A GoA4 Control Architecture for the Autonomous Driving of High-Speed Trains Over ETCS: Design and Experimental Validation

This work deals with the design of a control system enabling the autonomous driving of Grade of Automation 4 (GoA4) for high-speed trains over ETCS. GoA4 requires trains to autonomously adapt their behaviour to the different driving conditions occurring in real-world trips and involving a wide range of possible maneuvers, even in the presence of unexpected events forcing ETCS interventions. To ensure this high automation level, we propose a hierarchical, modular and scalable control architecture, named Autonomous Driving Function (ADF). It embeds the main ATO functionalities, i.e., optimization of the recommended speed profile and train speed tracking, both nontrivial tasks due to train nonlinear dynamics and complex external environment, while being still compliant with railway standards. Hence, ADF is devoted to the real-time trajectory planning, considering the actual data acquired and the current driving situation along with the related on-line constraints, and to the trajectory tracking which, realized via different classes of controllers, ensures a safe and efficient train motion, also compliant with the railway standard. ADF is designed according to the Model Based Control Design (MBCD) approach which fully covers the V-Cycle development process and supports automatic C code generation compliant to standard EN50128, early design validation, testing, simulation and run-time verification. Finally, thanks to the experimental validation, carried out on an inspection high speed prototype vehicle, ADF has the prospect of becoming an inherent architecture for guaranteeing the GoA4 autonomous diving for HST over ETCS.

Abstract-This work deals with the design of a control system enabling the autonomous driving of Grade of Automation 4 (GoA4) for high-speed trains over ETCS.GoA4 requires trains to autonomously adapt their behaviour to the different driving conditions occurring in real-world trips and involving a wide range of possible maneuvers, even in the presence of unexpected events forcing ETCS interventions.To ensure this high automation level, we propose a hierarchical, modular and scalable control architecture, named Autonomous Driving Function (ADF).It embeds the main ATO functionalities, i.e., optimization of the recommended speed profile and train speed tracking, both nontrivial tasks due to train nonlinear dynamics and complex external environment, while being still compliant with railway standards.Hence, ADF is devoted to the real-time trajectory planning, considering the actual data acquired and the current driving situation along with the related on-line constraints, and to the trajectory tracking which, realized via different classes of controllers, ensures a safe and efficient train motion, also compliant with the railway standard.ADF is designed according to the Model Based Control Design (MBCD) approach which fully covers the V-Cycle development process and supports automatic C code generation compliant to standard EN50128, early design validation, testing, simulation and run-time verification.Finally, thanks to the experimental validation, carried out on an inspection high speed prototype vehicle, ADF has the prospect of becoming an inherent architecture for guaranteeing the GoA4 autonomous diving for HST over ETCS.
Index Terms-High speed train, automatic train operation, grade of automation 4, control architecture for autonomous I. INTRODUCTION R AIL transportation systems, involving the main railway line, urban rail transit and new High-Speed Railway (HSR), have received great interest in the last decades due to the strong changes required by the higher technological level, travel speed and services quality [1].In this context, new challenges arise for HSR systems about the insurance of train operation safety [2].Three main components influence it, i.e., the ground infrastructure, the moving train body and the signaling/control system.This latter, called Automatic Train Control (ATC) system, imposes smooth acceleration/deceleration maneuvers and supports the energy saving, as well as brake wearing, by replacing the trackside signalling with cab signalling [3].Indeed, according to the technical literature, ATC is defined as an automatic control architecture which allows guaranteeing not only collision avoidance by increasing safety requirement, but also the improvement of control and signaling systems performance, as well as the reduction of energy consumption [4].ATC system involves the following interactive sub-modules: i) Automatic Train Protection (ATP), designed to prevent collisions; ii) Automatic Train Operation (ATO), which provides partial or complete automatic train piloting and driverless functions; iii) Automatic Train Supervision (ATS), responsible for the monitoring of the train movement to satisfy the intended schedule and traffic pattern.Specifically, with the development of Information and Communication Technologies (ICT), ATO represents an emerging technology aiming at improving the efficiency of railway traffic operations by automatically making real-time decisions in terms of accelerating, coasting and braking commands [1], [5].The main ATO functionalities can be summarized as follows [1]: i) guaranteeing an autonomous driving between two stations by exploiting real-time information in terms of speed limits, actual speed and position from ATP, and travel direction and destination from ATS; ii) ensuring the automatic train stopping when it enters the stopping area; iii) insurance of automatic opening and closing for train doors when the train dwells or departs from each station by exploiting information exchanging between HST and wayside equipment; iv) guaranteeing the train automatic direction reverse at terminals.The international standard IEC 62290-1 2014 clarifies the automated level of train operation systems by defining five Grades of Automation (GoA) [6].According to this international standard, GoA0 and GoA1 require the presence of operations staff to manually pilot the train.GoA2 introduces some partial or automatic train piloting by guaranteeing the control of the speed at cruising and the stopping of the train at the stations.However, the train driver must be ready to take over control at any time and to handle emergency situations, which, hence, are not managed by ATO.Conversely, with GoA3, ATO automatically performs normal operations, such as route setting and train regulation, but still under the supervision of train operations staff.The highest level of automation is the Unattended Train Operation (UTO) or GoA4, where the train is fully autonomous and has to adapt its behaviour based on the encountered driving scenarios and the ETCS supervision limits, even in unexpected situations forcing the ETCS intervention.Therefore, all the tasks are performed by ATO without any on-train staff, which, however, can remotely control the train motion [7].How ensuring GoA4 autonomous driving is still an open issue in the technical literature [8] which is going to be explored, especially in high-speed and complex external environment.Indeed, existing works on ATO system for HST focus either on trajectory planning [9] or trajectory tracking problems [10].Nevertheless, to the best of authors knowledge, there is a lack in the designing of a unified control architecture towards the GoA4 of HST over ETCS, where several on-line requirements have to be matched and unexpected events/anomalies have to be timely counteracted via adaptive mechanisms.With the aim of addressing this challenge, this work deals with the design of Autonomous Driving Function (ADF), a novel unified hierarchical control architecture, which guarantees both real-time trajectory planning and tracking for HST over ETCS in GoA4 perspective, where different driving scenarios along with the related on-line constraints are tackled.To this aim, ADF is equipped with different classes of controllers in order to ensure a safe and efficient train motion, also compliant with railway standards.The proper selection of the controllers to be invoked is managed by a behavioural adaption algorithm which, based on the specific driving condition involved, selects the suitable action to impose on the train motion with bumpless transfer features during controllers switching phases.Most notably, the second main contribution of this work relies on the experimental performance evaluation of ADF on a real inspection prototype vehicle provided by Rete Ferroviaria Italiana S.p.A. (RFI).Experimental results, carried out considering a wide range of train maneuvers, confirm the effectiveness and the efficiency of the proposed solution.
Finally, this article is organized as follows.Section II presents the closely related works on ATO system for HST and highlights the advantages of ADF w.r.t. the literature.The crucial requirements and functionalities of ATO system over ETCS for HST in GoA4 perspective are deeply detailed in Section III, where we also state the problem to be tackled, along with the description of the longitudinal control-oriented HST dynamics appraised for MBCD approach.In Section IV, the ADF architecture is presented and details about each layer/module are provided along with the description of the designed endowed controllers.The experimental set-up, the driving scenarios and the obtained results are presented in Section V. Conclusions and future works are drawn in Section VI.

