Command, control and signalling

Strategic Risk Chapter

4. Continuous improvement

How command, control and signalling risk is reduced over time

Continuous improvement in command, control and signalling is essential to maintaining safe train operations as systems age, operating models change and new technologies are introduced. Risk reduction depends on maintaining the integrity of existing systems, strengthening controls through renewal and enhancement, and managing the transition to digital and more automated technologies in a controlled way.

Taken together, these activities form a continuous improvement cycle, moving from the management of existing assets through renewal and transition, and ultimately delivering improved resilience and safety. 

Four connected elements show a pathway to improved resilience and safety, starting with existing systems, progressing to integrity management, then to renewal and enhancement, followed by the transition to digital, and ultimately resulting in improved resilience and safety.

Managing long-term reliance on Train Protection and Warning System (TPWS)

TPWS has been in service on Network Rail’s infrastructure for significantly longer than was anticipated when it was introduced under the Railway Safety Regulations 1999. This extended use presents ongoing challenges, including equipment approaching the end of its design life, the need for continued scrutiny of maintenance regimes, and consideration of enhancements where the introduction of ERTMS or other ATP solutions is not yet envisaged.

Given the extended timescales for retaining TPWS and uncertainty over the pace of Digital Railway implementation, dutyholders are expected to consider the reasonable practicability of introducing improvements to strengthen risk control.

Strengthening resilience during centralisation into Railway Operating Centres

The progressive centralisation of signalling control into twelve Railway Operating Centres (ROCs) is changing the signalling risk profile on the mainline railway. While centralisation offers benefits in network management, coordination and cost efficiency, it also concentrates control of large sections of the railway, increasing the potential impact of failures.

Continuous improvement during this transition depends on ensuring adequate contingency arrangements to manage risks arising from cyber-attack, fire, power loss and system failures, and on avoiding single points of failure that could affect large geographic areas. Ensuring sufficient redundancy and resilience to disruption remains a key requirement as control arrangements are reconfigured.

Human performance is a critical factor in the safe operation of ROCs. The move to centralised control has raised concerns that unsustainable workloads may be placed on signallers, with potential impacts on decision-making, communication and overall performance. Robust prospective workload assessments are therefore essential, and conclusions must be acted upon as systems and operating demands change. Network Rail has established standards to manage the risk of operator error arising from workload changes, including the National Operating Procedure (NOP) Operational Workload Assessment (3.37).

Experience has shown that combining workstations can, in some cases, result in unmanageable workload where cognitive demands are not well understood or visible. Temporary mitigations have been required in some instances before permanent solutions could be implemented. Measuring and predicting cognitive workload remains challenging, and RAIB’s 2020 Class Investigation into safety-critical human performance highlighted the need for improved techniques to assess and manage these risks. Progress has been made, but further work is required, and ORR continues to oversee completion of this recommendation.

Other risks associated with ROC integration include loss of signallers’ local geographical knowledge, particularly of level crossings, and design configurations that do not adequately meet users’ information needs. Learning from incidents, such as the collision at Hockham Road in 2016, reinforces the importance of strong human factors integration alongside robust assurance processes to support the safe operation of new and upgraded signalling systems in ROCs.

Improving assurance of software, data and system integrity

Software and data integrity are increasingly important as signalling systems become more complex and interconnected. Incidents have shown that errors can pass through testing and commissioning where assurance responsibilities are unclear or fragmented.

The loss of safety-critical signalling data on the Cambrian Coast line on 20 October 2017 highlights how software systems need to be assured. The investigation makes five recommendations:

Actions expected following the Cambrian signalling investigation. Network Rail should strengthen safety assurance, improve learning from software failures, and capture better data to understand such events. Hitachi STS should review its assurance processes and provide a technical solution to remove the need for manual verification of uploaded speed restrictions.

Dutyholders are expected to strengthen assurance arrangements to ensure the continued integrity of signalling software, data and interfaces throughout the system lifecycle. This includes learning from incidents, improving communication of assurance responsibilities and maintaining clear accountability as systems evolve.

Cyber security also forms part of this assurance landscape. As systems become more connected and digitally enabled, continuous improvement requires cyber risks to be addressed alongside traditional safety risks.

Managing the transition to the Digital Railway

The term ‘Digital Railway’ is used to describe Network Rail’s programme to roll out ERTMS. ERTMS refers to the standardised, interoperable European Rail Traffic Management System. It comprises GSM-R, the mobile communications system for railways, and ETCS, the European Train Control System.

Rail data transmission has been via GSM-R, but this system has now become obsolete and it is understood that it is to be replaced by the Future Railway Mobile Communication System (FRMCS).

The implementation plan for ERTMS within Great Britain will take many years, targeting equipment that is life-expired, and represents a long-term transition rather than a single change. The rollout of ERTMS, automated train protection, traffic management systems and increasingly automated train operation will involve periods where multiple signalling and train control technologies coexist.

One element of the Digital Railway is Traffic Management (TM) systems. Traffic Management takes inputs from various systems, uses this data to identify conflict points and to predict and deliver plans or options to counteract any clashes, and ensures all users are informed of changes as the systems make adjustments. TM has considerable scope to minimise delay and disruption, and to assist in reducing signallers’ workload. TM systems also have the potential to be linked to the Driver Advisory System (DAS), which is present on some fleets, meaning drivers receive real-time information.

Continuous improvement in this context depends on:

Key risks and controls during transition to digital signalling. These include managing transitional risks as legacy and new systems operate together, ensuring data integrity for braking performance and system interfaces, coordinating activity across multiple dutyholders, and learning from early deployments to inform later rollouts.

While digital systems offer significant opportunities to improve safety, capacity and performance, their integration is inherently complex and requires sustained focus to ensure risks are reduced rather than displaced.

More information on ERTMS is provided in the Appendix.

Exploiting opportunities through renewal and enhancement

Whenever signalling systems are renewed or enhanced, opportunities arise to strengthen risk controls. Resignalling schemes can address risks that were not previously considered in design, such as interactions between signals and level crossings. New schemes also provide opportunities to design signalling systems that better support track worker protection and safer systems of work.

Exploiting these opportunities is a key element of long-term risk reduction, enabling safety improvements to be embedded through design rather than relying on procedural controls alone.

Design-led improvement in signalling systems. Renewal and enhancement schemes provide opportunities to embed stronger risk controls and reduce reliance on degraded working and human intervention.

Embedding improvement as normal practice

Sustained improvement in command, control and signalling depends on embedding these approaches into routine planning, operation, renewal and change management. Maintaining system integrity, strengthening assurance, learning from incidents and managing transitions safely are ongoing requirements as the railway continues to evolve.

Continuous improvement therefore supports both the safe operation of existing signalling systems and the safe introduction of future technologies.