or far future are less than zero

Just like driverless cars are never going to happen?
In a long enough time horizon it is almost certain it will, if the railway even still exists at that point.

I have mentioned this before but it is worth reiterating. ATO on Thameslink and Crossrail core IS NOT about getting rid of the driver, it is all about consistent and therefore predictable inter station run times, required in order to reliably maintain the specified 24 trains per hour.

It is, does this mean that ATO will always be about this?

Let’s also look at the practical issues with adding ATO onto a train, something that is relatively easy to do if a new train is designed to include it, but I will start by looking at ATP/ETCS interfaces on the train.

ATO doesn't require much equipment fitted in addition to that fitted for ETCS - it is primarily a software installation or extra messages carried over the existing ETCS infrastructure, or certainly implementations exist which are largely this.

Space is required for the electronics, and as on the Cambrian Coast 158’s this is not small but size will or even may have come down, it depends on the supplier. Speed and distance measuring devices, axle end tachogenerators, Doppler radar and Balise reader need space and wiring back to the electronics as does the driver interface.

Most or all of this equipment will be required for ETCS fitment anyway, and ETCS is the wave of the future now.
The fraction of stock that will be ETCS fitted in the future will increase rather steeply.

There is more to this than I have described but you get the gist, however the ATO interface is rather more complex. This requires direct control of the traction and braking systems, the shear variety of such systems on the U.K. rail network presents a significant challenge. There is really no case for eliminating the driver is therefore unlikely to happen soon if at all. But read on.

Modern trains do all this in software now anyway, so the extra equipment required for the ATO interface to issue commands to the traction system is not really very large.

We really are in the drive-by-wire era in railway terms.

Unattended operation, that is with no staff on board, is great for the mass transit market where public access to the track can be made secure, requiring Platform Screen Doors at stations and robust fencing on above ground sections. If this is not possible or prohibitively expensive there is no advantage in removing the driver, and except from high density service areas there is little to be gained with adding ATO.

If we reach the point where driverless cars are released onto roads, why can't the same thing be done for trains?
The same sort of technologies are required in each case - in that it simply has to detect an obstruction ahead and apply the brakes.
Otherwise obey the commands of the signalling system.

 

[AlexNL]

in that it simply has to detect an obstruction ahead and apply the brakes.

The Copenhagen Metro had a laser and infrared based Obstacle Detection System on its overground stations when the network opened back in 2002. A lot of disruption was caused by this system, as it was triggered by a lot more than "people falling from the platform". It also got triggered by newspapers, leaves and snowfall.

Somewhere after 2014, the ODS has been replaced with platform screen doors.

 

[HSTEd]

The Copenhagen Metro had a laser and infrared based Obstacle Detection System on its overground stations when the network opened back in 2002. A lot of disruption was caused by this system, as it was triggered by a lot more than "people falling from the platform". It also got triggered by newspapers, leaves and snowfall.

Somewhere after 2014, the ODS has been replaced with platform screen doors.

Yeah, but we didn't have anything like driverless cars, even in theory, in 2002.
We now have automated obstacle detection on level crossings, and self driving cars driving around.
Moore's Law has made it practical in the last few years - indeed the first self driving car Grand Challenge run by DARPA had to be abandoned because none of the vehicles even made the starting line, the next one was a massive success with hundreds of vehicle-miles covered.

This is one of these problems where we have just reached the level of having the processing power and sensors to make it practical.

 

[BRblue]

Yeah, but we didn't have anything like driverless cars, even in theory, in 2002.
We now have automated obstacle detection on level crossings, and self driving cars driving around.
Moore's Law has made it practical in the last few years - indeed the first self driving car Grand Challenge run by DARPA had to be abandoned because none of the vehicles even made the starting line, the next one was a massive success with hundreds of vehicle-miles covered.

This is one of these problems where we have just reached the level of having the processing power and sensors to make it practical.

Ha,ha,ha
Because they nave not been the cause of any problems and are working fine I suppose?

 

[XDM]

Unattended operation, that is with no staff on board, is great for the mass transit market where public access to the track can be made secure, requiring Platform Screen Doors at stations and robust fencing on above ground sections. If this is not possible or prohibitively expensive there is no advantage in removing the driver, and except from high density service areas there is little to be gained with adding ATO.

