RAIB: software caused Cambrian speed restriction failure

Rail (UK) - News

Software known as GEST, which is used to apply speed restrictions on the European Rail Traffic Management System (ERTMS)-fitted Cambrian Coast Line, was the root cause of a failure to apply temporary speed restrictions on the line on October 19/20 2017.

The Rail Accident Investigation Branch (RAIB) has issued an interim report into an incident on October 20 2017, when a driver reported to his controlling signaller that the maximum permitted speed shown on his in-cab display was not taking temporary speed restrictions into account.

The incident followed a reset of the signalling system at Machynlleth at 2300 on October 19, during which data relating to temporary speed restrictions failed to reload from the support system to the signalling control system.

The first three trains of October 20 passed the missing restrictions without any drivers reporting them. During attempts to apply the restrictions, the signalling system's supplier (Ansaldo STS) advised a technician to 'cleanse' data from the signalling system, after which all temporary speed restriction data was manually re-entered. No action was taken to download copies of the event log from the GEST system before the cleanse.

In its investigations into the cause of the incident, Ansaldo STS had to reverse-engineer the GEST system (developed in Spain for the Madrid to Lerida high-speed line some years before) to understand how it operates. It then constructed a replica system similar to that installed in the Machynlleth control centre, in a laboratory in France.

Engineers then ran different test scenarios in a bid to emulate the failure which occurred in Wales. The tests concluded that the cause of failure exists solely within the GEST system.

In August 2018, Ansaldo STS successfully re-created a condition which mimics the failure of October 19/20 2017. It is continuing to test for other similar failures, and to determine whether data generated by those simulated failures matches the data captured before the data 'cleanse'.

With the investigation continuing, RAIB is considering the degree of certainty that can be placed in Ansaldo STS' initial findings; how the correct operation of GEST and its computer interfaces was monitored within the overall system, and why that monitoring did not detect the absence of temporary speed restriction data; and what information was available to signalling staff that indicated the loss of safety-critical data provided by the GEST terminal.
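The monitoring gap described above is, in design terms, the absence of a reconciliation step between the authoritative copy of the restrictions and what actually came back after the reset. The following is an added illustration, not code from the RAIB report, GEST or Ansaldo STS: a hypothetical post-reset gate that compares the support system's TSR set against the set loaded into the control system, writes an auditable log entry before anyone can act on the data, and refuses to return the system to service while any restriction is missing. The record layout, field names and sample restrictions are all constructed for the example and do not reflect the real ERTMS/GEST data model.

```python
"""Post-reset reconciliation of temporary speed restriction (TSR) data.

Hypothetical check (not the GEST/ERTMS implementation): after a signalling
reset, the TSRs actually present in the control system are compared against
the support system's authoritative copy, and the system is not declared fit
for service while any restriction is absent or altered.
"""
from dataclasses import dataclass, field
import hashlib
import json


@dataclass(frozen=True)
class TSR:
    """One temporary speed restriction (constructed layout, not the real format)."""
    tsr_id: str
    start_km: float
    end_km: float
    speed_kph: int


@dataclass
class ReconcileResult:
    missing: list = field(default_factory=list)     # in source, absent after reload
    altered: list = field(default_factory=list)     # present but values differ
    unexpected: list = field(default_factory=list)  # loaded but not in source
    source_digest: str = ""
    loaded_digest: str = ""

    @property
    def ok(self) -> bool:
        return not (self.missing or self.altered or self.unexpected)


def digest(records) -> str:
    """Order-independent fingerprint of a record set, suitable for the event log."""
    canon = json.dumps(sorted((r.tsr_id, r.start_km, r.end_km, r.speed_kph)
                              for r in records))
    return hashlib.sha256(canon.encode()).hexdigest()


def reconcile(source, loaded) -> ReconcileResult:
    """Diff the authoritative TSR set against what the control system now holds."""
    src = {r.tsr_id: r for r in source}
    ld = {r.tsr_id: r for r in loaded}
    res = ReconcileResult(source_digest=digest(source), loaded_digest=digest(loaded))
    for tsr_id, rec in src.items():
        if tsr_id not in ld:
            res.missing.append(tsr_id)
        elif ld[tsr_id] != rec:
            res.altered.append(tsr_id)
    res.missing.sort()
    res.altered.sort()
    res.unexpected = sorted(set(ld) - set(src))
    return res


def post_reset_check(source, loaded, event_log: list) -> bool:
    """Gate for returning the control system to service after a reset.

    The log entry is appended before the verdict is returned, so evidence of
    what was (or was not) loaded survives a later operator 'cleanse' of live data.
    """
    res = reconcile(source, loaded)
    event_log.append({
        "event": "tsr_reload_reconciliation",
        "ok": res.ok,
        "missing": res.missing,
        "altered": res.altered,
        "unexpected": res.unexpected,
        "source_digest": res.source_digest,
        "loaded_digest": res.loaded_digest,
    })
    return res.ok


# Constructed sample data: what the support system holds vs. what reloaded.
SUPPORT_SYSTEM_TSRS = [
    TSR("TSR-001", 12.4, 13.1, 40),
    TSR("TSR-002", 27.0, 27.8, 60),
    TSR("TSR-003", 55.2, 56.0, 30),
]
RELOADED_EMPTY = []                         # the failure mode: nothing came back
RELOADED_PARTIAL = SUPPORT_SYSTEM_TSRS[:2]  # one restriction silently dropped


def demo():
    """Run the gate against the three constructed reload outcomes."""
    log = []
    empty_ok = post_reset_check(SUPPORT_SYSTEM_TSRS, RELOADED_EMPTY, log)
    partial_ok = post_reset_check(SUPPORT_SYSTEM_TSRS, RELOADED_PARTIAL, log)
    full_ok = post_reset_check(SUPPORT_SYSTEM_TSRS, list(SUPPORT_SYSTEM_TSRS), log)
    return empty_ok, partial_ok, full_ok, log


if __name__ == "__main__":
    e, p, f, log = demo()
    print(f"empty reload accepted: {e}, partial: {p}, full: {f}")
    for entry in log:
        print(json.dumps(entry))
```

The point of the digests is that a single line in the event log records both what the support system held and what the control system accepted, so an investigator can establish the state at the moment of reset even if the live data is later wiped, which is the evidence RAIB notes was lost when no copy of the GEST event log was taken.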

RAIB is also examining: how system designers intended to manage the risk of loss of data relating to temporary speed restrictions, and why the safety validation process did not identify this potential failure mode; whether European and industry standards adequately cover the management of interfaces with other systems; the loss of diagnostic data in safety-critical software systems; the reporting of such failures; lessons learned from previous similar incidents involving high-integrity software-based systems; and the circumstances resulting in the long-term retention of temporary speed restrictions and in some drivers not reporting their absence from the in-cab display.

The final report will include recommendations to reduce the likelihood and/or consequences of similar events occurring in the future.
