Remember this:
When a train order has been repeated and before "complete" has been given, the order must be treated as a holding order for the train addressed, but must not be otherwise acted upon until "complete" has been given.
If the means of communication fail before an office has repeated an order, the order at that station is of no effect and must be there treated as if it had not been sent.
This rule, of course, was an attempt to reconcile the transmission of vital information over means of communication that were not themselves vital. By vital, I mean authorizing, or restricting the authority of, train movement. And as a consequence of that authorizing function, anything operationally vital has to be designed to always fail in the safe mode.
Back in the day, the train order was vital, but the block line, the telephone, the radio were not. Hence the elaborate procedures for ensuring the correct issuance, copying, repeating, and delivery of the orders, and for "withdrawing" or stopping the process should the means of communication fail before the order was repeated.
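The "repeat / complete" procedure quoted above is, in modern terms, a small protocol whose every unfinished path must end in "hold" or "void", never in "proceed". The following is an added example, not part of the original post and not drawn from any rulebook, that models that procedure as a state machine and then exhaustively checks the fail-safe property. The state and event names, and the transition table, are this example's own assumptions about how the rule reads.

```python
"""Added example (not from the original post): the 'repeat / complete'
train-order procedure modelled as a state machine whose only reachable
outcomes, short of an explicit "complete", are HOLD (repeated) or VOID.
State and event names are this example's own, not rulebook terms."""
from enum import Enum
from itertools import product


class State(Enum):
    SENT = "sent"            # dispatcher has transmitted the order
    REPEATED = "repeated"    # office has repeated it back: a holding order
    COMPLETE = "complete"    # "complete" given: order may be acted upon
    VOID = "void"            # line failed before repeat: treat as never sent


class Event(Enum):
    REPEAT = "repeat"        # operator reads the order back to the dispatcher
    COMPLETE = "complete"    # dispatcher gives "complete"
    LINE_FAIL = "line_fail"  # the means of communication fails


# Transition table.  Anything not listed is not a legal move and is left
# out deliberately so that it cannot advance the order.  VOID is absorbing.
TRANSITIONS = {
    (State.SENT, Event.REPEAT): State.REPEATED,
    (State.SENT, Event.LINE_FAIL): State.VOID,
    (State.REPEATED, Event.COMPLETE): State.COMPLETE,
    # Line failure after repeat but before "complete": the repeated order
    # remains a holding order; it is neither voided nor made actionable.
    (State.REPEATED, Event.LINE_FAIL): State.REPEATED,
}


def step(state: State, event: Event) -> State:
    """Apply one event; an event with no defined transition changes nothing."""
    return TRANSITIONS.get((state, event), state)


def run(events) -> State:
    """Drive a fresh order through a sequence of events."""
    state = State.SENT
    for ev in events:
        state = step(state, ev)
    return state


def may_act(state: State) -> bool:
    """The train addressed may act on the order only once 'complete' has been given."""
    return state is State.COMPLETE


def must_hold(state: State) -> bool:
    """A repeated-but-not-complete order restricts the train addressed."""
    return state is State.REPEATED


def check_fail_safe(max_len: int = 4) -> bool:
    """Enumerate every event sequence up to max_len and confirm:
    1. an actionable order always has a REPEAT followed later by COMPLETE,
       with no LINE_FAIL before that REPEAT;
    2. a line failure before any repeat always voids the order.
    """
    for n in range(max_len + 1):
        for seq in product(Event, repeat=n):
            final = run(seq)
            if may_act(final):
                if Event.REPEAT not in seq:
                    return False
                i = seq.index(Event.REPEAT)
                if Event.COMPLETE not in seq[i + 1:] or Event.LINE_FAIL in seq[:i]:
                    return False
            if seq and seq[0] is Event.LINE_FAIL and final is not State.VOID:
                return False
    return True


if __name__ == "__main__":
    print("repeat, line fails:", run([Event.REPEAT, Event.LINE_FAIL]).value)
    print("line fails, then repeat and complete:",
          run([Event.LINE_FAIL, Event.REPEAT, Event.COMPLETE]).value)
    print("fail-safe property holds:", check_fail_safe())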
In more modern times, while the controlled points of a CTC system are governed by a vital logic embedded in the field apparatus, the code lines transmitting requests for switch and signal alignments are not vital. This separation of office and field is fundamental to the "strength" or what we now call "robustness" of signaled train control systems.
Vitality is resident in the field. The track circuit, registering occupancy, is vital. The signal, communicating that condition of occupancy, is vital when we make it vital, as we do with operating rules that declare "(on tracks) (in territories) so designated in the timetable, signal indication will [supersede the superiority of trains] [be the authority for movement] for [following, following and opposing] train movements on the same track." (Good old '251' and '261' territory.)
In these most modern times, however, we are moving to a condition that reduces that separation between office and field, and as a consequence, pushes the means of communication into operational vitality, requiring fail-safe functionality.
For example, this came to me from the UK's Rail Accident Investigation Branch (RAIB):
During the morning of Friday 20 October 2017, a train driver travelling on the Cambrian coast line in North Wales reported that long standing temporary speed restrictions were not indicated on their in-cab display. As signalling staff at the control centre in Machynlleth investigated this report, they became aware that this failure applied to several trains under their control. The temporary speed restrictions were required on the approach to level crossings so that people crossing the line had sufficient warning of an approaching train.
The Cambrian lines were equipped in 2011 with a pilot installation of the European Rail Traffic Management System (ERTMS), a form of railway signalling. ERTMS removes the need for signals along the track by transmitting data directly to the train. This data is used to display movement authorities and other information such as temporary and permanent speed restrictions, on a screen in front of the driver.
Subsequent investigation found that the signalling system stopped transmitting temporary speed restriction data after a routine shutdown and restart at around 23:10 hrs the previous evening. The signallers had no indication of an abnormal condition and signalling control centre displays showed these restrictions as being applied correctly.
The RAIB has decided to undertake an independent investigation because to date, the signalling system supplier has not identified the cause of the failure. It is possible that finding the cause would have been assisted by downloading of suitable data from the signalling system before it was restarted during correction of the failure.
An additional procedure, since introduced at the control centre, is intended to identify and avoid any recurrence of the failure.
The RAIB investigation will consider:
the geographic extent of the failure and the effect it had on the safety of railway operations;
why trains were permitted to operate without information about temporary speed restrictions;
practices for the gathering of data needed for investigation before restarting computer based signalling systems after a potentially unsafe failure.
Our investigation is independent of any investigation by the railway industry or by the industry’s regulator, the Office of Rail and Road.
We will publish our findings, including any recommendations to improve safety, at the conclusion of our investigation.
This report will be available on our website.
ERTMS, the European Rail Traffic Management System, is made up of two components: 1) a dedicated communications system, GSM-R, for wireless data transmission, and 2) the European Train Control System (ETCS), which uses that link to send movement authorities, and restrictions to movement authorities, to trains, in conjunction with balises to determine train location.
ETCS Level 2 is intended to be 1) interoperable across all of the EU countries and 2) an in-cab replacement for fixed wayside (called "lineside" in the UK) signaling. Its installation and operation on the Cambrian have not been easy. These things never are.
As near as I can determine from the Arriva presentation, the speed restrictions for approaching automatic level crossings are not actively integrated into the train's virtual timetable/special orders for the enforcement of speed restrictions. The restrictions are displayed in-cab as information, and require the train operator to initiate and maintain the necessary speed reductions.
The information is vital. The absence of the information is the equivalent of a "false proceed" indication on a fixed signal, not just allowing, but in fact authorizing movement at a speed that overruns the safety devices at the level crossing.
In this case, we have then eliminated the distinction between the vital information and the means of its communication.
It is of course possible that the train crew is required to familiarize itself with these restrictions through another means, like a bulletin order, or a special instruction that is produced and distributed in hard (paper) copy. But that doesn't make the failure of this equipment any more tolerable as 1) the display is supposed to be "real time" and capable of being updated for restrictions required on an emergency basis and 2).....human beings being what we are, that is to say marvels of sloppy engineering biologically, and marvels of adaptive laziness mentally, to depend on the train operator to make the additional effort to read and remember bulletins when the information is supposedly always and immediately available on a visual display is, well, a bit of intellectual laziness, and self-delusion, of its own.
So....we have a condition where the means of transmitting vital information have failed, but nobody really knows it; or maybe somebody does, but that, the knowledge, is random, chance, luck, and is itself an indication that vitality has been compromised.
And we've created a situation where the vital information is so dependent on the means of communication, so seamlessly bound to the mechanism of transmission and display, as to be practically indistinguishable from those means.
This represents a fundamental threat to safe train operations.
Now according to the RAIB announcement, this occurred some four months ago, and the cause of the failure has not yet been determined. Certainly, simply rebooting the system in the attempt to correct the failure neither protects the vitality of the train operation nor restores the vitality of the communication system. As a close friend and colleague pointed out, without a definite cause and a definite resolution, the automatic temporary speed restriction display function cannot be regarded as safe.
I bring this up because, to some degree, all train control systems are communication based train control systems, even if they only overlay an existing signal system; particularly if they enforce authorities, and restrictions to authorities, that are no longer solely generated in the field, independently of the office. Communication protocols need to include a monitoring function, running in parallel, that can verify that the information actually transmitted to the trains in the field is complete, comprehensive, and compliant with what the office believes it has sent.
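What such a parallel monitor looks like in practice is illustrated below. This is an added example, not part of the original post and not any signalling supplier's code; the record formats, the idea of a field-side "echo" in which each train reports the restriction data it currently holds, and the sample data are all this example's own assumptions. Its one design rule follows the post's office/field separation: a restriction counts as applied only on evidence from the field, never because the control-centre display says so, and the absence of evidence is treated as a failure rather than a success.

```python
"""Added example (not from the original post, not any supplier's code): a
parallel monitor that checks what trains actually received against what the
control-centre display claims was sent.  Record formats, the train 'echo'
and the sample data are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class TSR:
    section: str      # line section the restriction applies to
    ref: str          # restriction identifier
    max_kph: int      # speed limit imposed


@dataclass
class TrainEcho:
    """What a train reports it is currently holding (assumed field-side echo)."""
    train: str
    section: str
    tsrs: Set[str]    # refs of restrictions present in its in-cab data
    age_s: int        # seconds since this echo was received


@dataclass
class Verdict:
    section: str
    status: str                                         # VERIFIED, UNVERIFIED, DISCREPANT
    missing: List[str] = field(default_factory=list)    # displayed but not received
    unexpected: List[str] = field(default_factory=list) # received but not displayed
    stale: List[str] = field(default_factory=list)      # trains with no fresh echo


def verify(displayed: List[TSR], echoes: List[TrainEcho],
           max_age_s: int = 60) -> Dict[str, Verdict]:
    """Compare the office view with the field echoes, section by section.

    VERIFIED only when every train in the section has echoed recently and
    holds exactly the displayed restrictions.  No fresh echo, or any train
    gone quiet, gives UNVERIFIED; any mismatch gives DISCREPANT.
    """
    wanted: Dict[str, Set[str]] = {}
    for t in displayed:
        wanted.setdefault(t.section, set()).add(t.ref)
    by_section: Dict[str, List[TrainEcho]] = {}
    for e in echoes:
        by_section.setdefault(e.section, []).append(e)

    verdicts: Dict[str, Verdict] = {}
    for section in sorted(set(wanted) | set(by_section)):
        v = Verdict(section=section, status="VERIFIED")
        seen = by_section.get(section, [])
        fresh = [e for e in seen if e.age_s <= max_age_s]
        v.stale = sorted(e.train for e in seen if e.age_s > max_age_s)
        if not fresh:
            v.status = "UNVERIFIED"        # no evidence at all: not proven safe
            verdicts[section] = v
            continue
        expected = wanted.get(section, set())
        missing, unexpected = set(), set()
        for e in fresh:
            missing |= expected - e.tsrs
            unexpected |= e.tsrs - expected
        v.missing, v.unexpected = sorted(missing), sorted(unexpected)
        if missing or unexpected:
            v.status = "DISCREPANT"
        elif v.stale:
            v.status = "UNVERIFIED"        # a train has gone quiet: not proven
        verdicts[section] = v
    return verdicts


def unsafe_sections(verdicts: Dict[str, Verdict]) -> List[str]:
    """Sections to be treated restrictively until the cause is found."""
    return sorted(s for s, v in verdicts.items() if v.status != "VERIFIED")


# Constructed sample data.  Section S1 has the shape of the failure described
# in the post: the display shows two restrictions applied, but the trains'
# in-cab data holds none of them after the overnight restart.
DISPLAYED = [
    TSR("S1", "TSR-101", 30),
    TSR("S1", "TSR-102", 40),
    TSR("S2", "TSR-201", 50),
    TSR("S3", "TSR-301", 30),
]
ECHOES = [
    TrainEcho("1A01", "S1", set(), 12),
    TrainEcho("1A03", "S1", set(), 25),
    TrainEcho("2B07", "S2", {"TSR-201"}, 8),
    TrainEcho("3C11", "S3", {"TSR-301"}, 300),   # last heard five minutes ago
]

if __name__ == "__main__":
    for s, v in verify(DISPLAYED, ECHOES).items():
        print(s, v.status, "missing:", v.missing,
              "unexpected:", v.unexpected, "stale:", v.stale)
    print("treat restrictively:", unsafe_sections(verify(DISPLAYED, ECHOES)))
```

Note what the monitor does not do: it does not consult the office's own display to decide whether a section is safe, because in the failure described above that display was the thing that was wrong. Its inputs are the field echoes and the intended list, and its output is an alarm, not an authority; what the railway does with a DISCREPANT or UNVERIFIED section (a cautionary instruction to drivers, a paper bulletin, or stopping trains) is an operating-rule decision outside this code.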
David Schanoes
February 25, 2018
Copyright 2012 Ten90 Solutions LLC. All rights reserved.