Independent report

Summary of learning - 9. Wrong side failures of signalling - v1. May 2023

Published 22 May 2023

1. Purpose of this summary

The purpose of this document is to provide a repository of some of the most important areas of learning identified in RAIB’s investigations to date, cross-referenced to relevant reports. It therefore provides a reference source for those looking to understand real-world railway safety issues and potential control measures.

When preparing this document, RAIB has selected those issues which:

  • have recurred in different RAIB investigations
  • have still to be fully addressed
  • could be a factor in the cause of a fatal accident

RAIB is aware that many of the issues raised have already been the subject of actions by duty holders when responding to RAIB recommendations, or are in the process of being addressed. The inclusion of a topic in this document should not be taken to mean that no action has been taken in response to relevant recommendations. However, its inclusion indicates that RAIB is of the view that the issue still needs to be actively managed by duty holders.

The current status of each recommendation made by RAIB can be checked by reference to the Index of RAIB recommendations, and details of the actions taken are published by ORR.

It is not the purpose of this document to quantify the risk associated with each of the identified safety issues. Readers seeking to understand the overall risk of harm associated with various dangerous events should refer to RSSB’s Annual Safety Performance Report. This presents historical information on actual harm caused, and estimates of risk based on extensive modelling.

2. Overview

The high level of safety expected of train movements can be delivered by train control and signalling systems only when the integrity of those systems can be assured.

The tragic accident at Clapham Junction in 1988 occurred when a train driver received a proceed aspect at a signal which should have been at danger. This resulted in a collision with a preceding train which should have been protected by the signal. The incorrect proceed aspect was shown because inadequate working practices during a resignalling project had resulted in a loose, uninsulated redundant wire remaining close to, and eventually coming into contact with, other circuitry. As a result of this accident 35 people lost their lives and the subsequent public inquiry led to major changes being made to signalling design, installation and testing processes. These processes remain in place today.

Despite this, RAIB has investigated six incidents where the integrity of a train control system has been compromised by an incorrect application of the design standards or testing processes that were introduced to improve safety as a result of the Clapham Junction accident.

Aftermath of the 1988 accident at Clapham Junction (Christopher Pillitz / Alamy Stock Photo).

These include the collision at London Waterloo (RAIB report 19/2018), the serious operating irregularity at Cardiff East Junction (RAIB report 15/2017), the derailment at Dalwhinnie (RAIB report 10/2022) and the ongoing RAIB investigation into a wrong side signalling failure at Wingfield.

As well as more established train control systems, modern railway systems are increasingly dependent on software, which needs to be developed to a high standard to meet railway safety requirements. RAIB has investigated the loss of safety-critical data on the Cambrian lines and concluded that errors made during the development of the software-based signalling system had not been identified by the safety assurance process. Concerns relating to the safety assurance of a software product were also a factor in a collision at Hockham Road level crossing, which resulted in serious injuries to the crossing user.

The events described in this summary of learning resulted from people taking actions which were inconsistent with the processes in which they had been assessed as competent. If these processes had been followed, the events would have been prevented.

RAIB found no evidence that the staff and organisations involved in any of these events lacked a commitment to safety. However, these events reiterate how important it is for the railway to retain its corporate memory and not forget the important lessons learnt from previous accidents, such as Clapham. This deep-seated knowledge is vital to maintaining safety and the industry is at risk of repeating the errors of the past if this memory is not constantly maintained as staff retire or move into other roles.

3. Important areas for safety learning

The areas of significant concern to RAIB fall into the three main themes described below.

3.1 Assurance of software products

Software is becoming increasingly common in safety-critical functions across the railway industry. This includes on‑board train systems, train control and signalling systems and trackside infrastructure. It is vitally important that the railway industry fully understands its role in the assurance of these critical software-based products from the earliest stages of the procurement process.

During its investigation into a collision at Hockham Road level crossing (RAIB report 04/2017), RAIB found that Network Rail had not come to a clear understanding with the manufacturer of a software-based level crossing warning system as to how the system met the required safety integrity level. After an internal review of the safety assurance documentation supplied as part of the procurement process, and having assessed the risks, Network Rail decided to decommission the system while improvements were made.

The level crossing system was intended to display green or red lights to road users to warn them when it was unsafe to cross. Decommissioning the warning system meant that users were required to telephone the signaller for permission to cross, and this was a factor which led to a collision between a tractor and train at the crossing in 2016.

Damage to the train involved in the collision at Hockham Road in 2016.

During the investigation into the 2017 loss of safety-critical signalling data on the Cambrian Coast line (RAIB report 17/2019), RAIB found that Network Rail and the Independent Safety Assessor had been required to review the design documentation during the procurement of a pilot signalling system for the Cambrian lines in North Wales.

The system employed a software-based control system which transmitted the movement authority, including maximum permitted speed, by GSM-R radio to trains. The temporary speed restriction data was not uploaded during an automated signalling computer restart, resulting in incorrectly displayed data being loaded for transmission. A suitable method of assuring that the correct data was provided to the display had not been clearly defined in the design documentation and the resulting software included a single point of failure which affected both the data upload and display functions.

