Cambrian line 20 Oct 2017: loss of ERTMS speed restrictions. RAIB report released

[Chris M]

The RAIB have today (21 Feb 2018) announced they are investigating the loss of temporary speed restriction information on drivers' in-cab displays.

During the morning of Friday 20 October 2017, a train driver travelling on the Cambrian coast line in North Wales reported that long standing temporary speed restrictions were not indicated on their in-cab display. As signalling staff at the control centre in Machynlleth investigated this report, they became aware that this failure applied to several trains under their control. The temporary speed restrictions were required on the approach to level crossings so that people crossing the line had sufficient warning of an approaching train.

The Cambrian lines were equipped in 2011 with a pilot installation of the European Rail Traffic Management System (ERTMS), a form of railway signalling. ERTMS removes the need for signals along the track by transmitting data directly to the train. This data is used to display movement authorities and other information such as temporary and permanent speed restrictions, on a screen in front of the driver.

Subsequent investigation found that the signalling system stopped transmitting temporary speed restriction data after a routine shutdown and restart at around 23:10 hrs the previous evening. The signallers had no indication of an abnormal condition and signalling control centre displays showed these restrictions as being applied correctly.

The RAIB has decided to undertake an independent investigation because to date, the signalling system supplier has not identified the cause of the failure. It is possible that finding the cause would have been assisted by downloading of suitable data from the signalling system before it was restarted during correction of the failure.

An additional procedure, since introduced at the control centre, is intended to identify and avoid any recurrence of the failure.

The RAIB investigation will consider:

• the geographic extent of the failure and the effect it had on the safety of railway operations
• why trains were permitted to operate without information about temporary speed restrictions
• practices for the gathering of data needed for investigation before restarting computer based signalling systems after a potentially unsafe failure

 

[Bletchleyite]

Oooh, that's nasty.

 

[Gareth Marston]

The joys of the digital railway.......

 

[daikilo]

Oooh, that's nasty.

Maybe not as, as happened in this case, drivers will simply not get the warning they were expecting but will anyway be cautious. However, finding a bug after several years of operation is not clever, and suggests something else happened in between which was not adequately tested.

 

[Bletchleyite]

Maybe not as, as happened in this case, drivers will simply not get the warning they were expecting but will anyway be cautious. However, finding a bug after several years of operation is not clever, and suggests something else happened in between which was not adequately tested.

FWIW, this does highlight a possible issue with full automation - this kind of issue in an automated system not able to "sanity check" the instructions being given could kill someone.

 

[Muzer]

Rather concerning incident. Makes me quite suspicious of the quality of their software that this could have happened presumably without any logging that might help determine what went wrong (since the supplier hasn't been able to find the bug).

 

[dgl]

Wasn't the kit supplied by Ansaldo STS (now part of Hitachi) and didn't they have problems with the kit from the start.
The train side of the business was certainly not known for quality.

 

[Bletchleyite]

Wasn't the kit supplied by Ansaldo STS (now part of Hitachi) and didn't they have problems with the kit from the start.
The train side of the business was certainly not known for quality.

Hitachi may sort things out, but prior to their takeover if I was running any tender for anything I would look to find a way to exclude them, so poor a reputation they have.

 

[meolebrace]

Approaching level crossings is worrying but temp restrictions even more so. If 70mph temp reduced to 25mph round a bend could end in catastrophe.

Hitachi have got to fix it.

 

[theironroad]

I did take a few gulps when I read this email this morning.

Luckily no one was injured at any of the crossings.

Also, it was also fortunate that the driver noticed the discrepancy, (the tsrs were long standing), something which wouldn't have been possible if the speed restriction had been put in overnight.

So all in all, good it's happening now at the early stages of ertms so that it can be sorted now before it's rolled out on a wider scale, otherwise in certain scenarios I wouldn't like to guess the consequences.

 

[moggie]

Wrong side system failure unprotected is what this constitutes. In conventional signalling that's about as bad as it gets short of collision.
That's why driver route knowledge is vital no matter how they dumb the cab information down.

 

[Mathew S]

Wrong side system failure unprotected is what this constitutes. In conventional signalling that's about as bad as it gets short of collision.
That's why driver route knowledge is vital no matter how they dumb the cab information down.

Can I ask (as someone with limited knowledge of signalling in general and ERTMS in particular)...
1. What is 'wrong side system failure'?
2. What you mean by dumbing down cab information?