I have travelled on 3 nopo, no person operation, railways that operate without any platform screen doors. The platform looked like any railway platform, although they were always straight. Two were lengthy satellite lines in open country running off the main driverless Singapore metro line(which does have platform doors). The third was a ten mile long line in China. I was apprehensive about using a NOPO line with no platform doors, but soon got used to it. My children took it for granted.And on all three lines people were hopping on an off like happy crickets. So it is wrong to say unattended trains need platform doors to operate safely.

 

[HSTEd]

Ha,ha,ha
Because they nave not been the cause of any problems and are working fine I suppose?

Well working well enough that it hasn't all been ripped out yet, which I think is the criterion.

 

[Tim M]

Just like driverless cars are never going to happen?
In a long enough time horizon it is almost certain it will, if the railway even still exists at that point.

It is, does this mean that ATO will always be about this?

ATO doesn't require much equipment fitted in addition to that fitted for ETCS - it is primarily a software installation or extra messages carried over the existing ETCS infrastructure, or certainly implementations exist which are largely this.

Most or all of this equipment will be required for ETCS fitment anyway, and ETCS is the wave of the future now.
The fraction of stock that will be ETCS fitted in the future will increase rather steeply.

Modern trains do all this in software now anyway, so the extra equipment required for the ATO interface to issue commands to the traction system is not really very large.

We really are in the drive-by-wire era in railway terms.

If we reach the point where driverless cars are released onto roads, why can't the same thing be done for trains?
The same sort of technologies are required in each case - in that it simply has to detect an obstruction ahead and apply the brakes.
Otherwise obey the commands of the signalling system.

I’m not going to try and respond to your individual comments except to say in my experience of nearly thirty years, managing the installation of ATP and ATO systems on new and existing trains from a wide variety of suppliers, the ATO is always the biggest challenge. Particularly if provision for ATO was never in the train manufacturers remit, and although most/all trains built over say the last ten years for the U.K. have passive allowance for ETCS, I doubt the ORR have included ATO. Adding Hitachi ATO (if they have a suitable product to a Japanese design) on a CAF train might be interesting, particularly if the ETCS is from say Thales.

 

[Bletchleyite]

Adding Hitachi ATO (if they have a suitable product to a Japanese design) on a CAF train might be interesting, particularly if the ETCS is from say Thales.

Probably not in reality, e.g. the Voyagers have an Alstom TMS to ensure compatibility with Pendolinos.

 

[HSTEd]

The ETRMS Working group is even now defining an ETCS Extension that will be the standard for ATO in new trains.

 

[pt_mad]

So everything that currently isn't 'totally safe, fool proof', (and anything short of perfect) should be stopped/withdrawn/never considered. Mmmm, do you drive a car, use plastics, drink alcohol, go into a public place if you feel unwell etc.? If the answer to all of those questions (and a hundred other normal activities) is NO, then if you are a train driver, you must be a hermit living next to your signing-on point. Of course even train drivers have (thankfully infrequent) failures in their duties which is not in any way a criticism of their performance, - the person who never makes a mistake hasn't been born yet. The railway is there to provide mass transport for the public, and employs people to do just that. It is not a job creation scheme that can carry passengers.
The ATO that will assist drivers in the TL core to meet the requirement of a nominal 24tph (30tph max.) service which is dictated by the demands of mass transport in parts of London and its environs. So far, it has passed its first passenger-carrying test. Any incidental issues arising will be dealt with as this new 'kettle of fish' is implemented over the next few months.

Sorry I didn't mean that ATO has to be free of risk when clearly even crossing the road carries risk as does driving our own car.


But, I was trying to put across that i think an ATO caused accident would be judged by the public on a different level to that of a human caused accident like a car crash if a major rail incident were to occur. As we judge automated machines by different standards to how we judge another living person. And we are less accepting when they make a critical error. As there are no punishment consequences which can be inflicted to a machine or computer.

The implications would be deemed as far more serious and with far greater long term consequences if the computer was in control at the time (if it turned out it was and the computer caused the incident). And as suggested earlier, society will not except consequences which can only be blamed on a computer system rather than a named person or organisation.

UK society (not sure about abroad tbh) I feel for example would not accept if a driverless car went out of control and fatally injured an innocent passenger or say a pedestrian stood on the pavement. Now I hope to word this in the most respectful way but society does in general as a whole accept the fact that manually driven cars can, do and will kill innocent people (obviously we hate that), but still permits their use. However, this is largely due to the fact that blame for a colision can nearly always be attributed to a person's error whether accidental or negligent. And this person then pays the consequences. If it were caused by a technical malfunction then a person may still likely be held responsible for not maintaining their vehicle or ensuring it is safe to drive.

