How does ETCS signal recognition AI interact with the primary RBC radio-based MA system?

Camera-based signal recognition AI is a supplementary layer during ETCS Level NTC transition operation where the train operates in conventional signalling territory not yet covered by RBC MA boundaries. The primary RBC radio-based ETCS system is not a rendered-image AI and is not exposed to pixel adversarial injection. The camera AI supplements the STM by visual cross-checking in mixed-mode transition zones; its adversarially corrupted output can override STM-based speed restrictions during the transition interval.

What is the IEC 62280 framework for railway communication network security?

IEC 62280 covers communication-layer security for safety-critical railway transmissions (message authentication, replay protection, ETCS packet integrity under EN 50159) but does not address AI adversarial robustness for camera-AI components within ETCS onboard or wayside systems. CENELEC EN 50128 SIL 4 certification proves software correctness against the ETCS specification but not adversarial ML robustness for rendered-image AI components.

Can Glyphward scan ultrasound B-scan renders as well as optical images for track inspection AI?

Yes. Glyphward's pipeline processes any rendered image — grayscale or false-color ultrasound B-scans, phased-array volume renders, and RGB inspection camera frames — through the same adversarial pixel injection detection engine. Track inspection B-scan renders (Sperry Rail EURAIL-350, Deutsche Bahn UniMoS) are fed to defect classification AI in the same rendered-image format that Glyphward scans before AI classification. Apply the scan gate to the B-scan render before the defect classification network receives it.

ETCS / ERTMS Level 3 signal recognition AI · Positive Train Control AI · platform screen door safety AI · track geometry inspection AI · CENELEC EN 50129

Prompt injection in railway signalling AI

Q: Why does railway signalling AI use threshold 35?

Threshold 35 reflects mass-casualty potential (SPAD collisions historically 4-25 fatalities) and the CENELEC EN 50129 fail-safe principle: failing closed means applying emergency brake at a signal actually showing Green — a train delay, not a safety event. The operational cost of a false positive is asymmetrically lower than the false negative consequence (SPAD with collision), at timescales where human correction is not feasible before the safety consequence occurs.

Q: How does PSD camera AI adversarial injection differ from conventional PSD sensor failure?

Conventional PSD pressure-sensitive edge sensors fail to a safe state (fail-to-open or system out of service) under systematic failure modes addressed by EN 50128 SIL 2. Adversarial camera AI injection is a distinct failure mode: PSD control software and pressure sensors operate correctly, but the camera AI falsely reports clear gap, allowing door-close before PSD-obstruction contact. The pressure sensor then becomes the last barrier — potentially below its minimum detection threshold for small-diameter obstructions.

Global rail networks carried approximately 4.5 billion passenger journeys in 2025 under regulatory frameworks built on the fundamental principle of fail-safe signalling — the requirement that a failure in any signalling component must result in the most restrictive safe state (typically a stop signal), not an unsafe clearance. The European Train Control System (ETCS), standardised under the European Rail Traffic Management System (ERTMS) by ERA (European Union Agency for Railways) Regulation 2016/919 and deployed across the EU’s TEN-T core network corridors, enforces this fail-safe principle through a certified software architecture governed by CENELEC EN 50128 (Software for Railway Control and Protection Systems) at Safety Integrity Level 4 (SIL 4) — the highest software safety level in the CENELEC railway standards family. In the United States, the Federal Railroad Administration’s Positive Train Control (PTC) mandate under 49 USC 20157 (Rail Safety Improvement Act 2008) required deployment on Class I railroads’ main lines carrying passengers or toxic-by-inhalation hazardous materials by December 2020, with PTC enforced under FRA 49 CFR Part 236 Subpart I. Artificial intelligence is being progressively integrated into the railway signalling domain across four distinct applications: ETCS/ERTMS Level 3 camera-based lineside signal state recognition as a supplementary input to radio block centre (RBC) movement authority computation, PTC onboard signal recognition camera AI for supplementary lineside signal state verification, metro platform screen door (PSD) safety vision AI for platform edge monitoring, and automated track geometry and defect inspection AI for infrastructure maintenance. Each application processes rendered images — signal state camera frames, depth camera visualizations, and inspection scan renders — at AI classification boundaries within safety-critical railway operating environments where fail-safe requirements are mandated by CENELEC EN 50126 (Reliability, Availability, Maintainability and Safety — RAMS), EN 50128 (software safety), EN 50129 (safety-related electronic systems), and IEC 62280 (railway communication network security).