I can see - of course - why route knowledge is so important, just trying to get my head around how this works.

Thanks in advance

 

[Bletchleyite]

Can I ask (as someone with limited knowledge of signalling in general and ERTMS in particular)...
1. What is 'wrong side system failure'?

In a more generalised sense, this is where a system failure has occurred, is not readily apparent that it has occurred, and has failed in such a way that the failure is dangerous. It's the opposite of "failing safe".

An example might be a road junction with traffic lights where a fault caused all of the sets of lights to show green at the same time, thereby causing all the traffic to believe it has right of way, and thereby, in short order, almost certainly causing a serious collision. The "right side failure" with a set of traffic lights is for them to go dark (or all red, for that matter), which means nobody has the right of way, and drivers proceed with caution aware of this being the case. (All red is irritating because it causes delay while people try to work out if it is actually a failure, but is no less safe than blank).

 

[Alteran Ancient]

2. What you mean by dumbing down cab information?

ERTMS, simply put, is designed to simplify the functionaility of the signalling on the driver's side - instead of actively observing signals and speed signs, ERTMS consolidates all this information as a digital read-out in the cab. This is all very good until there is a failure of some description - in this case, a failure where safety information became unavailable and did not fail in such a way that would be deemed as "safe".

My interpretation is that having these systems in place is valuable, but does not render proper driver training and route knowledge obsolete. Automated systems can help protect against human errors, but aren't infallible - likewise, human ingenuity can also protect against automation failure.

 

[theageofthetra]

Approaching level crossings is worrying but temp restrictions even more so. If 70mph temp reduced to 25mph round a bend could end in catastrophe.

Hitachi have got to fix it.

Who signed it off as being safe to use?

 

[Mathew S]

In a more generalised sense, this is where a system failure has occurred, is not readily apparent that it has occurred, and has failed in such a way that the failure is dangerous. It's the opposite of "failing safe".

An example might be a road junction with traffic lights where a fault caused all of the sets of lights to show green at the same time, thereby causing all the traffic to believe it has right of way, and thereby, in short order, almost certainly causing a serious collision. The "right side failure" with a set of traffic lights is for them to go dark (or all red, for that matter), which means nobody has the right of way, and drivers proceed with caution aware of this being the case. (All red is irritating because it causes delay while people try to work out if it is actually a failure, but is no less safe than blank).

ERTMS, simply put, is designed to simplify the functionaility of the signalling on the driver's side - instead of actively observing signals and speed signs, ERTMS consolidates all this information as a digital read-out in the cab. This is all very good until there is a failure of some description - in this case, a failure where safety information became unavailable and did not fail in such a way that would be deemed as "safe".

My interpretation is that having these systems in place is valuable, but does not render proper driver training and route knowledge obsolete. Automated systems can help protect against human errors, but aren't infallible - likewise, human ingenuity can also protect against automation failure.

Thank you both, that's very useful

 

[greatkingrat]

Is this any different to a normal physical TSR sign, falling over / being stolen / painted over by vandals etc?

 

[theageofthetra]

Wrong side system failure unprotected is what this constitutes. In conventional signalling that's about as bad as it gets short of collision.
That's why driver route knowledge is vital no matter how they dumb the cab information down.

Yes and someone signed this off.

 

[eman_resu]

Is this any different to a normal physical TSR sign, falling over / being stolen / painted over by vandals etc?

Probably not, but I wonder does the ERTMS provide any type of over speed protection, derived from the TSR's inputted into the system?

Simply put, the provision of TSR information is an integral part of the ERTMS system, to lose that visibility, with no alerts to operators (and no defined failure reason or resolution from the manufacturer) would surely warrant an in-depth investigation....

 

[theageofthetra]

Probably not, but I wonder does the ERTMS provide any type of over speed protection, derived from the TSR's inputted into the system?

Simply put, the provision of TSR information is an integral part of the ERTMS system, to lose that visibility, with no alerts to operators (and no defined failure reason or resolution from the manufacturer) would surely warrant an in-depth investigation....

Does it pick up ESR's?

 

[DJames]

Wasn't the kit supplied by Ansaldo STS (now part of Hitachi) and didn't they have problems with the kit from the start.
The train side of the business was certainly not known for quality.

I'm not sure about the train side, but the old T69 trams on the Midland Metro made by AnsaldoBreda weren't the most reliable things ever, and the wiring was apprently quoted as being like spaghetti, if I'm remembering right.

