1,273 research outputs found

    In loco intellegentia: Human factors for the future European train driver

    The European Rail Traffic Management System (ERTMS) represents a step change in technology for rail operations in Europe. It comprises track-to-train communications and intelligent on-board systems providing an unprecedented degree of support to the train driver. ERTMS is designed to improve safety, capacity and performance, as well as facilitating interoperability across the European rail network. In many ways, particularly from the human factors perspective, ERTMS has parallels with automation concepts in the aviation and automotive industries. Lessons learned from both these industries are that such a technology raises a number of human factors issues associated with train driving and operations. The interaction amongst intelligent agents throughout the system must be effectively coordinated to ensure that the strategic benefits of ERTMS are realised. This paper discusses the psychology behind some of these key issues, such as Mental Workload (MWL), interface design, user information requirements, transitions and migration and communications. Relevant experience in aviation and vehicle automation is drawn upon to give an overview of the human factors challenges facing the UK rail industry in implementing ERTMS technology. By anticipating and defining these challenges before the technology is implemented, it is hoped that a proactive and structured programme of research can be planned to meet them.

    Correct-by-Construction Tactical Planners for Automated Cars

    One goal of developing automated cars is to completely free people from driving tasks. Automated cars that require no human driver need to handle all traffic situations that a human driver is expected to handle, and possibly more. Although human drivers cause a lot of traffic accidents, they still have a very low accident and failure rate that automated systems must match. Tactical planners are responsible for making discrete decisions during the coming seconds or minute. As with all subsystems in an automated car, these planners need to be supported with a credible and convincing argument of their correctness. The planners' decisions affect the environment and the planners need to interact with other road users in a feedback loop, so the correctness of the planners depends on their behavior in relation to other drivers and the environment over time. One possibility to ascertain their correctness is to deploy the planners in real traffic. To be sufficiently certain that a tactical planner is safe by that method, it needs to be tested on 255 million miles without having an accident. Formal methods can, in contrast to testing, mathematically prove that the requirements are fulfilled. Hence, they are a promising alternative for making credible arguments of tactical planners' correctness. The topic of this thesis is how formal methods can be used in the automotive industry to design safe tactical planners. What is interesting is both how automotive systems should be modeled in formal frameworks, and how formal methods can be used practically within the automotive development process. The main findings of this thesis are that it is natural to express desired properties of tactical planners in formal languages and use formal methods to prove their correctness. Model Checking, Reactive Synthesis, and Supervisory Control Theory have been used in the design and development process of tactical planners, and all three methods have their benefits, depending on the application. Formal synthesis is an especially interesting class of formal methods because they can automatically generate a planner based on requirements and models. Formal synthesis removes the need to manually develop and implement the planner, so the development efforts can be directed to formalizing good requirements on the planner and good assumptions on the environment. However, formal synthesis has two limitations: the resulting planner is a black box that is difficult to inspect, and it is difficult to find a level of abstraction that allows detailed requirements and generic planners.