Railway signalling AI: how adversarial pixel injection makes a Red signal appear Green — and why SIL 4 certification does not protect against it

The railway AI perception stack

The European Train Control System (ETCS) is the signalling backbone of 110,000 kilometres of European rail network, with Levels 1 through 3 defining the degree of automation in Movement Authority transmission and train position reporting. Under ETCS Level 2 — the most widely deployed configuration on high-speed lines — the Radio Block Centre (RBC) grants Movement Authorities digitally over GSM-R or GPRS radio to the onboard European Vital Computer (EVC). The EVC enforces speed supervision, braking curves, and signal protection automatically. The driver retains operational control but the EVC provides a safety net that triggers automatic emergency braking if the driver fails to respond to a Stop signal or exceeds the permitted speed.

What changed in the 2020s is the introduction of AI into the perception layer. Computer Vision Signal Recognition (CVSR) systems — deployed by Deutsche Bahn's Digitale Schiene Deutschland programme on its ICE high-speed fleet and evaluated by Network Rail on its UK mainline fleet — use forward-facing cameras and a deep neural network to classify trackside signal aspects: the combination of lit indicators (Red, Yellow, Green) on the signal head. The classification output supplements the digital RBC Movement Authority with a visual cross-check, and in ETCS Level 3 (moving block) scenarios where lineside signal heads still exist as fallback, CVSR output feeds directly into position determination. Alstom's ATLAS CVSR and Wabtec's LOCOTRONICS Vision system are both SIL 4-certified under CENELEC EN 50129 — the same safety integrity level as the core EVC software that enforces speed supervision.

The AI pipeline processes raw camera frames: 2D RGB image tensors in which pixel intensities encode the visual scene ahead of the train. At 200 km/h, a signal head enters the camera field-of-view approximately 1,200 metres ahead. The signal aspect must be classified within the first 400–600 metres of detection range to provide the required braking margin. The neural network outputs a classification (Red / Yellow / Green / Approach) with a confidence score, at frame rates of 25–60fps. This classification is the CVSR contribution to the EVC's Movement Authority picture.

What SIL 4 actually certifies

CENELEC EN 50129:2018 — and its parent standard IEC 61508:2010, from which it derives the SIL framework — defines two classes of failures that the safety integrity level is designed to address:

Random hardware failures are stochastic component failures governed by failure rate models: bit flips from cosmic ray ionisation, capacitor degradation, solder joint fatigue, transistor threshold drift. SIL 4 sets a tolerable hazard rate (THR) of ≤10−9 failures per hour for these random failures — roughly one safety-critical failure per 100,000 years of continuous operation. This is addressed through hardware redundancy, diverse redundancy (two physically different implementations of the same function), and diagnostic self-test coverage.

Systematic failures are deterministic defects in software design or hardware design that produce incorrect outputs from specified inputs under specified conditions. A software bug that causes the CVSR to misclassify Yellow as Green under a specific lighting angle is a systematic failure. IEC 61508 addresses systematic failures through formal specification (mathematically rigorous requirements), formal verification (Coq, Isabelle, or B-method proof of correctness against the specification), comprehensive testing, and rigorous development process measures independently assessed by a Notified Body. SIL 4 requires the highest available rigor level: formal methods are mandatory, not optional.

Adversarial ML attacks are neither. An adversarial example is a structured perturbation of the input — a pattern of pixel modifications crafted by an adversary using the gradient of the neural network's loss function — that causes a correct, formally verified, systematically defect-free classifier to produce an incorrect output with high confidence. The CVSR neural network that is formally proven to produce correct outputs for all inputs in its specification domain can be caused to misclassify Red as Green by an adversarially crafted input that was never part of the specification domain. IEC 61508:2010 Clause 6.1 Note 4 is explicit: the standard does not address malicious or unauthorised action. This is not a failure of IEC 61508 — it was published before adversarial ML existed as a field. It is a gap that AI deployment in SIL 4 railway roles has introduced without a corresponding update to the certification framework.

