The reporter has raised a safety concern in relation to [Automated system] (a system that enhances safety by monitoring train speed and improving signal enforcement) failing to recognise a change in movement authority.
The reporter states, they were driving an [Automated system] active train in a two-driver operation (TDO) configuration west towards [Location 1] and had a restored and passed at danger (RAPAD) event. The [Location 2] signal [signal number] restored to red when they were approximately 100 m away doing approximately 60 km/h. At this stage [Automated system] did not recognise the change in movement authority, consistent with the explanation the reporter received from a previous restored in-face of train (RIFOT) event.
The reporter states, 'on passing [signal number] [Automated system] failed to update the movement authority as I had been told it would. At no time did [Automated system] show anything other than a proceed (photo of the [Automated system] screen supplied to the ATSB). We stopped just short of the [x] km sign. If this service had not been TDO, I cannot guarantee that I would have noticed the RAPAD, as immediately prior my primary screen had failed, and my attention had been momentarily drawn to that issue. [Automated system] failed to operate as per previous training and subsequently as explained'. The reporter believes Network control have not reported the fault.
The reporter states, [Automated system] is a good system however there are still technical glitches as described that need to be addressed. The reporter further states, to enhance crew safety, the operation should remain a TDO configuration until reliability of the [Automated system] has significantly improved.
Thank you for your Notice (RR2024-00029) advising of this REPCON. [Operator] acknowledges the reporter’s concerns and provides a response on each element below. In summary, [Operator] believes the system has performed as designed in the scenario reported, and [Operator] has in place appropriate driver training and groups to provide technical expertise on system response that should have been utilised by the reporter. [Operator] has no evidence to suggest these mechanisms were used by the reporter.
The reporter has raised a concern that the system has failed to recognise a change in movement authority.
In the absence of incident specific details, [Operator] has reviewed potential scenarios and believes the most likely cause is the operation of a [timer]. This timer holds a proceed authority in the system while the train passes a signal, as long as the request to proceed by the radio block centre (RBC) is set or until the time expires [300 seconds].
This function prevents an emergency brake intervention should timing issues associated with state indications arriving out of sequence suggest a signal restoring in front of the train (RIFOT) where the movement was actually normal.
Importantly, the [timer] function only activates if the train is detected to be immediately on approach to the signal (berth track has been occupied for a period of time) and the replacement track is detected to be occupied – this follows the aspect sequencing logic of [Operator]’s remote control signalling (RCS) principles.
The reporter has stated concerns with system reliability in transitioning from two driver operations (TDO) to driver only operations (DOO).
As described above, the reported issue is not believed to be a reliability issue. In general, reliability is actively monitored by [Operator]’s project and operational teams, and [Operator] has completed a large amount of consultation with rail traffic crew on the transition to DOO, which has now been executed.
The reporter has reported issues with the failure of the primary screen.
[Operator] has recently implemented changes to the driver machine interface (DMI) to resolve this issue of the failure to the primary screen.
The reporter has stated a belief that Network Control have not reported the fault.
In the absence of incident specific details, [Operator] has reviewed and determined that Network Control have reported RAPAD occurrences as expected, including satisfying [Operator] network’s reporting obligations to ONRSR.
The reporter has stated the [Automated system] failed to operate as trained.
[Operator] provides rail traffic crew with extensive training on system use and expected performance. Noting however the many different operational scenarios that can present, [Operator] expects that any queries around how the system responds in specific operational scenarios would be made to technical specialists, [Operator]’s [Automated system] project team, through their Leader, or through their workplace health and safety committee.
ONRSR confirms receipt of ATSB REPCON report number RR2024-00029, regarding concerns with an operational system failing to recognise a change in movement authority. ONRSR has reviewed the reporter’s concerns and operator’s response. ONRSR is aware of this matter through previous regulatory interactions with the operator which included requesting and reviewing further evidence regarding the [timer] configuration and related risk management. ONRSR is liaising with the operator to gain further understanding of any communications made to rail safety workers following the REPCON report.