 So good morning to the new people who just arrived and to everyone else who was already here. We're at the third presentation now. Julia Thaisel from Vienna University is here to give her experiences about using ADA in a novel project in autonomous train control, sorry. And there's a lot to say about that, so I will give it forward to you. Welcome to my presentation about autonomous train control system. It was the first approach. Why am I using ADA and why am I programming things for autonomous trains? I was a student of embedded systems engineering at FA Campus Wien in Vienna and my lecturer came to me and said, ah, I heard you're interested in autonomous cars. They are so complicated, so why not autonomous trains? It's easier and there's a very beautiful programming language and there's an IDE for the Raspberry Pi, so why not? I was a bit sick of writing C code and of pointers and all that stuff. So I said, why not? Give it a try. And so I was introduced to the AUSADOTS project. It means Autonomous Schienengebundene on Demand Open Track Systeme. Very catchy name, I know. In English it means Autonomous Rail Bond on Demand Open Track Systems. It's a project by the Vienna Institute of Safety and Systems Engineering at FA Campus Wien and it's funded by the Magistral Department for Economics, Job Market and Innovation Policy Aspects and Statistics. Also a catchy name. So as you see, Austrians are not that good in naming things. The MR-23, so the Magistral Department, is funding a lot of college, university and research projects in Vienna. So what are the project objectives? They want to create a safety concept for development and application of AUSADOTS. They want to check if the existing standards, for example, the 10-Elec standard can be applied for AUSADOTS and they want to perform and analyze and risk assessment. So autonomous and rail bonds. There are special requirements for different things. For the vehicles, it means they have to monitor the approaching area because if there is something on the track, it's not good that the train is continuing his drive. There must be communication between the cabins. There must be communication with the control center and the intersections. And then there are special requirements for the control center. It must schedule the cabins and the cars. It must create a priority allocation. There must be track monitoring and there must be intersection monitoring. And also performing emergency actions if necessary. There are also special requirements for the stations. There must be station monitoring regarding safety and security concerns because if somebody is hacking your camera system, it concerns the safety of your passengers. There must be platform and platform edge monitoring and there must be information about arriving and departing vehicles and there must be communication with the control center. What means on-demand and what is so special about on-demand? Normally trains have a fixed schedule. This is not the part of our system. In our system, a cabin drives only to a station if somebody needs a cabin right now. It's like an horizontal elevator so you press a button, a cabin is coming. There are two push buttons per station which decide in which direction you want to drive and there are push buttons inside each cabin like an elevator where you can say I want to go out here or I want to go out on the next station. And you have to place trains along the track to reduce waiting time because if you have two terminals in a very large distance from each other and somebody is calling a cabin in the middle of the track, this person doesn't want to wait half an hour for a cabin. So open track. What is an open track? To explain what an open track is, I first explain what closed tracks are. Closed tracks are completely closed off. As the name says, there are tunnels or fences or walls around it. There is no interaction with cars, bicycles or pedestrians and seldom there is oncoming traffic. A good example is the Rubin project. It's the autonomous subway in Nuremberg. Regarding open track systems, it's a bit different. The track is not closed off. So for example, if the track is next to a forest and a tree falls down, you have to check if there is something on the track or there could be a cow walking along your track and saying oh, that's fine. That's a good place to stand and chew. Also, there is interaction with cars, bicycles and pedestrians because there will be intersections. And if it's a single track, there will be oncoming traffic. The railway network, the actual situation in Austria is that 50% of all tracks in Austria are single track branch lines. 50% of these branch lines are not electrifying. And most of these branch lines are underexploited or shut down because of high operational costs and declining passenger numbers. So we need a new solution. We are searching for a new solution and we hope our project will be the new solution. One project location would be the Valley of Dürer Liesing. It connects the outskirts of Vienna to Carlton-Loidgim, which is a small town next to Vienna. There are five stations. Some parts are next to a forest. It was in the 1950s that the passenger transport was shut down and in 2014 the last train drove to a cement plant. Then they closed the track completely, but in the last years a lot of houses were built there and there is only one road inside the Valley. So in the mornings and in the evenings when the people go to work or are coming from work they are