Mode Rail
Reference No. RR201600016
Date reported 26 December 2016
Concern title The delay in correcting a system fault which protects points on the computerised train control system
Concern summary

The concern related to the delay in responding to a fault in the system which prevents the unintended use of a section of track in the computerised train control system.

Industry / Operation affected Rail: Passenger - metropolitan
Concern subject type Rail: Track infrastructure

Reporter's concern

The reporter expressed a safety concern relating to the application of blocking facilities in the computer control system at the [Location 1] control centre. Blocking facilities are an essential tool for preventing the unintended operation of points and are often used as a method of protection for worksites. However, on [date] 2016, it was identified and reported that points at [Location 2] operated when a route was set, even though blocking facilities had been applied to the points in the [type] system.

The reporter is concerned that six days later, the fault in the [type] system still existed and no process had been implemented to manage the increased safety risk.

Operator's response (Operator 1)

Blocking facilities (blocks) are used to mitigate the risk of unintended operation of signalling equipment. Blocks may be purpose designed physical devices placed to prevent operation of equipment, or computer commands as in the case of [type] signalling equipment.

A review of [type] logs and replay system has shown that the following occurred in regard to the attempted application of blocks at [Location 2] on [date] 2016:

  • When the Signaller attempted to place blocks on 51, 52 and 53 points the error message illustrated below was displayed. SET REVERSE TOTAL_ BLOCK for [location 3]:B52 (Railway Points] failed! [location 3]:B52 [Railway Points] not locked by operator! OK
  • Individual sets of points that had been operated manually were unable to be detected as ‘locked’ by the system following their operation. Points are required to be in the ‘locked state’ prior to being able to apply a block to them.
  • Points that were operated by the system as part of ‘route setting’ did detect locking, therefore a block could be successfully applied.

With reference to the REPCON report stating ‘reporter is concerned that six days later, the fault in the [type] system still existed and no process had been implemented to manage the increased safety risk’.

The Signal Engineer and Control Systems Engineer investigated the incident on [date] from both the signalling and control systems perspective. The Signal Engineer replaced a number of components on the signalling/Control systems interface side.

From the control systems perspective, there were no issues with data or the software. Commands were being issued correctly and the system was in a healthy state. As the possession was to be handed back, the investigating engineers were unable to continue further testing at this point of time.

It was determined during subsequent tests and analysis by the control systems engineer that the cause of the error was due to points free state inputs from the interlocking not going to the OFF state, which is a required condition for initiating manually blocking of the points.

Due to availability of resources (holiday period) and priority planned maintenance works coupled with urgent maintenance issues, signalling staff were unable to attend and rectify the fault until seven days later.

The fault was identified as a defective ‘blocking’ diode. This prevented the application of control blocking for 51, 52, 53 points at [Location 2]. The defective blocking diode was replaced and all blocking functions for the points were tested and confirmed by the signaller to be fully working.

All other [type] system functions remained available throughout. Also, during this time no reports of [type] system errors were received from signallers where points were set by way of ‘route setting’ at [Location 2] and had blocks applied.

Regulator's response (Regulator 1)

A fault at the interface between the interlocking and the train control system impacting the ability to apply points blocking can occur. Operators should have systems in place to deal with such faults, including effective alternative protection methods to protect worksites.

The response from the operator indicates that a fault message was displayed to the signaller. At that point, the signaller should have chosen alternative protection methods to protect the worksite. It remains unclear from the response by the operator whether such alternative protection methods were implemented or not.

Clarification is to be sought as to why the operator allowed a fault impacting the blocking functionality on the train control system to remain for seven days. The ONRSR will discuss the issue further with the operator.

Last update 12 July 2018