A. Related Works
The state-of-the-art on ATO system for HST is extensive and varied.Two main issues have been recognized for the improvement of ATO systems [1]: i) optimization of recommended speed profile, which is a complex problem with multiple objectives and several constraints, including speed limits, track curvature and traction efficiency; ii) train speed tracking, which is even more difficult due to train complex dynamic models induced by extremely high-speed and complex external environment.
To address control objective i), a large amount of works designs novel algorithms able to generate optimal speed reference trajectories by taking into account energy consumption minimization and both operational and safety constraints.For instance, [9] addresses and solves the on-line generation problem of train speed profile in energy-saving perspective via Model Predictive Control (MPC) approach in a moving-horizon manner, which embeds real-time running conditions (e.g., temporary speed restrictions) allowing the on-line scheduling process of the train.Herein, by repeatedly solving the train control problem as a multi-phase one via pseudospectral method, the energy-efficient train speed trajectory can be obtained on-line, while also considering a delay recovery process to re-schedule the train operation when the delay time during the trip exceeds a specific threshold.A real-time Dynamic Multi-Objective Optimization Problem (DMOOP) algorithm is proposed in [11] to compute the eco-driving speed profile by fulfilling punctuality requirement and passengers comfort.This latter mechanism mixes two dynamic algorithms, i.e.Dynamic Non-dominated Sorting Genetic Algorithm II (DNSGA-II) and Dynamic Multi-Objective Particle Swarm Optimization algorithm (DMOPSO), to faster track the Pareto front changes w.r.t.static procedures and achieve better energy savings.Again, a notch speed trajectory optimization method, based on Mixed Integer Linear Programming (MILP), is introduced in [12] to satisfy the traction/braking demands, which dynamically change with the selected notch by introducing a series of binary variables.Some works leverage the Genetic Algorithm (GA) technique to solve the optimization process of ATO speed curve [5], [13].For example, [13] designs the optimization procedure by considering some performance indexes for ATO systems, such as speed protection, punctuality, accurate parking, comfort indexes and energy saving requirements.Based on the same performance indexes, [5] suggests a multi-objective optimization strategy for the modified genetic algorithm, where its convergence speed has been increased by adding a penalty term into the fitness objective function.
As above-mentioned, train speed tracking control objective ii) becomes a hard task as speed increases and running interval decreases, since the running process of HST is coupled with nonlinear and uncertain dynamical model and the related complex environment.To deal with these challenging issues, an adaptive output feedback control protocols is introduced in [14] to guarantee a robust position and speed tracking, which is based on neural network observers allowing velocity estimation and model uncertainties approximations.Herein, observer/controller parameters are adjusted online, while the system stability is proven through a formal proof based on Lyapunov method.Among the different control techniques, Siding Mode Control (SMC) is widely recognized as one of the most efficient control scheme when dealing with control of nonlinear uncertain system along with disturbances/uncertainties rejection [15].Along this line, a robust adaptive nonsingular terminal sliding mode (NTSM) control strategy, with an online estimation of the unknown parameters of the sliding manifold, is proposed in [16].It is able to guarantee the convergence towards zero of the position/velocity tracking errors for ATO systems in the presence of unknown parameters, model uncertainties, and external disturbances.To improve SMC performance in counteracting uncertain nonlinear dynamics and external disturbances, [15] proposes a combination of Model Reference Adaptive Control (MRAC) and SMC.
According to [17], by running along a fixed line day by day, the operation environment for a HST can be considered almost repeatable due to the presence of same tunnels, slopes, bridges and so on [18].The repeatability property of train systems can be useful to improve trajectory tracking and speed regulation performance via Iterative Learning Control (ILC) theory, which exploits tracking errors and control input information of the previous executions (iterations) (see [17], [19], [20] and references therein).Specifically, [20] is able to fully exploit the available information related to previous running cycles to adjust the current driving behaviour, while also guaranteeing that the HST can effectively track the guidance trajectory without deviation after repeating the same trip enough times.
However, the conventional ILC algorithms always consider the repeatability property in time domain, while the operation process of HST is repetitive in spatial domain.To overcome this problem and address a spatial learning, [17] reveals the link between temporal and spatial gradients, thus enabling the conversion of the operation dynamics from time to spatial domain.In doing so, the ILC algorithm designed in [17] becomes feasible and it is able to ensure the convergence of the tracking process in the presence of time-varying adhesion dynamics between wheel and track via the definition of a new Composite Energy Function (CEF), without requiring the common assumption in ILC theory of globally Lipschitz property for the dynamic system.To face both uncertain dynamics and actuator saturation, an adaptive data-driven Koopman MPC strategy is introduced in [21] to solve the automatic train tracking control problem.Herein, firstly the Koopman operator theory is used to obtain an explicit linear dynamical train model that reflects train nonlinearities, thus resulting in a Koopman model involving an online adaptive mechanism able to cope with the changing dynamic characteristics; then MPC is designed under comfort and actuator constraints.In the wide range of advanced control methods for ATO systems, fuzzy control [22] and predictive fuzzy control [23] are extensively employed.Specifically, an adaptive fuzzy controller, based on residual nonlinearity approximation, is adopted in [22] to solve ATO trajectory tracking problem in the presence of protection constraints provided by ATP and Movement Authority (MA).These latter allow solving the problem via the error-prescribed performance control methodology, thus establishing the Uniformly Ultimately Boundedness (UUB) property of the entire system.By organically integrating fuzzy decision making and predictive control, a fuzzy predictive control strategy is proposed in [23], where the predictive control allows obtaining output and errors predictions, while the fuzzy controller with a proper set of rules ensures tracking performance.As in [22], protection constraints have been considered also in [10], where a resilient nonlinear gain-based feedback control approach is suggested.This strategy is able to guarantee that, if initial conditions are properly chosen, protection constraints are satisfied along with tracking performances.To reduce the transmissions of redundant information and the control updating frequency, [24] introduces an event-triggered control technique for prescribed tracking performance control problem of ATO systems, which guarantees that prescribed dynamic tracking performance (in terms of transient bounds, over-shooting and ultimate values of tracking errors) falls into a prescribed region, while avoiding Zeno behavior.
To make a train stop smooth and accurate at the appointed stopping location, it is helpful to carefully model the braking process.This aspect is investigated in [25], where the braking process for stop control of HST is formulated as a single-point time delay model and a Picard iteration-based identification method is applied to the resulting time delay system, meaning that system parameters are identified via principles of Ordinary Differential Equations (ODEs).
As the current ATO technology is still based on traditional automata theory, a first attempt in innovating the global ATO structure via Artificial Intelligence (AI) technologies can be Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
found in [26], where the concept of iATO architecture is introduced.Herein, authors emphasize the benefits that the introduction of big-data on operation conditions, as well as of Deep Reinforcement Learning (DRL) on decision-making process, could lead in safety, energy efficiency and comfort, but without providing a discussion on control objectives i) and ii) and their integration in iATO architecture.

