NCN5 Issue 86
Risk assessment of GSM-R failures

Contents
Executive summary ..... 3
1 Introduction ..... 6
2 Objectives ..... 6
3 Scope ..... 6
4 Approach ..... 7
4.1 The nature of the decision ..... 7
4.2 Decision criteria ..... 8
5 Risk assessment methodology ..... 9
5.1 Task 1: kick off meeting ..... 9
5.2 Task 2: review background information ..... 9
5.3 Task 3: investigate non-registered cab-radios ..... 9
5.4 Task 4: determine other functional failures and potential mitigations ..... 10
5.5 Task 5: risk assessment ..... 11
6 Results ..... 15
6.1 Understanding the context of the safety benefits ..... 15
6.2 Understanding the causes and consequences of failures ..... 16
6.3 Understanding the safety benefit for each response option ..... 18
6.4 Understanding the operational delay for each response option ..... 19
6.5 Optimising the response ..... 20
7 Discussion ..... 28
7.1 The definition of a defective GSM-R fixed cab radio ..... 28
7.2 What action should be taken if the fixed cab radio is defective? ..... 28
7.3 Can a train enter service if the registration fails? ..... 29
7.4 What action should be taken if the radio network fails? ..... 29
8 Sensitivity analysis ..... 30
9 Conclusions ..... 31
10 Items for consideration ..... 31
10.1 Review of Railway Group Standards and other supporting documents ..... 31
10.2 Further analysis ..... 31
10.3 Further process mitigations for consideration ..... 32
Appendix A Glossary ..... 33
Appendix B Documents reviewed ..... 35
Appendix C Workshop attendees ..... 38
Appendix D Workshop guidewords ..... 39
Appendix E Workshop outputs ..... 42
Appendix F Call success probabilities ..... 57
Appendix G Functional loss scenarios ..... 61
Appendix H Mapping of operational delay to functional losses ..... 63
Appendix I Modelling assumptions ..... 65
Appendix J Hazardous events mitigated by GSM-R radio ..... 68
Appendix K Safety benefits ..... 69
Appendix L Operational delays ..... 75
Appendix M Functional loss scenario comparisons ..... 81
Appendix N Observation scenario comparisons ..... 85
Appendix O Benefit cost ratios ..... 89
Appendix P Sensitivity analysis ..... 95

Issue record
Issue  Date               Comments
0      6 August 2012      Draft for internal comment
1      10 August 2012     Draft for steering group comment
2      24 September 2012  Incorporating steering group comments
3      9 October 2012     Amendment to tables in Appendix K

Executive summary

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

Therefore RSSB undertook a risk assessment study to examine what a failure is with respect to the GSM-R radio system, with the objective of informing proposals for changes to Railway Group Standards. Specifically the study considers:
• What is the definition of a defective cab radio?
• What actions should be taken if the train’s fixed radio fails?
• Can a train enter service if it is unable to register (a journey)?
• What actions should be taken if the network fails?

This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting Railway Group Standards.

Approach and methodology

The approach follows the principles set out in Taking Safe Decisions [Ref: 29] and applies decision criteria based on benefit-cost ratios (BCRs) and changes in absolute risk levels.
Positive BCRs with a value greater than or equal to one suggest that a measure is reasonably practicable.

The study was completed through document review and a series of workshops to identify the potential failure cases and associated impacts on the GSM-R system. This then fed into a safety and operational delay risk assessment. The safety risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 2012 study [Ref: 2], where the benefits of cab radio were assessed using the latest Safety Risk Model version 7 data [Ref: 20] and Call Success Probability. The risk assessment also considers four different train types: intercity, suburban, suburban driver only operation with passengers (DOO(P)) and freight.

The risk assessment considered five different response options:
0. Continue in service. Trains continue in service regardless of radio problems. This is considered to be the base case.
1. Cancel trains. Taking trains out of service when faced with either a cab radio or network failure.
2. Hand/transportable. As with response 2, but picking up a hand/transportable radio at the next available location.
3. Reduce speed. As with response 2, but trains travel at a reduced speed (taken to be 60mph).
4. Delayed reduced speed. As with response 3, but the speed limit is applied after four hours if the problem still exists.

Typically the different observations seen by the driver on the cab radio do not map directly to distinct failures. That is, it is not always clear whether it is a cab radio or a radio network issue. Therefore the risk assessment considers both the impacts for the functional losses (based on known causes of failure) and potential outcomes based on the driver’s observations (based on unknown causes of failure).
Results

The risk assessment identified the most likely functional loss scenario to be a single unregistered radio (temporary, that is, the cab radio eventually does register and correlate with the GSM-R system). However, the most likely observations (of failures) on the cab radio are Searching for networks or GSM-R GB (which most commonly occur as a result of a small radio network failure and can affect multiple trains), followed by Registration failed – Lead Driver (which most commonly occurs as a result of a single unregistered cab radio).

For all the response options considered, except using hand/transportables (response 2), the operational delays significantly dominate the safety benefits. That is, the positive BCRs calculated were significantly less than one.

What is the definition of a defective cab radio?

The analysis has shown that if a cab radio displays a ‘fatal’ fault code (such as Failure XX, MT fatal, Cab Radio Flt or EPROM/RAM Flt, and not a warning, as defined in Ref 4) or a blank screen, then it should be considered defective. Failing on demand when the display shows GSM-R GB or Searching for networks is most likely to be caused by a network issue. However, if the problem persists for a particular cab radio throughout its journey and no fault can be found with the network, it should be treated as a defective cab radio; for example, the antenna could have detached. Not being able to register a journey is not considered to be a cab radio failure, as the radio still offers call and radio emergency call (REC) functionality.

What actions should be taken if a fixed cab radio fails?

The safety benefit attributed to the GSM-R cab radio, against a base case of no radio being available at all, is about 1.7 FWI/year, or the equivalent of around £0.40 per journey on average (based on the current VPF). Should a cab radio fail (see above), for all the responses except continuing with a hand/transportable (response 2), the BCRs calculated are significantly less than one.
That is, the delay costs associated with the measures are grossly disproportionate to the safety benefits when compared against the base case of continuing in service. It should be noted that this risk assessment has not considered the costs of providing hand/transportables. These conclusions apply to all train types (including DOO(P)), both when the functional loss is known and when it is unknown but assumed on the basis of the driver’s observation.

Although it may be reasonable to continue in service with a defective radio, doing so does impact on both safety and operations. Therefore it is of interest to continue maintaining both radios and DSD/PA links to a working standard, and reasonable to suggest that trains do not leave a maintenance depot with a defective radio.

Can a train enter service with an unregistered cab radio?

The safety disbenefit of all cab radios being unregistered (but with call and REC available) is estimated to be around 0.03 FWI/year, or an average of around £0.01 per journey (based on the current value of preventing a fatality (VPF)). The cost of taking a train out of service (response 1) or reducing its speed (responses 3 and 4) as a response to registration failure is far greater than the safety benefits (that is, the BCRs are significantly less than one), making these options not reasonably practicable.

Network failure

The results from the risk analysis show that, as with the cab radio defects, the operational delays significantly dominate the safety benefits: the BCRs are significantly less than one. Cancelling trains (response 1) and running at reduced speed (responses 3 and 4) are not considered to be reasonably practicable. Provision of a hand/transportable (response 2) in the case of network failure will offer no additional benefit over continuing in service, since the hand/transportable would also not work. The response recommended on the basis of this risk assessment is to continue in service.
However, GSM-R provides safety and operational benefits, so it should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits on the ‘continue in service’ option. The conclusions are in general the same for all train types (including DOO(P)).

Overall conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example persistent failure throughout its journey (with confirmation that the network is working).

For all the response options considered, ranging from continuing as normal regardless of having no radio to cancelling trains, the operational delays significantly dominate the safety benefits. Continuing as normal (the base case) and continuing with the use of hand/transportables (response 2) minimise the operational delays but accrue a small amount of safety disbenefit. The other responses analysed are not considered to be reasonably practicable. The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits, so it is important that equipment is properly maintained. It seems reasonable therefore to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types).

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry needs to decide whether it is appropriate to impose limits or constraints on the ‘continue in service’ option.
The conclusions are considered robust to changes in the key assumptions.

Items for further consideration

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT3437 and Rail Industry Approved Code of Practice GO/RC3537, are reviewed with respect to the findings of this risk assessment, and appropriate proposals for change prepared. The report also lists some areas for further investigation relating to GSM-R failures.

1 Introduction

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

The Rule Book module TW5 [Ref: 33] states that a train should not enter service with a defective radio, or enter service from a depot with a defective public address (PA). GO/RT3437 [Ref: 22] requires each train operator to have in place a defective on-train equipment contingency plan, which describes the action to be taken if on-train equipment becomes defective when:
• Entering service either from a maintenance depot or from elsewhere
• Already in service

A workshop was held on 27 January 2011 to determine a way forward and establish principles for operational rules. Two actions arose from the workshop for RSSB to:
• Consider the degree to which these principles should be captured, possibly in the GSM-R Operational Concept.
• Develop proposals for changes to Railway Group Standards (RGS) to reflect these principles, including in particular an understanding of the risk from running trains without REC functionality and extended running without registration.

Therefore RSSB undertook a study to examine what a failure is with respect to the GSM-R radio system and what action should be taken if it is deemed to have failed.
This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting standards.

2 Objectives

The purpose of the study is, through the assessment of safety and operational risks, to produce proposals for changes to the Rule Book and other standards-related materials so that there are clear national rules on whether and how a train can enter (or continue in) service in the event of failures within the GSM-R system (trackside and on-board). Specifically it aims to answer:
• What is the definition of a defective cab radio?
• Can a train enter service if it is unable to register (a journey)?
• What actions should be taken if the network fails?
• What actions should be taken if the train’s fixed radio fails?

3 Scope

The scope of this study relates to degraded working of GSM-R voice and messaging capability, separate from the ERTMS (speed/location) data functionality. It includes both failures of GSM-R equipment on board trains (as referred to in Rule Book Module TW5 [Ref: 33], GO/RT3437 [Ref: 22] and GO/RC3537 [Ref: 23]) and failures of the GSM-R infrastructure (not included in RGS). It applies to all trains (passenger, empty coaching stock, freight) on Network Rail managed infrastructure but excludes the use of GSM-R for shunting purposes. It considers its use during and on completion of the national migration to GSM-R from other methods of radio communications.

The assessments undertaken are with respect to Siemens version 2 of the cab mobile GSM-R software on the GSM-R network provided by Network Rail. That is, the assessment does not take into account future potential radio functions or operating scenarios, such as roaming onto the public mobile network, but does take into account the potential for public mobile network interference.

4 Approach

4.1 The nature of the decision

To answer the questions on how GSM-R radio failures should be treated, the decision making framework from Taking Safe Decisions [Ref: 29] has been followed.
Firstly, it is important to understand the scope of the decision to be made. The decision can be viewed from three different perspectives.

The first is whether a train should be taken out of service if the GSM-R radio is considered defective. This lies to the left of the decision taking spectrum (Figure 1, purple). Here, rules are significant in guiding the decision as to whether defective on train equipment (DOTE) plans are implemented or not. This decision is made by front line staff, in relatively short timescales, and implemented immediately.

The second is what response is taken. This is decided by senior management within a train operating company through the development of the contents of the DOTE. This decision is made over longer timescales, taking into consideration wider knowledge of the GSM-R radio system, and is ultimately shared with the infrastructure manager. This decision lies towards the middle of the decision taking spectrum (Figure 1, green).

The third perspective is a more strategic one, and lies to the right of the decision taking spectrum (Figure 1, red). This is the decision as to how the industry should manage GSM-R failures, and in particular what the Rules and guidance should contain to support the development of company DOTEs. Here the decision is made by the industry, that is, at a national level, by senior management representatives. Good practice plays a large part in influencing the decision, but there is recognition that the decision is complex and therefore requires analysis (strategic, targeted, qualitative and quantitative) to guide it.

It is this latter perspective that this study aims to support. As such, the approach of this study is to consider the risks (both quantitative and qualitative elements) in order to inform improvements to the Rule Book and other Railway Group Standards.
The results of the assessment will then be used to inform the wider GSM-R project stakeholder representatives to gain consensus on the strategic approach and industry response required.

Figure 1: The nature of the decision (figure: the decision taking spectrum, with rows for where the decision will be taken, who should take it, how many organisations own the risk, the method of implementation, operational experience of the issue/problem, time between scoping and taking the decision, how much consultation is needed, experience of the technology, and whether rules and good practice or qualitative analysis guide it)

4.2 Decision criteria

To assess which mitigation or response option is the most appropriate, the following comparisons have been made:
• The change in safety benefit and operational delay for each response option relative to continuing operations regardless of the state of the radio. The calculation of benefit-cost ratios indicates whether the response is appropriate. Positive benefit-cost ratios support the implementation of a mitigation option. Ideally the proposed mitigation should produce a ratio of greater than one (taking sensitivities into consideration). Where the ratio is significantly less than one, the option is not considered to be reasonably practicable.
• The change in safety benefit for each response option relative to absolute risk levels, and the overall benefit provided by GSM-R and its predecessors, CSR and NRN. This provides context in terms of the magnitude of change.
5 Risk assessment methodology

The risk assessment comprised five tasks:
• Task 1: kick-off meeting
• Task 2: review background information
• Task 3: investigate non-registered cab radios
• Task 4: determine other functional failures and potential mitigations
• Task 5: safety and operational risk assessment

5.1 Task 1: kick off meeting

A kick-off meeting was held on 18 January 2012 to discuss the approach and to come to a clear understanding of the study objectives. The meeting was attended by representatives from RSSB, Network Rail and ATOC. The meeting also provided a chance for the study team to collect and source relevant background information that was to be considered in task 2.

5.2 Task 2: review background information

Documents identified during task 1 were reviewed for their applicability to the study, along with a number of sources of background information that had already been gathered. All document types were considered and the study team obtained and reviewed the following:
• Existing local and national operational rules (eg for Strathclyde)
• Previous risk assessments (eg NXEA risk assessment)
• The GSM-R operational concept (version 1)
• Contingency plans for TOCs
• Requirements specification
• Flow chart processes for signallers

A full list of documents included in the review is given in Appendix B. All documents were reviewed for relevant failure scenarios (both for registration and network failure, from the driver and signaller perspectives), failure rates, and current mitigations or practices implemented on recognition of a failure or fault. This information was used to identify and consolidate factors that would be considered in the later tasks, specifically the scope and layout of the workshops and the risk assessment analysis.
5.3 Task 3: investigate non-registered cab-radios

Since the initial question arising for this study is ‘Can a train enter service if it is unable to register?’, the first part of the investigative workshops focused solely on registration failures. Other failures of the cab radio and the radio network were investigated separately.

A HAZOP style workshop was held on 14 March 2012 to identify aspects of the GSM-R that would lead to a registration failure, along with the current mitigations for each cause and the impact on performance. The workshop was attended by technical experts (Appendix C) representing risk assessment, signalling, train driving and radio network capabilities. The process for each workshop followed the flow chart in Figure 2.

Figure 2: Workshop approach (flow chart)
1. Review factors/guide lists
2. Identify causes of failure
3. Identify functional failures
4. Identify mitigation
5. Consideration of failure rates
Repeat for each cause; repeat for each registration failure view.

The attendees were asked to consider the causes and sub-causes of each failure, listing all the possible impacts on the functionality of the cab radio, and to give their views on potential failure rates. Each failure focussed on what the driver would observe on the GSM-R screen, and the results were recorded in a spreadsheet visible to all attendees (Appendix C) throughout the process. Examples of the screen displays discussed include:
• ‘Registration failed’ – specifically for registration failure causes
• ‘Searching for networks please wait’ – usually for causes due to network failure
• ‘GSM-R GB’ – centred around failures that the driver would not be aware of

For the full set of potential displays see Ref: 6. Guidewords (Appendix D) were provided to help steer the group into discussing the relevant observations and impacts that would help create the risk assessment later on in the study.
During the workshop, additional personnel were identified as sources of information to help with failure rate data and impacts on GSM-R functionality that were uncertain.

5.4 Task 4: determine other functional failures and potential mitigations

In this task, each of the other system components that could affect the GSM-R radio’s performance was discussed and reviewed as a continuation from the registration failures workshop. Three all-day workshops were held, based on the different components of the GSM-R system:
• Workshop 1: Thursday 5 April 2012, base station sub-system
• Workshop 2: Thursday 12 April 2012, national switching sub-system and first pass FTS
• Workshop 3: Wednesday 25 April 2012, on-board train equipment and finalising FTS

The methodology was of a similar vein to the registration failures workshop, namely capturing each possible type of failure in a spreadsheet. The structure of the workshops is illustrated in the diagram in Figure 3, with the numbering describing which workshop each component was discussed in.

Figure 3: Workshop scopes (diagram of the GSM-R system components, each labelled 1, 2, 2/3 or 3 for the workshop in which it was discussed)

As before, the briefing note for each workshop was supplemented with a list of guidewords so that all responses would be consistent and aid the evaluation in task 5, and details of people or documents to consult were recorded where answers could not be found within the workshop. The outputs from the workshops are given in Appendix E.

5.5 Task 5: risk assessment

For the risk assessment, the safety risk and operational delay implications for each failure type were evaluated in terms of FWI per year and delay minutes per year respectively, assuming complete fitment and roll-out of GSM-R radio across GB. The risk assessment also includes the impacts of potential miscommunication from an unregistered phone and the benefits to the driver from the DSD/PA link if the driver became incapacitated. An overview of the methodology is given in Figure 4.
It follows the principle that, by working out the least safety or operational risk for a given known failure (or functionality loss), a response can be chosen based on the weighted likely outcomes when the source of the failure is potentially unknown (that is, based on observation of the cab-mobile). So, if the driver observes Searching for networks but has no other information, the responses considered are evaluated by assessing their impact on each functionality loss scenario and weighting them by the relative likelihood of each scenario given the message observed.

The risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 2012 study [Ref: 2], where the benefits of cab radio were assessed using the Safety Risk Model version 7 data [Ref: 20] and Call Success Probability. Call Success Probability is defined as the probability of successfully stopping a train to avoid an accident, by means of alerting the driver. That is:

$$\text{Call Success Probability} = \text{Availability} \times \text{Coverage} \times \text{Effectiveness}$$

where:
• Availability is defined as the system availability, based on the cab radio functioning.
• Coverage is determined for each system as a percentage based on the availability of the network.
• Effectiveness is estimated as a probability of being able to stop other potentially affected trains and is based on the time taken to contact the controlling signaller via the GSM-R radio system.

The values calculated for availability, coverage and effectiveness are given in Appendix F.
Figure 4: Risk assessment overview (flow chart)
• Calculate the safety benefit for each functionality loss and operational response scenario
• Calculate the operational delay for each functionality loss and operational response scenario
• Identify the optimum response for each functionality loss scenario
• Calculate the overall safety benefit and operational delay for each observation
• Identify optimum responses for observations where the cause is unknown

5.5.1 Potential consequences

The failure consequences were taken from the results of the workshops and were summarised and placed into groups of functionality loss scenarios (see Appendix G for definitions):
• Single cab radio failure
• Small radio network failure
• Medium radio network failure
• Large radio network failure
• Single unregistered cab radio - temporary
• Single unregistered cab radio - permanent
• Multiple uncorrelated cab radios (TD.net outage)
• Multiple uncorrelated cab radios (TD feed outage)
• DSD/PA link unavailable
• Single radio terminal failure
• Multiple radio terminal failure
• Driver:driver radio communication only

For example, a single cab radio failure would only affect the cab radio itself, but could result in no calls being received or made throughout its planned journey, whereas a single radio terminal failure would affect all trains in the area it was servicing.

To calculate the frequency of each functionality loss scenario, data was taken from the outputs of the workshops and expert judgement was applied where necessary. The registration failure rates were taken from weekly reports of attempts made by drivers to register the radio where the outcomes were recorded. The most recent data (February-April 2012) was preferred for applicability and was scaled up to calculate functionality loss estimates per year when GSM-R is fully rolled out. Other failure rates were also gathered from previous documents that evaluated the GSM-R testing phase from the trials on the Strathclyde network.
The full calculations for the failure rates are contained within the risk model developed for the study (safety disbenefit model v4.15.xls).

5.5.2 Potential mitigations

To work out what the optimum response should be for a particular observation/functionality loss, five different potential responses were identified:

1. Continue in service. The train continues in service as normal regardless of the radio fault. If deemed to be cab-mobile related, at the end of the day the train is sent to the maintenance depot for repair. If deemed to be network related, it is assumed that this is fixed at the end of the day. This is considered to be the base case for the risk analysis.
2. Cancel trains. Where only one train reports an issue, if at the start of the journey the train does not enter service. If part way through the journey, it continues to the next suitable location, where the passengers are detrained. The train is then sent as empty coaching stock (ECS) to the maintenance depot for repair. Where multiple trains are reporting issues it is more likely to be a network related issue, in which case trains are not permitted to pass through the affected area. The trains terminate at the nearest suitable location before the fault.
3. Hand/transportable. The train enters or continues in service to the next location where a hand/transportable radio can be picked up. The train then continues until it is scheduled to reach the maintenance depot, where the fault is repaired. This response only provides benefit where the fault lies with the cab-mobile; there is no mitigation against network based faults.
4. Reduce speed [1]. This is as per response 2 but trains travel at a reduced speed (taken to be 60mph [2]), reducing the potential consequences for collisions. Where the cause is deemed to be cab-mobile related, the speed is reduced for all journeys where the affected cab is in the lead. Where the cause is deemed to be network related, the speed is reduced through the affected section of route. It is assumed that network based faults are fixed at the end of the day.
5. Delayed reduced speed. This is as per response 4, except trains continue at normal speeds for up to four hours [3] from when the fault was first identified. After this, it is considered that an emergency timetable is introduced and the speed can be reduced to 60mph with minimal disruption.

The safety benefit is calculated from the risk per kilometre where there would be no radio available or reduced radio capability. For example, a single cab failure could be removed from service and taken to the nearest suitable location or maintenance depot for repair. The total risk is then calculated by scaling it over the distance the train would have to travel without a functional radio. The change in risk for each response is calculated relative to the base case: continuing in service. The change in risk, or safety benefit, is converted from fatalities and weighted injuries to a monetary value using the value of preventing a fatality (VPF) – see Appendix I for the value used.

[1] The idea of running at reduced speed stems from the review of good practice completed in the Risk assessment of the Interim Voice Radio System (IVRS) [Ref: 38].
[2] TPWS overspeed sensors are typically set between 40mph and 60mph; a lower speed limit will therefore lower the effectiveness of TPWS. Results from Ref 38 show that reducing the speed to below 60mph was not justified because the disruption to service was excessive compared to the additional safety benefits.
[3] A four hour planning period is considered [Ref 38] to give the infrastructure controller an opportunity to assess and repair the fault, whilst trains run at linespeed.
The results are calculated for four characteristic types of train journey: intercity, suburban, suburban DOO(P) and freight, as the circumstances surrounding the train's location, journey length and other route characteristics (such as radio use) are different.

5.5.3 Operational delays

Alongside safety impacts, the loss of radio functionality also contributes to operational delays. The types of delay that could be incurred were identified to be:
A. Delays accrued in the event that a radio is required to help ease other operational disruptions (e.g. stop at signal/failed signalling) but no radio is available on board the train.
B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys. Part cancellation is assumed to be 25 equivalent delay minutes; full cancellation is assumed to be 50 equivalent delay minutes.
C. Delays accrued to obtain a hand/transportable.
D. Delays accrued from running at reduced speed.
E. Part cancellation of trains through a particular section.
F. Delays from rerouting a call, where the initial call goes to the nominated rather than the controlling signaller.
G. Delays from the signaller not being able to contact a member of on-board staff.
H. Delays from the driver not being able to contact the controlling signaller at all.

Each functional loss scenario was mapped to the applicable delays to enable the appropriate operational disbenefit to be calculated (Appendix H). Delay minutes are converted to a monetary value by multiplying by a typical cost of delay per minute for each train type (estimated from TRUST data). The list of operational delays above represents current practice. Although not considered in the modelling, it is noted that train radios may be used more in the future to advise passengers of disruption, creating a greater dependence.
Also, with possible reductions in the number of signal post telephones (SPTs), the opportunity for alternative communication may be limited, increasing operational delays. The list of modelling assumptions for this task is provided in Appendix I.

5.5.4 Optimisation of results

The potential mitigation responses were compared against each functional loss scenario to calculate a benefit-cost ratio (BCR). For the purposes of this analysis, and following the principles laid out in Taking Safe Decisions [Ref: 38], the benefits are considered to be the change in safety benefit for the response option relative to the base case – continuing in service – plus the avoided cost of accidents. The avoided cost of accidents is assumed to be of similar magnitude to the monetary value of the safety benefit. The costs are taken to be the cost of operational delays incurred relative to continuing in service. To simplify the analysis, the costs used here do not include the costs of implementation (such as purchasing and maintaining hand/transportables) or operational costs (such as additional staff or overtime). It is recognised therefore that the costs used in the analysis may be an underestimate of actual costs. Annual costs and benefits were used with no discounting applied, since the lifetime of the measure is taken to be the instance when the response would be applied. The benefits and costs for each functional loss scenario were used to compile likely results for each observation state of the cab radio. Where assumptions were made or uncertainty exists in the key data used to calculate the safety benefit or operational delay, sensitivity analysis was carried out to determine the robustness of the results. The BCRs calculated were then considered with respect to the criteria outlined in section 4.2, that is, to make a qualitative and quantitative comparison of changes in safety benefit against the cost of mitigation to determine whether the responses are reasonably practicable.
6 Results

The results of the analysis are split into five themes:
• Understanding the context of the safety benefits
• Understanding the causes and consequences of failures
• Understanding the safety benefit for each response option
• Understanding the operational delay for each response option
• Optimising the response
Each of these is presented in turn.

6.1 Understanding the context of the safety benefits

The total risk from the railway in Great Britain is estimated to be 140.9 FWI/year [Ref: 20]. The total safety benefit that GSM-R radio is considered to provide is around 1.7 FWI/year for passenger and freight trains (Table 1) – that is, the anticipated increase in risk across the network if all cab radios were taken away. This is through GSM-R radio facilitating REC, urgent (yellow button) calls to/from the signaller, and the DSD/PA link. A list of key hazardous events where GSM-R radio is considered to provide some benefit is included in Appendix J. This benefit is reduced by some 0.03 FWI/year (to around 1.68 FWI/year) if all cab radios were unregistered. That is an increase in risk due to potential miscommunications and increased average times to contact the right signaller/driver. The benefit from the DSD/PA link to suburban DOO(P), freight and ECS trains is considered to be around 0.005 FWI/year. This is the benefit associated with providing an incapacitated driver with assistance more quickly than if no DSD/PA link were provided.
Table 1: The safety benefit from GSM-R radio (against a base case of no radio)
Case | Passenger trains (incl ECS) FWI/year | Freight trains FWI/year | Total safety benefit FWI/year
GSM-R fully working | 1.49 | 0.22 | 1.71
GSM-R unregistered | 1.47 | 0.21 | 1.68
DSD/PA link only | 0.004 | 0.001 | 0.005

6.2 Understanding the causes and consequences of failures

Frequencies were estimated for the different likely functional loss scenarios based on data from the reports reviewed, expert judgement and calculations (full calculations can be found in the risk model developed for this study – safety disbenefit model v4.15.xls). These were mapped to the different observation scenarios identified during the workshops.

Table 2: Functional loss scenario frequencies. Outcomes (events/year) by observation: rows are the observations (Searching for networks, GSM-R GB, Blank screen, Registration - lead driver, Registration - duplicate, Registration - PA, Failure/fault, Total); columns are the functional loss scenarios (Single cab radio failure, Small radio network failure*, Medium radio network failure, Large radio network failure, Single unregistered cab radio - temporary, Single unregistered cab radio - permanent, Multiple uncorrelated cab radios (TD.net outage), Multiple uncorrelated cab radios (TD feed outage), DSD/PA link unavailable, Single radio terminal failure, Multiple radio terminal failure, Driver:driver radio communication only). Individual cell values are not legible in this copy. Total row (events/year), where legible: Single cab radio failure 2181; Small radio network failure 342; Medium radio network failure 0.11; Large radio network failure 0.02; Single unregistered cab radio - temporary 23779; Single unregistered cab radio - permanent 252; Multiple uncorrelated cab radios (TD.net outage) 0.02; Multiple uncorrelated cab radios (TD feed outage) 1.7; DSD/PA link unavailable 399. * See footnote 4.

[4] See discussion in the paragraph below the table on the sensitivity of GSM-R GB displaying versus searching for networks.

In the case of searching for networks, a small network failure (taken to be a BTS outage) has been estimated to occur 335 times per year; however, on this basis it is likely to affect (and therefore be observable by the drivers of) 32,426 train journeys per year. Although the rate of failure should be considered as a frequency when the cause is known, the number of observable cases should be used to calculate the likelihood of consequence when the cause is unknown (see section 6.5.2). This is based on the assumption that the cab radio displays searching for networks whenever the network signal is too weak to make a call. However, in reality there is some delay in switching between GSM-R GB and searching for networks (and vice versa) where the signal is still strong enough to recognise the network but not to connect a call. This is considered further in the sensitivity analysis (Appendix P). The most likely observation is Searching for networks/GSM-R GB, followed by Registration – lead driver. Registration – duplicate is considered to be the least likely observation (based on assumptions identified during the workshops on version 2 of the GSM-R software). Using these estimated frequencies it is possible to calculate the likelihood of a particular outcome, given a particular observation. These are shown in Table 3.

Table 3: Functional loss scenario probabilities by observation. Outcomes (probability per observation), with the same rows (observations) and columns (functional loss scenarios) as Table 2. Individual cell values are not legible in this copy.

6.3 Understanding the safety benefit for each response option

The safety benefit per event by functional loss scenario for intercity type trains is shown in Table 4 relative to the base case of continuing in service.
Intercity type trains are shown for illustration purposes only; for other train type results see Appendix K. All options demonstrate a safety benefit against some functional loss scenarios. The response with the largest safety benefit by functional loss scenario is highlighted in green. Running at reduced speed (response 3) shows the largest safety benefit. This is because running at a lower speed reduces the consequences of some hazardous events (such as collisions and derailments).

Table 4: Safety benefit by functional loss scenario relative to continuing in service, for intercity type trains. Change in safety benefit (£/event) by response.
Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 1 | 2 | 5 | 3
Small radio network outage | 1 | 0 | 3 | 2
Medium radio network outage | 980 | 0 | 2,900 | 1,600
Large radio network outage | 3,700 | 0 | 11,000 | 6,200
Single unregistered cab radio - temporary | 0 | 0 | <1 | 0
Single unregistered cab radio - permanent | <1 | <1 | 1 | 0
Multiple uncorrelated cab radios (TD.net outage) | 56 | 0 | 10,000 | 5,700
Multiple uncorrelated cab radios (TD feed outage) | 1 | 0 | 230 | 130
DSD/PA link unavailable | <1 | 0 | 5 | 3
Single radio terminal failure | 5 | 0 | 42 | 23
Multiple radio terminal failure | 28 | 0 | 240 | 130
Driver:driver communications only | 1,300 | 0 | 11,000 | 5,900

Large radio network outage has the greatest impact on safety levels, and therefore the biggest change in risk between continuing in service and the response options. This is perhaps not surprising given that it represents no radio functionality for all trains on the network. No safety benefit is shown for the functional loss of the DSD/PA link from cancelling trains (response 1) or picking up a hand/transportable (response 2) for intercity trains, as the other members of train crew are assumed to mitigate the situation. This is not the case for the suburban DOO(P) and freight train types (see appendices K.1.3 and K.1.4).
6.4 Understanding the operational delay for each response option

The potential operational delays per event by functional loss scenario for intercity type trains (for illustration purposes only) are shown in Table 5 (for other train types see Appendix L) relative to the base case – continuing in service. These represent the monetary value of delays associated with the different response scenarios. A negative operational delay represents a saving relative to the base case – continuing in service. For intercity, suburban and suburban-DOO(P) trains, the majority of functional loss scenarios incur a cost of delay compared to continuing in service. The exceptions are using a hand/transportable (response 2) to mitigate a single cab radio failure – where performance savings can be made – or where running with hand/transportables or delayed reduced speed (response 4) offers no additional delay over the base case – continuing in service. These responses create the least amount of operational delay for each functional loss scenario and are highlighted in green in Table 5. Cancelling trains (response 1) and reducing speed immediately (response 3) create the most operational delays (highlighted in red). For freight trains, cancelling trains (response 1) creates the most operational delays. The other responses offer little difference from the base case – continuing in service (due to the generally lower speed of freight trains compared to other services).
Table 5: Operational delays by functional loss scenario relative to continuing in service, for intercity train types. Operational delays (£/event) by response.
Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 10,000 | -280 | 73,000 | 42,000
Small radio network outage | 180,000 | 0 | 48,000 | 27,000
Medium radio network outage | 2,700,000 | 0 | 41,000,000 | 23,000,000
Large radio network outage | 57,000,000 | 0 | 160,000,000 | 88,000,000
Single unregistered cab radio - temporary | 1,600 | 0 | 640 | 0
Single unregistered cab radio - permanent | 12,000 | 540 | 18,000 | 0
Multiple uncorrelated cab radios (TD.net outage) | 61,000,000 | 0 | 160,000,000 | 88,000,000
Multiple uncorrelated cab radios (TD feed outage) | 640,000 | 0 | 3,500,000 | 2,000,000
DSD/PA link unavailable | 12,000 | 0 | 73,000 | 43,000
Single radio terminal failure | 180,000 | 0 | 310,000 | 170,000
Multiple radio terminal failure | 600,000 | 0 | 3,500,000 | 2,000,000
Driver:driver communications only | 59,000,000 | 0 | 160,000,000 | 88,000,000

6.5 Optimising the response

On comparison of the magnitude of the safety benefit to the operational delay, the monetary value of operational delay greatly exceeds the safety benefit in all cases, ranging from a hundred to several million times larger than the monetary value of the safety benefit. This is highlighted in both Figure 5 and Figure 6 – in all charts the safety benefit is hardly noticeable.

6.5.1 When the type of functional loss is known

The least delays are accrued in general by the base case (continuing in service) and when running with a hand/transportable (response 2) (see Figure 5).
This is because these options are the same, but with the hand/transportable providing some benefit when the cab radio is the cause of the loss of functionality (but delays being incurred to pick up the device). Continuing as normal for a fixed time period then reducing the speed (response 4) is the next preferable option in terms of delay in some cases. In these instances it offers a compromise between continuing as normal and reducing the speed.

Figure 5: Comparison of safety benefit and operational delay for each functional loss scenario and response option (1-4), intercity type trains. Bar charts, one panel per functional loss scenario (Single cab radio failure; Small, Medium and Large radio network outage; Single unregistered cab radio - temporary and - permanent; Multiple uncorrelated cab radios (TD.net outage) and (TD feed outage); PA unavailable; Single and Multiple radio terminal failure; Driver:driver communications only), each plotting operational delay (£k/year) and safety benefit (£k/year) for responses 1-4. Note: safety benefit is plotted on the above charts, but its magnitude is so much smaller than the cost of delays that it is hard to see.
The time limit also encourages the problem to be fixed in a timely manner and not continue unconditionally. It should be noted, however, that this is not the only option for encouraging problems not to continue unconditionally. In the case of other functional loss scenarios, cancelling trains (response 1) may offer some benefit in terms of minimising delays compared with the options to reduce speed. That is, the delays accrued en route with response 4 may exceed the equivalent delay minutes for part/full cancellation of a train. In the case of freight trains, running at reduced speed (response 4) appears to perform as well as continuing in service; however, this is a symptom of the characteristics of freight operations, in that the average speed of freight trains is below the reduced speed limit considered (60mph), and therefore no delay or safety impacts are considered for this train type when the speed limit is introduced. The benefit-cost ratios (BCRs) calculated for the intercity train types are shown in Table 6. Intercity train types are shown for illustration purposes only; for other train types see Appendix O. All of the BCRs (where there is a difference from the base case, that is, not equal to zero) that are positive are significantly less than one. Three cases for intercity train types have negative BCRs. Those highlighted in red in Table 6 represent cases where there is a safety disbenefit and an operational cost associated with the functional loss scenario and the particular response. For example, using a hand/transportable instead of a permanently unregistered cab radio may increase risk due to the differences in performance between the two radios. Those scenarios highlighted in red are considered not to be practicable. The BCR highlighted in green is also negative.
However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continuing in service) from using a hand/transportable (response 2) when a single cab radio is known to have failed. Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) not outweighing the operational delay savings.

Table 6: Benefit-cost ratios for each response option by functional loss scenario, for intercity train types. BCR by response.
Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
Small radio network outage | 1.2 x 10^-5 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Medium radio network outage | 7.2 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Large radio network outage | 1.3 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Single unregistered cab radio - temporary | 0 | 0 | 1.3 x 10^-4 | 0
Single unregistered cab radio - permanent | 4.3 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 0
Multiple uncorrelated cab radios (TD.net outage) | 1.8 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Multiple uncorrelated cab radios (TD feed outage) | 3.9 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
DSD/PA link unavailable | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Single radio terminal failure | 5.7 x 10^-5 | 0 | 2.7 x 10^-4 | 2.7 x 10^-4
Multiple radio terminal failure | 9.4 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Driver:driver communications only | 4.3 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4

6.5.2 When the type of functional loss is unknown

Not all the cab radio observations provide direct insight into the cause of the problem and therefore the expected functional loss. Taking into account the likely failure rates and how the functional losses may appear to the driver (in the absence of any other information), the weighted average consequences have been estimated.
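The BCR definition of section 5.5.4 and the observation-weighting of section 6.5.2, as an added Python example (not the report's own model, safety disbenefit model v4.15.xls): it recomputes Table 6 ratios from the Table 4 and Table 5 intercity figures for four scenarios, applies the green/red reading of negative BCRs used in section 6.5, and weights per-event values by a constructed P(scenario | observation) distribution that stands in for the report's Table 3.

```python
"""Benefit-cost ratios (BCRs) and observation-weighted response selection.

Added worked example; not part of the original report or of its risk model
(safety disbenefit model v4.15.xls). Per-event figures are the intercity
values quoted in Tables 4 and 5; the observation -> scenario probabilities
are CONSTRUCTED placeholders, not the report's Table 3.
"""

RESPONSES = ("1 cancel", "2 hand/transportable", "3 reduced speed", "4 delayed reduced speed")

# Change in safety benefit (GBP/event) relative to continuing in service (Table 4, intercity).
SAFETY_BENEFIT = {
    "single cab radio failure": (1, 2, 5, 3),
    "medium radio network outage": (980, 0, 2_900, 1_600),
    "large radio network outage": (3_700, 0, 11_000, 6_200),
    "multiple uncorrelated cab radios (TD.net outage)": (56, 0, 10_000, 5_700),
}
# Operational delay (GBP/event) relative to continuing in service (Table 5, intercity);
# a negative value is a saving against the base case.
DELAY_COST = {
    "single cab radio failure": (10_000, -280, 73_000, 42_000),
    "medium radio network outage": (2_700_000, 0, 41_000_000, 23_000_000),
    "large radio network outage": (57_000_000, 0, 160_000_000, 88_000_000),
    "multiple uncorrelated cab radios (TD.net outage)": (61_000_000, 0, 160_000_000, 88_000_000),
}

# Section 5.5.4: the avoided cost of accidents is taken to be of similar
# magnitude to the monetary safety benefit, so benefits = 2 x safety benefit.
AVOIDED_ACCIDENT_FACTOR = 1.0


def bcr(safety_benefit, delay_cost):
    """BCR = (safety benefit + avoided accident cost) / operational delay cost.

    Returns 0.0 when the response is identical to the base case (no delay
    cost), matching the zeros shown in Table 6.
    """
    if delay_cost == 0:
        return 0.0
    return safety_benefit * (1 + AVOIDED_ACCIDENT_FACTOR) / delay_cost


def classify(safety_benefit, delay_cost):
    """Reading of a (benefit, cost) pair as used in section 6.5.

    A negative BCR is ambiguous on its own: it may mean a safety benefit
    with a delay saving (practicable) or a safety disbenefit that also
    costs delay (not practicable), so the sign of each term is checked.
    """
    if delay_cost == 0:
        return "no difference from base case"
    if safety_benefit > 0 and delay_cost < 0:
        return "dominates base case"            # shaded green in Table 6
    if safety_benefit < 0 and delay_cost > 0:
        return "safety disbenefit and cost"     # shaded red in Table 6
    return "reasonably practicable" if bcr(safety_benefit, delay_cost) >= 1 else "grossly disproportionate"


def bcr_table(scenarios=SAFETY_BENEFIT):
    """Per-scenario, per-response BCRs, as in Table 6."""
    return {s: tuple(bcr(b, c) for b, c in zip(SAFETY_BENEFIT[s], DELAY_COST[s]))
            for s in scenarios}


def expected_outcome(scenario_probabilities):
    """Section 6.5.2: when the cause is unknown, weight each scenario's
    per-event benefit and delay by P(scenario | observation).

    Returns {response: (expected benefit, expected delay cost)}.
    """
    total = sum(scenario_probabilities.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities must sum to 1, got {total}")
    result = {}
    for i, response in enumerate(RESPONSES):
        benefit = sum(p * SAFETY_BENEFIT[s][i] for s, p in scenario_probabilities.items())
        cost = sum(p * DELAY_COST[s][i] for s, p in scenario_probabilities.items())
        result[response] = (benefit, cost)
    return result


def optimum_response(scenario_probabilities):
    """The response with the least expected operational delay, which is how
    the report picks the optimum (delay cost dwarfs safety benefit in every case)."""
    outcome = expected_outcome(scenario_probabilities)
    return min(outcome, key=lambda r: outcome[r][1])


# CONSTRUCTED distribution for a driver seeing "searching for networks",
# restricted to the four scenarios tabulated above (placeholder values).
EXAMPLE_SEARCHING_FOR_NETWORKS = {
    "single cab radio failure": 0.30,
    "medium radio network outage": 0.60,
    "large radio network outage": 0.05,
    "multiple uncorrelated cab radios (TD.net outage)": 0.05,
}

if __name__ == "__main__":
    for scenario, ratios in bcr_table().items():
        print(scenario, ["%.1e" % r for r in ratios])
    for response, (b, c) in expected_outcome(EXAMPLE_SEARCHING_FOR_NETWORKS).items():
        print(f"{response}: expected benefit GBP {b:,.0f}, expected delay GBP {c:,.0f}, {classify(b, c)}")
    print("optimum:", optimum_response(EXAMPLE_SEARCHING_FOR_NETWORKS))
```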
In terms of the observation scenarios, the potential annual safety benefits in £ per year relative to the base case (continuing in service) are given in Table 7. All response options demonstrate some safety benefit relative to continuing in service. Again, reduced speed (response 3 – highlighted in green) offers the greatest safety benefit due to the less severe consequences of some hazardous events (such as collisions and derailments). However, this response may not be practical from a timetable perspective, given that the delays passed on to subsequent trains and journeys will affect network capacity. GSM-R GB displaying and failing on demand shows the greatest potential safety benefit per year for each response, due to a combination of assuming full functionality loss and the calculated failure frequency. However, as discussed previously, full functionality loss may not always be the case, as GSM-R GB can also be caused by temporary loss of network signal (see Appendix P).

Table 7: Safety benefit by observation scenario, for intercity type trains. Safety benefit (£/year) by response.
Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 550 | <1 | 1,700 | 920
GSM-R GB | 2,700 | 2,200 | 15,000 | 8,700
Blank screen | 130 | 140 | 470 | 270
Registration - lead driver | 2 | <1 | 1,600 | 160
Registration - duplicate | 2 | <1 | 290 | 160
Registration - PA | <1 | 0 | 470 | 270
Failure/fault | 820 | 890 | 3,100 | 1,800

The least safety benefit is achieved (for all response options) against registration failures (lead driver, duplicate, PA); this is due to the low-impact nature of these failures. That is, the cab radio still retains call and REC functionality. In the case of delay minutes accrued when considering a response based on an observation (Table 8), running at reduced speed (response 3) and cancelling trains (response 1) generate the most operational delays for intercity train types (shaded in red) relative to the base case – continuing in service.
Continuing with a hand/transportable (response 2) offers the least delays (shaded in green), and in some cases potential operational delay savings. A radio that has failed on demand while displaying GSM-R GB has the potential for the biggest operational losses – the figure below is based largely on cab radio failures and does not include the effects of network signal (see Appendix P for sensitivity analysis). Similar results are generated for suburban and suburban-DOO(P) train types. For freight trains, cancelling trains (response 1) generated the most operational delays – this is an artefact of freight trains not being affected by the measures that impose speed restrictions.

Table 8: Operational delays by observation scenario, intercity train types. Operational delays (£/year) by response.
Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 64,000,000 | -3 | 23,000,000 | 13,000,000
GSM-R GB | 43,000,000 | -410,000 | 190,000,000 | 110,000,000
Blank screen | 910,000 | -25,000 | 6,600,000 | 3,900,000
Registration - lead driver | 41,000,000 | 130,000 | 24,000,000 | 2,500,000
Registration - duplicate | 1,100,000 | 2,300 | 4,600,000 | 2,500,000
Registration - PA | 1,200,000 | 0 | 7,300,000 | 4,300,000
Failure/fault | 6,000,000 | -170,000 | 43,000,000 | 25,000,000

For intercity (Figure 6), suburban (K.2.2) and suburban DOO(P) (K.2.3) train types, the base case and continuing with a hand/transportable (response 2) appear to be the optimum cases. In some cases there is no difference between the two options. This is where the cause is more likely to be network related and therefore the hand/transportable provides no benefit.
Figure 6: Comparison of safety benefit and operational delay for each observation scenario and response option (1-4), intercity type trains. Bar charts, one panel per observation (Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault), each plotting operational delay (£k/year) and safety benefit (£k/year) for responses 1-4. Note: the safety benefit is plotted on the charts above but, due to the significant difference in magnitude, is hard to see.

All of the positive BCRs (where there is a difference from the base case, that is, not equal to zero) are significantly less than one (see Table 9) for intercity train types. There are seven cases where the BCR has been estimated to be negative. Those highlighted in red in Table 9 represent cases where there is a safety disbenefit and an operational cost associated with the observation scenario and the particular response. For example, using a hand/transportable instead of a cab radio that displayed a registration failure may increase the risk due to the differences in performance between the two radios. Those scenarios highlighted in red are considered not to be practicable. The BCRs highlighted in green are also negative. However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continuing in service) from using a hand/transportable (response 2) for observation scenarios where cab radio failure is possible.
Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) not outweighing the operational delay savings.

Table 9: Benefit-cost ratios for each response option by cab radio observation, for intercity train types. BCR by response.
Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 1.7 x 10^-5 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
GSM-R GB | 1.3 x 10^-4 | -1.1 x 10^-2 | 1.6 x 10^-4 | 1.6 x 10^-4
Blank screen | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
Registration - lead driver | 1.1 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4
Registration - duplicate | 2.8 x 10^-6 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4
Registration - PA | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Failure/fault | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4

7 Discussion

7.1 The definition of a defective GSM-R fixed cab radio

When the cab radio displays Radio Failure XX, MT Fatal or a blank screen, it is certain that the cab radio will not function properly and that the fault lies with the cab radio. This is the only observation case in which the driver can be certain that the cab radio is defective. Other displays such as Warning XX are non-service affecting and should not be considered as defects. If the cab radio is displaying searching for networks it is likely to be due to a network related problem, which could clear on moving the train. However, if the problem persists for a particular cab radio through its journey, or the signaller is able to confirm that the train lies within a fully operational part of the GSM-R network, then it is likely that the problem is associated with the train's antenna. In this case the cab radio should be considered as defective.
To help with the diagnosis of the problem and potentially speed up the repair of network issues, drivers should contact the signaller and report the issue at the first convenient opportunity, even if the radio subsequently displays GSM-R GB. If the cab radio displays an error on registration (registration – lead driver/duplicate/PA) there could be an issue with the network or with the information being entered. Either way, the cab radio should still have call and REC functionality and is therefore not considered an on-train defect. If the cab radio fails on demand whilst displaying GSM-R GB, it could be due to a cab fault or a network issue. Without further diagnosis or failure symptoms being observed by other network users it is difficult to determine the cause. If the train continues its journey and the problem in the cab persists, it is likely to be a cab radio defect. However, if on moving the train the problem remedies itself, it is likely to be a network issue. Although this analysis helps with a definition for a defective cab radio, it does not necessarily mean that a train with a defective cab radio should be withdrawn from service (see subsequent conclusions).

7.2 What action should be taken if the fixed cab radio is defective?

Regardless of the definition of a defective cab radio, the results from the risk analysis show that for all response cases considered, in terms of monetary equivalent values, the cost of operational delays dominates the cost of the safety benefits. That is, the safety benefit from GSM-R cab radio is estimated to be around 1.7 FWI/year (based on current use and practices), or equivalent to around £3 million/year (based on the VPF). With some 7 million train journeys/year, this gives an average safety benefit of around £0.40/journey. This is significantly less than the cost of cancelling a train journey, estimated to be around £800 to £6000, dependent on the type of journey.
For all the responses except continuing with a hand/transportable (response 2), the calculated BCRs are significantly less than one. That is, the delay costs associated with the measures are grossly disproportionate (in some cases over a hundred times greater) to the safety benefits when compared against the base case of continuing in service. This applies both when the functional loss is known and when it is unknown and inferred only from the driver's observation.

Although it may be reasonable to continue in service with a defective radio, doing so does affect both safety and operations. It is therefore worthwhile to continue maintaining both radios and DSD/PA links to a working standard, and reasonable to suggest that trains do not leave a maintenance depot for service with a defective radio (as the rules currently require for a PA system). This is similar to the requirements for other defective on-train equipment such as headlamps, tail lights and warning horns.

The conclusions on what to do when a fixed radio fails are the same for all train types, despite slightly different magnitudes of result. This includes services where the driver is on his own (suburban DOO(P) and freight). The results of the risk assessment show that although the DSD/PA link provides some benefit (0.005 FWI/year across all trains), this too is dwarfed by the cost of cancelling a train. However, it is recognised that the radio and DSD/PA link provide additional security and comfort benefits for the driver that are not included in this risk assessment. Also, in the future the PA link may be used by operations centres to provide passengers with information relating to their journey, placing greater dependence on the PA link. Therefore, should the radio or PA link fail on a DOO(P) train, the operating company may choose to implement additional measures (such as provision of a hand/transportable, a public mobile phone or an additional member of staff travelling on the train) to compensate.
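The per-journey comparison in 7.2 and the MTBF-to-annual-rate conversion used in the Appendix E workshop tables can both be reproduced in a few lines. The following Python is an added example, not the report's own risk model (which is the spreadsheet "safety disbenefit model v4.12.xls" cited in Appendix E). Two values are assumptions rather than figures from the report: the VPF (£1.7 million, chosen because it reproduces the report's £3 million/year and £50,000/year figures) and the gross-disproportion threshold (a BCR below 0.1). The MTBF table is constructed from the figures printed in Appendix E; the check shows every printed annual rate agrees with 8760/MTBF except the BSC row, where 1,000,000 hours (114 years) gives 0.0088 failures per year rather than the 0.0876 printed.

```python
"""Benefit-cost (ALARP-style) check for GSM-R failure responses, plus the
MTBF -> annual failure rate conversion used in the Appendix E tables.

Added example; not the RSSB risk model. VPF and the gross-disproportion
threshold below are assumptions, not values taken from the report.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
VPF_GBP = 1.7e6               # assumption: value of preventing a fatality
GROSS_DISPROPORTION_BCR = 0.1  # assumption: BCR below this = grossly disproportionate


def safety_benefit_per_journey(fwi_per_year: float, journeys_per_year: float,
                               vpf_gbp: float = VPF_GBP) -> float:
    """Monetised safety benefit (GBP) GSM-R contributes to one average journey."""
    return fwi_per_year * vpf_gbp / journeys_per_year


@dataclass(frozen=True)
class Response:
    name: str
    delay_cost_gbp: float    # monetised operational delay imposed on one journey
    benefit_preserved: float  # fraction (0..1) of the per-journey safety benefit the response preserves


def benefit_cost_ratio(benefit_per_journey: float, response: Response) -> float:
    """BCR = safety benefit preserved by the response / delay cost it imposes.
    Below 1 the delay cost exceeds the safety benefit."""
    return response.benefit_preserved * benefit_per_journey / response.delay_cost_gbp


def verdict(bcr: float, threshold: float = GROSS_DISPROPORTION_BCR) -> str:
    """Read a BCR the way section 7.2 does: practicable, disproportionate or grossly so."""
    if bcr >= 1.0:
        return "reasonably practicable"
    if bcr >= threshold:
        return "disproportionate"
    return "grossly disproportionate"


def assess(fwi_per_year: float, journeys_per_year: float, responses) -> dict:
    """Map each response name to (BCR, verdict) for the given annual safety benefit."""
    benefit = safety_benefit_per_journey(fwi_per_year, journeys_per_year)
    out = {}
    for r in responses:
        bcr = benefit_cost_ratio(benefit, r)
        out[r.name] = (bcr, verdict(bcr))
    return out


def mtbf_hours_to_annual_rate(mtbf_hours: float) -> float:
    """Constant-hazard conversion used in Appendix E: failures/year = 8760 / MTBF(hours)."""
    return HOURS_PER_YEAR / mtbf_hours


# Constructed from the MTBF figures and printed annual rates in Appendix E (E.2).
APPENDIX_E_RATES = [
    ("antenna", 131_400, 0.07),
    ("BTS repeater", 50_000, 0.175),
    ("BTS MUX", 1_384_000, 0.00633),
    ("FTN single chain", 36_730, 0.238),
    ("FTS core", 63_800, 0.137),
    ("BSC", 1_000_000, 0.0876),
    ("BTS core", 148_600, 0.059),
]


def check_printed_rates(rows=APPENDIX_E_RATES, tolerance: float = 0.10) -> list:
    """Names whose printed annual rate differs from 8760/MTBF by more than `tolerance` (relative)."""
    mismatches = []
    for name, mtbf, printed in rows:
        computed = mtbf_hours_to_annual_rate(mtbf)
        if abs(computed - printed) / computed > tolerance:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    # Section 7.2 figures: 1.7 FWI/year, ~7 million journeys/year, cancellation GBP 800-6000.
    cancel_cheap = Response("cancel (GBP 800)", 800.0, 1.0)
    cancel_dear = Response("cancel (GBP 6000)", 6000.0, 1.0)
    for name, (bcr, v) in assess(1.7, 7e6, [cancel_cheap, cancel_dear]).items():
        print(f"{name}: BCR={bcr:.1e} -> {v}")
    print("Appendix E rows whose printed rate is not 8760/MTBF:", check_printed_rates())
```

Running the module prints a BCR of the order 10^-4 for cancellation at either end of the £800 to £6000 range, the same order as the "1 Cancel" column of Table 9, and lists "BSC" as the one Appendix E row whose printed rate does not follow from its MTBF.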
7.3 Can a train enter service if the registration fails?

The workshops identified that if a cab radio fails to register a journey properly there is a reduction in call success: a call may route to the wrong signaller (the REC will still function). If proper communication protocols are not followed this could lead to errors in train movements; for example, permission could be given to pass a signal at danger because the signaller has misunderstood which driver he is speaking to. Based on current rates of miscommunication leading to a movement accident, operating all cab radios unregistered is estimated to reduce the safety benefit by around 0.03 FWI/year, or around £50,000/year (based on the VPF). Again, with some 7 million train journeys/year, the average safety benefit per journey is estimated to be less than £0.01. The cost of taking a train out of service (response 1) or reducing its speed (responses 3 and 4) to compensate is far greater than the safety benefit (the BCRs are significantly less than one), so these options are not reasonably practicable.

Running with an unregistered cab radio could be further mitigated by training drivers to be aware that a call is more likely to be routed to the wrong signaller, and hence of the need to place greater importance on the communications protocol to ensure a clear understanding of who is involved in a call (see 10.2 Further analysis). The conclusions are the same for all train types, despite slightly different magnitudes of operational delay.

7.4 What action should be taken if the radio network fails?

Network failures can extend from a few kilometres of track up to the whole network, affecting both trains entering service and those already in service. The results of the risk analysis show that, as with cab radio defects, the operational delays significantly dominate the safety benefits: the BCRs are significantly less than one.
Cancelling trains (response 1) or running at reduced speed (responses 3 and 4) increase the operational delay the most whilst minimising the risk. However, because the magnitude of the costs is grossly disproportionate to the safety benefits, they are not considered reasonably practicable. In the case of network failures the provision of hand/transportables (response 2) provides no additional benefit, since the hand/transportable would not work either.

In the event of a total network failure or a significant network outage (multiple terminal failures etc), cancelling all trains would cause chaos for passengers. This would be detrimental to both safety (passenger overcrowding and assaults) and rail industry reputation, and is generally not considered acceptable by rail industry representatives. Therefore, the response recommended on the basis of this risk assessment is to continue in service. However, GSM-R provides safety and operational benefits, so it should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits or constraints on the 'continue in service' option. Imposing restrictions after a four-hour time limit (response 4) was one of the responses considered by this risk assessment, but it may not be practical to implement.

The conclusions are in general the same for intercity, suburban and suburban DOO(P) trains, despite slightly different magnitudes of result. Freight trains are less affected by speed reductions because of the lower average speeds at which they travel.

8 Sensitivity analysis

Sensitivity analysis was carried out on the risk modelling (see Appendix P), focusing on the key assumptions:
• The cost of delays
• The rate of reactionary delay incurred
• The version of the cab radio software
• The number of BTSs
• The number of registrations per day
• The split between Searching for networks and GSM-R GB during network issues
• Failure rates

The sensitivity analysis shows that the conclusions are robust with respect to the cost of delays and the rate of reactionary delay for intercity, suburban and suburban DOO(P) train types. For freight, cancelling trains may be a better option for some functional losses when operating in areas with potential for significant reactionary delays.

With respect to the cab radio software, the conclusions are considered robust with respect to the increased likelihood of Registration failed - duplicate with Siemens version 1E compared with the assumed version 2.

The sensitivity analysis also showed that the conclusions are robust with respect to the number of BTSs, the number of registrations per day and the failure rates: in all cases where the cost of delays was grossly disproportionate to the safety benefits, it remained so in the sensitivity test scenarios. A similar conclusion was drawn when testing the sensitivity of the split between Searching for networks and GSM-R GB during network issues.

However, the sensitivity analysis also showed that there is significant uncertainty as to whether GSM-R GB signifies a cab radio failure without further diagnosis. That is, if a cab radio fails on demand whilst displaying GSM-R GB, the cause may be a network issue.

9 Conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example persistent failure throughout the journey (with confirmation that the network is working).
For all the response options considered, ranging from continuing as normal with no radio to cancelling trains, the operational delays significantly dominate the safety benefits. Continuing as normal (the base case) and continuing with the use of hand/transportables (response 2) minimise the operational delays but accrue a small safety disbenefit. The other responses analysed are not considered reasonably practicable because the additional delay costs are disproportionate to the safety disbenefits (for all train types, including suburban DOO(P)). The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits, so it is important that the equipment is properly maintained. It therefore seems reasonable to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows that it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types). That is, none of the responses considered was shown to be a reasonably practicable mitigation for registration issues.

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry needs to decide whether it is appropriate to impose limits or constraints on the 'continue in service' option.

The conclusions are considered robust to changes in the key assumptions.

10 Items for consideration

10.1 Review of Railway Group Standards and other supporting documents

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT3437 and Rail Industry Approved Code of Practice GO/RC3537 are reviewed with respect to the findings of this risk assessment, and appropriate proposals for change prepared.
The proposed changes should reflect that:
• Registration failures are not considered to be defects
• Trains can enter and stay in service with a defective cab radio
• Trains can enter and stay in service with a defective radio network

However, to encourage the recovery of faults, it is suggested that a train does not enter service from a maintenance depot with a defective radio. This is similar to the practice already applied to other on-train equipment such as headlamps and warning horns.

10.2 Further analysis

During this study, further related areas of analysis were identified as being of interest. These have not been included in this analysis but will be investigated later:
• When should planned outages of the network (for maintenance, upgrades etc) take place to minimise risk?
• Is agreement from TOCs needed for the planned outage times chosen, or can they and the signallers simply be informed?
• Can the signaller still authorise the driver of an unregistered cab radio to pass a signal at danger?
• Is it safer to use an SPT or an unregistered cab radio to contact the signaller?

10.3 Further process mitigations for consideration

During the workshops some ideas were generated on how errors could be reduced when using GSM-R. These included:
• Providing repeater plates where the signal is not visible at registration; this would avoid excessive use of the wildcard
• After observing Registration failed - lead driver and being instructed by the signaller to use the wildcard, the driver could contact the signaller again to confirm that the radio is registered with the correct headcode
• Monitoring cell pick-ups to help reduce the number of misrouted calls
• Reinforcing during training the need to place greater importance on the communications protocol, to ensure a clear understanding of who is involved in a call when using an unregistered cab radio
Appendix A Glossary

ATOC    Association of Train Operating Companies
BSC     Base station controller
BSS     Base station sub-system
BTS     Base transceiver station
DOO     Driver only operation
DOO(P)  Driver only operation (passenger)
DOTE    Defective on-train equipment
DSD     Driver safety device
ECS     Empty coaching stock
ERTMS   European Rail Traffic Management System
FTN     Fixed telephone network
FTS     Fixed terminal system
FWI     Fatalities and weighted injuries
GSC     Ground switching centre
GSM-R   Global System for Mobile Communications - Railways
HAZOP   Hazard and operability (study)
LAC     Location area code
NCN5    Network change notice 5
NSS     Network switching system
NXEA    National Express East Anglia (train operating franchise)
PA      Public address
REC     Railway emergency call
RGS     Railway Group Standards
RSSB    Rail Safety & Standards Board
SPT     Signal post telephone
TD      Train describer
TEC     Telecomm Engineering Centre
TOC     Train operating company
TPWS    Train Protection and Warning System
VPF     Value of preventing a fatality

Appendix B Documents reviewed

This appendix contains the references for the documents reviewed as part of task 2, and subsequent documents received and considered in later tasks.

1. GSM-R/FTN Programme Cab Handportable estimated usage, NR/AM/SA/REP/00241, Issue A01, Network Rail, May 2012.
2. Assessing the risk from the loss of the NRN frequency spectrum in 2012, RSSB, April 2012.
3. Trains Required to be Taken Out of Service as a Result of Defective On-train Equipment. Train Operator's Contingency Plan, CP 3437, Issue 7, Arriva Trains Wales, January 2012.
4. HMI Design Requirements Specification for Network Rail GSM-R Cab Radio – "Version 2", Issue 9.0B Draft, Siemens, 20 December 2011.
5. Using GSM-R in Great Britain Briefing Note – Changes to the Siemens GSM-R Cab Radio (Version 2), GSMR/FTN/TRG/BN/03, Issue 1.2, Network Rail, 14 December 2011.
6. GSM-R user procedures (cab radio). Procedures for using the Siemens GSM-R cab radio (Version 2), NSGSM-R-OPS-0514, Issue 6.1, RSSB, December 2011.
7. Voice Communication System FTS Failure Modes, Effects and Criticality Analysis (FMECA), 04A05E606.24, Issue 2.5, Frequentis, 19 October 2011.
8. AM Amendments module, GE/RT8000/AM Rule Book, Issue 13, September 2011.
9. CMv1E – CMv2 Requirements Summary, Issue 1, R Hill, 2 September 2011.
10. GSM-R System Resilience, version 2, E Nix & T Foulkes, 16 June 2011.
11. National Control Instructions Procedure for the Planned Response to GSM-R System Failures, Issue 4, 4 June 2011.
12. Human Factors Railway Emergency Call Study, Issue 2, RSSB, 2 June 2011.
13. Cab Radio Reliability Time Truncated Test Results, GSMR/RWG, Issue 2, Network Rail, May 2011.
14. GSM-R Network Observed Reliability during Operational Trial, GSMR/RWG, Issue 2, Network Rail, May 2011.
15. NWR GSM-R Core Network System Definition, NWR/NE/DD/025055, Version 8.00, Kapsch CarrierCom, 25 March 2011.
16. Amendments to SMS9.3 Defective On-Train Equipment Contingency Plan, NXEC9.3, Issue 7, East Coast, 30 December 2010.
17. GSM-R (IVRS) Radio System Handbook, RS/520, Issue 1, RSSB, December 2010.
18. National GSM-R Radio Project Hazard Identification Workshop Report: Multiple Signallers in RECs, A305/GSM-R/IMP/Dxxx, Issue 1, Network Rail, 12 November 2010.
19. National Control Instructions and Approved Code of Practice Section 2.1 Communications, NR/L3/OCS/043/2.1, Issue 2, 5 June 2010.
20. Risk Profile Bulletin, Table B1, Version 7, RSSB, August 2010.
21. Contingency Plan & Matrix for Trains with Defective On-train Equipment, SM0901, Issue 6, First Great Western, June 2010.
22. Defective On-Train Equipment, GO/RT3437, Issue 6, June 2010.
23. Recommendations for Defective On-train Equipment, GO/RC3537, Issue 4, June 2010.
24. GSM-R Signallers Fixed Terminal User Guide, Issue 1, Network Rail, June 2010.
25. GSM-R Emergency Call Risk Assessment, RSSB, 8 January 2010.
26. GSM-R Strathclyde Trial Objectives Close out Report, NR/EE/REP/00181, Issue A02, Network Rail, December 2009.
27. FTN & GSM-R: GSM-R Trial for Pilot Route A (PA05/03377/T) – Critical Review Report, CCMS:6866706, Issue 3.3, Network Rail, 12 June 2009.
28. GSM-R Strathclyde Operational Trial Reliability and Maintainability Demonstration Plan, Issue 4.1, Network Rail, June 2009.
29. Taking Safe Decisions – how Britain's railways take decisions that affect safety, RSSB, 2009.
30. Using GSM-R in Great Britain: Procedures for using the Frequentis GSM-R fixed terminal, Appendix 4: Amendments, FTN&GSMR/PM/MAN/002, Issue 2, Network Rail, 28 October 2008.
31. Preparation and movement of trains: General, GE/RT8000/TW1 Rule Book, Issue 8, October 2008.
32. Cab Secure Radio (CSR) Handbook, RS/516, Issue 1, June 2008.
33. Preparation and movement of trains: Defective or isolated vehicles and on-train equipment, GE/RT8000/TW5 Rule Book, Issue 3, April 2008.
34. Using GSM-R in Great Britain: Procedures for using the Frequentis GSM-R fixed terminal, Appendix 3: General Instructions, FTN&GSMR/PM/MAN/002, Issue 3, Network Rail, 22 October 2007.
35. GSM-R Reliability, Availability & Maintainability (RAM) Study, A305/GSM-R/124, Issue 4, Network Rail, August 2007.
36. GSM-R Cab Mobile, Great Britain Open Interface Requirements, GE/RT8082, Issue 1, July 2007.
37. UK Application of GSM-R: The Operational Concept, Issue 1, RSSB, 14 December 2006.
38. Risk Assessment of Failure of the Interim Voice Radio System (IVRS), RSSB, February 2006.
39. Train Radio Systems for Voice and Related Messaging Communications, GE/RT8080, Issue 1, December 2003.
40. Requirements for GSM-R Voice Radio System, GE/RT8081, Issue 1, December 2003.
41. Safety Risk Assessment for the National GSM-R Radio Network Project, A305/GSM-R/IMP/D057, Issue 2, Network Rail, 7 November 2003.
42. Flowchart process for signallers.
43.
Ops Controller LAC Map.

Appendix C Workshop attendees

Four workshops were held: 1 Registration; 2 BSS; 3 NSS/FTS; 4 FTS/On-board equipment.

Attendee, job title and organisation:
Ed Nix, Senior NSS Design Engineer, Network Rail
Neil Ramsey, Senior Programme Manager, Network Rail
Chris Fulford, GSMR Operations Advisor, ATOC
Rob Hill, Senior FTS Design Engineer, Network Rail
Paul Ashton, Operational Rules Specialist, Network Rail
Keith Fox, Operations Specialist, RSSB
Jay Heavisides, Senior Risk Analyst, RSSB
Will Clayton, Risk Analyst, RSSB
David Griffin, Senior Risk Analyst, RSSB

Appendix D Workshop guidewords

D.1 Registration observations

Observers: driver, signaller.
Views: 'Registration failed'; 'Registration failed – Duplicate'; 'Registration failed – PA'; Wrong headcode returned; No headcode returned.

D.2 GSM-R functions

Driver initiated:
A) Point-to-point call to controlling signaller
B) Urgent point-to-point call to controlling signaller (yellow button)
C) Railway emergency group call (red button)
D) Non-operational calls
E) Driver safety device activation alarm
F) Standing at signal text message
Device registration

Signaller initiated:
G) Point-to-point call to driver
H) Urgent point-to-point call (yellow button)
I) PA announcements
J) General broadcast voice calls to local area
K) Non-emergency group voice calls
L) Railway emergency group call (red button)
M) Operational text ('Wait', 'Contact signaller')

Other:
N) Voice recording
O) Coverage

D.3 Influencing factors: frequency

Parameter: Deviation
Migration: During; Post
Network outage: Planned; Unplanned
Point of journey: Leaving depot; Start of journey; Mid journey; End of journey; Turnaround; Splitting/joining units

D.4 Influencing factors: consequence

Parameter: Deviation
Alternative communication method: Handportables; Transportables; CSR; NRN; IVRS; Signal post telephones; Public mobile phone
Train type: Non-DOO; DOO(P); Freight; ECS
Track type: Single; Double; Multiple
Train speed: Slow (<15mph); Medium (15-75mph); Fast (>75mph)
Line type: Rural; Sub-urban; Mainline
Train frequency: Low frequency; High frequency
Journey time/distance: Short; Medium; Long

D.5 Potential responses

No replacement equipment available:
• Suspend service at point of failure until fixed
• Send straight to depot for fixing
• Continue to next point of call, then suspend service until fixed
• Continue to next point of call, detrain passengers and operate ECS until fixed/replaced
• Continue to end of journey, then to depot/fix
• Continue to end of day/final journey to depot/fix

Replacement equipment available (awaiting outputs from NRN switch-off study):
• Await arrival of handportable/transportable
• Continue to next point of call to collect handportable/transportable
• Continue to end of journey/next hub to collect handportable/transportable
• Rely on SPTs

Appendix E Workshop outputs

The notes in this appendix represent the outputs after completion of the workshops; that is, they represent a fixed point in time during the study. Data gathering and analysis was completed after the workshops to finalise the failure rates. The calculations can be found in the risk model developed for this study (safety disbenefit model v4.12.xls).

E.1 Cab registrations

The letters in the column Impact of failure refer to the function guidewords listed in Appendix D.2.

Columns: Observation; Cause of failure; Sub-cause of failure; Distinction; Impact of failure; Mitigation; Failure rate; Influences

1. Registration 1.1 Driver input 1.1.1 Driver error Entered data is A, B, E, F) Yes - no longer Current: Driver Jim Carney (NR) - During failed - lead incorrect driver registration (misread) visible on display calling the controlling signaller retries. Call breakdown of migration - but the nominated one signaller if still fails.
registration more likely to Signaller checks statistics enter wrong headcode A, B, C, E, F) Calling identity is code and gives headcode and wildcard (wrong be unaware of it headcode) Verbal through pre- C) Nominated signaller has communication registration control of REC protocol may lead process G, H, I) Can only be done using to recognition of (wildcard) unit number and there will be a error and the delay to call signaller will know the unit number and not the headcode the train headcode K) Will not function without from either ARS or headcode train list M) Can only be done using unit New: Driver would number and there will be a delay contact the to call - contact signaller only signaller once (check that it can be done using registration CT3) complete to check headcode 1.1.2 Driver error As 1.1.1 As 1.1.1 As 1.1.1. (input error) 43 Observation Cause of Sub-cause of failure failure Distinction Impact of failure Mitigation Failure rate 1. Registration 1.2 Driver input 1.2.1 Driver error Entered data is As above for 1.1.1 Current: Driver Jim Carney (NR) - failed - lead incorrect driver location code (misread) visible on display retries. Call breakdown of signaller if still fails. registration Signaller checks statistics Performance delay impact (continued) code and gives wildcard (right headcode). Verbal communication protocol may lead to recognition of error. 1.2.2 Driver error As 1.2.1 As 1.1.1 Speak to signaller As 1.1.1 1.2.4 Signal Visit signal to As 1.1.1 identity not visible check plate (input error) 1.2.3 Missing alias plate New: Provide signal repeater plates 44 Influences Observation Cause of Sub-cause of failure failure Distinction Impact of failure Mitigation 1. Registration 1.3 Train 1.3.1 Signaller Speak to signaller As 1.1.1 Current: Driver failed - lead description not has not entered retries. Call driver associated with TD signaller if still fails. 
(continued) berth Failure rate Influences None Signaller checks TD and inserts code 1.3.2 Late entry Speak to signaller As 1.1.1 As above (1.3.1) by automatic coding insertion 1.4 Train 1.4.1 TD.Net Speak to signaller As above for 1.1.1 but for Current: Use Increased describer failure failure (national) (may not know multiple trains wildcard registration failure rate due to there is a failure) possible duplication 1.4.2 Local TD failure Speak to signaller As above for 1.4.1 but for trains Current: Use Increased in local area wildcard registration failure rate due to possible duplication (smaller risk than 1.4.1) 45 Observation Cause of Sub-cause of failure failure Distinction Impact of failure Mitigation Failure rate Influences 1. Registration 1.5 Cell not 1.5.1 Train on Speak to signaller As above for 1.1 but for single Current: Use Dependent on Initial increase failed - lead associated with driver berth unexpected cell (use wildcard) train and definitely contacting wildcard location - see Jim during Carney migration. nominated signaller (not (continued) controlling) 1.5.2 BSS failure See 1.8 See 1.8 1.6.1 Failure on Use alternative As above for 1.4.1 demand means to contact (see 1.8) 1.6 NSS failure signaller 1.7 FTS failure 1.7.1 Failure on Signaller may demand already be aware As above for 1.4.2 - use alternative means for contact 1.8 BSS failure 1.8.1 Interference Use alternative As above for 1.4.2 - more means to contact localised signaller 46 New: Monitor cell pick-ups Observation Cause of Sub-cause of failure failure 2. Registration 2.1 Three trains 2.1.1 failed - already in wildcard - worse duplicate service with the case correlation same 8 digit attempted every 3 code minutes 2. Registration 2.2 NSS failure Distinction Impact of failure Mitigation Failure rate As per 1.1 Current: Use Minimal 2.2.1 Influences Current: log as failed - fault as unable to duplicate register (continued) 3. 
Registration failure - PA 3.1 BSS failure 3.1.1 Interference None for driver, Current: Contact Jim Carney (NR) - More likely to on uplink yes for signaller I) Not available signaller to breakdown of cause problems dependent on determine uplink or registration whilst on the contact downlink. Does not statistics. Reduce move (during matter if non- by factor of 100 for migration) DOO(P) v2? (stuck, retry and driver intervention) 3.1.2 Interference No impact - driver unaware so on downlink possible performance delay 47 E.2 Base station sub-system Observation Cause of failure Sub-cause of failure Distinction Impact of failure Recovery Geographical size of failure Duration of failure Failure rate Influences 1. Searching networks please wait 1.1 BTS or repeater failure (local) 1.1.1 Antenna and feeder damage Catastrophic (specific) alarm to TEC No service available whilst display is 'Searching networks' Attempts to search for networks ('Searching networks' displayed). Attaches to nearest cell but might not be on the correct route. 4-8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Contact Paul Strachan for target fix time and actuals Contact Paul Strachan for target fix time and actuals As system is better understood, recovery rates will improve. Noncatastrophic possible alarm The antenna system takes approximately 24 hours to repair The mean time between antenna failures is 131400 hours ie 15 years, so assume 0.07 failures per antenna year If occurs at start of journey, train will not be able to register - if this is the first train to report this problem signaller may not be aware 1.1.2 Antenna realignment (partial failure) Driver reports intermittent coverage audible and visual in cab alarm As 1.1.1 or 4.1.1 Driver reports failures to control. Aids subsequent trains Maybe slightly better than 1.1.1 due to only partial loss 1.1.3 Power loss (specific) alarm to TEC As 1.1.1 Opportunity to rectify upon receiving alarm. 
Back up power supply for 6 hours 4-8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Contact Paul Strachan for target fix time and actuals Contact Paul Strachan for target fix time and actuals as above 1.1.4 Air conditioning failure High temp alarm to TEC As 1.1.1 Opportunity to rectify upon receiving alarm. Contact Paul Strachan for target fix time and actuals Contact Paul Strachan for target fix time and actuals as above 1.1.5 BTS or repeater electronics hardware (specific) alarm to TEC As 1.1.1 Opportunity to rectify upon receiving alarm. 4-8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Maybe slightly better than 1.1.1 if only partial loss Indicates a BTS repeater failure takes approximately 12 hours to repair The mean time between repeater failures is 50000 hours ie 5.7 years, so assume 0.175 failures per BTS per year as above Indicates 5.9km gap in service Notes as above 1.1.6 Cell BTS configuration error None - nondetectable No P2P or REC calls System commissioning procedures 4-8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Indicates a BTS MUX failure takes approximately 12 hours to repair The mean time between MUX failures is 1384000 hours ie 158 years, so assume 0.00633 failures per year as above 1.1.7 Loss of REB due to damage/vandalism Alarm to TEC As 1.1.1 Replace REB 4-8km of track effected ask Paul Strachan for contacts ask Paul Strachan for contacts as above Check for contingency plans Ed to confirm % of joint REB sites 48 Observation Cause of failure Sub-cause of failure Distinction Impact of failure Recovery Geographical size of failure Duration of failure Failure rate Influences Notes 1.2 Multi BTS failure 1.2.1 FTN transmission failure (specific) alarm to TEC from BTS and FTN As 1.1.1, but may also impact availability of SPT and LX T Opportunity to rectify upon receiving alarm. 
Easier to identify as an infrastructure failure by the signaller through driver observation. Requires 2 breaks in ring to reduce functionality. Single chain - 30km; entire ring - hundreds of km. FTN (single chain) failure takes approximately 4 hours to repair. The mean time between FTN failures is 36730 hours ie 4.19 years, so assume 0.238 failures per year. During migration adding additional rings may lead to accidental severance. Is transmission failure to do with a single site? Speak to Ian Burrows. A fixed terminal core failure takes 2 hours to repair. The mean time between fixed terminal core failures is 63800 hours ie 7.28 years, so assume 0.137 failures per year.

1.2.2 BSC failure/damage: TEC receives (specific) critical alarm. As 1.1.1 (check transmission backgrounds). Migrate services onto backup BSC (manual disaster recovery BSC). All BTS connected to BSC - approx 1/9th of network. 2 hours for disaster recovery to be implemented - TBC. The mean time between BSC failures is > 1000000 hours. Use worst case ie 114.155 years, so assume 0.0876 failures per year. Possible problems during software upgrades to BSC. No planned outage of BSC due to constant demand. There are 2380 BTS across 10 BSCs, each BTS covers 5.9km, therefore ring failure = 2380/10*5.9 = 1400 km. Confirmed from RAM study.

1.2.3 NSS failure: see later workshops.

1.2.4 FTN to NSS failure (maybe common to 1.2.1): Can lead to 1.2.1 or 1.2.2. As 1.2.1. No specific mitigation for the driver to detect this problem at the present time. Somewhere between 1.2.1 and 1.2.2. 1 in 70 years per km of track, although maybe on the increase due to the possibility of cable theft.

1.3 Cell inaccessible
1.3.1 Route configuration: None. As 1.1.1 or 4.1.1. Driver identifies problems and this is fed back into system design. Only applies during migration. Unable to tell for certain at this stage.

1.4 RF interference
1.4.1 PLMN 2G (public network) 900MHz: None. Reduction of call quality on the downlink whilst travelling 30-40mph, otherwise may not notice. Problems more severe when stationary and will continue to be affected until the voice traffic on the PLMN has dropped. It can take 20 seconds-2 minutes for the mobile to re-attach to GSM-R GB but it may need a reset. If the driver sees a mast, moving the train away from the mast may help reduce interference. Units 20-50m from the interference source will be more affected, but it is likely to affect a particular train at a time rather than a whole cell. More likely to be an issue for the train antenna than a BSS. Actions such as moving the train forward slightly or using the cab mobile at the other end of the train have been suggested when at a station. 20 seconds to 2 minutes for the train to locate the correct mobile once interference has reduced; longer if the mobile is 'stuck' and needs resetting. Approx 600 EGSM-R failures in Germany in 3 years ie 300/year. Alternatively, there were 5 recorded interference failures on the GB network over a period of 1 year. Assuming that only 20% of the network is currently rolled out (x5), the impending switch-on of Vodafone's additional mobile network increases interference (x2) and other PLMN follow suit (x2), this equates to around 100 failures per year for the UK. May affect migration and could increase impact if more mobile networks switch on. Suggestions have been to add stronger BSSs at stations, where most of the impact lies, and to create a more compatible cab mobile. Filters can concentrate the reception into the mobile, but are costly to set up and sometimes unreliable. One option is to introduce equipment which records interference and replays it to show where interruptions have been and therefore could be in future. Future strategy between NR and mobile networks unclear. Difficult to predict rate of interference due to the continuing introduction of more PLMN.
1.4.2 PLMN 3G 900MHz band: Assumed none. Yet to determine.
1.4.3 Broadband noise: Assumed none. Yet to determine.
1.4.4 Other train antenna (repeaters): Assumed none. Yet to determine.

2. PA call in progress: N/A. May allow PA calls in normal operation - depending on rules surrounding process.

3. Fatal error: N/A.

4. GSM-R GB
4.1 BTS failure
4.1.1 Cell BTS configuration error: Failure on demand. No P2P or REC calls but gives the impression to the user that the system is working. Driver would only be aware if attempting to use the radio. Low. Recognised that this may happen eg rollout of 3G technology - data TBC. A BTS repeater failure takes approximately 12 hours to repair. Mean time between BTS core failures is 148600 hours. Use worst case ie 16.96 years, so assume 0.059 failures per year. Misrouted calls caused by the cab-mobile attaching to cells on adjacent routes (in the future) may be managed through experience and by including trains on the actual and adjacent route cell train list. The downside of this approach is that it will increase the size of the REC and therefore potential delays in the event of an emergency. For the purposes of the assessment it will be assumed that the calls may be misrouted.
4.1.2 BSC failure: Likely to be a configuration issue. TEC receives unique critical alarm. If connection is made to a non-designated cell, registration may fail without use of the wildcard. As above. Migrate services onto backup BSC (manual disaster recovery BSC). All BTS connected to BSC - approx 1/9th of network. 2 hours for disaster recovery to be implemented. Mean time between BSC failures is > 1000000 hours. Use worst case ie 114.155 years, so assume 0.0876 failures per year. Possible problems during software upgrades to BSC.

4.2 Multi BTS failure: Possible poor quality calls, increased possibility of misrouted calls. Risk of no coverage. Poor speech quality at one end between the driver and the signaller.
4.1.2 BSC failure (continued): No planned outage of BSC due to constant demand.

4.1.3 FTN failure: Alarm to TEC from BTS and FTN. As above. Opportunity to rectify upon receiving alarm. Easier to identify as an infrastructure failure by the signaller through driver observation. Requires 2 breaks in ring to reduce functionality. Single chain - 30km; entire ring - hundreds of km. As above. Approx 90% would show a 'Searching please wait' display. During migration adding additional rings may lead to accidental severance (check transmission backgrounds). Mean time between FTN failures is 36730 hours ie 4.19 years, so assume 0.238 failures per year. The mean time between fixed terminal core failures is 63800 hours ie 7.28 years, so assume 0.137 failures per year.

4.3 Wrong cell accessible
1.4.1: As 1.3.1. None. As 1.1.1 or 4.1.1. Driver identifies problems and this is fed back into system design. 4-8km of track affected, or less depending on whether adjacent cells fill in eg West Coast Mainline. Only applies during migration.

E.3 FTS sub-system

Columns recorded for each item: Observation; Cause of failure; Sub-cause of failure; Distinction; Impact of failure; Recovery; Geographical size of failure; Duration of failure; Failure rate; Influences; Notes.

1. Registration failed
1.1 TD.Net failure
1.1.1 Train describer failure: Area failed. Apparent to the signaller of the area affected that the TD has failed. Registration will fail when the location code is entered; the signaller will know and issue a wildcard (apart from within areas without TD available). Signaller will inform drivers and ops control. Ops control will contact the train operators. Local to one signal box/TD area. Duration and failure rate: speak to Paul Strachan. Ed to clarify that this is the correct recovery procedure. Risk of misrouting due to no ELDA from a shared cell. FTS can be told that the TD data is not available ie become a non-TD area; this accepts the location code without checking. Ed to talk to Rob Hill for failures that would cause all trains in the train list to de-correlate. Driver error in registering will not be picked up and will be accepted when the wildcard is used.
1.1.2 Transmission to or from TD.Net fails: Local functionality for the signaller but no link to TD.Net. As above, except the signaller will be unaware unless the train list is checked. Trains will de-correlate. As above, plus a duplicate connection is used in case one fails. Other columns as above.
1.1.3 TD.Net overall failure: Trains de-correlated nationally in train list. National network failure. Do not validate the TD. Will not be able to detect the driver entering the wrong information. Whole country. Other columns as above.
1.1.4 General changes in TD: Misrouting calls. As above for 1.1.1. Monitoring for paging by TEC. Local to cell. Other columns as above. After rollout is complete.

1.2 TD Bridge failure
1.2.1: As per TD.Net failure. Other columns as above. Both bridges would need to fail - replicate bridge on auto start-up.

1.3 Complete FTS failure - loss of site
1.3.1 Air con failure: Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller. Switching over would take approx. 4 hours. Other columns as above. Hot weather.
1.3.2 Loss of power: DC power failure: shut down of switch ie no calls, registration possible. AC failure: no registration, outgoing calls ok, no communication. Other columns as above. DC and AC have two feeds, so some redundancy.
1.3.3 Fire: Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller. Other columns as above.
1.3.4 Vandalism: Worst case - possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller. Other columns as above.
1.3.5 Terrorism: As above.

1.4 Routing Server failure
1.4.1 Power outage: Unable to register. Duplicated on auto start-up. Other columns as above.
1.4.2 Hardware failure: As above.
1.4.3 Software failure: As above.

1.5 Management server failure
1.5.1: Signallers unable to log on or record new message. Other columns as above.

1.6 GSC failure
1.6.1 Hardware failure: No calls or messages possible between drivers and signallers. Other columns as above. Call routing not possible ie no call functionality to the signaller. Duration and failure rate: speak to Paul Strachan.

2. GSM-R GB
2.1 ELDA failure
2.1.1 Routing server: Signaller would be made aware whilst recording new messages. Immediate failure. Rob to confirm.
2.1.2 TD.Net, TD.Bridge failure: Gradual failure over time as data becomes out of date. Misrouted calls eg calls going to the nominated and not the controlling signaller.

2.2 IMUX failure
2.2.1 Hardware failure: Warning on fixed terminal. Future: log out after 20 mins. Up to 15 fixed terminals will lose their function, which may not be in the same signal box ie loss of call functionality. Possibility of role sharing with another signaller. Depends on diversity of FTs fed. Other columns as above. Depends where the IMUX is based in terms of single or multi panel signal box functionality. Rob to investigate.

2.3 ISDN failure
2.3.1 Hardware failure: 1 terminal failure. Share role with another signaller in the same box. 1 signaller's position. Other columns as above. Only available in a multi panel signal box. Are there any single points of failure for multiple fixed terminals?

2.4 Fixed terminal failure
2.4.1 Touch screen unit failure: Blank screen/non-responsive screen. 1 terminal failure. Share role with another signaller in the same box. 1 signaller's position. Other columns as above. Only available in a multi panel signal box. Are there any single points of failure for multiple fixed terminals?
2.4.2 Audio module failure: Signaller cannot be heard/hear. May impact communications if both hands-free and handset fail. Use other mode. 1 signaller's position. Other columns as above.
2.4.3 NTBA box failure: As 2.2. Similar to IMUX failure but would only affect 1 terminal. Share role with another signaller in the same box. 1 signaller's position. Other columns as above. Recovery is dependent on single or multi panel signal box.

2.5 Signal box power failure
2.5.1: Blank screen. All terminals in signal box will fail. UPS would provide backup. 1 signaller's position. Other columns as above. Dependent on single or multi panel signal box.

2.6 GSC failure
2.6.1 Hardware failure: Failure on demand, driver unaware. Registration possible, but no calls can be made between drivers and signallers. Existing calls will be dropped. Driver initiated REC will stop trains, but the signaller will not be aware. Signaller initiated REC will not stop trains. Attempts will be made to get it fixed. If total failure, the system at Stoke may be used.
Other columns as above. Check with tech (1st floor) or Rob to check whether all signal boxes are connected to a UPS.

E.4 On-board train equipment

Columns recorded for each item: Observation; Cause of failure; Sub-cause of failure; Distinction; Impact of failure; Recovery; Geographical size of failure; Duration of failure; Failure rate; Influences; Notes.

1. Searching networks please wait
1.1 Broken antenna
1.1.1 Loose connector: Driver checks other cab radio - if functional, fault is identified. Most likely a network failure if both do not function. No functionality. Can pre-register. None - fault reported. 1 cab radio. Throughout service for 1 cab. Awaiting reliability figures. Identified at any point in the journey.
1.1.2 Degradation: As above.

2. Blank
2.1 DCP failure
2.1.1 Loss of connection between DCP and radio unit: No screen at power up. No call functionality as buttons will not work. 1 cab. Contact Brian Sowbry at Siemens. Identified at any point in the journey.
2.2 Loss of connection
2.2.1 Lack of power to screen, hardware fault: No screen at power up. 1 cab. As above.
2.3 Loss of power
2.3.1 Lack of power to screen: No screen at power up. Call functionality available although screen remains blank and unable to tell who is calling. No call functionality. Contact Brian Sowbry at Siemens. UPS will take over if available. 1 cab. Other columns as above.
2.3.2 MCB failure: MCB switch set to off. No call functionality until reset. Driver resets. 1 cab. Other columns as above.
2.4 Screen failure
2.4.1 Hardware fault: No screen at power up. 1 cab. Other columns as above.
2.5 Driver key/cab active
2.5.1 Loose connection: None. Call functionality available although screen remains blank and unable to tell who is calling. No functionality. Alternative method to power up radio (not commonly known). 1 cab. Other columns as above.
2.5.2 Hardware failure: None. No functionality. Alternative method to power up radio (not commonly known). 1 cab. Other columns as above.
2.5.3 Faulty key switching arrangement: None. No functionality. Alternative method to power up radio (not commonly known). 1 cab. Other columns as above.

3. Warning (fault)
3.1 See Appendix R NRCR HMI Design spec. (Siemens)
3.1.1 Various: Unique fault code. No critical functionality loss. Fault is logged and service is continued. 1 cab. No actual failure. n/a. As above. Ask Ed for the 'SIM card incomplete' fault code and warning 02.

4. Failure
4.1 See Appendix R NRCR HMI Design spec. (Siemens)
4.1.1 Various: Unique fault code. No call functionality. None during service. 1 cab. Throughout service. Can happen at start or mid-journey.

5. Cab radio flt
5.1 Communications failure between DCP and cab radio unit
5.1.1 Single fault message: No functionality - could receive REC, but no outgoing calls. None during service. 1 cab. Throughout service. Contact Brian Sowbry at Siemens.

6. Battery low
6.1 See 3.1
6.1.1

7. EPROM/RAM flt
7.1 See 5.1
7.1.1

8. MT fatal
8.1 Brick fault
8.1.1: No functionality. Reboot by driver or self-reboot may overcome this error. Failure in both cabs (if shared brick). Throughout service.

9. GSM-R GB
9.1 Screen freeze
9.1.1 Screen failure: No functionality when calls are attempted and screen does not change. Speak to Siemens. Reset may fix it. 1 cab.
9.2 Handset failure
9.2.1 PTT failure: Could hear messages but cannot be heard, or vice versa. Only affects RECs. Handset test. 1 cab.
9.2.2 Pickup failure: Could hear messages but cannot be heard, or vice versa. Affects all calls. Handset test. 1 cab. As above.
9.2.3 Speaker failure: Difficult to hear/cannot hear. Volume dropped on loudspeaker; handset speaker does not work, so may not be able to hear calls coming through. Handset test. 1 cab. As above.
9.2.4 Cradle switch failure: Cannot hear loudspeaker. May not be aware of calls coming through as all are directed to the handset. Handset test. 1 cab. As above.
9.3 DSD connector failure
9.3.1 Loose connection: Maintenance testing. If the driver is incapacitated, it will not be detected. 1 cab. As above.
9.3.2 Hardware failure: Maintenance testing. If the driver is incapacitated, it will not be detected. 1 cab. As above.
9.4 PA connector failure
9.4.1 Loose connection: Failure on demand. PA not available (signaller). PA menu test. 1 cab. Throughout service. As above.
9.4.2 Hardware failure: Failure on demand. PA not available (signaller). PA menu test. 1 cab. Throughout service. As above.
Additional entries for 9.1-9.4: Contact Brian Sowbry at Siemens. Throughout service. As above. Can happen at start or mid-journey.
9.5 DCP stuck buttons
9.5.1 Lack of maintenance, wear and tear: Failure on demand. Depends on button concerned. Alternative means of contacting signaller ie try other buttons (yellow, red, call signaller, phonebook), go to other cab. 1 cab. As above.

Appendix F Call success probabilities

The availability, coverage and effectiveness calculations are contained within the risk model developed for the study (safety disbenefit model v4.12.xls).
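The tables in F.1 to F.4 print the inputs (availability, and coverage and effectiveness for the broadcasting and receiving legs) and the resulting call success probability, but not the rule that combines them. The Python below is an added worked example; it is not the report's own risk model (safety disbenefit model v4.12.xls) and not code from the study team. It reconstructs the combination as availability multiplied by an equal weighting of the two legs, taking the weighting from the 50% initiate/receive assumption in I.1, and reproduces every value in F.1 to F.4 to within 0.001 (the printed inputs are themselves rounded to four decimals). The equal weighting is an inference from the tabulated values, not a statement the report makes. The Intercity rows of F.1 are embedded as the sample input; the reduced-speed rows repeat the same inputs, since speed enters the consequence model rather than the call model.

```python
"""Reconstruction of the call success probability (CSP) tabulated in Appendix F.

Added example, not the report's model. The combining rule is inferred:
  CSP = A * [p * (Cb * Eb) + (1 - p) * (Cr * Er)]
with p = 0.5, the assumption (I.1) that the affected cab is equally likely to
be the party broadcasting or the party receiving an urgent call.
"""
from dataclasses import dataclass

P_BROADCAST = 0.5  # assumption I.1: 50% chance the affected cab initiates the call


@dataclass(frozen=True)
class Scenario:
    name: str
    availability: float        # A
    bcast_coverage: float      # Cb
    bcast_effectiveness: float # Eb
    recv_coverage: float       # Cr
    recv_effectiveness: float  # Er

    def call_success_probability(self, p_broadcast: float = P_BROADCAST) -> float:
        """A * [p * Cb * Eb + (1 - p) * Cr * Er]; inferred rule, see module docstring."""
        broadcast = self.bcast_coverage * self.bcast_effectiveness
        receive = self.recv_coverage * self.recv_effectiveness
        return self.availability * (p_broadcast * broadcast + (1.0 - p_broadcast) * receive)


# Intercity, normal speed, copied from table F.1 (CSP column omitted: it is what we recompute).
INTERCITY_F1 = [
    Scenario("GSM-R cab mobile - base case (as per NRN)", 0.9999, 1.0000, 0.9447, 1.0000, 0.9603),
    Scenario("No radio",                                  0.0000, 1.0000, 0.0000, 1.0000, 0.0000),
    Scenario("Unregistered radio",                        0.9999, 1.0000, 0.9338, 1.0000, 0.9411),
    Scenario("DSD/PA link unavailable",                   0.9999, 1.0000, 0.9447, 1.0000, 0.9603),
    Scenario("Driver:Driver communication only",          0.9998, 1.0000, 0.4254, 1.0000, 0.8320),
    Scenario("GSM-R registered handportable",             0.9900, 0.9650, 0.9439, 1.0000, 0.9603),
    Scenario("CSR",                                       0.9998, 1.0000, 0.9176, 1.0000, 0.9073),
    Scenario("NRN",                                       0.9994, 0.9000, 0.8910, 1.0000, 0.8761),
]
# CSP column of F.1 for the same rows, in the same order.
TABULATED_F1 = [0.952, 0.000, 0.937, 0.952, 0.629, 0.926, 0.912, 0.839]


def csp_table(scenarios) -> dict:
    """Recomputed CSP per scenario, rounded to the table's three decimals."""
    return {s.name: round(s.call_success_probability(), 3) for s in scenarios}


def max_deviation(scenarios, tabulated) -> float:
    """Largest absolute gap between recomputed and printed CSP; a check that the
    inferred rule really does reproduce the appendix."""
    return max(abs(s.call_success_probability() - t) for s, t in zip(scenarios, tabulated))


def loss_vs_base(scenarios, base_name="GSM-R cab mobile - base case (as per NRN)") -> dict:
    """CSP lost per scenario relative to the base case, the quantity the safety
    benefit comparison in Appendix K ultimately rests on."""
    base = next(s for s in scenarios if s.name == base_name).call_success_probability()
    return {s.name: round(base - s.call_success_probability(), 3) for s in scenarios}


def weakest_leg(s: Scenario) -> str:
    """Which direction limits a scenario. Shows why 'Driver:Driver communication
    only' scores ~0.63 despite near-full availability: the broadcasting leg
    (the affected driver trying to reach a signaller) is what collapses."""
    broadcast = s.bcast_coverage * s.bcast_effectiveness
    receive = s.recv_coverage * s.recv_effectiveness
    return "broadcasting" if broadcast < receive else "receiving"


if __name__ == "__main__":
    for name, value in csp_table(INTERCITY_F1).items():
        print(f"{name:45s} {value:.3f}")
    print("max deviation from table F.1:", round(max_deviation(INTERCITY_F1, TABULATED_F1), 4))
    print("CSP lost vs base case:", loss_vs_base(INTERCITY_F1))
```

The one row that does not round identically is NRN (0.8385 recomputed against 0.839 printed), which is within the rounding of its four-decimal inputs; the check function therefore tests a tolerance rather than exact equality.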
F.1 Intercity train types

Speed            Consequence scenario                        Avail.  Broadcasting    Receiving       Call success
                                                                     cov.    eff.    cov.    eff.    probability
Normal           GSM-R cab mobile - base case (as per NRN)   0.9999  1.0000  0.9447  1.0000  0.9603  0.952
Normal           No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Normal           Unregistered radio                          0.9999  1.0000  0.9338  1.0000  0.9411  0.937
Normal           DSD/PA link unavailable                     0.9999  1.0000  0.9447  1.0000  0.9603  0.952
Normal           Driver:Driver communication only            0.9998  1.0000  0.4254  1.0000  0.8320  0.629
Normal           GSM-R registered handportable               0.9900  0.9650  0.9439  1.0000  0.9603  0.926
Normal           CSR                                         0.9998  1.0000  0.9176  1.0000  0.9073  0.912
Normal           NRN                                         0.9994  0.9000  0.8910  1.0000  0.8761  0.839
Reduced (60mph)  No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Reduced (60mph)  Unregistered radio                          0.9999  1.0000  0.9338  1.0000  0.9411  0.937
Reduced (60mph)  DSD/PA link unavailable                     0.9999  1.0000  0.9447  1.0000  0.9603  0.952
Reduced (60mph)  Driver:Driver communication only            0.9998  1.0000  0.4254  1.0000  0.8320  0.629

F.2 Suburban train types

Speed            Consequence scenario                        Avail.  Broadcasting    Receiving       Call success
                                                                     cov.    eff.    cov.    eff.    probability
Normal           GSM-R cab mobile - base case (as per NRN)   0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Normal           No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Normal           Unregistered radio                          0.9999  1.0000  0.9383  1.0000  0.9435  0.941
Normal           DSD/PA link unavailable                     0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Normal           Driver:Driver communication only            0.9998  1.0000  0.4265  1.0000  0.8342  0.630
Normal           GSM-R registered handportable               0.9900  0.9650  0.9484  1.0000  0.9628  0.930
Normal           CSR                                         0.9998  1.0000  0.9237  1.0000  0.9128  0.918
Normal           NRN                                         0.9994  0.9000  0.8971  1.0000  0.8821  0.844
Reduced (60mph)  No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Reduced (60mph)  Unregistered radio                          0.9999  1.0000  0.9383  1.0000  0.9435  0.941
Reduced (60mph)  DSD/PA link unavailable                     0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Reduced (60mph)  Driver:Driver communication only            0.9998  1.0000  0.4265  1.0000  0.8342  0.630

F.3 Suburban DOO(P) train types

Speed            Consequence scenario                        Avail.  Broadcasting    Receiving       Call success
                                                                     cov.    eff.    cov.    eff.    probability
Normal           GSM-R cab mobile - base case (as per NRN)   0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Normal           No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Normal           Unregistered radio                          0.9999  1.0000  0.9383  1.0000  0.9435  0.941
Normal           DSD/PA link unavailable                     0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Normal           Driver:Driver communication only            0.9998  1.0000  0.4265  1.0000  0.8342  0.630
Normal           GSM-R registered handportable               0.9900  0.9650  0.9484  1.0000  0.9628  0.930
Normal           CSR                                         0.9998  1.0000  0.9237  1.0000  0.9128  0.918
Normal           NRN                                         0.9994  0.9000  0.8971  1.0000  0.8821  0.844
Reduced (60mph)  No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Reduced (60mph)  Unregistered radio                          0.9999  1.0000  0.9383  1.0000  0.9435  0.941
Reduced (60mph)  DSD/PA link unavailable                     0.9999  1.0000  0.9493  1.0000  0.9628  0.956
Reduced (60mph)  Driver:Driver communication only            0.9998  1.0000  0.4265  1.0000  0.8342  0.630

F.4 Freight train types

Speed            Consequence scenario                        Avail.  Broadcasting    Receiving       Call success
                                                                     cov.    eff.    cov.    eff.    probability
Normal           GSM-R cab mobile - base case (as per NRN)   0.9999  1.0000  0.8604  1.0000  0.9302  0.895
Normal           No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Normal           Unregistered radio                          0.9999  1.0000  0.8270  1.0000  0.9118  0.869
Normal           DSD/PA link unavailable                     0.9999  1.0000  0.8604  1.0000  0.9302  0.895
Normal           Driver:Driver communication only            0.9998  1.0000  0.4120  1.0000  0.8057  0.609
Normal           GSM-R registered handportable               0.9900  0.9650  0.8578  1.0000  0.9302  0.870
Normal           CSR                                         0.9998  1.0000  0.7591  1.0000  0.7322  0.745
Normal           NRN                                         0.9994  0.9000  0.6777  1.0000  0.6723  0.641
Reduced (60mph)  No radio                                    0.0000  1.0000  0.0000  1.0000  0.0000  0.000
Reduced (60mph)  Unregistered radio                          0.9999  1.0000  0.8270  1.0000  0.9118  0.869
Reduced (60mph)  DSD/PA link unavailable                     0.9999  1.0000  0.8604  1.0000  0.9302  0.895
Reduced (60mph)  Driver:Driver communication only            0.9998  1.0000  0.4120  1.0000  0.8057  0.609

Appendix G Functional loss scenarios

These functional loss scenarios were identified following the completion of the workshops.

Functional loss scenario: Single cab radio
  Consequence: No radio (receiving and broadcasting).
  Scope: One cab.

Functional loss scenario: Small radio network failure
  Consequence: No radio (receiving and broadcasting).
  Scope: All trains passing through a small section of the network. Assumed to be the equivalent of a BTS outage.

Functional loss scenario: Medium radio network failure
  Consequence: No radio (receiving and broadcasting).
  Scope: All trains passing through a medium section of the network. Assumed to be the equivalent of a BSC outage.

Functional loss scenario: Large radio network failure
  Consequence: No radio (receiving and broadcasting).
  Scope: All cabs. Assumed to occur if Stoke and Didcot are not working.

Functional loss scenario: Single unregistered cab radio - temporary
  Consequence: Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works.
  Scope: Assumed to be one cell for one cab (radio correlated on reaching new cell).

Functional loss scenario: Single unregistered cab radio - permanent
  Consequence: Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works.
  Scope: All journeys for one cab.

Functional loss scenario: Multiple uncorrelated cab radios (TD.net outage)
  Consequence: Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works.
  Scope: All cabs.

Functional loss scenario: Multiple uncorrelated cab radios (TD feed outage)
  Consequence: Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works.
  Scope: All cabs through the affected signaller's area.

Functional loss scenario: DSD/PA link unavailable
  Consequence: Cab radio functions but signaller cannot use PA on-board train. DSD alarm not received by signaller.
  Scope: One cab.

Functional loss scenario: Single radio terminal failure
  Consequence: Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver, as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work.
  Scope: All cabs through the affected signaller's area.

Functional loss scenario: Multiple radio terminal failure
  Consequence: Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver, as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work.
  Scope: All cabs through the affected signallers' areas. Assumed to affect 15 signallers.

Functional loss scenario: Driver:driver communication only
  Consequence: Cab radio functions but no communication available to any signaller via radio. Driver initiated REC works but recovery is slower. SPTs still work.
  Scope: All cabs through the affected areas.

Appendix H Mapping of operational delay to functional losses

Functionality loss scenario                  0 Continue   1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                             in service   trains    transportable  speed      reduced speed
Single cab failure                           A, G         A, B      A, C, G        A, D, G    A, D, G
Small network failure (BTS outage)           A, G         A, E      A, G           A, D, G    A, D, G
Medium network failure (BSC outage)          A, G         A, E      A, G           A, D, G    A, D, G
Large network failure (total outage)         A, G         A, B      A, G           A, D, G    A, D, G
Single unregistered cab - temporary          F            B, F      F              D, F       F
Single unregistered cab - permanent          F            B, F      F              D, F       F
Multiple uncorrelated cab (TD.net outage)    F            B, F      F              D, F       D, F
Multiple uncorrelated cab (TD feed outage)   F            E, F      F              D, F       D, F
DSD/PA link unavailable                      G            B, G      G              D, G       D, G
Single terminal failure                      G, H         E, G, H   G, H           D, G, H    D, G, H
Multiple terminal failure                    G, H         E, G, H   G, H           D, G, H    D, G, H
Driver:driver communication only*            G            B, G      G              D, G       D, G

*Does not affect calls from SPTs.

Where:
A. Delays are accrued in the event that a radio is required to help ease other operational disruptions, eg stop at signal/failed signalling but no radio is available on-board the train.
B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys.
Part cancellation assumed to be 25 equivalent delay minutes. Full cancellation assumed to be 50 equivalent delay minutes.
C. Delays accrued to obtain a hand/transportable.
D. Delays accrued from running at reduced speed.
E. Part cancellation of trains through a particular section.
F. Delays from rerouting the call; the initial call goes to the nominated rather than the controlling signaller.
G. Delays from the signaller not being able to contact a member of on-board staff.
H. Delays from the driver not being able to contact the controlling signaller at all.

Appendix I Modelling assumptions

The following assumptions were included in the risk modelling.

I.1 Philosophical assumptions

• SPTs are available at every signal; the average distance between signals (and therefore between SPTs) is 0.66 miles.
• The type of train detection does not impact the frequency or consequences of GSM-R radio failure.
• Only one approaching train is at risk of hitting the wreckage of a previous accident.
• 50% likelihood of the driver of an affected cab radio being the one to initiate a REC or call. Similarly, 50% likelihood of the driver of an affected cab radio being the one to receive a REC or call.
• The train broadcasting a REC is stationary (this is a simplification for the calculations).
• In-cab radio is Siemens version 2.
• The same network signal strength is needed for both red and yellow button calls.
• Cab/network faults occur halfway through the operating day, halfway through the current journey.
• Network problems are fixed at the end of the day.
• There is always a rolling stock technician at each available location in order to install a transportable.
• Reduction in speed only benefits passenger/ECS trains ie not freight (as the average freight speed is below the reduced speed limit, taken to be 60mph).
• Reduction in speed only benefits hazard events where speed is considered a factor in the consequences ie it includes derailments and collisions but not train fires, explosions etc. The effect of the speed reduction is based on the average speed before the reduction relative to the average speed after the reduction (as estimated from timetable analysis).
• When using an unregistered cab radio, the radio does not mitigate against collisions/derailments due to miscommunication.
• If the cab radio is unregistered the DSD and PA link still works.
• Part/full cancellation of trains does not incur reactionary delays.
• Each train service type model is made up of only trains of the same type.
• The strength of signal from a BTS decays at a rate proportional to the inverse square of the distance from the BTS.
• Response 3 (hand/transportable) uses the results (availability and coverage) of the NRN study [Ref: 2] for a GSM-R registered handportable.
• The number of hours before a speed restriction is put in place (response 5, delayed reduced speed) is 4 hours.
• The knock-on risk from delays such as overcrowding at stations, passenger loadings on trains and assaults has not been included in the assessment, as a simplification (timescales of the project) and due to uncertainty in previous estimates for other projects.
• Cancelling a train removes all risk from that train.

I.2 Numerical assumptions

These are based on both data (D) and expert judgement (E).

• Part cancellation is taken to be 25 equivalent delay minutes. Full cancellation is taken to be 50 equivalent delay minutes.
• There are 2380 BTS and 9 BSC on the GSM-R network (D).
• There are 673 signallers working at any one time (taken from the number of terminals) (D).
• The average distance of track covered by a signaller is 23km (the average track km per signaller) (D).
• The probability that a driver initiated yellow button call goes to the wrong signaller is 0.1 (E); this is considered conservative.
• The probability that the train latches onto the wrong base station is 0.02 (E).
• The times to contact signallers agreed for the NRN study [Ref: 2] equally apply and in addition:
  • It takes 30 minutes for help to arrive via a single line (E).
  • It takes 5 minutes to receive and set up a hand/transportable at an available station (E).
  • It takes an additional 2 minutes to contact a signaller via an SPT or platform phone (E).
• Reactionary delay is 3 times the primary delay (D).
• There are 31,073,000 track metres (D).
• 488,217,472 passenger train km, 45,839,064 freight train km, 22,379,000 ECS train km (D).
• The proportion of track that is single track (weighted by train miles) is 0.069 (D).
• The rate at which a DOO(P) service has needed help via the PA link is once every 10 years (D).
• The additional safety benefit the DSD/PA link provides to the driver is 0.04 FWI/event (E).
• There are 18 operational hours per day, and 363.25 operational days per year (D).
• The value of preventing a fatality (VPF) is £1,763,000 per FWI (D).
• Driver reaction time to apply brakes is 5 seconds; the brake build-up time is 2 seconds (E).
• The minimum signal strength required for a cab mobile is -101dBm; the optimum strength for a cab mobile is -98dBm (D).
• The probability of the faulty cab being used to return the train to the maintenance depot is 0.5 (E).
• The number of signallers affected by a multiple terminal outage or TD.net feed problem is 15 (E).

I.3 Train type assumptions

These are based on both data (D) and expert judgement (E).
Assumption                                                       Intercity    Suburban    Suburban DOO(P)  Freight
Cost of delay (£/minute)                                         117 (D)      35 (D)      35 (D)           17 (D)
Distance between needs to contact the signaller (miles)          400 (E)      50 (E)      50 (E)           60 (E)
National journeys per day                                        2580 (D)     8302 (D)    8472 (D)         865 (D)
Journeys per day on a typical route                              127 (D)      144 (D)     144 (D)          10 (E)
Journeys per day per train set                                   4 (D/E)      14.4 (D/E)  14.4 (D/E)       2 (D/E)
Typical journey length (km)                                      169 (D)      58 (D)      60 (D)           66 (D)
Average journey length to next available location (km)           42 (D/E)     15 (D/E)    15 (D/E)         33 (E)
Average journey length to next suitable location (km)            23 (D/E)     8 (D/E)     8 (D/E)          33 (E)
Average journey length to maintenance depot (km)                 64 (D/E)     22 (D/E)    22 (D/E)         33 (E)

Appendix J Hazardous events mitigated by GSM-R radio

This appendix lists the hazardous events modelled in the Safety Risk Model version 7 [Ref: 20] that are considered to be partially mitigated by GSM-R radio.

HET-01 Collision between two passenger trains resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF
HET-02 Collision between a passenger train and non-passenger train resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF
HET-03 Collision between two non-passenger trains resulting from a: non-passenger train Cat A SPAD; runaway train; misrouted train; or WSF
HET-04 Collision of train with object (not resulting in derailment)
HET-10 Passenger train collision with road vehicle on level crossing
HET-11 Non-passenger train collision with road vehicle on level crossing
HET-12 Derailment of passenger train
HET-13 Derailment of non-passenger train
HET-17 Fire on passenger train
HEM-01 Passenger injury during evacuation following stopped train (not at a platform)
HEM-12 MOP (trespasser) struck/crushed by train while on tracks at station
HEM-14 Workforce (not infrastructure worker) struck/crushed by train
HEM-25 MOP (trespasser) struck/crushed by train while on railway infrastructure not at station
HEN-13 Passenger fall from platform onto track (no electric shock nor struck by train)
HEN-67 MOP (non-trespasser) fall from platform onto track (no electric shock nor struck by train)

Appendix K Safety benefits

K.1 Safety benefits by functional loss scenario

The response options with the greatest safety benefit are highlighted in green.

K.1.1 Intercity train types

Safety benefit (£/event)

Functional loss                                     1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                                    trains    transportable  speed      reduced speed
Single cab radio failure                            1         2              5          3
Small radio network outage                          1         0              3          2
Medium radio network outage                         980       0              2,900      1,600
Large radio network outage                          3,700     0              11,000     6,200
Single unregistered cab radio - temporary           0         0              <1         0
Single unregistered cab radio - permanent           <1        >-1            1          0
Multiple uncorrelated cab radios (TD.net outage)    56        0              10,000     5,700
Multiple uncorrelated cab radios (TD feed outage)   1         0              230        130
DSD/PA link unavailable                             >-1       0              5          3
Single radio terminal failure                       5         0              42         23
Multiple radio terminal failure                     28        0              240        130
Driver:driver communications only                   1,300     0              11,000     5,900

K.1.2 Suburban train types

Safety benefit (£/event)

Functional loss                                     1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                                    trains    transportable  speed      reduced speed
Single cab radio failure                            2         2              3          2
Small radio network outage                          1         0              2          <1
Medium radio network outage                         290       0              420        230
Large radio network outage                          3,200     0              4,700      2,600
Single unregistered cab radio - temporary           0         0              <1         0
Single unregistered cab radio - permanent           <1        >-1            <1         0
Multiple uncorrelated cab radios (TD.net outage)    51        0              4,300      2,400
Multiple uncorrelated cab radios (TD feed outage)   1         0              97         54
DSD/PA link unavailable                             >-1       0              3          2
Single radio terminal failure                       5         0              20         11
Multiple radio terminal failure                     25        0              100        55
Driver:driver communications only                   1,100     0              4,500      2,500

K.1.3 Suburban DOO(P) train types

Safety benefit (£/event)

Functional loss                                     1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                                    trains    transportable  speed      reduced speed
Single cab radio failure                            2         2              7          5
Small radio network outage                          1         0              4          2
Medium radio network outage                         300       0              1,000      570
Large radio network outage                          3,300     0              11,000     6,300
Single unregistered cab radio - temporary           0         0              <1         0
Single unregistered cab radio - permanent           <1        >-1            <1         0
Multiple uncorrelated cab radios (TD.net outage)    51        0              11,000     6,100
Multiple uncorrelated cab radios (TD feed outage)   1         0              240        140
DSD/PA link unavailable                             >-1       >-1            6          5
Single radio terminal failure                       5         0              50         28
Multiple radio terminal failure                     27        0              250        140
Driver:driver communications only                   1,200     0              11,000     6,200

K.1.4 Freight train types

Safety benefit (£/event)

Functional loss                                     1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                                    trains    transportable  speed      reduced speed
Single cab radio failure                            <1        <1             0          0
Small radio network outage                          <1        0              0          0
Medium radio network outage                         500       0              0          0
Large radio network outage                          4,800     0              0          0
Single unregistered cab radio - temporary           0         0              0          0
Single unregistered cab radio - permanent           >-1       0              0          0
Multiple uncorrelated cab radios (TD.net outage)    140       0              0          0
Multiple uncorrelated cab radios (TD feed outage)   3         0              0          0
DSD/PA link unavailable                             0         0              0          0
Single radio terminal failure                       <1        0              0          0
Multiple radio terminal failure                     35        0              0          0
Driver:driver communications only                   1,500     0              0          0

K.2 Safety benefits by observation scenario

K.2.1 Intercity train types

Safety benefit (£/year)

Observation scenario            1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                trains    trans portable speed      reduced speed
Searching for networks          550       <1             1,700      920
GSM-R GB                        2,700     2,200          15,000     8,700
Blank screen                    130       140            470        270
Registration - lead driver      2         >-1            1,600      160
Registration - duplicate        2         >-1            290        160
Registration - PA               -20       0              470        270
Failure/fault                   820       890            3,100      1,800

K.2.2 Suburban train types

Safety benefit (£/year)

Observation scenario            1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                trains    transportable  speed      reduced speed
Searching for networks          450       <1             680        380
GSM-R GB                        3,300     2,600          7,600      5,000
Blank screen                    160       160            240        180
Registration - lead driver      2         >-1            580        68
Registration - duplicate        1         >-1            120        68
Registration - PA               -7        0              250        180
Failure/fault                   1,000     1,000          1,600      1,200

K.2.3 Suburban DOO(P) train types

Safety benefit (£/year)

Observation scenario            1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                trains    transportable  speed      reduced speed
Searching for networks          470       <1             1,600      910
GSM-R GB                        3,500     2,600          19,000     13,000
Blank screen                    170       160            600        440
Registration - lead driver      2         >-1            1,500      170
Registration - duplicate        1         >-1            310        170
Registration - PA               -1        -12            640        460
Failure/fault                   1,100     1,100          3,900      2,800

K.2.4 Freight train types

Safety benefit (£/year)

Observation scenario            1 Cancel  2 Hand/        3 Reduced  4 Delayed
                                trains    transportable  speed      reduced speed
Searching for networks          150       <1             0          0
GSM-R GB                        400       330            0          0
Blank screen                    10        20             0          0
Registration - lead driver      3         0              0          0
Registration - duplicate        4         0              0          0
Registration - PA               0         0              0          0
Failure/fault                   67        130            0          0

Appendix L Operational delays

The response options with the most operational delay are highlighted in red. The response options with the least operational delay are highlighted in green. Values are presented as costs. Negative values therefore represent an operational delay saving relative to the base case – continue in service.
L.1 Operational delay by functional scenario

L.1.1 Intercity train types
Operational delay (£/year)

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 22,000,000 | -600,000 | 160,000,000 | 92,000,000
Small radio network outage | 63,000,000 | 0 | 16,000,000 | 9,100,000
Medium radio network outage | 290,000 | 0 | 4,300,000 | 2,400,000
Large radio network outage | 1,000,000 | 0 | 2,800,000 | 1,600,000
Single unregistered cab radio temporary | 37,000,000 | 0 | 15,000,000 | 0
Single unregistered cab radio permanent | 2,900,000 | 140,000 | 4,600,000 | 0
Multiple uncorrelated cab radios (TD.net outage) | 1,100,000 | 0 | 2,800,000 | 1,500,000
Multiple uncorrelated cab radios (TD feed outage) | 1,100,000 | 0 | 6,200,000 | 3,400,000
DSD/PA link unavailable | 4,700,000 | 0 | 29,000,000 | 17,000,000
Single radio terminal failure | 22,000,000 | 0 | 38,000,000 | 21,000,000
Multiple radio terminal failure | 3,000,000 | 0 | 18,000,000 | 9,800,000
Driver:driver communications only | 270,000 | 0 | 730,000 | 400,000

L.1.2 Suburban train types
Operational delay (£/year)

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 21,000,000 | -5,700,000 | 38,000,000 | 27,000,000
Small radio network outage | 21,000,000 | 0 | 3,600,000 | 2,000,000
Medium radio network outage | 56,000 | 0 | 290,000 | 160,000
Large radio network outage | 220,000 | 0 | 540,000 | 300,000
Single unregistered cab radio temporary | 120,000,000 | 0 | 3,000,000 | 0
Single unregistered cab radio permanent | 3,200,000 | 34,000 | 300,000 | 0
Multiple uncorrelated cab radios (TD.net outage) | 290,000 | 0 | 540,000 | 300,000
Multiple uncorrelated cab radios (TD feed outage) | 270,000 | 0 | 1,200,000 | 660,000
DSD/PA link unavailable | 5,000,000 | 0 | 6,900,000 | 5,200,000
Single radio terminal failure | 6,200,000 | 0 | 8,300,000 | 4,600,000
Multiple radio terminal failure | 400,000 | 0 | 3,400,000 | 1,900,000
Driver:driver communications only | 61,000 | 0 | 140,000 | 78,000

L.1.3 Suburban DOO(P) train types
Operational delay (£/year)

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | -21,000,000 | 5,900,000 | -39,000,000 | -28,000,000
Small radio network outage | -21,000,000 | 0 | -3,600,000 | -2,000,000
Medium radio network outage | -78,000 | 0 | -290,000 | -160,000
Large radio network outage | -220,000 | 0 | -540,000 | -300,000
Single unregistered cab radio temporary | -110,000,000 | 0 | -3,000,000 | 0
Single unregistered cab radio permanent | -3,200,000 | -34,000 | -310,000 | 0
Multiple uncorrelated cab radios (TD.net outage) | -290,000 | 0 | -540,000 | -300,000
Multiple uncorrelated cab radios (TD feed outage) | -270,000 | 0 | -1,200,000 | -660,000
DSD/PA link unavailable | -5,000,000 | 0 | -7,100,000 | -5,300,000
Single radio terminal failure | -6,200,000 | 0 | -8,300,000 | -4,600,000
Multiple radio terminal failure | -400,000 | 0 | -3,400,000 | -1,900,000
Driver:driver communications only | -61,000 | 0 | -140,000 | -78,000

L.1.4 Freight train types
Operational delay (£/year)

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 620,000 | -17,000 | 0 | 0
Small radio network outage | 710,000 | 0 | 0 | 0
Medium radio network outage | 41,000 | 0 | 0 | 0
Large radio network outage | 120,000 | 0 | 0 | 0
Single unregistered cab radio temporary | 1,800,000 | 0 | 0 | 0
Single unregistered cab radio permanent | 210,000 | 21,000 | 0 | 0
Multiple uncorrelated cab radios (TD.net outage) | 140,000 | 0 | 0 | 0
Multiple uncorrelated cab radios (TD feed outage) | 140,000 | 0 | 0 | 0
DSD/PA link unavailable | 340,000 | 0 | 0 | 23,000
Single radio terminal failure | 230,000 | 0 | 0 | 0
Multiple radio terminal failure | 230,000 | 0 | 0 | 0
Driver:driver communications only | 31,000 | 0 | 0 | 0

L.2 Operational delay by observation scenario

L.2.1 Intercity train types
Operational delay (£/year)

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 64,000,000 | -3 | 23,000,000 | 13,000,000
GSM-R GB | 43,000,000 | -410,000 | 190,000,000 | 110,000,000
Blank screen | 910,000 | -25,000 | 6,600,000 | 3,900,000
Registration - lead driver | 41,000,000 | 130,000 | 24,000,000 | 2,500,000
Registration - duplicate | 1,100,000 | 2,300 | 4,600,000 | 2,500,000
Registration - PA | 1,200,000 | 0 | 7,300,000 | 4,300,000
Failure/fault | 6,000,000 | -170,000 | 43,000,000 | 25,000,000

L.2.2 Suburban train types
Operational delay (£/year)

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 21,000,000 | -33 | 4,400,000 | 2,500,000
GSM-R GB | 25,000,000 | -3,900,000 | 43,000,000 | 29,000,000
Blank screen | 870,000 | -240,000 | 1,600,000 | 1,100,000
Registration - lead driver | 120,000,000 | 34,000 | 4,100,000 | 480,000
Registration - duplicate | 330,000 | 580 | 870,000 | 480,000
Registration - PA | 1,300,000 | 0 | 1,700,000 | 1,300,000
Failure/fault | 5,700,000 | -1,600,000 | 10,000,000 | 7,500,000

L.2.3 Suburban DOO(P) train types
Operational delay (£/year)

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 21,000,000 | -34 | 4,400,000 | 2,500,000
GSM-R GB | 24,000,000 | -4,000,000 | 44,000,000 | 30,000,000
Blank screen | 860,000 | -250,000 | 1,600,000 | 1,200,000
Registration - lead driver | 120,000,000 | 34,000 | 4,100,000 | 480,000
Registration - duplicate | 330,000 | 580 | 870,000 | 480,000
Registration - PA | 1,300,000 | 0 | 1,800,000 | 1,300,000
Failure/fault | 5,600,000 | -1,600,000 | 11,000,000 | 7,700,000

L.2.4 Freight train types
Operational delay (£/year)

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | -870,000 | <1 | 0 | 0
GSM-R GB | -1,200,000 | -12,000 | 0 | -17,000
Blank screen | -26,000 | -730 | 0 | 0
Registration - lead driver | -2,200,000 | -21,000 | 0 | 0
Registration - duplicate | -140,000 | -360 | 0 | 0
Registration - PA | -85,000 | 0 | 0 | -5,700
Failure/fault | -170,000 | -4,800 | 0 | 0

Appendix M Functional loss scenario comparisons

M.1 Intercity train types

[Charts, not reproduced in text: one chart per functional loss scenario (Single cab radio failure, Small radio network outage, Medium radio network outage, Large radio network outage, Single unregistered cab radio - temporary, Single unregistered cab radio - permanent, Multiple uncorrelated cab radios (TD.net outage), Multiple uncorrelated cab radios (TD feed outage), PA unavailable, Single radio terminal failure, Multiple radio terminal failure, Driver:driver communications only), each plotting Operational benefit (£k/year) and Safety benefit (£k/year) for response options 1 to 4.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M.2 Suburban train types

[Charts, not reproduced in text: the same set of functional loss scenario charts as M.1, for suburban train types, plotting Operational benefit (£k/year) and Safety benefit (£k/year) for response options 1 to 4.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M.3 Suburban DOO train types

[Charts, not reproduced in text: the same set of functional loss scenario charts as M.1, for suburban DOO train types, plotting Operational benefit (£k/year) and Safety benefit (£k/year) for response options 1 to 4.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M.4 Freight train types

[Charts, not reproduced in text: the same set of functional loss scenario charts as M.1, for freight train types, plotting Operational benefit (£k/year) and Safety benefit (£k/year) for response options 1 to 4.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

Appendix N Observation scenario comparisons

N.1 Intercity train types

[Charts, not reproduced in text: one chart per observation scenario (Searching for networks, GSM-R GB, Blank screen, Registration - lead driver, Registration - duplicate, Registration - PA, Failure/fault), each plotting Operational benefit (£k/year) and Safety benefit (£k/year) for response options 1 to 4.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N.2 Suburban train types

[Charts, not reproduced in text: the same set of observation scenario charts as N.1, for suburban train types.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N.3 Suburban DOO(P) train types

[Charts, not reproduced in text: the same set of observation scenario charts as N.1, for suburban DOO(P) train types.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N.4 Freight train types

[Charts, not reproduced in text: the same set of observation scenario charts as N.1, for freight train types.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

Appendix O Benefit cost ratios

BCRs highlighted
in green are negative but show potential for safety benefits and operational delay savings. BCRs highlighted in red are negative but show potential for safety disbenefits as well as operational delay costs.

O.1 Functional loss scenarios

O.1.1 Intercity type trains
BCR

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
Small radio network outage | 1.2 x 10^-5 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Medium radio network outage | 7.2 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Large radio network outage | 1.3 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4
Single unregistered cab radio temporary | 0 | 0 | 1.3 x 10^-4 | 0
Single unregistered cab radio permanent | 4.3 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 0
Multiple uncorrelated cab radios (TD.net outage) | 1.8 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Multiple uncorrelated cab radios (TD feed outage) | 3.9 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
DSD/PA link unavailable | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Single radio terminal failure | 5.7 x 10^-5 | 0 | 2.7 x 10^-4 | 2.7 x 10^-4
Multiple radio terminal failure | 9.4 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Driver:driver communications only | 4.3 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4

O.1.2 Suburban train types
BCR

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4
Small radio network outage | 3.5 x 10^-5 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4
Medium radio network outage | 1.1 x 10^-3 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4
Large radio network outage | 5.1 x 10^-4 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4
Single unregistered cab radio temporary | 0 | 0 | 2.8 x 10^-4 | 0
Single unregistered cab radio permanent | 1.2 x 10^-7 | -1.1 x 10^-5 | 2.8 x 10^-4 | 0
Multiple uncorrelated cab radios (TD.net outage) | 6.2 x 10^-6 | 0 | 2.8 x 10^-4 | 2.8 x 10^-4
Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-5 | 0 | 2.8 x 10^-4 | 2.8 x 10^-4
DSD/PA link unavailable | -1.1 x 10^-5 | 0 | 2.8 x 10^-4 | 2.7 x 10^-4
Single radio terminal failure | 1.9 x 10^-4 | 0 | 5.8 x 10^-4 | 5.8 x 10^-4
Multiple radio terminal failure | 6.1 x 10^-4 | 0 | 2.9 x 10^-4 | 2.9 x 10^-4
Driver:driver communications only | 1.7 x 10^-4 | 0 | 2.9 x 10^-4 | 2.9 x 10^-4

O.1.3 Suburban-DOO(P) train types
BCR

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4
Small radio network outage | 3.6 x 10^-5 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4
Medium radio network outage | 8.2 x 10^-4 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4
Large radio network outage | 5.3 x 10^-4 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4
Single unregistered cab radio temporary | 0 | 0 | 7.1 x 10^-4 | 0
Single unregistered cab radio permanent | 1.2 x 10^-7 | -4.3 x 10^-5 | 7.1 x 10^-4 | 0
Multiple uncorrelated cab radios (TD.net outage) | 6.2 x 10^-6 | 0 | 7.1 x 10^-4 | 7.1 x 10^-4
Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-5 | 0 | 7.1 x 10^-4 | 7.1 x 10^-4
DSD/PA link unavailable | -1.6 x 10^-6 | 0 | 7.1 x 10^-4 | 6.9 x 10^-4
Single radio terminal failure | 2.1 x 10^-4 | 0 | 1.4 x 10^-3 | 1.4 x 10^-3
Multiple radio terminal failure | 6.7 x 10^-4 | 0 | 7.2 x 10^-4 | 7.2 x 10^-4
Driver:driver communications only | 1.8 x 10^-4 | 0 | 7.2 x 10^-4 | 7.2 x 10^-4

O.1.4 Freight train types
BCR

Functional loss | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Single cab radio failure | 7.9 x 10^-4 | -5.5 x 10^-2 | 0 | 0
Small radio network outage | 4.6 x 10^-5 | 0 | 0 | 0
Medium radio network outage | 2.6 x 10^-3 | 0 | 0 | 0
Large radio network outage | 1.4 x 10^-3 | 0 | 0 | 0
Single unregistered cab radio temporary | 0 | 0 | 0 | 0
Single unregistered cab radio permanent | -8.5 x 10^-6 | 0 | 0 | 0
Multiple uncorrelated cab radios (TD.net outage) | 3.6 x 10^-5 | 0 | 0 | 0
Multiple uncorrelated cab radios (TD feed outage) | 8.1 x 10^-5 | 0 | 0 | 0
DSD/PA link unavailable | 0 | 0 | 0 | 0
Single radio terminal failure | 4.5 x 10^-4 | 0 | 0 | 0
Multiple radio terminal failure | 1.5 x 10^-3 | 0 | 0 | 0
Driver:driver communications only | 4.6 x 10^-4 | 0 | 0 | 0

O.2 Observation scenarios

O.2.1 Intercity train types
BCR

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 1.7 x 10^-5 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
GSM-R GB | 1.3 x 10^-4 | -1.1 x 10^-2 | 1.6 x 10^-4 | 1.6 x 10^-4
Blank screen | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4
Registration - lead driver | 1.1 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4
Registration - duplicate | 2.8 x 10^-6 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4
Registration - PA | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4
Failure/fault | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4

O.2.2 Suburban train types
BCR

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 4.3 x 10^-5 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4
GSM-R GB | 2.7 x 10^-4 | -1.3 x 10^-3 | 3.6 x 10^-4 | 3.5 x 10^-4
Blank screen | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4
Registration - lead driver | 2.7 x 10^-8 | -1.1 x 10^-5 | 2.8 x 10^-4 | 2.8 x 10^-4
Registration - duplicate | 8.7 x 10^-6 | -1.1 x 10^-5 | 2.8 x 10^-4 | 2.8 x 10^-4
Registration - PA | -1.1 x 10^-5 | 0 | 2.8 x 10^-4 | 2.7 x 10^-4
Failure/fault | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4

O.2.3 Suburban DOO(P) train types
BCR

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 4.4 x 10^-5 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4
GSM-R GB | 2.9 x 10^-4 | -1.3 x 10^-3 | 8.7 x 10^-4 | 8.4 x 10^-4
Blank screen | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4
Registration - lead driver | 2.8 x 10^-8 | -4.3 x 10^-5 | 7.1 x 10^-4 | 7.1 x 10^-4
Registration - duplicate | 8.7 x 10^-6 | -4.3 x 10^-5 | 7.1 x 10^-4 | 7.1 x 10^-4
Registration - PA | -1.6 x 10^-6 | 0 | 7.1 x 10^-4 | 6.9 x 10^-4
Failure/fault | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4

O.2.4 Freight train types
BCR

Observation | 1 Cancel | 2 Hand/trans portable | 3 Reduced speed | 4 Delayed reduced speed
Searching for networks | 3.5 x 10^-4 | -5.5 x 10^-2 | 0 | 0
GSM-R GB | 6.8 x 10^-4 | -5.5 x 10^-2 | 0 | 0
Blank screen | 7.9 x 10^-4 | -5.5 x 10^-2 | 0 | 0
Registration - lead driver | 2.9 x 10^-6 | 0 | 0 | 0
Registration - duplicate | 5.6 x 10^-5 | 0 | 0 | 0
Registration - PA | 0 | 0 | 0 | 0
Failure/fault | 7.9 x 10^-4 | -5.5 x 10^-2 | 0 | 0

Appendix P Sensitivity analysis

P.1 The cost of delays

The assumed cost of delay per minute affects the disproportionality between safety benefits and operational delays. The average delay minutes were calculated from a sample of TRUST data (for 30 December 2011 – 1 January 2012, some 493,000 entries), and are shown in Table 10.

Table 10: Sensitivity of cost per delay minute (for cab radio defects and cancelling trains)

Train type | Average delay cost (£/minute) | Delay cost (£/minute) required to achieve an operational delay:safety benefit ratio of 10:1 | 5:1 | 1:1
Intercity | 117 | 0.05 | 0.03 | <0.01
Suburban | 35 | <0.01 | <0.01 | <0.01
Suburban DOO(P) | 35 | <0.01 | <0.01 | <0.01
Freight | 17 | 0.10 | 0.05 | 0.01

The costs per delay minute required to make the cost of operational delay a similar magnitude to the safety disbenefits (that is, to remove the grossly disproportionate argument) are significantly lower, and unrealistic. Therefore the conclusions are not considered to be sensitive to the assumed cost of delays.

P.2 The rate of reactionary delay incurred

The rate of reactionary delay was estimated from analysis completed for the REC risk assessment [Ref: 25]. For different locations, such as Cheddington, Dovey Junction, Clapham Junction and Strathclyde, the delays to the affected train (the source of the primary delay) were calculated relative to the delays incurred by following trains (the reactionary delay). For both Dovey Junction and Cheddington the reactionary delay was estimated to be equivalent to the primary delay. For Clapham Junction, the reactionary delay was estimated to be around three times the primary delay, whereas for Strathclyde it was estimated to be around nine times the primary. As such the mid value of three was taken for generating the risk assessment results, and sensitivity analysis was completed for reactionary delay being one and nine times the primary delay.
The sensitivity analysis shows that for intercity, suburban and suburban DOO(P) train types, continuing in service with a hand/transportable (response 3) or without (response 2) remains the best option in all cases. However, in locations where the reactionary delay could be nine times the primary, cancelling trains (response 1) offers some reduction in benefit over reduced speed (response 4) and delayed reduced speed (response 5) for some functional loss scenarios (such as single cab radio failures and large radio network outages). This is because no reactionary delay is assumed in the model where trains are partly or fully cancelled. Conversely, in locations where the reactionary delay could be equal to the primary, cancelling trains (response 1) appears worse for some functional loss scenarios than delayed reduced speed (response 5).

For freight train types the results are not particularly sensitive to reactionary delay. The exceptions are:

• single cab radio failures, for which, in areas of nine times reactionary delay, using a hand/transportable becomes the least operationally costly option
• multiple radio terminal failures and driver:driver communications only, for which, in areas of nine times reactionary delay, cancelling trains (response 1) becomes the most favourable response.

P.3 The version of the cab radio software

It was assumed at the start of the risk assessment study that the version of the cab radio software would be Siemens version 2. However, it may be some time before all existing users are upgraded to this version. One of the key differences of this version, compared to version 1E, is that the observation scenario Registration - duplicate is virtually eradicated. If version 1E were considered instead, this would change the frequency of cab radios not being able to register a journey, and increase the estimated cost per year due to GSM-R radio registration issues.
Although it changes the frequency, it does so for both the safety benefit and the operational delays, and as the error does not affect the consequences, it does not change the balance between the preferred response options.

P.4 The number of base transceiver stations (BTSs)

The initial design for the GSM-R system included the provision of 2380 BTSs. However, as rollout and commissioning is undertaken, this number may increase to improve network reliability. As such the risk assessment was also run with 3000 BTSs to account for the potential increase. The impact of more BTSs is a greater likelihood of a BTS failure, but now with lesser consequences, as the blackspots created by a failed BTS will be smaller. As such the change in risk is small and does not affect the conclusions of the study.

P.5 The number of registrations

The risk assessment was based on full GSM-R rollout for current levels of operations; that is, around 20,000 registrations (or train journeys) per day. However, once GSM-R rollout is complete the level of operations may have increased. To test the effects of this, the model was also run with a 25% increase in train journeys, and therefore registrations. The increase in registrations also gives a proportional increase in failed registrations, and in cab radios and trains affected by network failures. Thus in this sensitivity test the safety benefit increases for each of the response options considered. However, the operational delay associated with each response option also increases and, as before, where it was grossly disproportionate to the safety benefits it remains so. Therefore the conclusions of this study are not considered to be sensitive to the number of registrations.

P.6 How network signal fluctuations are observed by the driver

An initial assumption made during the development of the model was that when the cab radio loses the network signal it displays Searching for networks.
However, there is a transition period between losing the signal completely and the signal being too weak to make a call. In the latter case, the cab radio may still display GSM-R GB. It is unclear what proportion of instances where the signal is reduced will display GSM-R GB rather than Searching for networks. So sensitivity analysis has been carried out assuming that 50% and 90% of the time the cab radio may display GSM-R GB. The effect of this switch does not affect the overall conclusions about whether the response options considered are reasonably practicable. This is because both the safety benefit and the operational delays change in proportion with the change in frequency. However, what does change is that when GSM-R GB is displayed and the cab radio fails on demand, the likelihood of the cause being a cab radio defect is reduced (from 71% to 8% at the 50% split between GSM-R GB and Searching for networks, and to 5% at the 90% split). Therefore the display of GSM-R GB cannot be taken to indicate a cab defect without further diagnosis.

P.7 The GSM-R cab radio and network failure rates

There is a degree of uncertainty associated with the failure rates used to calculate both the risk and the operational delays. Where possible the rates were estimated from data recorded on routes already using GSM-R, or from design estimates. However, as more experience of the system is obtained these rates may change. Therefore sensitivity analysis was carried out for a +/- 10% change in cab radio failure rates and a +/- 10% change in network failure rates. As shown with previous sensitivity tests, this leads to proportionate changes in both safety benefit and operational delays for each of the response options considered.
Therefore, although the absolute levels of risk and operational delays change for each response option considered, where the costs of delays were grossly disproportionate to the safety benefit they remain so. Therefore the conclusions of this study with respect to response options are not considered to be affected by errors in the failure rates.
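The P.6 reasoning above, as an added worked illustration that is not part of the report: the relative event rates are assumptions back-calculated from the report's 71% and 8% figures (the report gives only the resulting proportions), and the function names p_cab_defect, implied_signal_loss_rate and defect_share_by_split are hypothetical. It shows why the same GSM-R GB display points to a different likely cause once the base rate of the competing cause (reduced signal shown as GSM-R GB) changes, and checks that the calibrated rate reproduces the 5% the report gives for the 90% split.

```python
"""Illustration of the P.6 sensitivity test: how often a cab radio that shows
GSM-R GB and then fails on demand is really a cab radio defect.

Added example, not taken from the report. The report gives only the resulting
proportions (71%, 8% at the 50% split, 5% at the 90% split); the relative
event rates below are constructed so that the model reproduces them.
"""

# Constructed relative event rates (assumptions, not figures from the report).
# They are normalised to the total of events that show GSM-R GB and then fail
# on demand when NO reduced-signal event is displayed as GSM-R GB.
CAB_DEFECT_RATE = 0.71   # cab radio defects showing GSM-R GB, then failing
OTHER_CAUSE_RATE = 0.29  # other non-signal causes showing GSM-R GB, then failing
REPORT_SPLITS = (0.0, 0.5, 0.9)  # share of reduced-signal events showing GSM-R GB


def p_cab_defect(cab_defect_rate, other_cause_rate, signal_loss_rate, share_showing_gb):
    """P(cab radio defect | display was GSM-R GB and the radio failed on demand).

    Reduced-signal events that stay on GSM-R GB (share_showing_gb of them) join
    the pool of failures seen with that display, diluting the share due to
    genuine cab radio defects.
    """
    gb_failures = cab_defect_rate + other_cause_rate + share_showing_gb * signal_loss_rate
    return cab_defect_rate / gb_failures


def implied_signal_loss_rate(p_no_split, p_at_split, split):
    """Back-solve the reduced-signal event rate from two published proportions.

    With rates normalised so that cab_defect + other = 1 and p_no_split the
    proportion at share 0, p_at_split = p_no_split / (1 + split * s), hence
    s = (p_no_split / p_at_split - 1) / split.
    """
    if not 0.0 < split <= 1.0 or p_at_split <= 0.0:
        raise ValueError("split must be in (0, 1] and the proportion positive")
    return (p_no_split / p_at_split - 1.0) / split


def defect_share_by_split(signal_loss_rate, splits=REPORT_SPLITS):
    """Whole-percent share of GSM-R GB failures due to a cab defect, per split."""
    return {
        split: round(100 * p_cab_defect(CAB_DEFECT_RATE, OTHER_CAUSE_RATE,
                                        signal_loss_rate, split))
        for split in splits
    }


if __name__ == "__main__":
    # Calibrate on the report's 71% -> 8% at the 50% split ...
    rate = implied_signal_loss_rate(0.71, 0.08, 0.5)
    # ... then check the same rate predicts the 5% given for the 90% split.
    for split, pct in defect_share_by_split(rate).items():
        print(f"{int(split * 100):>3}% of reduced-signal events show GSM-R GB "
              f"-> cab defect is the cause in about {pct}% of GSM-R GB failures")
```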