train protection - technical review of the ertms programme

HSE Health & Safety

Executive

Train Protection - Technical review of the ERTMS Programme Team report

Prepared by the NEL Consortium for the Health and Safety Executive 2003

RESEARCH REPORT 067

HSE Health & Safety

Executive

Train Protection - Technical review of the ERTMS Programme Team report

The NEL Consortium consists of -

EQE International Ltd TUV NEL Ltd TUV Bau und Betrieb EQE House East Kilbride Westendstrasse 199 Warrington Road Glasgow D-80686 Birchwood G75 0QU Munich Warrington WA3 6WJ

Prepared by: Richard Adams (EQE), Michael Cavanagh (EQE),

Roger Lillicrapp (EQE), Karl Gotz (TUV),Udo Steininger (TUV) and Heiko Saalbach (TUV)

Approved by: Linda Rowan (NEL)

The final report of the ERTMS Programme Team (EPT), published on 25 April 2002, outlines a way ahead for train control and signalling on the UK main line network. The costs and benefits of the European Rail Traffic Management System (ERTMS) were modelled over a 40 year period and, based on these predictions, recommendations have been made for the implementation of ERTMS while ensuring compliance with the Interoperability Directives. When considering the safety benefits of ERTMS, predicted shifts between different modes of transport strongly influence the report’s conclusions.

The EPT was commissioned to produce the report, which outlines the industry’s plan, by the ERTMS Programme Board (EPB), a body jointly set up and co-chaired by Railway Safety and the Strategic Rail Authority. The HSE has initiated a Review of the EPT report using independent consultants and experts. The NEL Consortium, which comprises NEL, TÜV and EQE International, has been awarded a contract to review the EPT intermediate and final reports. Other reviews are being undertaken by People Science & Policy and by NERA.

This report and the work it describes were funded by the HSE. Its contents, including any opinions and/or conclusions expressed, are those of the authors alone and do not necessarily reflect HSE policy.

HSE BOOKS

© Crown copyright 2003

First published 2003

ISBN 0 7176 2607 5

All rights reserved. No part of this publication may bereproduced, stored in a retrieval system, or transmitted inany form or by any means (electronic, mechanical,photocopying, recording or otherwise) without the priorwritten permission of the copyright owner.

Applications for reproduction should be made in writing to: Licensing Division, Her Majesty's Stationery Office, St Clements House, 2-16 Colegate, Norwich NR3 1BQ or by e-mail to [email protected]

ii

EXECUTIVE SUMMARY

The final report of the ERTMS Programme Team (EPT), published on 25 April 2002, outlines a way ahead for train control and signalling on the UK main line network. The costs and benefits of the European Rail Traffic Management System (ERTMS) were modelled over a 40 year period and, based on these predictions, recommendations have been made for the implementation of ERTMS while ensuring compliance with the Interoperability Directives. When considering the safety benefits of ERTMS, predicted shifts between different modes of transport strongly influence the report’s conclusions.

The EPT was commissioned to produce the report, which outlines the industry’s plan, by the ERTMS Programme Board (EPB), a body jointly set up and co-chaired by Railway Safety and the Strategic Rail Authority. The HSE has initiated a Review of the EPT report using independent consultants and experts. The NEL Consortium, which comprises NEL, TÜV and EQE International, has been awarded a contract to review the EPT intermediate and final reports. Other reviews are being undertaken by People Science & Policy and by NERA.

HSE defined a set of 13 technical questions which form the basis of the NEL Consortium’s review of the EPT report. The primary purpose of this review was to comment on the justification for the conclusions reached by the EPT and to assess the quality of the evidence cited in support of these conclusions. HSE requested liaison between the NEL Consortium and NERA in answering questions 4, 5 and 7.

The EPT report recommends implementation of ERTMS Level 2 in an upgrade programme extending over 30 years. The report claims that capacity, performance and safety should all be enhanced by adopting the recommended strategy. Other options reviewed (principally the Uff/Cullen recommendation) were expected to have financial drawbacks and to reduce rail capacity, resulting in a potential shift of rail passengers to road transport (where mortality rates are far higher), with a consequent rise in risk to travellers. However, the evidence cited in support of this anticipated modal shift was inadequate. Furthermore, ERTMS Level 2 is currently at an early stage of development and because of this, the risks associated with its implementation are not fully understood. The high degree of project risk in recommending ERTMS Level 2 at this stage has not been given sufficient weight in the EPT report. These shortcomings mean that the totality of safety risks to passengers has not been adequately addressed in the report. Although the evidence cited in support of the report’s conclusions was considered to be inadequate, the technical solution recommended (ERTMS Level 2) has significant advantages.

The following paragraphs summarise the NEL Consortium’s comments in response to the 13 questions which were raised by HSE on the EPT report.

The impact on network capacity of implementing different levels of ERTMS (designated A, B, C and D in the report) has been analysed and is supported by traceable data. However, it is considered that further investigation is necessary to validate the report’s conclusions taking into account the initial state of the network, the combination of systems used in the different options and the implementation strategies employed to migrate from the initial state to each of the final states.

The safety benefit for passengers in terms of SPAD-related incidents is the same for every option because the ATP function can provide the same protection for trains irrespective of the ERTMS level installed. However, the reduction in risk to passengers achievable with TPWS/TPWS+ is considered to be greater than that assumed by EPT, so if TPWS/TPWS+ is already installed, then the relative benefit of early ERTMS implementation is substantially

iii

reduced. In addition to these technical issues, the modal shift anticipated includes many potentially uncertain long-term assumptions and complex interactions which make the report’s conclusions on this aspect open to question.

The safety of rail workers improves when ERTMS level 2 is fully installed, but this has not been analysed quantitatively in the EPT final report. However during the process of installing ERTMS it is anticipated that there may be an increase in risk to track workers, although the EPT report has not properly identified and recorded these risks nor have they been fully considered when assessing the safety benefits. The EPT report does acknowledge some uncertainty about the data used in the final report. The EPT report has not addressed the Railway Safety initiatives in reducing risks to trackside workers.

Although modal shift between rail and road transport will occur, the assumption in the EPT reports of 100% modal shift is considered unrealistic and is not supported by credible evidence. The expected modal shift, when appropriate factors are considered, would be expected to be substantially less than that assumed in the EPT reports for both the case of capacity reduction and of capacity increase.

Significant weaknesses were identified in the EPT’s consideration of societal risk as a result of modal shift. There are concerns over the mixing of actual fatalities and equivalent fatalities and the transfer of risk from one transport mode to another.

In analysing the development times of their preferred strategy, ERTMS Option 4, the EPT identified qualitatively a series of critical factors. Although the major EU projects have been researched, a more detailed evaluation of the policy and influence of European railway operators would have given improved timescale estimates for system development and implementation in the UK.

A number of potential business risks have been overlooked in the EPT report. In particular the assessment of ‘risked’ Capital Cost is suspect as there appears to be a lack of correlation between the Capital Cost assessment and the risked Capital Cost assessment.

The EPT report identifies the system development issues and puts them on the critical path. However, there are concerns over the evidence supporting the areas of potential acceleration in the development programme.

The EPT report states that all trains and 46% of all signals including those at pinch points (high risk junctions) will be fitted with TPWS which could avoid 81% of accidents preventable by ATP. Due to this claimed mitigation of risk and the expected higher costs for the early fitment of ERTMS/ETCS there does not appear to be sufficient justification on the grounds of ATP safety benefits alone.

The EPT states that GSM-R is not a proven technology in the UK with the result that acceptance in the UK will be difficult. The EPT has assumed that GPRS could be added to the GSM-R system for a relatively small cost although it is acknowledged that some problems have to be solved before GPRS could be used.

Although the EPT has set out a possible 5 stage migration strategy from TPWS to ERTMS Level 3, it has correctly not considered migration from Level 1 to Level 2 of ERTMS. It has been generally assumed that there is no incremental upgrade path from ERTMS Level 1 to ERTMS Level 2.

The EPT reports do not consider new hazards and safety risks which may be introduced as a result of the implementation of ERTMS Level 2. In particular, the transfer of safety critical

iv

functions from trackside on to trains has not been fully considered. There is no evidence of a formal hazard identification procedure being used with the result that top level hazards and safety requirements have not been defined.