B. Contributions
From the literature review on ATO system, it is possible observing a lack of a unified control architecture towards the GoA4 of HST over ETCS.Indeed, from Section II-A, a wide part of the technical literature is more focused on optimization speed profile problem, while another part addresses the train speed tracking control problem.Moreover, the different existing solutions analyse specific driving scenarios with a limited number of maneuvers to be performed.
However, GoA4 requires trains to adapt their behaviour to the different driving conditions occurring in real-world trips and involving a wide range of possible maneuvers [27].This implies that the train has to autonomously choose the specific maneuver to perform on the basis of the encountered driving situation -even in the presence of unexpected events requiring eventually a re-scheduling of its trajectory (e.g., due to ETCS intervention)-and to manage the transitions, as well as the priorities among them.
To this aim, differently from the technical literature, we propose a novel unified control architecture which guarantees both the real-time trajectory planning and tracking for HST over ETCS in GoA4 perspective.The proposed control architecture is modular and organized into three different layers where, besides the primary one dealing with the input storage, the secondary and tertiary layers embeds two main crucial tasks, i.e., the trajectory planning and trajectory tracking.The trajectory planning, embedded into the secondary layer, generates the Optimal Driving Profile (ODP) that train has to track as the result of the total energy consumption minimization during the track segment.This optimization problem takes into account both actual acquired data and the current driving situation along with the related on-line constraints, such as punctuality, safety, comfort, train physical limits, ETCS intervention and position limits.It results that the secondary layer is the orchestrator of ADF architecture.Then, the tertiary layer deals with the trajectory tracking task of the computed energy-friendly ODP by exploiting different classes of controllers which, enabled/disabled by trajectory planner and based on the specific driving situation, aim at ensuring a safe and efficient train motion, also compliant with the railway standard, while facing external disturbances, parameters uncertainties and gradient profile.Note that, the tertiary layer supervises the overall driving maneuvers and guarantees a smooth train motion by ensuring that no bumpless phenomena occur during the switching among the different controllers.Most notably, by exploiting real-world Track data from Italian railway, experimental analysis confirms the effectiveness of the proposed solution.
In light of the above, Table I offers a prompt comparison of the proposed ADF control architecture with respect to existing ATO state-of-the-art controllers, from 2019 up to now, in terms of guaranteed functional requirements, i.e.: i) addressed problem (speed optimization and/or tracking); ii) constraints to be ensured in the design process; iii) presence of ATP/ATS intervention; iv) flexibility to several driving modes and behaviour adaptation capability; v) validation (simulation and/or experimental validation on a realistic/simplified scenario).

III. ATO OVER ETCS FOR GOA4 HIGH SPEED TRAINS
ATO is a key subsystem within ATC module and deals with all the control issues of the train operations in different driving conditions, such as stopping operation, traction and braking control (see [14] and references therein).Thus, it plays a crucial role in monitoring and driving the HST in a safe and GoA4 perspective, where driverless capability and unattended operation system are required [27].To this end, ATO has to perform three main tasks, namely: i) trajectory planning to compute the reference motion profile for the next trip by defining the acceleration, cruising, coasting, or braking phases during the whole trip so to satisfy the timetable and trackside constraints; ii) trajectory tracking to guarantee that the train, in real-time, travels according to the planned reference behaviour; iii) behaviour adaption to real-time constraints imposed by the ETCS system or unexpected events, such as changes in End of Authority (EoA) position and MA, in order to ensure punctuality, safety and energy-efficiency behaviour.
Controlling HST in GoA perspective is not a trivial task since the ATO system has to drive the train motion such that it could be: 1) compliant with the journey profile, expressed in terms of timetable for each passing points and stopping points, i.e., the End of Autority (EoA), and maximum allowable speed along the trip (i.e., the Limit of Autority (LoA)); 2) compliant with ETCS constraints, such EoA, braking curve and speed limits in order to guarantee the travel safety; 3) compliant with train physical constraints, such as maximum speed, headway time and braking reaction time; 4) able to face with sudden anomalies events which could occur during the travel, such as the presence of obstacles along the railway road or of a new EoA imposed by ETCS, via an emergency braking maneuver; 5) capable of being re-scheduled according to real-time train/track conditions; 6) able to guarantee the comfort, safety and energy saving while realizing an accurate position and velocity tracking of the journey Profile; 7) able to ensure robustness and resilience to train dynamics nonlinearities and exogenous environmental factors (such as adhesion factors and gradients changes), which becomes harder as the train speed increases and the running interval decreases.Now, it is possible formulating the problem statement as follows.
Problem 1: Consider an HST driving along a railway line under the supervision of ETCS.Our aim is to design a novel control architecture for ATO system, named Autonomous Driving Function, able to drive the HST according to GoA4 requirements, i.e. guaranteeing the achievement of the control tasks i)-ii)-iii) while ensuring the fulfillment of requirements 1)-7).
ADF, consisting of three layers embedding all the ATO over ETCS under GoA4 functionalities, is designed according to MBCD approach [28], [29] by leveraging a control-oriented second-order nonlinear model for HST dynamics.
Remark 1: ETCS supervision in Problem 1 also allows considering the occurrence of possible unexpected events such that ETCS intervention is invoked [30] 1 .

A. Dynamical Control-Oriented Model for Longitudinal HST
The control-oriented HST longitudinal dynamics can be described by the following second-order 1 https://transport.ec.europa.eu/transport-modes/rail/ertms/what-ertms-andhow-does-it-work_ennonlinear system [14]: where p(t) [m] and v(t) [m/s] are the longitudinal position and velocity of the HST, while M [kg] refers to its mass; F r (v(t)) [N ] is the resistive force depending on rolling and aero-dynamic drag, computed as [31]: being γ , η and ι the physical Davis parameters of the system; F grad ( p(t)) [N ] and F cur ve ( p(t)) [N ] are the forces due to the slope gradient and curve radius, respectively, which are evaluated as [32] F grad ( p(t)) = M r s g sin(α( p(t))), Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
being M r s [kg] the rolling stock mass, g [m/s 2 ] the gravity acceleration, α( p(t)) and ρ( p(t)) the gradient angle and the radius of curvature, respectively, while κ( p(t)) an empirical parameter that depends on the curvature radius and the track gauge [27].Finally, u(t) [N ] is the control input that provides the desired traction/braking force according to train movement mode.Indicating with x(t) = [ p(t) v(t)] ⊤ ∈ R 2×1 the HST state vector, the nonlinear dynamics in (1) can be recast in the state-space form ẋ(t) = f (x(t), u(t)), i.e.: where b = 1/M and ψ( p(t), v(t)) is the nonlinear vector field defined as