standing in a traffic jam. There is one public transport. It's a bus. The bus is also standing in the traffic jam. But still the Austrian Railway Foundation says no, it's not cost effective to re-establish the connection. So we hope that our system will be not that expensive and will give the people an opportunity of public transport. So what was my part in the whole system? I had to build a model railway. Easy. People are doing this in their free time. It can't be so hard. Program autonomous on-demand systems. An autonomous on-demand system. It shouldn't be that hard either. And finding the optimal position for passing loops since most of the track is a single track. Yeah, two years later I finished my master's thesis so it was a bit high. This is my model railway. Well, picture looks good. It's close to the track in Carton-Lloyd-Gaben but I had to build a spiral since my space was a bit limited. My system architecture consists of nine different things and I will explain them in detail later. The track, the trains, an ASU command station, a microcontroller and STM32F1, LEDs, push buttons, two Raspberry Pis, a switch and a laptop. So normally the railway system works with blocks. Blocks are segments of a track. And normally in front of each block you have two signals, a pre-signal and a main signal. The pre-signal indicates what is probably going to happen and the main signal indicates if the next block is free or occupied. This is state of the art. This is what the 10LX standard requires but since I didn't want to build a normal railway system I developed my own safety concept to avoid collisions. I divided my track into sections. Between the red dots are the possibilities for a train to stop and a section is going from, for example, here to here. Each section has a start point, a centerpiece and an endpoint. And if, for example, a train wants to reserve a section it has to look if all the other sections with the same centerpiece are also free because, for example, if a train wants to drive from here to here another train could be driving from here to here and they are using the same centerpiece and since it's single track it would be a collision would occur. So these are my rail cars. They are looking very old-fashioned but these were the only cars with a passenger compartment and a toilet. Inside the train you can see a lot of cables. These are connected to an MX632 decoder which converts the signals which are transported along the tracks into a protocol that the train understands. Then you have the ASU command station which is normally the heart of a model railway because you can perform all the actions you want. You can switch turnouts, you can set the train speed and so on. I used it as an expensive converter because it converts the DCC railcon format protocol to IP packages which were easier to handle. So it's a 600 Euro converter. And I'm using it to test things because I was new to model railways so I used it to test if my track is working if my turnouts are switching and so on. Then I'm having an STM32F1 microcontroller and LEDs. The software is written in C. At the moment I tried to program the software with my students in ADA but we had some problems with ADA on microcontrollers. The microcontroller receives commands via UAD, acknowledges each command and then uses a PVM signal to control the LEDs. We designed and 3D printed the cases ourselves and glued some RGB LEDs inside. And I positioned several LEDs along the track and I divided them into four different lines, the two terminal stations, the stations at the passing loops, the stations on the single track and we have an intersection with the track. So the push buttons, each station has two push buttons to determine in which direction you want to go. If the LED is turned on inside the push button it indicates that a train call is in process and the LEDs turn off when the train arrives at the station. We have a control Raspberry Pi which is the system's brain. It knows everything, it decides everything and the software is written in ADA why I'm here today. I will talk about it in detail later. Then we have the message Raspberry Pi, the software is written in C-Shop, also by a colleague of mine. It handles all the messages inside the system between the control Raspberry Pi, the ASU command station, the STM32 and the push buttons. Then we have a switch because I had a lot of ethernet connections and a laptop to debug the message Raspberry Pi and start the server application because there was no screen attached to both Raspberry Pis. So this is the whole system architecture. You can see the track and the trains here. They are communicating with the ACOS. ACOS is translating the DCC RAIDCOM protocol into IP packages. The IP packages are then sent to the message Raspberry Pi which analyzes them and sends them to the control Raspberry Pi. We have the laptop to start the server application and watch the output. Then we have the STM32 which is connected to the signals and the push buttons attached to the GPIO pins of the Raspberry Pi. There is the possibility to push an emergency stop button because each safety critical system should have an emergency stop which can be pushed from the outside. It cuts the power supply of the ACOS and there is also the possibility to make a hardware stop via software when the control Raspberry Pi says, okay, I have to perform an emergency action and the emergency action is to cut the power of the ACOS so no train is moving. Looks very