TL;DR

Railway ETCS/ERTMS signal recognition AI, PTC signal camera AI, platform screen door safety vision AI, and track geometry inspection AI all process rendered images at AI classification boundaries within CENELEC SIL 4 and FRA Part 236 environments. Adversarially crafted images can suppress speed restrictions, generate phantom movement authorities, disable platform safety functions, and mask track defects — at a threshold of 35 across all railway signalling AI contexts, reflecting the safety-critical rail operating environment with mass-casualty potential. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in railway signalling AI

1. ETCS/ERTMS Level 3 AI lineside signal state recognition

ETCS Level 3 — the highest ERTMS deployment level, currently under active deployment on Network Rail’s East Coast Digital Programme (ECDP), Infrabel’s Belgian railway network, and DB Netz’s German high-speed network — operates without lineside signals in its full implementation, relying on radio communication between the Radio Block Centre (RBC) and onboard train units to transmit Movement Authorities (MAs) and speed profiles. However, during the transition period from conventional national signalling systems to full ETCS Level 3 coverage, mixed-mode operation — where ETCS trains operate in an environment that also has conventional lineside colour-light or semaphore signals — requires AI-assisted signal state recognition cameras that read the lineside signal aspects (Green/Clear, Yellow/Caution, Double Yellow/Preliminary Caution, Red/Danger) and translate them into ETCS-compatible speed restriction commands for the onboard ATP (Automatic Train Protection) system. Alstom ATLAS, Siemens Trainguard, Hitachi ATACS, and Thales ETCS onboard units have incorporated camera-based signal recognition AI precisely for this transition-period use case. The camera-based signal recognition AI processes rendered image frames from forward-facing cab cameras — color images of the railway track ahead with the lineside signal unit in frame — through a convolutional network that classifies the displayed signal aspect and maps it to the appropriate ETCS in-cab display speed command.

An adversarial perturbation on the cab camera frame — a structured pixel modification that shifts the apparent colour distribution of a Red/Danger signal aspect toward the Green/Clear spectral range — can cause the ETCS signal recognition AI to misclassify a stop signal as a clear proceed indication, generating an ETCS in-cab movement authority that directs the ATP system to maintain or increase train speed past a signal at danger. ATP override of a stop signal (SPAD — Signal Passed at Danger) is the primary cause of railway collision in inadequately protected environments; on a bi-directional single-track line or a route where a following movement has been authorised on the same track section, an adversarially induced SPAD that generates a forward movement authority creates a head-on or rear-end collision risk. The Paddington rail disaster (1999), Ladbroke Grove collision, and Grayrigg derailment (2007) were all investigated by RAIB (Rail Accident Investigation Branch) with findings that referenced signal recognition failures and ATP gap coverage as causal factors; ETCS Level 2/3 deployment is the EU’s primary structural response to the systemic SPAD risk in European rail networks, with ERA Regulation 2016/919 mandating ETCS on the TEN-T core network by 2030. Adversarial injection into the AI signal recognition layer that supplements ETCS operation during the transition period targets the precise safety function that ETCS was designed to enforce.

2. Positive Train Control signal recognition camera AI

US Positive Train Control (PTC) implementations on Class I railroads — Union Pacific’s ITCS (Incremental Train Control System), BNSF’s I-ETMS (Interoperable Electronic Train Management System), CSX Transportation’s ACSES/ITCS, and Amtrak’s ACSES (Advanced Civil Speed Enforcement System) on the Northeast Corridor — are primarily radio-communication and GPS-based systems that receive wayside signal state information from the PTC back-office server via 220MHz radio communication. However, supplementary signal recognition camera AI has been deployed by several Class I railroads as a crew override detection system — a safety layer that cross-checks the onboard engineer’s throttle and brake actions against the current PTC movement authority and the visually displayed wayside signal aspect to detect situations where a crew member may be attempting to override PTC intervention. The signal recognition camera AI processes images from forward-facing locomotive cameras (Federal Railroad Administration FRA-required Forward Facing Camera Rule, 49 CFR Part 229 Subpart F, effective May 2023 for passenger equipment and July 2025 for freight) to classify the visible wayside signal aspect and compare it against the PTC-computed authority.

