NCN5 Issue 86 Addendum to the GSM-R failures risk assessment

Contents
1 Introduction
2 Objectives
3 Scope
4 Approach
  4.1 Type of decision
  4.2 Decision criteria
5 Timing of planned GSM-R network outages
  5.1 Methodology
  5.2 Results
  5.3 Conclusion
6 Use of unregistered GSM-R to pass a signal at danger
  6.1 Methodology
  6.2 Results
  6.3 Conclusion
7 Use of SPT versus unregistered GSM-R radio
  7.1 Methodology
  7.2 Results
  7.3 Conclusion
8 Comparison of track circuits versus axle counters
  8.1 Methodology
  8.2 Results
  8.3 Conclusion
9 Conclusions summary
Appendix A Glossary
Appendix B References
Appendix C Detailed methodology for analysing GSM-R network outages
Appendix D Safety risk comparison of SPT versus unregistered GSM-R
Appendix E Results tables for axle counter analysis
Issue Record

| Issue | Date | Comments |
|---|---|---|
| 1 | 31 May 2013 | Draft for steering group comment |
| 1.1 | 11 July 2013 | Consideration of OG comments |
| 1.2 | 16 July 2013 | Consideration of Paul Ashton comments |
Executive summary
This report is an addendum to the previous risk assessment in response to NCN5 Issue 86,
examining GSM-R failures. During the course of the previous risk assessment the following
questions were raised:
• When should planned outages of the GSM-R network (for maintenance, upgrades etc) take place in order to minimise risk?
• Can the signaller still authorise the driver of a train with an unregistered GSM-R cab radio to pass a signal at danger?
• Is it safer to use a signal post telephone (SPT) or an unregistered GSM-R cab radio for driver-signaller communications for trains detained at signals at danger where cab secure radio (CSR) or registered GSM-R communications are not available?
• Do the conclusions of the GSM-R failure response risk assessment still apply if track circuits were to be replaced with axle counters?
This report aims to answer these questions. The study looked at each of the four questions
separately as a different method was required to answer each. All decisions taken are consistent
with the Taking Safe Decisions process.
When should planned outages take place?
The timings of planned outages that minimise safety losses are:
• For outages expected to take a day or more and not of immediate necessity, the 25/26 December.
• For outages expected to take a day or more, begin on a Sunday.
• For outages expected to take up to 6 hours, begin at midnight.
To determine the optimal time for planned outages the following factors should also be considered:
• The use of GSM-R in ERTMS operations.
• The use of GSM-R in possessions.
• Local variations.
• Cab registration requirements at start of service.
Can the signaller authorise the driver of a train with an unregistered GSM-R cab radio
to pass a signal at danger?
Assuming that there is the same level of communication clarity when using unregistered GSM-R as
when using the National Radio Network (NRN) or the public mobile phone network (GSM), it is
acceptably safe for signallers to give permission to train drivers to pass signals at danger using
unregistered GSM-R communications when CSR/registered GSM-R are unavailable.
Is it safer to use an SPT or an unregistered GSM-R cab radio?
Assuming that there is the same level of communication clarity when using unregistered GSM-R as
when using the National Radio Network (NRN) or the public mobile phone network (GSM), it is
acceptably safe for signallers to give permission to train drivers to pass signals at danger using
unregistered GSM-R communications when CSR/registered GSM-R are unavailable. Comparisons of
both safety and performance risk conclude that it is better for a driver detained at a signal at danger
to contact the signaller using an unregistered GSM-R than to use an SPT. This conclusion is thought
to be robust to changes in the assumed parameter values.
Do the conclusions of the GSM-R failures risk assessment equally apply to axle
counter areas?
Yes. The conclusions still hold true under the assumption that all track circuits are replaced with axle
counters for passenger trains.
1 Introduction
In response to the 5th Network Change Notice (NCN5) Issue 86 on GSM-R issued by Network Rail,
the majority of train operators raised the concern:
There are no national rules that make clear whether a train can go into service if unable to
register (particularly for DOO(P)); this presents a major potential performance impact if not
resolved.
Therefore RSSB undertook a risk assessment study to examine what a failure is with respect to the
GSM-R radio system, with the objective to inform proposals for changes to Railway Group
Standards.
The findings of this risk assessment were issued as a final report on 9 October 2012 entitled NCN5
Issue 86: Risk assessment of GSM-R failures [Ref: 01].
During the course of these initial investigations a number of further questions were raised which were
not answered by the original scope of work. These questions were:
• When should planned outages of the GSM-R network (for maintenance, upgrades etc) take place in order to minimise risk?
• Can the signaller still authorise the driver of a train with an unregistered GSM-R cab radio to pass a signal at danger?
• Is it safer to use a signal post telephone (SPT) or an unregistered GSM-R cab radio for driver-signaller communications for trains detained at signals at danger where cab secure radio (CSR) or registered GSM-R communications are not available?
• Do the conclusions of the GSM-R failure response risk assessment still apply if track circuits were to be replaced with axle counters?
This report was commissioned by the GSM-R Programme to inform potential changes to operating
practices, the Rule Book and other supporting standards.
2 Objectives
The purpose of this study is to answer the questions above and identify where proposals for changes
to the Rule Book and other standards-related materials are needed.
3 Scope
The scope of this study relates to the working of GSM-R voice and messaging capability, separate to
the ERTMS (speed/location) data functionality. It applies to all trains (passenger, empty coaching
stock, freight) on Network Rail managed infrastructure but excludes the use of GSM-R for shunting
purposes. It covers all forms of driver-signaller communications from the train cab and from the
lineside.
The assessments undertaken are with respect to Siemens version 2 of the cab mobile GSM-R
software on the GSM-R network provided by Network Rail. That is, the assessment does not take
into account future potential radio functions or operating scenarios, such as roaming onto the public
mobile network.
The assessments are also undertaken with respect to the current set up, positioning and distribution
of SPTs and do not take into account any potential repositioning which may be being planned.
4 Approach
The approach follows the principles set out in Taking Safe Decisions [Ref: 02]. Decision criteria are
applied based on comparing the safety, performance and other benefits/disbenefits for the options
analysed, aiming to minimise risk levels so far as is reasonably practicable.
4.1 Type of decision
As for the initial project in [Ref: 01] the approach to this study is to consider the safety risks (and,
where applicable, other factors such as performance) in order to inform improvements to the Rule
Book and other supporting standards. The results of the assessment will then be used to inform the
wider GSM-R project stakeholder representatives to gain consensus on the strategic approach and
industry response required.
4.2 Decision criteria
The study looked at each of the four questions separately as a different method was required to
answer each. The criteria used to evaluate the response options for each question are explained in
the methodology for each question. All decisions taken are consistent with the Taking Safe
Decisions process.
Consideration of each question now follows in turn.
5 Timing of planned GSM-R network outages
5.1 Methodology
To calculate the optimal timing for planned outages of the GSM-R network two sets of data were
analysed. The first of these data sets was injury data from the Safety Management Information
System (SMIS) showing the distribution of fatalities and weighted injuries (FWI) by time of day and
day of week. The second data set was derived from timetable data from the Train Service Database
(TSDB) and showed traffic volumes by time of day. This allowed the performance impacts of
network outages to be compared for different times/days.
The optimal times for network outages were identified to be where the safety and performance risk
are minimised.
5.1.1 Limitations
Note that a number of factors which may impact the results have not been taken into account in this analysis:
• Demands on the GSM-R system from the initial registration of cab radios at the beginning of daily operations.
• The use of radio in possessions.
• The dependency of ERTMS systems on the GSM-R network.
• Variations between different routes – the analysis represents the results from the national perspective.
5.1.2 SMIS data analysis
Event data (including injury severity, time of occurrence and event type) for the period 1 July 2002 to
30 June 2012 was extracted from SMIS. From this data the average risk that could be mitigated by
GSM-R was calculated (see Appendix C for details).
The mitigatable risk was then analysed to understand how it varies by:
• Hour of day
• Day of week
• Key days of the year (such as Christmas Day, Boxing Day and New Year’s Day) compared to the rest of the year.
Options for minimising safety risk from radio network outages were identified from the risk
distributions.
5.1.3 TSDB data analysis
Train timetable information from the TSDB (footnote 1) for the period 17 May 2009 to 09 December 2009 was
analysed to derive the distribution of train distances travelled by hour of day, as shown in Figure 1.
It has not been possible to undertake timetable analysis by day of week from the available
information. It is well understood that Sunday has the least train km of the seven days of the week.
5.2 Results
The results are presented by time of day, by day of week and key days in the year.
5.2.1 Distribution of risk across a typical day
Figure 1 and Figure 2 show the distributions of train km travelled and radio mitigatable risk over time
respectively for the average day.
Footnote 1: This was the only timetable data available in a readily usable form at the time of the study.
Figure 1: Average train km by loading, type and time of day
[Chart not reproduced. Series: Passenger (crush loaded), Passenger (peak loaded), Passenger (off-peak loaded), Passenger (low loaded), ECS train km, Freight train km. Vertical axis: train km per hour (0 to 100000). Horizontal axis: hour of day.]
Figure 1 shows that:
• There are significantly fewer train km travelled between midnight and 0600 than at any other time of the day.
• The busiest hours of the day in terms of train km travelled are between 0700 and 1900. Train loading is heaviest around the morning and evening peaks (0700-1000 and 1600-1900): this is when most passengers are travelling.
Figure 2: The distribution of risk by hour of day
[Chart not reproduced. Series: All Events, Radio Mitigable Events, Average. Vertical axis: proportion of average hourly safety risk (0% to 10%). Horizontal axis: hour of day (00 to 23).]
Figure 2 shows:
• The smoother blue line shows the distribution of whole rail network risk with time. The red line shows the distribution over time of risk mitigatable by radio. The higher the value of the red line, the more important radio availability is at that time as there is more potential for risk avoidance.
• Overall the distribution of radio mitigatable risk by time of day roughly correlates with the number of passengers on the network at any one time. It is intuitive that many elements of train accident risk are correlated with traffic volume and train loading.
• There are low levels of risk from 0100 to 0700. This is likely to be due to the reduction in services (and the fact that few people are travelling) on the rail network at this time.
• However, there are higher levels of radio mitigatable risk from 1800 to 0100 despite a reduction in traffic volume into the late evening. This is due in part to an increase in trespass and vandalism events at these times which are understood to be partially mitigatable through radio use (footnote 2).
5.2.2 Distribution of risk across a typical week
Figure 3 shows the distribution of radio mitigatable risk over time for the average week. Again:
• The smoother blue line shows the distribution of whole rail network risk with time.
• The red line shows the distribution over time of risk mitigatable by radio. The higher the value of the red line, the more important radio availability is at that time as there is more potential for risk avoidance.
Figure 3: The distribution of risk by day of week
[Chart not reproduced. Series: All Events, Radio Mitigable Events, Average. Vertical axis: proportion of average weekly safety risk (5% to 23%). Horizontal axis: day of week (Monday to Sunday).]
Footnote 2: This assumes that the proportion of risk mitigatable by radio is independent of time of day. There is a
possibility that this is not the case as, for example, trespassers will be more difficult to see when it is dark and
therefore it will be less likely that they will be seen and a warning will be transmitted to train drivers. There
is insufficient information available to be able to remove this assumption.
Figure 3 shows that:
• There is a noticeable peak in radio mitigatable risk on Saturdays. Further investigation showed that this is caused by a higher occurrence of trespass and vandalism type events on Saturdays compared to other days of the week.
• There is a reduction in risk on Sundays. This is likely due to the reduction in services on the rail network on Sundays.
5.2.3 Risk on key days of year
The full ten year data set of recorded safety incidents was used to undertake analysis of safety risk
by days of the year.
For radio mitigatable risk there is an average daily FWI of 0.003 (footnote 3) and an extremely large amount of
day to day variation. However, there are insufficient data points to highlight any meaningful days for
proposed network outages. Therefore the assumption has been made that radio mitigatable risk is
proportional to overall risk.
For all network risk over ten years there is an average of 0.95 FWI per day with a large amount of
day to day variation. Due to this variation it is not possible to give reasons for the majority of the
extreme values, with the only explicable deviations from the mean being Christmas Day and Boxing
Day. Therefore it is concluded that:
• There are no days of the year where safety risk can be expected to be consistently higher than average.
• Christmas Day and Boxing Day are the only days of the year where the network safety risk can be expected to be consistently lower than average.
5.3 Conclusion
The timings of planned outages that minimise safety losses are:
• For outages expected to take a day or more and not of immediate necessity, the 25/26 December.
• For urgent outages expected to take a day or more, begin on a Sunday.
• For urgent outages expected to take up to 6 hours, begin at midnight.
It is worth noting that there appears to be an increase in trespass events during the evening and at
weekends.
To determine the optimal time for planned outages the factors discussed in section 5.1.1 should also
be considered.
6 Use of unregistered GSM-R to pass a signal at danger
6.1 Methodology
To assess whether signallers can give permission to drivers to pass a signal at danger where they
are communicating via an unregistered GSM-R cab radio, this study has undertaken a review of the
Rule Book module S4 [Ref 3]. This review has looked at what the current rules are in comparative
situations and whether the use of unregistered GSM-R radio would also apply.
Footnote 3: Equivalent to just over 1 fatality or 10 major injuries or 200 minor RIDDOR reportable injuries or 1000 minor
non-RIDDOR reportable injuries per year.
The decision criterion applied is that unregistered GSM-R radio would be considered acceptable for
use in these situations if it does not present an increase in safety or performance risk.
6.2 Results
The Rule Book module S4 already permits communications to take place using NRN and GSM
communications, stating:
“If you do not have GSM-R or CSR, or if it cannot be used, you must contact the signaller by mobile
phone or NRN radio, if available using the telephone number shown on the plate.”
Currently in module S4 it is not stated anywhere that it is not acceptable for permission for moving a
train to be granted using NRN radio or mobile phone.
No reasons have been identified to expect lower levels of service from an unregistered GSM-R than
from either NRN or mobile phone provided the same communication protocol is followed (to ensure
that a clear understanding is reached). Therefore it can be considered acceptably safe to use an
unregistered GSM-R for the same communication purposes as NRN radio or mobile phones.
6.3 Conclusion
Assuming that there is the same level of communication clarity when using unregistered GSM-R as
when using the National Radio Network (NRN) or the public mobile phone network (GSM), it is
acceptably safe for signallers to give permission to train drivers to pass signals at danger using
unregistered GSM-R communications when CSR/registered GSM-R are unavailable.
7 Use of SPT versus unregistered GSM-R radio
7.1 Methodology
To answer whether it is safer to use an SPT or an unregistered GSM-R cab radio for driver-signaller
communications (for example when a train is detained at a red signal) where CSR or registered GSM-R
communications are not available, the risks from using an SPT and an unregistered GSM-R radio
have been compared.
To estimate the risk, the hazards associated with each communication method were identified and
quantified (in terms of frequency and severity) using data from SMIS (January 2001-December 2011)
and the Safety Risk Model [Ref 5]. The SMIS data were filtered to capture only events that referred
to the use of SPTs.
The question refers to the ‘safer option’ and so the analysis for this question initially looked at the
safety risk comparison between the two options.
Secondly, to satisfy the requirements of Taking Safe Decisions (TSD), qualitative assessment of the
performance risk has also been undertaken using a set of simple assumptions. There has been no
calculation of benefit cost ratios (BCRs) as the safety and performance comparisons both came to
the same conclusions.
7.2 Results
7.2.1 Hazard identification
The hazards identified fall into two categories: those associated with accessing an SPT, and those
associated with miscommunication between signaller and driver.
The potential hazards are summarised in Table 1.
Other factors which are not considered for this study include the costs of accident clean-up, SPT
maintenance and driver rehabilitation following incidents.
The answer to the question of which method of communication is to be preferred therefore lies in the
balance between the safety and performance costs from accessing the SPTs and the change in the
same from train accidents due to miscommunication when using an unregistered GSM-R cab radio
or SPT.
Table 1: Benefits and costs comparison for communication options

Safety, SPT use:
• Base case train accident (collision/derailment) risk due to miscommunication.
• Risk to drivers whilst accessing SPTs:
  - Train driver slips, trips and falls.
  - Train driver struck by another train.
  - Train driver injured when boarding/alighting train.
  - Train driver electric shock.
  - Train driver affected by fumes/smoke/asphyxiation/drowning.

Safety, unregistered GSM-R use:
• Base case train accident risk due to miscommunication.
• Additional train accident risk due to increased chance of miscommunication eg from misrouting of call and signaller being unclear of where train driver is calling from.

Performance, SPT use:
• Delay time from drivers accessing SPTs.

Performance, unregistered GSM-R use:
• (none listed)
7.2.2 Safety risk from SPT access
The risk to drivers (and other train crew) resulting from leaving the train cab to access the SPT has
been calculated from 11 years of SMIS data records (Table 2). In these 11 years there have been
171 injuries. None of these injuries were fatalities; the last driver fatality associated with accessing an
SPT occurred in 1995. Work has been undertaken to remove or protect the highest risk SPTs.
Table 2: Train driver injuries from accessing SPTs

| Year | Injuries/year | FWI/year | FWI/event |
|---|---|---|---|
| 2001 | 26 | 0.03 | 0.001 |
| 2002 | 10 | 0.02 | 0.002 |
| 2003 | 21 | 0.22 | 0.011 |
| 2004 | 16 | 0.13 | 0.008 |
| 2005 | 13 | 0.03 | 0.001 |
| 2006 | 17 | 0.02 | 0.001 |
| 2007 | 9 | 0.02 | 0.002 |
| 2008 | 17 | 0.03 | 0.002 |
| 2009 | 16 | 0.03 | 0.002 |
| 2010 | 13 | 0.03 | 0.002 |
| 2011 | 13 | 0.24 | 0.02 |
| Average | 16 | 0.07 | 0.005 |
There are no discernible trends in this data and some variation. The 11 year average values of 16
events per year and 0.07 FWI per year are taken as representative of the annual event frequency
and annual risk to train drivers from having to access SPTs.
7.2.3 Safety risk from miscommunication
The SRM (v7) estimates a total of 358 FWI per year (including suicides) on the mainline network, of
which around 0.098 FWI per year are a result of miscommunications leading to train accidents.
Under SPT communications the signaller knows which SPT the driver is calling from and hence what
signal the train is at. When using a registered GSM-R cab mobile, the signaller knows which train is
calling and therefore can see the location of the train on the signalling panel. However, this is not
true when the train is unregistered. Therefore there is greater reliance on communicating this
information clearly when using an unregistered GSM-R cab radio (and hence, a possibility for
miscommunication).
Assuming that the likelihood of miscommunication via SPT and a registered GSM-R cab radio are
the same, based on the results of the previous study [Ref: 01] there is around 23% increase in
likelihood of a miscommunication from an unregistered GSM-R cab radio.
7.2.4 Comparison of safety risk
The above parameters and others required for the safety risk assessment are summarised in Table 3.
Table 3: Parameters used for safety risk assessment

Parameter: Annual risk from train accidents due to miscommunication between driver and signaller when train is authorised to pass a signal at danger
Value: 0.098 FWI
Derivation / Assumptions: SRMv7. It is assumed this figure relates to communication by CSR and SPT. It may overestimate the risk somewhat as it contains an element of risk due to other types of miscommunication (e.g. relating to TSRs, location of track problems etc.)
Robustness / Sensitivity: The SRM is a mature model and its outputs are widely used in risk assessment work. The conclusions are reasonably robust: it would have to underestimate the true risk by an order of magnitude to materially affect the conclusions.

Parameter: Annual frequency of train accidents due to miscommunication between driver and signaller when train is authorised to pass a signal at danger
Value: 0.047
Derivation / Assumptions: As above.
Robustness / Sensitivity: As above.

Parameter: Annual risk to drivers from using SPTs
Value: 0.07 FWI
Derivation / Assumptions: SMIS injury data 2001-2011. No trend in data so 10-year average considered a reasonable estimate of personal injury risk from using SPTs. No fatality component so may underestimate the true level of risk somewhat.
Robustness / Sensitivity: Similar to above, SMIS is a mature system and widely used in risk assessment work. Conclusions are robust to this value as:
• it would have to be overestimating the risk for conclusions to change
• it is expected to be an underestimation due to no fatality component.

Parameter: Annual number of times drivers communicate with signallers when detained at a signal at danger
Value: 340,000
Derivation / Assumptions: Expert judgement (ref. email from Roger Badger) [2% of seventeen million red signal encounters per year]
Robustness / Sensitivity: This value may not be correct but the conclusions are not sensitive to this value; it cancels out from both the SPT and the unregistered GSM-R safety estimations.

Parameter: Annual number of times drivers use SPTs
Value: 100,000
Derivation / Assumptions: Derived from the figure above and the estimate that 30% of the network over the period 2001-2011 was not equipped with CSR (so driver needed to use SPT). Drivers will sometimes use SPTs in other situations, but the primary use is when detained at a signal at danger.
Robustness / Sensitivity: This is thought to be a large overestimation as it makes the assumption that all signals have an SPT available for use. Conclusions are robust to this value:
• it would have to be larger for the result to be changed
• it is already thought to be bigger than the true value.

Parameter: Increase in miscommunication risk when using unregistered GSM-R radio compared with registered GSM-R or SPT
Value: 23%
Derivation / Assumptions: Estimated in previous phase of work.
Robustness / Sensitivity: Conclusions are thought to be robust to this value as it would have to increase by an order of magnitude before bringing the results into question.
7.2.5 Safety risk per driver-signaller communication
7.2.5.1 SPT case
Train driver uses SPT to contact signaller when detained at a signal at danger:
• Safety risk from train accident due to miscommunication = 0.098 FWI / 340 000 = 2.9 x 10^-7 FWI per communication
• Safety risk to driver from accidents while accessing the SPT = 0.07 FWI / 100 000 = 7.0 x 10^-7 FWI per communication
• Total safety risk for SPT case = 2.9 x 10^-7 + 7.0 x 10^-7 = 9.9 x 10^-7 FWI per communication
7.2.5.2 Unregistered GSM-R case
Train driver uses unregistered GSM-R to contact signaller when detained at a signal at danger:
• Safety risk from train accident due to miscommunication = 1.23 x 0.098 FWI / 340,000 = 3.5 x 10^-7 FWI per communication
7.2.5.3 Net difference in risk
This is the difference between the SPT case and the unregistered GSM-R case:
• Net difference in risk = 9.9 x 10^-7 - 3.5 x 10^-7 = 6.3 x 10^-7 FWI per communication
Therefore the analysis estimates that the reduction in risk from a driver remaining in his cab (and not
being exposed to hazards associated with boarding/alighting to the track and moving around the
trackside environment to access an SPT) exceeds the increase in train accident risk that results from
a greater likelihood of communication error between driver and signaller when using an unregistered
cab radio. The conclusion is fairly robust to changes in the assumed parameter values.
Therefore, if a driver is detained at a signal at danger, it is better in terms of overall safety risk for
them to contact the signaller using an unregistered GSM-R than to use an SPT.
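The per-communication comparison of section 7.2.5, carried through in code together with the break-even value of each Table 3 parameter, as an added example that is not part of the original report. The class and function names are illustrative assumptions; the inputs are the Table 3 values, and the break-even calculation goes beyond what the report tabulates.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    """Table 3 inputs (FWI = fatalities and weighted injuries)."""
    miscomm_fwi: float = 0.098          # annual train-accident risk from miscommunication
    spt_access_fwi: float = 0.07        # annual risk to drivers from accessing SPTs
    comms_per_year: float = 340_000     # driver-signaller calls when detained at a red signal
    spt_uses_per_year: float = 100_000  # annual number of SPT uses
    uplift: float = 0.23                # added miscommunication risk, unregistered GSM-R


def spt_risk(p: Params) -> float:
    """FWI per communication when the driver leaves the cab to use an SPT."""
    return p.miscomm_fwi / p.comms_per_year + p.spt_access_fwi / p.spt_uses_per_year


def gsmr_risk(p: Params) -> float:
    """FWI per communication when the driver stays in the cab on unregistered GSM-R."""
    return (1 + p.uplift) * p.miscomm_fwi / p.comms_per_year


def net_difference(p: Params) -> float:
    """Positive result: unregistered GSM-R carries less risk than the SPT."""
    return spt_risk(p) - gsmr_risk(p)


def break_even(p: Params) -> dict:
    """Value each parameter must take, others fixed, for the two options to tie.

    Tie condition: uplift * miscomm_fwi / comms == spt_access_fwi / spt_uses
    """
    base = p.miscomm_fwi / p.comms_per_year
    access = p.spt_access_fwi / p.spt_uses_per_year
    return {
        "uplift": access / base,
        "miscomm_fwi": access * p.comms_per_year / p.uplift,
        "spt_access_fwi": p.uplift * base * p.spt_uses_per_year,
        "spt_uses_per_year": p.spt_access_fwi / (p.uplift * base),
    }


def margins(p: Params) -> dict:
    """Factor by which each parameter must change before the conclusion reverses."""
    out = {}
    for name, tie_value in break_even(p).items():
        current = getattr(p, name)
        out[name] = max(tie_value / current, current / tie_value)
    return out


def max_residual_at_tie(p: Params) -> float:
    """Sanity check: net difference should vanish at every break-even value."""
    return max(abs(net_difference(replace(p, **{name: value})))
               for name, value in break_even(p).items())


if __name__ == "__main__":
    p = Params()
    print(f"SPT case:        {spt_risk(p):.2e} FWI per communication")
    print(f"Unregistered:    {gsmr_risk(p):.2e} FWI per communication")
    print(f"Net difference:  {net_difference(p):.2e} FWI per communication")
    for name, value in break_even(p).items():
        print(f"break-even {name}: {value:.4g} (factor {margins(p)[name]:.1f})")
```

With the Table 3 values, each parameter has to move by a factor of about 10.6 before the comparison reverses, which is the order-of-magnitude margin the robustness column describes.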
7.2.6 Consideration of performance
This section considers the potential performance risks/costs under the two communication methods.
Assuming that:
• the time required for communication over SPT or unregistered GSM-R is the same on average, and
• the time required to access an SPT is greater than the time required to access unregistered GSM-R,
there is a performance cost associated with drivers accessing an SPT which does not exist for the
unregistered GSM-R case. Therefore, if a driver is detained at a signal at danger, it is better in terms
of overall performance risk for them to contact the signaller using an unregistered GSM-R than to use
an SPT.
7.3 Conclusion
Comparisons of safety risk and performance risk both conclude that it is better for a driver
detained at a signal at danger to contact the signaller using an unregistered GSM-R than to use an
SPT. This conclusion is thought to be robust to changes in the assumed parameter values.
8 Comparison of track circuits versus axle counters
8.1 Methodology
The GSM-R failure response study [Ref: 01] concluded that, given a failure of GSM-R, the most cost
effective operational response was to continue running trains in the normal manner. This is because
the safety disbenefits are heavily outweighed by the operational benefits of continuing services. This
section of the study investigates whether these conclusions remain valid if all track circuits were to be
replaced with axle counters.
The benefit-cost ratios (BCRs) from the previous study were based on the current exposure of trains
to track circuits and axle counters. This revision has updated these BCRs to reflect a situation where
all track circuits have been replaced with axle counters. To do this it was necessary to be able to
quantify the differences in safety and performance resulting from the use of axle counters in place of
track circuits.
The main differences between track circuit areas and axle counter areas in terms of risk are:
• Axle counters are claimed to have greater reliability than track circuits [Ref: 07]. Therefore axle counter areas should have fewer delay minutes and less safety risk resulting from the failure of train detection than track circuit areas.
• Track circuits detect some broken rails, thereby potentially reducing derailment risk.
• Areas using track circuits for train detection allow the use of track circuit operating clips (TCOCs). TCOCs are used to protect trains which have had an accident (that is a primary collision/derailment) from potential oncoming trains (leading to a secondary collision). In axle counter areas TCOCs have no benefit. Therefore axle counter areas are expected to have a higher probability of secondary collisions occurring, given a primary event, than track circuited areas.
These differences are addressed as follows:
• The effect described in the first two bullets is likely to reduce the frequency of certain types of train accidents, and increase the frequency of others, in areas with axle counters. With a slightly different baseline risk to the track circuit case, the risk reduction achieved by GSM-R is likely to be proportionately slightly different. However, this effect is likely to be very small and has not been taken into account in the analysis.
• The larger change – which potentially increases the benefits of GSM-R – is the increased risk from secondary collisions in the absence of track circuits. The impact of axle counters on the BCR is therefore modelled by the change in safety benefit associated with the increased frequency of secondary collisions. The expected increase in secondary collision frequency is assumed to have no impact upon operational delay minutes.
The current exposure of trains to each train detection method is unknown, nor has the effectiveness
of TCOCs in preventing secondary collisions previously been quantified. Therefore, the approach taken
to evaluate the impact of replacing track circuits with axle counters has been to consider a heavily
exaggerated worst case scenario. If the conclusions of the previous study hold true for this
worst case scenario, it can be concluded with confidence that they hold for the less severe, actual
situation.
For this study the worst case scenario is one in which GSM-R is the only way for a failed train in an
axle counter area to be protected from other trains. In this instance, if GSM-R fails then the worst
case scenario is that there will be a secondary train collision for every primary collision or derailment
event.
8.1.1 Analysis Steps
The steps followed to evaluate the BCRs for the worst case scenario are:
• Calculate a risk multiplier for each collision/derailment:
• Incorporate the multiplier in the safety risk inputs to the GSM-R failures model [Ref: 01] and consider the results.
8.1.2 Decision Criteria
Decision criteria for this question are the same as those used for the original risk assessment work
on GSM-R [Ref: 01], which stated:
“To assess which mitigation or response option is the most appropriate the following
comparisons have been made:
• The change in safety benefit and operational delay for each response option relative
to continuing operations regardless of the state of the radio. The calculation of
benefit-cost ratios indicates whether the response is appropriate. Positive benefit-cost
ratios support the implementation of a mitigation option. Ideally the proposed
mitigation should produce a ratio of greater than one (taking into consideration of
sensitivities). Where the ratio is significantly less than one, the option is not
considered to be reasonably practicable.
• The change in safety benefit for each response option relative to absolute risk levels,
and overall benefit provided by GSM-R and its predecessors: CSR and NRN. This
provides context in terms of the magnitude of change.”
8.2 Results
8.2.1 Calculation of risk multipliers
The hazardous events with secondary collision components are:
• train-train collisions
• train derailments
• train collision with road vehicle on level crossing
Only a subset of the level crossing types involve road vehicles and only a fraction of collisions on
level crossings result in an adjacent line being blocked. For simplicity, and because it contributes to
the exaggerated nature of the worst case scenario, the level crossing safety risk multiplier is taken as
equal to the train derailment safety risk multiplier (Table 4).
Table 4: Safety risk multipliers

| Train accident type | Safety risk multiplier |
|---|---|
| Collision between two passenger trains | 5.3 |
| Collision between a passenger and non-passenger train | 5.0 |
| Collision between two non-passenger trains | 5.9 |
| Derailment of passenger train | 32 |
| Derailment of non-passenger train | 214 |

Further detail of safety risk multipliers is given in Appendix D.
8.2.2 Benefit-cost ratio results
The application of these multipliers in the GSM-R failure model results in an increase in safety
disbenefit for all failure modes and train types analysed. This increase in safety disbenefit is not
sufficiently large to change the conclusions of the GSM-R failure response study. This is because
the increase in safety risk is not sufficient for it to outweigh the magnitude of the operational
disbenefits previously calculated.
The change in the BCR is no more than a factor of 25 for passenger operations and 70 for freight
operations. Because of the extent to which performance dominated safety in the initial assessment
of BCRs, these factors do not affect the conclusions.
For passenger trains all BCR values remain less than one, meaning that the best response for
passenger trains when GSM-R fails remains to allow trains to continue in service.
For freight trains all BCRs also remain less than one. The initial assessment concluded that in some
circumstances it may be preferable to cancel freight trains rather than allow them to operate without
GSM-R. This assessment therefore has the same finding: it could be acceptable for
freight trains to operate without GSM-R, but there may be circumstances where cancelling services
may be preferred.
Extended results are given in Appendix E.
8.3 Conclusion
This study concludes that the findings of the GSM-R failure response study are still valid if all track
circuits were replaced with axle counters. Specifically, quoting from the original report:
“For all the response options considered, ranging from continuing as normal
regardless of no radio to cancelling trains the operational delays significantly dominate
the safety benefits.
Continuing as normal (the base case) and continuing with the use of
hand/transportables (response 2) minimise the operational delays but accrue a small
amount of safety disbenefit. The other responses analysed are not considered to be
reasonably practicable. The analysis did not consider the costs of providing
hand/transportables.
However, GSM-R provides safety and operational benefits so it is important that
equipment is properly maintained. It seems reasonable therefore to prevent a train
from entering service from a maintenance depot if it has a defective cab radio.
The analysis shows it is reasonable for a train to enter or stay in service even if it is
unable to register (for all train types).
For network failures, the response recommended on the basis of this risk assessment
is also to continue in service (for all train types, including DOO(P)).
Hand/transportables would provide no additional benefit in this situation. However, for
the reasons stated above, the industry therefore needs to decide whether it is
appropriate to impose limits or constraints on the ‘continue in service’ option.
The conclusions are considered robust to changes in the key assumptions.”
As these findings are for the worst case scenario it holds that they are equally valid and likely to be
more strongly justified for the actual case.
This highly exaggerated worst case scenario assumes no benefit from other mitigation measures (eg
SPTs) as an additional method of communication. As the conclusions for the original study hold for
this worst case scenario, the conclusions are not dependent on these mitigations (eg level of SPT
fitment).
9 Conclusions summary
This report concludes that:
• The timings of planned outages that minimise safety losses are:
  • For outages expected to take a day or more and not of immediate necessity, the 25/26 December.
  • For outages expected to take a day or more, begin on a Sunday.
  • For outages expected to take up to 6 hours, begin at midnight.
  To determine the optimal time for planned outages the factors discussed in 5.1.1 should also be considered.
• Assuming that there is the same level of communication clarity when using unregistered GSM-R as when using the National Radio Network (NRN) or the public mobile phone network (GSM), it is acceptably safe for signallers to give permission to train drivers to pass signals at danger using unregistered GSM-R communications when CSR/registered GSM-R are unavailable.
• Comparisons of both safety risk and performance risk/costs conclude that it is better for a driver detained at a signal at danger to contact the signaller using an unregistered GSM-R than to use an SPT. This conclusion is thought to be robust to changes in the assumed parameter values.
• The findings of the GSM-R failure response study are still valid if all track circuits were replaced with axle counters. Specifically, quoting from the original report:
“For all the response options considered, ranging from continuing as normal
regardless of no radio to cancelling trains the operational delays significantly dominate
the safety benefits.
Continuing as normal (the base case) and continuing with the use of
hand/transportables (response 2) minimise the operational delays but accrue a small
amount of safety disbenefit. The other responses analysed are not considered to be
reasonably practicable. The analysis did not consider the costs of providing
hand/transportables.
However, GSM-R provides safety and operational benefits so it is important that
equipment is properly maintained. It seems reasonable therefore to prevent a train
from entering service from a maintenance depot if it has a defective cab radio.
The analysis shows it is reasonable for a train to enter or stay in service even if it is
unable to register (for all train types).
For network failures, the response recommended on the basis of this risk assessment
is also to continue in service (for all train types, including DOO(P)).
Hand/transportables would provide no additional benefit in this situation. However, for
the reasons stated above, the industry therefore needs to decide whether it is
appropriate to impose limits or constraints on the ‘continue in service’ option.
The conclusions are considered robust to changes in the key assumptions.”
Appendix A Glossary
CSR: Cab Secure Radio
ERTMS: European Rail Traffic Management System
FWI: Fatalities and weighted injuries
GSM-R: Global system for mobile communications - Railways
HE: Hazardous event
NCN5: 5th Network change notice
NRN: National Radio Network
RPB: Risk Profile Bulletin
RSSB: Rail Safety & Standards Board
SMIS: Safety Management Information System
SPT: Signal post telephone
SRM: Safety Risk Model
TCOC: Track Circuit Operation Clip
TSDB: Train Service Database
Appendix B References
This appendix contains the references for the documents reviewed as part of task 2 and subsequent
documents received and considered in later tasks.
1. NCN5 Issue 86: Risk Assessment of GSM-R failures, RSSB, 9 October 2012.
2. Taking Safe Decisions - how Britain’s railways take decisions that affect safety, RSSB, 2009.
3. Trains or shunting movements detained, or vehicles left, on running lines, GE/RT8000/S4 Rule Book, Issue 3, October 2008.
4. Injury data from the Safety Management Information System (SMIS), extracted 5 October 2012.
5. Risk Profile Bulletin, Table B1, Version 7, RSSB, August 2010.
6. Email from Roger Badger to Jay Heavisides dated 09-04-13.
7. Axle Counters vs. Track Circuits – Safety in Track Vacancy Detection and Broken Rail Detection, B. Kozol & D. Thurston, http://www.arema.org/files/library/2010_Conference_Proceedings/Axle_Counters_vs_Track_Circuits-Safety_in_Track_Vacancy_Detection_and_Broken_Rail_Detection.pdf
Appendix C Detailed methodology for analysing GSM-R network outages
Data was extracted from SMIS for the period 1 July 2002 to 30 June 2012. This included:
• Hazard event description
• Injury severity
• Time and date of occurrence
In some cases the event data were recorded at a specific date but with no time entered. As such the
timing appeared to occur at midnight. These events were excluded from the data set so that the
distribution of events with time was not skewed.
The previous study [Ref 1] identified hazardous events (HE) that were considered mitigatable by
GSM-R radio. Table 5 lists those HEs from the Safety Risk Model (SRM) [Ref 5] that are in part
considered mitigatable by GSM-R.
Table 5: Hazardous events mitigatable by GSM-R radio

| HE Code | HE Description | Proportion of risk mitigatable by radio |
|---|---|---|
| HET-01 | Collision between two passenger trains resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF | 10 to 20% |
| HET-02 | Collision between a passenger train and non-passenger train resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF | 10 to 20% |
| HET-03 | Collision between two non-passenger trains resulting from a: non-passenger train Cat A SPAD; runaway train; misrouted train; or WSF | 10 to 20% |
| HET-04 | Collision of train with object (not resulting in derailment) | |
| HET-10 | Passenger train collision with road vehicle on level crossing | 5 to 20% |
| HET-11 | Non-passenger train collision with road vehicle on level crossing | 5 to 20% |
| HET-12 | Derailment of passenger train | 4 to 20% |
| HET-13 | Derailment of non-passenger train | 4 to 20% |
| HET-17 | Fire on passenger train | 3% |
| HEM-01 | Passenger injury during evacuation following stopped train (not at a platform) | 40% |
| HEM-12 | MOP (trespasser) struck/crushed by train while on tracks at station | 2% |
| HEM-14 | Workforce (not infrastructure worker) struck/crushed by train | 20% |
| HEM-25 | MOP (trespasser) struck/crushed by train while on railway infrastructure not at station | 2% |
| HEN-13 | Passenger fall from platform onto track (no electric shock nor struck by train) | 2% |
| HEN-67 | MOP (non-trespasser) fall from platform onto track (no electric shock nor struck by train) | 4% |

2%
The consequences per recorded event were multiplied by the proportion of risk considered
mitigatable by radio. This gives a measure of risk profile in fatalities and weighted injuries (FWI) that
could be mitigated by GSM-R being provided.
The distribution of the mitigatable risk profile was then explored by:
• Hour of day
• Day of week
• Day of year
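The weighting and grouping steps described in this appendix, as an added Python example that is not part of the original report. The event records are constructed (not SMIS data), and using the upper bound of each Table 5 range as a single weight is an assumption made for illustration.

```python
from collections import defaultdict
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]

# Proportion of risk mitigatable by radio, per hazardous event code.
# Table 5 gives a range for some codes; taking the upper bound is an
# assumption made here so that each code has a single weight.
MITIGATABLE = {
    "HET-12": 0.20,  # Table 5: 4 to 20%
    "HET-17": 0.03,
    "HEM-01": 0.40,
    "HEM-14": 0.20,
}

# Constructed sample records: (HE code, timestamp, consequence in FWI).
EVENTS = [
    ("HEM-01", "2011-03-06 08:15", 0.100),  # a Sunday
    ("HEM-14", "2011-03-07 08:40", 1.000),  # a Monday
    ("HET-17", "2011-03-07 17:05", 0.005),
    ("HET-12", "2011-03-09 00:00", 0.200),  # date recorded, no time entered
    ("HEM-01", "2011-12-25 13:30", 0.010),
    ("HEN-99", "2011-06-01 10:00", 0.500),  # made-up code, not in Table 5
]


def mitigatable_profile(events, weights=MITIGATABLE):
    """Return the mitigatable FWI grouped by hour, weekday and (month, day).

    Events stamped exactly 00:00 are treated as "no time entered" and left
    out, so that they do not pile up in the midnight bucket. Events that
    really did happen at midnight are lost with them, which is the
    trade-off the appendix accepts. Codes without a weight are ignored.
    """
    by_hour = defaultdict(float)
    by_weekday = defaultdict(float)
    by_day_of_year = defaultdict(float)
    excluded = 0
    for code, stamp, fwi in events:
        if code not in weights:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if (when.hour, when.minute) == (0, 0):
            excluded += 1
            continue
        risk = fwi * weights[code]  # consequence x proportion mitigatable
        by_hour[when.hour] += risk
        by_weekday[WEEKDAYS[when.weekday()]] += risk
        by_day_of_year[(when.month, when.day)] += risk
    return dict(by_hour), dict(by_weekday), dict(by_day_of_year), excluded


if __name__ == "__main__":
    hours, weekdays, days, dropped = mitigatable_profile(EVENTS)
    print("excluded (no time entered):", dropped)
    for hour in sorted(hours):
        print(f"{hour:02d}:00  {hours[hour]:.5f} FWI")
    for name in WEEKDAYS:
        if name in weekdays:
            print(f"{name:<9} {weekdays[name]:.5f} FWI")
```
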
Appendix D Safety risk comparison of SPT versus unregistered GSM-R
These risk multipliers are considered to be for a worst case scenario; all events result in a secondary
collision. That is, the consequences are independent of any additional mitigation measure being
present, such as provision of SPTs.
Table 6: Collision event risk multiplier

| Collision event | Risk increase multiplier if all events have secondary collisions |
|---|---|
| HET-01 | 5.28 |
| HET-02P | 4.02 |
| HET-02NP | 5.27 |
| HET-03 | 5.88 |

Table 7: Derailment event risk multiplier

| Derailment event | Risk increase multiplier if all events have secondary collisions |
|---|---|
| HET-12 | 31.9 |
| HET-13 EP | 324.31 |
| HET-13 FTP | 191.77 |
| HET-13 FTF | 230.34 |
| HET-13 POS | 880.37 |

Appendix E Results tables for axle counter analysis
The five response options are:
1. Continue in service. The train continues in service as normal regardless of the radio fault. If
deemed to be cab mobile related, at the end of the day the train is sent to the maintenance depot
for repair. If deemed to be network-related it is assumed that this is fixed at the end of the day.
This is considered to be the base case for the risk analysis.
2. Cancel trains. Where only one train reports an issue: if at the start of the journey, the train does
not enter service; if part way through the journey, it continues to the next suitable location, where
the passengers are detrained. The train is then sent as empty coaching stock (ECS) to the
maintenance depot for repair. Where multiple trains are reporting issues it is more likely to be a
network related issue, in which case trains are not permitted to pass through the affected area.
The trains terminate at the nearest suitable location before the fault.
3. Hand/transportable. The train enters or continues in service to the next location where a
hand/transportable radio can be picked up. The train then continues until it is scheduled to reach
the maintenance depot, where the fault is repaired. This response only provides benefit where
the fault lies with the cab-mobile; there is no mitigation against network based faults.
4. Reduce speed. This is as per response 2 but trains travel at a reduced speed (taken to be
60mph), reducing the potential consequences for collisions. Where the cause is deemed to be
cab-mobile related the speed is reduced for all journeys where the affected cab is in the lead.
Where the cause is deemed to be network related, the speed is reduced through the affected
section of route. It is assumed that network based faults are fixed at the end of the day.
5. Delayed reduced speed. This is as per response 4, except trains continue at normal speeds for
up to four hours from when the fault was first identified. After which, it is considered that an
emergency timetable is introduced and the speed can be reduced to 60mph with minimal
disruption.
The results are shown below. The tables show benefit-cost ratios for the worst case axle counter
scenario. Larger values are better; values greater than one are better than for the continue in
service option.
Table 8: BCR values for intercity services

BCR compared to leaving trains in service (per year)

| Functional loss | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Single cab radio failure | 6.8 x 10^-4 | -1.3 x 10^-1 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| Small radio network outage | 1.4 x 10^-4 | 0 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| Medium radio network outage | 8.3 x 10^-3 | 0 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| Large radio network outage | 1.5 x 10^-3 | 0 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| Single unregistered cab radio - temporary | 0 | 0 | 3.2 x 10^-3 | 0 |
| Single unregistered cab radio - permanent | -3.0 x 10^-5 | -6.7 x 10^-5 | 3.2 x 10^-3 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 1.4 x 10^-5 | 0 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| Multiple uncorrelated cab radios (TD feed outage) | 2.9 x 10^-5 | 0 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| PA unavailable | -3.5 x 10^-5 | 0 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| Single radio terminal failure | 6.5 x 10^-4 | 0 | 6.7 x 10^-3 | 6.7 x 10^-3 |
| Multiple radio terminal failure | 1.1 x 10^-3 | 0 | 3.3 x 10^-3 | 3.3 x 10^-3 |
| Driver:driver communications only | 5.0 x 10^-4 | 0 | 3.3 x 10^-3 | 3.3 x 10^-3 |

| Observation | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Searching for networks | 2.0 x 10^-4 | -1.3 x 10^-1 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| GSM-R GB | 6.4 x 10^-4 | -1.3 x 10^-1 | 4.1 x 10^-3 | 4.1 x 10^-3 |
| Blank screen | 6.8 x 10^-4 | -1.3 x 10^-1 | 3.5 x 10^-3 | 3.5 x 10^-3 |
| Registration - lead driver | -1.5 x 10^-6 | -6.7 x 10^-5 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| Registration - duplicate | 1.9 x 10^-5 | -6.7 x 10^-5 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| Registration - PA | -3.5 x 10^-5 | 0 | 3.2 x 10^-3 | 3.2 x 10^-3 |
| Failure/fault | 6.8 x 10^-4 | -1.3 x 10^-1 | 3.5 x 10^-3 | 3.5 x 10^-3 |

Table 9: BCR values for Suburban train services

BCR compared to leaving trains in service (per year)

| Functional loss | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Single cab radio failure | 2.9 x 10^-3 | -1.3 x 10^-2 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| Small radio network outage | 3.4 x 10^-4 | 0 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| Medium radio network outage | 1.0 x 10^-2 | 0 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| Large radio network outage | 5.0 x 10^-3 | 0 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| Single unregistered cab radio - temporary | 0 | 0 | 7.1 x 10^-3 | 0 |
| Single unregistered cab radio - permanent | -6.7 x 10^-6 | -6.6 x 10^-5 | 7.1 x 10^-3 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 6.4 x 10^-5 | 0 | 7.1 x 10^-3 | 7.1 x 10^-3 |
| Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-4 | 0 | 7.1 x 10^-3 | 7.1 x 10^-3 |
| PA unavailable | -1.1 x 10^-5 | 0 | 7.1 x 10^-3 | 6.9 x 10^-3 |
| Single radio terminal failure | 1.9 x 10^-3 | 0 | 1.5 x 10^-2 | 1.5 x 10^-2 |
| Multiple radio terminal failure | 5.9 x 10^-3 | 0 | 7.3 x 10^-3 | 7.3 x 10^-3 |
| Driver:driver communications only | 1.6 x 10^-3 | 0 | 7.3 x 10^-3 | 7.3 x 10^-3 |

| Observation | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Searching for networks | 4.2 x 10^-4 | -1.3 x 10^-2 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| GSM-R GB | 2.2 x 10^-3 | -1.3 x 10^-2 | 8.9 x 10^-3 | 8.6 x 10^-3 |
| Blank screen | 2.9 x 10^-3 | -1.3 x 10^-2 | 7.7 x 10^-3 | 7.7 x 10^-3 |
| Registration - lead driver | 7.5 x 10^-8 | -6.6 x 10^-5 | 7.1 x 10^-3 | 7.1 x 10^-3 |
| Registration - duplicate | 8.9 x 10^-5 | -6.6 x 10^-5 | 7.1 x 10^-3 | 7.1 x 10^-3 |
| Registration - PA | -1.1 x 10^-5 | 0 | 7.1 x 10^-3 | 6.9 x 10^-3 |
| Failure/fault | 2.9 x 10^-3 | -1.3 x 10^-2 | 7.7 x 10^-3 | 7.7 x 10^-3 |

Table 10: BCR values for DOO(P) services

BCR compared to leaving trains in service (per year)

| Functional loss | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Single cab radio failure | 3.0 x 10^-3 | -1.3 x 10^-2 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Small radio network outage | 3.4 x 10^-4 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Medium radio network outage | 7.7 x 10^-3 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Large radio network outage | 5.0 x 10^-3 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Single unregistered cab radio - temporary | 0 | 0 | 1.8 x 10^-2 | 0 |
| Single unregistered cab radio - permanent | -6.9 x 10^-6 | -1.0 x 10^-4 | 1.8 x 10^-2 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 6.4 x 10^-5 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-4 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| PA unavailable | -1.6 x 10^-6 | 0 | 1.8 x 10^-2 | 1.7 x 10^-2 |
| Single radio terminal failure | 1.9 x 10^-3 | 0 | 3.6 x 10^-2 | 3.6 x 10^-2 |
| Multiple radio terminal failure | 6.0 x 10^-3 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Driver:driver communications only | 1.6 x 10^-3 | 0 | 1.8 x 10^-2 | 1.8 x 10^-2 |

| Observation | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Searching for networks | 4.2 x 10^-4 | -1.3 x 10^-2 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| GSM-R GB | 2.3 x 10^-3 | -1.3 x 10^-2 | 2.2 x 10^-2 | 2.1 x 10^-2 |
| Blank screen | 3.0 x 10^-3 | -1.3 x 10^-2 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Registration - lead driver | 7.1 x 10^-8 | -1.0 x 10^-4 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Registration - duplicate | 8.8 x 10^-5 | -1.0 x 10^-4 | 1.8 x 10^-2 | 1.8 x 10^-2 |
| Registration - PA | -1.6 x 10^-6 | 0 | 1.8 x 10^-2 | 1.7 x 10^-2 |
| Failure/fault | 3.0 x 10^-3 | -1.3 x 10^-2 | 1.8 x 10^-2 | 1.8 x 10^-2 |

Table 11: BCR values for freight train operations

BCR compared to leaving trains in service (per year)

| Functional loss | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Single cab radio failure | 5.5 x 10^-2 | -3.9 | 0 | 0 |
| Small radio network outage | 3.2 x 10^-3 | 0 | 0 | 0 |
| Medium radio network outage | 1.8 x 10^-1 | 0 | 0 | 0 |
| Large radio network outage | 1.0 x 10^-1 | 0 | 0 | 0 |
| Single unregistered cab radio - temporary | 0 | 0 | 0 | 0 |
| Single unregistered cab radio - permanent | -5.8 x 10^-4 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 2.4 x 10^-3 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD feed outage) | 5.5 x 10^-3 | 0 | 0 | 0 |
| PA unavailable | 0 | 0 | 0 | 0 |
| Single radio terminal failure | 3.1 x 10^-2 | 0 | 0 | 0 |
| Multiple radio terminal failure | 1.0 x 10^-1 | 0 | 0 | 0 |
| Driver:driver communications only | 3.2 x 10^-2 | 0 | 0 | 0 |

| Observation | Response 1 | Response 2 | Response 3 | Response 4 |
|---|---|---|---|---|
| Searching for networks | 2.5 x 10^-2 | -3.9 | 0 | 0 |
| GSM-R GB | 4.8 x 10^-2 | -3.9 | 0 | 0 |
| Blank screen | 5.5 x 10^-2 | -3.9 | 0 | 0 |
| Registration - lead driver | 2.0 x 10^-4 | 0 | 0 | 0 |
| Registration - duplicate | 3.8 x 10^-3 | 0 | 0 | 0 |
| Registration - PA | 0 | 0 | 0 | 0 |
| Failure/fault | 5.5 x 10^-2 | -3.9 | 0 | 0 |