IV. AUTONOMOUS DRIVING FUNCTION CONTROL ARCHITECTURE
To solve Problem 1, we propose the novel ADF architecture which, on the basis of ATO operating modes, computes the ODP to follow in order to satisfy timetable and protection constraints.The ODP is, then, optimized in real-time so to take into account dynamical ETCS constraints, Journey profile re-scheduling necessity and resilience to disturbances and uncertainties factors while ensuring safety, comfort and energy-saving.Finally, this latter becomes the input of the low-level train control system for driving the HST motion.As depicted in Figure 1, ADF is composed of three layers, namely: • the primary layer aims at collecting in real-time the different input necessary for the computation of ODP, i.e., position and current speed train measurements, information about journey profile, ATO operational mode, ETCS speed and distance limits, and so on; • the secondary layer is the orchestrator of ADF, which, based on the information coming from the primary layer, plans the proper ODP trajectory to be imposed to HST -according to the requirements 1)-2)-3) in Section IIIand, eventually, re-schedules the computed ODP so to face sudden anomalies events or changing in trains/tracks conditions, as required by points 4)-5) in Section III; • the tertiary layer deals with the trajectory tracking task of the resulting energy-friendly ODP, thus providing the low-level control input.The main focus of this work are the secondary and tertiary layers since the primary one only handles with information storage.Note that, if information are noises [33], different filtering methods, such as Kalaman filters can be embedded into the primary layer [34].
The tertiary level embeds two controller which are enabled on the basis of the required driving mode: a) the Remote Driving (RD), if there is an external operator piloting the HST; b) the Autonomous Driving (AD), if all the driving operations are autonomously carried out.Each of them computes the control action u(t) in ( 1) to be imposed on the train, based on the ODP reference signal provided by the secondary layer, while also considering real-time constraints and robustness issue w.r.t.unexpected events/anomalies.Therefore, the secondary layer, i.e. the Supervisory Controller (SC), represents the core of ADF since it computes in real-time all the possible ODP for the different driving situations, even if some critical events and unexpected situations occur.Meanwhile, it manages the proper enabling/disabling of the RD/AD modes, while optimally handling the transition between the two control logic.Specifically, when a constant desired speed reference input signal is received from an external operator, SC computes the reference time-varying speed v r e f (t) and enables the RD for guaranteeing its tracking objective while considering track constraints.Conversely, based on journey profile and track data, SC computes the ODP profile, i.e. x r e f (t), expressed in terms of timetable position and speed while empowering AD for tracking performance.
In the sequel, we explain in detail all the main features of these designed controllers in order to better clarify their corresponding functionalities and control objectives.For the sake of clarity, we start the description from the control design carried out at the tertiary level.
Remark 2: ADF is a scalable and modular control architecture able to be customized for different kind of HST, such as freight, passenger and inspection.This latter type strongly motives the usage of the two driving modes, as proposed in the tertiary level, where the RD modes can be strongly helpful for diagnostic purposes [35].

A. Remote Driving
In RD mode, the aim is to design a proper control action that allows guaranteeing the safe and precise tracking of the reference speed v r e f (t), real-time computed by SC according to: the constant speed imposed by an external operator; speed limits constraints imposed by track, i.e. 0 ≤ v(t) ≤ v max ; train maximum acceleration/deceleration; the presence of EoA and Stopping point.Therefore, given the reference speed profile v r e f (t), the control goal is the design of the control action u(t) = u R D (t) such that: lim t→∞ ∥v(t) − v r e f (t)∥ = 0, while counteracting all external disturbances and uncertainties, due to track-side, acting on the vehicle dynamics.To this end, the RD controller is designed as a robust Gain-Scheduling Proportional-Integral-Derivative (GSPID) strategy plus a feedforward action ensuring the train control and robustness in all the operating conditions, i.e.: where   The stability of the overall nonlinear closed-loop system under the action of RD control in (7) can be easily derived following well-known procedures in technical literature (e.g., see [36], [37]).Namely, closed-loop stability can be ensured according to the following main steps.First of all, train operating points are parameterized according to the scheduling variable v r e f .Then, PID controllers are designed by leveraging linearized models of (1) at each operating point x = [ p, v] ⊤ = [ p r e f , v r e f ] ⊤ , i.e.: with Specifically, the feedback control gains k p (σ ), k i (σ ) and k d (σ ) in ( 7) are selected to ensure the robust stability of the closed-loop frozen linearized system at a related operating point v r e f = v = σ .To this end, we first leverage pole-placement technique to proper assign the control gains so to obtain a Hurwitz-stable closed-loop linearized matrix [37]; then Lyapunov-based method analytically proves the stability of the entire frozen closed-loop system for each given operating point (interested reader may refer to [36] for more details).Iterating the procedure for each v r e f (t) ∈ [0, v max ] with step 1[m/s], the parameterized family of linear controllers is obtained to achieve the desired performance for each operating train condition.Gain values are hence stored in a gain look-up table.The parameter-varying controller k p (v r e f (t)), k i (v r e f (t)), k d (v r e f (t)) is finally generated from the above mentioned finite set of linear time-invariant controllers.The interpolation method in [38] preserves the stability of the overall closed-loop nonlinear system.

B. Autonomous Driving
In AD mode, given the reference behaviour imposed by SC, i.e. x r e f (t) = [ p r e f (t) v r e f (t)] ⊤ , computed on the basis of Journey Profile information, as well as ETCS/track-side constraints, the aim is to design a proper control strategy aiming at: i) optimizing the reference driving profile and guaranteeing its optimal tracking performance; ii) guaranteeing the energy saving; iii) taking into account any possible dynamical motion constraints and legal requirements arising during the travel.Hence, the objective is to design a proper control law u(t) = u AD (t) such that: To fulfill control objectives in (10), while satisfying real-time constraints on train motion, we design the control input u AD (t) via a Nonlinear Model Predictive Control (NMPC) strategy as the solution of the following constrained optimization problem: where u AD (τ, t) denotes the control input to be optimized; x(τ, t) is the actual state of the HST, while (•) min and (•) max stand for the minimum and the maximum bounds of the related variable (•).Note that v max in ( 11) is defined as the minimum value between the maximum allowable train speed and the Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
where ω 1 , ω 2 , ω 3 and ω 4 are positive weights to be properly selected [39].Note that, the first and second terms in (12) guarantee that the HST tracks the reference profile x r e f (t), while the last ones ensure comfortable and smooth adjustment of the manipulated variable so to avoid its strong sudden variations.