RAIB also found that the system safety justification was presented in a non-standard format based on documentation from another project still in development at the time of the Cambrian line commissioning. This other project subsequently made changes that mitigated the single point of failure described above, although these were not implemented on the Cambrian system.

The reviews of the system safety justification undertaken by Network Rail and by an Independent Safety Assessor did not identify the unclear assurance definitions in design documents, and neither was aware of the changes made during the development of the other project to address the potential failure.

As a result of this failure, on the morning of 20 October 2017, four trains travelled over the Cambrian Coast line in North Wales while temporary speed restriction data was not being sent to the trains by the signalling system. This included one train which approached a level crossing significantly exceeding the temporary speed restriction needed to give adequate warning time for level crossing users.

Operating floor at Cambrian line signalling control centre.

3.2 Signalling project commissioning processes

Signalling renewals are complex and require strict controls to be in place to avoid failures being imported into the signalling system. Design controls require that drawings are produced for all new work, including intermediate stages of complex commissioning projects.

This requirement was not followed at Cardiff East Junction (RAIB report 15/2017) where the design had not included all of the redundant equipment to be decommissioned. This resulted in a passenger train being signalled on a route with an unsecured set of points following a return of the line to operation in 2016.

Uncontrolled wiring was added to enable testing of signalling equipment during a staged commissioning at London Waterloo (RAIB report 19/2018), without the safeguards required by Network Rail signalling works testing standards. This wiring was added to overcome a problem that was encountered while testing modifications to the signalling system. The problem arose because the test equipment design process had not allowed for alterations being made to the signalling system after the test equipment was designed. The uncontrolled wiring remained in place when the line was returned to service in 2017, and a passenger train was diverted away from its intended route by a set of points which were no longer interlocked by the signalling system. This resulted in a low-speed collision between the passenger train and a stationary engineering train.

Overview of the station and accident at Waterloo in 2017 (courtesy of Jamie Squibbs).

The actions of staff in both incidents were inconsistent with the behaviour expected of licensed testers and the competence management processes operated by Network Rail. In addition, some of the contractors had not addressed the full requirements of the roles responsible for the design, testing and commissioning of the work.

3.3 Maintenance renewals

Signalling equipment, and its interfaces, require maintenance throughout its lifecycle. When routine maintenance or an arising failure requires equipment to be replaced on a like-for-like basis, the processes differ from those required for resignalling projects. These processes are less complex and reflect the need for simple changeovers to be undertaken quickly and efficiently, often at the site of the equipment concerned.

Although maintenance replacements have a simpler method of working, the processes and culture must remain robust. Tasks intended to control the risk of errors, such as correlation checks, component examination and post-work testing, must be completed in accordance with the relevant instruction.

At Dalwhinnie (RAIB report 10/2022) in 2021, unwanted electrical connections were retained inside a point machine following its replacement nine months earlier. These connections were intended to allow the machine to be adapted for different operational environments.

The need to alter the internal wiring of the machine for its intended usage was not identified when the renewal work was planned, nor did the prescribed checks required as part of a like-for-like replacement process identify the wiring discrepancy. The last opportunity to identify the wiring error during testing before the points were handed back was not effective because it was interrupted and testing work was overlooked.

Derailment of a train at Dalwhinnie in 2021.

RAIB is currently investigating a wrong side signalling failure at Wingfield, Derbyshire, which occurred on 26 October 2022. The signal, which was passed at red, had been disconnected and reconnected the previous night as part of planned track maintenance work. The equipment was placed back into service after the work with a fault. This caused a wrong side failure, with the signal’s red and yellow aspects being displayed incorrectly.

4. Rail industry’s strategic safety groups

Relevant rail industry groups working in this field include the High-Integrity systems group, the purpose of which is to establish and share best practice in software applied to railway applications. In addition, RSSB and Network Rail have prepared a new rail industry standard (RIS-0745-CCS ‘Client Safety Assurance of High Integrity Software-Based Systems for Railway Applications’), which sets out requirements and guidance for the role of the client in managing safety assurance of high integrity software-based systems used in railway applications.

5. Relevant RAIB publications

  • Collision between a train and tractor at Hockham Road user worked crossing, Thetford, 10 April 2016 (report 04/2017)
  • Serious irregularity at Cardiff East Junction, 29 December 2016 (report 15/2017)
  • Collision at London Waterloo, 15 August 2017 (report 19/2018)
  • Loss of safety critical signalling data on the Cambrian Coast line, 20 October 2017 (report 17/2019)
  • Wrong side signalling failure and derailment at Dalwhinnie, Badenoch and Strathspey, 10 April 2021 (report 10/2022)
  • Investigation into a wrong side signalling failure at Wingfield, Derbyshire, 26 October 2022 (investigation ongoing)