clean and nice. Yeah. This is what happens when a software engineer starts soldiering for the first time. And a problem was that I had to build the system on two plates because the idea was it has to be transportable. It was never transported but it had to be. So I had to design connectors. Yeah, requirements. Yeah. A lot of work. Okay, the control Raspberry Pi software. We have eight AIDA packages, one C and a header file and seven tasks. There is the communication task, the reading interface task and for each train, a task. So five tasks because I have five trains at the moment on the track. The communication task starts all the other tasks, establishes a connection to the message Raspberry Pi which is acting as a server, analyzes all the messages and forwards the messages to the train tasks. What means analyzing a message? It disambles the received string, decides if for example a push button was pressed or a message is coming from the ACOS or if it is an acknowledgement from the STM32. If a push button was pressed the software has to select a train. I can't select every train. I have to decide is there a train already driving in the direction of the station and is it possible for the train to stop at the station? If not, which train is closest? If there are two trains in the same distance I have to choose the one with the least operating hours because I assume that after a certain amount of operating hours each train has to be serviced so it would be good if all the trains had at least approximately the same amount of operating hours. If the message is coming from the ACOS I have to look which train is waiting for an acknowledgement or which train task is waiting for a message. The reading interface task is very short it reads all the messages coming from the message Raspberry Pi and pushes them into a queue where they are read by the communication task. So the train tasks. The train task starts when it is for example the closest to a station. The train is set as reserved. The end station is set depending on the button which was pressed. And then I have to look am I perhaps already standing at the station where the call came from? If yes, I can directly set the direction depending on the terminal station. If not, I have to drive first to the calling station. Then I have to search a section. I have to try to reservations if it works fine. If not, the whole process is started again. At the moment there is no action if this is an infinite process. I have to change this because it's not very safe if a train is searching and searching and searching and never becoming a section. But if the reservation was successful I can set the first turnout wait for an acknowledgement and the second turnout in the section set the second turnout. Then communicating with the STM32 I forgot to say my signals only indicate if a section was reserved successfully and the train starts to drive. So if a section is reserved successfully the signal will turn green while all the other signals are turned red. I accept the intersection where it's the other way around. If a train is driving through the section with the intersection the signals for the cars turn red. So first we have to decide which light line we want to choose then set the LED numbers this can be one LED or all the LEDs of the line. We can choose a color and then we have to look if the crossing light is needed and if yes we have to repeat the whole process for the crossing line. Then we set the light inside the train to indicate that the train will start now then we set the train direction and finally we can start to drive. We increase the operating hours then we have to wait if the centerpiece is reached within time if yes we have to wait if the next station is reached within time if no we perform an emergency stop where we cut the power of the ACA so all trains have to stop. Because I decided if an autonomous system fails there must be a human interaction to guarantee freedom of errors because it's not possible I decided that it's not possible that the system corrects itself. If we reached the next station we reset the light so we turn the green light to red we free the section so another train can use the section and then we have to look are we already at the terminal station if not we have to repeat the whole process for the next section if yes we set the train speed to 0 we free the train and turn off the light again and wait for the next call so special features of ADA which I really enjoyed I really liked the reason why I don't want to program in any other language than in ADA once you start you never can stop creating your own data types it really helps to map the real world to your code and it helps to prevent assigning variables bigger or smaller variables it helps to so values outside of the skirt of your variables cannot be assigned so you can be sure that only values that you want to be assigned are assigned to your variables protected types really beautiful thing if different tasks are using the same functions because for example the function for reserving a train shouldn't be used by different tasks at the same time it will cause problems rendezvous with the synchronization and communication mechanism between tasks I really liked it because it's very beautiful to use records which are like structs easy to use, beautiful to use and procedure parameters I really liked that it's possible to assign as many parameters as I want to assign to a procedure I can have free in parameters