The EPT reports recognise the importance of WCRM in providing a basis for the ERTMS project. However, this is not reflected in the planning process and there is little evidence that the EPT is making full use of inputs from the WCRM project. Confidentiality difficulties have limited the use of WCRM sourced data.

v

CONTENTS

EXECUTIVE SUMMARY i

1. INTRODUCTION 1

1.1 Scope of Review 21.2 Methodology 21.3 Scope of Work 2

2. ANSWER TO TECHNICAL QUESTION 1 4

2.1 The Question to be Addressed 42.2 Approach 42.3 Review Findings 42.4 Conclusions 6








6.1 The Question to be Addressed 176.2 Approach 176.3 Review Findings 176.4 Conclusion 18



vii

vi












13.1 The Question To Be Addressed 3713.2 Approach 3713.3 Review Findings 3713.4 Conclusions 39


14.1 The Question to be addressed 4114.2 Approach 4114.3 Review Findings 4114.4 Conclusions 44

15. CONCLUSIONS 45

16. OTHER RELEVANT FACTORS 47

REFERENCES 48

APPENDIX 1 List of Questions Submitted by HSE 49

viii

1. INTRODUCTION

After the occurrence of several severe accidents that resulted from trains driving through signals, commonly referred to as Signals Passed At Danger (SPAD), there is a requirement within the UK to complete the implementation of the Train Protection and Warning System (TPWS). This system is a conventional, 'on the spot' influence on trains that reduces the risk of SPADs but does not completely eliminate them and there is also no automatic reaction to the failure of system components.

Following the accidents referred to above, a Joint Public Inquiry on Train Protection Systems was convened to report on these accidents and make recommendations on how the risk of such accidents occurring in the future could be reduced significantly. The Inquiry, which was chaired jointly by Professor Uff and Lord Cullen, issued a final report, referred to as the Joint Inquiry Report or the Uff/Cullen Report1. This report recommended that, in addition to introducing TPWS, implementation of Level 1 of the radio-based European Rail Traffic Management System/European Train Control System (ERTMS/ETCS) should also be undertaken within the shortest practical timescale.

The ERTMS/ETCS strategy includes an automated protective function called Automatic Train Protection (ATP) that, under most circumstances, prevents trains from passing signals at danger (SPADs). There is considerable pressure from the media and the general public for the industry to adopt the recommendations in the Uff/Cullen report.

Subsequently, Railway Safety and the Strategic Rail Authority (SRA) jointly set up an ERTMS Programme Board (EPB). The EPB in co-operation with the rail industry appointed a team of experts called the ERTMS Project Team (EPT) to provide an industry response2,3 to the Uff/Cullen report. The EPT proposed moving away from the Uff/Cullen timescales and recommendations and instead proposed that conventional signalling technology including TPWS should continue to be operated until the end of its projected life expectancy, which is around 15 years. Immediately thereafter, implementation of Level 2 of ERTMS/ETCS, which will be available by that time, should take place. The solution favoured by the EPT includes driver’s cab signalling, which would minimise or possibly eliminate exterior (i.e. trackside) signals.

Essentially, the series of arguments is as follows:

a TPWS prevents about 80 % of the SPADs that ATP is able to prevent b ERTMS/ETCS Level 1, which is available at the moment, reduces the capacity of railway

lines and requires exterior signals. i this results in passengers opting to travel by road (i.e. by car) where the risks are higher. ii the necessary work on the tracks (rails) will increase the risk for the railway workers

(employees) c ERTMS/ETCS Level 2, including driver’s cab signalling, increases the capacity of

railway lines and reduces the necessary work on the tracks (rails) once installed, although it increases the work on the tracks during installation.

The EPT also questions whether it is economically justifiable to upgrade initially with TPWS, which is legally necessary, then to implement ERTMS/ETCS Level 1 as soon as possible and finally to implement Level 2 or even Level 3.

1

1.1 SCOPE OF REVIEW

The Health and Safety Executive (HSE) has commissioned a consortium comprising TUV NEL (National Engineering Laboratory), EQE International and TÜV Süddeutschland to undertake an independent review and evaluation of the EPT results and recommendations, focusing particularly on the quality of evidence cited in support of the recommendations. Other reviews have been undertaken by People Science & Policy and by NERA.

In the contract placed by HSE a list of 13 specific questions that were to be addressed was provided. These questions, which are listed in Appendix 1, were aimed at establishing whether there is good quality evidence within the appropriate reports or other external evidence that justifies the EPT's conclusions and whether the EPT considered in full all of the issues that are likely to impact on its conclusions.

The specific nature of the questions resulted in a clear focus on material within the EPT reports relevant to the questions only, not to wider areas of related technology. Furthermore, HSE limited the scope of the review specifically to the Final and Interim EPT Reports and explicitly excluded the existing Preliminary Report. HSE required that the NEL Consortium and NERA, the economic contractor, should liaise with each other on the answers to questions 4, 5 and 7.

It became clear towards the end of the NEL review that the EPT had undertaken a further substantial body of work following the production of their Final Report in April 2002. Although the NEL Consortium’s contractual requirement was not altered, a series of meetings and other exchanges have taken place in an attempt to recognise the latest EPT thinking in the NEL Consortium review. The latest position has therefore been acknowledged, as far as possible, in the answers provided in this report although the comments are primarily based on EPT work up to April 2002.

1.2 METHODOLOGY

Responsibility for addressing the questions posed by HSE was divided between EQEInternational and TÜV Süddeutschland. EQE International has dealt with the questions specific to UK rail operations regarding the number of passengers opting for transportation by car as a result of diminished capacity of railway lines and the effects of this modal shift. Business risk issues have also been addressed by EQE International. The Rail Division of TÜV Süddeutschland assumed responsibility for the technical questions and, in association with the Risk & Reliability Division of TÜV Süddeutschland, has concentrated on questions relating to the operational safety of the various technical solutions proposed and questions concerning the effects on the capacity of the affected routes. In order to address satisfactorily some of the questions there was a need for direct co-operation between both organizations.

NEL had responsibility for the overall management of the study and the co-ordination of the activities of the members of the consortium. Production of the report was also undertaken by NEL.

1.3 SCOPE OF WORK

The work of the Consortium was focused on the reports of the EPT produced no later than April 2002. Although discussions with the EPT took place subsequent to this date and it is accepted that the work of the EPT is ongoing, EPT output after April 2002 has not been considered in detail in this report.

Reports produced by the EPT published up to and including April 2002 were not intended to meet the requirements of an official review. This made it difficult to find the required answers

2

within a huge number of more or less independent papers in which many of the cross references are not easy to find.

3

2. ANSWER TO TECHNICAL QUESTION 1

2.1 THE QUESTION TO BE ADDRESSED

To what extent are the reports’ conclusions about the effects on network capacity of installing different levels of ERTMS supported by good quality evidence cited in the reports or otherwise justifiable?

2.2 APPROACH

In formulating a response to the question posed, due consideration has been given to the recommendations of the European Committee for Electrotechnical Standardization (CENELEC), common railway standards and the state of the art in general. Experience of conventional command and control systems and ERTMS/ETCS implementation studies as well as pilot projects in other European countries has also been taking into account. Particular experience relevant to this exercise includes:

· experience of Indusi, which is similar to the Automatic Warning System (AWS) in UK and with the development of Point Train Influence (PZB) being introduced in Germany, which is akin to a preliminary stage to ERTMS Level 1

· knowledge of the ERTMS/ETCS Level 2 project Jüterbog - Halle/Leipzig and the fully developed FunkFahrBetrieb concept (i.e. radio controlled operation), which is an ERTMS concept for regional lines in Germany

· knowledge of the FSS pilot project, which is a Level 2 solution with in-cab signalling at the Olten - Luzern line in Switzerland.

2.3 REVIEW FINDINGS

In order to respond to this question it was necessary to understand the functions of ERTMS and the differences between the different levels. The following information has been extracted from the EPT report and is reproduced here in order to provide the reader with this background information.

ERTMS provides a fully automatic train protection (ATP) function that prevents the majority of SPADs. Also, the various ERTMS applications can influence the track capacity, the effect on this being dependent on several system features. In a Level 1 system the train is supervised at a single point only or at a limited length whereas Level 2 and Level 3 applications allow a continuous supervision by radio network.

