RAIB: software caused Cambrian speed restriction failure
Software known as GEST, which is used to apply temporary speed restrictions on the European Rail Traffic Management System (ERTMS)-fitted Cambrian Coast Line, was the root cause of a failure to apply temporary speed restrictions on the line on October 19/20 2017.
The Rail Accident Investigation Branch (RAIB) has issued an interim report into an incident on October 20 2017, when a driver reported to his controlling signaller that the maximum permitted speed shown on his in-cab display was not taking temporary speed restrictions into account.
It had followed a reset of the signalling system at Machynlleth at 2300 on October 19, in which data relating to temporary speed restrictions failed to reload from the support system to the signalling control system.
The first three trains of October 20 passed the missing restrictions without any of their drivers reporting them. During attempts to apply the restrictions, the signalling system’s supplier (Ansaldo STS) advised a technician to ‘cleanse’ data from the signalling system, after which all temporary speed restriction data was re-entered into the system manually. No action was taken to download copies of the event log from the GEST system.
In its investigations into the cause of the incident, Ansaldo STS had to reverse-engineer the GEST system (developed in Spain for the Madrid to Lerida high-speed line some years before) to understand how it operates. It then constructed a replica system similar to that installed in the Machynlleth control centre, in a laboratory in France.
Engineers then ran different test scenarios in a bid to emulate the failure which occurred in Wales. The tests concluded that the cause of failure exists solely within the GEST system.
In August 2018, Ansaldo STS successfully re-created a condition which mimics the failure of October 19/20 2017. It is continuing to test for other similar failures, and to determine whether data generated by those simulated failures matches the data captured before the data ‘cleanse’.
With the investigation continuing, RAIB is considering: the degree of certainty that can be placed in Ansaldo STS’ initial findings; how the correct operation of GEST and its computer interfaces was monitored within the overall system, and why that monitoring did not detect the absence of temporary speed restriction data; and the data available to signalling staff indicating the loss of safety-critical data provided by the GEST terminal.
RAIB is also examining: how the system designers intended to manage the risk of losing data relating to temporary speed restrictions, and why the safety validation process did not identify this potential failure mode; whether European and industry standards adequately cover the management of interfaces with other systems; the loss of diagnostic data in safety-critical software systems; the reporting of such failures; lessons learned from previous similar incidents involving high-integrity software-based systems; and the circumstances resulting in the long-term retention of temporary speed restrictions and in some drivers not reporting their absence from the in-cab display.
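The two questions RAIB raises above, why monitoring did not detect that the restriction data had not reloaded, and why diagnostic data was lost before anyone looked at it, are the kind of failure a post-reset reconciliation check is meant to catch. The following is an added illustration written for this page; it is not code from RAIB, Ansaldo STS or the GEST system, and nothing about the real GEST data formats is known here. The record layout, field names, the `snapshot` callback and the sample restrictions are all constructed assumptions. It shows the general pattern: snapshot the evidence first, then compare the set of restrictions the support system believes it exported against the set the control system actually holds, and alarm on any shortfall, including the silent "everything is missing" case.

```python
"""Added example: reconcile temporary speed restriction (TSR) data across a
support system / control system boundary after a reset.  Not GEST code;
record format, field names and sample data are assumptions for illustration."""
from dataclasses import dataclass, asdict
import hashlib
import json


@dataclass(frozen=True)
class Tsr:
    tsr_id: str     # restriction identifier (assumed field)
    start_m: int    # start of restriction, metres along the line (assumed)
    end_m: int      # end of restriction, metres along the line (assumed)
    speed_kph: int  # permitted speed within the restriction (assumed)


def digest(tsrs):
    """Order-independent digest of a TSR set, so two systems can exchange a
    short fingerprint instead of full records to confirm they agree."""
    canon = sorted((t.tsr_id, t.start_m, t.end_m, t.speed_kph) for t in tsrs)
    return hashlib.sha256(json.dumps(canon).encode()).hexdigest()


def reconcile(support_side, control_side):
    """Compare the restrictions the support system exported with the ones the
    control system loaded.  Reports identifiers that are missing from the
    control side, unexpected on it, or present on both but with differing
    content, plus an overall 'consistent' verdict."""
    s = {t.tsr_id: t for t in support_side}
    c = {t.tsr_id: t for t in control_side}
    missing = sorted(set(s) - set(c))
    unexpected = sorted(set(c) - set(s))
    altered = sorted(k for k in set(s) & set(c) if s[k] != c[k])
    consistent = (not (missing or unexpected or altered)
                  and digest(support_side) == digest(control_side))
    return {"consistent": consistent, "missing": missing,
            "unexpected": unexpected, "altered": altered}


def post_reset_check(support_side, control_side, event_log, snapshot):
    """Post-reset monitor: (1) persist the event log and both TSR sets before
    anyone cleanses or re-enters data, so the evidence survives; (2) reconcile;
    (3) attach an alarm if the control side has lost restrictions.
    `snapshot` is a caller-supplied persistence callback (assumed interface)."""
    snapshot({"event_log": list(event_log),
              "support": [asdict(t) for t in support_side],
              "control": [asdict(t) for t in control_side]})
    result = reconcile(support_side, control_side)
    # A non-empty export met by an empty load is exactly the silent total
    # loss this check exists to detect; it must not look like "no TSRs today".
    if support_side and not control_side:
        result["alarm"] = "all TSRs absent after reload"
    elif result["missing"] or result["altered"]:
        result["alarm"] = "TSRs missing or altered after reload"
    return result


# Constructed sample data (not real Cambrian line restrictions).
SAMPLE_SUPPORT = [Tsr("T1", 1000, 1500, 40), Tsr("T2", 5200, 5600, 30)]
SAMPLE_EVENT_LOG = ["23:00 reset requested", "23:01 reload started"]

if __name__ == "__main__":
    evidence = []
    lost = post_reset_check(SAMPLE_SUPPORT, [], SAMPLE_EVENT_LOG, evidence.append)
    print("after failed reload:", lost)          # alarm: all TSRs absent
    ok = post_reset_check(SAMPLE_SUPPORT, list(SAMPLE_SUPPORT),
                          SAMPLE_EVENT_LOG, evidence.append)
    print("after good reload:", ok["consistent"])  # True
    print("evidence snapshots kept:", len(evidence))
```

The design point is ordering: the snapshot runs before reconciliation and before any operator action, so the diagnostic record exists whether or not the check passes, and an empty control-side set is treated as an alarm rather than as a legitimate "no restrictions" state.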
The final report will include recommendations to reduce the likelihood and/or consequences of similar events occurring in the future.