five out parameters if I want to I don't have to use a structure I don't have to use a pointer I can map whatever I want to my code so a short demonstration I already had to detach the light because I needed them for another project you will see I decided that there must always be a train waiting here to reduce waiting time and if this train starts another train has to take its place hopefully it starts I'm calling a train to a station the train starts it starts to drive you will see here another train starting the first train arrives at the station it waits a short amount of time and then drives to this terminal station now something really really bad happens because the train with the passengers inside has to wait until this train passes the single track bad design didn't thought about it but the next version will look at this so that if two trains want to use the same single section the train without passengers inside has to wait until all other trains with passengers inside passes and if there are two trains with passengers inside I have to look at the amount that the trains have already taken during their drive and the amount they probably will take and the one with the smaller amount has to wait so what's next? that's my next track looks nice these are 46.75 square meters my old track had 4.2 square meters a bit bigger but since numbers are numbers it's hard for me to map them to the real world here's a picture in the background you can see half of my old track and since it's also difficult to see how really big it is that's me standing on it but playing with model railways is not my job, I'm a software engineer so what will the next software version look like? I want to write most of the code in Spark Spark is the part you use for safety applications the part of ADA you use in safety applications I want to customize the scheduling algorithm to reduce waiting time and to reduce traveling time we will see if a Raspberry Pi is fast enough I also want to distribute the intelligence so every train becomes its own controller and a lot of sensors around it so each train can decide if it's safe to drive or not and then we will see how many unnecessary lines of code I wrote these are the sources of the pictures thank you for your attention any questions? yes, I never measured it I don't know but it maps there's a track in Austria from Obavad to Pinkafeld which says nothing if you don't live in Austria about in the real world 30 km and it's 1 to 87 km if you map it to a model railway one of the problems you might face could be deadlock prevention did you plan for that already? yes because all your three posts at the end are full and for some reason the fourth car arrives you have a deadlock we have different solutions but there is a possibility to move trains on the next track I will not use sections this big the sections are really really small for example on this track you have five sections where you can stop and trains are allowed to move one step behind so the next train can approach did you test how many cabins you meet per passenger or how many passengers fit into that system? we didn't test it but the cabins will hold 15 to 20 passengers can you estimate how many? no we have to test it two years ago and now there is one cabin and we have to start testing and you have to see if the passengers are willing to take the train because it's always difficult with autonomous systems that the passengers are willing to use them in Austria it's especially difficult what is new is we don't want to use it and if it's autonomous it's even more so it's difficult otherwise the cabins behind the first one always have to wait for the next car to come through the question if I understood it right was to combine cabins to a train if there are many calls we want to do that for example in the morning there are a lot of calls we want to switch to a fixed schedule instead of a demand option if you push a button and call a train it doesn't mean the train is coming immediately it means there are between 10 and 5 minutes waiting time so you can't look if there are other people on the train you mentioned you had problems using ADA on the STM yes I didn't get the runtime running yes but it's a problem I hopefully will fix today I don't know who wants to go first you were saying that you are trying to distribute the logic on the track so are you planning to distribute sensors on the track and have the logic distributed on that matter also in the beginning of the presentation you talked about that you may have open tracks this is an open track so on that matter are you also thinking any kind of solution to detect those obstacles and have some we will have special sensors on the intersection on the intersections to detect for example cars approaching or pedestrians approaching and on the trains we will test radar, ultrasonic and oh my god I forgot the third leader thank you yes and we have to see what solution is the best if we have to combine all three methods and we want to use machine learning algorithms to monitor the stations and are you already working on projects with real units or just models not me but colleagues of me yes and my system is for testing the scheduling algorithms and do a few tests with sensors what was the question does the system take into account the profile of trucks because different vehicles can move at different speeds depending on for example incline declines and arrive at different speeds so you come there and you decide