1) NMPC Design and Closed-Loop Stability:
The stability of the overall nonlinear closed-loop system under the action of AD control in (11) can be easily derived following well-known results in the control theory literature (e.g., see [39], [40]).Namely, the NMPC stability is mathematically ensured if the plant satisfies the following assumptions: A1) the nonlinear vector field in the plant model is twice continuously differentiable; A2) the control input region is compact, convex and contains the origin; A3) the Jacobian linearization of the nonlinear system is stabilizable; A4) the optimal control problem is feasible at time t = 0.
Note that, the nonlinear system model for train dynamics, i.e., ψ( p(t), v(t)) in ( 6), is such that A1 and A3 surely hold (see the Jacobian Matrix in ( 8)).Moreover, the control input (11) satisfies A2 by construction since its admissible region is defined as U : {u AD ∈ R : u min ≤ u AD (τ, t) ≤ u max }.Finally, A4 holds for the selection of the train initial conditions within the train physical limits.

C. Supervisory Controller
The SC represents the core layer of ADF since it computes the ODP profile to be put in input to the tertiary layer and manages the enabling/disabling of RD/AD controllers based on the encountered driving situations and ATO operational modes.
Specifically, given the ATO operational state, the SC control objective is twofold: i) enabling the RD/AD controller and computing the ODP to put in input to them as reference behaviour; ii) guaranteeing the proper management of the transition phases between the two controllers so to avoid that train acceleration could jump during these switching phases.
For the enabling of the tertiary layer and for the selection of the proper controller to be activated, we consider the 9 ATO operational mode described in Table II.Herein, for each ATO event we provide its description and the corresponding required controller.
Remark 3: As it is possible to observe in Table II, unless particular conditions requiring for a maximum braking maneuver, SC properly enables/disables the RD or AD controllers so to guarantee a solution to Problem 1. Specifically, five states do not demand the train motion control to tertiary level.Besides UP, SBM and FA, which are managed by external on-board protection control system, the train motion in DE and CO is driven by SC itself.While CO deals with initialization phase (where train is at standstill), in DE, SC is the main responsible of the braking and it properly imposes a Service Brake and/or a Hard Brake if either some of EG conditions do not hold or some detectable anomalies along the trip occur.
Remark 4: The engagement conditions, involved in EG operational mode, include the operational traction conditions enabling the functioning of ATO over ETCS and the correct driving functioning verifying that no crucial problems occur during the train travelling.
1) SC Trajectory Planning: Based on the enabling of RD or AD mode, SC is responsible for the generation of the ODP.When in AD mode, the ODP, i.e. [ p r e f (t) v r e f (t)], is computed on the basis of the received Journey Profile (JP) to perform.The JP is expressed as a list of relevant points, located on the track, and, for each point, specifies the departure and the arrival time, i.e. t d and t a , respectively, as well as if this point is a stopping or a passing one.For the generation of the ODP, we leverage the Point-To-Point (PTP) trajectory planning method through Linear Segments with Parabolic Blends (LSPB), useful to find a trajectory connecting an initial to a final configuration while satisfying other specified constraints at the endpoints (in terms of arrival time and final speed limit) [41].This method results in trapezoidal speed profile consisting of three main phases: i) a constant acceleration with a linear velocity and parabolic position; ii) zero acceleration, with constant velocity and linear position; iii) constant deceleration, with linear velocity and parabolic position.In particular, given two consecutive significant points, i.e.A and B (which can be both passing and stopping), the method plans: a constant acceleration maneuver in the starting phase during the time interval [t d ; t 1 (; a coasting phase during the time interval [t 1 ; t 2 ]; a constant deceleration maneuver towards the arrival point B during the time interval )t 2 ; t a ].Hence, the time travelled interval required by the timetable is such that T A→B = t a + t c + t d , where t a = t 1 − t d , t c = t 2 −t 1 and t d = t a −t 2 , being t 1 and t 2 the optimization variables.Specifically, given the HST configuration space of all possible ODP, namely X , x r e f (t) = [ p r e f (t) v r e f (t)] : [t d , T A→B ] → X is a time-parametrized function, generated by minimizing the total energy consumption during the track segment, also considering the constraints 1-5 in Section III.In doing so, the trajectory x r e f (t) prescribes how the configuration of the train evolves over time.Let X r e f (X , T A→B ) be the set of all possible ODP functions, with [t d , T A→B ] → X , and let X goal ⊆ X be the goal region.Denote with x t d ∈ X the initial configuration of the HST at time t d .Furthermore, let J 1 (x r e f ) : X r e f (X , T A→B ) → R be the cost functional.Under these premises, the ODP x r e f is the solution of the following optimization problem: x r e f = arg min x r e f ∈X r e f (X ,T A→B ) subject to x r e f (t d ) = x t d and x r e f (T A→B ) According [42], the functional cost J 1 (x r e f ) is selected as the train energy consumption, i.e., J 1 (x r e f ) = Procedure in ( 13) is also exploited for the generation of the ODP in RD mode, with the solely difference that the reference speed profile, i.e. v r e f (t), is imposed by the external operator and, hence, the optimization process only involve the variables t 1 .In this case, (13) provides, starting from x act , an acceleration maneuver bringing the actual train speed towards the imposed coasting speed set-point.It is worth noting that, the planned trajectory x r e f remains frozen till the next change of the driving mode.Indeed, when the SC invokes a switching of the tracking controller (i.e., RD to AD or viceversa), the ODP updating is required.Therefore, the SC re-computes and updates the solution of the optimization problem in (13), starting from the actual HST state x act ∈ X , according to the enabled driving mode.It follows that, in those situations, t d in (13) refers to any switching timeinstant.This guarantees that the resulting ODP does not exhibit any bump during the transition between AD and RD modes (and viceversa).Solutions of ( 13) are provided via nonlinear programming methods (see different techniques in [43]).
2) SC Finite State Machine for Driving Mode Management: For the selection of traction control input to be imposed on the train dynamics, i.e. u(t), as well as for the management of the transition between the RD and AD controllers, we propose the FSM reported in Fig. 2 and composed of 5 states, i.e.: • OFF: ADF is inactive and no controller is invoked by the SC; • AD: SC enables the AD controller and, hence, u(t) is set equal to u AD (t) as in (11); • RD: SC enables the RD controller and, hence, u(t) is set equal to u R D (t) as in ( 7); • HRD2AD: in this handling state from RD to AD controller, the SC imposes to the train a bumpless transfer control action u(t) such that the continuity of the control can be ensured when switching to AD; • HAD2RD: in this handling state from AD to RD controller, the SC imposes to the train a bumpless transfer control action from AD to RD.
From the 5 FSM (see Fig. 2), it is possible to appreciate that the ATO operational modes in Table II dictates the behavioural adaption provided by SC.Note that, bumpless transfer control is necessary to avoid undesirable transients behaviour or destabilizing effects due to discontinuities in the control input during the control strategies switching.
3) SC Handling States Management via Bumpless Switch: Switching among controllers usually produces discontinuous control signals with several bumps, which can be harmful in practical applications, thus deteriorating the dynamic performance [44].Therefore, it is desirable to use a bumpless transfer control input signal to drive the system during handling states [45].The problem can be recast as finding a continuous control input signal, instead of a switching one, to achieve the target the switching control can attain [45].
During handling states, since u R D (t k ) ̸ = u AD (t k ), the control input signal could have a sudden change, where the generic t k is the time instant at SC selects HRD2AD/HAD2RD state.Hence, the aim is to modify the control strategy during handling states in order to ensure continuity of the control input signal without breaking other system performance.Up to now, different bumpless transfer strategies have been proposed in the literature to reject the transients at multi-controller switching,.Among these latter, we select the approach such that, during the switching time instants, both the controllers simultaneously run, while the effective control input, driving the train motion, is due to the controller to be disabled.Once both the control inputs assume the same value, the enabling controller effectively substitutes the disabling one.More in detail, the bumpless control is such that: • in both HRD2AD and HAD2RD, the manipulated variables of RD and AD controllers are always computed, independent whether they are used or not; • in HAD2RD, while the AD controller in ( 11) is applied to the process, its controlled variable is set as the reference value of the RD controller in (7), i.e. y R D r e f (k) = y AD (k), Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.and its previous manipulated variable is set as • in HRD2AD, while the RD controller in ( 7) is applied to the train dynamics, its controlled variable is set as the reference value of the AD controller in (11), i.e. y AD r e f (k) = y R D (k) and its manipulated variable u AD (k) is applied to the system.4) Handling Phases Stability: The stability during the handling phases is here ensured by the exploitation of the conditioning technique in [46] and the fulfillment of its related Assumptions.These essentially require to initialise the state of the off-line controller to those of the on-line controller by partially inverting the off-line controller to synthesise a realisable reference [47].In doing so, the control authority is passed by smoothly substituting on-line and off-line controllers, guaranteeing the continuity of the control input signal without any bump [45].