The asymmetric risk that makes adversarial injection dangerous

Railway safety engineering is built on the principle of fail-to-safe, also called most-restrictive-safe-state. When the CVSR is uncertain — when confidence is below threshold, or the signal head is partially obscured, or lighting conditions are outside the training distribution — the correct response is to treat the signal as Red and trigger the automatic braking curve. This is the asymmetric safety architecture:

• False positive (Green classified as Red): Train applies emergency brakes unnecessarily. Passengers are jolted. The service is delayed. Operations control calls the driver. The driver performs a track-side visual inspection and resumes. Operationally costly; not a safety event.
• False negative (Red classified as Green): Train management system receives a permissive Movement Authority where none should exist. The EVC does not apply the braking curve for the occupied block ahead. The protection that would prevent entry into an occupied section is removed. On a single-track section, this is a potential head-on collision. At a converging junction, a potential side collision. At a red protecting temporary track work, a potential derailment at speed.

The fail-to-safe principle eliminates false-positive risk entirely — a system that defaults to Red when uncertain cannot be caused to pass a Red signal by making it uncertain. But adversarial injection attacks do not create uncertainty. They create a confident incorrect classification. A well-crafted adversarial perturbation of a Red-signal camera frame — a structured pixel pattern that shifts the pixel values toward the feature space that the CVSR classifier associates with Green — causes the model to output Green with confidence above its classification threshold. The fail-to-safe threshold rule does not trigger. The EVC receives what looks like a valid, high-confidence Green classification and updates the Movement Authority accordingly.

This is the same structural gap identified in autonomous aviation: the ACAS Xu formally verified collision avoidance system is proven correct over its DNN policy, but the proof assumes correct state inputs from the EO/IR camera pipeline. An adversarial injection upstream of the verified DNN corrupts the inputs the proof assumes are correct. In railway, SIL 4 formal verification assumes the CVSR receives a physically honest camera frame. An adversarial injection breaks that assumption.

The attack vector: what a CVSR adversarial frame looks like

A practical adversarial attack on a CVSR pipeline does not require physical access to the camera or the train. The attack surface is the input to the neural network — the rendered camera frame — which an adversary can influence through several mechanisms:

Lineside display injection: Trackside digital display infrastructure (maintenance information displays, level crossing warning systems, track worker protection displays) that is network-connected and within the forward camera field-of-view can be compromised to inject adversarial pixel patterns into the scene captured by the train's forward camera. The pattern appears on the display as seemingly random digital noise but is crafted to perturb the CVSR's classification of the signal head visible in the same frame.

Synthetic frame injection in the data bus: On trains where the forward camera feed is transmitted over an onboard IP network (as in modern rolling stock where camera management systems centralise video streams), a man-in-the-middle attack on the camera data bus can inject adversarially perturbed frames before they reach the CVSR compute node. This requires a foothold on the onboard network — a meaningful attack complexity bar, but one explicitly within the threat model of IACS cybersecurity frameworks including IEC 62443 and the NIS2 Directive for critical infrastructure.

Adversarial sticker on the signal head: Physical adversarial patches — printable sticker patterns that cause misclassification when placed within a signal head's visual field — have been demonstrated in the academic literature against traffic sign recognition systems (Eykholt et al., 2018; Brown et al., 2017). The same class of attack applies to railway signal heads: a small physical patch placed on or near the signal housing that, under the CVSR camera's sensor characteristics and the geometric view from an approaching train, generates a pixel pattern in the forward camera frame that shifts the classification from Red to Green. The patch does not need to look adversarial to a human observer — only to the specific convolutional filter activations of the CVSR neural network.

All three mechanisms produce the same artefact: a camera frame in which the Red signal head's pixel representation is perturbed by a structured pattern that causes the CVSR classifier to output Green with high confidence. Unlike a random sensor failure — which the SIL 4 hardware reliability analysis models and mitigates through redundancy — this is an intentional, structured, adversary-controlled injection that falls outside the scope of any IEC 61508 analysis.

The same gap in the US Positive Train Control framework

US Positive Train Control under 49 CFR Part 236 subpart I enforces signal aspects and speed restrictions through GPS positioning combined with back-office data from the PTC server — not through forward-camera CVSR. However, Class I railroads including BNSF (equipped by Wabtec) and Union Pacific are evaluating AI-based cab signal supplementation using forward-camera visual signal recognition as Class I railroads move toward autonomous train operation under FRA research programmes.

The 49 CFR §236.1033 cybersecurity requirements mandate a Cyber Security Plan covering network authentication, access control, and software integrity for PTC systems. The plan requirements follow NIST SP 800-82 industrial control system security guidance and NIS2-equivalent sector requirements. What they do not address is adversarial ML robustness for AI components — a gap the FRA's draft APTA PR-CS-S-002 (AI/ML Security for Rail Control Systems) is expected to close, but which has no finalised regulatory requirement as of mid-2026.

