Report 17/2019: Loss of safety critical signalling data on the Cambrian Coast line
Loss of safety critical signalling data on the Cambrian Coast line, 20 October 2017.
Summary
On the morning of 20 October 2017, four trains travelled over the Cambrian Coast line, Gwynedd, while temporary speed restriction data was not being sent to the trains by the signalling system. No accident resulted but a train approached a level crossing at 80 km/h (50 mph), significantly exceeding the temporary speed restriction of 30 km/h (19 mph) needed to give adequate warning time for level crossing users.
The line has been operated since 2011 using a pilot installation of the European Rail Traffic Management System (ERTMS) which replaces traditional lineside signals and signs with movement authorities transmitted to trains. These movement authorities include maximum permitted speeds which are displayed to the train driver and used for automatic supervision of train speed.
The temporary speed restriction data was not uploaded during an automated signalling computer restart the previous evening, but a display screen incorrectly showed the restrictions as being loaded for transmission to trains. An independent check of the upload was needed to achieve safety levels given in European standards and the system designer, Ansaldo STS (now part of Hitachi STS), intended that this would be provided by signallers checking the display. A suitable method of assuring that the correct data was provided to the display had not been clearly defined in the software design documentation prepared by Ansaldo STS and the resulting software product included a single point of failure which affected both the data upload and signallers’ display functions. The system safety justification was presented in a non-standard format based on documentation from another project still in development at the time of the Cambrian ERTMS commissioning and which, before completion, made changes that unintentionally mitigated the single point of failure later exhibited on the Cambrian system. Network Rail and the Independent Safety Assessor (Lloyd’s Register Rail, now Ricardo Rail/Ricardo Certification) were required to review the design documentation but did not identify the lack of clear definition in design documents and were not aware of the changes made during the development of the other project.
Recommendations
The investigation makes five recommendations. Network Rail, aided by the wider rail industry, should improve its safety assurance process for high integrity software-based systems and improve safety learning from failures of such systems, and develop a process to capture the data needed to understand these failures. Hitachi STS (formerly Ansaldo STS) should review its safety assurance processes in the light of the learning from this investigation, and should provide a technical solution for the Cambrian lines that avoids the need for signallers to verify automatically uploaded speed restrictions.
Learning points cover train drivers reporting inconsistencies in information provided to them; the need for Independent Safety Assessors to understand the scope of checks undertaken by other bodies and to apply extra vigilance if documents form part of a non-standard process; the importance of clients undertaking their client role when procuring high integrity software; and achieving the specified level of safety when implementing temporary speed restrictions in ERTMS
Response to recommendations:
- RAIB will periodically update the status of recommendations as reported to us by the relevant safety authority or public body
- RAIB may add comment, particularly if we have concerns regarding these responses.