V. PERFORMANCE EVALUATION
To validate the effectiveness of ADF, we perform an experimental analysis which involves an unmanned inspection railway high speed vehicle provided by RFI.This vehicle prototype, designed through cooperation with industrial and academic partners, aims at monitoring railway tracks and surrounding areas, with maximum speed of 200 [km/ h] and acceleration within the range [−0.9; 0.9] [m/s2 ].The ADF control architecture is designed via the Matlab/Simulink platform according to MBCD approach, which fully covers the V-Cycle development process supporting automatic C code generation compliant to standard EN50128, early design validation, testing, simulation and run-time verification.In the following, we first describe the experimental set-up, the driving scenario and, then, we show the experimental results.

A. Experimental Set-up
The experimental set-up, reported in Figure 3, consists of: 1) an external computer, equipped with Track-Side Simulator, able to emulate the sensing/localization system, the track data along with the Journey Profile; 2) an external computer, equipped with ETCS Simulator, able to emulate the ECTS system according to the ERTMS-System Requirements Specification -UNISIG SUBSET-026 2 ; 3) an ATO On-Board rack, endowed with the ADF control architecture; 4) an high-speed unmanned inspection vehicle which, driven by its own ECU, rests upon four side supports, hence suspended from the ground.ETCS simulator, provided by RFI, aims at performing the following monitoring activities, namely [48]: ceiling speed monitoring; target speed monitoring; release speed monitoring.Its intervention, occurring when train motion is not compliant with these activities, is emulated via the signals Traction Cut-Off (TCO), Service Brake (SB) and Emergency Brake (EB) which impose a braking on train motion.On the other hand, Track-Side Simulator, provided again by RFI, acts as a bridge between the primary and the secondary layers of the proposed ADF architecture (see Figure 1) by providing to train the following information: the Journey profile according to the appraised railway sector where train will move on, i.e. passing points, stopping points, EoAs, maximum allowable speeds; gradient profile and curvature radius related to the appraised railway sector; train parameters, also including the rolling stock mass, the Davis parameters; sensing and localization.Moreover, it allows emulating possible external disturbances acting on the train motion such as variations in the wind speed which impact on the aerodynamic drag and rolling resistance.The external PCs are connected with the ATO On-Board rack via Ethernet connection, while the inspection vehicle is piloted by ADF via CAN bus standard.The ADF C code runs on a commercial board which, mounted on the ATO on-board rack, is endowed with 1.2 GHz Dual-Core CPU unit, 4 GB of RAM and 32 GB of ROM and is supported by Linux commercial operating system with a real-time framework.Based on the information related to the surrounding environment, provided by the simulated track side and the virtual ETCS, the ATO On-Board rack, embedding ADF code, proper computes the  driving commands to be imposed on the low-level control system, i.e. the vehicle ECU (a commercial Bosch).Real-time interaction with ADF is enabled via the HMI, realized via Matlab/Simulink and reported in Figure 4, which runs on ATO On-Board rack.
Remark 5: Note that, due to the experimental configuration for train prototype, the rolling resistances, as well as the air drag, are not present, while the vehicle mass is considered of about 1.5 [ton].Hence, Track-Side simulator still accomplishes its bridge role by emulating track gradient profile and curvature radius (according to the appraised railway track), but it is not required to emulate exogenous environmental disturbances factors (e.g.wind speed disturbances).However, its configuration is already prone to future roller bench testing phase, where rolling resistance effectively exists and the emulation of external disturbances is strongly required.

B. Driving Scenarios
ADF is experimentally validated considering the realistic railway segment Milano Rogoredo -Bologna Centrale on the Italian high-speed railway.The route, reported in Table III

C. Experimental Results
1) AD Driving Scenario: Once the configuration process is terminated, the ADF state of the 5-FSM switches from OFF to RD, waiting for the remote driver commands.After 10 [s] from the activation of ADF, the holding brake of the inspection vehicle is removed and the reference speed set-point of 10 [km/ h] is imposed.After 9 [s], during which the low-level control unit checks for drives/brakes status and effectively releases the holding brake, the vehicle starts moving and reaches the imposed speed in 44 [s].It travels at this speed until reaching the first virtual balise which allows the enabling of AD mode.Therefore, ATO operational mode evolves to EG, while the 5-FSM switches to AD, passing through the handling state HRD2AD.In this case, the SC provides the ODP to AD controller, which is properly computed according to Section IV-C by considering a constant acceleration/deceleration value of 0.6 [m/s 2 ] and a cruising speed of 165 [km/ h] for the railway section Bologna-Reggio Emilia AV Medio Padana.Once stopped, the SC switches to RD, passing through the handling state HAD2RD.After a stop of around 1.3 [min], the AD mode is again invoked for reaching in time Milano Rogoredo station, also taking into account the passing point constraint located at Piacenza station.The SC computes the ODP by also taking into account speed constraints imposed by the railway track and causing unsafe situations.Hence, the vehicle starts from the stopping point with a speed limit of 180 [km/ h] while passing in correspondence of Piacenza station.During the journey, it also accelerates to reach the speed of 200 [km/ h] in accordance to the maximum allowable speed limits, while avoiding violating speed constraints.This clearly implies small acceptable position errors, which, however, do not impact on ADF main objective, which is the compliance with the Journey Profile Timetable (see Fig. 5 III.Indeed, the inspection vehicle correctly stops at Reggio Emilia AV Medio Padana at 1500 [s] and at Milano Rogoredo at 4560 [s], while passing for Piacenza at 3060 [s] (see also 5(e)).Figure 5(b) discloses the time history of the vehicle speed, where it is possible appreciating that for each track section, the vehicle tracks the reference speed profile, computed from the ODP while avoiding to violate the maximum allowable speed limits with bounded errors during transient phases (see also Figure 5(d)).Finally, the control input imposed by ADF is reported in Figure 5(c), where the traction force is properly computed by AD/RD controller according to the ADF operational modes reported in Figure 5(f).