Now this is where the motor industry is having problems with the principal of these driverless cars in the UK. Who takes out insurance, for what reason when they can't make errors, and at what cost? And who takes the blame? One fatal crash could in theory put a driverless car manufacturer out of business permanently if it killed someone through computer error. As who'd buy them? And who'd want them on the road even if there were a hundred deaths of innocent people a year rather than the thousands we have with manual cars today?


Now apply the same principle to the railway. In traditional fully manual driver operation, if the driving of the train is such which causes a serious incident, the driver will be questioned and punished if required. And the public I believe would believe that is the right way to deal with such an incident. Like with the tram incident where the driver lost consciousness and derailed. It was found to be driver cause and the public still use the tram and accept such a verdict. As the blame lay with a person. Same when that guy fell asleep in a 4x4 and it went off the road and rolled onto the ECML at Selby. A train collided with it and the blame lay with the driver of the car as he was negligent. The public still used the trains and didn't seem to blame Railtrack for not fencing off the verge because blame is preferred to lead to a person and usually does when a human is in full control of a vehicle or machine.


However, if you put a good share or more of the train driving into the capability of the computer, in the way we understand ATO does, and the computer did happen to cause a serious accident (I know people have said it's very very very very unlikely), but if it did happen, and the driver could not or wasn't quick enough to stop it, I don't believe the public would accept a verdict of blaming the train and it's computer. We can't put the train in prison and nothing can hurt it.

Blame would be expected to lead to either a person, like to blame the driver even if it was in ATO mode for not stopping the error even if the train didn't process a signal it received. Or, blame would be expected to lead to the system manufacturers, or NWR for commissioning it. Or all of the above.

And I don't think the consequences would be like they are if a driver makes a mistake. As in the driver is seriously repremanded and legally accountable, but trains continue in service and public still trust and support the system.
I suspect if there ever was (goodness forbid) an accident like we last saw in the 1990s in the UK and it ended up an onboard computer in ATO mode was found to be the cause, then I suspect if it went public the population would expect the use of ATO to be suspended immediately wherever it was used, pending a long and full investigation. And if it was deemed such errors could not be ruled out again even if it was once in every 250 billion processes, it would possibly mean faith and trust in the system would end up lost, and the industry would likely be expected to revert to manual operation until further notice.

Even if network rail took the blame for any serious incident, if anyone got hurt goodness forbid, if it (nwr) continued to support the system, I just don't see how it could get around telling the public very odd mistakes are possible very rarely and we have to see past that. They surely couldnt admit publicly there has to be some risk and passengers have to accept the onboard computer may make an error 0.000000000000000001 percent of the time and it just may be the time when it could do real damage. Whereas if there's a direct human blame we do tend to accept that in society.

I can't really see how this can be overcome. It will be ok providing that no critical errors are ever made which result in serious injury to a person due to the result of an ATO computer error onboard.

But the key point I am trying to make is that we will judge an automated computer program different to how we judge a person making a mistake. If you had a person in a factory using a welding tool and they made an error and ended up blinding someone through negligence, blame would likely be atributed to that person and the process at the factory would likely continue unskathed.
However, if you had an automated machine doing the factory welding and the computer made an error and blinded a person the machine would probably be withdrawn immediately and would probably never be used again at the factory due to no trust left in the automated system.

Hope that makes some sense.

If nothing else the thread is providing a very interesting and eye opening debate.

 

[bramling]

Just like driverless cars are never going to happen?
In a long enough time horizon it is almost certain it will, if the railway even still exists at that point.

It is, does this mean that ATO will always be about this?

ATO doesn't require much equipment fitted in addition to that fitted for ETCS - it is primarily a software installation or extra messages carried over the existing ETCS infrastructure, or certainly implementations exist which are largely this.

Most or all of this equipment will be required for ETCS fitment anyway, and ETCS is the wave of the future now.
The fraction of stock that will be ETCS fitted in the future will increase rather steeply.

Modern trains do all this in software now anyway, so the extra equipment required for the ATO interface to issue commands to the traction system is not really very large.

We really are in the drive-by-wire era in railway terms.

If we reach the point where driverless cars are released onto roads, why can't the same thing be done for trains?
The same sort of technologies are required in each case - in that it simply has to detect an obstruction ahead and apply the brakes.
Otherwise obey the commands of the signalling system.

