NCN5 Issue 86 Risk assessment of GSM-R failures


Contents

Executive summary
1 Introduction
2 Objectives
3 Scope
4 Approach
  4.1 The nature of the decision
  4.2 Decision criteria
5 Risk assessment methodology
  5.1 Task 1: kick off meeting
  5.2 Task 2: review background information
  5.3 Task 3: investigate non-registered cab-radios
  5.4 Task 4: determine other functional failures and potential mitigations
  5.5 Task 5: risk assessment
6 Results
  6.1 Understanding the context of the safety benefits
  6.2 Understanding the causes and consequences of failures
  6.3 Understanding the safety benefit for each response option
  6.4 Understanding the operational delay for each response option
  6.5 Optimising the response
7 Discussion
  7.1 The definition of a defective GSM-R fixed cab radio
  7.2 What action should be taken if the fixed cab radio is defective?
  7.3 Can a train enter service if the registration fails?
  7.4 What action should be taken if the radio network fails?
8 Sensitivity analysis
9 Conclusions
10 Items for consideration
  10.1 Review of Railway Group Standards and other supporting documents
  10.2 Further analysis
  10.3 Further process mitigations for consideration
Appendix A Glossary
Appendix B Documents reviewed
Appendix C Workshop attendees
Appendix D Workshop guidewords
Appendix E Workshop outputs
Appendix F Call success probabilities
Appendix G Functional loss scenarios
Appendix H Mapping of operational delay to functional losses
Appendix I Modelling assumptions
Appendix J Hazardous events mitigated by GSM-R radio
Appendix K Safety benefits
Appendix L Operational delays
Appendix M Functional loss scenario comparisons
Appendix N Observation scenario comparisons
Appendix O Benefit cost ratios
Appendix P Sensitivity analysis

Issue record

Issue Date Comments

0 6 August 2012 Draft for internal comment

1 10 August 2012 Draft for steering group comment

2 24 September 2012 Incorporating steering group comments

3 9 October 2012 Amendment to tables in Appendix K


Executive summary

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

Therefore RSSB undertook a risk assessment study to examine what a failure is with respect to the GSM-R radio system, with the objective to inform proposals for changes to Railway Group Standards. Specifically the study considers:

• What is the definition of a defective cab radio?
• What actions should be taken if train fixed radio fails?
• Can a train enter service if it is unable to register (a journey)?
• What actions should be taken if the network fails?

This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting Railway Group Standards.

Approach and methodology

The approach follows the principles set out in Taking Safe Decisions [Ref: 29] and applies decision criteria based on benefit-cost ratios (BCRs) and changes in absolute risk levels. Positive BCRs with a value greater than or equal to one suggest that a measure is reasonably practicable.

The study was completed through document review and a series of workshops to identify the potential failure cases and associated impacts on the GSM-R system. This then fed into a safety and operational delay risk assessment. The safety risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 2012 study [Ref: 2], where the benefits of cab radio were assessed using the latest Safety Risk Model version 7 data [Ref: 20] and Call Success Probability. The risk assessment also considers four different train types: intercity, suburban, suburban driver only operation with passengers (DOO(P)) and freight.

The risk assessment considered five different response options:

0. Continue in service. Trains continue in service regardless of radio problems. This is considered to be the base case.

1. Cancel trains. Taking trains out of service when faced with either a cab radio or network failure.

2. Hand/transportable. As with response 2, but picking up a hand/transportable radio at the next available location.

3. Reduce speed. As with response 2, but trains travel at a reduced speed (taken to be 60mph).

4. Delayed reduced speed. As with response 4, but the speed limit is applied after four hours if the problem still exists.

Typically, the different observations seen by the driver on the cab radio do not map directly to distinct failures. That is, it is not always clear whether the issue lies with the cab radio or with the radio network. Therefore the risk assessment considers both the impacts for the functional losses (based on known causes of failure) and potential outcomes based on the driver’s observations (based on unknown causes of failure).


Results

The risk assessment identified the most likely functional loss scenario to be a single unregistered radio (temporary – that is, the cab radio eventually does register and correlate with the GSM-R system). However, the most likely observation (of failure) on the cab radio is Searching for networks or GSM-R GB (which most commonly occurs as a result of a small radio network failure and can affect multiple trains), followed by Registration failed – Lead Driver (which most commonly occurs as a result of a single unregistered cab radio).

For all the response options considered, except using hand/transportables (response 2), the operational delays significantly dominate the safety benefits. That is the positive BCRs calculated were significantly less than one.

What is the definition of a defective cab radio?

The analysis has shown that if a cab radio displays a ‘fatal’ fault code (such as Failure XX, MT fatal, Cab Radio Flt, EPROM/RAM Flt and not a warning, as defined in Ref 4) or a blank screen then it should be considered defective. Failing on demand when the display shows GSM-R GB or Searching for networks is most likely to be caused by a network issue, however if the problem persists for a particular cab radio throughout its journey and no fault can be found with the network it should be treated as a defective cab radio – for example the antenna could have detached. Not being able to register a journey is not considered to be a cab radio failure, as it still offers call and radio emergency call (REC) functionality.

What actions should be taken if a fixed cab radio fails?

The safety benefit attributed to GSM-R cab radio against a base case of no radio being available at all is about 1.7FWI/year, or the equivalent of around £0.40 per journey on average (based on the current VPF). Should a cab radio fail (see above), the BCRs calculated are significantly less than one for all the responses except continuing with a hand/transportable (response 2). That is, the delay costs associated with the measures are grossly disproportionate to the safety benefits when compared against the base case of continuing in service. It should be noted that this risk assessment has not considered the costs of providing hand/transportables.

These conclusions apply when the functional loss is known, and when it is unknown but assumed based on the driver’s observation to all train types (including DOO(P)).

Although it may be reasonable to continue in service with a defective radio, it does impact on both safety and operations. Therefore it is of interest to continue maintaining both radios and DSD/PA links to a working standard and reasonable to suggest that trains do not leave a maintenance depot with a defective radio.

Can a train enter service with an unregistered cab radio?

The safety disbenefit of all cab radios being unregistered (but with call and REC available) is estimated to be around 0.03FWI/year or around an average of £0.01 per journey (based on the current value of preventing a fatality (VPF)). The cost of taking a train out of service (response 1) or reducing its speed (responses 3 and 4) as a response to registration failure is far greater than the safety benefits (that is the BCRs are significantly less than one) making these options not reasonably practicable.


Network failure

The results from the risk analysis show that, as with the cab radio defects, the operational delays significantly dominate the safety benefits – the BCRs are significantly less than one. Cancelling trains (response 1) and running at reduced speed (responses 3 and 4) are not considered to be reasonably practicable. Provision of hand/transportable (response 2) in the case of network failure will offer no additional benefit over continuing in service, since the hand/transportable would also not work.

The response recommended on the basis of this risk assessment is to continue in service. However, GSM-R provides safety and operational benefits so should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits on the ‘continue in service’ option.

The conclusions are in general the same for all train types (including DOO(P)).

Overall conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example, persistent failure throughout its journey (with confirmation that the network is working).

For all the response options considered, ranging from continuing as normal regardless of no radio to cancelling trains the operational delays significantly dominate the safety benefits.

Continuing as normal (the base case) and continuing with the use of hand/transportables (response 2) minimise the operational delays but accrue a small amount of safety disbenefit. The other responses analysed are not considered to be reasonably practicable. The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits so it is important that equipment is properly maintained. It seems reasonable therefore to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types).

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry therefore needs to decide whether it is appropriate to impose limits or constraints on the ‘continue in service’ option.

The conclusions are considered robust to changes in the key assumptions.

Items for further consideration

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT3437 and Rail Industry Approved Code of Practice GO/RC3537 are reviewed with respect to the findings of this risk assessment, and appropriate proposals for change prepared.

The report also lists some areas for further investigation, relating to GSM-R failures.


1 Introduction

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

The Rule Book module TW5 [Ref: 33] states that a train should not enter service with a defective radio, or enter service from a depot with a defective public address (PA). GO/RT3437 [Ref: 22] requires each train operator to have in place a defective on-train equipment contingency plan, which describes the action to be taken if on-train equipment becomes defective when:

• Entering service either from a maintenance depot or from elsewhere
• Already in service

A workshop was held on 27 January 2011 to determine a way forward and establish principles for operational rules. Two actions arose from the workshop for RSSB to:

• Consider the degree to which these principles should be captured, possibly in the GSM-R Operational Concept.

• Develop proposals for changes to Railway Group Standards (RGS) to reflect these principles including in particular an understanding of the risk from running trains without REC functionality and extended running without registration.

Therefore RSSB undertook a study to examine what a failure is with respect to the GSM-R radio system and what action should be taken if it is deemed to have failed. This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting standards.

2 Objectives

The purpose of the study is, through the assessment of safety and operational risks, to produce proposals for changes to the Rule Book and other standards-related materials so that there are clear national rules on whether and how a train can enter (or continue in) service in the event of failures within the GSM-R system (trackside and on-board). Specifically it aims to answer:

• What is the definition of a defective cab radio?
• Can a train enter service if it is unable to register (a journey)?
• What actions should be taken if the network fails?
• What actions should be taken if train fixed radio fails?

3 Scope

The scope of this study relates to degraded working of GSM-R voice and messaging capability, separate to the ERTMS (speed/location) data functionality. It includes both failures of GSM-R equipment on board trains (as referred to in Rule Book Module TW5 [Ref: 33], GO/RT3437 [Ref: 22] and GO/RC3537 [Ref: 23]) and failures of the GSM-R infrastructure (not included in RGS). It applies to all trains (passenger, empty coaching stock, freight) on Network Rail managed infrastructure but excludes the use of GSM-R for shunting purposes. It considers its use during and on completion of the national migration to GSM-R from other methods of radio communications.

The assessments undertaken are with respect to Siemens version 2 of the cab mobile GSM-R software on the GSM-R network provided by Network Rail. That is, the assessment does not take into account future potential radio functions or operating scenarios, such as roaming onto the public mobile network, but does take into account the potential for public mobile network interference.

4 Approach

4.1 The nature of the decision

To answer the questions on how GSM-R radio failures should be treated, the decision making framework from Taking Safe Decisions [Ref: 29] has been followed. Firstly, it is important to understand the scope of the decision to be made.

The decision can be viewed from three different perspectives.

Should a train be taken out of service if the GSM-R radio is considered defective? This lies to the left of the decision taking spectrum (Figure 1, purple). Here, rules are significant in guiding the decision as to whether defective on train equipment (DOTE) plans are implemented or not. This decision is made by front line staff, in relatively short timescales, and implemented immediately.

What response is taken is decided through the development of the contents of the DOTE, and is determined by senior management within a train operating company. This decision is made over longer timescales, taking into consideration wider knowledge of the GSM-R radio system, and ultimately shared with the infrastructure manager. This decision lies towards the middle of the decision taking spectrum (Figure 1, green).

The third perspective is a more strategic one, and lies to the right of the decision taking spectrum (Figure 1, red). This is the decision as to how the industry should manage GSM-R failures, and in particular what the Rules and guidance should contain to support the development of company DOTEs. Here the decision is made by the industry, that is, at a national level, by senior management representatives. Good practice plays a large part in influencing the decision, but there is recognition that the decision is complex and therefore requires analysis (strategic, targeted, qualitative and quantitative) to guide it.

It is this latter perspective that this study aims to support. As such, the approach to this study is to consider the risks (both quantitative and qualitative elements) in order to inform improvements to the Rule Book and other Railway Group Standards. The results of the assessment will then be used to inform the wider GSM-R project stakeholder representatives to gain consensus on the strategic approach and industry response required.


Figure 1: The nature of the decision

4.2 Decision criteria

To assess which mitigation or response option is the most appropriate the following comparisons have been made:

• The change in safety benefit and operational delay for each response option relative to continuing operations regardless of the state of the radio. The calculation of benefit-cost ratios indicates whether the response is appropriate. Positive benefit-cost ratios support the implementation of a mitigation option. Ideally the proposed mitigation should produce a ratio of greater than one (taking sensitivities into consideration). Where the ratio is significantly less than one, the option is not considered to be reasonably practicable.

• The change in safety benefit for each response option relative to absolute risk levels, and overall benefit provided by GSM-R and its predecessors: CSR and NRN. This provides context in terms of the magnitude of change.

[Figure 1 content: the decision taking spectrum, running from rules and good practice to qualitative analysis, with one row for each of the following questions: Where will the decision be taken? Who should take the decision? How many organisations own the risk? How much consultation? Operational experience of the issue/problem? Experience of the technology? Time between scoping and taking the decision? Method of implementation?]

5 Risk assessment methodology

The risk assessment comprised five tasks:

• Task 1: kick-off meeting
• Task 2: review background information
• Task 3: investigate non-registered cab radios
• Task 4: determine other functional failures and potential mitigations
• Task 5: safety and operational risk assessment

5.1 Task 1: kick off meeting

A kick-off meeting was held on the 18 January 2012 to discuss the approach and to come to a clear understanding of the study objectives. The meeting was attended by representatives from RSSB, Network Rail and ATOC. The meeting also provided a chance for the study team to collect and source relevant background information that was to be considered in task 2.

5.2 Task 2: review background information

Documents identified during task 1 were reviewed for their applicability for the study along with a number of sources of background information that had already been gathered. All document types were considered and the study team obtained and reviewed the following:

• Existing local and national operational rules (eg for Strathclyde)
• Previous risk assessments (eg NXEA risk assessment)
• The GSM-R operational concept (version 1)
• Contingency plans for TOCs
• Requirements specification
• Flow chart processes for signallers

A full list of documents included in the review is given in Appendix B.

All documents were reviewed for relevant failure scenarios (both for registration and network failure, from the driver and signaller perspectives), failure rates, current mitigations or practices implemented on recognition of a failure or fault.

This information was used to identify and consolidate factors that would be considered in the later tasks, specifically the scope and layout of the workshops and risk assessment analysis.

5.3 Task 3: investigate non-registered cab-radios

Since the initial question arising for this study is: ‘Can a train enter service if it is unable to register?’ the first part of the investigative workshops focused solely on registration failures. Other failures of the cab radio and the radio network were investigated separately.

A HAZOP style workshop was held on 14 March 2012 to identify aspects of the GSM-R that would lead to a registration failure along with the current mitigations for each cause and the impact on performance. The workshop was attended by technical experts (Appendix C) representing risk assessment, signalling, train driving and radio network capabilities.

The process for each workshop approach followed the flow chart in Figure 2.


Figure 2: Workshop approach

The attendees were asked to consider the causes and sub-causes of each failure, listing all the possible impacts on the functionality of the cab radio and give their views on potential failure rates. Each failure focussed on what the driver would observe on the GSM-R screen and the results recorded in a spreadsheet visible to all attendees (Appendix C) throughout the process. Examples of the screen displays discussed include:

• ‘Registration failed’ – specifically for registration failure causes
• ‘Searching for networks please wait’ – usually for causes due to network failure
• ‘GSM-R GB’ – centred around failures that the driver would not be aware of

For the full set of potential displays see Ref: 6.

Guidewords (Appendix D) were provided to help steer the group into discussing the relevant observations and impacts that would help create the risk assessment later on in the study.

During the workshop, additional personnel were identified with sources of information to help with failure rate data and impacts on GSM-R functionality that was uncertain.

5.4 Task 4: determine other functional failures and potential mitigations

In this task, each of the other system components that could affect the GSM-R radio’s performance were discussed and reviewed as a continuation from the registration failures workshop.

Three all-day workshops were held, based on the different components of the GSM-R system:

• Workshop 1: Thursday 5 April 2012, base station sub-system
• Workshop 2: Thursday 12 April 2012, national switching sub-system and first pass FTS
• Workshop 3: Wednesday 25 April 2012, on-board train equipment and finalising FTS

The methodology was of a similar vein to the registration failures workshop, namely capturing each possible type of failure in a spreadsheet. The structure of the workshops is illustrated in the diagram in Figure 3 with the numbering describing which workshop the component was discussed in.

[Figure 2 content, flow chart steps: 1. Review factors/guide lists; 2. Identify causes of failure; 3. Identify functional failures; 4. Identify mitigation; 5. Consideration of failure rates. Steps are repeated for each cause and for each registration failure view.]

Figure 3: Workshop scopes

As before, the briefing note for each workshop was supplemented with a list of guidewords so that all responses would be consistent and aid in the evaluation in task 5, and details of people or documents to consult were recorded where answers could not be found within the workshop.

The outputs from the workshops are given in Appendix E.

5.5 Task 5: risk assessment

For the risk assessment, the safety risk and operational delay implications for each failure type were evaluated in terms of FWI per year and delay minutes per year respectively, assuming complete fitment and roll-out of GSM-R radio across GB. The risk assessment also includes the impacts of potential miscommunication from an unregistered phone and the benefits to the driver from the DSD/PA link, if the driver became incapacitated.

An overview of the methodology is given in Figure 4. It follows the principle that, by working out the least safety or operational risk for a given known failure (or functionality loss), a response can be chosen based on the weighted likely outcomes when the source of the failure is potentially unknown (that is, based on observation of the cab-mobile). So, if the driver observes Searching for networks but has no other information, the responses considered are evaluated by assessing their impact on each functionality loss scenario and weighting them by the relative likelihood of each scenario given the message observed.
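The observation-weighted comparison described above, as an added example that is not part of the report or its risk model. Every probability, FWI figure, delay figure, the VPF and the cost per delay minute are constructed, and the BCR is assumed here to be the monetised safety benefit divided by the delay cost, both measured against continuing in service.

```python
import math

# All values are constructed for illustration; the report's own figures sit in
# its appendices and risk model, which this section does not reproduce.
VPF_GBP = 1_800_000.0          # assumed value of preventing a fatality, per FWI
DELAY_COST_GBP_PER_MIN = 50.0  # assumed cost of one delay minute
BASE_CASE = "continue in service"
RESPONSES = ("cancel trains", "hand/transportable", "reduce speed")

# P(functional-loss scenario | what the driver observes on the cab radio).
SCENARIO_GIVEN_OBSERVATION = {
    "Searching for networks": {
        "small radio network failure": 0.8,
        "single cab radio failure": 0.2,
    },
    "Registration failed": {
        "single unregistered cab radio": 1.0,
    },
}

# Per scenario and response: (safety benefit in FWI/year, extra delay in
# minutes/year), both relative to the base case of continuing in service.
DELTAS = {
    "small radio network failure": {
        "cancel trains": (0.004, 40_000.0),
        "hand/transportable": (0.0, 0.0),  # handset fails with the network
        "reduce speed": (0.002, 15_000.0),
    },
    "single cab radio failure": {
        "cancel trains": (0.010, 20_000.0),
        "hand/transportable": (0.006, 100.0),
        "reduce speed": (0.004, 9_000.0),
    },
    "single unregistered cab radio": {
        "cancel trains": (0.0001, 30_000.0),
        "hand/transportable": (0.0, 50.0),  # call and REC already available
        "reduce speed": (0.00005, 10_000.0),
    },
}


def weighted_deltas(observation, response):
    """Likelihood-weighted (FWI/year, delay minutes/year) for one response."""
    weights = SCENARIO_GIVEN_OBSERVATION[observation]
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError(f"scenario weights for {observation!r} must sum to 1")
    fwi = sum(p * DELTAS[s][response][0] for s, p in weights.items())
    minutes = sum(p * DELTAS[s][response][1] for s, p in weights.items())
    return fwi, minutes


def benefit_cost_ratio(fwi, minutes):
    """Monetised safety benefit over delay cost (assumed BCR definition)."""
    benefit = fwi * VPF_GBP
    cost = minutes * DELAY_COST_GBP_PER_MIN
    if cost == 0:
        # No delay cost: any benefit is free, no benefit means no case at all.
        return math.inf if benefit > 0 else 0.0
    return benefit / cost


def assess(observation):
    """BCR of every response when only the observation is known."""
    return {r: benefit_cost_ratio(*weighted_deltas(observation, r))
            for r in RESPONSES}


def recommend(observation):
    """Response with the largest weighted safety benefit among those whose
    BCR is at least one; otherwise stay with the base case."""
    passing = [(weighted_deltas(observation, r)[0], r)
               for r, bcr in assess(observation).items() if bcr >= 1.0]
    return max(passing)[1] if passing else BASE_CASE


if __name__ == "__main__":
    for obs in SCENARIO_GIVEN_OBSERVATION:
        print(obs, assess(obs), "->", recommend(obs))
```

With these constructed inputs the delay-heavy responses score BCRs far below one for both observations, which is the shape of result the report describes.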

The risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 2012 study [Ref: 2], where the benefits of cab radio were assessed using the Safety Risk Model version 7 data [Ref: 20] and Call Success Probability. Call Success Probability is defined as the probability of successfully stopping a train to avoid an accident, by means of alerting the driver. That is:

Call Success Probability = Availability × Coverage × Effectiveness

where:

• Availability is defined as the system availability, based on the cab radio functioning.
• Coverage is determined for each system as a percentage based on the availability of the network.
• Effectiveness is estimated as a probability of being able to stop other potentially affected trains and is based on the time taken to contact the controlling signaller via the GSM-R radio system.

The values calculated for availability, coverage and effectiveness are given in Appendix F.

Figure 4: Risk assessment overview

5.5.1 Potential consequences

The failure consequences were taken from the results of the workshops and were summarised and placed into groups of functionality loss scenarios (see Appendix G for definitions):

• Single cab radio failure
• Small radio network failure
• Medium radio network failure
• Large radio network failure
• Single unregistered cab radio - temporary
• Single unregistered cab radio - permanent
• Multiple uncorrelated cab radios (TD.net outage)
• Multiple uncorrelated cab radios (TD feed outage)
• DSD/PA link unavailable
• Single radio terminal failure
• Multiple radio terminal failure
• Driver:driver radio communication only

For example, a single cab radio failure would only affect the cab radio itself but could result in no calls being received or made throughout its planned journey, whereas a single radio terminal failure would affect all trains in the area it was servicing.

To calculate the frequency of each functionality loss scenario, data was taken from the outputs of the workshops and expert judgement was applied where necessary. The registration failure rates were taken from weekly reports of attempts made by drivers to register the radio where the outcomes were recorded. The most recent data (February-April 2012) was preferred for applicability and was scaled up to calculate functionality loss estimates per year when GSM-R is fully rolled out. Other failure rates were also gathered from previous documents that evaluated the GSM-R testing phase from the trials on the Strathclyde network. The full calculations for the failure rates are contained within the risk model developed for the study (safety disbenefit model v4.15.xls).

Figure 4 (Risk assessment overview) box text:

• Calculate the safety benefit for each functionality loss and operational response scenario
• Calculate the operational delay for each functionality loss and operational response scenario
• Identify the optimum response for each functionality loss scenario
• Calculate the overall safety benefit and operational delay for each observation
• Identify optimum responses for observations where the cause is unknown

5.5.2 Potential mitigations

To work out what the optimum response should be for a particular observation/functionality loss, five different potential responses were identified:

5. Continue in service. The train continues in service as normal regardless of the radio fault. If deemed to be cab mobile related, at the end of the day the train is sent to the maintenance depot for repair. If deemed to be network-related it is assumed that this is fixed at the end of the day. This is considered to be the base case for the risk analysis.

6. Cancel trains. Where only one train reports an issue: if this is at the start of the journey, the train does not enter service; if it is part way through the journey, the train continues to the next suitable location, where the passengers are detrained. The train is then sent as empty coaching stock (ECS) to the maintenance depot for repair. Where multiple trains are reporting issues it is more likely to be a network related issue, in which case trains are not permitted to pass through the affected area. The trains terminate at the nearest suitable location before the fault.

7. Hand/transportable. The train enters or continues in service to the next location where a hand/transportable radio can be picked up. The train then continues until it is scheduled to reach the maintenance depot, where the fault is repaired. This response only provides benefit where the fault lies with the cab-mobile; there is no mitigation against network based faults.

8. Reduce speed. This is as per response 2 but trains travel at a reduced speed¹ (taken to be 60mph²), reducing the potential consequences for collisions. Where the cause is deemed to be cab-mobile related the speed is reduced for all journeys where the affected cab is in the lead. Where the cause is deemed to be network related, the speed is reduced through the affected section of route. It is assumed that network based faults are fixed at the end of the day.

9. Delayed reduced speed. This is as per response 4, except trains continue at normal speeds for up to four hours³ from when the fault was first identified, after which it is considered that an emergency timetable is introduced and the speed can be reduced to 60mph with minimal disruption.

The safety benefit is calculated from the risk per kilometre where there would be no radio available or reduced radio capability. For example, a single cab failure could be removed from service and taken to the nearest suitable location or maintenance depot for repair. The total risk is then calculated by scaling it over the distance the train would have to travel without a functional radio. The change in risk for each response is calculated relative to the base case: continuing in service. The change in risk, or safety benefit, is converted from fatalities and weighted injuries to a monetary value using the value of preventing a fatality (VPF) – see Appendix I for the value used.

¹ The idea of running at reduced speed stems from the review of good practice completed in the Risk assessment of the Interim Voice Radio System (IVRS) [Ref: 38].
² TPWS overspeed sensors are typically set between 40mph and 60mph; a lower speed limit will therefore lower the effectiveness of TPWS. Results from Ref 38 show that reducing the speed to below 60mph was not justified because the disruption to service was excessive compared to the additional safety benefits.
³ A four hour planning period is considered [Ref 38] to give the infrastructure controller an opportunity to assess and repair the fault, whilst trains are running at linespeed.

The results are calculated for four characteristic types of train journey: intercity, suburban, suburban DOO(P) and freight as the circumstances surrounding the train’s location, journey length and other route characteristics (such as radio use) are different.

5.5.3 Operational delays

Alongside safety impacts, the loss of radio functionality also contributes to operational delays. Types of delay that could be incurred were identified to be:

A. Delays are accrued in the event that a radio is required to help ease other operational disruptions eg stop at signal/failed signalling but no radio is available on-board train.

B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys. Part cancellation assumed to be 25 equivalent delay minutes. Full cancellation assumed to be 50 equivalent delay minutes.

C. Delays accrued to obtain hand/transportable.

D. Delays accrued from running at reduced speed.

E. Part cancellation of trains, through a particular section.

F. Delays from rerouting call, initial call goes to nominated rather than controlling signaller.

G. Delays from the signaller not being able to contact a member of on board staff.

H. Delays from the driver not being able to contact the controlling signaller at all.

Each functional loss scenario was mapped to the applicable delays to enable the appropriate operational disbenefit to be calculated (Appendix H). Delay minutes are converted to a monetary value by multiplying by a typical cost of delay per minute for each train type (estimated from TRUST data).

The list of operational delays, above, represents the current practice of use. Although not considered in the modelling it is noted that train radios may be used more in the future to advise passengers of disruption, creating a greater dependence. Also with possible reductions in the number of signal post telephones (SPTs) the opportunity for alternative communication may be limited, increasing operational delays.

The list of modelling assumptions for this task is provided in Appendix I.

5.5.4 Optimisation of results

The potential mitigation responses were compared against each functional loss scenario to calculate a benefit-cost ratio (BCR). For the purposes of this analysis and following the principles laid out in Taking Safe Decisions [Ref: 38], the benefits are considered to be the change in safety benefit for the response option relative to the base case – continuing in service, plus the avoided cost of accidents. The avoided cost of accidents is assumed to be of similar magnitude to the monetary value of the safety benefit. The costs are taken to be the cost of operational delays incurred relative to continuing in service. To simplify the analysis the costs used here do not include the costs of implementation (such as purchasing and maintaining hand/transportables) or operational costs (such as additional staff or overtime). It is recognised therefore that the costs used in the analysis may be an underestimate of actual costs.

Annual costs and benefits were used with no discounting applied since the lifetime of the measure is taken to the instance when the response would be applied.


The benefits and costs for each functional loss scenario were used to compile likely results for each observation state of the cab-radio.

Where assumptions were made or uncertainty exists in the key data used to calculate the safety benefit or operational delay, sensitivity analysis was carried out to determine the robustness of the results.

The BCRs calculated were then considered with respect to the criteria outlined in section 4.2. That is to make a qualitative and quantitative comparison of changes in safety benefit against cost of mitigation to determine whether the responses are reasonably practicable.

6 Results

The results of the analysis are split into five themes:

• Understanding the context of the safety benefits
• Understanding the causes and consequences of failures
• Understanding the safety benefit for each response option
• Understanding the operational delay for each response option
• Optimising the response

Each of these is presented in turn.

6.1 Understanding the context of the safety benefits

The total risk from the railway in Great Britain is estimated to be 140.9 FWI/year [Ref: 20]. The total safety benefit that GSM-R radio is considered to provide is around 1.7 FWI/year, for passenger and freight trains (Table 1) – that is the anticipated increase in risk across the network if all cab radios were taken away. This is through GSM-R radio facilitating REC, urgent (yellow button) calls, calls to/from the signaller and the DSD/PA link. A list of key hazardous events where GSM-R radio is considered to provide some benefits is included in Appendix J.

This benefit is reduced by some 0.03 FWI/year (to around 1.68 FWI/year) if all cab radios were unregistered; that is, risk increases owing to potential miscommunications and increased average times to contact the right signaller/driver.

The benefit from the DSD/PA link to Suburban DOO(P), freight and ECS trains is considered to be around 0.005 FWI/year. This is the benefit associated with providing an incapacitated driver with assistance quicker than if no DSD/PA link were provided.

Table 1: The safety benefit from GSM-R radio (against a base case of no radio)

| Case | Passenger trains (incl ECS) FWI/year | Freight trains FWI/year | Total safety benefit FWI/year |
|---|---|---|---|
| GSM-R fully working | 1.49 | 0.22 | 1.71 |
| GSM-R unregistered | 1.47 | 0.21 | 1.68 |
| DSD/PA link only | 0.004 | 0.001 | 0.005 |

6.2 Understanding the causes and consequences of failures

Frequencies were estimated for different likely functional loss scenarios based on data from the reports reviewed, expert judgement and calculations (full calculations can be found in the risk model developed for this study – safety disbenefit model v4.15.xls). These were mapped to the different observation scenarios identified during the workshops.

Table 2: Functional loss scenario frequencies

Outcomes (events/year)

| Observation | Single cab radio failure | Small radio network failure | Medium radio network failure | Large radio network failure | Single unregistered cab radio - temporary | Single unregistered cab radio - permanent | Multiple uncorrelated cab radios (TD.net outage) | Multiple uncorrelated cab radios (TD feed outage) | DSD/PA link unavailable | Single radio terminal failure | Multiple radio terminal failure | Driver:Driver radio communication only |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Searching for networks | 0.012 | 335* | 0.08 | 0.02 | | | | | | | | |
| GSM-R GB | 1493 | 7⁴ | 0.03 | | | | | | 299 | 120 | 5 | 0.005 |
| Blank screen | 91 | | | | | | | | | | | |
| Registration - lead driver | | | | | 23779 | 247 | 0.009 | 0.87 | | | | |
| Registration - duplicate | | | | | | 4.3 | 0.009 | 0.87 | | | | |
| Registration - PA | | | | | | | | | 100 | | | |
| Failure/fault code | 597 | | | | | | | | | | | |
| Total | 2181 | 342 | 0.11 | 0.02 | 23779 | 252 | 0.02 | 1.7 | 399 | 120 | 5 | |

In the case of searching for networks, a small network failure (taken to be BTS outage) has been estimated to occur 335 times per year; however, on this basis it is likely to affect (and therefore be observable by the drivers of) 32,426 train journeys per year. Although the rate of failure should be considered as a frequency when the cause is known, the number of observable cases should be used to calculate the likelihood of consequence when the cause is unknown (see section 6.5.2). This is based on the assumption that the cab radio displays searching for networks whenever the network signal is too weak to make a call. However, in reality there is some delay in switching from GSMR-GB to searching for networks and vice versa where this signal is still strong enough to recognise the network but not to connect a call. This is considered further in the sensitivity analysis (Appendix P).

⁴ See discussion in paragraph below table on the sensitivity of GSM-R GB displaying versus searching for networks.

The most likely observation is Searching for networks/GSM-R GB, followed by Registration – lead driver. Registration – duplicate is considered to be the least likely observation (based on assumptions identified during the workshops on version 2 of the GSM-R software).

Using these estimated frequencies it is possible to calculate the likelihood of a particular outcome, given a particular observation. These are shown in Table 3.

Table 3: Functional loss scenario probabilities by observation

Outcomes (probability per observation)

| Observation | Single cab radio failure | Small radio network failure | Medium radio network failure | Large radio network failure | Single unregistered cab radio - temporary | Single unregistered cab radio - permanent | Multiple uncorrelated cab radios (TD.net outage) | Multiple uncorrelated cab radios (TD feed outage) | DSD/PA link unavailable | Single radio terminal failure | Multiple radio terminal failure | Driver:Driver radio communication only |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Searching for networks | 4 x 10^-7 | 0.999 | 4 x 10^-4 | 8 x 10^-4 | | | | | | | | |
| GSM-R GB | 0.78 | 0.004 | 2 x 10^-5 | | | | | | 0.16 | 0.06 | 0.003 | 2 x 10^-6 |
| Blank screen | 1 | | | | | | | | | | | |
| Registration - lead driver | | | | | 0.99 | 0.01 | 4 x 10^-7 | 4 x 10^-5 | | | | |
| Registration - duplicate | | | | | | 0.83 | 0.002 | 0.17 | | | | |
| Registration - PA | | | | | | | | | 1 | | | |
| Failure/fault code | 1 | | | | | | | | | | | |

6.3 Understanding the safety benefit for each response option

The safety benefit per event by functional loss scenario for intercity type trains is shown in Table 4 relative to the base case of continuing in service. Intercity type trains are shown for illustration purposes only; for other train type results see Appendix K. All options demonstrate a safety benefit against some functional loss scenarios. The response with the largest safety benefit by functional loss scenario is highlighted in green. Running at reduced speed (response 3) shows the largest safety benefit. This is because running at a lower speed reduces the consequences of some hazardous events (such as collisions and derailments).

Table 4: Safety benefit by function loss scenario relative to continuing in service, for intercity type trains

Change in safety benefit (£/event), by response

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
|---|---|---|---|---|
| Single cab radio failure | 1 | 2 | 5 | 3 |
| Small radio network outage | 1 | 0 | 3 | 2 |
| Medium radio network outage | 980 | 0 | 2,900 | 1,600 |
| Large radio network outage | 3,700 | 0 | 11,000 | 6,200 |
| Single unregistered cab radio - temporary | 0 | 0 | <1 | 0 |
| Single unregistered cab radio - permanent | <1 | <1 | 1 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 56 | 0 | 10,000 | 5,700 |
| Multiple uncorrelated cab radios (TD feed outage) | 1 | 0 | 230 | 130 |
| DSD/PA link unavailable | <1 | 0 | 5 | 3 |
| Single radio terminal failure | 5 | 0 | 42 | 23 |
| Multiple radio terminal failure | 28 | 0 | 240 | 130 |
| Driver:driver communications only | 1,300 | 0 | 11,000 | 5,900 |

Large radio network outage has the greatest impact on safety levels, and therefore the biggest change in risk between continuing in service and the response options. This is perhaps not surprising given it represents no radio functionality for all trains on the network.

No safety benefit is shown for the functional loss of the DSD/PA link from cancelling trains (response 1) or picking up a hand/transportable (response 2) for intercity trains as the other members of train crew are assumed to mitigate the situation. This is not the case for the suburban DOO(P) and freight train types (see appendices K.1.3 and K.1.4).

6.4 Understanding the operational delay for each response option

The potential operational delays per event by functional loss scenario for intercity type trains (for illustration purposes only) are shown in Table 5 (for other train types see Appendix L) relative to the base case – continuing in service. These represent the monetary value of delays associated with the different response scenarios. A negative operational delay represents a saving relative to the base case – continuing in service. For intercity, suburban and suburban-DOO(P) trains, the majority of functional loss scenarios incur a cost of delay compared to continuing in service. The exceptions are using a hand/transportable (response 2) to mitigate a single cab radio failure, where performance savings can be made, and cases where running with hand/transportables or delayed reduced speed (response 4) adds no delay to the base case – continuing in service. These responses create the least amount of operational delay for each functional loss scenario and are highlighted in green in Table 5. Cancelling trains (response 1) and reducing speed immediately (response 3) create the most operational delays (highlighted in red).

For freight trains, cancelling trains (response 1) creates the most operational delays. The other responses offer little difference from the base case – continuing in service (due to the generally lower speed of freight trains compared with other services).


Table 5: Operational delays by function loss scenario relative to continuing in service, for intercity train types

Operational delays (£/event), by response

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
|---|---|---|---|---|
| Single cab radio failure | 10,000 | -280 | 73,000 | 42,000 |
| Small radio network outage | 180,000 | 0 | 48,000 | 27,000 |
| Medium radio network outage | 2,700,000 | 0 | 41,000,000 | 23,000,000 |
| Large radio network outage | 57,000,000 | 0 | 160,000,000 | 88,000,000 |
| Single unregistered cab radio - temporary | 1,600 | 0 | 640 | 0 |
| Single unregistered cab radio - permanent | 12,000 | 540 | 18,000 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 61,000,000 | 0 | 160,000,000 | 88,000,000 |
| Multiple uncorrelated cab radios (TD feed outage) | 640,000 | 0 | 3,500,000 | 2,000,000 |
| DSD/PA link unavailable | 12,000 | 0 | 73,000 | 43,000 |
| Single radio terminal failure | 180,000 | 0 | 310,000 | 170,000 |
| Multiple radio terminal failure | 600,000 | 0 | 3,500,000 | 2,000,000 |
| Driver:driver communications only | 59,000,000 | 0 | 160,000,000 | 88,000,000 |

6.5 Optimising the response

On comparison of the magnitude of the safety benefit to the operational delay, the monetary value of operational delay greatly exceeds the safety benefit in all cases; ranging from being a hundred to several million times larger than the monetary value of safety benefit. This is highlighted in both Figure 5 and Figure 6 – in all charts the safety benefit is hardly noticeable.

6.5.1 When the type of functional loss is known

The least delays are accrued in general by the base case (continuing in service) and when running with a hand/transportable (response 2) (see Figure 5). This is because these options are the same but with the hand/transportable providing some benefit when the cab radio is the cause of the loss of functionality (but delays being incurred to pick up the device).

Figure 5: Comparison of safety benefit and operational delay for each functional loss scenario and response option (1-4), intercity type trains

[Bar charts of operational delay (£k/year) and safety benefit (£k/year) for responses 1-4, one panel per functional loss scenario: Single cab radio failure; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal failure; Multiple radio terminal failure; Driver:driver communications only.]

Note: Safety benefit is plotted on the above charts, but its magnitude is so much smaller than the cost of delays that it is hard to see.

Continuing as normal for a fixed time period then reducing the speed (response 4) is the next preferable option in terms of delay in some cases. In these instances it offers a compromise between continuing as normal, and reducing the speed. The time limit also encourages the problem to be fixed in a timely manner and not continue unconditionally. It should be noted, however, this is not the only option for encouraging problems to not continue unconditionally.

However, in the case of other functional loss scenarios, cancelling trains (response 1) may offer some benefits in terms of minimising delays compared with the options to reduce speed. That is, the delays accrued en route with response 4 may exceed the equivalent delay minutes for part/full cancellation of a train.

In the case of freight trains, running at reduced speed (response 4) appears to be a good continuing in service, however, this is a symptom of the characteristics of freight operations, in that the average speed of freight trains is below the reduced speed limit considered (60mph), and therefore no delay or safety impacts are considered for this train type when the speed limit is introduced.

The benefit-cost ratios (BCRs) calculated for the intercity train types are shown in Table 6. Intercity train types are shown for illustration purposes only. For other train types see Appendix O.

All of the positive BCRs (where there is a difference from the base case, that is, not equal to zero) are significantly less than one. Three cases for intercity train types have negative BCRs.

Those that are highlighted in red in Table 6 represent cases where there is a safety disbenefit and operational cost associated with the functional loss scenario and the particular response. For example, using a hand/transportable instead of a permanently unregistered cab radio may increase risk due to the differences in performance between the two different radios. Those scenarios highlighted in red are considered not to be practicable.

The BCR highlighted in green is also negative. However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continue in service) from using a hand/transportable (response 2) when a single cab radio is known to have failed. Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) not outweighing the operational delay savings.


Table 6: Benefit-cost ratios for each response option by functional loss scenario, for intercity train types

BCR, by response

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
|---|---|---|---|---|
| Single cab radio failure | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Small radio network outage | 1.2 x 10^-5 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Medium radio network outage | 7.2 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Large radio network outage | 1.3 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Single unregistered cab radio - temporary | 0 | 0 | 1.3 x 10^-4 | 0 |
| Single unregistered cab radio - permanent | 4.3 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 1.8 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Multiple uncorrelated cab radios (TD feed outage) | 3.9 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| DSD/PA link unavailable | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Single radio terminal failure | 5.7 x 10^-5 | 0 | 2.7 x 10^-4 | 2.7 x 10^-4 |
| Multiple radio terminal failure | 9.4 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Driver:driver communications only | 4.3 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |

6.5.2 When the type of functional loss is unknown

Not all the cab radio observations provide direct insight into the cause of the problem and therefore the expected functional loss. Taking into account the likely failure rates and how the functional losses may appear to the driver (in the absence of any other information), the weighted average consequences have been estimated.

In terms of the observation scenarios, the potential annual safety benefits in £ per year relative to the base case (continuing in service) are given in Table 7. All response options demonstrate some safety benefit relative to continuing in service. Again, reduce speed (response 3 – highlighted in green) offers the greatest safety benefit due to the less severe consequences of some hazardous events (such as collisions and derailments). However, this response may not be practical from a timetable perspective, given the delays passed on to subsequent trains and journeys will affect network capacity.

GSMR-GB displaying and failing on demand shows the greatest potential safety benefit per year from each response due to a combination of both assuming full functionality loss and the calculated failure frequency. However, as discussed previously full functionality loss may not always be the case as GSM-R GB can also be caused by temporary loss of network signal (see Appendix P).

Table 7: Safety benefit by observation scenario, for intercity type trains

Safety benefit (£/year), by response

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
|---|---|---|---|---|
| Searching for networks | 550 | <1 | 1,700 | 920 |
| GSM-R GB | 2,700 | 2,200 | 15,000 | 8,700 |
| Blank screen | 130 | 140 | 470 | 270 |
| Registration - lead driver | 2 | <1 | 1,600 | 160 |
| Registration - duplicate | 2 | <1 | 290 | 160 |
| Registration - PA | <1 | 0 | 470 | 270 |
| Failure/fault | 820 | 890 | 3,100 | 1,800 |

The least safety benefit is achieved (for all response options) against registration failures (lead driver, duplicate, PA); this is due to the low impact nature of the failures. That is, the cab radio still retains call and REC functionality.

In the case of delay minutes accrued when considering a response based on an observation (Table 8), running at reduced speed (response 3) and cancelling trains (response 1) generate the most operational delays for intercity train types (shaded in red) relative to the base case – continuing in service, whereas continuing with a hand/transportable (response 2) offers the least delays (shaded in green), and in some cases potential operational delay savings. The case where the radio has failed on demand and is displaying GSM-R GB has the potential for the biggest operational losses – the figure below is based largely on cab radio failures and does not include the effects from network signal (see Appendix P for sensitivity analysis).

Similar results are generated for suburban and suburban-DOO(P) train types. For freight trains, cancelling trains (response 1) generated the most operational delays – this is an artefact of freight trains not being affected by the measures that impose speed restrictions.


Table 8: Operational delays by observation scenario, intercity train types

Operational delays (£/year), by response

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
|---|---|---|---|---|
| Searching for networks | 64,000,000 | -3 | 23,000,000 | 13,000,000 |
| GSM-R GB | 43,000,000 | -410,000 | 190,000,000 | 110,000,000 |
| Blank screen | 910,000 | -25,000 | 6,600,000 | 3,900,000 |
| Registration - lead driver | 41,000,000 | 130,000 | 24,000,000 | 2,500,000 |
| Registration - duplicate | 1,100,000 | 2,300 | 4,600,000 | 2,500,000 |
| Registration - PA | 1,200,000 | 0 | 7,300,000 | 4,300,000 |
| Failure/fault | 6,000,000 | -170,000 | 43,000,000 | 25,000,000 |

For intercity (Figure 6), suburban (K.2.2) and suburban DOO(P) (K.2.3) train types the base case and continue with a hand/transportable (response 2) appear to be the optimum cases. In some cases there is no difference between the two options. This is where the cause is more likely to be network related and therefore the hand/transportable provides no benefit.


Figure 6: Comparison of safety benefit and operational delay (purple) for each observation scenario and response option (1-4), intercity type trains

[Bar charts of operational delay (£k/year) and safety benefit (£k/year) for responses 1-4, one panel per observation: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

All of the positive BCR (where there is a difference from the base case, that is, not equal to zero) are significantly less than one (see Table 9) for intercity train types. There are seven cases where the BCR has been estimated to be negative.

Those that are highlighted in red in Table 9 represent cases where there is a safety disbenefit and operational cost associated with the observation scenario and the particular response. For example, using a hand/transportable instead of a cab radio that displayed a registration failure may increase the risk due to the differences in performance between the two different radios. Those scenarios highlighted in red are considered not to be practicable.

The BCRs highlighted in green are also negative. However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continue in service) from using a hand/transportable (response 2) for observation scenarios where cab radio failure is possible. Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) outweighing the operational delay savings.

Table 9: Benefit-cost ratios for each response option by cab radio observation, for intercity train types

| Observation | Response 1: Cancel | Response 2: Hand/transportable | Response 3: Reduced speed | Response 4: Delayed reduced speed |
|---|---|---|---|---|
| Searching for networks | 1.7 x 10^-5 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| GSM-R GB | 1.3 x 10^-4 | -1.1 x 10^-2 | 1.6 x 10^-4 | 1.6 x 10^-4 |
| Blank screen | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Registration - lead driver | 1.1 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Registration - duplicate | 2.8 x 10^-6 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Registration - PA | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Failure/fault | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |


7 Discussion

7.1 The definition of a defective GSM-R fixed cab radio

When the cab radio displays Radio Failure XX, MT Fatal or a blank screen then it is certain that the cab radio will not function properly and that the fault lies with the cab radio. This is the only observation case when the driver can be certain that the cab radio is defective. Other displays such as Warning XX are non-service affecting and should not be considered as defects.

If the cab radio is displaying searching for networks it is likely to be due to a network related problem, which could clear on moving the train. However if the problem persists for a particular cab radio through its journey or the signaller is able to confirm that the train lies within a fully operational part of the GSM-R network, then it is likely that the problem is associated with the train’s antenna. In this case the cab radio should be considered as defective. To help with the diagnosis of the problem and potentially speed up the repair of network issues, drivers should contact the signaller and report the issue at the first convenient opportunity, even if the radio subsequently displays GSM-R GB.

If the cab radio displays an error on registration (registration – lead driver/duplicate/PA) there could be an issue with the network or the information being entered. Either way the cab-radio should still have call and REC functionality and is therefore not considered an on-train defect.

If the cab radio fails on demand whilst displaying GSM-R GB it could be due to a cab fault or network issue. Without further diagnosis or failure symptoms being observed by other network users it is difficult to determine the cause. If the train continues its journey and the problem in the cab persists it is likely it is a cab radio defect. However, if on moving the train the problem remedies itself it is likely to be a network issue.

Although this analysis helps with a definition for a defective cab radio, it does not necessarily mean that a train with a defective cab-radio should be withdrawn from service (see subsequent conclusions).
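The diagnosis rules in 7.1, applied to a sequence of driver observations from one journey, as an added Python example that is not part of the original report. The `Observation` fields, the `Verdict` labels and the reading of "persists" as "seen at every observation of a journey with at least two observations" are assumptions made for illustration; the sample journeys are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    DEFECTIVE = "cab radio defective"
    NETWORK_LIKELY = "likely network issue"
    NOT_A_DEFECT = "not an on-train defect"
    UNDETERMINED = "further diagnosis needed"


# Displays the report treats as a certain cab radio defect
# (section 7.1 plus the list in the conclusions). A blank screen is
# represented either by the text "blank screen" or by an empty string.
FAULT_PREFIXES = ("radio failure", "failure", "mt fatal",
                  "cab radio flt", "eprom/ram flt", "blank screen")


@dataclass
class Observation:
    """One driver observation during a journey (hypothetical record layout)."""
    display: str                        # text shown on the cab radio
    call_failed: bool = False           # a call attempt failed on demand
    network_confirmed_ok: bool = False  # signaller confirms the train is in a
                                        # fully operational part of the network


def symptom(obs):
    """Reduce one observation to the symptom classes used in section 7.1."""
    text = obs.display.strip().lower()
    if text == "" or text.startswith(FAULT_PREFIXES):
        return "fault"
    if text.startswith("searching"):
        return "searching"
    if text == "gsm-r gb" and obs.call_failed:
        return "on_demand"
    # Registration errors, Warning XX and a working GSM-R GB display:
    # call and REC functionality is retained, so no on-train defect.
    return "none"


def classify_journey(observations):
    """Classify a cab radio from the ordered observations of one journey."""
    if not observations:
        raise ValueError("at least one observation is required")
    symptoms = [symptom(o) for o in observations]

    # Failure display or blank screen: the fault lies with the cab radio.
    if "fault" in symptoms:
        return Verdict.DEFECTIVE
    if all(s == "none" for s in symptoms):
        return Verdict.NOT_A_DEFECT
    # 'Searching for networks' inside a network the signaller confirms is
    # fully operational points at the train's antenna.
    if any(s == "searching" and o.network_confirmed_ok
           for s, o in zip(symptoms, observations)):
        return Verdict.DEFECTIVE
    # The problem cleared once the train moved on: likely a network issue.
    if symptoms[-1] == "none":
        return Verdict.NETWORK_LIKELY
    # Assumption: "persists" means present at every observation, minimum two.
    if len(symptoms) >= 2 and "none" not in symptoms:
        return Verdict.DEFECTIVE
    return Verdict.UNDETERMINED


# Constructed sample journeys (not data from the report).
SAMPLE_JOURNEYS = {
    "failure display": [Observation("Radio Failure 07")],
    "searching, then clears": [Observation("Searching for networks"),
                               Observation("GSM-R GB")],
    "searching throughout": [Observation("Searching for networks")] * 3,
    "registration error": [Observation("Registration failed - duplicate")],
    "single call failure": [Observation("GSM-R GB", call_failed=True)],
}

if __name__ == "__main__":
    for name, journey in SAMPLE_JOURNEYS.items():
        print(f"{name}: {classify_journey(journey).value}")
```
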

7.2 What action should be taken if the fixed cab radio is defective?

Regardless of the definition of a defective cab radio, the results from the risk analysis show that for all response cases considered, in terms of monetary equivalent values, the cost of operational delays dominates the cost of the safety benefits. That is, the safety benefit from GSM-R cab radio is estimated to be around 1.7 FWI/year (based on current use and practices), or equivalent to around £3 million/year (based on the VPF). With some 7 million train journeys/year, this gives an average safety benefit of around £0.40/journey. This is significantly less than the cost of cancelling a train journey, estimated to be around £800 to £6000, dependent on the type of journey.

For all the responses except continue with hand/transportable (response 2), the BCRs calculated are significantly less than one. That is, the delay costs associated with the measures are grossly disproportionate (in some cases over a hundred times greater) to the safety benefits when compared against the base case of continuing in service. This applies both when the functional loss is known and when it is unknown but based upon the driver’s observation.

Although it may be reasonable to continue in service with a defective radio, it does impact on both safety and operations. Therefore it is of interest to continue maintaining both radios and DSD/PA links to a working standard and reasonable to suggest that trains do not leave a maintenance depot for service with a defective radio (as currently required by the rules with a PA system). This is similar to requirements for other defective on-train equipment such as headlamps, taillights and warning horns.

The conclusions over what to do when a fixed radio fails are the same for all train types, despite having slightly different magnitudes of result. This includes services where the driver is on his own (suburban DOO(P) and freight). The results of the risk assessment show that although the DSD/PA provides some benefit (0.005 FWI/year across all trains) this is also dwarfed by the cost of cancelling a train. However, it is recognised that the radio and DSD/PA link provide additional security and comfort benefits for the driver not included in this risk assessment. Also, in the future the PA link may be used by operations centres to provide passengers with information relating to their journey, placing a greater dependence on the PA link. Therefore should the radio or PA link fail on a DOO(P) train, the operating company may choose to implement additional measures (such as provision of hand/transportable, a public mobile phone or an additional member of staff to travel on board the train) to compensate.

7.3 Can a train enter service if the registration fails?

The workshops identified that if a cab radio fails to register a journey properly there is a reduction in call success; that is, a call may route to the wrong signaller (the REC will still function). In the event that proper communication protocols are not followed this could lead to errors in train movements. For example, permission could be given to pass a signal at danger, because the signaller has misunderstood which driver he is speaking to. Based on the current rates of miscommunication leading to a movement accident, operating all cab radios unregistered is estimated to reduce the safety benefit by around 0.03 FWI/year, or around £50,000/year (based on the VPF). Again, with some 7 million train journeys/year, the average safety benefit/journey is estimated to be less than £0.01.

The cost of taking a train out of service (response 1) or reducing its speed (responses 3 and 4) to compensate is far greater than the safety benefits (that is the BCRs are significantly less than one) making these options not reasonably practicable.

Running with an unregistered cab radio could be further mitigated by training drivers to be aware that it is more likely for a call to be routed to the wrong signaller and thus of the need to place greater importance on the communications protocol to ensure a clear understanding of who is involved in a call (see 10.2 Further analysis).

The conclusions are the same for all train types, despite having slightly different magnitudes of operational delays.

7.4 What action should be taken if the radio network fails?

Network failures have the potential to extend from a few kilometres of track up to the whole network, affecting both trains entering service and those already in service. The results from the risk analysis show that, as with the cab radio defects, the operational delays significantly dominate the safety benefits – the BCRs are significantly less than one. Cancelling trains (response 1) or running at reduced speed (responses 3 and 4) increase the operational delay the most whilst minimising the risk. However, due to the magnitude of the costs being grossly disproportionate to the safety benefits, they are not considered reasonably practicable. In the case of network failures provision of hand/transportables (response 2) will provide no additional benefit, since the hand/transportable also would not work.


In the event that there is a total network failure or significant network outage (multiple terminal failures etc), cancelling of all trains would cause chaos for passengers. This would be detrimental to both safety (in terms of passenger overcrowding and assaults) and rail industry reputation, and generally is not considered acceptable by rail industry representatives.

Therefore, the response recommended on the basis of this risk assessment is to continue in service. However, GSM-R provides safety and operational benefits so should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits or constraints on the ‘continue in service’ option. Imposing restrictions after a four-hour time limit (response 4) was one of the responses considered by this risk assessment but it may not be practical to implement.

The conclusions are in general the same for intercity, suburban and suburban DOO(P) trains, despite having slightly different magnitudes of result. Freight trains are less influenced by speed reductions due to the lower average speeds at which they travel.

8 Sensitivity analysis

Sensitivity analysis was carried out on the risk modelling (see Appendix P), focussing on the key assumptions.

• The cost of delays

• The rate of reactionary delay incurred

• The version of the cab radio software

• The number of BTSs

• The number of registrations per day

• The split between searching for networks and GSM-R GB with network issues

• Failure rates

The sensitivity analysis shows that the conclusions are robust with respect to the cost of delays and the rate of reactionary delay for intercity, suburban and suburban DOO(P) train types. For freight, cancelling trains may be a better option for some functional losses, when operating in areas with potential for significant reactionary delays.

With respect to the cab radio software, the conclusions are considered robust with respect to the increased likelihood of Registration – duplicate with Siemens version 1E, when compared to the assumed version 2.

The sensitivity analysis also showed that the conclusions are robust with respect to the number of BTSs, the number of registrations per day and failures. In all cases where the cost of delays was grossly disproportionate to the safety benefits, it remains so for the sensitivity test scenarios.

A similar conclusion was drawn for testing the sensitivity of the split between searching for networks and GSM-R GB for network issues. However, the sensitivity analysis also showed that there is significant uncertainty that GSM-R GB signifies a cab radio failure without further diagnosis. That is, if a cab radio fails on demand whilst displaying GSM-R GB it may be due to a network issue.


9 Conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example, persistent failure throughout its journey (with confirmation that the network is working).

For all the response options considered, ranging from continuing as normal regardless of no radio to cancelling trains, the operational delays significantly dominate the safety benefits.

Continuing as normal (the base case) and continuing with the use of hand/transportables (response 2) minimise the operational delays but accrue a small amount of safety disbenefit. The other responses analysed are not considered to be reasonably practicable because the additional delay costs are disproportionate to the safety disbenefits (for all train types, including suburban DOO(P)). The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits so it is important that equipment is properly maintained. It seems reasonable therefore to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types). That is, none of the responses considered were demonstrated to be reasonably practicable to mitigate registration issues.

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry therefore needs to decide whether it is appropriate to impose limits or constraints on the ‘continue in service’ option.

The conclusions are considered robust to changes in the key assumptions.

10 Items for consideration

10.1 Review of Railway Group Standards and other supporting documents

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT3437 and Rail Industry Approved Code of Practice GO/RC3537 are reviewed with respect to the findings of this risk assessment, and appropriate proposals for change prepared. The proposed changes should reflect that:

• Registration failures are not considered to be defects

• Trains can stay and enter service with a defective cab radio

• Trains can stay and enter service with a defective radio network.

However, to encourage the recovery of faults it is suggested that a train does not enter service from a maintenance depot with a defective radio. This is similar to the practice already applied to other on-train equipment such as headlamps and warning horns.

10.2 Further analysis

During the completion of this study, further related areas of analysis have been identified to be of interest. These have not been included in this analysis but will be investigated later:


• When should planned outages of the network (for maintenance, upgrades etc) take place to minimise risk?

• Whether or not there is a need to get agreement from TOCs for the planned outage times chosen, or whether they and the signallers can just be informed?

• Can the signaller still authorise the driver of an unregistered cab radio to pass a signal at danger?

• Whether it is safer to use an SPT or an unregistered cab radio to contact the signaller?

10.3 Further process mitigations for consideration

During the workshops some ideas were generated on how errors could be reduced when using GSM-R. These included:

• Providing repeater plates where the signal is not visible at registration – this would avoid excessive use of the wildcard

• After observing a registration failed – lead driver and being instructed by the signaller to use the wildcard, the driver could contact the signaller again to confirm that the radio was registered with the correct headcode.

• Monitoring cell pick-ups to help reduce the number of misrouted calls.

• Reinforcing during training the need to place greater importance on the communications protocol to ensure a clear understanding of who is involved in a call when using an unregistered cab.


Appendix A Glossary

ATOC Association of Train Operating Companies

BSC Base station controller

BSS Base station sub-system

BTS Base transceiver station

DOO Driver only operation

DOO(P) Driver only operation (Passenger)

DOTE Defective on-train equipment

DSD Driver safety device

ECS Empty coach stock

ERTMS European Rail Traffic Management System

FTN Fixed telephone network

FTS Fixed terminal system

FWI Fatalities and weighted injuries

GSC Ground switching centre

GSM-R Global system for mobile communications - Railways

HAZOP Hazard and operability

LAC Location area code

NCN5 5th Network change notice

NSS Network switching system

NXEA National Express East Anglia (train operating franchise)

REC Railway emergency call

PA Public address

RGS Railway Group Standards

RSSB Rail Safety & Standards Board


SPT Signal post telephone

TD Train describer

TEC Telecomm Engineering Centre

TOC Train operating company

TPWS Train Protection Warning System

VPF Value of preventing a fatality


Appendix B Documents reviewed

This appendix contains the references for the documents reviewed as part of task 2 and subsequent documents received and considered in later tasks.

1. GSM-R/FTN Programme Cab Handportable estimated usage, NR/AM/SA/REP/00241. Issue A01, Network Rail, May 2012.

2. Assessing the risk from the loss of the NRN frequency spectrum in 2012, RSSB, April 2012.

3. Trains Required to be Taken Out of Service as a Result of Defective On-train Equipment. Train Operator’s Contingency Plan, CP 3437, Issue 7, Arriva Trains Wales, January 2012.

4. HMI Design Requirements Specification for Network Rail GSM-R Cab Radio – “Version 2”, Issue 9.0B Draft, Siemens, 20 December 2011.

5. Using GSM-R in Great Britain Briefing Note - Changes to the Siemens GSM-R Cab Radio (Version 2), GSMR/FTN/TRG/BN/03, Issue 1.2, Network Rail, 14 December 2011.

6. GSM-R user procedures (cab radio) Procedures for using the Siemens GSM-R cab radio (Version 2), NS-GSM-R-OPS-0514, Issue 6.1, RSSB, December 2011.

7. Voice Communication System FTS Failure Modes, Effects and Criticality Analysis (FMECA), 04A05E606.24, Issue 2.5, Frequentis, 19 October 2011.

8. AM Amendments module, GE/RT8000/AM Rule Book, Issue 13, September 2011.

9. CMv1E – CMv2 Requirements Summary, Issue 1, R Hill, 2 September 2011.

10. GSM-R System Resilience, version 2, E Nix & T Foulkes, 16 June 2011.

11. National Control Instructions Procedure for the Planned Response to GSM-R System Failures, Issue 4, 4 June 2011.

12. Human Factors Railway Emergency Call Study, Issue 2, RSSB, 2 June 2011.

13. Cab Radio Reliability Time Truncated Test Results, GSMR/RWG, Issue 2, Network Rail, May 2011.

14. GSM-R Network Observed Reliability during Operational Trial, GSMR/RWG, Issue 2, Network Rail, May 2011.

15. NWR GSM-R Core Network System Definition, NWR/NE/DD/025055, Version 8.00, Kapsch CarrierCom, 25 March 2011.

16. Amendments to SMS9.3 Defective On-Train Equipment Contingency Plan, NXEC9.3, Issue 7, East Coast, 30 December 2010.

17. GSM-R (IVRS) Radio system Handbook, RS/520, Issue 1, RSSB, December 2010.


18. National GSM-R Radio Project Hazard Identification Workshop Report Multiple Signallers in RECs, A305/GSM-R/IMP/Dxxx, Issue 1, Network Rail, 12 November 2010

19. National Control Instructions and Approved Code of Practice Section 2.1 Communications, NR/L3/OCS/043/2.1, Issue 2, 5 June 2010.

20. Risk Profile Bulletin, Table B1, Version 7, RSSB, August 2010

21. Contingency Plan & Matrix for Trains with Defective On-train Equipment, SM0901, Issue 6, First Great Western, June 2010.

22. Defective On-Train Equipment, GO/RT3437, Issue 6, June 2010.

23. Recommendations for Defective On-train Equipment, GO/RC3537, Issue 4, June 2010.

24. GSM-R Signallers Fixed Terminal User Guide, Issue 1, Network Rail, June 2010.

25. GSM-R Emergency Call Risk Assessment, RSSB, 8 January 2010.

26. GSM-R Strathclyde Trial Objectives Close out Report, NR/EE/REP/00181, Issue A02, Network Rail, December 2009.

27. FTN & GSM-R GSM-R Trial for Pilot Route A (PA05/03377/T) – Critical Review Report, CCMS:6866706, Issue 3.3, Network Rail, 12 June 2009.

28. GSM-R Strathclyde Operational Trial Reliability and Maintainability Demonstration Plan, Issue 4.1, Network Rail, June 2009.

29. Taking Safe Decisions - how Britain’s railways take decisions that affect safety, RSSB, 2009.

30. Using GSM-R in Great Britain Procedures for using the Frequentis GSM-R fixed terminal Appendix 4: Amendments, FTN&GSMR/PM/MAN/002, Issue 2, Network Rail, 28 October 2008.

31. Preparation and movement of trains General, GE/RT8000/TW1 Rule Book, Issue 8, October 2008.

32. Cab secure radio (CSR) Handbook, RS/516, Issue 1, June 2008.

33. Preparation and movement of trains Defective or isolated vehicles and on-train equipment, GE/RT8000/TW5 Rule Book, Issue 3, April 2008.

34. Using GSM-R in Great Britain Procedures for using the Frequentis GSM-R fixed terminal Appendix 3: General Instructions, FTN&GSMR/PM/MAN/002, Issue 3, Network Rail, 22 October 2007.

35. GSM-R Reliability, Availability & Maintainability (RAM) Study, A305/GSM-R/124, Issue 4, Network Rail, August 2007.

36. GSM-R Cab Mobile, Great Britain Open Interface Requirements, GE/RT8082, Issue 1, July 2007.


37. UK Application of GSM-R The Operational Concept, Issue 1, RSSB, 14 December 2006.

38. Risk Assessment of Failure of the Interim Voice Radio System (IVRS), RSSB, February 2006.

39. Train Radio Systems for Voice and Related Messaging Communications, GE/RT8080, Issue 1, December 2003.

40. Requirements for GSM-R Voice Radio System, GE/RT8081, Issue 1, December 2003.

41. Safety Risk Assessment for the National GSM-R Radio Network Project, A305/GSM-R/IMP/D057, Issue 2, Network Rail, 7 November 2003.

42. Flowchart process for signallers.

43. Ops Controller LAC Map


Appendix C Workshop attendees

Attendee Job title and organisation Workshop

Registration 1 BSS 2 NSS/FTS 3 FTS/On-board equipment

Ed Nix Senior NSS Design Engineer, Network Rail Yes Yes Yes

Neil Ramsey Senior Programme Manager, Network Rail Yes Yes

Chris Fulford GSMR Operations Advisor, ATOC Yes Yes Yes

Rob Hill Senior FTS Design Engineer, Network Rail Yes

Paul Ashton Operational Rules Specialist, Network Rail Yes

Keith Fox Operations Specialist, RSSB Yes Yes Yes Yes

Jay Heavisides Senior Risk Analyst, RSSB Yes Yes Yes Yes

Will Clayton Risk Analyst, RSSB Yes Yes Yes Yes

David Griffin Senior Risk Analyst, RSSB Yes Yes Yes


Appendix D Workshop guidewords

D.1 Registration observations

| Observer | View |
|---|---|
| Driver | ‘Registration failed’ |
| | ‘Registration failed – Duplicate’ |
| | ‘Registration failed – PA’ |
| | Wrong headcode returned |
| | No headcode returned |
| Signaller | |

D.2 GSM-R Functions

| Initiator | Function |
|---|---|
| Driver | A) Point-to-point call to controlling signaller |
| | B) Urgent point-to-point call to controlling signaller (yellow button) |
| | C) Railway emergency group call (red button) |
| | D) Non-operational calls |
| | E) Driver safety device activation alarm |
| | F) Standing at signal text message |
| | Device registration |
| Signaller initiation | G) Point-to-point call to driver |
| | H) Urgent point-to-point call (yellow button) |
| | I) PA announcements |
| | J) General broadcast voice calls to local area |
| | K) Non-emergency group voice calls |
| | L) Railway emergency group call (red button) |
| | M) Operational text (‘Wait’, ‘Contact signaller’) |
| Other | N) Voice recording |
| | O) Coverage |


D.3 Influencing factors: frequency

| Parameter | Deviation |
|---|---|
| Migration | During |
| | Post |
| Network outage | Planned |
| | Unplanned |
| Point of journey | Leaving depot |
| | Start of journey |
| | Mid journey |
| | End journey |
| | Turnaround |
| | Splitting/joining units |

D.4 Influencing factors: consequence

| Parameter | Deviation |
|---|---|
| Alternative communication method | Handportables |
| | Transportables |
| | CSR |
| | NRN |
| | IVRS |
| | Signal post telephones |
| | Public mobile phone |
| Train type | Non-DOO |
| | DOO(P) |
| | Freight |
| | ECS |
| Track type | Single |
| | Double |
| | Multiple |
| Train speed | Slow (<15mph) |
| | Medium (15-75mph) |
| | Fast (>75mph) |
| Line type | Rural |
| | Sub-urban |
| | Mainline |
| Train frequency | Low frequency |
| | High frequency |
| Journey time/distance | Short |
| | Medium |
| | Long |

D.5 Potential responses

| Option group | Response |
|---|---|
| No replacement equipment available | Suspend service at point of failure until fixed. |
| | Send straight to depot for fixing. |
| | Continue to next point of call, then suspend service until fixed. |
| | Continue to next point of call, detrain passengers and operate ECS until fixed/replaced. |
| | Continue to end of journey, then to depot/fix. |
| | Continue to end of day/final journey to depot/fix |
| Replacement equipment available (awaiting outputs from NRN switch off study) | Await arrival of handportable/transportable |
| | Continue to next point of call to collect handportable/transportable |
| | Continue to end of journey/next hub to collect handportable/transportable |
| | Rely on SPTs |


Appendix E Workshop outputs

The notes in this appendix represent the outputs after completion of the workshops. That is, they represent a fixed point in time during the study. Data gathering and analysis was completed after the workshops to finalise the failure rates. Calculations for such can be found in the risk model developed for this study (safety disbenefit model v4.12.xls).

E.1 Cab-registrations

The letters in the column Impact of failure are based on function guidewords listed in the table in Appendix D.2.


Observation | Cause of failure | Sub-cause of failure | Distinction | Impact of failure | Mitigation | Failure rate | Influences

1. Registration failed - lead driver

1.1 Driver input incorrect registration headcode

1.1.1 Driver error (misread)

Entered data is visible on display

A, B, E, F) Yes - no longer calling the controlling signaller but the nominated one

A, B, C, E, F) Calling identity is the unit number and not the headcode

C) Nominated signaller has control of REC

G, H, I) Can only be done using unit number and there will be a delay to call

K) Will not function without headcode

M) Can only be done using unit number and there will be a delay to call - contact signaller only (check that it can be done using CT3)

Current: Driver retries. Call signaller if still fails. Signaller checks code and gives wildcard (wrong headcode) Verbal communication protocol may lead to recognition of error and the signaller will know the train headcode from either ARS or train list

New: Driver would contact the signaller once registration complete to check headcode

Jim Carney (NR) - breakdown of registration statistics

During migration - more likely to enter wrong headcode and be unaware of it through pre-registration process (wildcard)

1.1.2 Driver error (input error)

As 1.1.1 As 1.1.1 As 1.1.1.


1.2 Driver input incorrect location code

1.2.1 Driver error (misread)

Entered data is visible on display

As above for 1.1.1

Performance delay impact

Current: Driver retries. Call signaller if still fails. Signaller checks code and gives wildcard (right headcode). Verbal communication protocol may lead to recognition of error.

Jim Carney (NR) - breakdown of registration statistics

1.2.2 Driver error (input error)

As 1.2.1 As 1.1.1

1.2.3 Missing alias plate

Speak to signaller As 1.1.1

1.2.4 Signal identity not visible

Visit signal to check plate

As 1.1.1 New: Provide signal repeater plates


1.3 Train description not associated with berth

1.3.1 Signaller has not entered TD

Speak to signaller As 1.1.1 Current: Driver retries. Call signaller if still fails. Signaller checks TD and inserts code

1.3.2 Late entry by automatic coding insertion

Speak to signaller As 1.1.1 As above (1.3.1)

1.4 Train describer failure

1.4.1 TD.Net failure (national)

Speak to signaller (may not know there is a failure)

As above for 1.1.1 but for multiple trains

Current: Use wildcard

Increased registration failure rate due to possible duplication

None

1.4.2 Local TD failure

Speak to signaller As above for 1.4.1 but for trains in local area

Current: Use wildcard

Increased registration failure rate due to possible duplication (smaller risk than 1.4.1)


1.5 Cell not associated with berth

1.5.1 Train on unexpected cell

Speak to signaller (use wildcard)

As above for 1.1 but for single train and definitely contacting nominated signaller (not controlling)

Current: Use wildcard

New: Monitor cell pick-ups

Dependent on location - see Jim Carney

Initial increase during migration.

1.5.2 BSS failure (see 1.8)

See 1.8 See 1.8

1.6 NSS failure 1.6.1 Failure on demand

Use alternative means to contact signaller

As above for 1.4.1

1.7 FTS failure 1.7.1 Failure on demand

Signaller may already be aware - use alternative means for contact

As above for 1.4.2

1.8 BSS failure 1.8.1 Interference Use alternative means to contact signaller

As above for 1.4.2 - more localised


2. Registration failed - duplicate

2.1 Three trains already in service with the same 8 digit code

2.1.1 As per 1.1 Current: Use wildcard - worse case correlation attempted every 3 minutes

Minimal


2.2 NSS failure 2.2.1 Current: log as fault as unable to register

3. Registration failure - PA

3.1 BSS failure 3.1.1 Interference on uplink

None for driver, yes for signaller dependent on contact

I) Not available Current: Contact signaller to determine uplink or downlink. Does not matter if non-DOO(P)

Jim Carney (NR) - breakdown of registration statistics. Reduce by factor of 100 for v2? (stuck, retry and driver intervention)

More likely to cause problems whilst on the move (during migration)

3.1.2 Interference on downlink

No impact - driver unaware so possible performance delay


E.2 Base station sub-system

Observation | Cause of failure | Sub-cause of failure | Distinction | Impact of failure | Recovery | Geographical size of failure | Duration of failure | Failure rate | Influences | Notes

1. Searching networks -please wait

1.1 BTS or repeater failure (local)

1.1.1 Antenna and feeder damage

Catastrophic - (specific) alarm to TEC Non-catastrophic - possible alarm

No service available whilst display is 'Searching networks'

Attempts to search for networks ('Searching networks' displayed). Attaches to nearest cell but might not be on the correct route.

4-8km of track affected or less depending on whether adjacent cells fill in eg West Coast Mainline

Contact Paul Strachan for target fix time and actuals The antenna system takes approximately 24 hours to repair

Contact Paul Strachan for target fix time and actuals The mean time between antenna failures is 131400 hours ie 15 years, so assume 0.07 failures per antenna year

As system is better understood, recovery rates will improve. If occurs at start of journey, train will not be able to register - if this is the first train to report this problem signaller may not be aware

1.1.2 Antenna re-alignment (partial failure)

Driver reports intermittent coverage - audible and visual in cab alarm

As 1.1.1 or 4.1.1 Driver reports failures to control. Aids subsequent trains

Maybe slightly better than 1.1.1 due to only partial loss

as above

1.1.3 Power loss (specific) alarm to TEC

As 1.1.1 Opportunity to rectify upon receiving alarm. Back up power supply for 6 hours

4-8km of track affected or less depending on whether adjacent cells fill in eg West Coast Mainline

Contact Paul Strachan for target fix time and actuals

Contact Paul Strachan for target fix time and actuals

as above

1.1.4 Air conditioning failure

High temp alarm to TEC

As 1.1.1 Opportunity to rectify upon receiving alarm.

4-8km of track affected or less depending on whether adjacent cells fill in eg West Coast Mainline

Contact Paul Strachan for target fix time and actuals

Contact Paul Strachan for target fix time and actuals

as above

1.1.5 BTS or repeater electronics hardware

(specific) alarm to TEC

As 1.1.1 Opportunity to rectify upon receiving alarm.

Maybe slightly better than 1.1.1 if only partial loss Indicates 5.9km gap in service

Indicates a BTS repeater failure takes approximately 12 hours to repair

The mean time between repeater failures is 50000 hours ie 5.7 years, so assume 0.175 failures per BTS per year

as above

1.1.6 Cell BTS configuration error

None - non-detectable

No P2P or REC calls

System commissioning procedures

4-8km of track affected or less depending on whether adjacent cells fill in eg West Coast Mainline

Indicates a BTS MUX failure takes approximately 12 hours to repair

The mean time between MUX failures is 1384000 hours ie 158 years, so assume 0.00633 failures per year

as above

1.1.7 Loss of REB due to damage/vandalism

Alarm to TEC As 1.1.1 Replace REB 4-8km of track affected

ask Paul Strachan for contacts

ask Paul Strachan for contacts

as above Check for contingency plans Ed to confirm % of joint REB sites


1.2 Multi BTS failure

1.2.1 FTN transmission failure

(specific) alarm to TEC from BTS and FTN

As 1.1.1, but may also impact availability of SPT and LX T

Opportunity to rectify upon receiving alarm. Easier to identify as an infrastructure failure by the signaller through driver observation. Requires 2 breaks in ring to reduce functionality

Single chain - 30km Entire ring - hundreds of km (Check transmission backgrounds)

FTN (single chain) failure takes approximately 4 hours to repair A fixed terminal core failure takes 2 hours

The mean time between FTN failures is 36730 hours ie 4.19 years, so assume 0.238 failures per year A fixed terminal core failure is 63800 hours ie 7.28 years, so assume 0.137 failures per year.

During migration adding additional rings may lead to accidental severance

Is transmission failure to do with a single site? Speak to Ian Burrows

1.2.2 BSC failure/damage

TEC receives (specific) critical alarm

As 1.1.1 Migrate services onto backup BSC (manual disaster recovery - BSC)

All BTS connected to BSC - approx 1/9th of network

2 hours for disaster recovery to be implemented - TBC Confirmed from RAM study

The mean time between BSC failures is > 1000000 hours. Use worst case ie 114.155 years, so assume 0.0876 failures per year

Possible problems during software upgrades to BSC. No planned outage of BSC due to constant demand

There are 2380 BTS across 10 BSCs, each BTS covers 5.9km therefore ring failure = 2380/10*5.9 = 1400 km

1.2.3 NSS failure - see later workshops

1.2.4 FTN to NSS failure (maybe common to 1.2.1)

Can lead to 1.2.1 or 1.2.2

As 1.2.1 Somewhere between 1.2.1 and 1.2.2

1 in 70 years per km of track, although maybe on increase due to possibility of cable theft

1.3 Cell inaccessible

1.3.1 Route configuration

None As 1.1.1 or 4.1.1 Driver identifies problems and is fed back into system design

Only applies during migration

1.4 RF interference

1.4.1 PLMN 2G (public network) - 900MHz

None Reduction of call quality on the downlink whilst travelling 30-40mph, otherwise may not notice. Problems more severe when stationary and will continue to be affected until the voice traffic on the PLMN has dropped.

No specific mitigation for the driver to detect this problem at the present time. It can take 20 seconds-2 minutes for the mobile to re-attach to GSM-R GB but may need a reset. If the driver sees a mast, moving the train away from the mast may help reduce interference. Actions such as moving the train forward slightly or using the cab mobile at the other end of the train have been suggested when at a station.

Unable to tell for certain at this stage. Units 20-50m from the interference source will be more affected. But it is likely that it affects a particular train at a time rather than a whole cell. Most likely to be an issue for the train antenna than a BSS.

20 seconds to 2 minutes for the train to locate the correct mobile, once interference has reduced. Longer if the mobile is 'stuck' and needs resetting.

Approx 600 EGSM-R failures in Germany in 3 years ie 300/year. Alternatively, there were 5 recorded interference failures on the GB network over a period of 1 year. Assuming that: only 20% of the network is currently rolled out (x 5), the impending switch-on of Vodafone's additional mobile network increases interference (x2) and other PLMN follow suit (x2) equates to around 100 failures per year for the UK.

May affect migration and could increase impact if more mobile networks switch on. Suggestions have been to add stronger BSSs at stations where most of the impact lies and create a more compatible cab mobile. Filters can concentrate the reception into the mobile, but are costly to set up and sometimes unreliable. One option is to introduce equipment which records interference and replays it to show where interruptions have been and therefore could be in future.

Future strategy between NR and mobile networks unclear. Difficult to predict rate of interference due to the continuing introduction of more PLMN.


1.4.2 PLMN 3G - 900MHz band

Assumed none Yet to determine

1.4.3 Broadband noise

Assumed none Yet to determine

1.4.4 Other train antenna (repeaters)

Assumed none Yet to determine

2. PA call in progress

N/A May allow PA calls in normal operation - depending on rules surrounding process

3. Fatal error N/A low Recognised that this may happen eg rollout of 3G technology - data TBC

4 GSM-R GB 4.1 BTS failure

4.1.1 Cell BTS configuration error

Failure on demand

No P2P or REC calls but gives impression to user that system is working. Possible poor quality calls, increased possibility of misrouted calls. Risk of no coverage. Poor speech quality at one end between the driver and the signaller. If connection is made to a non-designated cell, registration may fail without use of wildcard.

Driver would only be aware if attempting to use radio

A BTS repeater failure takes approximately 12 hours to repair

Mean time between BTS core failure is 148600 hours. Use worst case ie 16.96 years, so assume 0.059 failures per year

Misrouted calls caused by cab-mobile attaching to cells on adjacent routes (in the future) may be managed through experience and including trains on actual and adjacent route cell train list. Downside of this approach is that it will increase the size of the REC and therefore potential delays in the event of an emergency. For the purposes of the assessment it will be assumed that the calls may be misrouted.

4.2 Multi BTS failure

4.1.2 BSC failure - likely to be a configuration issue

TEC receives unique critical alarm

As above Migrate services onto backup BSC (manual disaster recovery - BSC)

All BTS connected to BSC - approx 1/9th of network

2 hours for disaster recovery to be implemented

Mean time between BSC failures is > 1000000 hours. Use worst case ie 114.155 years, so assume 0.0876 failures per year

Possible problems during software upgrades to BSC. No planned outage of BSC due to constant demand


4.1.3 FTN failure Alarm to TEC from BTS and FTN

As above Opportunity to rectify upon receiving alarm. Easier to identify as an infrastructure failure by the signaller through driver observation. Requires 2 breaks in ring to reduce functionality

Single chain - 30km Entire ring - hundreds of km (Check transmission backgrounds)

as above Approx 90% would show a 'Searching please wait' display Mean time between FTN failures is 36730 hours ie 4.19 years, so assume 0.238 failures per year A fixed terminal core failure is 63800 hours ie 7.28 years, so assume 0.137 failures per year.

During migration adding additional rings may lead to accidental severance

4.3 Wrong cell accessible

1.4.1 As 1.3.1 None As 1.1.1 or 4.1.1 Driver identifies problems and is fed back into system design

4-8km of track affected or less depending on whether adjacent cells fill in eg West Coast Mainline

Only applies during migration
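The E.2 rows quote a mean time between failures, a repair time and an assumed annual failure rate for each component. The following added example (not part of the study or its risk model) recomputes the rate from the MTBF using the 8760 hours per year the table itself implies, flags any row whose stated rate is more than 10% away from that value, and derives the expected downtime per year. The 10% tolerance and the pairing of repair time with MTBF by table row are assumptions of the example.

```python
"""Cross-check of the failure-rate figures quoted in the Appendix E.2 rows.

Added example; not the study's risk model. MTBF, repair time and stated
rate are copied from the table rows; the tolerance is an assumption.
"""

HOURS_PER_YEAR = 8760  # the table's own convention: 131400 h = 15 years

# (component, MTBF in hours, repair time in hours, stated failures per year)
ROWS = [
    ("Antenna and feeder", 131_400, 24, 0.07),
    ("BTS or repeater electronics", 50_000, 12, 0.175),
    ("BTS MUX", 1_384_000, 12, 0.00633),
    ("FTN single chain", 36_730, 4, 0.238),
    ("Fixed terminal core", 63_800, 2, 0.137),
    ("BSC (worst case)", 1_000_000, 2, 0.0876),
    ("BTS core (worst case)", 148_600, 12, 0.059),
]


def annual_rate(mtbf_hours):
    """Expected failures per year for a constant failure rate."""
    return HOURS_PER_YEAR / mtbf_hours


def unavailability(mtbf_hours, repair_hours):
    """Steady-state fraction of time the component is out of service."""
    return repair_hours / (mtbf_hours + repair_hours)


def audit(rows=ROWS, rel_tol=0.10):
    """Recompute each row and mark stated rates that do not follow from the MTBF."""
    results = []
    for name, mtbf, repair, stated in rows:
        rate = annual_rate(mtbf)
        results.append({
            "component": name,
            "computed_rate": rate,
            "stated_rate": stated,
            "consistent": abs(stated - rate) <= rel_tol * rate,
            "downtime_h_per_year": unavailability(mtbf, repair) * HOURS_PER_YEAR,
        })
    return results


if __name__ == "__main__":
    for r in audit():
        flag = "" if r["consistent"] else "  <-- stated rate does not match MTBF"
        print(f'{r["component"]:30s} computed {r["computed_rate"]:.5f}/yr, '
              f'stated {r["stated_rate"]}/yr, '
              f'downtime {r["downtime_h_per_year"]:.2f} h/yr{flag}')
```

Only the BSC row is flagged: 1000000 hours is 114.155 years, which corresponds to 0.00876 failures per year rather than the 0.0876 quoted.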

E.3 FTS sub-system

Observation | Cause of failure | Sub-cause of failure | Distinction | Impact of failure | Recovery | Geographical size of failure | Duration of failure | Failure rate | Influences | Notes

1. Registration failed

1.1 TD.Net failure

1.1.1 Train describer failure - area failed

Apparent to the signaller of the area affected that the TD has failed

Registration will fail when location code is entered, signaller will know and issue wildcard (apart from within areas without TD available). Risk of misrouting due to no ELDA from a shared cell. Driver error in registering will not be picked up and will be accepted when the wildcard is used.

Signaller will inform drivers and ops control. Ops control will contact the train operators. FTS can be told that the TD data is not available ie become a non-TD area. This accepts location code without checking

Local to one signal box/TD area

Speak to Paul Strachan

Speak to Paul Strachan

Ed to clarify that this is the correct recovery procedure.

1.1.2 Transmission to or from TD.Net fails

Local functionality for the signaller but no link to TD.Net

As above except signaller will be unaware unless the train list is checked. Trains will de-correlate.

As above + duplicate connection used in case one fails

As above As above As above Ed to talk to Rob Hill for failures that would cause all trains in train list to de-correlate

1.1.3 TD.Net overall failure

Trains de-correlated nationally in train list

National network failure Do not validate the TD. Will not be able to detect driver entering the wrong info

Whole country As above As above


1.1.4 General changes in TD

Misrouting calls As above for 1.1.1 Monitoring for paging by TEC Local to cell as above as above After rollout is complete

1.2 TD Bridge failure

1.2.1 As per TD.Net failure

as above as above Both bridges would need to fail - replicate bridge on auto start-up

as above as above

1.3 Complete FTS failure - loss of site

1.3.1 Air con failure

Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller

Switching over would take approx. 4 hours

as above Hot weather

1.3.2 Loss of power

DC power failure: Shut down of switch ie no calls, registration possible AC failure: no registration, outgoing calls ok, no communication

DC and AC has two feeds so some redundancy

as above as above

1.3.3 Fire Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller

as above as above

1.3.4 Vandalism Worst case - Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller

as above as above

1.3.5 Terrorism As above as above as above

1.4 Routing Server failure 1.4.1 Power outage

Unable to register Duplicated on auto start-up as above as above

1.4.2 Hardware failure

As above As above as above as above

1.4.3 Software failure

As above As above as above as above

1.5 Management server failure

1.5.1 Signaller would be made aware whilst recording new messages

Signallers unable to logon, record new message

as above as above Rob to confirm

1.6 GSC failure 1.6.1 Hardware failure

No calls or messages possible between drivers and signallers

as above as above

2. GSM-R GB 2.1 ELDA failure 2.1.1 Routing server

Immediate failure Call routing not possible ie no call functionality to the signaller

Speak to Paul Strachan

Speak to Paul Strachan


2.1.2 TD.Net, TD.Bridge failure

Gradual failure over time as data becomes out of date

Misrouted calls eg calls going to the nominated and not controlling signaller

as above as above

2.2 IMUX failure 2.2.1 Hardware failure

Warning on fixed terminal. Future: log out after 20 mins

Up to 15 fixed terminals will lose their function which may not be in the same signal box ie lose call functionality

Possibility of role sharing with another signaller

Depends on diversity of FTs fed

as above as above Depends where IMUX is based in terms of single or multi panel signal box functionality

Rob to investigate

2.3 ISDN failure 2.3.1 Hardware failure

1 terminal failure Share role with another signaller in the same box

1 signaller's position

as above as above Only available in multi panel signal box

Are there any single points of failure for multiple fixed terminals

2.4 Fixed terminal failure

2.4.1 Touch screen unit failure

Blank screen/ non-responsive screen

1 terminal failure Share role with another signaller in the same box

1 signaller's position

as above as above Only available in multi panel signal box

Are there any single points of failure for multiple fixed terminals

2.4.2 Audio module failure

Signaller cannot be heard/hear

May impact communications if both hands free and handset fails

Use other mode 1 signaller's position

as above as above

2.4.3 NTBA box failure

As 2.2 Similar to IMUX failure but would only affect 1 terminal

Share role with another signaller in the same box

1 signaller's position

as above as above Recovery is dependent on single or multi panel signal box

2.5 Signal box power failure

2.5.1 Blank screen All terminals in signal box will fail UPS would provide backup 1 signaller's position

as above as above Dependent on single or multi panel signal box

Check with tech (1st floor) or Rob to check if all signal boxes connected to UPS

2.6 GSC failure 2.6.1 Hardware failure

Failure on demand - driver unaware

Registration possible, but no calls can be made between drivers and signallers. Existing calls will be dropped. Driver initiated REC will stop trains, but the signaller will not be aware. Signaller initiated REC will not stop trains.

Attempts will be made to get it fixed. If total failure, the system at Stoke may be used.

as above as above


E.4 On-board train equipment

Observation | Cause of failure | Sub-cause of failure | Distinction | Impact of failure | Recovery | Geographical size of failure | Duration of failure | Failure rate | Influences | Notes

1. Searching networks please wait

1.1 Broken antenna 1.1.1 Loose connector

Driver checks other cab radio - if functional, fault is identified. Most likely a network failure if both do not function

No functionality. Can pre-register

None - fault reported 1 cab radio Throughout service for 1 cab

Awaiting reliability figures

Identified at any point in the journey

1.1.2 Degradation as above as above as above as above as above as above as above

2. Blank 2.1 DCP failure 2.1.1 Loss of connection between DCP and radio unit

No screen at power up No call functionality as buttons will not work

1 cab Contact Brian Sowbry at Siemens

Contact Brian Sowbry at Siemens

Identified at any point in the journey

2.2 Loss of connection 2.2.1 Lack of power to screen, hardware fault

No screen at power up Call functionality available although screen remains blank and unable to tell who is calling

1 cab as above as above as above

2.3 Loss of power 2.3.1 Lack of power to screen

No screen at power up No call functionality UPS will take over if available 1 cab as above as above as above

2.3.2 MCB failure MCB switch set to off No call functionality until reset Driver resets 1 cab as above as above as above

2.4 Screen failure 2.4.1 Hardware fault No screen at power up Call functionality available although screen remains blank and unable to tell who is calling

1 cab as above as above as above

2.5 Driver key/cab active

2.5.1 Loose connection

None No functionality Alternative method to power up radio (not commonly known)

1 cab as above as above as above

2.5.2 Hardware failure

None No functionality Alternative method to power up radio (not commonly known)

1 cab as above as above as above

2.5.3 Faulty key switching arrangement

None No functionality Alternative method to power up radio (not commonly known)

1 cab as above as above as above

3. Warning (fault) 3.1 See Appendix R - NRCR HMI Design spec. (Siemens)

3.1.1 Various Unique fault code No critical functionality loss Fault is logged and service is continued

1 cab No actual failure

n/a Ask Ed for 'SIM card incomplete' fault code and warning 02


4. Failure 4.1 See Appendix R - NRCR HMI Design spec. (Siemens)

4.1.1 Various Unique fault code No call functionality None during service 1 cab Throughout service

Contact Brian Sowbry at Siemens

Can happen start or mid-journey

5. Cab radio flt 5.1 Communications failure between DCP and cab radio unit

5.1.1 Single fault message No functionality - could receive REC, but no outgoing calls

None during service 1 cab Throughout service

Contact Brian Sowbry at Siemens

Can happen start or mid-journey

6. Battery low 6.1 See 3.1 6.1.1

7. EPROM/RAM flt 7.1 See 5.1 7.1.1

8.1 MT fatal 8.1 Brick fault 8.1.1 No functionality Reboot by driver or self-reboot may overcome this error

Failure in both cabs (if shared brick)

Throughout service

Contact Brian Sowbry at Siemens

9. GSM-R GB 9.1 Screen freeze 9.1.1 Screen failure No functionality when calls are attempted and screen does not change

Speak to Siemens Reset may fix it 1 cab Contact Brian Sowbry at Siemens

9.2 Handset failure 9.2.1 PTT failure Could hear messages but cannot be heard or vice versa

Only affects RECs Handset test 1 cab Throughout service

as above

9.2.2 Pickup failure Could hear messages but cannot be heard or vice versa

Affects all calls Handset test 1 cab as above

9.2.3 Speaker failure

Difficult to hear/cannot hear Volume dropped on loudspeaker, handset speaker does not work so may not be able to hear calls coming through

Handset test 1 cab as above

9.2.4 Cradle switch failure

Cannot hear loudspeaker May not be aware of calls coming through as all are directed to the handset

Handset test 1 cab as above

9.3 DSD connector failure

9.3.1 Loose connection

Maintenance testing If driver is incapacitated, it will not be detected

1 cab as above

9.3.2 Hardware failure

Maintenance testing If driver is incapacitated, it will not be detected

1 cab as above

9.4 PA connector failure 9.4.1 Loose connection

Failure on demand PA not available (signaller) PA menu test 1 cab Throughout service

as above

9.4.2 Hardware failure

Failure on demand PA not available (signaller) PA menu test 1 cab Throughout service

as above


9.5 DCP stuck buttons 9.5.1 Lack of maintenance, wear and tear

Failure on demand Depends on button concerned Alternative means of contacting signaller ie tries other buttons (yellow, red, call signaller, phonebook), go to other cab

1 cab as above


Appendix F Call success probabilities

The availability, coverage and effectiveness calculations are contained within the risk model developed for the study (safety disbenefit model v4.12.xls).

F.1 Intercity train types

| Speed | Consequence scenario | Availability | Broadcasting coverage | Broadcasting effectiveness | Receiving coverage | Receiving effectiveness | Call success probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | 0.9999 | 1.0000 | 0.9447 | 1.000 | 0.9603 | 0.952 |
| Normal | No radio | 0.0000 | 1.0000 | 0.0000 | 1.000 | 0.0000 | 0.000 |
| Normal | Unregistered radio | 0.9999 | 1.0000 | 0.9338 | 1.000 | 0.9411 | 0.937 |
| Normal | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9447 | 1.000 | 0.9603 | 0.952 |
| Normal | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4254 | 1.000 | 0.8320 | 0.629 |
| Normal | GSM-R registered handportable | 0.9900 | 0.9650 | 0.9439 | 1.000 | 0.9603 | 0.926 |
| Normal | CSR | 0.9998 | 1.0000 | 0.9176 | 1.000 | 0.9073 | 0.912 |
| Normal | NRN | 0.9994 | 0.9000 | 0.8910 | 1.000 | 0.8761 | 0.839 |
| Reduced (60mph) | No radio | 0.0000 | 1.0000 | 0.0000 | 1.000 | 0.0000 | 0.000 |
| Reduced (60mph) | Unregistered radio | 0.9999 | 1.0000 | 0.9338 | 1.000 | 0.9411 | 0.937 |
| Reduced (60mph) | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9447 | 1.000 | 0.9603 | 0.952 |
| Reduced (60mph) | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4254 | 1.000 | 0.8320 | 0.629 |


F.2 Suburban train types

| Speed | Consequence scenario | Availability | Broadcasting coverage | Broadcasting effectiveness | Receiving coverage | Receiving effectiveness | Call success probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Normal | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Normal | Unregistered radio | 0.9999 | 1.0000 | 0.9383 | 1.0000 | 0.9435 | 0.941 |
| Normal | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Normal | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4265 | 1.0000 | 0.8342 | 0.630 |
| Normal | GSM-R registered handportable | 0.9900 | 0.9650 | 0.9484 | 1.0000 | 0.9628 | 0.930 |
| Normal | CSR | 0.9998 | 1.0000 | 0.9237 | 1.0000 | 0.9128 | 0.918 |
| Normal | NRN | 0.9994 | 0.9000 | 0.8971 | 1.0000 | 0.8821 | 0.844 |
| Reduced (60mph) | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Reduced (60mph) | Unregistered radio | 0.9999 | 1.0000 | 0.9383 | 1.0000 | 0.9435 | 0.941 |
| Reduced (60mph) | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Reduced (60mph) | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4265 | 1.0000 | 0.8342 | 0.630 |


F.3 Suburban DOO(P) train types

| Speed | Consequence scenario | Availability | Broadcasting coverage | Broadcasting effectiveness | Receiving coverage | Receiving effectiveness | Call success probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Normal | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Normal | Unregistered radio | 0.9999 | 1.0000 | 0.9383 | 1.0000 | 0.9435 | 0.941 |
| Normal | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Normal | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4265 | 1.0000 | 0.8342 | 0.630 |
| Normal | GSM-R registered handportable | 0.9900 | 0.9650 | 0.9484 | 1.0000 | 0.9628 | 0.930 |
| Normal | CSR | 0.9998 | 1.0000 | 0.9237 | 1.0000 | 0.9128 | 0.918 |
| Normal | NRN | 0.9994 | 0.9000 | 0.8971 | 1.0000 | 0.8821 | 0.844 |
| Reduced (60mph) | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Reduced (60mph) | Unregistered radio | 0.9999 | 1.0000 | 0.9383 | 1.0000 | 0.9435 | 0.941 |
| Reduced (60mph) | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.9493 | 1.0000 | 0.9628 | 0.956 |
| Reduced (60mph) | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4265 | 1.0000 | 0.8342 | 0.630 |


F.4 Freight train types

| Speed | Consequence scenario | Availability | Broadcasting coverage | Broadcasting effectiveness | Receiving coverage | Receiving effectiveness | Call success probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | 0.9999 | 1.0000 | 0.8604 | 1.0000 | 0.9302 | 0.895 |
| Normal | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Normal | Unregistered radio | 0.9999 | 1.0000 | 0.8270 | 1.0000 | 0.9118 | 0.869 |
| Normal | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.8604 | 1.0000 | 0.9302 | 0.895 |
| Normal | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4120 | 1.0000 | 0.8057 | 0.609 |
| Normal | GSM-R registered handportable | 0.9900 | 0.9650 | 0.8578 | 1.0000 | 0.9302 | 0.870 |
| Normal | CSR | 0.9998 | 1.0000 | 0.7591 | 1.0000 | 0.7322 | 0.745 |
| Normal | NRN | 0.9994 | 0.9000 | 0.6777 | 1.0000 | 0.6723 | 0.641 |
| Reduced (60mph) | No radio | 0.0000 | 1.0000 | 0.0000 | 1.0000 | 0.0000 | 0.000 |
| Reduced (60mph) | Unregistered radio | 0.9999 | 1.0000 | 0.8270 | 1.0000 | 0.9118 | 0.869 |
| Reduced (60mph) | DSD/PA link unavailable | 0.9999 | 1.0000 | 0.8604 | 1.0000 | 0.9302 | 0.895 |
| Reduced (60mph) | Driver:Driver communication only | 0.9998 | 1.0000 | 0.4120 | 1.0000 | 0.8057 | 0.609 |
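The spreadsheet that produces the call success probability column is not reproduced here, so the following added example (not the study's own code) recomputes that column from the other five. The formula is an assumption inferred from the published figures and from the Appendix I statement that an affected cab is equally likely to initiate or to receive a call; it agrees with every normal-speed row of F.1 and F.4 to within 0.001.

```python
"""Recompute the 'Call success probability' column of Appendix F.

Added example. The formula is inferred, not quoted from the study:
availability x (50% broadcasting + 50% receiving), where each side is
coverage x effectiveness.
"""

P_BROADCAST = 0.5  # Appendix I: 50% initiate a REC or call, 50% receive one

BASE = "GSM-R cab mobile - base case"

# Normal-speed rows copied from tables F.1 and F.4:
# (availability, broadcasting coverage, broadcasting effectiveness,
#  receiving coverage, receiving effectiveness, published call success)
INTERCITY = {
    BASE: (0.9999, 1.0, 0.9447, 1.0, 0.9603, 0.952),
    "No radio": (0.0, 1.0, 0.0, 1.0, 0.0, 0.000),
    "Unregistered radio": (0.9999, 1.0, 0.9338, 1.0, 0.9411, 0.937),
    "DSD/PA link unavailable": (0.9999, 1.0, 0.9447, 1.0, 0.9603, 0.952),
    "Driver:Driver communication only": (0.9998, 1.0, 0.4254, 1.0, 0.8320, 0.629),
    "GSM-R registered handportable": (0.9900, 0.965, 0.9439, 1.0, 0.9603, 0.926),
    "CSR": (0.9998, 1.0, 0.9176, 1.0, 0.9073, 0.912),
    "NRN": (0.9994, 0.9, 0.8910, 1.0, 0.8761, 0.839),
}
FREIGHT = {
    BASE: (0.9999, 1.0, 0.8604, 1.0, 0.9302, 0.895),
    "No radio": (0.0, 1.0, 0.0, 1.0, 0.0, 0.000),
    "Unregistered radio": (0.9999, 1.0, 0.8270, 1.0, 0.9118, 0.869),
    "DSD/PA link unavailable": (0.9999, 1.0, 0.8604, 1.0, 0.9302, 0.895),
    "Driver:Driver communication only": (0.9998, 1.0, 0.4120, 1.0, 0.8057, 0.609),
    "GSM-R registered handportable": (0.9900, 0.965, 0.8578, 1.0, 0.9302, 0.870),
    "CSR": (0.9998, 1.0, 0.7591, 1.0, 0.7322, 0.745),
    "NRN": (0.9994, 0.9, 0.6777, 1.0, 0.6723, 0.641),
}


def call_success(avail, b_cov, b_eff, r_cov, r_eff, p_broadcast=P_BROADCAST):
    """Probability that an emergency call involving this cab succeeds."""
    broadcasting = b_cov * b_eff   # cab is the one raising the call
    receiving = r_cov * r_eff      # cab is the one that must hear it
    return avail * (p_broadcast * broadcasting + (1 - p_broadcast) * receiving)


def recompute(table):
    """Map scenario -> (recomputed value, published value)."""
    return {name: (call_success(*row[:5]), row[5]) for name, row in table.items()}


def max_deviation(table):
    """Largest gap between the inferred formula and the published column."""
    return max(abs(calc - pub) for calc, pub in recompute(table).values())


def loss_vs_base(table):
    """Drop in call success relative to the base case, per scenario."""
    calc = {name: pair[0] for name, pair in recompute(table).items()}
    return {name: calc[BASE] - value for name, value in calc.items() if name != BASE}


if __name__ == "__main__":
    for label, table in (("Intercity", INTERCITY), ("Freight", FREIGHT)):
        print(f"{label}: max deviation from published column "
              f"{max_deviation(table):.4f}")
        for name, drop in sorted(loss_vs_base(table).items(), key=lambda kv: -kv[1]):
            print(f"  {name:35s} loses {drop:.3f} against base case")
```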


Appendix G Functional loss scenarios

These functional loss scenarios were identified following the completion of the workshops.

| Functional loss scenario | Consequence | Scope |
|---|---|---|
| Single cab radio failure | No radio (receiving and broadcasting). | One cab. |
| Small radio network failure | No radio (receiving and broadcasting). | All trains passing through a small section of the network. Assumed to be the equivalent of a BTS outage. |
| Medium radio network failure | No radio (receiving and broadcasting). | All trains passing through a medium section of the network. Assumed to be the equivalent of a BSC outage. |
| Large radio network failure | No radio (receiving and broadcasting). | All cabs. Assumed to occur if Stoke and Didcot not working. |
| Single unregistered cab radio - temporary | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | Assumed to be one cell for one cab (radio correlated on reaching new cell). |
| Single unregistered cab radio - permanent | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All journeys for one cab. |
| Multiple uncorrelated cab radios (TD.net outage) | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All cabs. |
| Multiple uncorrelated cab radios (TD feed outage) | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All cabs through the affected signaller’s area. |
| DSD/PA link unavailable | Cab radio functions but signaller cannot use PA on-board train. DSD alarm not received by signaller. | One cab. |
| Single radio terminal failure | Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver, as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected signaller’s area. |
| Multiple radio terminal failure | Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected signallers’ areas. Assumed to affect 15 signallers. |
| Driver:driver communication only | Cab radio functions but no communication available to any signaller via radio. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected areas. |


Appendix H Mapping of operational delay to functional losses

| Functionality loss scenario | Response 0: Continue in service | Response 1: Cancel trains | Response 2: Hand/trans portable | Response 3: Reduced speed | Response 4: Delayed reduced speed |
|---|---|---|---|---|---|
| Single cab failure | A, G | A, B | A, C, G | A, D, G | A, D, G |
| Small network failure (BTS outage) | A, G | A, E | A, G | A, D, G | A, D, G |
| Medium network failure (BSC outage) | A, G | A, E | A, G | A, D, G | A, D, G |
| Large network failure (total outage) | A, G | A, B | A, G | A, D, G | A, D, G |
| Single registered cab - temporary | F | B, F | F | D, F | F |
| Single registered cab - permanent | F | B, F | F | D, F | F |
| Multiple uncorrelated cab (TD.net outage) | F | B, F | F | D, F | D, F |
| Multiple uncorrelated cab (TD feed outage) | F | E, F | F | D, F | D, F |
| DSD/PA link unavailable | G | B, G | G | D, G | D, G |
| Single terminal failure | G, H | E, G, H | G, H | D, G, H | D, G, H |
| Multiple terminal failure | G, H | E, G, H | G, H | D, G, H | D, G, H |
| Driver:driver communication only* | G | B, G | G | D, G | D, G |

*Does not affect calls from SPTs

Where:

A. Delays are accrued in the event that a radio is required to help ease other operational disruptions eg stop at signal/failed signalling but no radio is available on-board train.

B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys. Part cancellation assumed to be 25 equivalent delay minutes. Full cancellation assumed to be 50 equivalent delay minutes.

C. Delays accrued to obtain hand/transportable.

D. Delays accrued from running at reduced speed.

E. Part cancellation of trains, through a particular section.

F. Delays from rerouting call, initial call goes to nominated rather than controlling signaller.

G. Delays from the signaller not being able to contact a member of on board staff.

H. Delays from the driver not being able to contact the controlling signaller at all.


Appendix I Modelling assumptions

The following assumptions were included in the risk modelling.

I.1 Philosophical assumptions

• SPTs are available at every signal and therefore the average distance between signals is 0.66 miles.
• The type of train detection does not impact the frequency or consequences of GSM-R radio failure.
• Only one approaching train is at risk of hitting the wreckage of a previous accident.
• 50% likelihood of the driver of an affected cab radio being the one to initiate a REC or call. Similarly 50% likelihood of the driver of an affected cab radio being the one to receive a REC or call.
• The train broadcasting a REC is stationary (this is a simplification for the calculations).
• In-cab radio is Siemens version 2.
• The same network strength coverage is needed for both red and yellow button calls.
• Cab/network faults occur halfway through the operating day, half-way through the current journey.
• Network problems are fixed at the end of the day.
• There is always a rolling stock technician at each available location in order to install a transportable.
• Reduction in speed only benefits passenger/ECS trains ie not freight (as the average speed is below the reduced speed limit, taken to be 60mph). Reduction in speed only benefits hazard events where speed is considered a factor of the consequences ie includes derailments and collisions but not train fires, explosions etc. The effect of the speed reduction is based on the average speed before the reduction relative to the average speed after the reduction (as estimated from timetable analysis).
• When using an unregistered cab radio, the radio does not mitigate against collisions/derailments due to miscommunication.
• If the cab radio is unregistered the DSD and PA link still works.
• Part/full cancellation of trains do not incur reactionary delays.
• Each train service type model is made up of only trains of the same type.
• The strength of signal from a BTS decays at a rate proportional to the inverse square of the distance from the BTS.
• Response 3 uses the results (availability and coverage) of the NRN study [Ref: 2] for a GSM-R registered handportable.
• The number of hours before a speed restriction is put in place (response 5) is 4 hours.
• The knock-on risk from delays such as overcrowding at stations, passenger loadings on trains, assaults has not been included in the assessment as a simplification (timescales of the project) and due to uncertainty in previous estimates for other projects.
• Cancelling a train removes all risk from that train

I.2 Numerical assumptions

These are based on both data (D) and expert judgement (E).


• Part cancellation is taken to be 25 equivalent delay minutes. Full cancellation is taken to be 50 equivalent delay minutes.
• There are 2380 BTS and 9 BSC on the GSM-R network (D).
• There are 673 signallers working at any one time (taken from the number of terminals) (D).
• The average distance of track covered by a signaller is 23km (the average track km per signaller) (D).
• The probability that a driver initiated yellow button call goes to the wrong signaller is 0.1 (E) – this is considered conservative.
• The probability that the train latches onto the wrong base station is 0.02 (E).
• The times to contact signallers agreed for the NRN study [Ref: 2] equally apply and in addition:
  • It takes 30 minutes for help to arrive via a single line (E).
  • It takes 5 minutes to receive and setup a hand/transportable at an available station (E).
  • It takes an additional 2 minutes to contact a signaller via an SPT or platform phone (E).
• Reactionary delay is 3 times the primary delay (D).
• There are 31,073,000 track metres (D).
• 488,217,472 passenger train km, 45,839,064 freight train km, 22,379,000 ECS train km (D).
• The proportion of track that is single track (weighted by train miles) is 0.069 (D).
• The rate at which a DOO(P) service has needed help via the PA link is once every 10 years (D).
• The additional safety benefit the DSD/PA link provides to the driver is 0.04 FWI/event (E).
• There are 18 operational hours per day, and 363.25 operational days per year (D).
• The value of preventing a fatality (VPF) is £1,763,000 per FWI (D).
• Driver reaction time to apply brakes is 5 seconds, the brake build-up time is 2 seconds (E).
• The minimum strength required for cab mobile is -101dBm, the optimum strength for a cab mobile is -98dBm (D).
• The probability of the faulty cab being used to return the train to the maintenance depot is 0.5 (E).
• The number of signallers affected by a multiple terminal outage or TD.net feed problem is 15 (E).

I.3 Train type assumptions

These are based on both data (D) and expert judgement (E).

| Assumption | Intercity | Suburban | Suburban DOO(P) | Freight |
| --- | --- | --- | --- | --- |
| Cost of delay (£/minute) | 117 (D) | 35 (D) | 35 (D) | 17 (D) |
| Distance between needs to contact the signaller (miles) | 400 (E) | 50 (E) | 50 (E) | 60 (E) |
| National journeys per day | 2580 (D) | 8302 (D) | 8472 (D) | 865 (D) |
| Journeys per day on a typical route | 127 (D) | 144 (D) | 144 (D) | 10 (E) |
| Journeys per day per train set | 4 (D/E) | 14.4 (D/E) | 14.4 (D/E) | 2 (D/E) |
| Typical journey lengths (km) | 169 (D) | 58 (D) | 60 (D) | 66 (D) |
| Average journey lengths to next available location (km) | 42 (D/E) | 15 (D/E) | 15 (D/E) | 33 (E) |
| Average journey lengths to next suitable locations (km) | 23 (D/E) | 8 (D/E) | 8 (D/E) | 33 (E) |
| Average journey lengths to maintenance depot (km) | 64 (D/E) | 22 (D/E) | 22 (D/E) | 33 (E) |


Appendix J Hazardous events mitigated by GSM-R radio

This appendix includes a list of the hazardous events modelled in the Safety Risk Model version 7 [Ref: 20] that are considered to be partially mitigated by GSM-R radio.

HET-01 Collision between two passenger trains resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF

HET-02 Collision between a passenger train and non-passenger train resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF

HET-03 Collision between two non-passenger trains resulting from a: non-passenger train Cat A SPAD; runaway train; misrouted train; or WSF

HET-04 Collision of train with object (not resulting in derailment)

HET-10 Passenger train collision with road vehicle on level crossing

HET-11 Non-passenger train collision with road vehicle on level crossing

HET-12 Derailment of passenger train

HET-13 Derailment of non-passenger train

HET-17 Fire on passenger train

HEM-01 Passenger injury during evacuation following stopped train (not at a platform)

HEM-12 MOP (trespasser) struck/crushed by train while on tracks at station

HEM-14 Workforce (not infrastructure worker) struck/crushed by train

HEM-25 MOP (trespasser) struck/crushed by train while on railway infrastructure not at station

HEN-13 Passenger fall from platform onto track (no electric shock nor struck by train)

HEN-67 MOP (non-trespasser) fall from platform onto track (no electric shock nor struck by train)


Appendix K Safety benefits

K.1 Safety benefits by function loss scenario

The response options with the greatest safety benefit are highlighted in green.

K.1.1 Intercity

Safety benefit (£/event) by response:

| Functional loss | 1 Cancel trains | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 1 | 2 | 5 | 3 |
| Small radio network outage | 1 | 0 | 3 | 2 |
| Medium radio network outage | 980 | 0 | 2,900 | 1,600 |
| Large radio network outage | 3,700 | 0 | 11,000 | 6,200 |
| Single unregistered cab radio - temporary | 0 | 0 | <1 | 0 |
| Single unregistered cab radio - permanent | <1 | >-1 | 1 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 56 | 0 | 10,000 | 5,700 |
| Multiple uncorrelated cab radios (TD feed outage) | 1 | 0 | 230 | 130 |
| DSD/PA link unavailable | >-1 | 0 | 5 | 3 |
| Single radio terminal failure | 5 | 0 | 42 | 23 |
| Multiple radio terminal failure | 28 | 0 | 240 | 130 |
| Driver:driver communications only | 1,300 | 0 | 11,000 | 5,900 |


K.1.2 Suburban train types

Safety benefit (£/event) by response:

| Functional loss | 1 Cancel trains | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 2 | 2 | 3 | 2 |
| Small radio network outage | 1 | 0 | 2 | <1 |
| Medium radio network outage | 290 | 0 | 420 | 230 |
| Large radio network outage | 3,200 | 0 | 4,700 | 2,600 |
| Single unregistered cab radio - temporary | 0 | 0 | <1 | 0 |
| Single unregistered cab radio - permanent | <1 | >-1 | <1 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 51 | 0 | 4,300 | 2,400 |
| Multiple uncorrelated cab radios (TD feed outage) | 1 | 0 | 97 | 54 |
| DSD/PA link unavailable | >-1 | 0 | 3 | 2 |
| Single radio terminal failure | 5 | 0 | 20 | 11 |
| Multiple radio terminal failure | 25 | 0 | 100 | 55 |
| Driver:driver communications only | 1,100 | 0 | 4,500 | 2,500 |


K.1.3 Suburban DOO(P) train types

Safety benefit (£/event) by response:

| Functional loss | 1 Cancel trains | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 2 | 2 | 7 | 5 |
| Small radio network outage | 1 | 0 | 4 | 2 |
| Medium radio network outage | 300 | 0 | 1,000 | 570 |
| Large radio network outage | 3,300 | 0 | 11,000 | 6,300 |
| Single unregistered cab radio - temporary | 0 | 0 | <1 | 0 |
| Single unregistered cab radio - permanent | <1 | >-1 | <1 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 51 | 0 | 11,000 | 6,100 |
| Multiple uncorrelated cab radios (TD feed outage) | 1 | 0 | 240 | 140 |
| DSD/PA link unavailable | >-1 | >-1 | 6 | 5 |
| Single radio terminal failure | 5 | 0 | 50 | 28 |
| Multiple radio terminal failure | 27 | 0 | 250 | 140 |
| Driver:driver communications only | 1,200 | 0 | 11,000 | 6,200 |


K.1.4 Freight train types

Safety benefit (£/event) by response:

| Functional loss | 1 Cancel trains | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | <1 | <1 | 0 | 0 |
| Small radio network outage | <1 | 0 | 0 | 0 |
| Medium radio network outage | 500 | 0 | 0 | 0 |
| Large radio network outage | 4,800 | 0 | 0 | 0 |
| Single unregistered cab radio - temporary | 0 | 0 | 0 | 0 |
| Single unregistered cab radio - permanent | >-1 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 140 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD feed outage) | 3 | 0 | 0 | 0 |
| DSD/PA link unavailable | 0 | 0 | 0 | 0 |
| Single radio terminal failure | <1 | 0 | 0 | 0 |
| Multiple radio terminal failure | 35 | 0 | 0 | 0 |
| Driver:driver communications only | 1,500 | 0 | 0 | 0 |


K.2 Safety benefits by observation scenario

K.2.1 Intercity type trains

Safety benefit (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 550 | <1 | 1,700 | 920 |
| GSM-R GB | 2,700 | 2,200 | 15,000 | 8,700 |
| Blank screen | 130 | 140 | 470 | 270 |
| Registration - lead driver | 2 | >-1 | 1,600 | 160 |
| Registration - duplicate | 2 | >-1 | 290 | 160 |
| Registration - PA | -20 | 0 | 470 | 270 |
| Failure/fault | 820 | 890 | 3,100 | 1,800 |

K.2.2 Suburban train types

Safety benefit (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 450 | <1 | 680 | 380 |
| GSM-R GB | 3,300 | 2,600 | 7,600 | 5,000 |
| Blank screen | 160 | 160 | 240 | 180 |
| Registration - lead driver | 2 | >-1 | 580 | 68 |
| Registration - duplicate | 1 | >-1 | 120 | 68 |
| Registration - PA | -7 | 0 | 250 | 180 |
| Failure/fault | 1,000 | 1,000 | 1,600 | 1,200 |


K.2.3 Suburban DOO(P) train types

Safety benefit (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 470 | <1 | 1,600 | 910 |
| GSM-R GB | 3,500 | 2,600 | 19,000 | 13,000 |
| Blank screen | 170 | 160 | 600 | 440 |
| Registration - lead driver | 2 | >-1 | 1,500 | 170 |
| Registration - duplicate | 1 | >-1 | 310 | 170 |
| Registration - PA | -1 | -12 | 640 | 460 |
| Failure/fault | 1,100 | 1,100 | 3,900 | 2,800 |

K.2.4 Freight train types

Safety benefit (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 150 | <1 | 0 | 0 |
| GSM-R GB | 400 | 330 | 0 | 0 |
| Blank screen | 10 | 20 | 0 | 0 |
| Registration - lead driver | 3 | 0 | 0 | 0 |
| Registration - duplicate | 4 | 0 | 0 | 0 |
| Registration - PA | 0 | 0 | 0 | 0 |
| Failure/fault | 67 | 130 | 0 | 0 |


Appendix L Operational delays

The response options with the most operational delays are highlighted in red. The response options with the least operational delays are highlighted in green. Values are presented as costs. Negative values therefore represent an operational delay saving relative to the base case – continue in service.

L.1 Operational delay by functional scenario

L.1.1 Intercity train types

Operational delay (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 22,000,000 | -600,000 | 160,000,000 | 92,000,000 |
| Small radio network outage | 63,000,000 | 0 | 16,000,000 | 9,100,000 |
| Medium radio network outage | 290,000 | 0 | 4,300,000 | 2,400,000 |
| Large radio network outage | 1,000,000 | 0 | 2,800,000 | 1,600,000 |
| Single unregistered cab radio - temporary | 37,000,000 | 0 | 15,000,000 | 0 |
| Single unregistered cab radio - permanent | 2,900,000 | 140,000 | 4,600,000 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 1,100,000 | 0 | 2,800,000 | 1,500,000 |
| Multiple uncorrelated cab radios (TD feed outage) | 1,100,000 | 0 | 6,200,000 | 3,400,000 |
| DSD/PA link unavailable | 4,700,000 | 0 | 29,000,000 | 17,000,000 |
| Single radio terminal failure | 22,000,000 | 0 | 38,000,000 | 21,000,000 |
| Multiple radio terminal failure | 3,000,000 | 0 | 18,000,000 | 9,800,000 |
| Driver:driver communications only | 270,000 | 0 | 730,000 | 400,000 |


L.1.2 Suburban train types

Operational delay (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 21,000,000 | -5,700,000 | 38,000,000 | 27,000,000 |
| Small radio network outage | 21,000,000 | 0 | 3,600,000 | 2,000,000 |
| Medium radio network outage | 56,000 | 0 | 290,000 | 160,000 |
| Large radio network outage | 220,000 | 0 | 540,000 | 300,000 |
| Single unregistered cab radio - temporary | 120,000,000 | 0 | 3,000,000 | 0 |
| Single unregistered cab radio - permanent | 3,200,000 | 34,000 | 300,000 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 290,000 | 0 | 540,000 | 300,000 |
| Multiple uncorrelated cab radios (TD feed outage) | 270,000 | 0 | 1,200,000 | 660,000 |
| DSD/PA link unavailable | 5,000,000 | 0 | 6,900,000 | 5,200,000 |
| Single radio terminal failure | 6,200,000 | 0 | 8,300,000 | 4,600,000 |
| Multiple radio terminal failure | 400,000 | 0 | 3,400,000 | 1,900,000 |
| Driver:driver communications only | 61,000 | 0 | 140,000 | 78,000 |


L.1.3 Suburban DOO(P) train types

Operational delay (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | -21,000,000 | 5,900,000 | -39,000,000 | -28,000,000 |
| Small radio network outage | -21,000,000 | 0 | -3,600,000 | -2,000,000 |
| Medium radio network outage | -78,000 | 0 | -290,000 | -160,000 |
| Large radio network outage | -220,000 | 0 | -540,000 | -300,000 |
| Single unregistered cab radio - temporary | -110,000,000 | 0 | -3,000,000 | 0 |
| Single unregistered cab radio - permanent | -3,200,000 | -34,000 | -310,000 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | -290,000 | 0 | -540,000 | -300,000 |
| Multiple uncorrelated cab radios (TD feed outage) | -270,000 | 0 | -1,200,000 | -660,000 |
| DSD/PA link unavailable | -5,000,000 | 0 | -7,100,000 | -5,300,000 |
| Single radio terminal failure | -6,200,000 | 0 | -8,300,000 | -4,600,000 |
| Multiple radio terminal failure | -400,000 | 0 | -3,400,000 | -1,900,000 |
| Driver:driver communications only | -61,000 | 0 | -140,000 | -78,000 |


L.1.4 Freight train types

Operational delay (£/year) by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 620,000 | -17,000 | 0 | 0 |
| Small radio network outage | 710,000 | 0 | 0 | 0 |
| Medium radio network outage | 41,000 | 0 | 0 | 0 |
| Large radio network outage | 120,000 | 0 | 0 | 0 |
| Single unregistered cab radio - temporary | 1,800,000 | 0 | 0 | 0 |
| Single unregistered cab radio - permanent | 210,000 | 21,000 | 0 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 140,000 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD feed outage) | 140,000 | 0 | 0 | 0 |
| DSD/PA link unavailable | 340,000 | 0 | 0 | 23,000 |
| Single radio terminal failure | 230,000 | 0 | 0 | 0 |
| Multiple radio terminal failure | 230,000 | 0 | 0 | 0 |
| Driver:driver communications only | 31,000 | 0 | 0 | 0 |


L.2 Operational delay by observation scenario

L.2.1 Intercity train types

Operational delay (£/year) by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 64,000,000 | -3 | 23,000,000 | 13,000,000 |
| GSM-R GB | 43,000,000 | -410,000 | 190,000,000 | 110,000,000 |
| Blank screen | 910,000 | -25,000 | 6,600,000 | 3,900,000 |
| Registration - lead driver | 41,000,000 | 130,000 | 24,000,000 | 2,500,000 |
| Registration - duplicate | 1,100,000 | 2,300 | 4,600,000 | 2,500,000 |
| Registration - PA | 1,200,000 | 0 | 7,300,000 | 4,300,000 |
| Failure/fault | 6,000,000 | -170,000 | 43,000,000 | 25,000,000 |

L.2.2 Suburban train types

Operational delay (£/year) by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 21,000,000 | -33 | 4,400,000 | 2,500,000 |
| GSM-R GB | 25,000,000 | -3,900,000 | 43,000,000 | 29,000,000 |
| Blank screen | 870,000 | -240,000 | 1,600,000 | 1,100,000 |
| Registration - lead driver | 120,000,000 | 34,000 | 4,100,000 | 480,000 |
| Registration - duplicate | 330,000 | 580 | 870,000 | 480,000 |
| Registration - PA | 1,300,000 | 0 | 1,700,000 | 1,300,000 |
| Failure/fault | 5,700,000 | -1,600,000 | 10,000,000 | 7,500,000 |


L.2.3 Suburban DOO(P) train types

Operational delay (£/year) by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 21,000,000 | -34 | 4,400,000 | 2,500,000 |
| GSM-R GB | 24,000,000 | -4,000,000 | 44,000,000 | 30,000,000 |
| Blank screen | 860,000 | -250,000 | 1,600,000 | 1,200,000 |
| Registration - lead driver | 120,000,000 | 34,000 | 4,100,000 | 480,000 |
| Registration - duplicate | 330,000 | 580 | 870,000 | 480,000 |
| Registration - PA | 1,300,000 | 0 | 1,800,000 | 1,300,000 |
| Failure/fault | 5,600,000 | -1,600,000 | 11,000,000 | 7,700,000 |

L.2.4 Freight train types

Operational delay (£/year) by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | -870,000 | <1 | 0 | 0 |
| GSM-R GB | -1,200,000 | -12,000 | 0 | -17,000 |
| Blank screen | -26,000 | -730 | 0 | 0 |
| Registration - lead driver | -2,200,000 | -21,000 | 0 | 0 |
| Registration - duplicate | -140,000 | -360 | 0 | 0 |
| Registration - PA | -85,000 | 0 | 0 | -5,700 |
| Failure/fault | -170,000 | -4,800 | 0 | 0 |


Appendix M Functional loss scenario comparisons

M.1 Intercity train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per functional loss scenario: Single cab radio failure; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal failure; Multiple radio terminal failure; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

M.2 Suburban train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per functional loss scenario: Single cab radio failure; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal failure; Multiple radio terminal failure; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

M.3 Suburban DOO train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per functional loss scenario: Single cab radio failure; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal failure; Multiple radio terminal failure; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

M.4 Freight train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per functional loss scenario: Single cab radio failure; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal failure; Multiple radio terminal failure; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

Appendix N Observation scenario comparisons

N.1 Intercity train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

N.2 Suburban train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

N.3 Suburban DOO(P) train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

N.4 Freight train types

[Charts: operational benefit (£k/year) and safety benefit (£k/year) for response options 1 to 4, one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see.

Appendix O Benefit cost ratios

BCRs highlighted in green are negative but show potential for safety benefits and operational delay savings.

BCRs highlighted in red are negative but show potential for safety disbenefits as well as operational delay costs.

O.1 Functional loss scenarios

O.1.1 Intercity type trains

BCR by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Small radio network outage | 1.2 x 10^-5 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Medium radio network outage | 7.2 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Large radio network outage | 1.3 x 10^-4 | 0 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Single unregistered cab radio - temporary | 0 | 0 | 1.3 x 10^-4 | 0 |
| Single unregistered cab radio - permanent | 4.3 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 1.8 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Multiple uncorrelated cab radios (TD feed outage) | 3.9 x 10^-6 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| DSD/PA link unavailable | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Single radio terminal failure | 5.7 x 10^-5 | 0 | 2.7 x 10^-4 | 2.7 x 10^-4 |
| Multiple radio terminal failure | 9.4 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Driver:driver communications only | 4.3 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |


O.1.2 Suburban train types

BCR by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| Small radio network outage | 3.5 x 10^-5 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| Medium radio network outage | 1.1 x 10^-3 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| Large radio network outage | 5.1 x 10^-4 | 0 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| Single unregistered cab radio - temporary | 0 | 0 | 2.8 x 10^-4 | 0 |
| Single unregistered cab radio - permanent | 1.2 x 10^-7 | -1.1 x 10^-5 | 2.8 x 10^-4 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 6.2 x 10^-6 | 0 | 2.8 x 10^-4 | 2.8 x 10^-4 |
| Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-5 | 0 | 2.8 x 10^-4 | 2.8 x 10^-4 |
| DSD/PA link unavailable | -1.1 x 10^-5 | 0 | 2.8 x 10^-4 | 2.7 x 10^-4 |
| Single radio terminal failure | 1.9 x 10^-4 | 0 | 5.8 x 10^-4 | 5.8 x 10^-4 |
| Multiple radio terminal failure | 6.1 x 10^-4 | 0 | 2.9 x 10^-4 | 2.9 x 10^-4 |
| Driver:driver communications only | 1.7 x 10^-4 | 0 | 2.9 x 10^-4 | 2.9 x 10^-4 |


O.1.3 Suburban-DOO(P) train types

BCR by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| Small radio network outage | 3.6 x 10^-5 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| Medium radio network outage | 8.2 x 10^-4 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| Large radio network outage | 5.3 x 10^-4 | 0 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| Single unregistered cab radio - temporary | 0 | 0 | 7.1 x 10^-4 | 0 |
| Single unregistered cab radio - permanent | 1.2 x 10^-7 | -4.3 x 10^-5 | 7.1 x 10^-4 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 6.2 x 10^-6 | 0 | 7.1 x 10^-4 | 7.1 x 10^-4 |
| Multiple uncorrelated cab radios (TD feed outage) | 1.5 x 10^-5 | 0 | 7.1 x 10^-4 | 7.1 x 10^-4 |
| DSD/PA link unavailable | -1.6 x 10^-6 | 0 | 7.1 x 10^-4 | 6.9 x 10^-4 |
| Single radio terminal failure | 2.1 x 10^-4 | 0 | 1.4 x 10^-3 | 1.4 x 10^-3 |
| Multiple radio terminal failure | 6.7 x 10^-4 | 0 | 7.2 x 10^-4 | 7.2 x 10^-4 |
| Driver:driver communications only | 1.8 x 10^-4 | 0 | 7.2 x 10^-4 | 7.2 x 10^-4 |


O.1.4 Freight train types

BCR by response:

| Functional loss | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Single cab radio failure | 7.9 x 10^-4 | -5.5 x 10^-2 | 0 | 0 |
| Small radio network outage | 4.6 x 10^-5 | 0 | 0 | 0 |
| Medium radio network outage | 2.6 x 10^-3 | 0 | 0 | 0 |
| Large radio network outage | 1.4 x 10^-3 | 0 | 0 | 0 |
| Single unregistered cab radio - temporary | 0 | 0 | 0 | 0 |
| Single unregistered cab radio - permanent | -8.5 x 10^-6 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD.net outage) | 3.6 x 10^-5 | 0 | 0 | 0 |
| Multiple uncorrelated cab radios (TD feed outage) | 8.1 x 10^-5 | 0 | 0 | 0 |
| DSD/PA link unavailable | 0 | 0 | 0 | 0 |
| Single radio terminal failure | 4.5 x 10^-4 | 0 | 0 | 0 |
| Multiple radio terminal failure | 1.5 x 10^-3 | 0 | 0 | 0 |
| Driver:driver communications only | 4.6 x 10^-4 | 0 | 0 | 0 |


O.2 Observation scenarios

O.2.1 Intercity train types

BCR by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 1.7 x 10^-5 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| GSM-R GB | 1.3 x 10^-4 | -1.1 x 10^-2 | 1.6 x 10^-4 | 1.6 x 10^-4 |
| Blank screen | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |
| Registration - lead driver | 1.1 x 10^-7 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Registration - duplicate | 2.8 x 10^-6 | -9.2 x 10^-6 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Registration - PA | -3.5 x 10^-5 | 0 | 1.3 x 10^-4 | 1.3 x 10^-4 |
| Failure/fault | 2.8 x 10^-4 | -1.1 x 10^-2 | 1.4 x 10^-4 | 1.4 x 10^-4 |

O.2.2 Suburban train types

BCR by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 4.3 x 10^-5 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| GSM-R GB | 2.7 x 10^-4 | -1.3 x 10^-3 | 3.6 x 10^-4 | 3.5 x 10^-4 |
| Blank screen | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4 |
| Registration - lead driver | 2.7 x 10^-8 | -1.1 x 10^-5 | 2.8 x 10^-4 | 2.8 x 10^-4 |
| Registration - duplicate | 8.7 x 10^-6 | -1.1 x 10^-5 | 2.8 x 10^-4 | 2.8 x 10^-4 |
| Registration - PA | -1.1 x 10^-5 | 0 | 2.8 x 10^-4 | 2.7 x 10^-4 |
| Failure/fault | 3.7 x 10^-4 | -1.3 x 10^-3 | 3.1 x 10^-4 | 3.1 x 10^-4 |


O.2.3 Suburban DOO(P) train types

BCR by response:

| Observation | 1 Cancel | 2 Hand/transportable | 3 Reduced speed | 4 Delayed reduced speed |
| --- | --- | --- | --- | --- |
| Searching for networks | 4.4 x 10^-5 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| GSM-R GB | 2.9 x 10^-4 | -1.3 x 10^-3 | 8.7 x 10^-4 | 8.4 x 10^-4 |
| Blank screen | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4 |
| Registration - lead driver | 2.8 x 10^-8 | -4.3 x 10^-5 | 7.1 x 10^-4 | 7.1 x 10^-4 |
| Registration - duplicate | 8.7 x 10^-6 | -4.3 x 10^-5 | 7.1 x 10^-4 | 7.1 x 10^-4 |
| Registration - PA | -1.6 x 10^-6 | 0 | 7.1 x 10^-4 | 6.9 x 10^-4 |
| Failure/fault | 3.9 x 10^-4 | -1.3 x 10^-3 | 7.4 x 10^-4 | 7.4 x 10^-4 |

O.2.4 Freight train types

BCR by observation and response

| Observation | Response 1: Cancel | Response 2: Hand/transportable | Response 3: Reduced speed | Response 4: Delayed reduced speed |
|---|---|---|---|---|
| Searching for networks | 3.5 × 10⁻⁴ | -5.5 × 10⁻² | 0 | 0 |
| GSM-R GB | 6.8 × 10⁻⁴ | -5.5 × 10⁻² | 0 | 0 |
| Blank screen | 7.9 × 10⁻⁴ | -5.5 × 10⁻² | 0 | 0 |
| Registration - lead driver | 2.9 × 10⁻⁶ | 0 | 0 | 0 |
| Registration - duplicate | 5.6 × 10⁻⁵ | 0 | 0 | 0 |
| Registration - PA | 0 | 0 | 0 | 0 |
| Failure/fault | 7.9 × 10⁻⁴ | -5.5 × 10⁻² | 0 | 0 |


Appendix P Sensitivity analysis

P.1 The cost of delays

The assumed cost of delay per minute affects the disproportionality between safety benefits and operational delays. The average delay minutes were calculated from a sample of TRUST data (for 30 December 2011 – 1 January 2012, some 493,000 entries), and are shown in Table 10.

Table 10: Sensitivity of cost per delay minute (for cab radio defects and cancelling trains)

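The 10:1, 5:1 and 1:1 columns give the delay cost (£/minute) required to achieve that operational delay:safety benefit ratio.

| Train type | Average delay cost (£/minute) | 10:1 | 5:1 | 1:1 |
|---|---|---|---|---|
| Intercity | 117 | 0.05 | 0.03 | <0.01 |
| Suburban | 35 | <0.01 | <0.01 | <0.01 |
| Suburban DOO(P) | 35 | <0.01 | <0.01 | <0.01 |
| Freight | 17 | 0.10 | 0.05 | 0.01 |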

The costs per delay minute required to make the cost of operational delay a similar magnitude to the safety disbenefits (that is, to remove the grossly disproportionate argument) are significantly lower than the average delay costs, and unrealistic. Therefore the conclusions are not considered to be sensitive to the assumed cost of delays.

P.2 The rate of reactionary delay incurred

The rate of reactionary delay was estimated from analysis completed for the REC risk assessment [Ref: 25]. For different locations such as Cheddington, Dovey Junction, Clapham Junction and Strathclyde, the delays per minute for the affected train (the source of the primary delay) were calculated relative to the delays incurred to following trains (the reactionary delay). For both Dovey Junction and Cheddington the reactionary delay was estimated to be equivalent to the primary delay. For Clapham Junction, the reactionary delay was estimated to be around three times the primary delay, whereas for Strathclyde, the reactionary delay was estimated to be around nine times that of the primary. As such the mid value of three was taken for generating the risk assessment results, and sensitivity analysis was completed for reactionary delay being one and nine times the primary delay.

The sensitivity analysis shows that for intercity, suburban and suburban DOO(P), continuing service with a hand/transportable (response 3) or without (response 2) remain the best options in all cases. However, in locations where the reactionary delay could be nine times the primary, cancelling trains (response 1) offers some reduction in benefit over reduced speed (response 4) and delayed reduced speed (response 5) for some functional loss scenarios (such as single cab radio failures and large radio network outages). This is because no reactionary delay is assumed in the model where trains are part or fully cancelled. Conversely, in locations where the reactionary delay could be equal to the primary, cancelling trains (response 1) appears worse for some functional loss scenarios than delayed reduced speed (response 5).


For freight type trains the results are not particularly sensitive to reactionary delay. The exceptions are:

• single cab radio failures, for which, in areas of nine times reactionary delay, using a hand/transportable becomes the least operationally costly option

• multiple radio terminal failures and driver:driver communications only, for which, in areas of nine times reactionary delay, cancelling trains (response 1) becomes the most favourable response.

P.3 The version of the cab radio software

It was assumed at the start of the risk assessment study that the version of the cab radio software would be Siemens version 2. However, it may be some time before all existing users are upgraded to this version. One of the key differences of this version, compared to version 1E, is that the observation scenario Registration - duplicate is virtually eradicated.

If version 1E were considered instead, this would change the frequency of cab radios not being able to register a journey, and increase the estimated cost per year due to GSM-R radio registration issues. Although it changes the frequency, it does so to both safety benefit and operational delays, and as the error does not impact the consequences, it does not change the balance between preferred response options.

P.4 The number of base transceiver stations (BTSs)

The initial design for the GSM-R system included the provision of 2380 BTSs. However, as rollout and commissioning are undertaken, this number may increase to improve network reliability. As such the risk assessment was also run with 3000 BTSs to account for the potential increase.

More BTSs mean a greater likelihood of a BTS failure, but now with lesser consequences, as the blackspots created by a failed BTS will be smaller. As such the change in risk is small and does not impact the conclusions of the study.

P.5 The number of registrations

The risk assessment was based on full GSM-R rollout for current levels of operations; that is around 20,000 registrations (or train journeys) per day. However, once GSM-R rollout is complete the level of operations may have increased. To test the effects of this the model was also run with a 25% increase in train journeys, and therefore registrations.

The increase in registrations also gives a proportional increase in failed registrations, cab radios and trains affected by network failures. Thus in this sensitivity test the safety benefit increases for each of the response options considered. However, the operational delay associated with each response option also increases and, as before, where it was grossly disproportionate to the safety benefits it remains so. Therefore the conclusions of this study are not considered to be sensitive to the number of registrations.

P.6 How network signal fluctuations are observed by the driver

An initial assumption made during the development of the model was that when the cab radio loses the network signal it displays searching for networks. However, there is a transition period between losing the signal completely and when the strength of the signal is not strong enough to make a call. In the case of the latter, the cab radio may still display GSM-R GB. It is unclear what proportion of instances where the signal is reduced will display GSM-R GB rather than searching for networks. So sensitivity analysis has been carried out assuming 50% and 90% of the time the cab radio may display GSM-R GB.

This switch does not affect the overall conclusions about whether the response options considered are reasonably practicable. This is because both the safety benefit and operational delays change in proportion with the change in frequency.

However, what does change is that, when GSM-R GB is displayed and the cab radio fails on demand, the likelihood of the cause being a cab radio defect is reduced (from 71% to 8% at the 50% split between GSM-R GB and searching for networks, and to 5% at the 90% split). Therefore the display of GSM-R GB cannot be concluded to be a cab defect without further diagnosis.
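The P.6 percentages can be cross-checked with a base-rate calculation. This is an added example, not part of the report or its model: it assumes a simple frequency model in which weak-signal events that display GSM-R GB are added to the existing pool of GSM-R GB failures, and the function names and the relative-rate normalisation are assumptions.

```python
"""Added example: base-rate check of the P.6 figures (assumed model, not the report's)."""

# Percentages quoted in P.6 of the report.
BASELINE_DEFECT_SHARE = 0.71  # defect share of 'GSM-R GB' fail-on-demand events, original assumption
DEFECT_SHARE_AT_50 = 0.08     # defect share when 50% of weak-signal events display 'GSM-R GB'


def defect_share(split, weak_signal_rate, baseline=BASELINE_DEFECT_SHARE):
    """Share of 'GSM-R GB' fail-on-demand events caused by a cab radio defect.

    All rates are relative to the baseline frequency of 'GSM-R GB' failures
    (taken as 1.0), of which `baseline` are cab radio defects. `split` is the
    fraction of weak-signal events that display 'GSM-R GB' instead of
    'searching for networks'; `weak_signal_rate` is their relative frequency.
    """
    if not 0.0 <= split <= 1.0:
        raise ValueError("split must be between 0 and 1")
    if weak_signal_rate < 0.0:
        raise ValueError("weak_signal_rate must be non-negative")
    # Defect events are unchanged; only the pool of 'GSM-R GB' events grows.
    return baseline / (1.0 + split * weak_signal_rate)


def implied_weak_signal_rate(split, observed_share, baseline=BASELINE_DEFECT_SHARE):
    """Back-solve the relative weak-signal rate from one observed defect share."""
    if not 0.0 < split <= 1.0:
        raise ValueError("split must be in (0, 1]")
    if not 0.0 < observed_share <= baseline:
        raise ValueError("observed_share must be in (0, baseline]")
    return (baseline / observed_share - 1.0) / split


def cross_check():
    """Fit the model to the 50% figure, then predict the 90% figure."""
    rate = implied_weak_signal_rate(0.5, DEFECT_SHARE_AT_50)
    return rate, defect_share(0.9, rate)


if __name__ == "__main__":
    rate, share_90 = cross_check()
    print(f"weak-signal events per baseline 'GSM-R GB' failure: {rate:.2f}")
    print(f"predicted defect share at the 90% split: {share_90:.1%}")
```

Under this assumed model the 71%, 8% and 5% figures are mutually consistent, and they imply that weak-signal events are far more frequent than the failures originally attributed to the GSM-R GB display, which is why that display alone stops being a useful indicator of a cab defect.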

P.7 The GSM-R cab radio and network failure rates

There is a degree of uncertainty associated with the failure rates used to calculate both the risk and operational delays. Where possible the rates were estimated with data recorded from routes already using GSM-R or design estimates. However, as more experience of the system is obtained these rates may change.

Therefore sensitivity analysis was carried out for +/- 10% change in cab radio failure rates and +/- 10% change in network failure rates. As shown with previous sensitivity tests, this leads to proportionate changes in both safety benefit and operational delays for each of the response options considered. Therefore although the absolute levels of risk and operational delays change for each response option considered, where the costs of delays were grossly disproportionate to the safety benefit they remain so. Therefore the conclusions of this study with respect to response options are not considered to be affected by errors in the failure rates.