The practical implication is identical to the European CENELEC EN 50129 situation: a Class I railroad that deploys forward-camera CVSR as a supplementary signal aspect input to its PTC onboard unit has no regulatory requirement to demonstrate adversarial robustness of that AI component, and no standard technical measure that the current PTC certification framework requires it to implement. The full technical analysis of CVSR adversarial surfaces under CENELEC EN 50129 and 49 CFR Part 236 covers both regulatory frameworks in detail, including the specific Glyphward threshold for fail-safe-aligned railway AI contexts.

Connecting to the broader critical infrastructure AI threat landscape

Railway signalling is one of several critical infrastructure AI domains where the adversarial ML attack surface is structurally decoupled from the existing safety certification framework. The same pattern appears in ICS/SCADA AI for continuous-process industries: industrial vision inspection AI in IEC 62443 OT environments is certified to functional safety standards (IEC 61511, ISO 13849) that were not designed to address adversarial perturbation of AI inputs. It appears in surgical robotics: the da Vinci 5 Firefly NIR AI operates in a closed-loop actuator environment where the FDA SaMD framework's substantial equivalence pathway does not require adversarial robustness testing. It appears in autonomous aviation: ACAS Xu's Reluplex-verified DNN policy is conditionally correct given honest sensor inputs that the adversary can corrupt upstream of the proof boundary.

The common structure across all these systems:

1. A safety-critical AI component processes images at an input boundary that is accessible to structured adversarial manipulation.
2. The existing safety certification standard was designed for systematic and random failures, not intentional adversarial perturbations.
3. The fail-safe or redundancy architecture addresses uncertain outputs — it does not protect against high-confidence incorrect outputs generated by adversarial injection.
4. The consequence of a false-negative adversarial classification is irreversible within the system's actuation latency window.

Railway signalling AI adds a fifth element to this pattern: the certification gap is currently being codified into law, because ETCS-certified CVSR products are being deployed on revenue service trains in Europe under the existing EN 50129 framework, with the adversarial ML gap explicitly unaddressed in the standard. The certification framework will catch up — CENELEC TC9X has adversarial ML on its revision agenda for EN 50129:2028 — but deployed systems are running under the current framework now.

What a Glyphward pre-scan gate provides for CVSR pipelines

The Glyphward API integrates into the CVSR pipeline between the camera frame buffer and the signal aspect classifier neural network. For each forward-camera frame in which a signal head has been detected by the first-stage object detector, the raw frame (or the detected signal head crop, depending on integration depth) is submitted to Glyphward's adversarial detection endpoint before the aspect classifier runs. Glyphward returns a risk score (0–100) in 8–15ms on GPU-equipped onboard compute (Nvidia Jetson AGX Orin-class hardware, which matches the edge compute profile of modern rail onboard systems).

At the recommended railway threshold of 35, a flagged frame triggers a safe-state response: the CVSR pipeline discards the frame's classification output, does not update the Movement Authority contribution from that frame, increments the anomaly counter, and logs the event with a timestamped risk record to the onboard security event log. If three or more consecutive frames are flagged (default N=3, configurable), the CVSR subsystem alerts the cab display and restricts its contribution to Movement Authority until the anomaly clears — falling back to RBC-provided Movement Authority exclusively, the same behaviour as CVSR unavailability due to camera degradation or tunnel passage.

The threshold of 35 is intentional. In railway, the most-restrictive-safe-state principle dictates that a false positive by the pre-scan gate — flagging a legitimate camera frame as adversarial — is less costly than a false negative (passing an adversarial frame to the classifier). A Glyphward flag at threshold 35 causes a minor CVSR input interruption; a miss at threshold 35 allows a potential Red-to-Green misclassification through. The threshold calibration reflects the same asymmetric consequence profile that governs the railway safety architecture as a whole.

The scan gate also generates the operational security monitoring record needed for two regulatory purposes: the CENELEC EN 50129 Appendix B safety case evidence package (demonstrating that a specific, identified risk — adversarial ML input to CVSR — has a deployed technical measure), and the 49 CFR §236 Cyber Security Plan operational monitoring section (demonstrating continuous monitoring of AI components for security anomalies). Free tier — 10 scans/day, no card required — is the fastest way to integrate the gate and generate the first evidence log.