There’s one other task that mainline ATO would have to perform - drive the train as fast as possible in changing weather and adhesion conditions. None of the ATO systems we have today have got anywhere near perfecting that without introducing a range of other issues, which ultimately start tipping the scales back in favour of the driver.

London Underground, Glasgow Subway, Thameslink Core, Crossrail Core, DLR - all Metro applications.

I tend to agree with comments made elsewhere in the thread, namely that automation may gradually (very gradually) reduce the amount of route knowledge required, and the reduction of training time may serve to slightly diminish the amount of bargaining power the driving grade has. But this is still some way into the future, and is by no means inevitable. Especially when as things stand at the moment the overall performance of train drivers is generally very good - both in terms of safety and productivity.

 

[philthetube]

The trains going through the TL core come from Brighton, Cambridge, Peterborough - locations which are up to around 150 miles apart - and converge on the core.

They also come across a variety of routes, ranging from the rural Sevenoakes line, the Sutton Loop, to the ECML and the MML.

The core is but 9 minutes of a 2+ hour journey.

It’s very, very, different to the tube.

The north side of the circle will soon have trains arriving from Uxbridge Amersham Watford Barking Edgeware Rd, and the south side of the circle, and I am sure that I will have missed something. I dont see how trains arriving form 30 miles away is any different to 150 miles. Many of these routes also interact with other services.

 

[axlecounter]

My understanding was that the transmission was always passive, but that the transparent data baslises were powered insofar as the LEU provided some power such that it changes the telegram (because if it were truly unpowered, I'm unaware of any way it could change what telegram was transmitted to the train)?

Fair enough. I thought you were specifically referring to the train-track transmission. Some kind of powering (from the LEU) of the balise input circuitry is needed, but none for the up-link transmission. Energy is especially required to evaluate signal quality and - when needed - do the above mentioned failsafe switch to the default telegram.

 

[Sunset route]

The north side of the circle will soon have trains arriving from Uxbridge Amersham Watford Barking Edgeware Rd, and the south side of the circle, and I am sure that I will have missed something. I dont see how trains arriving form 30 miles away is any different to 150 miles. Many of these routes also interact with other services.

I’m not sure, but I think the point or part of the point that Bromley Boy was trying to make was that for the 4miles ish of the ETCS ATO through Core to work is that the whole of the southern timetable, parts or the south Eastern timeble have had to rewritten, the midland main line and east coast time tables modified and have become subservient to Thameslink timetable to ensure that trains are presented correctly in their slot for the core for this marvel of modern computer wizardry to do its work. We now have trains from Ramsgate, Dover, Hastings, all along the south coast to Southampton, up to Milton Keynes, Sheffield, Nottingham, Leeds, Hull, Edinburgh, Inverness and Aberdeen amongst other that will have a direct regaulateing affect on what will happen to the service through the core. Thameslink is going to be complicated and the boffins are putting all their eggs in this ETCS and ATO technology to ensure as much as possible it will work. As a signaller I don’t think effects me much other than we might lose a couple of panels if they rollout ETCS ATO down to East Croydon to improve the presentation of the train service, but that will put the train drivers into a longer supervisory role in their cabs monitoring what the computer is up to. The same will apply if they extend ETCS ATO further out on both the MML and ECML.

 

[Tim M]

However, if you put a good share or more of the train driving into the capability of the computer, in the way we understand ATO does, and the computer did happen to cause a serious accident (I know people have said it's very very very very unlikely), but if it did happen, and the driver could not or wasn't quick enough to stop it, I don't believe the public would accept a verdict of blaming the train and it's computer. We can't put the train in prison and nothing can hurt it.

Sorry to come back to this again, but I don’t think you understand the hierarchy of Railway signalling and train control systems and the safety levels used in their design, this link may be of interest:

http://www.irse.org/knowledge/publicdocuments/ITC Report 38.pdf

The signalling interlocking is rated as SIL4, sometimes called ‘safety critical’ as is the ATP/ETCS system. The ATO today is SIL2 or ‘safety related’. There is in my direct experience of a a number of train control systems in a 38 year career, a very clear segregation of ATP and ATO such that the ATO cannot override any safety function provided by the ATP. Put simply the ATO cannot continue to drive the train if the ATP has applied the brakes. I can’t speak for other suppliers systems.

If you replaced ATO by ATP in your long, very long, comment you might have more of a point, but nobody in the signalling industry would suggest getting rid of an ATP system and just rely on the only system left, the driver. How many accidents would have been prevented with ATP, Harrow & Wealdstone is a prime example. AWS certainly helps, TPWS even more so but ATP is the ideal.