what truck should be moved first to the section yes for this track it's very easy because it's in the Burglund and the Burglund is plain so but the first track I showed the Carlton Leutgen track there we have big problems because there is a huge decline thank you and we have to test it at the moment we have one real cabin and it's now driving in the Burglund and not at the other track so we have to test if it's working when you are testing your software moving collisions have you seen good yes block oriented safety is a very old concept however it's very effective do you see a chance to replace it by something smoother which takes into account the speed of the trains and the distances there is something it's called moving blocks we want to adapt it but it's difficult with the standard because the railway standard is very strict and the people in Austria are very strict concerning the standard so we will see if we have to use moving blocks or if we are allowed to create something new right now you're creating a heuristics of this small train and you have one separate strategy what do you think of the well done is that on a scale to a real large train system that connects in many places is that going to come up with the right heuristics I never thought about it it was a first approach we tested it with one track we will see if my software is working with a bigger track but it's not planned to replace the whole railway network in Austria it's we just want to replace the branch lines which are not used very frequently so it's not planned for the whole railway system so many questions when I press a button to ask for a train or when I'm in a train and I press a button for destination can the schedule algorithm predict and show me the time of arrival? not right now but it will but it depends always if you are I don't know at the third station and you are driving in this direction and they're in between two stations it can't predict and you have to step in at the two stations but there will be in the meantime yes yes something like this you said you had a colleague program there you have exchanges on the merits of your respective approaches and underlying technologies did you exchange on the merits of each technology and what it brings? they had the fixed idea not to use ADA and I couldn't convince them so yeah maybe you can show them this stuff perhaps you mentioned in your next version you will be using spark and the question is what level of spark are you planning to just freedom of exceptions so basically no runtime hours so where are you going all the way to actually prove functional correctness? I want to prove functional correctness because it's required for a safety application your system only has one brain one CPU there so that fails and done for so presumably you are going to plan to have multiple processes and somehow have redundancy of tasks not redundancy of tasks but there will be a supervisor looking if everything goes right and if it detects a failure then there will also be an emergency stop so we will have redundancy well an emergency stop seems a bit dramatic yeah but that's in normal railways we have multiple systems so that if one computer fails yes but that's only a model in the real world there will be multiple computers but I don't design the real system so I'm not sure and it's not designed yet so we are testing different solutions and we will see what will be the best solution so I can't tell how many computers there will be but of course there must be redundancy not really a question but since you mentioned the idea of the horizontal elevator the university in Prague has something that surprised me it was an elevator but instead of asking for direction and then going into the elevator and asking for your story they have the buttons to choose the story outside already the system knows beforehand where you want to go maybe that helps you also so you know where the passenger actually wants to go but what if the passenger inside the cabin gets a call and wants to go out at another station of course it's just I mean most of the time it will go where you want to go I can only reinforce what he said this is really the future of elevators okay we have this elevator so it exists already yeah it exists but it will be the future of elevators okay okay so I don't know if I missed it but I was wondering you are building all these giant model trains is there any reason why you are not using some kind of simulator or trying to work on having a simulator for this? yes because we have to convince politicians and they need real buttons to press and see things moving around I imagine that so it would be interesting to have a simulator we also have a simulation yes yes yes of course do you have a set of requirements that you need on the wheel tracks in order to do this and have you evaluated the possible effort and the process to retrofit what you need on to the existing tracks? no no because at the moment there are no requirements they are writing the requirements right now and I will adapt my software to these requirements later but I have to start with something so yes one of my friends is specialist for elevators and there are tenders to develop elevators which can only move vertically but also horizontally so there will be a similarity between trains and elevators in the future on the flight on the way here I read something about elevators going in all directions okay thank you for an interesting presentation thank you