Autonomous Systems - Facing up to the Regulatory Challenges
"It is critical that the rail industry starts to develop a commonly agreed and accepted regulatory framework to aid the introduction of autonomous systems." - Vaibhav Puri
The first issue that people face when discussing autonomous systems is that the term is used interchangeably with ‘automation’ or ‘automated systems’. All autonomous systems are automated systems; however, not all automated systems are truly autonomous!
At a basic level, a truly ‘autonomous system’ can decide for itself what to do and when to do it, with no human intervention. To reach true autonomy, a system in most cases evolves through stages from human operated to fully autonomous. Given the complexity of railway systems and their environment, it is likely that any autonomous systems will need to be integrated with other systems that are at different stages in the automation scale.
According to the International Association of Public Transport (UITP), there are five Grades of Automation (GoA) of trains:
- GoA 0 is on-sight train operation, similar to a tram running in street traffic.
- GoA 1 is manual train operation where a train driver controls starting and stopping, operation of doors and handling of emergencies or sudden diversions.
- GoA 2 is semi-automatic train operation (STO) where starting and stopping is automated, but a driver operates the doors, drives the train if needed and handles emergencies. Many ATO systems are GoA 2.
- GoA 3 is driverless train operation (DTO) where starting and stopping are automated but a train attendant operates the doors and drives the train in case of emergencies.
- GoA 4 is unattended train operation (UTO) where starting and stopping, operation of doors and handling of emergencies are fully automated without any on-train staff.
From this grading system it can be claimed that it is only at level GoA 4 that the train as a system becomes fully autonomous … but is that the case?
It all comes down to the boundaries and definition of the system in question. A train could have a specific function that is autonomous: for example, its braking function could be operated fully autonomously by Artificial Intelligence (AI), but the train could still have a driver for other functions. The train as a system is therefore not fully autonomous (it may be only at GoA 2). Similarly, even if GoA 4 is claimed to have been achieved, it is possible that the train is being remotely supervised and is probably a mixed initiative of the train AI and the human supervisor working together.
Does the law care about whether a system is autonomous or not?
No. Or at least not yet. The law places obligations on people and organisations and is ultimately disinterested in the nature of those systems as such – self-thinking or otherwise. It only cares about how individuals and organisations manage implications (safety or otherwise) for themselves, their employees and others, by taking reasonable steps to minimise negative implications.
There can be legal obligations on parties responsible for:
- Supplying, including design and manufacture of assets
- Operating and maintaining the assets and performing related functions/activities
- Regulating and supervising the supply and operation of assets
The law often states ‘what’ those obligations apply to, which starts to define a system boundary of those legal obligations. It is important to understand how these overlap with the ‘autonomous engineering system boundary’. If the autonomous system goes beyond an organisation’s current legal obligations as shown on the left side of Figure 1, then its deployment will require more than one party to act, thereby placing a greater emphasis on cooperation and coordination for successful implementation.
Figure 1: Does the autonomous system go beyond the boundary of obligations of a single legal entity?
For the railway, the subsystems are defined in the Railway Interoperability Directive and obligations associated with those subsystems are found in relevant regulations such as Rail (Interoperability) Regulations (RIR) 2011, Technical Specifications for Interoperability (TSIs), etc.
The railway subsystems are either structural (assets) or functional (around operation and management of the assets). Figure 2 shows that, as a function becomes increasingly autonomous, it moves from being a pure functional system to becoming part of an asset (it is increasingly black boxed). This transfers the legal obligations from the operator (in terms of conditions of use) to the designer/manufacturer of the asset (which now includes the previously human function) and increases the need for having a more complex higher-level system which monitors and controls other systems (some autonomous and others less so).
Figure 2: The change in system characteristics, obligations and control mechanisms while evolving towards autonomy
Additionally, as this move from functional to structural subsystems occurs, the demands on co-ordination and integration with other non-autonomous systems become greater, as Figure 3 illustrates. Therefore, moving from a human function to an autonomous one does not necessarily mean less complexity in terms of management of the whole system, and requires greater clarity and transparency of how the whole system is managed. It is a cycle that repeats itself: as more autonomy is sought, more functional areas go through the cycle, adding to the management and monitoring complexity.
Figure 3: The cycle of transition from functional to structural systems leading to an increasing demand for co-ordination, integration and supervision
The level of autonomy should not undermine the ability to monitor, supervise and intervene, and should continue to allow a duty holder to easily answer two basic questions required by law:
- Is our operation sufficiently safe, or do we need to make a change and who do we need to consult about this change?
- We have decided to change something affecting our operation: is the change sufficiently safe?
How can we assure that autonomous systems meet legal obligations?
There needs to be a clear rationale about why an autonomous system is the appropriate solution. Is it because the current level of human involvement has become too ineffective or unreliable to reasonably address objectives and concerns (such as those relating to safety and reliability) to an acceptable level? Or are there productivity gains to be had?
If autonomy is considered a reasonable way forward by the duty holder, then how can it be implemented in such a way that it achieves expectations and meets all the legal obligations? RSSB’s general guidance on Taking Safe Decisions and risk analysis provide the foundations for a robust and adequate assessment.
This needs to include the requirement to examine what the introduction of ‘autonomy’ does to the wider railway system affected by the change in question. The wider railway system is NOT limited to the legal obligation boundary of one party, or the autonomous engineering system boundary. It is the boundary of the changed system as a result of the introduction of autonomy. This can extend beyond the proposer’s legal obligation boundary and could require other parties to do something differently to support safe operation and implementation of a change to the railway system.
Figure 4: The wider boundary of the changed railway system
Managing risk: how can risk assessment and standards help?
Implementation decisions are almost always required in law to be underpinned by suitable and sufficient risk management and assessment approaches such as the application of the Common Safety Method on Risk Evaluation and Assessment.
Some of the challenges relate to the confusion between the:
- Acceptance of a changed railway system because of introduction of autonomy
- Acceptance of an autonomous product by a user from a manufacturer as a reliable and safe product
The basis for risk acceptance when it comes to autonomous systems has proved to be a challenge due to a lack of consensus and formalisation of verification and validation procedures and approaches.
Sector- and area-specific standards and guidance agreed through industry governance would go a long way in addressing these challenges. Developing frameworks that allow clear categorisation of the critical parameters of an autonomous system, differentiating one autonomous system from another based on their benefits and risks, will also go a long way in developing a common language for how to grapple with rapid progress in this area. Standards increasingly written with functions and expected and acceptable performance in mind, rather than hardwiring solutions or human operator assumptions and constraints, also help.
Clearly, rapid technological progress is being made and when it comes to autonomous vehicles, legislation is also progressing. For example, in the UK a bill is going through Parliament at the moment to define when insurance companies will pay out in the event of a crash.
In rail we do not yet have the commonly agreed and accepted regulatory frameworks, standards and guidance in place to aid the introduction of autonomous systems. That’s the real challenge, and technology may be the easy bit. If this challenge is not addressed, then, as always, technology will lead the way and the regulatory framework will have to follow and react, potentially causing delay or acting as a barrier to progress. Therefore, it is critical that the rail industry starts to address this issue now.
In the next article Luisa Moisio, R&D Programme Director, will reflect on what growing automation could mean for rail jobs.