ERTMS Level 1 and Level 2 work with fixed blocks (conventional track circuits or axle counters) whereas Level 3 allows moving block operation (trainside integrity check) but is not investigated further by the EPT and, therefore, not discussed in scope of the EPT review. Similarly, the EPT has not considered in depth Level 2 applications with reduced trackside infrastructure for regional lines with low frequency services. The following applications, referred to as ‘Systems’ have been investigated:

a The basic ERTMS Level 1 without infill function (System A) in which the movement authority is passed to the train by a switched balise at the point of a signal if the following signal indicates ‘danger’ or ‘caution’. An update is not possible until the train reaches the next balise even though the line becomes clear (and the following signal switches to ‘proceed’). This entails a significant reduction of track capacity relative to conventional signalling.

5

c

b ERTMS Level 1 with additional infill (System B) that allows an update of the movement authority at the infill points. A smaller reduction of track capacity results with this approach than without infill function. ERTMS Level 2 applications in which movement authority is passed to the train from the Radio Block Centre (RBC). It is important to distinguish between ERTMS Level 2 as an overlay system with additional trackside signals (System C) which maintains conventional as well as radio-controlled traffic on the same track. For instance, this could occur during an implementation period of ERTMS train equipment. The effect of System C on track capacity is expected to be negligible.

d The final Level 2 state with cab signalling (System D) in which trackside signals are completely removed or minimised for fallback operation and replaced by in-cab signalling. This approach offers the greatest potential for improved track capacity and flexibility.

Based on typical operational scenarios and taking into account uncertainties and making the assumption that every system type is implemented to the whole network the capacity impacts were calculated by the EPT. The results are summarised in the Table 1.

Table 1 Capacity impacts

System Impact on overall network Lower bound Upper bound capacity (%) (%)

(%) A - 15 - 30 0 B - 11 - 15 0 C broadly neutral - 5 0 D 5 0 10

An analysis of the effect of ERTMS at a specific pinch-point (Welwyn Viaduct) was undertaken. This analysis indicated that by introducing System D an improvement in performance delay of approximately 100 minutes per day would be expected. An improvement of this magnitude was considered to be equivalent to the improvement that could be achieved by doubling the number of tracks from two to four. Although the EPT report indicates that the introduction of a revised timetable would yield a quite different result the impact ought to be similar for both scenarios.

Further investigation of theses issues is necessary including more detailed analysis of pinchpoints, the effect of changes to the timetables, reduction in performance delay (instead of increased capacity), signalling layout (i.e. distance between signals) and improved traffic management functions and rules. Based on experience with conventional command and control systems and the ERTMS implementation studies and pilot projects, it is considered that the following two aspects should be taken into account:

· A relative evaluation of the reference state, i.e. the impact of the implementation of TPWS and TPWS+, respectively, on network capacity

· The migration process from actual conditions / reference state to final state with respect to the mixture of systems, time schedule and implementation of ERTMS equipment to track first, to trains first or simultaneously to train and track (referred to as ‘options’ by the EPT).

In the EPT report, the relative impact on network capacity of TPWS and TPWS+ implementation is presented for every system type. The reference state, i.e. the state that defines the 100 % value, is not evaluated in the reports. It must be assumed that TPWS and at least

6

TPWS+ reduce network capacity as well, perhaps to the same extent as ERTMS Level 1. From the reports, however, it is not clear whether these aspects have been taken into account.

It is important to know the impact on network capacity of TPWS and TPWS+ explicitly for the final decision making process. Evidence was found that the effects on capacity on the lines, which consist of blocks, points, stations, level crossings etc., for the several ERTMS system types is well understood. In the EPT reports, however, results are presented for each system type based on the assumption that it is fitted to the whole network but in practice every option consists of a mixture of lines fitted with different ERTMS system types. Moreover, there are several interim scenarios before the final state for each line is reached which are likely to have very different effects on network capacity. For example, the capacity reduction for Option 1, which contains only 32% of System A, would be expected to be less than the reduction calculated for System A if applied across the entire network. Also, there will be relatively long periods during implementation when trains and/or tracks are not fully equipped. During these periods it must be assumed that the safety benefit of the ATP will not be fully available whereas the reduction of the capacity could be larger than in the final state due to mixed traffic. For example, in Germany there is evidence that on high-speed lines where there are reduced trackside signals, conventionally controlled trains operated on such lines can effectively block them which has a dramatic effect on capacity.

These effects should be analysed at least for the two most important options - Option 1 (Joint Inquiry Report) and Option 4 (refined - EPB preferred strategy) for the final decision making process.

It is understood that the EPT intends to carry out more detailed investigations of capacity and safety. These should include using a comprehensive model for further investigation of capacity effects similar to that used for safety effects.

2.4 CONCLUSIONS

The impact on whole network capacity of each system type (A, B, C and D) has been analysed and is traceable, however, it is considered that further investigation is necessary to validate the report conclusions. This investigation should take into account the reference state, the mixture of systems used in the different options and the implementation strategies employed to migrate from the reference state to several final states. Also, a more comprehensive analysis of the effect of pinch points on capacity is essential so that the optimum solutions for these difficult operational areas can be determined.

7

c



To what extent are the reports’ conclusions about the effects of installing different levels of ERTMS on (a) passenger safety and (b) railway worker safety supported by good quality evidence cited in the reports or otherwise justifiable?

3.2 APPROACH

In addressing this question it was assumed that it relates to the final state, i.e. after the particular type of ERTMS system has been fully installed. Reference was made to CENELEC, common railway standards and the state of the art in general. In particular, experience of conventional command and control systems and ERTMS/ETCS implementation studies and pilot projects was applied. Experience of particular relevance to this exercise was the ERTMS Special Safety Study initiated by ERTMS Safety Requirements and Objectives Group (ESROG) / ERTMS Core SRS Assessment Group (ECSAG) and UNISIG, the association of signalling manufacturers. TÜV participated in this study along with other European consultants. Other relevant experience included probabilistic safety and risk analysis, data investigation and statistical engineering.

3.3 REVIEW FINDINGS

A thorough review was undertaken of Appendix A4.3 (Safety Benefits)4 to the EPT intermediate report which describes the procedure used and presents a summary of the results. The procedure outlined in the EPT report consists of the following steps:

a Identify accident categories b Choose type of analysis for each accident category

Carry out quantitative modelling and analyse results d Carry out qualitative analysis and analyse results e Combine results of both analyses and develop conclusions and recommendations.

Features of ERTMS relevant to risk have been identified to categorise the accidents with the main emphasis on:

· SPAD reduction · Speed monitoring.

Because these features plainly entail a decrease in risk from accidents compared with the TPWS only case, they have been chosen for quantitative analyses. The accident categories influenced by these features are:

· passenger and non-passenger train SPADs with following train collision between stations · collisions with buffer stops and at level crossings · derailment.

The accident categories identified are suitable to describe the risk impacts on the overall railway system in principle but because of the implementation of new technology many uncertainties could arise. Subdivision into qualitative and quantitative analyses depending on the experience with the different accident categories and the expected impact on the risk is normal.

9

Other features of ERTMS which have been considered are · installation, maintenance and repair of trackside equipment · improved communication systems with Levels C and D · tilt authorisation functionality · capacity implications.

The effects of these features on risk from accident categories are either assumed to be less or very uncertain and, therefore, they have been treated in a qualitative manner. Accident categories influenced by these features are:

· all accidents involving track side workers including inadequate protection · the overall SPAD rate · derailments · collision with objects other than trains on and near the line · road traffic accidents versus rail accidents (due to a transition from road to rail).

For the quantitative analysis the network was broken down into 40 routes with 319 route segments. Ten of these route segments have been chosen to represent different speeds and services on the network and the following five implementation options have been considered:

· Option 1 - Cullen & Uff · Option 2 - Cullen & Uff delayed · Option 3 - EC directive · Option 4 - Trains first · Option 5 - Track first.

Percentage implementation of trackside and trainborne equipment within discrete time periods from 2001 up to the final state in 2043 has been taken into account. The assumption that safety benefits of ERTMS will be realised only when tracks and trains are both equipped on any section is considered to be valid.

The annual base case safety risk is the estimated consequence rate in terms of equivalent fatalities per year of ERTMS preventable accidents with the assumption that neither TPWS nor ERTMS are implemented. This assumption takes into account that, in general, historical data represent a situation without these systems although some of the cases do involve TPWS, BR-ATP or a similar system. Risk reduction due to TPWS and that due to ERTMS, therefore, was calculated analytically. It was assumed by the EPT that TPWS will reduce the rate of SPADrelated accidents only. No allowance was made for the potential reduction of accident consequences. From this analysis TPWS was estimated to prevent approximately 81% of SPADs. The effectiveness of ERTMS in reducing the rate of SPADs was estimated to be 97%. Examples of causes of SPADs, not preventable by ERTMS, are environmental factors, human errors and system failures. Moreover, the EPT assumed that the speed monitoring capability will prevent non-SPAD-related accidents to the same level of effectiveness.