2) Multiple Driving Modes Scenario:
To highlight the effectiveness of ADF architecture in dealing with switching between AD and RD, while successfully managing with several handling phases, herein, we consider a more troublesome scenario where multiple driving modes changing (along with the fault occurrences bringing to ETCS interventions) occur.It is worth noting that, according to system requirements specification, it is mandatory, for ETCS, an intervention time interval less than T ime_Out (see Table II) in order to avoid dangerous situation; otherwise, the vehicle has to be stopped, but this latter case is out of the scenario interest.Note that, ETCS supervises train motion when FSM is in AD mode.However, to guarantee robustness w.r.t. the above-mentioned events, ETCS also intervenes in all other possible driving modes.Under these circumstances, ETCS interventions lead the train operation to OFF state; thereafter, once anomalies are properly counteracted, according to T ime_Out, the previous FSM state is properly restored.In the appraised scenario, the following list of events occur during the journey travelling: • at t = 0 [s], the ATO operational mode is CO and the ETCS is powered on, while the 5-FSM state is set at RD; • at t = 10 [s], the remote driver sets the movement direction forward, sets a target speed of 10 [km/ h] and removes the holding brake; • at t = 19 [s], the vehicle starts moving until reaching the desired imposed speed; • at t = 71 [s], the remote driver increases the target speed up to 40 [km/ h]; • at t = 106 [s], the remote driver engages the AD mode and the ADF automatically adapts the trajectories so to track the ODP provided by SC, while optimizing this latter and fulfilling the maximum speed requirement; • at t = 2737 [s], the remote driver engages the AD mode; • at t = 4116 [s], the remote driver decreases the target speed to 0 [km/ h]; • at t = 4150 [s], the remote driver engages the AD mode; • at t = 4230 [s], the ETCS increases the speed limit up to 200 [km/ h]; • at t = 4732 [s], the SC reduces the target speed to 160 [km/ h] in order to avoid breaking due to the incoming limit speed reduction; • at t = 4257 [s], the ETCS decreases the speed limit to 160 [km/ h]; • at t = 5055 [s], the SC starts the braking maneuver in order to properly stop the vehicle at the Milano Rogoredo.Experimental results are reported in Fig. 6.Herein, it is possible observing how the ADF properly works also in these multiple driving conditions.Specifically, for each driving mode, the control architecture is able to successfully perform trajectory planning and tracking in the presence of speed constraints, even if ETCS interventions occur due to some dangerous situations encountered during the travel.Indeed, as it is possible to observe in Fig. 6(d), when TCO, SB and EB are invoked by ETCS, the ADF properly faces these situations by re-scheduling the trajectory and drives the vehicle according to this optimal profile.See Fig. 6(a)-(b).As required by the driving scenario, during the travel, several switching between AD/RD controllers are required, thus implying the enabling of 5-FSM handling states, as shown in Fig. 6(f).To better appreciate the correct functioning of the FSM design in managing the multiple driving modes, we report in Fig. 6(g)-(h)-(i) a focus of Fig. 6(f) for three different main situations occurring.Specifically Fig. 6(g) shows the transition between RD/AD and vice-versa, while Fig. 6(h)-(i) disclose the behaviour of FSM when ETCS intervenes.According to the design in Fig. 2, when ETCS intervenes in AD mode, FSM evolves towards the OFF state, due to the occurrence of event D E (see Fig. 6(h)).Once the anomaly is solved, the state machine quickly evolves towards the handling state H R D2AD until reaching again the AD state.Moreover, since we are under the assumption ETCS intervention, even in RD mode, ETCS interventions in these cases lead the train operation to OFF state; thereafter, once anomalies are properly counteracted, the previous FSM state is properly restored (see Fig. 6(i)).As it is possible appreciating in Fig. 6(c), by ADF designing no discontinuous control input is imposed to the vehicle motion.This is ensured by the bumpless transfer switching logic which successfully drives the inspection vehicle during the handling states.ETCS intervention and the multiple switching between the two controllers are also highlighted in Fig. 6(e), where we report the time history of the distance of vehicle w.r.t. the next stopping point.Specifically, this latter is different than the one reported in Fig. 5(e), since multiple braking maneuvers and speed reductions are required to deal with this troublesome scenario.Note that, the arrival time at Milano Rogoredo station in this scenario is not compliant to the timetable reported in Fig. 5(a) due to the several interruptions of the nominal ride.However, although timetable delay arises, the stopping point policy is always fulfilled.Indeed, even if the vehicle is in RD mode, when approaching a Stopping Point, a braking maneuver is imposed to vehicle so to guarantee the respect of the scheduled journey.Accordingly, besides some peaks arise in the position tracking errors in correspondence of ETCS intervention (according to Fig. 6(d)), the proposed control architecture is able to counteract these phenomena by imposing a control action such that they can be restored within a small acceptable bound.Time-history of position tracking error is omitted for the sake of brevity.
3) Performance Evaluation: In this section we assess the effectiveness of the proposed control architecture w.r.t. the speed tracking error performance requirement, defined accord-Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.ing to the V-cycle model in the Requirements design phase [29].Specifically, in compliance with RFI requirements, the speed tracking error has to be within the range ±10% of the reference signal v r e f (t).Results in Fig. 7 confirm that the HST, under the action of the proposed GoA4 control architecture, successfully meets the given performance requirement both in AD driving scenario (see Fig. 7(a)) and in Multiple driving mode scenario (see Fig. 7(b)).Note that, as expected, the speed error exceeds the appraised tolerance in Fig. 7(a) only when the train, due to inertial lag, has to restart the journey after a stopping point (see the time interval [1690; 1710] [s]).Similarly, as expected again, the speed error exceeds the appraised tolerance in Fig. 7(b) also due to ETCS intervention.To further confirm the effectiveness of the proposed control architecture in tracking the reference behaviour even in FSM state changing, we also compute the mean and the standard deviation of tracking index [49] in both the appraised driving scenarios.Specifically, in AD driving scenario, we have a mean of about 0.1770 and a standard deviation of 0.9317 while, due to ETCS intervention, in Multiple driving mode scenario, the tracking index index increases its values of mean and standard deviation as 0.5283 and 1.2954, respectively.Finally, a comparison analysis w.r.t. the robust adaptive sliding mode controller, proposed in [16] for motion tracking control objective, is carried out to disclose the advantages of our solution.As exemplary driving scenario we consider again the AD driving scenario while for the comparative analysis we take into account the tracking index [49] and the energy consumption [50] KPIs.Results confirm the improved tracking performance ensured by the proposed solution and an improved energy saving requirement, crucial for HST in GoA4 perspective.Specifically, regarding the tracking index, the control strategy in [16] allows reaching a mean of about 0.2731 and a standard deviation of about 0.8924.Regarding, instead, the energy consumption, our solution performs about 0.83 [kW h/t km], while [16] needs about 0.88 [kW h/t km].In doing so, ADF ensures an energy-saving of 4.76%, hence highlighting the benefits of the proposed solution from sustainable perspective.

