NCN5 Issue 86 Risk assessment of GSM-R failures
Contents

Executive summary
Introduction
Objectives
Scope
Approach
The nature of the decision
Decision criteria
Risk assessment methodology
Task : kick off meeting
Task : review background information
Task : investigate non-registered cab-radios
Task : determine other functional failures and potential mitigations
Task 5: risk assessment
Results
Understanding the context of the safety benefits
Understanding the causes and consequences of failures
Understanding the safety benefit for each response option
Understanding the operational delay for each response option
Optimising the response
Discussion
The definition of a defective GSM-R fixed cab radio
What action should be taken if the fixed cab radio is defective?
Can a train enter service if the registration fails?
What action should be taken if the radio network fails?
Sensitivity analysis
Conclusions
Items for consideration
Review of Railway Group Standards and other supporting documents
Further analysis
Further process mitigations for consideration
Appendix A Glossary
Appendix B Documents reviewed
Appendix C Workshop attendees
Appendix D Workshop guidewords
Appendix E Workshop outputs
Appendix F Call success probabilities
Appendix G Functional loss scenarios
Appendix H Mapping of operational delay to functional losses
Appendix I Modelling assumptions
Appendix J Hazardous events mitigated by GSM-R radio
Appendix K Safety benefits
Appendix L Operational delays
Appendix M Functional loss scenario comparisons
Appendix N Observation scenario comparisons
Appendix O Benefit cost ratios
Appendix P Sensitivity analysis

Issue record (Issue, Date, Comments)

0 6 August 0 Draft for internal comment
0 August 0 Draft for steering group comment
September 0 Incorporating steering group comments
9 October 0 Amendment to tables in Appendix K
Executive summary

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

Therefore RSSB undertook a risk assessment study to examine what a failure is with respect to the GSM-R radio system, with the objective to inform proposals for changes to Railway Group Standards. Specifically the study considers:

What is the definition of a defective cab radio?
What actions should be taken if train fixed radio fails?
Can a train enter service if it is unable to register (a journey)?
What actions should be taken if the network fails?

This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting Railway Group Standards.

Approach and methodology

The approach follows the principles set out in Taking Safe Decisions [Ref: 9] and applies decision criteria based on benefit-cost ratios (BCRs) and changes in absolute risk levels. Positive BCRs with a value greater than or equal to one suggest that a measure is reasonably practicable.

The study was completed through document review and a series of workshops to identify the potential failure cases and associated impacts on the GSM-R system. This then fed into a safety and operational delay risk assessment. The safety risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 0 study [Ref: ], where the benefits of cab radio were assessed using the latest Safety Risk Model version 7 data [Ref: 0] and Call Success Probability. The risk assessment also considers four different train types: intercity, suburban, suburban driver only operation with passengers (DOO(P)) and freight.

The risk assessment considered five different response options:

0. Continue in service. Trains continue in service regardless of radio problems. This is considered to be the base case.
Cancel trains. Taking trains out of service when faced with either a cab radio or network failure.
Hand/transportable. As with response, but picking up a hand/transportable radio at the next available location.
Reduce speed. As with response, but trains travel at a reduced speed (taken to be 60mph).
Delayed reduced speed. As with response, but the speed limit is applied after four hours if the problem still exists.

Typically the different observations seen by the driver on the cab radio do not map directly to distinct failures. That is, it is not always clear if it is a cab radio or a radio network issue. Therefore the risk assessment considers both the impacts for the functional losses (based on known causes of failure) and potential outcomes based on the driver's observations (based on unknown causes of failure).
Results

The risk assessment identified the most likely functional loss scenario to be a single unregistered radio (temporary, that is the cab radio eventually does register and correlate with the GSM-R system). However, the most likely observations (of failures) on the cab radio are Searching for networks or GSM-R GB (which most commonly occur as a result of a small radio network failure and can affect multiple trains), followed by Registration failed Lead Driver (which most commonly occurs as a result of a single unregistered cab radio). For all the response options considered, except using hand/transportables (response ), the operational delays significantly dominate the safety benefits. That is, the positive BCRs calculated were significantly less than one.

What is the definition of a defective cab radio?

The analysis has shown that if a cab radio displays a fatal fault code (such as Failure XX, MT fatal, Cab Radio Flt, EPROM/RAM Flt and not a warning, as defined in Ref ) or a blank screen then it should be considered defective. Failing on demand when the display shows GSM-R GB or Searching for networks is most likely to be caused by a network issue; however, if the problem persists for a particular cab radio throughout its journey and no fault can be found with the network, it should be treated as a defective cab radio, for example the antenna could have detached. Not being able to register a journey is not considered to be a cab radio failure, as it still offers call and radio emergency call (REC) functionality.

What actions should be taken if a fixed cab radio fails?

The safety benefit attributed to GSM-R cab radio against a base case of no radio being available at all is about.7 FWI/year, or the equivalent of around 0.0 per journey on average (based on the current VPF). Should a cab radio fail (see above), for all the responses except continue with hand/transportable (response ), the BCRs calculated are significantly less than one. That is, the delay costs associated with measures are grossly disproportionate to the safety benefits when compared against the base case of continuing in service. It should be noted that this risk assessment has not considered the costs of providing hand/transportables. These conclusions apply when the functional loss is known, and when it is unknown but assumed based on the driver's observation, to all train types (including DOO(P)).

Although it may be reasonable to continue in service with a defective radio, it does impact on both safety and operations. Therefore it is of interest to continue maintaining both radios and DSD/PA links to a working standard, and reasonable to suggest that trains do not leave a maintenance depot with a defective radio.

Can a train enter service with an unregistered cab radio?

The safety disbenefit of all cab radios being unregistered (but with call and REC available) is estimated to be around 0.0 FWI/year or around an average of 0.0 per journey (based on the current value of preventing a fatality (VPF)). The cost of taking a train out of service (response ) or reducing its speed (responses and ) as a response to registration failure is far greater than the safety benefits (that is, the BCRs are significantly less than one), making these options not reasonably practicable.
Network failure

The results from the risk analysis show that, as with the cab radio defects, the operational delays significantly dominate the safety benefits: the BCRs are significantly less than one. Cancelling trains (response ) and running at reduced speed (responses and ) are not considered to be reasonably practicable. Provision of hand/transportable (response ) in the case of network failure will offer no additional benefit over continuing in service, since the hand/transportable would also not work.

The response recommended on the basis of this risk assessment is to continue in service. However, GSM-R provides safety and operational benefits so should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits on the continue in service option. The conclusions are in general the same for all train types (including DOO(P)).

Overall conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example, persistent failure throughout its journey (with confirmation that the network is working).

For all the response options considered, ranging from continuing as normal regardless of no radio to cancelling trains, the operational delays significantly dominate the safety benefits. Continuing as normal (the base case) and continuing with the use of hand/transportables (response ) minimise the operational delays but accrue a small amount of safety disbenefit. The other responses analysed are not considered to be reasonably practicable. The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits so it is important that equipment is properly maintained. It seems reasonable therefore to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types).

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry therefore needs to decide whether it is appropriate to impose limits or constraints on the continue in service option.

The conclusions are considered robust to changes in the key assumptions.

Items for further consideration

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT7 and Rail Industry Approved Code of Practice GO/RC57 are reviewed with respect to the findings of this risk assessment, and appropriate proposal for change prepared. The report also lists some areas for further investigation, relating to GSM-R failures.
Introduction

In response to the 5th Network Change Notice (NCN5) on GSM-R issued by Network Rail, the majority of Train Operators raised the concern:

There are no national rules that make clear whether a train can go into service if unable to register (particularly for DOO(P)); this presents a major potential performance impact if not resolved.

The Rule Book module TW5 [Ref: ] states that a train should not enter service with a defective radio, or enter service from a depot with a defective public address (PA). GO/RT7 [Ref: ] requires each train operator to have in place a defective on-train equipment contingency plan, which describes the action to be taken if on-train equipment becomes defective when:

Entering service either from a maintenance depot or from elsewhere
Already in service

A workshop was held on 7 January 0 to determine a way forward and establish principles for operational rules. Two actions arose from the workshop for RSSB to:

Consider the degree to which these principles should be captured, possibly in the GSM-R Operational Concept.
Develop proposals for changes to Railway Group Standards (RGS) to reflect these principles including in particular an understanding of the risk from running trains without REC functionality and extended running without registration.

Therefore RSSB undertook a study to examine what a failure is with respect to the GSM-R radio system and what action should be taken if it is deemed to have failed. This report was commissioned by the GSM-R Programme to inform potential changes to the Rule Book and supporting standards.

Objectives

The purpose of the study is, through the assessment of safety and operational risks, to produce proposals for changes to the Rule Book and other standards-related materials so that there are clear national rules on whether and how a train can enter (or continue in) service in the event of failures within the GSM-R system (trackside and on-board).
Specifically it aims to answer:

What is the definition of a defective cab radio?
Can a train enter service if it is unable to register (a journey)?
What actions should be taken if the network fails?
What actions should be taken if train fixed radio fails?

Scope

The scope of this study relates to degraded working of GSM-R voice and messaging capability, separate to the ERTMS (speed/location) data functionality. It includes both failures of GSM-R equipment on board trains (as referred to in Rule Book Module TW5 [Ref: ], GO/RT7 [Ref: ] and GO/RC57 [Ref: ]) and failures of the GSM-R infrastructure (not included in RGS). It applies to all trains (passenger, empty coaching stock, freight) on Network Rail managed infrastructure but excludes the use of GSM-R for shunting purposes. It considers its use during and on completion of the national migration to GSM-R from other methods of radio communications.

The assessments undertaken are with respect to Siemens version of the cab mobile GSM-R software on the GSM-R network provided by Network Rail. That is, the assessment does not take into account future potential radio functions or operating scenarios, such as roaming onto the public mobile network, but does take into account the potential for public mobile network interference.

Approach

The nature of the decision

To answer the questions on how GSM-R radio failures should be treated, the decision making framework from Taking Safe Decisions [Ref: 9] has been followed. Firstly, it is important to understand the scope of the decision to be made. The decision can be viewed from three different perspectives.

The first is whether a train should be taken out of service if the GSM-R radio is considered defective. This lies to the left of the decision taking spectrum (Figure, purple). Here, rules are significant in guiding the decision as to whether defective on train equipment (DOTE) plans are implemented or not. This decision is made by front line staff, in relatively short timescales, and implemented immediately.

What response is taken is decided through the development of the contents of the DOTE, as determined by senior management within a train operating company. This decision is made over longer timescales, taking into consideration wider knowledge of the GSM-R radio system, and ultimately shared with the infrastructure manager. This decision lies towards the middle of the decision taking spectrum (Figure, green).

The third perspective is a more strategic one, and lies to the right of the decision taking spectrum (Figure, red). This is the decision as to how the industry should manage GSM-R failures, and in particular what the Rules and guidance should contain to support the development of company DOTEs. Here the decision is made by the industry, that is, at a national level, by senior management representatives. Good practice plays a large part in influencing the decision, but there is recognition that the decision is complex and therefore requires analysis (strategic, targeted, qualitative and quantitative) to guide it.

It is this latter perspective that this study aims to support. As such the approach to this study is to consider the risks (both quantitative and qualitative elements) in order to inform improvements to the Rule Book and other Railway Group Standards. The results of the assessment will then be used to inform the wider GSM-R project stakeholder representatives to gain consensus on the strategic approach and industry response required.
[Figure : The nature of the decision. Decision taking spectrum with rows: where the decision will be taken; who should take the decision; how many organisations own the risk; how much consultation; operational experience of the issue/problem; experience of the technology; time between scoping and taking the decision; method of implementation.]

Decision criteria

To assess which mitigation or response option is the most appropriate the following comparisons have been made:

The change in safety benefit and operational delay for each response option relative to continuing operations regardless of the state of the radio. The calculation of benefit-cost ratios indicates whether the response is appropriate. Positive benefit-cost ratios support the implementation of a mitigation option. Ideally the proposed mitigation should produce a ratio of greater than one (taking sensitivities into consideration). Where the ratio is significantly less than one, the option is not considered to be reasonably practicable.

The change in safety benefit for each response option relative to absolute risk levels, and overall benefit provided by GSM-R and its predecessors: CSR and NRN. This provides context in terms of the magnitude of change.
5 Risk assessment methodology

The risk assessment comprised five tasks:

Task : kick-off meeting
Task : review background information
Task : investigate non-registered cab radios
Task : determine other functional failures and potential mitigations
Task 5: safety and operational risk assessment

5. Task : kick off meeting

A kick-off meeting was held on the 8 January 0 to discuss the approach and to come to a clear understanding of the study objectives. The meeting was attended by representatives from RSSB, Network Rail and ATOC. The meeting also provided a chance for the study team to collect and source relevant background information that was to be considered in task.

5. Task : review background information

Documents identified during task were reviewed for their applicability for the study along with a number of sources of background information that had already been gathered. All document types were considered and the study team obtained and reviewed the following:

Existing local and national operational rules (eg for Strathclyde)
Previous risk assessments (eg NXEA risk assessment)
The GSM-R operational concept (version )
Contingency plans for TOCs
Requirements specification
Flow chart processes for signallers

A full list of documents included in the review is given in Appendix B. All documents were reviewed for relevant scenarios (both for registration and network failure, from the driver and signaller perspectives), failure rates, current mitigations or practices implemented on recognition of a failure or fault. This information was used to identify and consolidate factors that would be considered in the later tasks, specifically the scope and layout of the workshops and risk assessment analysis.

5. Task : investigate non-registered cab-radios

Since the initial question arising for this study is: Can a train enter service if it is unable to register? the first part of the investigative workshops focused solely on registration failures. Other failures of the cab radio and the radio network were investigated separately.

A HAZOP style workshop was held on March 0 to identify aspects of the GSM-R that would lead to a registration failure along with the current mitigations for each cause and the impact on performance. The workshop was attended by technical experts (Appendix C) representing risk assessment, signalling, train driving and radio network capabilities. The process for each workshop approach followed the flow chart in Figure.
[Figure : Workshop approach. Steps: review factors/guide lists; identify causes of failure; identify functional failures; identify mitigation; consideration of failure rates; repeat for each cause; repeat for each registration view.]

The attendees were asked to consider the causes and sub-causes of each failure, listing all the possible impacts on the functionality of the cab radio and give their views on potential failure rates. Each focussed on what the driver would observe on the GSM-R screen and the results recorded in a spreadsheet visible to all attendees (Appendix C) throughout the process. Examples of the screen displays discussed include:

Registration failed: specifically for registration failure causes
Searching for networks please wait: usually for causes due to network failure
GSM-R GB: centred around failures that the driver would not be aware of

For the full set of potential displays see Ref: 6.

Guidewords (Appendix D) were provided to help steer the group into discussing the relevant observations and impacts that would help create the risk assessment later on in the study. During the workshop, additional personnel were identified with sources of information to help with failure rate data and impacts on GSM-R functionality that was uncertain.

5. Task : determine other functional failures and potential mitigations

In this task, each of the other system components that could affect the GSM-R radio's performance were discussed and reviewed as a continuation from the registration failures workshop. Three all-day workshops were held, based on the different components of the GSM-R system:

Workshop : Thursday 5 April 0, base station sub-system
Workshop : Thursday April 0, national switching sub-system and first pass FTS
Workshop : Wednesday 5 April 0, on-board train equipment and finalising FTS

The methodology was of a similar vein to the registration failures workshop, namely capturing each possible type of failure in a spreadsheet. The structure of the workshops is illustrated in the diagram in Figure with the numbering describing which workshop the component was discussed in.
[Figure : Workshop scopes]

As before, the briefing note for each workshop was supplemented with a list of guidewords so that all responses would be consistent and aid in the evaluation in task 5, and details of people or documents to consult were recorded where answers could not be found within the workshop. The outputs from the workshops are given in Appendix E.

5.5 Task 5: risk assessment

For the risk assessment, the safety risk and operational delay implications for each failure type were evaluated in terms of FWI per year and delay minutes per year respectively, assuming complete fitment and roll-out of GSM-R radio across GB. The risk assessment also includes the impacts of potential miscommunication from an unregistered phone and the benefits to the driver from the DSD/PA link, if the driver became incapacitated.

An overview of the methodology is given in Figure. It follows the principle that by working out the least safety or operational risk for a given known failure (or functionality loss), when the source of the failure is potentially unknown (that is, based on observation of the cab-mobile), a response can be chosen based on the weighted likely outcomes. So that if the driver observes searching for networks, but has no other information, the responses considered are evaluated by assessing their impact on each functionality loss scenario and weighting them by the relative likelihood of each scenario given the message observed.

The risk assessment builds upon the same framework that was used for the Assessing the risk from the loss of the NRN frequency spectrum in 0 study [Ref: ], where the benefits of cab radio were assessed using the Safety Risk Model version 7 data [Ref: 0] and Call Success Probability. Call Success Probability is defined as the probability of successfully stopping a train to avoid an accident, by means of alerting the driver.
That is:

Call Success Probability = Availability × Coverage × Effectiveness

where:

Availability is defined as the system availability, based on the cab radio functioning.
Coverage is determined for each system as a percentage based on the availability of the network.

Effectiveness is estimated as a probability of being able to stop other potentially affected trains and is based on the time taken to contact the controlling signaller via the GSM-R radio system.

The values calculated for availability, coverage and effectiveness are given in Appendix F.

[Figure : Risk assessment overview. Steps: calculate the safety benefit for each functionality loss and operational response scenario; calculate the operational delay for each functionality loss and operational response scenario; identify the optimum response for each functionality loss scenario; calculate the overall safety benefit and operational delay for each observation; identify optimum responses for observations where the cause is unknown.]

5.5. Potential consequences

The consequences were taken from the results of the workshops and were summarised and placed into groups of functionality loss scenarios (see Appendix G for definitions):

Single cab radio failure
Small radio network failure
Medium radio network failure
Large radio network failure
Single unregistered cab radio - temporary
Single unregistered cab radio - permanent
Multiple uncorrelated cab radios (TD.net outage)
Multiple uncorrelated cab radios (TD feed outage)
DSD/PA link unavailable
Single radio terminal failure
Multiple radio terminal failure
Driver:driver radio communication only

For example, a single cab radio failure would only affect the cab radio itself but could result in no receiving or making calls throughout its planned journey, whereas a single radio terminal failure would affect all trains in the area it was servicing.

To calculate the frequency of each functionality loss scenario, data was taken from the outputs from the workshops and expert judgement is applied where necessary. The registration failure rates were taken from weekly reports of attempts made by drivers to register the radio where the outcomes were recorded.
The most recent data (February-April 0) was preferred for applicability and was scaled up to calculate functionality loss estimates per year when GSM-R is fully rolled out. Other failure rates were also gathered from previous documents that evaluated the GSM-R testing phase from the trials on the Strathclyde network. The full calculations for the failure rates are contained within the risk model developed for the study (safety disbenefit model v.5.xls).

Potential mitigations

To work out what the optimum response should be for a particular observation/functionality loss, five different potential responses were identified:

5. Continue in service. The train continues in service as normal regardless of the radio fault. If deemed to be cab mobile related, at the end of the day the train is sent to the maintenance depot for repair. If deemed to be network-related it is assumed that this is fixed at the end of the day. This is considered to be the base case for the risk analysis.

6. Cancel trains. Where only one train reports an issue, if at the start of the journey the train does not enter service. If part way through the journey it continues to the next suitable location, where the passengers are detrained. The train is then sent as empty coaching stock (ECS) to the maintenance depot for repair. Where multiple trains are reporting issues it is more likely to be a network related issue, in which case trains are not permitted to pass through the affected area. The trains terminate at the nearest suitable location before the fault.

7. Hand/transportable. The train enters or continues in service to the next location where a hand/transportable radio can be picked up. The train then continues until it is scheduled to reach the maintenance depot, where the fault is repaired. This response only provides benefit where the fault lies with the cab-mobile; there is no mitigation against network based faults.

8. Reduce speed. This is as per response but trains travel at a reduced speed (taken to be 60mph), reducing the potential consequences for collisions. Where the cause is deemed to be cab-mobile related the speed is reduced for all journeys where the affected cab is in the lead. Where the cause is deemed to be network related, the speed is reduced through the affected section of route. It is assumed that network based faults are fixed at the end of the day.

9. Delayed reduced speed. This is as per response, except trains continue at normal speeds for up to four hours from when the fault was first identified. After which, it is considered that an emergency timetable is introduced and the speed can be reduced to 60mph with minimal disruption.

The safety benefit is calculated from the risk per kilometre where there would be no radio available or reduced radio capability. For example, a single cab could be removed from service and taken to the nearest suitable location or maintenance depot for repair. The total risk is then calculated by scaling it over the distance the train would have to travel without a functional radio. The change in risk for each response is calculated relative to the base case: continuing in service. The change in risk, or safety benefit, is converted from fatalities and weighted injuries to a monetary value using the value of preventing a fatality (VPF); see Appendix I for the value used.

The idea of running at reduced speed stems from the review of good practice completed in the Risk assessment of the Interim Voice Radio System (IVRS) [Ref: 8]. TPWS overspeed sensors are typically set between 0mph and 60mph; a lower speed limit will therefore lower the effectiveness of TPWS. Results from Ref 8 show that reducing the speed to below 60mph was not justified because the disruption to service was excessive compared to the additional safety benefits.

A four hour planning period is considered [Ref 8] to give the infrastructure controller an opportunity to assess and repair the fault, whilst trains are running at linespeed.
The results are calculated for four characteristic types of train journey: intercity, suburban, suburban DOO(P) and freight, as the circumstances surrounding the train's location, journey length and other route characteristics (such as radio use) are different.

Operational delays

Alongside safety impacts, the loss of radio functionality also contributes to operational delays. Types of delay that could be incurred were identified to be:

A. Delays are accrued in the event that a radio is required to help ease other operational disruptions eg stop at signal/failed signalling but no radio is available on-board train.
B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys. Part cancellation assumed to be 5 equivalent delay minutes. Full cancellation assumed to be 50 equivalent delay minutes.
C. Delays accrued to obtain hand/transportable.
D. Delays accrued from running at reduced speed.
E. Part cancellation of trains, through a particular section.
F. Delays from rerouting call, initial call goes to nominated rather than controlling signaller.
G. Delays from the signaller not being able to contact a member of on board staff.
H. Delays from the driver not being able to contact the controlling signaller at all.

Each functional loss scenario was mapped to the applicable delays to enable the appropriate operational disbenefit to be calculated (Appendix H). Delay minutes are converted to a monetary value by multiplying by a typical cost of delay per minute for each train type (estimated from TRUST data).

The list of operational delays, above, represents the current practice of use. Although not considered in the modelling it is noted that train radios may be used more in the future to advise passengers of disruption, creating a greater dependence.
Also, with possible reductions in the number of signal post telephones (SPTs), the opportunity for alternative communication may be limited, increasing operational delays. The list of modelling assumptions for this task is provided in Appendix I.

Optimisation of results

The potential mitigation responses were compared against each functional loss scenario to calculate a benefit-cost ratio (BCR). For the purposes of this analysis and following the principles laid out in Taking Safe Decisions [Ref: 8], the benefits are considered to be the change in safety benefit for the response option relative to the base case continuing in service, plus the avoided cost of accidents. The avoided cost of accidents is assumed to be of similar magnitude to the monetary value of the safety benefit. The costs are taken to be the cost of operational delays incurred relative to continuing in service. To simplify the analysis, the costs used here do not include the costs of implementation (such as purchasing and maintaining hand/transportables) or operational costs (such as additional staff or overtime). It is recognised therefore that the costs used in the analysis may be an underestimate of actual costs. Annual costs and benefits were used with no discounting applied since the lifetime of the measure is taken to be the instance when the response would be applied.
The benefits and costs for each functional loss scenario were used to compile likely results for each observation state of the cab-radio. Where assumptions were made or uncertainty exists in the key data used to calculate the safety benefit or operational delay, sensitivity analysis was carried out to determine the robustness of the results. The BCRs calculated were then considered with respect to the criteria outlined in section.. That is, to make a qualitative and quantitative comparison of changes in safety benefit against cost of mitigation to determine whether the responses are reasonably practicable.

6 Results

The results of the analysis are split into five themes: understanding the context of the safety benefits; understanding the causes and consequences of failures; understanding the safety benefit for each response option; understanding the operational delay for each response option; and optimising the response. Each of these is presented in turn.

6. Understanding the context of the safety benefits

The total risk from the railway in Great Britain is estimated to be 0.9 FWI/year [Ref: 0]. The total safety benefit that GSM-R radio is considered to provide is around.7 FWI/year, for passengers and freight trains (Table ); that is, the anticipated increase in risk across the network if all cab radios were taken away. This is through GSM-R radio facilitating REC, urgent (yellow button) calls to/from the signaller calls and the DSD/PA link. A list of key hazardous events where GSM-R radio is considered to provide some benefits is included in Appendix J. This benefit is reduced by some 0.0 FWI/year (to around.68 FWI/year) if all cab radios were unregistered. That is an increase in risk due to potential miscommunications and increased average times to contact the right signaller/driver. The benefit from the DSD/PA link to Suburban DOO(P), freight and ECS trains is considered to be around FWI/year.
This is the benefit associated with providing an incapacitated driver with assistance quicker than if no DSD/PA link were provided.

Table : The safety benefit from GSM-R radio (against a base case of no radio)
Case Passenger trains (incl ECS) FWI/year Freight trains FWI/yr Total safety benefit FWI/year GSM-R fully working GSM-R unregistered DSD/PA link only
6. Understanding the causes and consequences of failures

Frequencies were estimated for different likely functional loss scenarios based on data from the reports reviewed, expert judgement and calculations (full calculations can be found in the risk model developed for this study, safety disbenefit model v.5.xls). These were mapped to the different observation scenarios identified during the workshops.

Table : Functional loss scenario frequencies
Outcomes (events/year) Observation Single cab radio Small radio network Medium radio network Large radio network Single unregistered cab radio - temporary Single unregistered cab radio - permanent Multiple uncorrelated cab radios (TD.net outage) Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable Single radio terminal Multiple radio terminal Driver:Driver radio communication only Searching for networks 0.0 5* GSM-R GB Blank screen 9 Registration - lead driver Registration - duplicate Registration - PA 00 Failure/fault code 597 Total

* See discussion in paragraph below table on the sensitivity of GSM-R GB displaying versus searching for networks.

In the case of searching for networks, a small network failure (taken to be a BTS outage) has been estimated to occur 5 times per year; however, on this basis it is likely to affect (and therefore be observable by the drivers of),6 train journeys per year. Although the rate of failure should be considered as a frequency when the cause is known, the number of observable cases should be used to calculate the likelihood of consequence when the cause is unknown (see section 6.5.). This is based on the assumption that the cab radio displays searching for networks whenever the network signal is too weak to make a call. However, in reality there is some delay in switching between GSM-R GB and searching for networks, and vice versa, where the signal is still strong enough to recognise the network but not to connect a call. This is considered further in the sensitivity analysis (Appendix P).

The most likely observation is Searching for networks/GSM-R GB, followed by Registration lead driver. Registration duplicate is considered to be the least likely observation (based on assumptions identified during the workshops on version of the GSM-R software). Using these estimated frequencies it is possible to calculate the likelihood of a particular outcome, given a particular observation. These are shown in Table.

Table : Functional loss scenario probabilities by observation
Outcomes (probability per observation) Observation Single cab radio Small radio network Medium radio network Large radio network Single unregistered cab radio - temporary Single unregistered cab radio - permanent Multiple uncorrelated cab radios (TD.net outage) Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable Single radio terminal Multiple radio terminal Driver:Driver radio communication only Searching for networks x x0-8x0 - GSM-R GB x x0-6 Blank screen Registration - lead driver x0-7 x0-5 Registration - duplicate Registration - PA Failure/fault code
6. Understanding the safety benefit for each response option

The safety benefit per event by functional loss scenario for intercity type trains is shown in Table relative to the base case of continuing in service. Intercity type trains are shown for illustration purposes only; for other train type results see Appendix K. All options demonstrate a safety benefit against some functional loss scenarios. The response with the largest safety benefit by functional loss scenario is highlighted in green. Running at reduced speed (responses ) shows the largest safety benefit. This is because running at a lower speed reduces the consequences of some hazardous events (such as collisions and derailments).

Table : Safety benefit by function loss scenario relative to continuing in service, for intercity type trains
Response Change in safety benefit (£/event) Functional loss Cancel Hand/transportable Reduced speed Delayed reduced speed Single cab radio 5 Small radio network outage 0 Medium radio network outage 980 0,900,600 Large radio network outage,700 0,000 6,00 Single unregistered cab radio - temporary 0 0 < 0 Single unregistered cab radio - permanent < < 0 Multiple uncorrelated cab radios (TD.net outage) ,000 5,700 Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable < 0 5 Single radio terminal 5 0 Multiple radio terminal Driver:driver communications only,00 0,000 5,900
Large radio network outage has the greatest impact on safety levels, and therefore the biggest change in risk between continuing in service and the response options. This is perhaps not surprising given it represents no radio functionality for all trains on the network. No safety benefit is shown for the functional loss of the DSD/PA link from cancelling trains (response ) or picking up a hand/transportable (response ) for intercity trains, as the other members of train crew are assumed to mitigate the situation. This is not the case for the suburban DOO(P) and freight train types (see appendices K.. and K..).

6. Understanding the operational delay for each response option

The potential operational delays per event by functional loss scenario for intercity type trains (for illustration purposes only) are shown in Table 5 (for other train types see Appendix L) relative to the base case continuing in service. These represent the monetary value of delays associated with the different response scenarios. A negative operational delay represents a saving relative to the base case continuing in service.

For intercity, suburban and suburban DOO(P) trains, the majority of functional loss scenarios incur a cost of delay compared to continuing in service. The exceptions are using a hand/transportable (response ) to mitigate a single cab radio failure, where performance savings can be made, or where running with hand/transportables or delayed reduced speed (response ) offer no additional delays to the base case continuing in service. These responses create the least amount of operational delay for each functional loss scenario and are highlighted in green in Table 5. Cancelling trains (response ) and reducing speed immediately (response ) create the most operational delays (highlighted in red).

For freight trains, cancelling trains (response ) creates the most operational delays. The other responses offer little difference (due to the generally lower speed of freight trains compared to other services) from the base case continuing in service.
Table 5: Operational delays by function loss scenario relative to continuing in service, for intercity train types
Response Operational delays (£/event) Functional loss Cancel Hand/transportable Reduced speed Delayed reduced speed Single cab radio 0, ,000,000 Small radio network outage 80, ,000 7,000 Medium radio network outage,700,000 0,000,000,000,000 Large radio network outage 57,000, ,000,000 88,000,000 Single unregistered cab radio - temporary, Single unregistered cab radio - permanent, ,000 0 Multiple uncorrelated cab radios (TD.net outage) 6,000, ,000,000 88,000,000 Multiple uncorrelated cab radios (TD feed outage) 60,000 0,500,000,000,000 DSD/PA link unavailable, ,000,000 Single radio terminal 80, ,000 70,000 Multiple radio terminal 600,000 0,500,000,000,000 Driver:driver communications only 59,000, ,000,000 88,000,

Optimising the response

On comparison of the magnitude of the safety benefit to the operational delay, the monetary value of operational delay greatly exceeds the safety benefit in all cases, ranging from a hundred to several million times larger than the monetary value of the safety benefit. This is highlighted in both Figure 5 and Figure 6: in all charts the safety benefit is hardly noticeable.

When the type of functional loss is known

The least delays are accrued in general by the base case (continuing in service) and when running with a hand/transportable (responses ) (see Figure 5). This is because these options are the same, but with the hand/transportable providing some benefit when the cab radio is the cause of the loss of functionality (but delays being incurred to pick up the device).

Figure 5: Comparison of safety benefit and operational delay for each functional loss scenario and response option (-), intercity type trains
[Charts of operational delay (£k/year) and safety benefit (£k/year), one panel per functional loss scenario: Single cab radio; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal; Multiple radio terminal; Driver:driver communications only.]
Note: Safety benefit is plotted on the above charts, but its magnitude is so much smaller than the cost of delays that it is hard to see.

Continuing as normal for a fixed time period then reducing the speed (response ) is the next preferable option in terms of delay in some cases. In these instances it offers a compromise between continuing as normal and reducing the speed. The time limit also encourages the problem to be fixed in a timely manner and not continue unconditionally. It should be noted, however, that this is not the only option for encouraging problems to not continue unconditionally.

However, in the case of other functional loss scenarios, cancelling trains (response ) may offer some benefits in terms of minimising delays compared with the options to reduce speed. That is, the delays accrued on route with response may exceed the equivalent delay minutes for part/full cancellation of a train.

In the case of freight trains, running at reduced speed (response ) appears to be a good continuing in service; however, this is a symptom of the characteristics of freight operations, in that the average speed of freight trains is below the reduced speed limit considered (60mph), and therefore no delay or safety impacts are considered for this train type when the speed limit is introduced.

The benefit-cost ratios (BCRs) calculated for the intercity train types are shown in Table 6. Intercity train types are shown for illustration purposes only. For other train types see Appendix O. All of the BCRs (where there is a difference from the base case, that is, not equal to zero), where positive, are significantly less than one. Three cases for intercity train types have negative BCRs. Those that are highlighted in red in Table 6 represent cases where there is a safety disbenefit and operational cost associated with the functional loss scenario and the particular response. For example, using a hand/transportable instead of a permanently unregistered cab radio may increase risk due to the differences in performance between the two different radios. Those scenarios highlighted in red are considered not to be practicable.

The BCR highlighted in green is also negative. However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continue in service) from using a hand/transportable (response ) when a single cab radio is known to have failed. Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) not outweighing the operational delay savings.
Table 6: Benefit-cost ratios for each response option by functional loss scenario, for intercity train types
Response BCR Functional loss Cancel Hand/transportable Reduced speed Delayed reduced speed Single cab radio.8 x x 0-. x 0-. x 0- Small radio network outage. x x 0-. x 0- Medium radio network outage 7. x 0-0. x 0-. x 0- Large radio network outage. x 0-0. x 0-. x 0- Single unregistered cab radio - temporary 0 0. x 0-0 Single unregistered cab radio - permanent. x x 0-6. x 0-0 Multiple uncorrelated cab radios (TD.net outage).8 x x 0-. x 0- Multiple uncorrelated cab radios (TD feed outage).9 x x 0-. x 0- DSD/PA link unavailable -.5 x x 0-. x 0- Single radio terminal 5.7 x x 0-.7 x 0- Multiple radio terminal 9. x x 0-. x 0- Driver:driver communications only. x x 0-. x

When the type of functional loss is unknown

Not all the cab radio observations provide direct insight into the cause of the problem and therefore the expected functional loss. Taking into account the likely rates and how the functional losses may appear to the driver (in the absence of any other information), the weighted average consequences have been estimated.

In terms of the observation scenarios, the potential annual safety benefits in £ per year relative to the base case (continuing in service) are given in Table 7. All response options demonstrate some safety benefit relative to continuing in service. Again, reduce speed (response, highlighted in green) offers the greatest safety benefit due to the less severe consequences of some hazardous events (such as collisions and derailments). However, this response may not be practical from a timetable perspective, given the delays passed on to subsequent trains and journeys will affect network capacity.

GSM-R GB displaying and failing on demand shows the greatest potential safety benefit per year from each response due to a combination of both assuming full functionality loss and the calculated frequency. However, as discussed previously, full functionality loss may not always be the case as GSM-R GB can also be caused by temporary loss of network signal (see Appendix P).

Table 7: Safety benefit by observation scenario, for intercity type trains
Response Safety benefit (£/year) Observation Cancel Hand/transportable Reduced speed Delayed reduced speed Searching for networks 550 <, GSM-R GB,700,00 5,000 8,700 Blank screen Registration - lead driver <, Registration - duplicate < Registration - PA < Failure/fault ,00,800

The least amount of safety benefit is achieved (for all response options) against registration failures (lead driver, duplicate, PA); this is due to the low impact nature of the failures. That is, the cab radio still retains call and REC functionality.

In the case of delay minutes accrued when considering a response based on an observation (Table 8), running at reduced speed (response ) and cancelling trains (response ) generate the most operational delays for intercity train types (shaded in red) relative to the base case continuing in service, whereas continuing with hand/transportable (response ) offers the least delays (shaded in green), and in some cases potential operational delay savings. The case where the radio has failed on demand and is displaying GSM-R GB has the potential for the biggest operational losses; the figure below is based largely on cab radio failures and does not include the effects from network signal (see Appendix P for sensitivity analysis). Similar results are generated for suburban and suburban DOO(P) train types. For freight trains, cancelling trains (response ) generated the most operational delays; this is an artefact of freight trains not being affected by the measures that impose speed restrictions.
Table 8: Operational delays by observation scenario, intercity train types
Response Operational delays (£/year) Observation Cancel Hand/transportable Reduced speed Delayed reduced speed Searching for networks 6,000,000 -,000,000,000,000 GSM-R GB,000,000-0,000 90,000,000 0,000,000 Blank screen 90,000-5,000 6,600,000,900,000 Registration - lead driver,000,000 0,000,000,000,500,000 Registration - duplicate,00,000,00,600,000,500,000 Registration - PA,00, ,00,000,00,000 Failure/fault 6,000,000-70,000,000,000 5,000,000

For intercity (Figure 6), suburban (K..) and suburban DOO(P) (K..) train types the base case and continue with a hand/transportable (response ) appear to be the optimum cases. In some cases there is no difference between the two options. This is where the cause is more likely to be network related and therefore the hand/transportable provides no benefit.
Figure 6: Comparison of safety benefit and operational delay (purple) for each observation scenario and response option (-), intercity type trains
[Charts of operational delay (£k/year) and safety benefit (£k/year), one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]
Note: the safety benefit is plotted on the charts above but, due to the significant difference in magnitude, is hard to see.
All of the positive BCRs (where there is a difference from the base case, that is, not equal to zero) are significantly less than one (see Table 9) for intercity train types. There are seven cases where the BCR has been estimated to be negative. Those that are highlighted in red in Table 9 represent cases where there is a safety disbenefit and operational cost associated with the observation scenario and the particular response. For example, using a hand/transportable instead of a cab radio that displayed a registration failure may increase the risk due to the differences in performance between the two different radios. Those scenarios highlighted in red are considered not to be practicable.

The BCRs highlighted in green are also negative. However, this is because the safety benefit is positive and there are potential operational delay savings (compared to the base case of continue in service) from using a hand/transportable (response ) for observation scenarios where cab radio failure is possible. Thus there is a good indication that this option is practicable, subject to any other costs associated with the provision of hand/transportables (not included in this assessment) not outweighing the operational delay savings.

Table 9: Benefit-cost ratios for each response option by cab radio observation, for intercity train types
Response BCR Observation Cancel Hand/transportable Reduced speed Delayed reduced speed Searching for networks.7 x x 0-. x 0-. x 0- GSM-R GB. x x 0-.6 x 0-.6 x 0- Blank screen.8 x x 0-. x 0-. x 0- Registration - lead driver. x x 0-6. x 0-. x 0- Registration - duplicate.8 x x 0-6. x 0-. x 0- Registration - PA -.5 x x 0-. x 0- Failure/fault.8 x x 0-. x 0-. x 0-
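The benefit-cost screening described above, worked through for the case where the cause behind an observation is unknown. This is an added example, not the report's own spreadsheet model: the names `Delta`, `annual_totals` and `screen`, the verdict strings and every number are constructed for illustration. It shows why a negative BCR needs its sign unpacked before it is read as "red" or "green".

```python
"""Added example: benefit-cost screening of a response option.
Every number below is constructed for illustration; none comes from the report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delta:
    """Per-event change for one response, relative to continuing in service (GBP)."""
    safety_benefit: float  # FWI change monetised with the VPF; negative = disbenefit
    delay_cost: float      # cost of delay minutes; negative = delay saving


def annual_totals(cases_per_year, deltas, accident_factor=1.0):
    """Weight per-event deltas by how often each functional loss lies behind
    one cab-radio observation.

    cases_per_year:  {functional loss: observable cases/year for the observation}
    deltas:          {functional loss: Delta for the response being screened}
    accident_factor: avoided accident cost as a multiple of the safety benefit
                     (1.0 encodes the "similar magnitude" assumption)
    Returns (P(loss | observation), annual benefit, annual delay cost).
    """
    total = sum(cases_per_year.values())
    probs = {loss: n / total for loss, n in cases_per_year.items()}
    benefit = sum(n * deltas[loss].safety_benefit * (1.0 + accident_factor)
                  for loss, n in cases_per_year.items())
    cost = sum(n * deltas[loss].delay_cost for loss, n in cases_per_year.items())
    return probs, benefit, cost


def screen(benefit, cost):
    """Return (verdict, BCR). The BCR alone is ambiguous when it is negative:
    a disbenefit with a cost and a benefit with a saving both give BCR < 0."""
    if benefit == 0 and cost == 0:
        return "no change from base case", 0.0
    ratio = benefit / cost if cost else None  # undefined when cost is zero
    if benefit > 0 and cost > 0:
        return ("benefit exceeds cost" if ratio >= 1 else "cost exceeds benefit"), ratio
    if benefit >= 0 and cost <= 0:
        return "no worse on safety, no added delay", ratio
    if benefit < 0 and cost >= 0:
        return "safety disbenefit, no delay saving", ratio
    if benefit < 0:  # and cost < 0
        return "safety disbenefit traded for delay saving", ratio
    return "delay cost with no safety change", ratio  # benefit == 0, cost > 0


# Constructed inputs: what may lie behind a "searching for networks" display.
SEARCHING = {"small network outage": 900, "single cab radio fault": 100}

# Constructed per-event deltas for two responses.
HAND_PORTABLE = {
    "small network outage": Delta(0.0, 0.0),        # portable fails on the same network
    "single cab radio fault": Delta(4.0, -250.0),   # small benefit, delay saving
}
REDUCED_SPEED = {
    "small network outage": Delta(3.0, 40_000.0),
    "single cab radio fault": Delta(3.0, 8_000.0),
}

# Constructed: a portable used in place of an unregistered but working cab radio.
REGISTRATION = {"single unregistered cab radio": 50}
PORTABLE_FOR_REGISTRATION = {"single unregistered cab radio": Delta(-1.0, 300.0)}


if __name__ == "__main__":
    for name, cases, deltas in [
        ("searching / hand-portable", SEARCHING, HAND_PORTABLE),
        ("searching / reduced speed", SEARCHING, REDUCED_SPEED),
        ("registration / hand-portable", REGISTRATION, PORTABLE_FOR_REGISTRATION),
    ]:
        probs, b, c = annual_totals(cases, deltas)
        print(name, probs, b, c, screen(b, c))
```
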
7 Discussion

7. The definition of a defective GSM-R fixed cab radio

When the cab radio displays Radio Failure XX, MT Fatal or a blank screen then it is certain that the cab radio will not function properly and that the fault lies with the cab radio. This is the only observation case when the driver can be certain that the cab radio is defective. Other displays such as Warning XX are non-service affecting and should not be considered as defects.

If the cab radio is displaying searching for networks it is likely to be due to a network related problem, which could clear on moving the train. However, if the problem persists for a particular cab radio through its journey or the signaller is able to confirm that the train lies within a fully operational part of the GSM-R network, then it is likely that the problem is associated with the train's antenna. In this case the cab radio should be considered as defective. To help with the diagnosis of the problem and potentially speed up the repair of network issues, drivers should contact the signaller and report the issue at the first convenient opportunity, even if the radio subsequently displays GSM-R GB.

If the cab radio displays an error on registration (registration lead driver/duplicate/PA) there could be an issue with the network or the information being entered. Either way the cab-radio should still have call and REC functionality and is therefore not considered an on-train defect.

If the cab radio fails on demand whilst displaying GSM-R GB it could be due to a cab fault or network issue. Without further diagnosis or symptoms being observed by other network users it is difficult to determine the cause. If the train continues its journey and the problem in the cab persists, it is likely to be a cab radio defect. However, if on moving the train the problem remedies itself, it is likely to be a network issue.
Although this analysis helps with a definition for a defective cab radio, it does not necessarily mean that a train with a defective cab-radio should be withdrawn from service (see subsequent conclusions).

7. What action should be taken if the fixed cab radio is defective?

Regardless of the definition of a defective cab radio, the results from the risk analysis show that for all response cases considered, in terms of monetary equivalent values, the cost of operational delays dominates the cost of the safety benefits. That is, the safety benefit from GSM-R cab radio is estimated to be around.7 FWI/year (based on current use and practices), or equivalent to around million/year (based on the VPF). With some 7 million train journeys/year, this gives an average safety benefit around 0.0/journey. This is significantly less than the cost of cancelling a train journey, estimated to be around 800 to 6000, dependent on the type of journey.

For all the responses except continue with hand/transportable (response ), the BCRs calculated are significantly less than one. That is, the delay costs associated with the measures are grossly disproportionate (in some cases over a hundred times greater) to the safety benefits when compared against the base case of continuing in service. This applies both when the functional loss is known and when it is unknown but based upon the driver's observation.

Although it may be reasonable to continue in service with a defective radio, it does impact on both safety and operations. Therefore it is of interest to continue maintaining both radios and DSD/PA links to a working standard, and reasonable to suggest that trains do not leave a maintenance depot for service with a defective radio (as currently required by the rules with a PA system). This is similar to requirements for other defective on-train equipment such as headlamps, taillights and warning horns.

The conclusions over what to do when a fixed radio fails are the same for all train types, despite having slightly different magnitudes of result. This includes services where the driver is on his own (suburban DOO(P) and freight). The results of the risk assessment show that although the DSD/PA provides some benefit (0.005FWI/year across all trains) this is also dwarfed by the cost of cancelling a train. However, it is recognised that the radio and DSD/PA link provide additional security and comfort benefits for the driver not included in this risk assessment. Also, in the future the PA link may be used by operations centres to provide passengers with information relating to their journey, placing a greater dependence on the PA link. Therefore, should the radio or PA link fail on a DOO(P) train, the operating company may choose to implement additional measures (such as provision of hand/transportable, a public mobile phone or an additional member of staff to travel on board the train) to compensate.

7. Can a train enter service if the registration fails?

The workshops identified that if a cab radio fails to register a journey properly there is a reduction in call success; that is, a call may route to the wrong signaller (the REC will still function). In the event that proper communication protocols are not followed this could lead to errors in train movements. For example, permission could be given to pass a signal at danger, because the signaller has misunderstood which driver he is speaking to. Based on the current rates of miscommunication leading to a movement accident, operating all cab radios unregistered is estimated to reduce the safety benefit by around 0.0FWI/year, or around 50,000/year (based on the VPF).
Again, with some 7 million train journeys/year, the average safety benefit/journey is estimated to be less than 0.0. The cost of taking a train out of service (response ) or reducing its speed (responses and ) to compensate is far greater than the safety benefits (that is, the BCRs are significantly less than one), making these options not reasonably practicable. Running with an unregistered cab radio could be further mitigated by training drivers to be aware that it is more likely for a call to be routed to the wrong signaller and thus of the need to place greater importance on the communications protocol to ensure a clear understanding of who is involved in a call (see 0. Further analysis). The conclusions are the same for all train types, despite having slightly different magnitudes of operational delays.

7. What action should be taken if the radio network fails?

Network failures have the potential to extend from a few kilometres of track up to the whole network, affecting both trains entering service and those already in service. The results from the risk analysis show that, as with the cab radio defects, the operational delays significantly dominate the safety benefits: the BCRs are significantly less than one. Cancelling trains (response ) or running at reduced speed (responses and ) increase the operational delay the most whilst minimising the risk. However, due to the magnitude of the costs being grossly disproportionate to the safety benefits, they are not considered reasonably practicable. In the case of network failures, provision of hand/transportables (response ) will provide no additional benefit, since the hand/transportable also would not work.
In the event that there is a total network or significant network outage (multiple terminal failures etc), cancelling of all trains would cause chaos for passengers. This would be detrimental to both safety (in terms of passenger overcrowding and assaults) and rail industry reputation, and generally is not considered acceptable by rail industry representatives. Therefore, the response recommended on the basis of this risk assessment is to continue in service. However, GSM-R provides safety and operational benefits so should be restored as soon as possible after a failure. The industry therefore needs to decide whether it is appropriate to impose limits or constraints on the continue in service option. Imposing restrictions after a four-hour time limit (response ) was one of the responses considered by this risk assessment but it may not be practical to implement.

The conclusions are in general the same for intercity, suburban and suburban DOO(P) trains, despite having slightly different magnitudes of result. Freight trains are less influenced by speed reductions due to the lower average speeds at which they travel.

8 Sensitivity analysis

Sensitivity analysis was carried out on the risk modelling (see Appendix P), focussing on the key assumptions: the cost of delays; the rate of reactionary delay incurred; the version of the cab radio software; the number of BTSs; the number of registrations per day; the split between searching for networks and GSM-R GB with network issues; and failure rates.

The sensitivity analysis shows that the conclusions are robust with respect to the cost of delays and the rate of reactionary delay for intercity, suburban and suburban DOO(P) train types. For freight, cancelling trains may be a better option for some functional losses, when operating in areas with potential for significant reactionary delays.
With respect to the cab radio software, the conclusions are considered robust with respect to the increased likelihood of Registration duplicate with Siemens version E, when compared to the assumed version. The sensitivity analysis also showed that the conclusions are robust with respect to the number of BTS, the number of registrations per day and failures. As in all cases where the cost of delays was grossly disproportionate to the safety benefits, they remain so for the sensitivity test scenarios. A similar conclusion was drawn for testing the sensitivity of the split between searching for networks and GSM-R GB for network issues. However, the sensitivity analysis also showed that there is significant uncertainty that GSM-R GB signifies a cab radio failure without further diagnosis. That is, if a cab radio fails on demand whilst displaying GSM-R GB it may be due to a network issue.
9 Conclusions

A defective cab radio is considered to be one that displays Failure XX, MT Fatal, Cab Radio Flt, EPROM/RAM Flt or a blank screen. Other displays may also indicate a cab radio defect but require further diagnosis, for example, persistent throughout its journey (with confirmation that the network is working).

For all the response options considered, ranging from continuing as normal regardless of no radio to cancelling trains, the operational delays significantly dominate the safety benefits. Continuing as normal (the base case) and continuing with the use of hand/transportables (response ) minimise the operational delays but accrue a small amount of safety disbenefit. The other responses analysed are not considered to be reasonably practicable because the additional delay costs are disproportionate to the safety disbenefits (for all train types, including suburban DOO(P)). The analysis did not consider the costs of providing hand/transportables.

However, GSM-R provides safety and operational benefits so it is important that equipment is properly maintained. It seems reasonable therefore to prevent a train from entering service from a maintenance depot if it has a defective cab radio.

The analysis shows it is reasonable for a train to enter or stay in service even if it is unable to register (for all train types). That is, none of the responses considered were demonstrated to be reasonably practicable to mitigate registration issues.

For network failures, the response recommended on the basis of this risk assessment is also to continue in service (for all train types, including DOO(P)). Hand/transportables would provide no additional benefit in this situation. However, for the reasons stated above, the industry needs to decide whether it is appropriate to impose limits or constraints on the continue in service option.

The conclusions are considered robust to changes in the key assumptions.

0 Items for consideration

0. Review of Railway Group Standards and other supporting documents

It is proposed that the Rule Book, specifically module TW5, Railway Group Standard GO/RT7 and Rail Industry Approved Code of Practice GO/RC57 are reviewed with respect to the findings of this risk assessment, and that an appropriate proposal for change is prepared. The proposed changes should reflect that:

- Registration failures are not considered to be defects
- Trains can stay and enter service with a defective cab radio
- Trains can stay and enter service with a defective radio network.

However, to encourage the recovery of faults it is suggested that a train does not enter service from a maintenance depot with a defective radio. This is similar to the practice already applied to other on-train equipment such as headlamps and warning horns.

0. Further analysis

During the completion of this study, further related areas of analysis have been identified to be of interest. These have not been included in this analysis but will be investigated later:

- When should planned outages of the network (for maintenance, upgrades etc) take place to minimise risk?
- Is there a need to get agreement from TOCs for the planned outage times chosen, or can they and the signallers just be informed?
- Can the signaller still authorise the driver of an unregistered cab radio to pass a signal at danger?
- Is it safer to use an SPT or an unregistered cab radio to contact the signaller?

0. Further process mitigations for consideration

During the workshops some ideas were generated on how errors could be reduced when using GSM-R. These included:

- Providing repeater plates where the signal is not visible at registration; this would avoid excessive use of the wildcard.
- After observing "Registration failed - lead driver" and being instructed by the signaller to use the wildcard, the driver could contact the signaller again to confirm that the radio was registered with the correct headcode.
- Monitoring cell pick-ups to help reduce the number of misrouted calls.
- Reinforcing during training the need to place greater importance on the communications protocol, to ensure a clear understanding of who is involved in a call when using an unregistered cab.
Appendix A Glossary

ATOC: Association of Train Operating Companies
BSC: Base station controller
BSS: Base station sub-system
BTS: Base transceiver station
DOO: Driver only operation
DOO(P): Driver only operation (Passenger)
DOTE: Defective on-train equipment
DSD: Driver safety device
ECS: Empty coach stock
ERTMS: European Rail Traffic Management System
FTN: Fixed telephone network
FTS: Fixed terminal system
FWI: Fatalities and weighted injuries
GSC: Ground switching centre
GSM-R: Global system for mobile communications - Railways
HAZOP: Hazard and operability
LAC: Location area code
NCN5: 5th Network change notice
NSS: Network switching system
NXEA: National Express East Anglia (train operating franchise)
REC: Railway emergency call
PA: Public address
RGS: Railway Group Standards
RSSB: Rail Safety & Standards Board
SPT: Signal post telephone
TD: Train describer
TEC: Telecomm Engineering Centre
TOC: Train operating company
TPWS: Train Protection Warning System
VPF: Value of preventing a fatality
Appendix B Documents reviewed

This appendix contains the references for the documents reviewed as part of task and subsequent documents received and considered in later tasks.

- GSM-R/FTN Programme Cab Handportable estimated usage, NR/AM/SA/REP/00. Issue A0, Network Rail, May 0.
- Assessing the risk from the loss of the NRN frequency spectrum in 0, RSSB, April 0.
- Trains Required to be Taken Out of Service as a Result of Defective On-train Equipment. Train Operator's Contingency Plan, CP 7, Issue 7, Arriva Trains Wales, January 0.
- HMI Design Requirements Specification for Network Rail GSM-R Cab Radio Version, Issue 9.0B Draft, Siemens, 0 December
- Using GSM-R in Great Britain Briefing Note - Changes to the Siemens GSM-R Cab Radio (Version ), GSMR/FTN/TRG/BN/0, Issue., Network Rail, December
- GSM-R user procedures (cab radio) Procedures for using the Siemens GSM-R cab radio (Version ), NS- GSM-R-OPS-05, Issue 6., RSSB, December
- Voice Communication System FTS Failure Modes, Effects and Criticality Analysis (FMECA), 0A05E606., Issue.5, Frequentis, 9 October
- AM Amendments module, GE/RT8000/AM Rule Book, Issue, September
- CMvE CMv Requirements Summary, Issue, R Hill, September
- GSM-R System Resilience, version, E Nix & T Foulkes, 6 June 0.
- National Control Instructions Procedure for the Planned Response to GSM-R System Failures, Issue, June 0.
- Human Factors Railway Emergency Call Study, Issue, RSSB, June 0.
- Cab Radio Reliability Time Truncated Test Results, GSMR/RWG, Issue, Network Rail, May 0.
- GSM-R Network Observed Reliability during Operational Trial, GSMR/RWG, Issue, Network Rail, May
- NWR GSM-R Core Network System Definition, NWR/NE/DD/05055, Version 8.00, Kapsch CarrierCom, 5 March
- Amendments to SMS9. Defective On-Train Equipment Contingency Plan, NXEC9., Issue 7, East Coast, 0 December
- GSM-R (IVRS) Radio system Handbook, RS/50, Issue, RSSB, December 00.
- National GSM-R Radio Project Hazard Identification Workshop Report Multiple Signallers in RECs, A05/GSM-R/IMP/Dxxx, Issue, Network Rail, November
- National Control Instructions and Approved Code of Practice Section. Communications, NR/L/OCS/0/., Issue, 5 June
- Risk Profile Bulletin, Table B, Version 7, RSSB, August 00.
- Contingency Plan & Matrix for Trains with Defective On-train Equipment, SM090, Issue 6, First Great Western, June 00.
- Defective On-Train Equipment, GO/RT7, Issue 6, June 00.
- Recommendations for Defective On-train Equipment, GO/RC57, Issue, June 00.
- GSM-R Signallers Fixed Terminal User Guide, Issue, Network Rail, June
- GSM-R Emergency Call Risk Assessment, RSSB, 8 January
- GSM-R Strathclyde Trial Objectives Close out Report, NR/EE/REP/008, Issue A0, Network Rail, December
- FTN & GSM-R GSM-R Trial for Pilot Route A (PA05/077/T) Critical Review Report, CCMS: , Issue., Network Rail, June
- GSM-R Strathclyde Operational Trial Reliability and Maintainability Demonstration Plan, Issue., Network Rail, June
- Taking Safe Decisions - how Britain's railways take decisions that affect safety, RSSB,
- Using GSM-R in Great Britain Procedures for using the Frequentis GSM-R fixed terminal Appendix : Amendments, FTN&GSMR/PM/MAN/00, Issue, Network Rail, 8 October
- Preparation and movement of trains General, GE/RT8000/TW Rule Book, Issue 8, October
- Cab secure radio (CSR) Handbook, RS/56, Issue, June
- Preparation and movement of trains Defective or isolated vehicles and on-train equipment, GE/RT8000/TW5 Rule Book, Issue, April
- Using GSM-R in Great Britain Procedures for using the Frequentis GSM-R fixed terminal Appendix : General Instructions, FTN&GSMR/PM/MAN/00, Issue, Network Rail, October
- GSM-R Reliability, Availability & Maintainability (RAM) Study, A05/GSM-R/, Issue, Network Rail, August
- GSM-R Cab Mobile, Great Britain Open Interface Requirements, GE/RT808, Issue, July
- UK Application of GSM-R The Operational Concept, Issue, RSSB, December
- Risk Assessment of Failure of the Interim Voice Radio System (IVRS), RSSB, February
- Train Radio Systems for Voice and Related Messaging Communications, GE/RT8080, Issue, December
- Requirements for GSM-R Voice Radio System, GE/RT808, Issue, December 00.
- Safety Risk Assessment for the National GSM-R Radio Network Project, A05/GSM-R/IMP/D057, Issue, Network Rail, 7 November 00.
- Flowchart process for signallers.
- Ops Controller LAC Map
Appendix C Workshop attendees

Attendee | Job title and organisation | Workshop (Registration, BSS, NSS/FTS, FTS/On-board equipment)
Ed Nix | Senior NSS Design Engineer, Network Rail | Yes Yes Yes
Neil Ramsey | Senior Programme Manager, Network Rail | Yes Yes
Chris Fulford | GSMR Operations Advisor, ATOC | Yes Yes Yes
Rob Hill | Senior FTS Design Engineer, Network Rail | Yes
Paul Ashton | Operational Rules Specialist, Network Rail | Yes
Keith Fox | Operations Specialist, RSSB | Yes Yes Yes Yes
Jay Heavisides | Senior Risk Analyst, RSSB | Yes Yes Yes Yes
Will Clayton | Risk Analyst, RSSB | Yes Yes Yes Yes
David Griffin | Senior Risk Analyst, RSSB | Yes Yes Yes
Appendix D Workshop guidewords

D. Registration observations

Observer / View
Driver: Registration failed; Registration failed Duplicate; Registration failed PA
Signaller: Wrong headcode returned; No headcode returned

D. GSM-R Functions

Initiator / Function
Driver
A) Point-to-point call to controlling signaller
B) Urgent point-to-point call to controlling signaller (yellow button)
C) Railway emergency group call (red button)
D) Non-operational calls
E) Driver safety device activation alarm
F) Standing at signal text message
Device registration
Signaller initiation
G) Point-to-point call to driver
H) Urgent point-to-point call (yellow button)
I) PA announcements
J) General broadcast voice calls to local area
K) Non-emergency group voice calls
L) Railway emergency group call (red button)
M) Operational text (Wait, Contact signaller)
Other
N) Voice recording
O) Coverage

D. Influencing factors: frequency

Parameter / Deviation
Migration: During; Post
Network outage: Planned; Unplanned
Point of journey: Leaving depot; Start of journey; Mid journey; End journey; Turnaround; Splitting/joining units

D. Influencing factors: consequence

Parameter / Deviation
Alternative communication method: Handportables; Transportables; CSR; NRN; IVRS; Signal post telephones; Public mobile phone
Train type: Non-DOO; DOO(P); Freight; ECS
Track type: Single; Double; Multiple
Train speed: Slow (<5mph); Medium (5-75mph); Fast (>75mph)
Line type: Rural; Sub-urban; Mainline
Train frequency: Low frequency; High frequency
Journey time/distance: Short; Medium; Long

D.5 Potential responses

Option group / Response

No replacement equipment available
- Suspend service at point of failure until fixed.
- Send straight to depot for fixing.
- Continue to next point of call, then suspend service until fixed.
- Continue to next point of call, detrain passengers and operate ECS until fixed/replaced.
- Continue to end of journey, then to depot/fix.
- Continue to end of day/final journey to depot/fix

Replacement equipment available (awaiting outputs from NRN switch off study)
- Await arrival of handportable/transportable
- Continue to next point of call to collect handportable/transportable
- Continue to end of journey/next hub to collect handportable/transportable
- Rely on SPTs
Appendix E Workshop outputs

The notes in this appendix represent the outputs after completion of the workshops. That is, they represent a fixed point in time during the study. Data gathering and analysis were completed after the workshops to finalise the rates. The calculations can be found in the risk model developed for this study (safety disbenefit model v..xls).

E. Cab-registrations

The letters in the column Impact of failure are based on the function guidewords listed in the table in Appendix D..
44 Observation Cause of Sub-cause of Distinction Impact of Mitigation Failure rate Influences. Registration failed - lead driver. Driver input incorrect registration headcode.. Driver error (misread) Entered data is visible on display A, B, E, F) Yes - no longer calling the controlling signaller but the nominated one A, B, C, E, F) Calling identity is the unit number and not the headcode C) Nominated signaller has control of REC G, H, I) Can only be done using unit number and there will be a delay to call K) Will not function without headcode Current: Driver retries. Call signaller if still fails. Signaller checks code and gives wildcard (wrong headcode) Verbal communication protocol may lead to recognition of error and the signaller will know the train headcode from either ARS or train list Jim Carney (NR) - breakdown of registration statistics During migration - more likely to enter wrong headcode and be unaware of it through preregistration process (wildcard) M) Can only be done using unit number and there will be a delay to call - contact signaller only (check that it can be done using CT) New: Driver would contact the signaller once registration complete to check headcode.. Driver error (input error) As.. As.. As...
45 Observation Cause of Sub-cause of Distinction Impact of Mitigation Failure rate Influences. Registration. Driver input.. Driver error Entered data is As above for.. Current: Driver Jim Carney (NR) - failed - lead driver (continued) incorrect location code (misread) visible on display Performance delay impact retries. Call signaller if still fails. Signaller checks breakdown of registration statistics code and gives wildcard (right headcode). Verbal communication protocol may lead to recognition of error... Driver error (input error) As.. As.... Missing alias plate Speak to signaller As.... Signal Visit signal to As.. New: Provide identity not visible check plate signal repeater plates
46 Observation Cause of Sub-cause of Distinction Impact of Mitigation Failure rate Influences. Registration. Train.. Signaller Speak to signaller As.. Current: Driver failed - lead description not has not entered retries. Call driver (continued) associated with berth TD signaller if still fails. Signaller checks TD and inserts code.. Late entry Speak to signaller As.. As above (..) by automatic coding insertion. Train.. TD.Net Speak to signaller As above for.. but for Current: Use Increased None describer (national) (may not know multiple trains wildcard registration there is a ) rate due to possible duplication.. Local TD Speak to signaller As above for.. but for trains in local area Current: Use wildcard Increased registration rate due to possible duplication (smaller risk than..) 5
47 Observation Cause of Sub-cause of Distinction Impact of Mitigation Failure rate Influences. Registration.5 Cell not.5. Train on Speak to signaller As above for. but for single Current: Use Dependent on Initial increase failed - lead associated with unexpected cell (use wildcard) train and definitely contacting wildcard location - see Jim during driver (continued) berth nominated signaller (not controlling) New: Monitor cell pick-ups Carney migration..5. BSS (see.8) See.8 See.8.6 NSS.6. Failure on demand Use alternative means to contact signaller As above for...7 FTS.7. Failure on demand Signaller may already be aware - use alternative means for contact As above for...8 BSS.8. Interference Use alternative means to contact signaller As above for.. - more localised 6
48 Observation Cause of Sub-cause of Distinction Impact of Mitigation Failure rate Influences. Registration failed - duplicate. Three trains already in service with the same 8 digit code.. As per. Current: Use wildcard - worse case correlation attempted every minutes Minimal. Registration failed - duplicate (continued). NSS.. Current: log as fault as unable to register. Registration - PA. BSS.. Interference on uplink None for driver, yes for signaller dependent on contact I) Not available Current: Contact signaller to determine uplink or downlink. Does not matter if non- DOO(P) Jim Carney (NR) - breakdown of registration statistics. Reduce by factor of 00 for v? (stuck, retry and driver intervention) More likely to cause problems whilst on the move (during migration).. Interference on downlink No impact - driver unaware so possible performance delay 7
49 E. Base station sub-system Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes. Searching networks - please wait. BTS or repeater (local).. Antenna and feeder damage Catastrophic - (specific) alarm to TEC Noncatastrophic - possible alarm No service available whilst display is 'Searching networks' Attempts to search for networks ('Searching networks' displayed). Attaches to nearest cell but might not be on the correct route. -8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Contact Paul Strachan for target fix time and actuals The antenna system takes approximately hours to repair Contact Paul Strachan for target fix time and actuals The mean time between antenna s is 00 hours ie 5 years, so assume 0.07 s per antenna year As system is better understood, recovery rates will improve. If occurs at start of journey, train will not be able to register - if this is the first train to report this problem signaller may not be aware.. Antenna realignment (partial ) Driver reports intermittent coverage - audible and visual in cab alarm As.. or.. Driver reports s to control. Aids subsequent trains Maybe slightly better than.. due to only partial loss as above.. Power loss (specific) alarm to TEC As.. Opportunity to rectify upon receiving alarm. Back up power supply for 6 hours -8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Contact Paul Strachan for target fix time and actuals Contact Paul Strachan for target fix time and actuals as above.. Air conditioning..5 BTS or repeater electronics hardware High temp alarm to TEC (specific) alarm to TEC As.. As.. Opportunity to rectify upon receiving alarm. Opportunity to rectify upon receiving alarm. -8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Maybe slightly better than.. 
if only partial loss Indicates 5.9km gap in service Contact Paul Strachan for target fix time and actuals Indicates a BTS repeater takes approximately hours to repair Contact Paul Strachan for target fix time and actuals The mean time between repeater s is hours ie 5.7 years, so assume 0.75 s per BTS per year as above as above..6 Cell BTS configuration error None - nondetectable No PP or REC calls System commissioning procedures -8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Indicates a BTS MUX takes approximately hours to repair The mean time between MUX s is 8000 hours ie 58 years, so assume s per year as above..7 Loss of REB due to damage/vandalism Alarm to TEC As.. Replace REB -8km of track effected ask Paul Strachan for contacts ask Paul Strachan for contacts as above Check for contingency plans Ed to confirm % of joint REB sites 8
50 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes. Multi BTS.. FTN transmission (specific) alarm to TEC from BTS and FTN As.., but may also impact availability of SPT and LX T Opportunity to rectify upon receiving alarm. Easier to identify as an infrastructure by the signaller through driver observation. Requires breaks in ring to reduce functionality Single chain - 0km Entire ring - hundreds of km (Check transmission backgrounds) FTN (single chain) takes approximately hours to repair A fixed terminal core takes hours The mean time between FTN s is 670 hours ie.9 years, so assume 0.8 s per year A fixed terminal core is 6800 hours ie 7.8 years, so assume 0.7 s per year. During migration adding additional rings may lead to accidental severance Is transmission to do with a single site? Speak to Ian Burrows.. BSC /damage TEC receives (specific) critical alarm As.. Migrate services onto backup BSC (manual disaster recovery - BSC) All BTS connected to BSC - approx /9th of network hours for disaster recovery to be implemented - TBC Confirmed from RAM study The mean time between BSC s is > hours. Use worst case ie.55 years, so assume s per year Possible problems during software upgrades to BSC. No planned outage of BSC due to constant demand There are 80 BTS across 0 BSCs, each BTS covers 5.9km therefore ring = 80/0*5.9 = 00 km.. NSS - see later workshops.. FTN to NSS (maybe common to..) Can lead to.. or.. As.. Somewhere between.. and.. in 70 years per km of track, although maybe on increase due to possibility of cable theft. Cell inaccessible. RF interference.. Route configuration.. PLMN G (public network) - 900Mhz None As.. or.. Driver identifies problems and is fed back into system design None Reduction of call quality on the downlink whilst travelling 0-0mph, otherwise may not notice. 
Problems more severe when stationary and will continue to be affected until the voice traffic on the PLMN has dropped. No specific mitigation for the driver to detect this problem at the present time. It can take 0 seconds- minutes for the mobile to re-attach to GSM-R GB but may need a reset. If the driver sees a mast, moving the train away from the mast may help reduce interference. Actions such as moving the train forward slightly or using the cab mobile at the other end of the train have been suggested when at a station. Unable to tell for certain at this stage. Units 0-50m from the interference source will be more affected. But it is likely that it affects a particular train at a time rather than a whole cell. Most likely to be an issue for the train antenna than a BSS. 0 seconds to minutes for the train to locate the correct mobile, once interference has reduced. Longer if the mobile is 'stuck' and needs resetting. Approx 600 EGSM-R s in Germany in years ie 00/year. Alternatively, there were 5 recorded interference s on the GB network over a period of year. Assuming that: only 0% of the network is currently rolled out (x 5), the impending switch-on of Vodafone's additional mobile network increases interference (x) and other PLMN follow suit (x) equates to around 00 s per year for the UK. Only applies during migration May effect migration and could increase impact if more mobile networks switch on. Suggestions have been to add stronger BSSs at stations where most of the impact lies and create a more compatible cab mobile. Filters can concentrate the reception into the mobile, but is costly to set up and sometimes unreliable. One option is to introduce equipment which records interference and replays it to show where in interruptions have been and therefore could be in future. Future strategy between NR and mobile networks unclear. Difficult to predict rate of interference due to the continuing introduction of more PLMN. 9
51 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes.. PLMN G - 900Mhz band.. Broadband noise.. Other train antenna (repeaters) Assumed none Assumed none Assumed none Yet to determine Yet to determine Yet to determine. PA call in progress N/A May allow PA calls in normal operation - depending on rules surrounding process. Fatal error N/A low Recognised that this may happen eg rollout of G technology - data TBC GSM-R GB. BTS.. Cell BTS configuration error Failure on demand No PP or REC calls but gives impression that system is working to user Possible poor quality calls, increased possibility of misrouted calls. Risk of no coverage. Poor speech quality at one end between the driver and the signaller Driver would only be aware if attempting to use radio A BTS repeater takes approximately hours to repair Mean time between BTS core is 8600 hours. Use worst case ie 6.96 years, so assume s per year Misrouted calls caused by cab-mobile attaching to cells on adjacent routes (in the future) may be managed though experience and including trains on actual and adjacent route cell train list. Downside of this approach is that it will increase the size of the REC and therefore potential delays in the event of an emergency. For the purposes of the assessment it will be assumed that the calls may be misrouted.. Multi BTS.. BSC - likely to be a configuration issue TEC receives unique critical alarm If connection made to non-designated cell registration may fail without use of wildcard As above Migrate services onto backup BSC (manual disaster recovery - BSC) All BTS connected to BSC - approx /9th of network hours for disaster recovery to be implemented Mean time between BSC s is > hours. Use worst case ie.55 years, so assume s per year Possible problems during software upgrades to BSC. No planned outage of BSC due to constant demand 50
52 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes.. FTN Alarm to TEC from BTS and FTN As above Opportunity to rectify upon receiving alarm. Easier to identify as an infrastructure by the signaller through driver observation. Requires breaks in ring to reduce functionality Single chain - 0km Entire ring - hundreds of km (Check transmission backgrounds) as above Approx 90% would show a 'Searching please wait' display Mean time between FTN s is 670 hours ie.9 years, so assume 0.8 s per year A fixed terminal core is 6800 hours ie 7.8 years, so assume 0.7 s per year. During migration adding additional rings may lead to accidental severance. Wrong cell accessible.. As.. None As.. or.. Driver identifies problems and is fed back into system design -8km of track effected or less depending on whether adjacent cells fill in eg West Coast Mainline Only applies during migration E. FTS sub-system Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes. Registration failed. TD.Net.. Train describer - area failed Apparent to the signaller of the area affected that the TD has failed Registration will fail when location code is entered, signaller will know and issue wildcard (apart from within areas without TD available). Signaller will inform drivers and ops control. Ops control will contact the train operators. Local to one signal box/td area Speak to Paul Strachan Speak to Paul Strachan Ed to clarify that this is the correct recovery procedure. Risk of misrouting due to no ELDA from a shared cell. Driver error in registering will not be picked up and will be accepted when the wildcard is used. FTS can be told that the TD data is not available ie become a non-td area. This accepts location code without checking.. Transmission to or from TD.Net fails.. 
TD.Net overall Local functionality for the signaller but no link to TD.Net Trains de-correlated nationally in train list As above except signaller will be unaware unless the train list is checked. Trains will de-correlate. National network As above + duplicate connection used in case one fails Do not validate the TD. Will not be able to detect driver entering the wrong info As above As above As above Ed to talk to Rob Hill for s that would cause all trains in train list to de-correlate Whole country As above As above 5
53 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes.. General changes in TD Misrouting calls As above for.. Monitoring for paging by TEC Local to cell as above as above After rollout is complete. TD Bridge.. As per TD.Net as above as above Both bridges would need to fail - replicate bridge on auto start-up as above as above. Complete FTS - loss of site.. Air con Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller Switching over would take approx. hours as above Hot weather.. Loss of power DC power : Shut down of switch ie no calls, registration possible DC and AC has two feeds so some redundancy as above as above AC : no registration, outgoing calls ok, no communication.. Fire Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller as above as above.. Vandalism Worst case - Possible loss of all systems except REC (would receive the call on other trains but not signaller). Communication possible between drivers but no signaller as above as above. Routing Server..5 Terrorism As above as above as above.. Power Unable to register Duplicated on auto start-up as above as above outage.5 Management server.. Hardware.. Software.5. Signaller would be made aware whilst recording new messages As above As above as above as above As above As above as above as above Signallers unable to logon, record new message as above as above Rob to confirm.6 GSC.6. Hardware No calls or messages possible between drivers and signallers as above as above. GSM-R GB. ELDA.. Routing server Immediate Call routing not possible ie no call functionality to the signaller Speak to Paul Strachan Speak to Paul Strachan 5
54 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes.. TD.Net, TD.Bridge Gradual over time as data becomes out of date Misrouted calls eg calls going to the nominated and not controlling signaller as above as above. IMUX.. Hardware Warning on fixed terminal. Future: log out after 0 mins Up 5 fixed terminals will lose their function which may not be in the same signal box ie lose call functionality Possibility of role sharing with another signaller Depends on diversity of FTs fed as above as above Depends where IMUX is based in terms of single or multi panel signal box functionality Rob to investigate. ISDN.. Hardware terminal Share role with another signaller in the same box signaller's position as above as above Only available in multi panel signal box Are there any single points of for multiple fixed terminals. Fixed terminal.. Touch screen unit Blank screen/ nonresponsive screen terminal Share role with another signaller in the same box signaller's position as above as above Only available in multi panel signal box Are there any single points of for multiple fixed terminals.. Audio module Signaller cannot be heard/hear May impact communications if both hands free and handset fails Use other mode signaller's position as above as above.. NTBA box As. Similar to IMUX but would only affect terminal Share role with another signaller in the same box signaller's position as above as above Recovery is dependent on single or multi panel signal box.5 Signal box power.6 GSC.6. Hardware.5. Blank screen All terminals in signal box will fail UPS would provide backup signaller's position Failure on demand - driver unaware Registration possible, but no calls can be made between drivers and signallers. Existing calls will be dropped. Driver initiated REC will stop trains, but the signaller will not be aware. Signaller initiated REC will not stop trains. Attempts will be made to get it fixed. 
If total, the system at Stoke may be used. as above as above Dependant on single or multi panel signal box as above as above Check with tech (st floor) or Rob to check if all signal boxes connected to UPS 5
55 E. On-board train equipment Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes. Searching networks please wait. Broken antenna.. Loose connector Driver checks other cab radio - if functional, fault is identified. Most likely a network if both do not function No functionality. Can preregister None - fault reported cab radio Throughout service for cab Awaiting reliability figures Identified at any point in the journey. Blank. DCP.. Loss of connection between DCP and radio unit. Loss of connection.. Lack of power to screen, hardware fault. Loss of power.. Lack of power to screen.. Degradation as above as above as above as above as above as above as above No screen at power up No call functionality as buttons will not work cab Contact Brian Sowbry at Siemens Contact Brian Sowbry at Siemens Identified at any point in the journey No screen at power up Call functionality available although screen remains blank and unable to tell who is calling cab as above as above as above No screen at power up No call functionality UPS will take over if available cab as above as above as above.. MCB MCB switch set to off No call functionality until reset Driver resets cab as above as above as above. Screen.. Hardware fault No screen at power up Call functionality available although screen remains blank and unable to tell who is calling.5 Driver key/cab active.5. Loose connection None No functionality Alternative method to power up radio (not commonly known) cab as above as above as above cab as above as above as above.5. Hardware None No functionality Alternative method to power up radio (not commonly known) cab as above as above as above.5. Faulty key switching arrangement None No functionality Alternative method to power up radio (not commonly known) cab as above as above as above. Warning (fault). See Appendix R - NRCR HMI Design spec. (Siemens).. 
Various Unique fault code No critical functionality loss Fault is logged and service is continued cab No actual n/a Ask Ed for 'SIM card incomplete' fault code and warning 0 5
56 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes. Failure. See Appendix R - NRCR HMI Design spec. (Siemens) 5. Cab radio flt 5. Communications between DCP and cab radio unit.. Various Unique fault code No call functionality None during service cab Throughout service 5.. Single fault message No functionality - could receive REC, but no outgoing calls 6. Battery low 6. See EPROM/RAM 7. See flt 8. MT fatal 8. Brick fault 8.. No functionality Reboot by driver or selfreboot may overcome this error None during service cab Throughout service Failure in both cabs (if shared brick) Throughout service Contact Brian Sowbry at Siemens Contact Brian Sowbry at Siemens Contact Brian Sowbry at Siemens Can happen start or midjourney Can happen start or midjourney 9. GSM-R GB 9. Screen freeze 9.. Screen No functionality when calls are attempted and screen does not change Speak to Siemens Reset may fix it cab Contact Brian Sowbry at Siemens 9. Handset 9.. PTT Could hear messages but cannot be heard or vice versa Only affects RECs Handset test cab Throughout service as above 9.. Pickup Could hear messages but cannot be heard or vice versa Affects all calls Handset test cab as above 9.. Speaker Difficult to hear/cannot hear Volume dropped on loudspeaker, handset speaker does not work so may not be able to hear calls coming through Handset test cab as above 9.. Cradle switch Cannot hear loudspeaker May not be aware of calls coming through as all are directed to the handset Handset test cab as above 9. DSD connector 9.. Loose connection Maintenance testing If driver is incapacitated, it will not be detected cab as above 9.. Hardware Maintenance testing If driver is incapacitated, it will not be detected cab as above 9. PA connector 9.. Loose connection 9.. 
Hardware Failure on demand PA not available (signaller) PA menu test cab Throughout service Failure on demand PA not available (signaller) PA menu test cab Throughout service as above as above 55
57 Observation Cause of Sub-cause of Distinction Impact of Recovery Geographical size of Duration of Failure rate Influences Notes 9.5 DCP stuck buttons 9.5. Lack of maintenance, wear and tear Failure on demand Depends on button concerned Alternative means of contacting signaller ie tries other buttons (yellow, red, call signaller, phonebook), go to other cab cab as above 56
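Appendix F Call success probabilities

The availability, coverage and effectiveness calculations are contained within the risk model developed for the study (safety disbenefit model v..xls).

F. Intercity train types

| Speed | Consequence scenario | Availability | Broadcasting: Coverage | Broadcasting: Effectiveness | Receiving: Coverage | Receiving: Effectiveness | Call Success Probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | | | | | | |
| Normal | No radio | | | | | | |
| Normal | Unregistered radio | | | | | | |
| Normal | DSD/PA link unavailable | | | | | | |
| Normal | Driver:Driver communication only | | | | | | |
| Normal | GSM-R registered handportable | | | | | | |
| Normal | CSR | | | | | | |
| Normal | NRN | | | | | | |
| Reduced (60mph) | No radio | | | | | | |
| Reduced (60mph) | Unregistered radio | | | | | | |
| Reduced (60mph) | DSD/PA link unavailable | | | | | | |
| Reduced (60mph) | Driver:Driver communication only | | | | | | |

F. Suburban train types

| Speed | Consequence scenario | Availability | Broadcasting: Coverage | Broadcasting: Effectiveness | Receiving: Coverage | Receiving: Effectiveness | Call Success Probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | | | | | | |
| Normal | No radio | | | | | | |
| Normal | Unregistered radio | | | | | | |
| Normal | DSD/PA link unavailable | | | | | | |
| Normal | Driver:Driver communication only | | | | | | |
| Normal | GSM-R registered handportable | | | | | | |
| Normal | CSR | | | | | | |
| Normal | NRN | | | | | | |
| Reduced (60mph) | No radio | | | | | | |
| Reduced (60mph) | Unregistered radio | | | | | | |
| Reduced (60mph) | DSD/PA link unavailable | | | | | | |
| Reduced (60mph) | Driver:Driver communication only | | | | | | |

F. Suburban DOO(P) train types

| Speed | Consequence scenario | Availability | Broadcasting: Coverage | Broadcasting: Effectiveness | Receiving: Coverage | Receiving: Effectiveness | Call Success Probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | | | | | | |
| Normal | No radio | | | | | | |
| Normal | Unregistered radio | | | | | | |
| Normal | DSD/PA link unavailable | | | | | | |
| Normal | Driver:Driver communication only | | | | | | |
| Normal | GSM-R registered handportable | | | | | | |
| Normal | CSR | | | | | | |
| Normal | NRN | | | | | | |
| Reduced (60mph) | No radio | | | | | | |
| Reduced (60mph) | Unregistered radio | | | | | | |
| Reduced (60mph) | DSD/PA link unavailable | | | | | | |
| Reduced (60mph) | Driver:Driver communication only | | | | | | |

F. Freight train types

| Speed | Consequence scenario | Availability | Broadcasting: Coverage | Broadcasting: Effectiveness | Receiving: Coverage | Receiving: Effectiveness | Call Success Probability |
|---|---|---|---|---|---|---|---|
| Normal | GSM-R cab mobile - base case (as per NRN) | | | | | | |
| Normal | No radio | | | | | | |
| Normal | Unregistered radio | | | | | | |
| Normal | DSD/PA link unavailable | | | | | | |
| Normal | Driver:Driver communication only | | | | | | |
| Normal | GSM-R registered handportable | | | | | | |
| Normal | CSR | | | | | | |
| Normal | NRN | | | | | | |
| Reduced (60mph) | No radio | | | | | | |
| Reduced (60mph) | Unregistered radio | | | | | | |
| Reduced (60mph) | DSD/PA link unavailable | | | | | | |
| Reduced (60mph) | Driver:Driver communication only | | | | | | |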
Appendix G Functional loss scenarios

These functional loss scenarios were identified following the completion of the workshops.

| Functional loss scenario | Consequence | Scope |
|---|---|---|
| Single cab radio | No radio (receiving and broadcasting). | One cab. |
| Small radio network | No radio (receiving and broadcasting). | All trains passing through a small section of the network. Assumed to be the equivalent of a BTS outage. |
| Medium radio network | No radio (receiving and broadcasting). | All trains passing through a medium section of the network. Assumed to be the equivalent of a BSC outage. |
| Large radio network | No radio (receiving and broadcasting). | All cabs. Assumed to occur if Stoke and Didcot not working. |
| Single unregistered cab radio - temporary | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | Assumed to be one cell for one cab (radio correlated on reaching new cell). |
| Single unregistered cab radio - permanent | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All journeys for one cab. |
| Multiple uncorrelated cab radios (TD.net outage) | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All cabs. |
| Multiple uncorrelated cab radios (TD feed outage) | Cab radio functions but communication may not be to the controlling signaller. This reduces the effectiveness of urgent communications to the signaller. REC still works. | All cabs through the affected signaller's area. |
| DSD/PA link unavailable | Cab radio functions but signaller cannot use PA on-board train. DSD alarm not received by signaller. | One cab. |
| Single radio terminal | Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver, as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected signaller's area. |
| Multiple radio terminal | Cab radio functions but communication may not be available to the controlling signaller. This reduces the effectiveness of calls from the driver as alternative routes of communication are required. Signallers cannot contact drivers. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected signallers' areas. Assumed to affect 5 signallers. |
| Driver:driver communication only | Cab radio functions but no communication available to any signaller via radio. Driver initiated REC works but recovery is slower. SPTs still work. | All cabs through the affected areas. |
Appendix H Mapping of operational delay to functional losses

| Functionality loss scenario | Response 0: Continue in service | Cancel trains | Hand/transportable | Reduced speed | Delayed reduced speed |
|---|---|---|---|---|---|
| Single cab | A, G | A, B | A, C, G | A, D, G | A, D, G |
| Small network (BTS outage) | A, G | A, E | A, G | A, D, G | A, D, G |
| Medium network (BSC outage) | A, G | A, E | A, G | A, D, G | A, D, G |
| Large network (total outage) | A, G | A, B | A, G | A, D, G | A, D, G |
| Single registered cab - temporary | F | B, F | F | D, F | F |
| Single registered cab - permanent | F | B, F | F | D, F | F |
| Multiple uncorrelated cab (TD.net outage) | F | B, F | F | D, F | D, F |
| Multiple uncorrelated cab (TD feed outage) | F | E, F | F | D, F | D, F |
| DSD/PA link unavailable | G | B, G | G | D, G | D, G |
| Single terminal | G, H | E, G, H | G, H | D, G, H | D, G, H |
| Multiple terminal | G, H | E, G, H | G, H | D, G, H | D, G, H |
| Driver:driver communication only* | G | B, G | G | D, G | D, G |

*Does not affect calls from SPTs

Where:

A. Delays are accrued in the event that a radio is required to help ease other operational disruptions eg stop at signal/failed signalling but no radio is available on-board train.
B. Full (at start of journey) or part (mid-way through journey) cancellation of trains, plus full cancellation of their subsequent journeys. Part cancellation assumed to be 5 equivalent delay minutes. Full cancellation assumed to be 50 equivalent delay minutes.
C. Delays accrued to obtain hand/transportable.
D. Delays accrued from running at reduced speed.
E. Part cancellation of trains, through a particular section.
F. Delays from rerouting call, initial call goes to nominated rather than controlling signaller.
G. Delays from the signaller not being able to contact a member of on board staff.
H. Delays from the driver not being able to contact the controlling signaller at all.
Appendix I Modelling assumptions

The following assumptions were included in the risk modelling.

I. Philosophical assumptions

- SPTs are available at every signal and therefore the average distance between signals is 0.66 miles.
- The type of train detection does not impact the frequency or consequences of GSM-R radio.
- Only one approaching train is at risk of hitting the wreckage of a previous accident.
- 50% likelihood of the driver of an affected cab radio being the one to initiate a REC or call. Similarly, 50% likelihood of the driver of an affected cab radio being the one to receive a REC or call.
- The train broadcasting a REC is stationary (this is a simplification for the calculations).
- In-cab radio is Siemens version.
- The same network strength coverage is needed for both red and yellow button calls.
- Cab/network faults occur halfway through the operating day, half-way through the current journey.
- Network problems are fixed at the end of the day.
- There is always a rolling stock technician at each available location in order to install a transportable.
- Reduction in speed only benefits passenger/ECS trains, ie not freight (as the average speed is below the reduced speed limit, taken to be 60mph).
- Reduction in speed only benefits hazard events where speed is considered a factor of the consequences, ie includes derailments and collisions but not train fires, explosions etc.
- The effect of the speed reduction is based on the average speed before the reduction relative to the average speed after the reduction (as estimated from timetable analysis).
- When using an unregistered cab radio, the radio does not mitigate against collisions/derailments due to miscommunication.
- If the cab radio is unregistered the DSD and PA link still works.
- Part/full cancellation of trains do not incur reactionary delays.
- Each train service type model is made up of only trains of the same type.
- The strength of signal from a BTS decays at a rate proportional to the inverse square of the distance from the BTS.
- Response uses the results (availability and coverage) of the NRN study [Ref: ] for a GSM-R registered handportable.
- The number of hours before a speed restriction is put in place (response 5) is hours.
- The knock-on risk from delays such as overcrowding at stations, passenger loadings on trains, assaults has not been included in the assessment as a simplification (timescales of the project) and due to uncertainty in previous estimates for other projects.
- Cancelling a train removes all risk from that train.

I. Numerical assumptions

These are based on both data (D) and expert judgement (E).

- Part cancellation is taken to be 5 equivalent delay minutes. Full cancellation is taken to be 50 equivalent delay minutes.
- There are 80 BTS and 9 BSC on the GSM-R network (D).
- There are 67 signallers working at any one time (taken from the number of terminals) (D).
- The average distance of track covered by a signaller is km (the average track km per signaller) (D).
- The probability that a driver initiated yellow button call goes to the wrong signaller is 0. (E); this is considered conservative.
- The probability that the train latches onto the wrong base station is 0.0 (E).
- The times to contact signallers agreed for the NRN study [Ref: ] equally apply and in addition:
  - It takes 0 minutes for help to arrive via a single line (E).
  - It takes 5 minutes to receive and set up a hand/transportable at an available station (E).
  - It takes an additional minutes to contact a signaller via an SPT or platform phone (E).
- Reactionary delay is times the primary delay (D).
- There are,07,000 track metres (D).
- 88,7,7 passenger train km, 5,89,06 freight train km,,79,000 ECS train km (D).
- The proportion of track that is single track (weighted by train miles) is (D).
- The rate at which a DOO(P) service has needed help via the PA link is once every 0 years (D).
- The additional safety benefit the DSD/PA link provides to the driver is 0.0 FWI/event (E).
- There are 8 operational hours per day, and 6.5 operational days per year (D).
- The value of preventing a fatality (VPF) is,76,000 per FWI (D).
- Driver reaction time to apply brakes is 5 seconds, the brake build-up time is seconds (E).
- The minimum strength required for cab mobile is -0dBm, the optimum strength for a cab mobile is -98dBm (D).
- The probability of the faulty cab being used to return the train to the maintenance depot is 0.5 (E).
- The number of signallers affected by a multiple terminal outage or TD.net feed problem is 5 (E).

I. Train type assumptions

These are based on both data (D) and expert judgement (E).

| Assumption | Intercity | Suburban | Suburban DOO(P) | Freight |
|---|---|---|---|---|
| Cost of delay ( /minute) | 7 (D) | 5 (D) | 5 (D) | 7 (D) |
| Distance between needs to contact the signaller (miles) | 00 (E) | 50 (E) | 50 (E) | 60 (E) |
| National journeys per day | 580 (D) | 80 (D) | 87 (D) | 865 (D) |
| Journeys per day on a typical route | 7 (D) | (D) | (D) | 0 (E) |
| Journeys per day per train set | (D/E) | . (D/E) | . (D/E) | (D/E) |
| Typical journey lengths (km) | 69 (D) | 58 (D) | 60 (D) | 66 (D) |
| Average journey lengths to next available location (km) | (D/E) | 5 (D/E) | 5 (D/E) | (E) |
| Average journey lengths to next suitable locations (km) | (D/E) | 8 (D/E) | 8 (D/E) | (E) |
| Average journey lengths to maintenance depot (km) | 6 (D/E) | (D/E) | (D/E) | (E) |
Appendix J Hazardous events mitigated by GSM-R radio

This appendix includes a list of the hazardous events modelled in the Safety Risk Model version 7 [Ref: 0] that are considered to be partially mitigated by GSM-R radio.

- HET-0: Collision between two passenger trains resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF
- HET-0: Collision between a passenger train and non-passenger train resulting from a: passenger train Cat A SPAD; runaway train; misrouted train; or WSF
- HET-0: Collision between two non-passenger trains resulting from a: non-passenger train Cat A SPAD; runaway train; misrouted train; or WSF
- HET-0: Collision of train with object (not resulting in derailment)
- HET-0: Passenger train collision with road vehicle on level crossing
- HET-: Non-passenger train collision with road vehicle on level crossing
- HET-: Derailment of passenger train
- HET-: Derailment of non-passenger train
- HET-7: Fire on passenger train
- HEM-0: Passenger injury during evacuation following stopped train (not at a platform)
- HEM-: MOP (trespasser) struck/crushed by train while on tracks at station
- HEM-: Workforce (not infrastructure worker) struck/crushed by train
- HEM-5: MOP (trespasser) struck/crushed by train while on railway infrastructure not at station
- HEN-: Passenger fall from platform onto track (no electric shock nor struck by train)
- HEN-67: MOP (non-trespasser) fall from platform onto track (no electric shock nor struck by train)
70 Appendix K Safety benefits K. Safety benefits by function loss scenario The response options with the greatest safety benefit are highlighted in green. K.. Intercity Response Safety benefit ( /event) Functional loss Cancel trains Hand/trans portable Reduced speed Delayed reduced speed Single cab radio 5 Small radio network outage 0 Medium radio network outage 980 0,900,600 Large radio network outage,700 0,000 6,00 Single unregistered cab radio - temporary 0 0 < 0 Single unregistered cab radio - permanent < >- 0 Multiple uncorrelated cab radios (TD.net outage) ,000 5,700 Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable >- 0 5 Single radio terminal 5 0 Multiple radio terminal Driver:driver communications only,00 0,000 5,900 69
71 K.. Suburban train types Response Safety benefit ( /event) Functional loss Cancel trains Hand/trans portable Reduced speed Delayed reduced speed Single cab radio Small radio network outage 0 < Medium radio network outage Large radio network outage,00 0,700,600 Single unregistered cab radio - temporary 0 0 < 0 Single unregistered cab radio - permanent < >- < 0 Multiple uncorrelated cab radios (TD.net outage) 5 0,00,00 Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable >- 0 Single radio terminal Multiple radio terminal Driver:driver communications only,00 0,500,500 70
72 K.. Suburban DOO(P) train types Response Safety benefit ( /event) Functional loss Cancel trains Hand/trans portable Reduced speed Delayed reduced speed Single cab radio 7 5 Small radio network outage 0 Medium radio network outage 00 0, Large radio network outage,00 0,000 6,00 Single unregistered cab radio - temporary 0 0 < 0 Single unregistered cab radio - permanent < >- < 0 Multiple uncorrelated cab radios (TD.net outage) 5 0,000 6,00 Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable >- >- 6 5 Single radio terminal Multiple radio terminal Driver:driver communications only,00 0,000 6,00 7
73 K.. Freight train types Response Safety benefit ( /event) Functional loss Cancel trains Hand/trans portable Reduced speed Delayed reduced speed Single cab radio < < 0 0 Small radio network outage < Medium radio network outage Large radio network outage, Single unregistered cab radio - temporary Single unregistered cab radio - permanent > Multiple uncorrelated cab radios (TD.net outage) Multiple uncorrelated cab radios (TD feed outage) DSD/PA link unavailable Single radio terminal < Multiple radio terminal Driver:driver communications only,
74 K. Safety benefits by observation scenario K.. Intercity type trains Response Safety benefit ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks 550 <, GSM-R GB,700,00 5,000 8,700 Blank screen Registration - lead driver >-, Registration - duplicate > Registration - PA Failure/fault ,00,800 K.. Suburban train types Response Safety benefit ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks 50 < GSM-R GB,00,600 7,600 5,000 Blank screen Registration - lead driver > Registration - duplicate > Registration - PA Failure/fault,000,000,600,00 7
75 K.. Suburban DOO(P) train types Response Safety benefit ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks 70 <, GSM-R GB,500,600 9,000,000 Blank screen Registration - lead driver >-, Registration - duplicate > Registration - PA Failure/fault,00,00,900,800 K.. Freight train types Response Safety benefit ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks 50 < 0 0 GSM-R GB Blank screen Registration - lead driver Registration - duplicate Registration - PA Failure/fault
76 Appendix L Operational delays The response options with the most operational delays are highlighted in red. The response options with the least operational delays are highlighted in green. Values are presented as costs. Negative values therefore represent an operational delay saving relative to the base case continue in service. L. Operational delay by functional scenario L.. Intercity train types Response Operational delay ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Single cab radio,000, ,000 60,000,000 9,000,000 Small radio network outage 6,000, ,000,000 9,00,000 Medium radio network outage 90,000 0,00,000,00,000 Large radio network outage,000,000 0,800,000,600,000 Single unregistered cab radio - temporary 7,000, ,000,000 0 Single unregistered cab radio - permanent,900,000 0,000,600,000 0 Multiple uncorrelated cab radios (TD.net outage),00,000 0,800,000,500,000 Multiple uncorrelated cab radios (TD feed outage),00, ,00,000,00,000 DSD/PA link unavailable,700, ,000,000 7,000,000 Single radio terminal,000, ,000,000,000,000 Multiple radio terminal,000, ,000,000 9,800,000 Driver:driver communications only 70, ,000 00,000 75
77 L.. Suburban train types Response Operational delay ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Single cab radio,000,000-5,700,000 8,000,000 7,000,000 Small radio network outage,000,000 0,600,000,000,000 Medium radio network outage 56, ,000 60,000 Large radio network outage 0, ,000 00,000 Single unregistered cab radio - temporary 0,000,000 0,000,000 0 Single unregistered cab radio - permanent,00,000,000 00,000 0 Multiple uncorrelated cab radios (TD.net outage) 90, ,000 00,000 Multiple uncorrelated cab radios (TD feed outage) 70,000 0,00, ,000 DSD/PA link unavailable 5,000, ,900,000 5,00,000 Single radio terminal 6,00, ,00,000,600,000 Multiple radio terminal 00,000 0,00,000,900,000 Driver:driver communications only 6, ,000 78,000 76
78 L.. Suburban DOO(P) train types Response Operational delay ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Single cab radio -,000,000 5,900,000-9,000,000-8,000,000 Small radio network outage -,000, ,600,000 -,000,000 Medium radio network outage -78, ,000-60,000 Large radio network outage -0, ,000-00,000 Single unregistered cab radio - temporary -0,000, ,000,000 0 Single unregistered cab radio - permanent -,00,000 -,000-0,000 0 Multiple uncorrelated cab radios (TD.net outage) -90, ,000-00,000 Multiple uncorrelated cab radios (TD feed outage) -70, ,00, ,000 DSD/PA link unavailable -5,000, ,00,000-5,00,000 Single radio terminal -6,00, ,00,000 -,600,000 Multiple radio terminal -00, ,00,000 -,900,000 Driver:driver communications only -6, ,000-78,000 77
79 L.. Freight train types Response Operational delay ( /year) Functional loss Cancel Hand/trans portable Reduced speed Delayed reduced speed Single cab radio 60,000-7, Small radio network outage 70, Medium radio network outage, Large radio network outage 0, Single unregistered cab radio - temporary,800, Single unregistered cab radio - permanent 0,000, Multiple uncorrelated cab radios (TD.net outage) 0, Multiple uncorrelated cab radios (TD feed outage) 0, DSD/PA link unavailable 0, ,000 Single radio terminal 0, Multiple radio terminal 0, Driver:driver communications only,
80 L. Operational delay by observation scenario L.. Intercity train types Response Operational delay ( /year) Observation Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks 6,000,000 -,000,000,000,000 GSM-R GB,000,000-0,000 90,000,000 0,000,000 Blank screen 90,000-5,000 6,600,000,900,000 Registration - lead driver,000,000 0,000,000,000,500,000 Registration - duplicate,00,000,00,600,000,500,000 Registration - PA,00, ,00,000,00,000 Failure/fault 6,000,000-70,000,000,000 5,000,000 L.. Suburban train types Response Operational delay ( /year) Observation Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks,000,000 -,00,000,500,000 GSM-R GB 5,000,000 -,900,000,000,000 9,000,000 Blank screen 870,000-0,000,600,000,00,000 Registration - lead driver 0,000,000,000,00,000 80,000 Registration - duplicate 0, ,000 80,000 Registration - PA,00,000 0,700,000,00,000 Failure/fault 5,700,000 -,600,000 0,000,000 7,500,000 79
81 L.. Suburban DOO(P) train types Response Operational delay ( /year) Observation Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks,000,000 -,00,000,500,000 GSM-R GB,000,000 -,000,000,000,000 0,000,000 Blank screen 860,000-50,000,600,000,00,000 Registration - lead driver 0,000,000,000,00,000 80,000 Registration - duplicate 0, ,000 80,000 Registration - PA,00,000 0,800,000,00,000 Failure/fault 5,600,000 -,600,000,000,000 7,700,000 L.. Freight train types Response Operational delay ( /year) Observation Cancel Hand/trans portable Reduced speed Delayed reduced speed Searching for networks -870,000 < 0 0 GSM-R GB -,00,000 -, ,000 Blank screen -6, Registration - lead driver -,00,000 -, Registration - duplicate -0, Registration - PA -85, ,700 Failure/fault -70,000 -,
Appendix M Functional loss scenario comparisons

M. Intercity train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per functional loss scenario: Single cab radio; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal; Multiple radio terminal; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M. Suburban train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per functional loss scenario: Single cab radio; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal; Multiple radio terminal; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M. Suburban DOO train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per functional loss scenario: Single cab radio; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal; Multiple radio terminal; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

M. Freight train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per functional loss scenario: Single cab radio; Small radio network outage; Medium radio network outage; Large radio network outage; Single unregistered cab radio - temporary; Single unregistered cab radio - permanent; Multiple uncorrelated cab radios (TD.net outage); Multiple uncorrelated cab radios (TD feed outage); PA unavailable; Single radio terminal; Multiple radio terminal; Driver:driver communications only.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see
Appendix N Observation scenario comparisons

N. Intercity train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N. Suburban train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N. Suburban DOO(P) train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see

N. Freight train types

[Charts: operational benefit (k/year) and safety benefit (k/year), one panel per observation scenario: Searching for networks; GSM-R GB; Blank screen; Registration - lead driver; Registration - duplicate; Registration - PA; Failure/fault.]

Note: the safety benefit is plotted on the charts above but due to the significant difference in magnitude is hard to see
Appendix O Benefit cost ratios

BCRs highlighted in green are negative but show potential for safety benefits and operational delay savings. BCRs highlighted in red are negative but show potential for safety disbenefits as well as operational delay costs.

O. Functional loss scenarios

O.. Intercity type trains

Functional loss, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Single cab radio .8 x x 0-. x 0-. x 0-
Small radio network outage . x x 0-. x 0-
Medium radio network outage 7. x 0-0. x 0-. x 0-
Large radio network outage . x 0-0. x 0-. x 0-
Single unregistered cab radio - temporary 0 0. x 0-0
Single unregistered cab radio - permanent . x x 0-6. x 0-0
Multiple uncorrelated cab radios (TD.net outage) .8 x x 0-. x 0-
Multiple uncorrelated cab radios (TD feed outage) .9 x x 0-. x 0-
DSD/PA link unavailable -.5 x x 0-. x 0-
Single radio terminal 5.7 x x 0-.7 x 0-
Multiple radio terminal 9. x x 0-. x 0-
Driver:driver communications only . x x 0-. x 0-
O.. Suburban train types

Functional loss, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Single cab radio .7 x x 0-. x 0-. x 0-
Small radio network outage .5 x x 0-. x 0-
Medium radio network outage . x 0-0. x 0-. x 0-
Large radio network outage 5. x 0-0. x 0-. x 0-
Single unregistered cab radio - temporary x 0-0
Single unregistered cab radio - permanent . x x x 0-0
Multiple uncorrelated cab radios (TD.net outage) 6. x x 0-.8 x 0-
Multiple uncorrelated cab radios (TD feed outage) .5 x x 0-.8 x 0-
DSD/PA link unavailable -. x x 0-.7 x 0-
Single radio terminal .9 x x x 0-
Multiple radio terminal 6. x x 0-.9 x 0-
Driver:driver communications only .7 x x 0-.9 x 0-
O.. Suburban-DOO(P) train types

Functional loss, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Single cab radio .9 x x 0-7. x 0-7. x 0-
Small radio network outage .6 x x 0-7. x 0-
Medium radio network outage 8. x x 0-7. x 0-
Large radio network outage 5. x x 0-7. x 0-
Single unregistered cab radio - temporary x 0-0
Single unregistered cab radio - permanent . x x x 0-0
Multiple uncorrelated cab radios (TD.net outage) 6. x x 0-7. x 0-
Multiple uncorrelated cab radios (TD feed outage) .5 x x 0-7. x 0-
DSD/PA link unavailable -.6 x x x 0-
Single radio terminal . x 0-0. x 0-. x 0-
Multiple radio terminal 6.7 x x 0-7. x 0-
Driver:driver communications only .8 x x 0-7. x 0-
O.. Freight train types

Functional loss, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Single cab radio 7.9 x x
Small radio network outage .6 x
Medium radio network outage .6 x
Large radio network outage . x
Single unregistered cab radio - temporary
Single unregistered cab radio - permanent -8.5 x
Multiple uncorrelated cab radios (TD.net outage) .6 x
Multiple uncorrelated cab radios (TD feed outage) 8. x
DSD/PA link unavailable
Single radio terminal .5 x
Multiple radio terminal .5 x
Driver:driver communications only .6 x
O. Observation scenarios

O.. Intercity train types

Observation, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Searching for networks .7 x x 0-. x 0-. x 0-
GSM-R GB . x x 0-.6 x 0-.6 x 0-
Blank screen .8 x x 0-. x 0-. x 0-
Registration - lead driver . x x 0-6. x 0-. x 0-
Registration - duplicate .8 x x 0-6. x 0-. x 0-
Registration - PA -.5 x x 0-. x 0-
Failure/fault .8 x x 0-. x 0-. x 0-

O.. Suburban train types

Observation, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Searching for networks . x x 0-. x 0-. x 0-
GSM-R GB .7 x x 0-.6 x 0-.5 x 0-
Blank screen .7 x x 0-. x 0-. x 0-
Registration - lead driver .7 x x x 0-.8 x 0-
Registration - duplicate 8.7 x x x 0-.8 x 0-
Registration - PA -. x x 0-.7 x 0-
Failure/fault .7 x x 0-. x 0-. x 0-
O.. Suburban DOO(P) train types

Observation, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Searching for networks . x x 0-7. x 0-7. x 0-
GSM-R GB .9 x x x 0-8. x 0-
Blank screen .9 x x 0-7. x 0-7. x 0-
Registration - lead driver .8 x x x 0-7. x 0-
Registration - duplicate 8.7 x x x 0-7. x 0-
Registration - PA -.6 x x x 0-
Failure/fault .9 x x 0-7. x 0-7. x 0-

O.. Freight train types

Observation, followed by the response BCR for: Cancel; Hand/transportable; Reduced speed; Delayed reduced speed

Searching for networks .5 x x
GSM-R GB 6.8 x x
Blank screen 7.9 x x
Registration - lead driver .9 x
Registration - duplicate 5.6 x
Registration - PA
Failure/fault 7.9 x x
Appendix P Sensitivity analysis

P. The cost of delays

The assumed cost of delay per minute affects the disproportionality between safety benefits and operational delays. The average delay minutes were calculated from a sample of TRUST data (for 0 December 0 January 0, some 9,000 entries), and are shown in Table 0.

Table 0: Sensitivity of cost per delay minute (for cab radio defects and cancelling trains)

Train type; Average delay cost /minute; Delay cost required to achieve operational delay:safety benefit ratio /minute (0: 5: :)

Intercity <0.0
Suburban 5 <0.0 <0.0 <0.0
Suburban DOO(P) 5 <0.0 <0.0 <0.0
Freight

The costs per delay minute required to make the cost of operational delay a similar magnitude to the safety disbenefits (that is, to remove the grossly disproportionate argument) are significantly lower, and unrealistic. Therefore the conclusions are not considered to be sensitive to the assumed cost of delays.

P. The rate of reactionary delay incurred

The rate of reactionary delay was estimated from analysis completed for the REC risk assessment [Ref: 5]. For different locations such as Cheddington, Dovey Junction, Clapham Junction and Strathclyde, the delays per minute for the affected train (the source of the primary delay) were calculated relative to the delays incurred to following trains (the reactionary delay). For both Dovey Junction and Cheddington the reactionary delay was estimated to be equivalent to the primary delay. For Clapham Junction, the reactionary delay was estimated to be around three times the primary delay, whereas for Strathclyde, the reactionary delay was estimated to be around nine times that of the primary. As such, the mid value of three was taken for generating the risk assessment results, and sensitivity analysis was completed for reactionary delay being one and nine times the primary delay.
The sensitivity analysis shows that for intercity, suburban and suburban DOO(P), continuing service with a hand/transportable (response ) or without (response ) remain the best options in all cases. However, in locations where the reactionary delay could be nine times the primary, cancelling trains (response ) offers some reduction in benefit over reduced speed (response ) and delayed reduced speed (response 5) for some functional loss scenarios (such as single cab radio failures and large radio network outages). This is because no reactionary delay is assumed in the model where trains are part or fully cancelled. Conversely, in locations where the reactionary delay could be equal to the primary, cancelling trains (response ) appears worse for some functional loss scenarios than delayed reduced speed (response 5).
For freight type trains the results are not particularly sensitive to reactionary delay. The exceptions are:

- single cab radio failures, for which, in areas of nine times reactionary delay, using a hand/transportable becomes the least operationally costly option
- multiple radio terminal failures and driver:driver communications only, for which, in areas of nine times reactionary delay, cancelling trains (response ) becomes the most favourable response.

P. The version of the cab radio software

It was assumed at the start of the risk assessment study that the version of the cab radio software would be Siemens version . However, it may be some time before all existing users are upgraded to this version. One of the key differences of this version, compared to version E, is that the observation scenario Registration - duplicate is virtually eradicated. If version E were considered instead, this would change the frequency of cab radios not being able to register a journey, and increase the estimated cost per year due to GSM-R radio registration issues. Although it changes the frequency, it does so for both safety benefit and operational delays, and as the error does not impact the consequences, it does not change the balance between preferred response options.

P. The number of base transceiver stations (BTSs)

The initial design for the GSM-R system included the provision of 80 BTSs. However, as rollout and commissioning is undertaken, this number may increase to improve network reliability. As such the risk assessment was also run with 000 BTSs to account for the potential increase. More BTSs mean a greater likelihood of a BTS failure, but now with lesser consequences, as the blackspots created by a failed BTS will be smaller. As such the change in risk is small and does not impact the conclusions of the study.
P.5 The number of registrations

The risk assessment was based on full GSM-R rollout for current levels of operations; that is around 0,000 registrations (or train journeys) per day. However, once GSM-R rollout is complete the level of operations may have increased. To test the effects of this, the model was also run with a 5% increase in train journeys, and therefore registrations. The increase in registrations also gives a proportional increase in failed registrations, cab radio failures and trains affected by network failures. Thus in this sensitivity test the safety benefit increases for each of the response options considered. However, the operational delay associated with each response option also increases and, as before, where it was grossly disproportionate to the safety benefits it remains so. Therefore the conclusions of this study are not considered to be sensitive to the number of registrations.

P.6 How network signal fluctuations are observed by the driver

An initial assumption made during the development of the model was that when the cab radio loses the network signal it displays "searching for networks". However, there is a transition period between losing the signal completely and when the strength of the signal is not strong enough to make a call. In the case of the latter, the cab radio may still display "GSM-R GB". It is unclear what proportion of instances where the signal is reduced will display "GSM-R GB" rather than "searching for networks". So sensitivity analysis has been carried out assuming 50% and 90% of the time the cab radio may display "GSM-R GB". The effect of this switch does not affect the overall conclusions about whether the response options considered are reasonably practicable. This is because both the safety benefit and operational delays change in proportion with the change in frequency. However, what does change is that, when "GSM-R GB" is displayed and the cab radio fails on demand, the likelihood of the cause being a cab radio defect is reduced (from 7% to 8%, at the 50% split between "GSM-R GB" and "searching for networks", and to 5% at the 90% split between "GSM-R GB" and "searching for networks"). Therefore the display of "GSM-R GB" cannot be concluded to be a cab defect without further diagnosis.

P.7 The GSM-R cab radio and network failure rates

There is a degree of uncertainty associated with the failure rates used to calculate both the risk and operational delays. Where possible the failure rates were estimated with data recorded from routes already using GSM-R or design estimates. However, as more experience of the system is obtained these rates may change. Therefore sensitivity analysis was carried out for +/- 0% change in cab radio failure rates and +/- 0% change in network failure rates. As shown with previous sensitivity tests, this leads to proportionate changes in both safety benefit and operational delays for each of the response options considered. Therefore, although the absolute levels of risk and operational delays change for each response option considered, where the costs of delays were grossly disproportionate to the safety benefit they remain so. Therefore the conclusions of this study with respect to response options are not considered to be affected by errors in the failure rates.
RIS Published by: Block 2 Angel Square 1 Torrens Street London EC1V 1NY Copyright 2014 Rail Safety and Standards Board Limited RIS-0386-CCS Issue One: December 2014 Rail Industry Standard Issue record
Passenger Rail Service Satisfaction. 2014-15 Quarter 2 Statistical Release. 18 December 2014. Responsible Statistician: Dr Fazilat Dar
Passenger Rail Service Satisfaction 2014-15 Quarter 2 Statistical Release 18 December 2014 Responsible Statistician: Dr Fazilat Dar 020 7282 3705 Further information Media Enquiries: 020 7282 2094 Contents
Constraining the cumulative amount of revenue recognised
IASB Agenda ref 7A STAFF PAPER Week of 24 September 2012 FASB IASB Meeting Project Revenue Recognition FASB Education Session 19 September, 2012 IASB Education Session 20 September, 2012 Paper topic Constraining
AGENDA ITEM: 8 SUMMARY
AGENDA ITEM: 8 SUMMARY Report for: Housing and Community Overview and Scrutiny Committee Date of meeting: 28th January 2015 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations
Customer requirements. Asset management planning Inspection and assessment Route asset planning Annual work plans Contracting strategy
Section 8 Output monitoring Inputs Customer requirements Safety standards Outputs and funding SRA and Government Policy Network stewardship strategy Asset and operational policies Maintenance & renewal
RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES
RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004 Risk Management Guidance CONTENTS Pages List of guidelines on risk management
Briefing Note. Use of standard gauges for non-passenger rail vehicles. March 2013
Briefing Note The Use of Standard Gauges for New Non-Passenger Rail Vehicles March 2013 1. Purpose This briefing note is written to guide the manufacturers and introducers of non-passenger rail vehicles
Cost to Northern Ireland of Workplace Injuries and Ill-health
Cost to Northern Ireland of Workplace Injuries and Ill-health Economic Research March 2013 Prepared by DETI Analytical Services for the Health and Safety Executive Northern Ireland (HSENI) Introduction
Monitoring and evaluation of walking and cycling (draft)
Sustrans Design Manual Chapter 16 Monitoring and evaluation of walking and cycling (draft) November 2014 September 2014 1 About Sustrans Sustrans makes smarter travel choices possible, desirable and inevitable.
Balancing and Settlement Code BSC PROCEDURE BSCP537. QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs
Balancing and Settlement Code BSC PROCEDURE BSCP537 QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs APPENDIX 3 GUIDANCE NOTES ON COMPLETING THE SAD Version 2.0 Date: 10 September 2007
The Strategic Environmental Assessment Directive: Guidance for Planning Authorities
The Strategic Environmental Assessment Directive: Guidance for Planning Authorities Practical guidance on applying European Directive 2001/42/EC on the assessment of the effects of certain plans and programmes
English. Trapeze Rail System. www.trapezegroup.com
English Trapeze Rail System www.trapezegroup.com Trapeze Rail System Enabling future railway, tram and metro transport The worldwide growth in demand for travel and increasing competition between all modes