For the quantitative analysis the EPT used the simplified Layout Risk Method (LRM) that takes into account:

· train types, i.e. acceleration and braking ability · line speed that determines the position of the overspeed sensor and the trigger speed · distance from the signal to the potential accident point.

The safety benefits that will result from the implementation of the several options in terms of ATP-preventable equivalent fatalities avoided over a 40-year period due to ERTMS compared

10

with implementation of TPWS only are shown in Table 2. Confidence intervals on these data were not stated. It should be noted that in the report the number of equivalent fatalities is determined by the ratio

1 fatality = 10 major injuries = 200 minor injuries

whereas the CENELEC railway standard recommends a ratio of

1 fatality = 100 minor injuries. Table 2

Safety benefits of options

Option Description Equivalent fatalities avoided versus TPWS only case

2003 - 2043 1 Cullen & Uff 83 2 Cullen & Uff delayed 76 3 EC directive 37 4 Trains first 62 4 Option 4 refined 74 5 Track first 51

After the installation of ERTMS is completed the same safety benefit is assumed for every option.

The database is suitable and the simplified LRM appears appropriate to the problem although it is not completely explained in the documents. In Appendix 4 of the addendum to the EPT report there is a reference to a report5 that had not been published at the time and as a result the traceability is limited. Nevertheless, the results of the analysis regarding the different options and consequent safety benefit were clear. The choice of option is dependent solely on important differences in the safety benefits (i.e. which scenario provides higher safety benefit, considering the same model for all scenarios6). In order to make a final decision it would be necessary to obtain the confidence limits on the data because it is expected that the differences between the scenarios are of a similar order of magnitude to the aleatoric and epistemic uncertainties due to models, assumptions and data.

In an addendum to the EPT report, local benefits for Great Western Main Line (GWML) impact on track worker’s risk during implementation of the various options, social risk impact / modal shift and implementation of Option 4 (refined) have been investigated or at least discussed. This addendum contains a quantitative approach for the assessment of risk due to changes to or from road transport depending on capacity impacts. An increase in the population is assumed to lead to an equivalent increase in passenger numbers. The number of passenger trains is assumed to increase with the increase of passengers up to the limit of line capacity whereas the number of freight trains is assumed to be constant during this time period. The key findings were:

· There is a reduction in ATP-preventable train accident fatalities for all options with the implementation of ERTMS.

· Option 1 (Joint Inquiry Report) generates the highest reduction in ATP-preventable fatalities due principally to the fact that lower levels of ERTMS reduce the rail capacity. The associated modal shift from rail to road causes a potentially large increase in road fatalities.

11

· High speed routes, including all tracks on those routes, represent only 17% of the total route network but contribute 49% of the ATP-preventable safety benefit.

· High passenger density routes with line speeds between 60 and 100 mph represent 22% of the network and contribute 33% of the ATP-preventable safety benefit.

· The benefit of TPWS+ is approximately 2%, in terms of ATP-preventable accidents when applied in addition to TPWS and, therefore, the safety benefit of TPWS+ may not be significant enough to justify its fitment throughout the network. On GWML, which has existing ATP and TPWS, adding TPWS+ has even less benefit.

· All the effects on track worker safety have not yet been fully assessed. The installation and maintenance of ERTMS equipment would cause a relatively small increase in fatalities over the 40 year period. It is anticipated, however, that the reduction in track side equipment associated with the higher levels of ERTMS, and the resulting improved possession management capabilities, would counter this effect.

· The total difference in road user fatalities between Options 1 and 4 (refined), due to passenger modal shift, is estimated to be in the range of 830 to 1170 lives saved over 40 years. This estimate includes a negative modal shift attributable to Option 1, combined with a positive modal shift attributable to Option 4 (refined). The positive modal shift relies on increases in rail capacity and would require investment in other infrastructure, such as trains and stations.

Risk reduction due to TPWS+ has been discussed in the EPT final report as an additional measure over and above TPWS and ATP at GWML. TPWS+ is able to prevent SPADs at higher train speeds than TPWS, although the number of those accidents is relatively small. The EPT reported around 2 % of ATP-preventable accidents and 0.025 equivalent fatalities per year at GWML, however, no consideration was given to the consequences of accidents at higher speed that have the potential to be more severe. This effect could support the argument for the use of TPWS/TPWS+ until the end of their life cycle before installing ERTMS. One drawback, however, is the drivers’ ability to override TPWS/TPWS+. If it is intended to use these systems until the end of their life cycle, countermeasures must be implemented to increase safety awareness, particularly that of drivers.

It is accepted that ERTMS Level 2 and higher has the potential to increase significantly the safety of rail workers after being installed. ERTMS function 4.6.9 (Functional Requirement Specification) is intended to use the train location and actual train speed functions to operate a warning system and FRS 4.6.10 is intended to supervise trains according to systems which protect personnel working on or near the track7. For both functions there are no effective inherent solutions within conventional signalling or in ERTMS Level 1 without Radio Block Centre (RBC). Based on experience with safety management for work on and near the track it is estimated that approximately 50 % of the accidents and about 60 % of the risk during this work should be preventable by use of these functions in an ERTMS Level 2 or higher application8. These effects have been considered qualitatively only as has the different exposure of track workers during maintenance of the different ERTMS levels. It is not clear from the submitted reports whether the results of this qualitative analysis have been considered in arriving at the key findings but they will probably have a smaller impact compared with those from passenger safety considerations.

The EPT view that the safety benefit for passengers due to ATP is the same in every ERTMS level is accepted. Moreover, ERTMS function 4.6.10 in conjunction with RBC, means that in ERTMS Level 2 or higher, protection of trains and passengers against interaction with rail work is provided by virtue of an ‘all clear’ acknowledgement from the work site7. Although the frequency of such accidents is low, some incidents in Germany and Switzerland show that corresponding accidents have potentially severe consequences. It is not clear from the submitted reports whether this effect has been considered.

12

In assessing social impact and modal shift the EPT has made many far-reaching assumptions regarding development of population, passenger and freight transportation, capacity, transition between railway and road traffic, accident risk within railway and road traffic and interactions between these effects over the next 40 years. For instance, it is not apparent how the assumed increase of train passengers is justified in view of the limitation of capacity, as discussed in the answer to Question 4. All these assumptions have a much lower level of confidence than data obtained from railway operation or statistical analysis of accidents. Although it is plausible that a transition of passengers from rail to road provides a higher social risk, the evidence in the analysis of the social impact is poor relative to the analyses of the railway system itself. It is doubtful whether the analysis of societal factors is sufficiently robust to be used in the final decision making process.

3.4 CONCLUSIONS

The EPT final report justifies the claim that ERTMS is able to increase the safety of passengers considerably. Safety benefits delivered by the various scenarios in terms of equivalent fatalities avoided over a 40-year period due to ERTMS compared with the implementation of TPWS alone differ by a factor of 2. The ratio between Cullen & Uff and the ERTMS National Implementation Programme Board (EPB) preferred option is 1.1 (82 : 74). This is equivalent to a variation of about 10 %, however, uncertainties in the models and data and the necessary assumptions are likely to be of a similar order of magnitude. After fitting all tracks and trains the safety benefit for the passengers is the same for every option because the ATP function can provide the same protection for trains independent of the ERTMS level.

Risk reduction obtainable from TPWS/TPWS+ could be greater than assumed by the EPT, especially if the consequences of accidents with these systems are taken into account along with countermeasures to increase the safety culture. The benefit of early implementation of ERTMS is, therefore, reduced considerably if TPWS/TPWS+ is already fitted.

Safety of rail workers increases considerably when a minimum of ERTMS Level 2 is fully installed but this has not been analysed quantitatively by the EPT.

The approach to the assessment of modal shift includes many potentially uncertain and practically unjustifiable long-term assumptions and complex interactions which raise doubts over the reports’ conclusions on this aspect. It is suggested that an absolute criteria of acceptable risk, taking into account only the safety benefits within the railway system, could be more useful for making the final decision for one scenario. For example, the simple normative theory for the sensible management of risks to the public, assuming that a lifesaving intervention ought to return more years of life expectancy in good health than it would consume in years of work to pay for its cost10.