If an incident occurs, as has recently been found with problems applying temporary speed restrictions on the Cambrian Coast ETCS, the proper process is to use the RAIB, possibly the Health & Safety at Work Act and established law.

By the way, are you aware that UBER have tried a driverless taxi in the USA, a pedestrian was killed. I remain to be convinced that driverless cars are viable unless some form of physical segregation is provided.

 

[ComUtoR]

amongst other that will have a direct regaulateing affect on what will happen to the service through the core.

An interesting point there.

If I was at Shortlands with a Vic (on time) and there was a Blackfriars (running late) Would any regulating decision be based on its need to get to the Core at a specifc time ? You would be half forced to regulate based on Core running.
How far out would core regulation need to be applied ?

 

[jon0844]

Sorry I didn't mean that ATO has to be free of risk when clearly even crossing the road carries risk as does driving our own car.

But, I was trying to put across that i think an ATO caused accident would be judged by the public on a different level to that of a human caused accident like a car crash if a major rail incident were to occur. As we judge automated machines by different standards to how we judge another living person. And we are less accepting when they make a critical error. As there are no punishment consequences which can be inflicted to a machine or computer.

Look at the recent Uber incident with a pedestrian killed to see how people are already discussing this, as well as the long-term discussions about the moral dilemma of a computer having to decide what to do if there is a choice of swerve and X happens or keep going and Y happens.

 

[Sunset route]

An interesting point there.

If I was at Shortlands with a Vic (on time) and there was a Blackfriars (running late) Would any regulating decision be based on its need to get to the Core at a specifc time ? You would be half forced to regulate based on Core running.
How far out would core regulation need to be applied ?

For us in southern land, it’s everything that runs on the BML comes second to Thameslink core, even Gatwick express services will have to wiggle out of the way and the mainline to Victoria has to be seen as a branch line to the the main core network. As I said, for the computers to do their magic the humans that do the steering (set the routes) and the ones that do the stop/go/ and how fast (at the pointy end) have to do their bit first.

 

[Bald Rick]

Sorry I didn't mean that ATO has to be free of risk when clearly even crossing the road carries risk as does driving our own car.


But, I was trying to put across that i think an ATO caused accident would be judged by the public on a different level to that of a human caused accident like a car crash if a major rail incident were to occur. As we judge automated machines by different standards to how we judge another living person. And we are less accepting when they make a critical error. As there are no punishment consequences which can be inflicted to a machine or computer.

The implications would be deemed as far more serious and with far greater long term consequences if the computer was in control at the time (if it turned out it was and the computer caused the incident). And as suggested earlier, society will not except consequences which can only be blamed on a computer system rather than a named person or organisation.

UK society (not sure about abroad tbh) I feel for example would not accept if a driverless car went out of control and fatally injured an innocent passenger or say a pedestrian stood on the pavement. Now I hope to word this in the most respectful way but society does in general as a whole accept the fact that manually driven cars can, do and will kill innocent people (obviously we hate that), but still permits their use. However, this is largely due to the fact that blame for a colision can nearly always be attributed to a person's error whether accidental or negligent. And this person then pays the consequences. If it were caused by a technical malfunction then a person may still likely be held responsible for not maintaining their vehicle or ensuring it is safe to drive.

Now this is where the motor industry is having problems with the principal of these driverless cars in the UK. Who takes out insurance, for what reason when they can't make errors, and at what cost? And who takes the blame? One fatal crash could in theory put a driverless car manufacturer out of business permanently if it killed someone through computer error. As who'd buy them? And who'd want them on the road even if there were a hundred deaths of innocent people a year rather than the thousands we have with manual cars today?


Now apply the same principle to the railway. In traditional fully manual driver operation, if the driving of the train is such which causes a serious incident, the driver will be questioned and punished if required. And the public I believe would believe that is the right way to deal with such an incident. Like with the tram incident where the driver lost consciousness and derailed. It was found to be driver cause and the public still use the tram and accept such a verdict. As the blame lay with a person. Same when that guy fell asleep in a 4x4 and it went off the road and rolled onto the ECML at Selby. A train collided with it and the blame lay with the driver of the car as he was negligent. The public still used the trains and didn't seem to blame Railtrack for not fencing off the verge because blame is preferred to lead to a person and usually does when a human is in full control of a vehicle or machine.