An adversarial perturbation on the forward-facing camera image processed by the PTC signal recognition AI — a pixel modification that suppresses the Red/Stop indication and renders the signal as a Yellow/Approach — can cause the supplementary signal recognition AI to report a less restrictive signal state to the PTC crew override detection system, preventing the PTC system from flagging the discrepancy between the crew’s action and the actual signal state. The 2016 Hoboken Terminal crash (NJ Transit locomotive engineer fatigue event), the 2008 Chatsworth collision (Metrolink engineer texting, 25 fatalities), and the 2005 Glendale collision all involved crew action failures in situations where PTC would have intervened; the FRA’s PTC mandate explicitly cited these incidents in 49 CFR Part 236 Subpart I. Adversarial injection into the PTC signal recognition AI cross-check layer does not disable PTC itself — the primary radio-based PTC system continues operating — but it removes the secondary verification layer that was added precisely to catch crew override attempts and human factor errors in PTC-equipped territory.

3. Metro platform screen door safety vision AI

Metro and rapid transit systems with platform screen doors (PSDs) — London Underground (PSD at Jubilee, Northern, Victoria, and Elizabeth Lines), Singapore MRT (full-height PSDs throughout the entire network), Hong Kong MTR, Paris Métro Lines 1 and 14, Shanghai Metro, and New York City Transit (partial-height platform edge barriers on canopy-platform sections) — deploy safety vision AI systems that monitor the gap between the PSD and the train carriage edge to detect obstructions (persons, luggage, or items caught in the gap) before PSD closure command and before train departure authorisation is issued to the driver or automatic train operation (ATO) system. The PSD safety AI processes camera frames from platform-mounted cameras monitoring the train-platform gap — optical RGB cameras for daytime operation and IR camera arrays for lighting-invariant detection — through a person/object detection network that classifies the gap region as clear or obstructed. The PSD safety AI output directly inhibits or permits the PSD door-close command; a misclassification of an obstructed gap as clear allows the PSDs to close on a person or object partially in the gap, with train departure authorised against an obstructed PSD state.

An adversarial perturbation on the platform camera frame — a structured pixel modification that suppresses the bounding box detection of a person whose torso or limb is partially in the gap between the PSD and the train door — can cause the PSD safety AI to classify the gap as clear and permit PSD closure, resulting in a person-trapped-in-doors event. London Underground has recorded 22 “person trapped in door” events in 2024 (RAIB Annual Report 2025) across PSD-equipped and conventional-door lines; the PSD safety vision AI was deployed precisely to eliminate the residual gap-monitoring gap that exists between the PSD sensor strips (pressure-sensitive edges) and full visual coverage of the train-PSD gap. Adversarial injection that disables the camera AI gap classification removes the primary visual safety layer, leaving only the pressure-sensitive PSD edge sensors as the remaining detection mechanism — a mechanism that does not detect small-diameter objects (a child’s arm) caught at the edge of the gap.

4. Automated track geometry and defect inspection AI

Automated track inspection vehicles — Network Rail’s New Measurement Train (NMT), Deutsche Bahn’s Gleismesswagen (GMW), SNCF’s IRIS 320, and Amtrak’s Amtrak Test Train on the Northeast Corridor — deploy AI-based track geometry analysis and rail defect detection systems that process ultrasound B-scan images (for internal rail head defect detection) and high-resolution visual camera arrays (for surface defect, ballast, and fastener condition inspection). The track geometry AI classifies defects from rendered ultrasound B-scan images — false-color visualizations of subsurface rail cross-sections with internal defects (transverse defects, detail fractures, head checks, shelling) appearing as high-reflectance regions in the rendered scan — and visual inspection images (surface defects, missing rail clips, ballast voids, sleeper cracks). The AI classification output drives the track maintenance work order generation system that schedules speed restrictions (emergency speed restriction — ESR) and maintenance possessions (track access for repair).

An adversarial perturbation on the rendered ultrasound B-scan image — a pixel modification that suppresses the high-reflectance signature of a developing transverse defect in the rail head — can cause the track inspection AI to classify the defect-present rail section as clear, preventing the ESR and maintenance work order that would allow the defect to be repaired before propagation to a rail break. The 2002 Potters Bar derailment (19 injuries, 7 fatalities — RAIB Report), 2001 Great Heck rail crash (10 fatalities), and 2000 Hatfield derailment (4 fatalities — caused by a known gauge corner cracking defect in a rail section that had been identified for replacement) all involved track maintenance failures; the Hatfield crash specifically involved a known rail defect in a section that the operator (Railtrack) had identified for replacement but had not treated urgently enough — an exact analogue of an adversarially masked inspection result that prevents urgent treatment classification. Network Rail’s Track Inspection Manual (NR/SP/TRK/001) and FRA Track Safety Standards (49 CFR Part 213) establish the inspection frequency requirements and defect severity classifications that govern when ESRs are imposed; adversarial injection that corrupts the AI classification output inserts a false-negative at the precise point in the inspection data workflow where maintenance prioritisation decisions are made.

