10 minute read
Combatting signalling failures
CLIVE KESSELL Combatting
SIGNALLING FAILURES
Signalling failures have always had the ability to cause delay to train services and, whilst modern signalling technology is designed to be more reliable, when failures do occur they can be much more significant as the systems are complex, often involving software as well as hardware components.
In such circumstances, the local technicians can struggle to understand the nature of the fault and to apply the right diagnostics. Technical support from specialists, often the original suppliers, has to be brought in to assist.
A recent failure of the Ansaldo system between Cheadle Hulme and Crewe lasted for three days, with the line being closed for that period. Network Rail was left with a large bill in compensation for the delay to trains. And, of course, passengers were badly inconvenienced, which didn’t help the ‘Putting Passengers First’ programme.
Rail Engineer has been following the progress of a system intended to minimise the effects of such failures and three previous articles have been published. Firstly in issue 129 (July 2015) when the project was known as COMPASS – Combined Positioning Alternative Signalling System, secondly in issue 155 (September 2017) when a new name – Degraded Mode Working System (DMWS) was introduced – and thirdly in issue 162 (April 2018), describing the results from a conceptual demonstration being tested on the Hertford Loop test track.
The results from the latter were deemed successful and Network Rail is proceeding with an operational trial between Castle Cary and Westbury on the West of England main line. Chris Fulford, who has been the lead engineer on the project for some time, gave a report of progress to the IRSE London & SE section recently and has since given more details to Rail Engineer.
Problems to be overcome
Signalling failures take many forms – loss of the signalling power supply, cable theft or damage, track circuit or axle counter failure, loss of communication between the interlocking and external equipment, component failures, control panel failures, plus several others. Some recent improvements to signalling reliability have already been made – the use of intelligent infrastructure, more resilient power supplies and better cable management.
However, failures still occur, and it can take a long time to set up current degraded mode working methods, now generally known as Emergency Special Working. The aim of DMWS is to reduce this time of, typically, three hours to 15-20 minutes.
The objective for DMWS is to independently monitor the position of points and the status of ground frames along a particular route, to disconnect these elements from the normal interlocking and, once satisfied that the track ahead is safe to proceed, to send an Authority to Move (AtM) to the driver for a specific distance ahead via the screen on the cab GSM-R radio.
Components required
For DMWS to work successfully, it will need a train-borne facility, an infrastructure element and robust instructions and procedures. All of these were demonstrated at the conceptual Hertford loop trial.
The train-borne equipment is relatively easy as DMWS facilities can be incorporated in the latest GSM-R mobile from Siemens – the V4 model, which already includes an LTE 4G capability and GPS, has considerable processing power within it. The rollout of this radio to all traction units was described in issue 172 (March 2019).
Building in the DMWS requirements is relatively straight forward, the only addition hardware being a GPS aerial on the train. Siemens is the sole supplier for the whole of the UK fleets and has the contract to develop software for DMWS.
The infrastructure elements are more complicated but will be designed to use as many COTS (commercial off the shelf) products as possible, with some bespoke software in the central equipment. At each location where signalling failures could cause massive disruption, trackside equipment, known as Inhibit Detect Repeat (IDR), will be provided. This will monitor the status and position of points and ground frame releases and, when activated, will disconnect the control of these elements from the local interlocking. The IDR also inhibits control of points and ground frames and will suppress TPWS transmitters in the affected area to avoid tripping the train.
A national central system will be equipped with COTS servers, PCs and the DMWS application software, which will be controlled by local DMWS workstations in the signalling centres.
To connect the subsystems together, use will be made of the GSM-R network, in combination with the FTNx IP-based digital transmission nationwide network.
Once initiated, DMWS will capture the GPS co-ordinates from the train in order that an AtM can be issued. Whilst GPS is not sufficiently accurate to determine which track a train is on, it is sufficiently accurate for DMWS, which only needs to show distance to go to the end of the AtM. GPS need not show a train’s track, as this would be known if the system fails and DMWS cannot change the lie of points.
Level crossings will not be monitored, so DMWS will not know their state. This must be conveyed to the system by the signaller, who will confirm the status. Once enabled, DMWS will transmit its outputs to RADAR (the intelligent infrastructure database), to SIEM (the security platform) and to the RDG train location system. SMS will be used for the sending and receiving of messages and commands with data being sent over GPRS.
Since GSM-R is an open system, an independent authentication and verification process is required to protect against cyber attacks.
How does it work?
When a signalling failure occurs, a train will be stopped at a red signal. If the area has the DMWS facility, the DMWS zone for its operation will be identified by the signaller. The appropriate zone will then be selected, which may have more than one block section and will include an overlap, the length of which is predetermined according to the foreseen risk.
Once satisfied that inputs from DMWS confirm the status of points or ground frames, the signaller will offer an AtM to the train, which is in the form of an electronic token to give the train permission to proceed from signal xxxx to signal yyyy, displayed on the GSM-R screen.