However, if you put a good share or more of the train driving into the capability of the computer, in the way we understand ATO does, and the computer did happen to cause a serious accident (I know people have said it's very very very very unlikely), but if it did happen, and the driver could not or wasn't quick enough to stop it, I don't believe the public would accept a verdict of blaming the train and it's computer. We can't put the train in prison and nothing can hurt it.

Blame would be expected to lead to either a person, like to blame the driver even if it was in ATO mode for not stopping the error even if the train didn't process a signal it received. Or, blame would be expected to lead to the system manufacturers, or NWR for commissioning it. Or all of the above.

And I don't think the consequences would be like they are if a driver makes a mistake. As in the driver is seriously repremanded and legally accountable, but trains continue in service and public still trust and support the system.
I suspect if there ever was (goodness forbid) an accident like we last saw in the 1990s in the UK and it ended up an onboard computer in ATO mode was found to be the cause, then I suspect if it went public the population would expect the use of ATO to be suspended immediately wherever it was used, pending a long and full investigation. And if it was deemed such errors could not be ruled out again even if it was once in every 250 billion processes, it would possibly mean faith and trust in the system would end up lost, and the industry would likely be expected to revert to manual operation until further notice.

Even if network rail took the blame for any serious incident, if anyone got hurt goodness forbid, if it (nwr) continued to support the system, I just don't see how it could get around telling the public very odd mistakes are possible very rarely and we have to see past that. They surely couldnt admit publicly there has to be some risk and passengers have to accept the onboard computer may make an error 0.000000000000000001 percent of the time and it just may be the time when it could do real damage. Whereas if there's a direct human blame we do tend to accept that in society.

I can't really see how this can be overcome. It will be ok providing that no critical errors are ever made which result in serious injury to a person due to the result of an ATO computer error onboard.

But the key point I am trying to make is that we will judge an automated computer program different to how we judge a person making a mistake. If you had a person in a factory using a welding tool and they made an error and ended up blinding someone through negligence, blame would likely be atributed to that person and the process at the factory would likely continue unskathed.
However, if you had an automated machine doing the factory welding and the computer made an error and blinded a person the machine would probably be withdrawn immediately and would probably never be used again at the factory due to no trust left in the automated system.

Hope that makes some sense.

If nothing else the thread is providing a very interesting and eye opening debate.

I understand what you are saying, but I disagree.

If (and it’s a very big if) there was an incident caused by the automatic system, there would understandably be public concern. However I would expect the public to be reasonably logical and set it in the context of the big picture.

As far as I know, there has never been a fatal accident caused by an ATO system on any railway worldwide. If I’m wrong someone will no doubt correct me. Similarly I’m not aware of any fatal incidents caused by autoland on airliners. Back to railways there have been no fatalities caused by MCB-OD level crossings. In all three of these areas of automation, there is plenty of history that shows that having these in manual control causes incidents and fatalities. I would expect the public to ask what had gone wrong, but set it in the context of the much, much better safety record through automation than than through manual operation.

Sticking with a hypothetical railway example - if one day an SSI interlocking somehow causes a collision, would the public demand all SSI interlockings be switched off and we go back to men with flags?

 

[Bletchleyite]

Look at the recent Uber incident with a pedestrian killed to see how people are already discussing this, as well as the long-term discussions about the moral dilemma of a computer having to decide what to do if there is a choice of swerve and X happens or keep going and Y happens.

Most probably the only way to handle this is for the debate to be had on a national level and for legislation to be in place.

 

[jon0844]

Most probably the only way to handle this is for the debate to be had on a national level and for legislation to be in place.

What's the betting there will be a scandal in the future where it is found that a car maker used a recognition system to determine that some people were considered a more worthy 'target' than others when a collision is inevitable? Does it go for the child, the elderly person, the person of a particular colour/race?

At least on the railway these moral dilemmas don't really exist as a train can't steer, and people shouldn't be in the path of a train. If they are, it wouldn't be the fault of the train or operator.

 

[swt_passenger]

An interesting point there.

If I was at Shortlands with a Vic (on time) and there was a Blackfriars (running late) Would any regulating decision be based on its need to get to the Core at a specifc time ? You would be half forced to regulate based on Core running.
How far out would core regulation need to be applied ?

It's called a traffic management system, (TMS) and I think Bald Rick has explained its coverage area (either distance or time based) in another thread, I'll see if I can find it...

 

[Sunset route]

It's called a traffic management system, (TMS) and I think Bald Rick has explained its coverage area (either distance or time based) in another thread, I'll see if I can find it...