13



To what extent do the reports consider foreseeable risks to passengers and/or railway workers:a after ERTMS is fully installed on the network; andb during the time when ERTMS is being installed on the network?

Does good quality evidence cited in the reports support the reports’ conclusions on these points, or are the conclusions otherwise justifiable?

4.2 APPROACH

The review has examined how the EPT reports have addressed the foreseeable risks to both passengers and workers during installation of ERTMS and when ERTMS is fully installed and operational. It has looked at how potential hazards have been identified, what these hazards are and their role in the ERTMS process to date. A critical review has been undertaken of whether the risks arising from these hazards have been properly recognised and what proposals have been presented for managing them.

This review of the consideration of risk factors is closely related to the findings of Question 12 which looks at the transfer of risk from the trackside on to trains. Many of the same issues have been considered in this chapter.

4.3 REVIEW FINDINGS

The review has focused mainly on the Safety Benefits Analysis presented at Appendix 5 Work Package A4.3 of the Interim Report11 and Appendix F Work Package 4.3 of the Final Report4. All areas of the Interim and Final Reports and their appendices have been examined, however, in order to identify any considerations of potential hazards and the risk they pose.

At no stage does the safety benefits analysis address the potential for safety losses during implementation of ERTMS due to trains continually moving from track at one ERTMS level to another or due to operation of conventional as well as ERTMS controlled trains in one section at the same time. Under these circumstances there is a greater likelihood of driver error potentially leading to SPADs or similar hazards. The interim report identifies potential confusion when interfacing with AWS/TPWS and identifies that further work is required. Work Package A.1 within Appendix 5 to the Interim Report11 deals with Human Factors and identifies a number of relevant safety issues and potential mitigations, however this seems to be largely ignored by the safety benefits analysis. As discussed later in Section 13 (Answer to Technical Question 12) this would benefit from being formally recorded in a hazard log.

The EPT final report recognises that the implementation of ERTMS represents a greater cultural change in the UK than in the rest of Europe with respect to operating rules, signalling procedures and maintenance procedures. These have significant potential to introduce new risks to railway operations, mainly as the system is introduced to the railway network, but these issues have not been addressed in the assessment of safety benefits and losses. Similarly, potential risks to passengers due to transfer of new technology on to trains have not been fully addressed in the safety benefits/losses evaluation. This issue is dealt with in more detail in the response to Question 12.

In the analysis of track worker risk presented in the EPT report no account is taken of risk reduction measures being introduced by Railway Safety to reduce the risks to trackside workers.

15

The stated objectives of the Railway Group in the Railway Group Safety Plan 12 have not been considered within the analysis. This analysis appears to consider a constant level of risk at 2001 levels throughout the life cycle of the ERTMS project, which spans approximately 40 years. In order to achieve the target stated in the Railway Group Safety Plan to ensure there is no accidental fatality to any worker on Railtrack-controlled infrastructure and stations during 2002/3 and to ensure that the risk of accidental major injury to any group of workers on Railtrack-controlled infrastructure and stations will be no greater than one in 750 employees per annum by 2009, Railway Safety is putting controls in place to reduce the risk. A new initiative, RIMINIa, is in place, which is one of a number of measures being introduced to reduce the levels of ‘Red Zone’ working with the aim of reducing risk to trackside workers. The EPT final report should acknowledge that these measures are being introduced and account for this risk reduction in calculating the risk due to ERTMS both during installation and subsequently. This would make options other than Option 4 (refined) look more favourable in terms of safety losses.

Similarly, the EPT final report does not indicate that good use of Health and Safety Management will reduce the risk to trackside workers during installation. Extensive and proper use of possessions and the minimisation of ‘Red Zone’ working by good management will allow the risk to workers to be minimised during the installation of ERTMS thus allowing some reduction in safety losses.

The analysis of trackside worker risk does not make an estimate of the saving in track worker exposure. It is reasonable to expect that the fraction of current trackside work that would be removed by the absence of line side signalling is well understood. Consequently, a good estimate of reduced track worker exposure could have been made.

In Reference (11) only fatality rate data are used when considering track side worker risk. By ignoring the risk involved with injury to trackside workers the accuracy of the assessment of track worker risk is questionable. Also in Reference (11), track worker exposure has been calculated on the basis of projected project costs rather than on projected manning requirements. In order to calculate these costs, estimates of manning levels must have been generated yet these data have not been used in the analysis. This raises doubts over the accuracy of the assessment.

4.4 CONCLUSIONS

In general there will be an increase in risk to workers during installation and a reduction in risk to workers due to the reduction in trackside maintenance following removal of trackside signalling. However, the EPT assessment of track worker risk both during installation and following ERTMS implementation has not based on sound evidence and the assumptions on which it is based have neither made best use of available information nor taken cognisance of Railway Safety’s risk minimisation activities. The risks to passengers are detailed in Section 3.3.

As discussed later under Question 12, it is not believed that the new risks introduced as a result of the implementation of ERTMS and during the transition period have been properly identified and recorded and due regard has not been paid to them in assessing the safety benefits.

The duration of track work is different for the various options proposed and this has been considered only in a qualitative way. During the implementation of any new equipment, including TPWS, exposure of track workers to risk is unavoidable and is a reason for using equipment to the fullest (i.e. until the end of the life cycle) before embarking on a programme of upgrade or replacement.

a The formal Procedure RIMINI has been developed by the German railway operator DB Netz AG and TÜV Süddeutschland Bau und Betrieb GmbH originally

16



To what extent are the reports’ conclusions about the effects of changed railway network capacity on “modal shift” (i.e. passenger transfer to other modes of travel) supported by good quality evidence cited in the reports or otherwise justifiable?

5.2 APPROACH

In assessing the quality of evidence cited in support of statements made by the EPT regarding modal shift, the EPT interim and final reports and supporting documentation have been reviewed in detail. A search for alternative data that would support or challenge the assertions made about modal shift has also been undertaken.

As requested in the brief, the Economic Reviewer of the EPT reports, NERA, has also been consulted on this aspect. This liaison has involved extensive discussions on the merits of the claimed modal shift and the existence of supporting evidence.

Comments on this question have been restricted to a consideration of the evidence that modal shift results from the modelled capacity changes for Options 1 and Option 4 (refined). Evidence supporting the capacity modelling and, therefore, the validity of the capacity modelling results in the interim and final reports is addressed elsewhere (Section 2), as are the risk implications for passengers and workers resulting from modal shift (Section 6). This assessment is undertaken on the basis that the modelled capacity variations are accepted.

5.3 REVIEW FINDINGS

Modal shift is only very briefly referred to in the Safety Benefits report by Arthur D Little4

forming Work Package A4.3 input to Appendix 5 of the EPT interim report. It appears that at the Interim Report stage it was recognised that there may be the potential for some modal shift resulting from the potential capacity changes but it did not form any significant input to the analysis.

At the final report stage modal shift makes a significant contribution to the analysis. The Arthur D Little Work Package report4 supporting the EPT Final Report identifies the modal shift, attempts to quantify it and then examine safety gains and losses resulting from the movement of passengers on to or away from the roads for all options. These resulting safety gains and losses are used explicitly in the EPT final report to compare the options for ERTMS implementation. The assumption made that there is a total modal shift equivalent to the increase or decrease in capacity of the rail network strongly supports the selection of Option 4 (refined) as it diminishes the significance of the safety benefits from Option 1 due to early implementation of ERTMS Level 1 and the consequent ATP functionality.

There are two scenarios identified in the EPT documentation where modal shift is claimed to occur:

· Option 1 –capacity modelling identifies that there is potentially a decrease in capacity of the rail network as a result of implementing this option. It is assumed that this directly results in an equivalent loss in passenger kilometres on the network and that there is a directly equivalent modal shift in passenger kilometres on to the road

· Option 4 (refined) – capacity modelling suggests that by completion of the ERTMS implementation in 2043 there will be an increase in the capacity of the UK rail network.

17

This assumes that this leads to an equivalent increase in passenger kilometres and that there will be a directly equivalent modal shift from the roads to the railways.

In both cases modal shift and the degree of modal shift are assumed and there is neither a presentation of supporting evidence nor any substantiation of the assumptions. While it is accepted that there will be some modal shift due to the change in capacity in both cases, without any supporting evidence it is questionable whether that modal shift will be to the extent assumed by the EPT.

