Autonomous CPS mobility securely designed
Pith reviewed 2026-05-25 10:48 UTC · model grok-4.3
The pith
A meta-model integrates safety, security, interoperability and socio-technical aspects to design digital interlocking systems for autonomous trains on secondary lines.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors motivate research needs by identifying gaps in existing work on autonomous trains and present a meta-model as a possible solution. The model considers safety, security as well as interoperability like 5G and socio-technical aspects to provide a holistic modeling approach for the development of the interlocking system for industrial secondary line use cases.
What carries the argument
The meta-model, which integrates safety, security, interoperability and socio-technical aspects into a single framework for designing digital interlocking systems at design time.
If this is right
- Autonomous train operations become feasible on secondary lines by reducing the expense of sensor infrastructure and personnel.
- Design-time modeling prevents conflicts between safety, security and interoperability requirements before deployment.
- Use of 5G and similar standards enables reliable communication in the interlocking system for industrial applications.
- Socio-technical factors are incorporated to address human roles in the automated railway environment.
Where Pith is reading between the lines
- The same integration strategy could extend to other cyber-physical mobility systems such as road-based autonomous vehicles.
- A concrete test would involve applying the meta-model to an existing secondary line and measuring cost reductions against current manual operations.
- The emphasis on socio-technical aspects points to potential requirements for training or interface design in future autonomous rail systems.
Load-bearing premise
A single meta-model can effectively integrate and balance safety, security, interoperability, and socio-technical aspects for practical industrial use in secondary railway lines.
What would settle it
Development and testing of a prototype system based on the meta-model that fails to handle a documented safety or security requirement in a secondary line scenario would show the integration does not work as intended.
Original abstract
In the last years the interconnection and ongoing development of physical systems combined with cyber resources has led to increasing automation. Through this progress in technology, autonomous vehicles, especially autonomous trains are getting more attention from industry and are already under test. The use of autonomous trains is known for increasing operation efficiency and reduction of personnel and infrastructure costs, which is mostly considered for main tracks. However, for less-used secondary lines, autonomous trains and their underlying sensor infrastructure are not yet considered. Thus, a system needs to be developed, which is less expensive for installation and operation of these trains and underlying infrastructure for secondary lines. Therefore, this position paper describes the process of how to derive an approach to help develop a digital interlocking system at design time for the use with secondary railway lines. In this work, we motivate the necessary research by investigating gaps in existing work as well as presenting a possible solution for this problem, a meta-model. The model considers safety, security as well as interoperability like 5G and socio-technical aspects to provide a holistic modeling approach for the development of the interlocking system for industrial secondary line use cases.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. This position paper motivates the development of a digital interlocking system for autonomous trains on secondary railway lines, arguing that existing work leaves gaps in cost-effective, multi-concern design. It proposes a meta-model as the solution that integrates safety, security, interoperability (e.g., 5G), and socio-technical aspects into a holistic modeling approach at design time.
Significance. A validated meta-model of this kind could enable practical deployment of autonomous CPS on low-traffic lines by making explicit trade-offs among the four concerns; however, the manuscript supplies neither the meta-model itself nor any worked example, so the claimed holistic benefit remains untested.
major comments (2)
- [Abstract] Abstract: the central claim that the meta-model 'considers safety, security as well as interoperability like 5G and socio-technical aspects to provide a holistic modeling approach' is unsupported; the text motivates gaps and names the meta-model but exhibits neither its entities/relations/constraints nor any demonstration of joint representation or trade-off.
- [Body] Body (process description): the 'process of how to derive an approach' is stated at the level of motivation only; no concrete steps, intermediate artifacts, or evidence that the four concerns can be integrated without conflicts are supplied, rendering the proposal non-falsifiable.
minor comments (2)
- The title does not mention railway interlocking or secondary lines, reducing discoverability.
- No references to prior meta-modeling efforts in safety-security co-design (e.g., in automotive or avionics) are discussed, leaving the novelty claim unanchored.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our position paper. We agree that the manuscript's scope as a high-level motivation and proposal should be stated more clearly, and we will revise accordingly while preserving the position-paper character of the work.
Point-by-point responses
- Referee: [Abstract] Abstract: the central claim that the meta-model 'considers safety, security as well as interoperability like 5G and socio-technical aspects to provide a holistic modeling approach' is unsupported; the text motivates gaps and names the meta-model but exhibits neither its entities/relations/constraints nor any demonstration of joint representation or trade-off.
  Authors: We accept that the abstract phrasing implies a realized model rather than a proposed direction. As a position paper our contribution is the identification of the gap and the suggestion that a meta-model integrating the four concerns is needed; we do not claim to have constructed or validated the model itself. We will revise the abstract to describe the paper as a motivation for and outline of such a meta-model.
  Revision: yes
- Referee: [Body] Body (process description): the 'process of how to derive an approach' is stated at the level of motivation only; no concrete steps, intermediate artifacts, or evidence that the four concerns can be integrated without conflicts are supplied, rendering the proposal non-falsifiable.
  Authors: The manuscript deliberately remains at the motivational level because its purpose is to argue for the necessity of a multi-concern design process rather than to deliver that process. Concrete steps, artifacts, and conflict-resolution evidence would require a separate research paper with case studies. We can add a short section sketching high-level phases of the envisioned derivation process to improve clarity without changing the paper type.
  Revision: partial
- Supplying the actual meta-model (entities, relations, constraints) together with worked examples and integration evidence, because these elements are not present in the current position paper and would require substantial new research beyond the scope of a revision.
Circularity Check
Position paper proposes meta-model without any derivation, equations, or exhibited structure.
Full rationale
The manuscript is a position paper that identifies gaps in prior work on autonomous trains for secondary lines and states that a meta-model 'considers safety, security as well as interoperability like 5G and socio-technical aspects to provide a holistic modeling approach'. No equations, classes, diagrams, worked examples, or derivation steps are supplied. With no claimed derivation chain or predictive result present, no reduction to inputs by construction, self-definition, or self-citation load-bearing can be identified. The paper is self-contained as a high-level motivation and scores 0 under the circularity criteria.