VI. CONCLUSION
This work has tackled the problem of designing a control architecture for the autonomous driving of HST over ETCS, ensuring the GoA4 automation level.To this aim, we have proposed the ADF control system which guarantees both trajectory planning and tracking, while also taking into account real-time constraints arising from the current encountered driving scenario.ADF, thought to be a three-layer hierarchical, modular and scalable platform, has been designed according to MBCD approach and embeds all the ATO over ETCS GoA4 functionalities.These objectives have been realized by leveraging multiple controllers with bumpless switching features.The proposed architecture is general purpose and can be customized for different kind of HST, such as freight, passenger and inspection vehicles.This latter kind of vehicle, rest upon four side support and raised from the ground, has represented the testbed for the performance evaluation of the proposed solution.Experimental results, carried out considering two driving scenarios, have confirmed the effectiveness and the energy efficiency of ADF.At this design stage, the proposed control architecture does not consider an effective primary layer which accounts for ADF input measurements errors.Future works will include the design of a robust and resilient perception layer able to counteract the different measurements errors sources so to achieve better GoA4 performance at the higher level of the proposed ADF.Furthermore, experimental validation of the proposed solution will be carried out when travelling along a real-world railway segment, also considering on-board sensors and track-side measurements errors.

v
r e f (t) as scheduling variable σ .In this way, the control gains reflect the changes required by the reference behaviour and are able to drive the nonlinear train motion for all the different imposed operating conditions, hence ensuring good tracking performance despite the nonlinearities due to the aerodynamic drag.Therefore, the controller gains in (7) are selected as a function of v r e f (t), i.e., k p (v r e f (t)), k i (v r e f (t)) and k d (v r e f (t)).The feed-forward control action, instead, allows counteracting the uncertainties factors arising from the track-side and acting on train motion.More specifically, in combination with adaptive mechanisms, it faces the possible mismatches between the desired train position p r e f (t), i.e. the position assumed by train when travelling at v r e f (t), and the actual position measurements p(t), which leads to α(t) = f ( p(t)) ̸ = ᾱ(t) = f ( p r e f (t)).1)Gain Scheduling Design and Closed-loop Stability:

Fig. 2 .
Fig. 2. Finite State Machine (FSM) for the management of the driving controllers.

Fig. 5 .
Fig. 5. AD driving scenario.Time history of: a) vehicle position p(t); b) vehicle speed v(t); c) vehicle control input; d) vehicle speed error v r e f (t) − v(t); e) vehicle distance from stopping point; f ) ADF Operational mode.
(a)) and Fig. 5(e)).Note that, for sake of brevity, time-history of position tracking errors are herein omitted.Finally, ADF allows the vehicle reaching the final stop of Milano Rogoredo at position 204.999627[km] after 76 [min], with a stopping error of 0.371 [m].Experimental results are reported in Figure 5. Specifically, Figure 5(a) shows the time history of the vehicle position and highlights the fulfillment of timetable as reported in Table
A GoA4 Control Architecture for the Autonomous Driving of High-Speed Trains Over ETCS: Design and Experimental Validation Lorenzo Barruffo, Bianca Caiazzo , Member, IEEE, Alberto Petrillo , Member, IEEE, and Stefania Santini , Member, IEEE

TABLE I COMPARISON
W.R.T. THE RELATED WORKS: FUNCTIONAL REQUIREMENTS , is 205 [km] long and lasts about of 76 [min].It is composed of the following significant points: the starting point is Bologna Centrale station at p 0 = 0 [km]; a first stopping point occurs at p 1 = 63.481[km] in correspondence of Reggio Emilia AV Medio Padana station with an arrival time t a = 25 [min] and departure time t d = 26 [min]; a passing point is located at p 2 = 135.853[km] in correspondence of Piacenza station

TABLE III JOURNEY
PROFILE TIMETABLEwith t a = t d = 51 [min]; the end of the route is Milano Rogoredo station.Two exemplary driving scenarios are considered for validation phase, namely: 1) AD driving scenario, where the whole JP is performed in AD mode, activated when ETCS evolves in Full Supervision state at the position of 80 [m], and no faults occur; 2) multiple driving modes scenario, where the switching between AD and RD modes (and the related controllers) is invoked several times during the journey, while different faults are injected for forcing the ETCS traction cut-off and brake interventions.Finally, regarding control gains parameters for AD controller, they are: ω 1 = 200, ω 2 = 100, ω 3 = 100 and ω 4 = 50.The RD control gains, obtained from the procedure detailed in Section IV-A.1, are such that: k p (t) ∈ [470; 570], k i (t) ∈ [3.44; 222.53] and k d (t) ∈ [30.31; 43.67].licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
at t = 1210 [s], the ATO operational mode evolves to AV and the desired speed, imposed by the external operator, is set to 100 [km/ h]; while traveling at the current speed of 100 [km/ h], the ADF detects that the distance w.r.t. the next Stopping point, i.e.Reggio Emilia AV Medio Padana, is close enough to the required braking distance; in this case, the ADF engages an autonomous braking maneuver in order to not skip the Stopping Point, planned on Journey Profile, without explicit command; the ATO operational mode state evolves to AV and the speed set-point is set to 100 [km/ h], while at t = 2654 [s], the reference speed changes to 40 [km/ h]; the same latter speed is imposed at t = 4012 [s]; •• at t = 1673 [s],• at t = 1715 [s], the ADF automatically sets a target speed of 5 [km/ h] in order to adjust the vehicle position at the Stopping Point;• at t = 1726 [s], the ADF stops the vehicle and automatically activates the holding brake;• at t = 1799 [s], the ATO operational mode state evolves to AV and the ADF automatically removes the holding brake;• at t = 1877 [s], the 5-FSM state evolves towards AD and the vehicle starts moving to achieve the speed of 180 [km/ h];• at t = 2022 [s], t =2030 [s] and t = 2474 [s], ETCS commands a Traction Cut-Off (TCO); • at t = 2075 [s], t = 2512 [s], t = 2820 [s], t = 4016 [s] and t = 4191 [s], ETCS commands a Service Brake (SB); • at t = 2140 [s], t = 2551 [s], t = 4067 [s] and t = 4215 [s], ETCS commands an Emergency Brake (EB); • at t = 2338 [s]