Outside the core only the BML controlled by TBASC not to be confused with TBROC has a contract signed for TMS and we are still waiting to see something.

 

[AM9]

Sorry I didn't mean that ATO has to be free of risk when clearly even crossing the road carries risk as does driving our own car.


But, I was trying to put across that i think an ATO caused accident would be judged by the public on a different level to that of a human caused accident like a car crash if a major rail incident were to occur. As we judge automated machines by different standards to how we judge another living person. And we are less accepting when they make a critical error. As there are no punishment consequences which can be inflicted to a machine or computer.

The implications would be deemed as far more serious and with far greater long term consequences if the computer was in control at the time (if it turned out it was and the computer caused the incident). And as suggested earlier, society will not except consequences which can only be blamed on a computer system rather than a named person or organisation.

UK society (not sure about abroad tbh) I feel for example would not accept if a driverless car went out of control and fatally injured an innocent passenger or say a pedestrian stood on the pavement. Now I hope to word this in the most respectful way but society does in general as a whole accept the fact that manually driven cars can, do and will kill innocent people (obviously we hate that), but still permits their use. However, this is largely due to the fact that blame for a colision can nearly always be attributed to a person's error whether accidental or negligent. And this person then pays the consequences. If it were caused by a technical malfunction then a person may still likely be held responsible for not maintaining their vehicle or ensuring it is safe to drive.

Now this is where the motor industry is having problems with the principal of these driverless cars in the UK. Who takes out insurance, for what reason when they can't make errors, and at what cost? And who takes the blame? One fatal crash could in theory put a driverless car manufacturer out of business permanently if it killed someone through computer error. As who'd buy them? And who'd want them on the road even if there were a hundred deaths of innocent people a year rather than the thousands we have with manual cars today?


Now apply the same principle to the railway. In traditional fully manual driver operation, if the driving of the train is such which causes a serious incident, the driver will be questioned and punished if required. And the public I believe would believe that is the right way to deal with such an incident. Like with the tram incident where the driver lost consciousness and derailed. It was found to be driver cause and the public still use the tram and accept such a verdict. As the blame lay with a person. Same when that guy fell asleep in a 4x4 and it went off the road and rolled onto the ECML at Selby. A train collided with it and the blame lay with the driver of the car as he was negligent. The public still used the trains and didn't seem to blame Railtrack for not fencing off the verge because blame is preferred to lead to a person and usually does when a human is in full control of a vehicle or machine.


However, if you put a good share or more of the train driving into the capability of the computer, in the way we understand ATO does, and the computer did happen to cause a serious accident (I know people have said it's very very very very unlikely), but if it did happen, and the driver could not or wasn't quick enough to stop it, I don't believe the public would accept a verdict of blaming the train and it's computer. We can't put the train in prison and nothing can hurt it.

Blame would be expected to lead to either a person, like to blame the driver even if it was in ATO mode for not stopping the error even if the train didn't process a signal it received. Or, blame would be expected to lead to the system manufacturers, or NWR for commissioning it. Or all of the above.

And I don't think the consequences would be like they are if a driver makes a mistake. As in the driver is seriously repremanded and legally accountable, but trains continue in service and public still trust and support the system.
I suspect if there ever was (goodness forbid) an accident like we last saw in the 1990s in the UK and it ended up an onboard computer in ATO mode was found to be the cause, then I suspect if it went public the population would expect the use of ATO to be suspended immediately wherever it was used, pending a long and full investigation. And if it was deemed such errors could not be ruled out again even if it was once in every 250 billion processes, it would possibly mean faith and trust in the system would end up lost, and the industry would likely be expected to revert to manual operation until further notice.

Even if network rail took the blame for any serious incident, if anyone got hurt goodness forbid, if it (nwr) continued to support the system, I just don't see how it could get around telling the public very odd mistakes are possible very rarely and we have to see past that. They surely couldnt admit publicly there has to be some risk and passengers have to accept the onboard computer may make an error 0.000000000000000001 percent of the time and it just may be the time when it could do real damage. Whereas if there's a direct human blame we do tend to accept that in society.

I can't really see how this can be overcome. It will be ok providing that no critical errors are ever made which result in serious injury to a person due to the result of an ATO computer error onboard.

But the key point I am trying to make is that we will judge an automated computer program different to how we judge a person making a mistake. If you had a person in a factory using a welding tool and they made an error and ended up blinding someone through negligence, blame would likely be atributed to that person and the process at the factory would likely continue unskathed.
However, if you had an automated machine doing the factory welding and the computer made an error and blinded a person the machine would probably be withdrawn immediately and would probably never be used again at the factory due to no trust left in the automated system.