Factors which are believed to affect modal shift and which should be addressed in substantiating assumptions regarding the level of modal shift are discussed in the following sections.

5.3.1 Option 1

Firstly, the unused capacity of the railway should be considered. Intuitively, there is some slack in the capacity of the railway. Trains are not 100% full all of the time and, therefore, some reduction in the capacity of the network will be absorbed by passengers moving to alternative trains.

Secondly, modal shift will not be reflected in the same way across the whole network but will be influenced by geographical factors. In the London area, due to traffic congestion, parking constraints and the distance many people commute, it is not practicable to use the roads as an alternative to railway travel. On long distance routes, e.g. Glasgow, Edinburgh or Manchester to London, air travel offers a viable alternative to rail and road travel and will undoubtedly absorb some of the displaced rail passengers. The EPT accepted at the first review presentation that they had not considered the geographical variations within modal shift.

Any assumption on the levels of modal shift also must take account of other factors that influence people’s decision to travel by rail. For example, cost of rail travel compared with the cost of alternative forms of travel (e.g. road) will affect these decisions. Cross elasticities of demand for travel13 examines the elasticities of modal shift with respect to a number of such factors. Findings from this support the fact that there would be modal shift from rail to road but show that a number of other factors, especially cost of travel, have an influence on the extent of modal shift likely to occur.

Other factors that could influence the modal shift from rail to road include the potential for congestion charging being introduced in major cities to discourage car use and move passengers on to public transport. Measures of this type are likely to be seen in some major cities over the time span being considered for ERTMS installation within the EPT final report. Increasing congestion on UK roads is also likely to influence the pattern of modal shift.

The period following the Hatfield accident in the last quarter of 2000 has the potential to throw some light on what happens when the capacity of the rail network is reduced. Reference (14) states that ‘The extra traffic [road] resulting from the Hatfield rail crash on 14 October and subsequent disruption to rail traffic was too small to be quantified…’. Reference (15) states ‘This suggests that the disruption to train services in the aftermath of the Hatfield crash had little impact on car use. This finding is consistent with road traffic statistics, which show that although some rail journeys undoubtedly switched to road, the effect on overall traffic levels was too small to be detectable’. These sources support the review conclusion that modal shift will occur but will not be at the level claimed in the EPT final report.

18

5.3.2 Option 4 Refined

A modal shift from the roads on to the railways as a result of increased capacity assumes that there is a population of potential passengers who are currently not using the trains due to capacity limitations. Again, since the capacity of the rail network is currently not fully utilised, this is not entirely expected. There will be some modal shift but it is unlikely to fully fill the increased rail capacity.

Many of the factors discussed under Option 1 above must also be considered when addressing modal shift from road to rail and also support the argument that there will be only a limited modal shift. For example, the relative costs of rail travel and car travel will influence the shift as will train punctuality, quality of service and other external economic factors. Again there will be regional variations in modal shift and not all modal shift will be from car users but may include those previously using air travel. DETR statistics16 indicate that the real cost of car usage has not increased since 1974 whereas the cost of rail travel has increased by over 80%. A continuation of this trend over the 40 year period considered in the EPT report will influence modal shift.

Another key factor that must be recognised when considering modal shift from road to rail is that an increase in rail usage will require people to travel to and from railway stations, generally by car. This increased car usage occurs essentially at peak times and predominantly on urban roads, which have the worst safety record.

5.4 CONCLUSIONS

There is no evidence cited in the EPT documentation to support the claimed modal shifts to rail from roads for Option 4 (refined) and from rail to road for Option 1. Modal shift and the level of modal shift are assumed in the EPT reports without any supporting justification. Modal shift in both cases is likely to occur but there are major doubts over the levels of modal shift claimed.

It is recognised that this is a very complex and difficult subject to address. However, the 100% modal shift claimed is clearly not a feasible outcome. It is also noted that a more realistic modal shift would have a significant effect on the relative safety benefits of Options 1 and Option 4 (refined) claimed in the EPT final report.

In summary, some of the factors that are relevant and which are not addressed in the EPT report in predicting the levels of modal shift include:

· Geographical variations in the modal shift · Elasticity of passenger demand for rail travel to network capacity · Effects of and relative elasticities of other factors affecting passenger decisions to use the

railway such as punctuality, quality of service, journey times, relative costs of rail and car travel.

· Other potential economic factors affecting modal shift such as congestion charging, continuing decrease in the cost of motoring etc.

· Potential introduction of extra car usage as a result of increased rail usage (i.e. travel to and from railway stations).

19



To what extent are the reports’ conclusions about the effects of modal shifts on totality of risks faced by travellers supported by good quality evidence cited in the reports or otherwise justifiable?

6.2 APPROACH

Consideration was given to how the report addressed the impact on traveller/user risk as a result of changed network capacity and other associated factors. Supporting evidence and assumptions and the methodology used by EPT were assessed. Not only was a judgement made of the quality of the evidence used but also the availability of other existing evidence that was not cited by the EPT.

The means used to identify risks, how these risks were assessed, the validity of supporting data and information used in the assessment of risk, the credibility of any supporting assumptions and the validity of the conclusions were also considered.

6.3 REVIEW FINDINGS

The EPT report’s conclusions on totality of risks faced by travellers are inextricably linked to the EPT report’s conclusions and assertions in relation to modal shift. Similarly, the EPT report’s conclusions on modal shift are driven by EPT report’s conclusions, assertions and assumptions in relation to capacity. Consequently, if the EPT report's conclusions are to stand up to scrutiny, all input data and assumptions need to be extremely robust. The models used for analysis must also be robust, applicable, proven and reliable. For analysis and subject matter that are interrelated, it is reasonable to expect data and assumptions to be as consistent as possible. For example, it is difficult to compare analyses based on ‘fatalities’ and on ‘equivalent fatalities’.

The type of predictive analysis and reporting utilised by the EPT is imprecise, even using the best currently available techniques and data. There are many uncertainties and various elements of change could impact on the projected results. Although the EPT report and its supporting documentation goes some way to acknowledging this point, it states that there are varying levels of confidence in risk estimates and it cautions the reader about making comparisons between the report’s estimates.

Conclusions on societal benefit cannot be totally relied upon as they are not accurately quantified. This finding is supported by the AD Little Safety Benefits Modelling Report 761669

which clearly states that ‘it was not the aim of the ERTMS societal risk modelling to accurately quantify the societal benefit…’. Reference (9) aims to compare possible levels of relative societal benefit between the ERTMS options, assuming modal shift occurs to fill rail capacity. Although this aim has been achieved, the societal benefits analysis as reported should not be greatly relied upon to justify or determine the choice of ERTMS Option. It is clear that further work in this important area is needed.

Reference (9) also concludes that the studies suggested the existence of a modal shift from road to rail and vice versa when changes to the standard of rail service occur. While this accepted, it should be noted that this assertion is an inevitable conclusion of the AD Little studies. Modal shift from road to rail and vice versa, however, is not a forgone conclusion. The phenomenon of modal shift generally does not appear to be robustly supported at the present time by suitable

21

studies or data. There are many uncertainties around the phenomenon and the issue is a complex one. The drivers of modal shift are many and need careful definition and categorisation and the drivers for shift from rail to road may not be the same as from road to rail. There are also other options that must be considered such as alternative modes of transport or journey necessity.

Despite this, the assumptions used by EPT to support their case for modal shift are weak. Most notably, the assumption that all rail capacity variation would be taken up by a modal shift (to road) and that no journeys are lost or gained. There is no evidence to support this assumption and there is plenty of contradictory evidence in recent transport studies to suggest modal shift from rail to road after the Hatfield incident was much lower than anecdotal evidence would suggest. Regional variations in relation to rail or road use have not been considered.

The EPT report shows that the rail safety benefit calculated for Option 1 is greater than that for Option 4 (refined), although the difference is small. This conclusion, which is based on known rail industry data, is widely accepted and used by the rail industry.

Road safety benefit calculated for Option 4 is greater than for Option 1 but the quality of supporting evidence is inadequate. Similarly, the overall safety benefit, including road safety, was calculated to be greater for Option 4 than for Option 1 but again the quality of supporting evidence was poor.