Integration: railway signalling AI image scanning with Glyphward pre-scan gate

The Glyphward scan gate for railway signalling AI belongs at the rendered image ingestion boundary before each AI classification step — before ETCS/ERTMS signal recognition AI processes the cab camera frame, before PTC cross-check AI processes the forward-facing camera image, before PSD safety AI processes the platform camera frame, and before track inspection AI processes the rendered ultrasound scan image. Threshold 35 across all railway signalling AI contexts reflects mass-casualty potential and the fail-safe architecture requirement that characterises railway safety systems under CENELEC EN 50129. The implementation uses JSONL audit logging referencing EN 50129, IEC 62280, and FRA 49 CFR Part 236.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# All railway signalling AI contexts: threshold 35
# CENELEC EN 50129 SIL 4 fail-safe requirement and FRA 49 CFR Part 236 apply.
RAILWAY_AI_THRESHOLD = 35


class RailwaySignallingAIContext(Enum):
    ETCS_SIGNAL_RECOGNITION    = "etcs_signal_recognition"   # ETCS cab camera signal AI
    PTC_SIGNAL_CROSSCHECK      = "ptc_signal_crosscheck"     # PTC forward camera cross-check AI
    PLATFORM_SCREEN_DOOR       = "platform_screen_door"      # PSD gap safety vision AI
    TRACK_GEOMETRY_INSPECTION  = "track_geometry_inspection" # Ultrasound / visual track defect AI


class AdversarialRailwayImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in a railway
    signalling AI image above threshold 35 (CENELEC EN 50129 SIL 4).

    Consequence if not raised: SPAD (Signal Passed at Danger) movement
    authority generated, PSD closed on obstruction, or track defect masked.
    Railway fail-safe principle requires most-restrictive safe state on error.
    """

    def __init__(self, scan_id: str, score: int,
                 context: RailwaySignallingAIContext,
                 train_id: str, location: str,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.train_id = train_id
        self.location = location
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial railway signalling AI image: "
            f"context={context.value} score={score} "
            f"train={train_id} location={location} scan_id={scan_id}"
        )


async def scan_railway_signal_image(
    image_bytes: bytes,
    context: RailwaySignallingAIContext,
    train_id: str,
    location: str,
    milepost: float | None,
    frame_timestamp: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a railway signalling AI image for adversarial pixel content.

    Fail-safe contract: any exception (AdversarialRailwayImageError or
    httpx.HTTPStatusError) must result in the most-restrictive safe state
    for the context — per CENELEC EN 50129 SIL 4 fail-safe requirement.

    Args:
        image_bytes: Cab camera frame (ETCS), forward-facing camera (PTC),
            platform camera (PSD), or ultrasound scan render (track inspection).
        context: RailwaySignallingAIContext identifying the AI pipeline.
        train_id: Train number or unit identifier.
        location: TIPLOC, NLC, or track location identifier.
        milepost: Track milepost (decimal miles or km), if available.
        frame_timestamp: ISO 8601 image capture timestamp.
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict.

    Raises:
        AdversarialRailwayImageError: if score exceeds threshold 35.
        httpx.HTTPStatusError: on Glyphward API error (fail-closed to safe state).
    """
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"railway_ai:{context.value}:{train_id}:{location}",
        "metadata": {
            "train_id": train_id,
            "location": location,
            "milepost": milepost,
            "frame_timestamp": frame_timestamp,
            "image_sha256": image_hash,
            "context": context.value,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=3.0,  # Tight timeout: railway ATP requires sub-second response
    )
    resp.raise_for_status()
    result = resp.json()

    await _write_railway_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        train_id=train_id,
        location=location,
        milepost=milepost,
        frame_timestamp=frame_timestamp,
        flagged=result["score"] > RAILWAY_AI_THRESHOLD,
    )

