On the morning of 20 October 2017, information on temporary speed restrictions (TSRs) was not sent by the signalling system to four trains running on the Cambrian Coast line in Gwynedd, North Wales.
This line is controlled using ETCS (European Train Control System) in-cab signalling. It is the first line in the UK to use this system which relies on information being sent between the train and the control centre by radio. Traditional lineside signals and signs are replaced by movement authorities transmitted to trains. These movement authorities include maximum permitted speeds which are displayed to the train driver and used for automatic supervision of train speed.
No accident resulted in the drivers not being notified about the TSRs, but a train approached a level crossing at 80km/h (50mph), significantly exceeding the temporary speed restriction of 30km/h (19mph) needed to give adequate warning time for level crossing users.
The Rail Accident Investigation Branch (RAIB) launched an investigation into the circumstances of this failure and has now released its report.
RAIB found that the temporary speed restriction data was not uploaded during an automated signalling computer restart the previous evening, but a display screen incorrectly showed the restrictions as being loaded for transmission to trains. An independent check of the upload was needed to achieve safety levels given in European standards and the system designer, Ansaldo STS (now part of Hitachi STS), intended that this would be provided by signallers checking the display.
However, a suitable method of assuring that the correct data was provided to the display had not been clearly defined in the software design documentation prepared by Ansaldo STS and the resulting software product included a single point of failure which affected both the data upload and signallers’ display functions. The system safety justification was presented in a non-standard format based on documentation from another project still in development at the time of the Cambrian ERTMS commissioning and which, before completion, made changes that unintentionally mitigated the single point of failure later exhibited on the Cambrian system.
Network Rail and the Independent Safety Assessor (Lloyd’s Register Rail, now Ricardo Rail/Ricardo Certification) were required to review the design documentation but did not identify the lack of clear definition in design documents and were not aware of the changes made during the development of the other project.
Recommendations
The RAIB report makes a number of recommendations.
Network Rail, aided by the wider rail industry, should improve its safety assurance process for high-integrity software-based systems, improve safety learning from failures of such systems and develop a process to capture the data needed to understand these failures.
Hitachi STS (formerly Ansaldo STS) should review its safety assurance processes in the light of the learning from this investigation and should provide a technical solution for the Cambrian lines that avoids the need for signallers to verify automatically uploaded speed restrictions.
In addition, the report lays out learning points that cover train drivers reporting inconsistencies in information provided to them; the need for independent safety assessors to understand the scope of checks undertaken by other bodies and to apply extra vigilance if documents form part of a non-standard process; the importance of clients undertaking their client role when procuring high integrity software; and achieving the specified level of safety when implementing temporary speed restrictions in ERTMS.
Chief Inspector’s comment
Simon French, the chief inspector of rail accidents at RAIB, said: “The pilot installation of the European Rail Traffic Management System (ERTMS) on the Cambrian lines has provided valuable experience for engineers and operators of how this system might perform when it is extended to other parts of the national network in the UK. Much of this experience has been positive, but there have been some incidents which have led to disruption to services and some, including the events covered by this investigation, which were potentially dangerous.
“The lessons that have come out of this investigation are important ones for the railway industry. It is fundamental that the process of digital design is robust enough to ensure that software-based systems are of the necessary integrity. In this case, the people operating the railway did not know that there was anything amiss. Digital railways need to detect when they have failed and report this to those who need to know – in this case the signallers.
“The safety of a digital system can be difficult to assess. A system is often made up of a number of ‘black boxes’ which perform particular tasks. It can be hard to know how each of these boxes really works or to fully understand their potential failure modes – particularly when the box has been bought ‘off-the-shelf’ or imported from another application entirely. Once our black boxes have been plugged together, do we really know how they will interact with each other, and with the human operator? Digital systems don’t often breakdown – safety critical failures tend to be related to the way they are designed or the way that design has been translated into a working system.
“So, assessing the safety of digital systems is often seen as ‘tricky’ or ‘too difficult’. That doesn’t mean that we shouldn’t try to master the problem. Existing industry guidance helps us by breaking the problem down into distinct steps: specification; definition of requirements; design, checking and testing; and validation against the original specification and requirements.
“How does the industry know whether it has got this process of safety assurance right? Is it fit for purpose as we move into the digital age? We are recommending that the industry comes together to develop a safety assurance procedure for its role as a client for high-integrity software-based systems. This will involve learning from other industries and co-operation between many different bodies.
“The railway industry must not shrink from the challenges that this will present, as it will be vital for establishing and maintaining public confidence in the digital railway of the future.”
Be the first to comment