On the morning of 12 December 1988, with the weekend project successfully completed, I had left the hotel and was travelling south on the DC lines from Harrow & Wealdstone to Euston, now part of the London Overground but branded Network South East ‘Harlequin Line’ at the time. Writes David Bickell.
I was a member of the commissioning team that brought into service the new Willesden Suburban signalling panel and two associated Solid State Interlockings, to replace the innovative if quirky LMS automatic signalling system introduced in 1933 between South Hampstead and Watford Junction. I was feeling proud that the Signal & Telecommunications Engineering Department (S&T) of BR had successfully introduced another modern signal box.
Travelling home to Crewe I noticed posters put up at Euston advising that a ‘derailment’ had caused the closure of Waterloo station. This was a little troubling, but heading north in the pre mobile computing age, it was not until I arrived home in the afternoon and watched television news broadcasts that the full horror of the morning’s events became apparent. 35 people were dead and many more injured. The whole industry was in shock.
On the eve of the twenty-fifth anniversary of the disaster, Clive Kessell, a senior S&T executive with BR at the time, presented a personal analysis to The Institution of Railway Signal Engineers (IRSE). Your writer attended on behalf of The Rail Engineer. Having personal involvement with training and standards during the last 25 years, I am privileged to present the thought provoking key issues elucidated by Clive, adding my own commentary on how things have developed before and after privatisation.
Although the accident was primarily related to signal engineering, readers may identify parallels with the way in which standards, training and competence have been developed within other engineering disciplines.
Clive discussed how BR’s robust response to the recommendations maps through to today’s fragmented railway with rapidly advancing S&T technology. He explained: “The accident was caused by a loose wire, previously removed from a shelf-type relay during wiring alterations, coming into contact with a relay terminal. This in turn false fed a track circuit repeat relay that was key to signal replacement circuitry needed to ensure the correct aspect sequence following the passage of a train. Thus a green signal that should have been at red led to a train travelling at speed and colliding with the rear of a preceding train stopped at the following signal to report a wrong aspect sequence.”
A formal investigation into the causes of and circumstances attending the accident was led by Sir Anthony Hidden QC and published in November 1989. It made 93 wide ranging recommendations. These included S&T specific issues, of which more anon, BR’s general safety culture, crash worthiness of rolling stock, response of the emergency services, and BR’s emergency planning.
Clive highlighted the issue of documentation: “As in all serious accidents, an obvious cause can be the lack or inappropriateness of instructions and documentation. Were signalling policy and procedures adequately set down? Early findings suggested that they were not, with many regional variations to contend with. Recognition that a standardised approach to installation, testing, maintenance and fault finding of signalling equipment would need to be introduced across the whole of British Rail.”
The need for new documentation was crucial, and specialist teams from across BR were assembled to assess the actual requirements and produce a series of best practice instructions that would be mandatory across the entire railway. So emerged four new staff handbooks:
- Signal Works Testing Handbook (SWTH)
- Signal Maintenance Testing Handbook (SMTH)
- Signal Installation Handbook (SIH)
- Signal Design Handbook (SDH)
In BR days, the creation, updating, and sign-off for issue of standards was a straightforward process within the vertically integrated S&T Engineering department. Furthermore, the reason for the existence of mandatory standards was embedded within corporate knowledge of the Director’s team and passed down by word of mouth to subsequent generations of engineers. It was never envisaged that engineering department hierarchies would be dismantled in later years and thus no process was put in place to document the reason and purpose for every single clause in a standard.
This gives rise to risk today. For example, an important signal control added to circuitry to prevent a potential collision scenario could be removed, say, 25 years later because the need for it was questioned and there was nobody around who knew what it was for. Indeed, commitment to standards faltered during the Railtrack era when all important signalling maintenance specifications were handed over to contractors.
After a series of high profile train disasters that ultimately led to the downfall of Railtrack, Network Rail took over stewardship of the infrastructure and worked hard to regain control of the standards. When Network Rail brought maintenance back in house, the chief executive declared that it was one company and that there should be one way of doing things. The maintenance specifications had to be purchased back from one of the contractors who had diligently kept them up to date.
What of SWTH, SMTH, SIH and SDH today? The good news is that the handbooks are still in place as mandatory standards and, with the exception of SIH, have been updated within the last year. The SIH hasn’t been updated for nearly two years which is a little worrying given the innovative new signalling kit being provided by various suppliers for installation on the network. Standards promulgate ‘best practice’ which, interestingly, is a requirement stated in Network Rail’s Network Licence.
But are there too many standards? Network Rail’s current position was outlined by Gareth Llewellyn, executive director for safety and sustainable development, in the June 2013 issue of The Rail Engineer. He said that the large number of standards indicates that the workforce is severely constrained by the content therein. Progress must never be compromised. Network Rail’s vision is to have a small number of mandatory business-critical rules supported by guidelines on how to do the job. This, according to Gareth, will then enable the workforce to be effective and innovative and to embrace new technology with enthusiasm, knowing that they are working within a framework of flexible risk controls.
In order to help rebuild BR staff morale post Clapham, a new look S&T department was launched under the brand ‘Safety, Quality & Teamwork’ (SQT). A high level of staff engagement was sought in order to provide a successful launch of the new standard handbooks. Allied to this was the enhancement of training provision. The Railway Engineering School at Derby became the academy for testing training and a range of design and maintain courses covering complex equipment.
The regional schools had no less onerous a role in providing training on the important basic elements of S&T – installation, points, track circuits, interlocking principles, wiring techniques, cable jointing, local telephone exchanges etc.
Also launched at this time was a suite of ‘distance learning’ programmes. Some high-quality full-colour training modules were released for study at home or in the depot. This obviated the need for staff to stay away from home on a similar classroom based residential course.
Sadly these excellent initiatives had a short life span with the break-up of the industry just a few years away. BR’s S&T training units were sold off and have subsequently either been closed or had a chequered career. To some extent, training has turned full circle with Network Rail building its own brand-new signal engineering training centres.
Competence – IRSE licensing scheme
Clive explained that in-house measures by BR were however not seen as sufficient to restore the credibility of the S&T profession. “A form of independent assessment of competence was needed and the chosen solution has been the IRSE Licensing Scheme. Since the IRSE is both the body representing the interests of the profession and independent of any railway organisation or equipment supplier, it was a logical decision. It took a while for the scheme to be designed and developed, and it was not until 1994 that the scheme was formally launched by Sir Anthony Hidden.”
There are currently 62 categories of licence for S&T covering specific roles within the broad categories of installation, maintenance, testing, design, project engineering and engineering management. Licences are issued on a personal basis. Obtaining a licence involves a workplace assessment and competence assessment, using the applicant’s Log Book – a record of training, qualifications, and work experience – as evidence. Assessing Agents, who are subject to regular audit by the IRSE, oversee and manage the assessment process. A licence is normally valid for five years.
Clive continues: “Pragmatism is always a means of moving forward and there have been many compromises allowed in order that important work programmes are not stopped. When Network Rail decided to take maintenance back in house following the Hatfield accident, S&T staff were inherited complete with their licences.
“The need to continue with licensing inside Network Rail has been questioned and an alternative ‘Assessment in the Line’ system has been devised. If applied properly, this could be more rigorous than an IRSE licence since it requires a yearly assessment to take place. However this seemed not to happen in practice and the ORR issued a non-conformity on the company. As a result, Network Rail has re-engaged with the scheme and is concentrating on getting fault finder and maintainer staff re-equipped with licences.
“To date, some 397 licences have been issued to such staff out of a total of 3,000. There is a declared intention to re-licence installation technicians and although the paper work was approved some 18 months ago, no licences have yet been issued. Network Rail does use the scheme for design, project engineering and engineering management staff.
“An impending challenge is how to prove competence for staff responsible for train borne ERTMS signalling equipment. This could mean the licensing scheme having to stray into the traction and rolling stock arena since it is certain that split maintenance regimes for trains within a depot will not be tolerated by the train companies.
“A working party has been set up to look at the problem, initially discussing three areas: how to safely commission equipment into service, how to sign systems in and out of service and how to manage software updates. Lessons may be gleaned from London Underground since it has had train-borne signalling systems for many years and uses the standard licence portfolio to certify such staff. However, LU is still a vertically integrated entity, which makes for much simpler managerial control.
“Whatever the shortcomings, the Licensing scheme must be judged a big success. Since its inception in 1994, some 12,000 licences have been issued. The number of licences as at September 2013 is 5,554.”
Clive asserts “Clapham was never going to be the ‘accident to end all accidents’ and other serious ones have occurred subsequently. Some have demonstrated fundamental weaknesses both in rail organisation and engineering management.”
Crucial issues emerge from signalling and track related accidents in which sixty-seven passengers have lost their lives since Clapham. Fifty-five of these deaths were caused by Signals Passed at Danger (SPAD), a risk that has been substantially reduced by the introduction of the Train Protection & Warning System (TPWS).
The Potters Bar (2002), Hatfield (2000) and Grayrigg (2007) accidents contained elements of commercial pressures, loss of national control of maintenance standards, staff competence and training.
Pertinent to this discussion is the serious accident that occurred on the Washington Metro in 2009. This was a chilling repeat of Clapham.
A ‘wrong-side’ track circuit failure meant a stationary train vanished from the system allowing a following train to crash into the back of it. Whilst the poor workmanship at Clapham has been addressed, the possibility of a ‘wrong-side’ failure of the train detection equipment itself must not be overlooked. The safety integrity of the signal interlocking is totally dependent upon train detection units correctly reporting the position of trains. Track circuits and axle counters are, of course, designed to be extremely safe but the Washington disaster is a reminder that such faults, however rare, can occasionally occur. The need for a signalling/train sequence monitoring system is discussed below.
At the time of Clapham, the vast majority of interlockings were of the relay type. Today there are many computer-based interlockings in service. But whatever the variant of relay or computer system, they do the same job of moving points and changing signal aspects safely with due regard to the state of train detection units, in accordance with the signal control tables which are a logical expression of the requirements for route setting.
There is scope for error in writing control tables, circuit design in the case of relay systems, or data preparation in the case of computer interlockings. Finally, there could be design errors or a breakdown of the actual hardware, as at Washington.
System Safe Sequence Monitoring
Clive gave his audience a worrying last thought. “A fundamental cause of the Clapham accident was that a train disappeared from the system and the system was incapable of recognising that. Wind the clock forward and ask the same question; if a train operating in a computer controlled signalling environment – maybe ERTMS but even perhaps SSI and its more modern derivatives – disappeared off the signaller’s display screen, would the system recognise the situation and raise an urgent alarm?
“It begs the question as to the management of all wrong side failures. These still occur but only come to light when somebody notices that something odd has occurred, in other words, a human detection. Should more effort be put into the design so that train movements are predicted in advance and if the sequence is not followed in practice, then an alarm be raised? I believe this happens in air traffic control so why not in rail?”
In 1988, computer technology in train control and supervision was in its infancy. Today the signalling system outputs significant amounts of data for the monitoring of train running by train operators and Network Rail. Signallers’ computer display systems include a ‘SPAD’ alarm and ‘out of sequence’ alarm for train detection which would raise the alarm if a train disappeared from the system. This could be developed further to include signal aspect monitoring in order to provide an overall and continuous real time check. This data could be combined to feed an algorithm devised to compare predicted versus actual train movements.
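The predicted-versus-actual comparison described above can be sketched in a few lines. This is an added example, not code from the article or from any signalling supplier; the section names, event format and alarm labels are constructed for illustration, and a single running line with one direction of travel is assumed.

```python
from dataclasses import dataclass, field

@dataclass
class SequenceMonitor:
    sections: list                                  # ordered in the direction of travel
    occupied: set = field(default_factory=set)      # what train detection reports now
    expected: set = field(default_factory=set)      # where the monitor predicts a train is
    alarms: list = field(default_factory=list)

    def detection(self, t, section, is_occupied):
        i = self.sections.index(section)
        if is_occupied:
            # A train can only arrive from the section behind (or at the area boundary).
            if i > 0 and self.sections[i - 1] not in self.expected:
                self.alarms.append((t, "UNEXPECTED_OCCUPATION", section))
            self.occupied.add(section)
            self.expected.add(section)
            return
        self.occupied.discard(section)
        at_exit = i == len(self.sections) - 1
        if at_exit or self.sections[i + 1] in self.occupied:
            self.expected.discard(section)          # train moved ahead or left the area
        else:
            # Section cleared with nothing occupied ahead: the train has vanished.
            # Keep it in `expected` so later checks still protect it.
            self.alarms.append((t, "TRAIN_LOST", section))

    def aspect(self, t, section, aspect):
        # `section` is the one protected by the signal reporting this aspect.
        if aspect != "red" and section in self.expected:
            self.alarms.append((t, "ASPECT_CONFLICT", section))

def run(sections, events):
    mon = SequenceMonitor(list(sections))
    for t, kind, section, value in events:
        if kind == "det":
            mon.detection(t, section, value)
        else:
            mon.aspect(t, section, value)
    return mon.alarms

SECTIONS = ["T1", "T2", "T3", "T4"]                 # constructed layout
FAULT_LOG = [                                       # constructed event log
    (0, "det", "T1", True),                         # first train enters
    (10, "det", "T2", True),
    (12, "det", "T1", False),
    (20, "det", "T2", False),                       # wrong-side failure: T2 clears, T3 never occupied
    (25, "det", "T1", True),                        # following train enters
    (26, "asp", "T2", "green"),                     # signal into T2 shows a proceed aspect
]

if __name__ == "__main__":
    for alarm in run(SECTIONS, FAULT_LOG):
        print(alarm)
```

The monitor keeps its own record of where a train should be, so a section that reports clear without the train having been seen ahead stays protected in the monitor even though the detection equipment no longer reports it.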
Raising an alarm on a signaller’s display screen in the new world of the Rail Operating Centres (ROC) will require some thought. Signallers will be supervising large areas and will be primarily focussed on dealing with operating issues rather than watching the progress of every train. It could be challenging for a signaller to suddenly drop what he or she is doing and then assimilate all train movements in the area for which an alarm is sounding in order to take instant action to avoid something bad happening!
Accident investigation or prevention?
It’s comforting to know that inspectors at the Rail Accident Investigation Branch (RAIB) are as astute as the ex-military men who used to investigate accidents under the auspices of ‘Her Majesty’s Railway Inspectorate’, leaving no stone unturned. Ironically, if the RAIB has become involved, it may be too late. There may be injuries or a fatality resulting from the accident under investigation. The RAIB has no monitoring function over Network Rail’s day-to-day engineering and operations.
So, who does audit Network Rail’s commitment to standards and competence? The Office of Rail Regulation (ORR) has the role of National Safety Authority. Much of ORR’s safety work revolves around Health & Safety Legislation and The Railway and Other Guided Transport Systems (Safety Regulations) 2006 (ROGS). ORR staff do indeed carry out inspections checking that ROGS systems are in place, and that includes safety critical work including staff competence. However, it would appear that more proactive and vigorous checks ‘RAIB style’ are needed to try and prevent accidents occurring in the first place.
No room for complacency
Clive concluded: “The recent RAIB annual report for 2012 was remarkable in that signalling barely featured, only two SPAD incidents being investigated in the period 2008-12. This is in itself a tribute to the good work that has been done since Clapham to get S&T back into a good shape.
“So, things have moved on a long way since that fateful day in 1988. Clapham and other subsequent accidents have caused the S&T profession to move from a position where safety was questionable to one where safety processes are rigorous and reliable. No-one should however conclude that nothing more needs to be done. The recruiting, training and competence proving of next generation staff will be a big challenge.
“The cost of signalling is still perceived as too high and means of obtaining equipment based on commercial designs is going to have to happen. The supply industry needs to be more integrated so that equipment purchased is both interoperable and interchangeable regardless of manufacturing organisation.
“Signal engineers need to be re-orientated from the long established tradition of having to invent something different every time, whether for new projects or enforcing changes to existing products, so as to utilise standard industry designs. This might mean changing signalling / operating rules.
“Software security risks need to be better understood and safeguards built into both equipment design and transmission media. The division of responsibility for trackside and train-borne equipment needs resolving with some urgency, which will mean a much closer relationship between the Institutions that represent both interests.
“Clapham was never going to be the last accident involving signalling systems and indeed others have happened since. It is to be hoped that nothing can ever happen again on this scale but the real challenge will be to identify new emerging risks and to manage these before anything awful occurs.”