    if result["score"] > RAILWAY_AI_THRESHOLD:
        raise AdversarialRailwayImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            train_id=train_id,
            location=location,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def _write_railway_scan_audit(
    *, image_hash: str, scan_id: str, score: int,
    context: RailwaySignallingAIContext, train_id: str,
    location: str, milepost: float | None, frame_timestamp: str, flagged: bool,
) -> None:
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": RAILWAY_AI_THRESHOLD,
        "flagged": flagged,
        "train_id": train_id,
        "location": location,
        "milepost": milepost,
        "frame_timestamp": frame_timestamp,
        "regulatory_refs": [
            "CENELEC EN 50126 (Railway RAMS)",
            "CENELEC EN 50128 (Railway Control Software, SIL 4)",
            "CENELEC EN 50129 (Railway Safety-Related Systems)",
            "IEC 62280 (Railway Communication Network Security)",
            "ERA Regulation 2016/919 (ETCS/ERTMS interoperability)",
            "FRA 49 CFR Part 236 Subpart I (Positive Train Control)",
            "FRA 49 CFR Part 229 Subpart F (Forward Facing Camera Rule)",
        ],
    }
    audit_path = Path("/var/log/glyphward/railway_signal_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy scan_railway_signal_image at each railway signalling AI image ingestion boundary: before ETCS signal recognition AI (threshold 35), before PTC signal cross-check AI (threshold 35), before PSD gap safety AI (threshold 35), and before track geometry inspection AI (threshold 35). On AdversarialRailwayImageError or any Glyphward API error: fail-closed to the most-restrictive safe state — ETCS: apply Red/Danger speed profile (emergency brake); PTC: revert to radio-based authority without camera cross-check; PSD: inhibit PSD door-close command; track inspection: classify the rail section as defect-present pending human re-inspection. The fail-safe-to-most-restrictive-state requirement is mandatory under CENELEC EN 50129 Section 7 and is the structural principle that distinguishes railway safety AI from other critical-infrastructure AI contexts. Get early access

Related questions

Why does railway signalling AI use threshold 35 — the same as ATC and surgical AI — rather than the higher threshold of 40 used for maritime and ICS AI?

Threshold 35 for railway signalling AI reflects two structural properties. First, mass-casualty potential: an adversarially induced SPAD on a passenger railway in PTC-equipped territory removes the last automated safety barrier between a train and a wrong-line movement, a head-on collision, or a rear-end collision — events that historically produced fatality counts of 4–25+ per incident (Chatsworth 2008: 25, Great Heck 2001: 10, Hatfield 2000: 4). Second, the fail-safe architecture principle of CENELEC EN 50129 — the most-restrictive-safe-state requirement — makes a false positive at threshold 35 operationally acceptable: failing closed on an ETCS signal recognition scan means applying emergency brake at a Red signal that is actually Green, which causes a train delay but not a safety event. The operational cost of a false positive (a train stopping unnecessarily at a signal it has wrongly scan-quarantined) is asymmetrically lower than the consequence of the false negative (a SPAD with resulting collision). This same consequence-asymmetry logic drove the equivalent threshold choice for ATC (missed conflict alert: multi-fatality collision) and surgical robotics (adversarial bile duct suppression: intraoperative injury). The maritime and ICS contexts use threshold 40 because their adversarial injection consequences are either lower-magnitude (ICS quality gate) or supplemented by redundant human watchkeeping (maritime bridge officer). Railway signalling AI, like ATC and surgical AI, operates at timescales where human correction of an AI-induced error is not feasible before the safety consequence occurs.

How does ETCS signal recognition AI interact with the primary ETCS radio-based movement authority system?

ETCS Level 2 and Level 3 are radio-block-centre (RBC) based systems that transmit movement authorities (MAs) to onboard European Vital Computer (EVC) units via GSM-R or 5G-R radio. The MA specifies the end-of-authority (EoA) — the point to which the train is authorised to proceed — and the speed profile along the authorised route. The camera-based signal recognition AI does not replace or override the primary RBC-based MA; it is a supplementary layer used during ETCS Level NTC (National Train Control) transition operation, where the train is operating in conventional signalling territory not yet covered by the RBC MA boundary. In this mixed-mode transition zone, the onboard ETCS unit’s STM (Specific Transmission Module) reads the national signalling system’s trackside balises and conventional signal aspects to generate speed commands; the camera-based AI supplements the STM by providing a visual cross-check on the signal aspect at locations where the STM balise data is ambiguous or unavailable. The adversarial injection surface is specifically in this supplementary camera AI layer — the primary RBC-based ETCS system is not a rendered-image-based AI and is not exposed to pixel-level adversarial injection. However, the supplementary camera AI’s output enters the ETCS EVC speed supervision function as an additional speed command input; an adversarially corrupted camera AI output that instructs the EVC to apply a less restrictive speed profile than the signal state warrants can override the STM-based restriction during the mixed-mode transition interval.