Hope that makes some sense.

If nothing else the thread is providing a very interesting and eye opening debate.

Without repeating your post line for line, I will make three points:

1) Autonomous road vehicles are in a different situation to rail vehicles, at least in the UK, namely that the former operate on highways where other humans control their own movements, - thus their operators are required to account for unplanned (but perfectly legal) actions which may require emergency action to prevent loss of life and/or property. The latter (rail vehicles) operate on TOC/track operator controlled property where public access is strictly controlled which is established in law. So there is a totally different situation of an incident being the railway's responsibility with the exception of cases where unauthorised trespass is concerned when any claim on behalf of the trespasser would be diminished ort even dismissed. In the case of an incident deemed after RAIB investigation to be a failure of the operator or a manufacturer (which could include a software error), there would be a legal process to determine ultimate liability.
2) Railway systems (like flight, car, plane and many other systems that have the potential to cause harm when failures occur) do fail very rarely and it has been the case since the very first trains ran. The UK, and much of the developed world has routinely investigated, analysed and recommended/mandated changes following event to remove or reduce the likelihood of them recurring. Railway investigations in the UK have been very fastidious for most of the railway's life resulting in a good safety record. Most of the safety infrastructure and practices we have today are as a result of this process.
3) Automation is not new on the railway, automatic block signalling has been around in some form or other for over 100 years. Occasionally failures occur, the main impact being everything stops delaying passengers. Very rarely, something goes wrong that creates a danger. It's unfortunate for those involved, but everybody usually benefits from that knowledge gained and the fix that follows. Failures that involve erroneous human activities aren't so easily fixed, out of a large population, there are always a few who aren't careful enough to do everything correctly, and worse - even fewer who decide to 'game' the system because they know better. With computers there is much less chance of misuse so they can reduce the opportunities for that type of abuse, (and provide a record of attempts to do so). As far as absolute reliability of computers in safety critical and safety support roles, the avionics industry have been key to developing the designs and their support processes such that even in a very weight, power and overall cost sensitive industry, automation failures are very rare. Most of the events causing harm* are through electromechanical failures (which would be there even in a fully manual flight operation) or human error. So I don't see automation integrated with established systems on the railway as any kind of safety threat providing it is executed responsibly.
* assuming that the aircraft is being operated within its specified limits.

 

[bramling]

The north side of the circle will soon have trains arriving from Uxbridge Amersham Watford Barking Edgeware Rd, and the south side of the circle, and I am sure that I will have missed something. I dont see how trains arriving form 30 miles away is any different to 150 miles. Many of these routes also interact with other services.

It's still a metro application, and let's see how the system handles changing adhesion conditions on the long open sections. The Central Line tolerates operating incidents and manual driving on a regular basis, and the Jubilee and Northern lines are set to a low brake rate in the open. Neither of these workarounds are suitable for the mainline.

 

[Bald Rick]

It's still a metro application, and let's see how the system handles changing adhesion conditions on the long open sections. The Central Line tolerates operating incidents and manual driving on a regular basis, and the Jubilee and Northern lines are set to a low brake rate in the open. Neither of these workarounds are suitable for the mainline.

What is the brake rate in the open on the Jubilee & Northern? It feels about the same as the normal full service braking rate for mainline trains (0.9%g)

 

[hexagon789]

What is the brake rate in the open on the Jubilee & Northern? It feels about the same as the normal full service braking rate for mainline trains (0.9%g)

I think it's 5-6%g, roughly equal to Step 2 on mainline disc braked trains.

 

[bramling]

What is the brake rate in the open on the Jubilee & Northern? It feels about the same as the normal full service braking rate for mainline trains (0.9%g)

I forget which, but it's either 4m/s/s or 5m/s/s IIRC. LU have been trying to improve upon this since implementation, but have essentially hit against a proverbial brick wall - for various reasons. Even with this brake rate there are adhesion issues on occasions.

 

[whoosh]

When driving a car, you have to actually ignore the Highway Code and rules of the road when it's busy. Instead of giving way, you seek eye contact with another Driver for them to let you out. A computer can't do that. Not unless ALL cars drive themselves and can speak to each other. And that's just one scenario.

Why can't we create a computer with a brain that can drive stuff? Oh hold on, it's already here, is called a person, and can charge itself up with food.