Report 17/2019 Loss of safety critical signalling data on Cambrian Coast line

Image of the Machynlleth control centre


Summary

On the morning of 20 October 2017, four trains travelled over the Cambrian Coast line, Gwynedd, while temporary speed restriction data was not being sent to the trains by the signalling system. No accident resulted but a train approached a level crossing at 80 km/h (50 mph), significantly exceeding the temporary speed restriction of 30 km/h (19 mph) needed to give adequate warning time for level crossing users.

The line has been operated since 2011 using a pilot installation of the European Rail Traffic Management System (ERTMS) which replaces traditional lineside signals and signs with movement authorities transmitted to trains. These movement authorities include maximum permitted speeds which are displayed to the train driver and used for automatic supervision of train speed.

The temporary speed restriction data was not uploaded during an automated signalling computer restart the previous evening, but a display screen incorrectly showed the restrictions as being loaded for transmission to trains. An independent check of the upload was needed to achieve the safety levels given in European standards, and the system designer, Ansaldo STS (now part of Hitachi STS), intended that this check would be provided by signallers checking the display. A suitable method of assuring that the correct data was provided to the display had not been clearly defined in the software design documentation prepared by Ansaldo STS, and the resulting software product included a single point of failure which affected both the data upload and the signallers’ display functions. The system safety justification was presented in a non-standard format based on documentation from another project that was still in development at the time of the Cambrian ERTMS commissioning; before that project was completed, changes were made to it that unintentionally mitigated the single point of failure later exhibited on the Cambrian system. Network Rail and the Independent Safety Assessor (Lloyd’s Register Rail, now Ricardo Rail/Ricardo Certification) were required to review the design documentation, but did not identify the lack of clear definition in the design documents and were not aware of the changes made during the development of the other project.
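To illustrate the single point of failure described above, here is a hypothetical model (added here; not code from the RAIB report, Network Rail or Ansaldo STS) of a display that reports "loaded" from the same step that performs the upload, beside a display driven by reading back what the trackside unit actually holds. The RadioBlockCentre class, its accept_uploads fault switch and the sample restriction are constructed assumptions.

```python
"""Hypothetical model of a shared-path status display versus an independent
read-back check after a signalling computer restart (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TSR:
    """A temporary speed restriction: line section and speed limit in km/h."""
    section: str
    speed_kmh: int


@dataclass
class RadioBlockCentre:
    """Stand-in for the trackside unit that transmits movement authorities."""
    active: set[TSR] = field(default_factory=set)
    accept_uploads: bool = True  # constructed fault switch: False = silent upload failure

    def upload(self, tsrs: set[TSR]) -> None:
        if self.accept_uploads:
            self.active = set(tsrs)


def restart_shared_path(rbc: RadioBlockCentre, intended: set[TSR]) -> str:
    """Flawed design: the display status comes from the same step that performs
    the upload, so a silent upload failure and the 'loaded' status share one
    point of failure."""
    rbc.upload(intended)
    return "TSRs loaded"  # reported unconditionally once the upload step has run


def restart_with_readback(rbc: RadioBlockCentre, intended: set[TSR]) -> str:
    """Independent check: read back what the RBC will actually transmit and
    compare it with the intended set; any discrepancy is reported."""
    rbc.upload(intended)
    missing = intended - rbc.active
    unexpected = rbc.active - intended
    if not missing and not unexpected:
        return "TSRs loaded (verified)"
    return (f"TSR MISMATCH: missing={sorted(t.section for t in missing)} "
            f"unexpected={sorted(t.section for t in unexpected)}")


# Constructed sample: a 30 km/h restriction on the approach to a level crossing
INTENDED = {TSR("crossing approach", 30)}


def demo(upload_works: bool) -> tuple[str, str]:
    """Run both designs against an RBC that does or does not accept the upload."""
    shared = RadioBlockCentre(accept_uploads=upload_works)
    checked = RadioBlockCentre(accept_uploads=upload_works)
    return restart_shared_path(shared, INTENDED), restart_with_readback(checked, INTENDED)


if __name__ == "__main__":
    print(demo(upload_works=False))
```

With the upload silently failing, the shared-path display still reports "TSRs loaded" while the read-back check flags the missing restriction.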

Recommendations

The investigation makes five recommendations. Network Rail, aided by the wider rail industry, should improve its safety assurance process for high integrity software-based systems and improve safety learning from failures of such systems, and develop a process to capture the data needed to understand these failures. Hitachi STS (formerly Ansaldo STS) should review its safety assurance processes in the light of the learning from this investigation, and should provide a technical solution for the Cambrian lines that avoids the need for signallers to verify automatically uploaded speed restrictions.

Learning points cover train drivers reporting inconsistencies in information provided to them; the need for Independent Safety Assessors to understand the scope of checks undertaken by other bodies and to apply extra vigilance if documents form part of a non-standard process; the importance of clients undertaking their client role when procuring high integrity software; and achieving the specified level of safety when implementing temporary speed restrictions in ERTMS.

Simon French, Chief Inspector of Rail Accidents said:

“The pilot installation of the European Rail Traffic Management System (ERTMS) on the Cambrian lines has provided valuable experience for engineers and operators of how this system might perform when it is extended to other parts of the national network in the UK. Much of this experience has been positive, but there have been some incidents which have led to disruption to services and some, including the events covered by this investigation, which were potentially dangerous.

“The lessons that have come out of this investigation are important ones for the railway industry. It is fundamental that the process of digital design is robust enough to ensure that software-based systems are of the necessary integrity. In this case, the people operating the railway did not know that there was anything amiss. Digital railways need to detect when they have failed and report this to those who need to know – in this case the signallers.

“The safety of a digital system can be difficult to assess. A system is often made up of a number of ‘black boxes’ which perform particular tasks. It can be hard to know how each of these boxes really works or to fully understand their potential failure modes – particularly when the box has been bought ‘off-the-shelf’ or imported from another application entirely. Once our black boxes have been plugged together, do we really know how they will interact with each other, and with the human operator? Digital systems don’t often break down – safety critical failures tend to be related to the way they are designed or the way that design has been translated into a working system.

“So, assessing the safety of digital systems is often seen as ‘tricky’ or ‘too difficult’. That doesn’t mean that we shouldn’t try to master the problem. Existing industry guidance helps us by breaking the problem down into distinct steps: specification; definition of requirements; design, checking and testing; and validation against the original specification and requirements.

“How does the industry know whether it has got this process of safety assurance right? Is it fit for purpose as we move into the digital age? We are recommending that the industry comes together to develop a safety assurance procedure for its role as a client for high integrity software-based systems. This will involve learning from other industries and co-operation between many different bodies. The railway industry must not shrink from the challenges that this will present, as it will be vital for establishing and maintaining public confidence in the digital railway of the future.”

Notes

  1. The sole purpose of RAIB investigations is to prevent future accidents and incidents and improve railway safety. RAIB does not establish blame, liability or carry out prosecutions.

  2. RAIB operates, as far as possible, in an open and transparent manner. While our investigations are completely independent of the railway industry, we do maintain close liaison with railway companies and if we discover matters that may affect the safety of the railway, we make sure that information about them is circulated to the right people as soon as possible, and certainly long before publication of our final report.