What is the IEC 62280 regulatory framework for railway communication network security in ETCS environments?

IEC 62280 (Railway Applications — Communication, Signalling and Processing Systems — Security for Railway Communication Networks) is the primary railway-sector cybersecurity standard, structured in two parts: IEC 62280-1 (General concepts and principles, 2014) and IEC 62280-2 (Safety-related data communication within closed transmission systems, 2014). IEC 62280 addresses the communication security requirements for safety-critical railway data transmissions — including ETCS packet transmission integrity (EN 50159 Profiles), GSM-R radio communication security, and the authentication and integrity requirements for MA and speed profile transmissions between RBC and onboard EVC. IEC 62280 covers communication-layer security (message authentication, replay protection, integrity checking) but does not address AI component adversarial robustness within the ETCS onboard or wayside systems. ETCS software certification under CENELEC EN 50128 SIL 4 addresses software correctness — proof that the software implements the ETCS specification correctly — but not adversarial ML robustness for AI components that process rendered images. The ERA ERTMS Technical Specifications for Interoperability (TSI CCS, updated 2023 under Commission Regulation EU 2023/1695) include cybersecurity requirements under the NIS2 Directive framework for critical infrastructure, but without specific adversarial ML provisions. A Glyphward pre-scan gate fills this gap at the rendered image boundary.

How does platform screen door safety AI adversarial injection differ from conventional PSD sensor failure modes?

Conventional PSD safety systems rely on pressure-sensitive rubber edge profiles along the full height of the PSD leaf — when the door edge contacts an obstruction during closing, the pressure sensor detects the resistance force and triggers door re-opening (the “obstacle detection on closing” function). This mechanical/electrical safety function is independent of computer vision AI and operates at the physical contact layer. Camera-based PSD safety vision AI adds a pre-contact detection layer — it detects obstructions in the gap region before PSD closure is commanded, preventing contact between the PSD and the obstruction entirely rather than detecting it after contact. Conventional PSD sensor failure modes — sensor drift, cable fault, moisture ingress — are systematic failures that produce a defined safe-state output (fail-to-open, or door system taken out of service) and are addressed by CENELEC EN 50128 SIL 2 certified PSD control software. Adversarial camera AI injection is a distinct failure mode: the PSD control software and pressure sensors operate correctly, but the camera AI classification falsely reports a clear gap, allowing the door-close command to proceed. The PSD pressure sensor then becomes the last safety barrier — detecting the obstruction only after PSD-obstruction contact has already occurred. For small-diameter obstructions (a child’s wrist, a passenger’s thin leg) at the edge of the PSD, the pressure sensor may not detect the contact at the threshold required to trigger re-opening, because the contact force is below the minimum detection threshold defined in EN 50129 Annex A for PSD obstacle detection performance.

Can Glyphward scan ultrasound B-scan images as well as optical camera images for track inspection AI?

Yes. Glyphward’s multimodal scanning engine processes any image format — including grayscale ultrasound B-scan renders, false-color phased-array ultrasound volume renders, and high-resolution RGB inspection camera frames — through the same adversarial pixel injection detection pipeline. Railway track ultrasound inspection systems (Sperry Rail International EURAIL-350 ultrasound cars, Deutsche Bahn UniMoS platform) render B-scan images as false-color 2D cross-section visualizations where pixel colour encodes reflectance amplitude at each depth position in the rail head cross-section. These rendered B-scan images are processed by track defect classification AI using convolutional networks trained on annotated historical B-scan datasets — the same rendered-image-input architecture as other AI classification contexts. An adversarial perturbation that modifies the false-color amplitude encoding of a developing transverse defect in the rendered B-scan is directly detectable by a Glyphward scan of the rendered B-scan image, in the same way that a perturbation in a medical CT scan is detected in a clinical imaging AI scan gate context. The scan gate should be applied to the rendered B-scan visualization — the same format-independent image boundary that receives the adversarial injection attack — before the defect classification network receives the render as input.