Before any movement takes place, the signaller and driver will have a voice conversation to confirm their mutual understanding. If in ETCS territory, marker board identifications will replace the signal numbers.
Once satisfied, the driver may proceed and the GSM-R screen will show a ‘distance to go’ countdown derived from the GPS position of the train. As the final signal is approached, an alert is given to the signaller so that the exit signal can be cleared. If that final signal shows a proceed aspect, then the train can continue without stopping.
For the first train through the DMWS section, a speed limit of 15mph over points and crossings will be imposed with a maximum speed of 50mph for subsequent trains. Should a train fail to stop at the end of the zone, assuming a red aspect is displayed, then TPWS will trip the train. If the train overruns an AtM limit within the zone, then this will be detected and the signaller and driver will receive an emergency alarm to stop the train.
Whilst the train TPWS equipment will remain active, there will be no active train stops in the DMWS zone. Readers who require greater detail should refer to the DMWS Demonstration article in issue 162.
It must be emphasised that DMWS is not an automated process, nor does it pretend to be an alternative signalling system. It will not make decisions, as these will only be taken by the driver and signaller in consultation with each other.
Approval, safety and security
As can be imagined, obtaining approval for the system will be a lengthy process. The Common Safety Method (CSM) will apply and an Assessment Body (AsBo) and Independent Safety Assessor (ISA) will be appointed. Suppliers must be ISO 9001 registered and system integrator and sub-system suppliers will need to provide a safety case.
Network Rail will manage the operational system assurance trials and will be assisted by Mott Macdonald and the internal Signalling Innovations Group to develop the design standards and practices.
The SIL has been determined from first principles and SIL2 will be the maximum required. In this, the connections to the point-operating and TPWS-suppression circuits are the most critical.
DMWS is nonetheless a signalling asset, so its integration into existing circuitry is within the same discipline. As such, the assets will be included in the Signalling Maintenance standards, likely to be a risk-based exercise but taking account of opportunities for remote condition monitoring and associated diagnostics.
In time, RSSB will produce a rail industry standard to define the interfaces between track and train, together with the requirements for the control system. Security monitoring will be required to protect, as far as reasonably possible, any intrusion from hackers or other external attempts to gain access.
DMWS is not seen as an interoperable system so Network Rail and the TOCs/ FOCs will apply their own safety management systems. The ORR is keeping a keen interest on developments.
Procurement
Since Network Rail is a public sector body, the procurement process has to be strictly governed, but an attempt to introduce a different contracting approach is being tried for the trackside equipment. One single supplier – Siemens – is being contracted for the train-borne equipment, as it already has the contract to supply the train radios on to which DMWS operations will be grafted.
Altran has already been chosen to be the system integrator and supplier of the central equipment. The partnership with others to provide an innovative solution is all important.
Network Rail will take on the Systems Authority role, but sub system suppliers will be the design authority for the prototypes.
Reflections, constraints and future prospects
The early aspirations in 2011 for the COMPASS project had to be scaled back, being regarded as ‘too far, too soon’. A system to see if trackside point monitoring could be achieved was planned for trial on the ECML in 2012, but, in the end, it did not take place. More focussed R&D work commenced with the DMWS feasibility study in 2015, followed by a system simulation and then the conceptual demonstration on the Hertford loop in 2018.
From these, the business case has been established with the intention of covering all operating scenarios, but with the requirement to use as much existing equipment as possible and avoidance of an over-engineered solution. An interim generic safety case was accepted in March 2019, with authority granted in June 2019 for the building of a prototype system together with the operational trial on the West of England route, expected to be brought into use towards the end of 2022.
DMWS applications are intended for lines equipped with track circuit block or ETCS but not for the remaining routes operated by absolute block or for single lines. It is assessed that 25 per cent of the rail infrastructure will be suitable and by default, 100 per cent of the trains will be equipped. It is estimated that DMWS will be used about 200 times per year, thus potentially saving many delay minutes and millions of pounds of consequential compensation payments.
The Castle Cary to Westbury trial will have limitations, as it cannot wait for a signalling failure to occur, nor is it likely to involve service trains. As such, test trains will be run at night on a scenario-based failure. An industry working group is established with trade union involvement, where human factor aspects will be allimportant. The reliability of DMWS will be key to ongoing deployment.
As to the future, one must perhaps look back to the COMPASS aspirations. Certainly, the monitoring of level crossings was envisaged, but this will not be pursued as either they work or an attendant is required. More significantly, the system was seen as being able to instruct a set of points to be moved if these were wrong for the route of the train. Since this would raise the SIL level, it would make the system unaffordable, so will not be pursued.
Finally, one cannot help but comment that 11 years from the original COMPASS concept to an operational trial is a very long time for something that is promoted as being simple to commission with very significant financial benefits. Admittedly, the first four years were pure R&D and only from 2015 has any serious work commenced.
It does make one wonder, however, whether all the planning, regulatory and safety requirements have become a minefield of bureaucracy and need to be streamlined.