 

[theageofthetra]

I'm not sure about the train side, but the old T69 trams on the Midland Metro made by AnsaldoBreda weren't the most reliable things ever, and the wiring was apprently quoted as being like spaghetti, if I'm remembering right.

Isn't that the same lot who built a set of trains for Denmark(?) That were so bad they never entered squadron service?.

 

[DJames]

Isn't that the same lot who built a set of trains for Denmark(?) That were so bad they never entered squadron service?.

You're thinking of Fyra, which was a high speed line from the Netherlands to Belgium, with the trains built by AnsaldoBreda. They did enter regular service, but got suspended due to technical issues, and then full on cancelled due to reliability and safety concerns.

"Engineers of NS also subjected two partial trains to a standardised test, known as a stofkamanalyse (English: fine-toothed comb test) in which they respectively scored 1157 and 2019 penalty points. The usual limit for approval of a train is 10 points." - That says it all, really.

 

[theageofthetra]

You're thinking of Fyra, which was a high speed line from the Netherlands to Belgium, with the trains built by AnsaldoBreda. They did enter regular service, but got suspended due to technical issues, and then full on cancelled due to reliability and safety concerns.

"Engineers of NS also subjected two partial trains to a standardised test, known as a stofkamanalyse (English: fine-toothed comb test) in which they respectively scored 1157 and 2019 penalty points. The usual limit for approval of a train is 10 points." - That says it all, really.

Who signed this firm off as being suitable or insisted they got the contract over others? Must be something/one very corrupt.

There was definitely a serious issue with some Danish stock they supplied & didn't a set of their trams in Gothenberg get taken out of service due to corrosion. I also believe their CEO was arrested at some point too.

 

[WatcherZero]

Most likely is human error, whoever was performing the routine system restart accidentally wiped the data, as RAIB correctly points out there should have been a process to check after restarts by the operator to see the data was still there and the system was operating normally.

 

[LNW-GW Joint]

Hitachi may sort things out, but prior to their takeover if I was running any tender for anything I would look to find a way to exclude them, so poor a reputation they have.

Who signed it off as being safe to use?

​

The Cambrian system appears to have ex-Ansaldo kit at lineside, and Hitachi kit on board the trains.
Hitachi on-board ETCS has also now been approved by NR on class 800s, after testing on the Hertford North line.
I think the GW lineside stuff is from Alstom, and the Thameslink ATO is from Siemens.
http://www.railwaygazette.com/news/...d_list[]=hitachi&sword_list[]=etcs&no_cache=1

The formal Authorisation to Place in Service was issued following the successful completion of trials on the Cambrian line, which runs from Shrewsbury to Aberystwyth and Pwllheli. Hitachi onboard ETCS equipment had been fitted to a Class 37 diesel locomotive in 2013 for a series of trials which confirmed that it could operate successfully with the lineside ETCS supplied by Ansaldo STS, now also part of Hitachi Rail Europe.

 

[ComUtoR]

Is this any different to a normal physical TSR sign, falling over / being stolen / painted over by vandals etc?

Falling over/Missing in part/Vandalised would all be noticed. There would be physical evidence that a Driver would see. These tend to be reported quite frequently. Completely missing is different as it would appear that the restriction has been lifted (unless SPATEd) However, if just the signage was removed/stolen then there would still be the presence of AWS. I couldn't tell you if ERTMS has an AWS warning for a TSR

 

[axlecounter]

Wouldn’t make much sense having to place AWS in ERTMS territory. And unless the UK has some weird peculiar specification, there surely isn’t no other protection than that offered by ERTMS.

Most likely is human error, whoever was performing the routine system restart accidentally wiped the data, as RAIB correctly points out there should have been a process to check after restarts by the operator to see the data was still there and the system was operating normally.

That’s what I think too.

 

[carriageline]

But the RAIB report says the signallers indications showed the speeds as being correctly applied. So to me that says the RBC (Radio Block Center) was not transmitting the revised/amended speed profiles to the trains. Essentially ignoring there was a slower speed on it

 

[theageofthetra]

Falling over/Missing in part/Vandalised would all be noticed. There would be physical evidence that a Driver would see. These tend to be reported quite frequently. Completely missing is different as it would appear that the restriction has been lifted (unless SPATEd) However, if just the signage was removed/stolen then there would still be the presence of AWS. I couldn't tell you if ERTMS has an AWS warning for a TSR

Don't forget there are areas where you won't get the AWS siren.