A number of factors were not addressed by the EPT reports in their consideration of the totality of risks to travellers resulting from modal shift. Modal shift from road to rail does not result in a total transfer of risk. People using the trains have to travel to the station at high risk times on higher risk roads than the motorways they may otherwise have used. The EPT report assumes road accident fatalities remain at 1999 levels for a 40 year period. This would not be expected as Government figures show a continuing downward trend in road fatalities over the last 30 years that would be expected to continue, especially if Government initiatives to further improve road safety are considered.

It was claimed that implementation of Annex 10 of the Joint Enquiry Report would potentially reduce safety overall. While accepting that it has this potential, the use of the term 'potential' needs further and more robust evaluation as the quality of supporting evidence is inadequate. In the light of the evidence reviewed, this EPT claim seems unjustified.

6.4 CONCLUSIONS

The report's conclusions on the effects of modal shifts on totality of risks faced by travellers are not supported by good quality evidence cited in the reports and do not appear to be justifiable.

There are significant weaknesses in the report’s approach and analyses of the subject of modal shift and the totality of risks to travellers. The quality of evidence is not good, even allowing for a degree of subjectivity in interpreting what constitutes good quality. Reviewing the evidence results in more questions being raised than answers given and does not give a high level of confidence in the report's conclusions. However, it is acknowledged that the EPT is committed to ongoing, further validation and analysis work.

Significant emphasis has been placed on modal shift and related safety in the executive summary of the EPT report. However, it is difficult to reconcile such emphasis with the EPT Report’s acknowledgements on the sensitivity of data and weakness of assumptions in relation to modal shift analysis. While Option 4 (refined) may well be the best overall option for ERTMS implementation, the significance of modal shift and related safety seems overstated.

22



To what extent are the reports’ conclusions about the development time needed for the different levels of ERTMS supported by good quality evidence cited in the reports or otherwise justifiable? Are the reports’ conclusions on this issue supported by the experience of railway operators in other countries – for example Switzerland, Spain and Holland?

7.2 APPROACH

Factors identified in the EPT final report as driving the development times have been taken into account. Supporting evidence has been examined and reviewed in detail to establish its validity. Sensitivity of the EPT final report’s conclusions to the evidence has been assessed and the methodology used for estimating the projected figures has been reviewed in order to judge the validity of these figures.

Related experience in other countries within Europe has been examined and the findings of relevant operators were established and reviewed. These are considered in terms of how they relate to the environment of the UK rail industry and compared with the findings of the EPT final report.

Experience in other countries that has been used to inform this review of the work of the EPT is outlined in the following sections.

7.2.1 Experience of the Swiss rail industry

The Swiss Railway project for an ETCS-Level 2 (FSS “Führerstandssignalisierung”; ATP Cab Signalling) was ordered on the Basis of SRS 5A before UNISIG SRS 2.0.0 was available. At present, scenarios are developed in order to upgrade the pilot trial site and 59 locomotives to comply with the actual state of the relevant European specifications. During the first trial period solely ETCS-Level 2 fitted locomotives were allowed to operate on the track. Due to the absence of a conventional signalling system the performance in the case of a disturbance led to severe time constraints for the train service. Thus, the fallback strategy chosen has turned out to be a major drawback for the integration of ETCS-Level 2. Furthermore, problems due to interference with existing infrastructure (ZUB) as well as functional problems in track-to-train radio communication (start-up, hand-over) were experienced and are not yet fully resolved.

7.2.2 Experience of the German rail industry

The Deutsche Bahn (DB) AG strategy for implementation of ETCS-Level 2 began in 1998 with GSM-R tests on the Stuttgart-Bruchsal line. From 1999 to 2000 the development of early prototypes of ETCS constituents (e.g. RBC) took place. Trial operation on the first GSM-R test track commenced in 2001. Interoperability and consolidation of specifications as well as standardisation with regard to CENELEC is planned to take place up to the end of 2003 aiming at a preliminary system approval for the pilot line by the German railway authority EBA (“Eisenbahnbundesamt”) to start in early 2004. The current expectation is that trials leading to full certification of the complex system will occupy whole of 2004.

7.2.3 Experience of the Austrian rail industry

A current Austrian rail project, based on the cross-border Vienna - Budapest line linking the capitals of Austria and Hungary, is representative of many other projects relating to

23

ERTMS/ETCS-Level 1 implementation. This project has a 15 km Level 1 pilot line that is still in a trial status until consolidation of specifications and interoperability with the European normative references is finally confirmed.

7.2.4 Experience in other European countries

The EPT report has identified several other European projects in Spain, Netherlands, France and Italy where ERTMS/ETCS is being implemented. These are either in a similar project state or at an even earlier phase. Exact details of the respective status of the different European projects are partially confidential, so it is not always possible to ascertain the current state of implementation.

7.3 REVIEW FINDINGS

The EPT final report identified that the implementation strategies for ERTMS/ETCS variants requires further development of complex computer equipment, i.e. electronic interlocking in order to gain potential for significant capacity increase. As for all other variants and strategies reduction in capacity have been identified by the EPB to justify their preferred strategy that allows time for system development to enable more of System D to be introduced. An Indicative Industry Plan that illustrated an indicative schedule for the system development phase and the implementation phase was also presented in the EPT final report. It was concluded by the EPT that high performance ERTMS/ETCS system variants are not expected to be proven as a wholly reliable total system ready for national implementation in the UK until approximately 2008. An implicit reference was made to a quantitative schedule risk assessment undertaken by the EPT17. A provisional timescale illustrated by Figure 2 in the EPT final report3 indicates that GSM-R (Data) implementation will not be ready before 2010 and, therefore, the EPT identified GSM-R as one major critical item driving the development time.

Methods and assumptions made for time and resource modelling to create indicative schedules for the development and implementation phase were also addressed.

The following critical factors were identified in the EPT final report:

· EC trials and Specification work (revision) · Total System Development · Overall system Safety Case and Safety Approval · Modifications of Operational Rules · Early Deployment · National Test Bed · Tele-Communication Proving (GSM-R Voice/Data)

All of these factors are mainly driven or influenced by the homologation process within European projects for:

· ERTMS/ETCS constituents and functionality · GSM(R) · HEROE · ETML.

A better understanding of the status of relevant projects within the continental European rail industry would have given the EPT a more accurate view of the likely development times.

24

In all cases evaluation of the issues has been qualitative. Where numerate measures were necessary (e.g. cost and time metrics) these have been derived from first principles research, professional judgement and, in some cases, comparison with similar activities or tasks. The emerging, more detailed work undertaken for WCRM/JPT has proved valuable as a benchmark for such studies, as have the various mainland European pilot projects that were examined.

Supporting evidence cited by the EPT and used to undertake a quantitative analysis is based on numerous general assumptions. Similar general assumptions have been made to create indicative schedules for time and resource modelling for the development and the implementation phase in order to produce plans such as the System Development Phase Critical Path Analysis.

ERTMS/ETCS class 1 specifications are defined as open specifications. In the EPT final report it is stated that the quality standards must ensure conformity to these specifications and guarantee the interoperability of different products from different manufacturers. Due to this constraint, the ERTMS/ETCS users group has initiated a consolidation strategy to confirm by examination and provision of objective evidence that the ERTMS/ETCS Class 1 specifications fulfil the requirements for their use on the European high speed network. This work is not expected to be finalized before the end of 2003. Depending on the results and findings, modifications and retesting must be considered as an additional risk for the time schedule. Figures quoted for EC trials and specification revision, therefore, are considered to be appropriate.

The critical factors identified directly affect the conclusions drawn by the EPT. Any assumptions made on indicative dates for ERTMS/ETCS development have been derived directly from the related European project status and can, therefore, be validated.

European trial status was discussed in the EPT final report and the results were listed briefly and unresolved issues documented. Comparison was made between the UK railways and other European railways. In this comparison, different aspects have been considered, including signalling, track layouts, ATP, timing and operating practice and utilisation. The conclusion drawn is that the railways of mainland Europe have more experience with ATP systems than the UK railways. This lack of knowledge and experience demands that the UK rail industry exercises extreme care in the implementation of any ATP system and assesses carefully all relevant factors and the consequences of any changes to the present system. Special UK applications were also discussed and implicit references to the knowledge and experience of the UK rail industry were made. It was acknowledged that UK rail industry is well acquainted with traditional UK rail equipment and signalling principles but less experienced with continental European ATP systems or early ERTMS/ETCS applications.

7.4 CONCLUSIONS

In the EPT Final Report justification for development times quoted is based on implicit references to the major projects for implementation of ERTMS/ETCS in continental Europe. No further evidence was provided on dedicated time figures or details relating to the time scales of these projects. In order to justify the assumptions made it would be necessary to provide quantitative figures for these projects, preferably split into time spent for the development phase and time spent for the application specific implementation. If information of this nature had been provided then the development times stated by the EPT for the different levels of ERTMS/ETCS would have been supported more robustly.

Despite this, the reports’ conclusions on this issue are reasonable given the level of information about European projects related to ERTMS/ETCS that is available publicly. From the status of each individual project it is clear that, as a result of the complexity of the system under

25

development, there are potential risks (time, budget) for all parties involved. The specifications available and initiatives at the start of the European projects have been identified as unsuitable for achieving European harmonisation. Further refinement of the specifications as a result of effort by the railway industry has led to an agreed common standard but these are still incomplete and yet to be approved. In the majority of ongoing projects supplier specific variants of ERTMS/ETCS are being implemented without having consolidation of ERTMS/ETCS as a primary target. It must be assumed, therefore, that the integration strategy for ERTMS/ETCS and the development of appropriate specifications will not be stable before consolidation activities at European level have been completed and an agreed harmonised set of operating rules for ERTMS/ETCS operation have been developed.

The conclusions of EPT final report would have been strengthened if the report had explicitly discussed how the policy and influence of continental European railway operators affect specification work and early implementation of ERTMS/ETCS. The evaluation of their individual strategies would allow a more precise identification of time schedules and critical factors enabling improved comparison with the UK applications and more accurate determination of likely timescales for system development and introduction in the UK.

26



To what extent are the report’s conclusions on the business risks associated with early implementation of ERTMS, given its current level of technical development, supported by good quality evidence cited in the reports or otherwise justifiable?

8.2 APPROACH

The EPT has addressed cost variability and non-safety risk at both the interim and final report stages through Work Package C.1.2. An initial report ‘Cost and Risk Modelling’ was produced, which forms Appendix 5 to the interim report, followed by a further report ‘Cost Risk and Strategic Risk’, which is included as Appendix F1.6, to the final report. These build on the output of Work Package C1.1, which looks at the capital cost of the implementation of ERTMS. At the interim report stage the EPT objective was to model the various cost and other risks for each of the five implementation options. Work at the final report stage focused on the two remaining options under consideration, Option 1 and Option 4 (refined). This latter report focused increasingly on the cost aspects, including the impacts of both schedule overrun and of uncertainties in the overall capital cost estimate.

This review of the work of the EPT has focussed on the output of Work Packages C1.1 and C1.2. This is represented in Appendix 5 to the interim report, reports by Work Packages C1.1 and C1.2 and in Appendices F1.5 and 1.6 to the final report.

The reference to early implementation has been interpreted as follows:

Implementation of ERTMS to some level (Level 1 or Level 2) in the timescales set out in the Joint Inquiry report or in advance of those presented for Option 4 (Refined) in the EPT Final Report.

In reviewing the interim and final reports the objective has been to assess how the EPT has dealt with the business risks associated with Options 1 and 2 which appear to be the only systems considered by the EPT for early implementation

8.3 REVIEW FINDINGS

Key findings of the Interim Report were:

a The risk profile of implementation increases as the programme accelerates b The risk profile of implementation increases if installation commences before systems are

fully proven.

and conclusions drawn were that:

a Risk will be reduced if an adequate system development phase is included, and if the timing of implementation is realistic

b Implementation cannot sensibly commence until the stakeholders’ views of their perceived risks and incentives are aligned and agreed.

The appreciation of these conclusions was used to drive the planning for the implementation schedule for Option 4 (refined), as presented in the final report. This classified the non-safety

27

risks into three categories; Cost Risk, Strategic Risk and Programme Risks. Specific issues associated with the latter two are listed below.

a) Strategic Risks (listed in the final report):

· Changes in priority due to public perception, eg following a multi-fatality rail accident · Reduction in WCRM scope, or substantial delays to delivery · Inability of GSM-R to provide the communications capacity for the operation of ERTMS,

or substantial delays in the GSM-R delivery programme · Lack of sufficient or timely funding · Inability of industry to resource the programme of work · Substantial delays in carrying out the signalling renewals · On-going uncertainty about the industry structure · Failure of ERTMS to deliver interoperability or significant capacity increases · Failure to implement ETML needed to ensure capacity benefits.

b) Programme Risks (See Appendix F.1.6):

· Late availability or changes to technical specifications · Role and suitability of adopted System Authority · Availability of possessions and trains out of service · ERTMS performance · Results of early deployment schemes · Stakeholder communication.

The Cost Risk analysis is used to provide a likely range of capital and whole-life costs for Option 1 and Option 4 (Refined), and to inform the choice of which option is preferred.

The EPT developed the risk analysis through the identification of risks (in safety terms these would be regarded as ‘hazards’) using workshops and by interviewing experienced industry members. Quantification of the risks is carried out, where relevant, in cost and programme terms, through the judgement of the analysts and expert team members. The analysis is regarded as being very preliminary, due to the high level of existing uncertainty.

Business risks were discussed with Nigel Williams of the EPT on Thursday 5 September 2002. Mr Williams' view of the main business risks facing the project were:

· Capacity – the effects on overall network capacity are key to the Business Case. This will be mitigated by further, more detailed analysis, and by the development of understanding through the Early System Deployment projects

· Links to re-signalling with Computer Based Interlocking (CBI). The cost of the resignalling with CBI is estimated to cost £50bn over the ERTMS implementation period. The level of this cost compared to the ERTMS capital cost (approximately £3bn), may cause concern and delays, but is thought to be unlikely to stop the project.

A further business risk discussed was the ownership of the overall system risk. Mr Williams noted that neither the UNISIG suppliers nor the individual duty holders or ROSCOs were willing to assume responsibility for this.

The interim and final reports appear to have not examined any early implementation of ERTMS other than consideration of Options 1 and 2.

28

8.3.1 Unidentified Risks

Although a fairly comprehensive list of risks has been generated by the EPT, the following are real risks that are not explicitly addressed within the EPT reports:

· Failure of the development process to deliver a workable Level 2 system. It is entirely feasible that despite a long and expensive development process a Level 2 ERTMS that is capable of operating on the UK rail network is not delivered.

· Other European countries could abandon ERTMS due to the technical complexity and cost leaving the UK having spent large sums of money on a system that does not deliver interoperability. Railway industry publications indicate that other European countries are questioning whether to go ahead with ERTMS, therefore, abandonment is a distinct possibility. Should other countries not go ahead, principally due to the technical complexity and cost, the UK will be left having invested money in a system that does not provide an interoperable system with its European neighbours.

· Failure to achieve safety acceptance could cause a delay to the programme. As discussed under Question 12, there is the potential for ERTMS to introduce new hazards to the railway and to place very high integrity demands on software-based systems and equipment using novel technology. These systems will require onerous safety justifications before being accepted and there is a risk that these will not be achieved in the timescales required.

· Regulatory authorities do not allow required change in signalling principles and operational rules. Level 2 ERTMS will require a comprehensive revision of the UK signalling principles and operating rules. All these changes will be subject to acceptance by the regulatory authorities who will need to be satisfied that the safe operation of the railway is maintained. There is some risk that this may not be achieved.

· An ERTMS initiated multi-fatality accident in the early days of ERTMS. As identified in the response to Question 12, there are a number of potential hazards that ERTMS may introduce to the railway. Should one of these hazards arise and result in an accident, the public perception of ERTMS would suffer a negative reaction and the further progress of the project could be threatened.

8.3.2 Commercial Risks

Commercial risks associated with all five options were addressed during the interim report stage by Work Package C1.2 in Appendix 5. Spreadsheets were compiled by the EPT to calculate the risk cost, which was added to the calculated capital cost. These calculations were re-run at final report stage for Option 1 and Option 4 (Refined).

The manner in which the information has been presented both in the interim report and final report is confusing. In the analysis there appears to be a greater emphasis on uncertainty in the cost estimating process rather than with risk. Management of uncertainty did not appear to be addressed but uncertainty was used to add more to the capital cost in order to cover all possible outcomes. This creates the impression that if these uncertainties were properly identified, managed and controlled the real cost of each option could be much lower than stated.

In Appendix C1.2 of the interim report it is stated clearly that capital costs have been produced at the mean, 80% and 95% confidence levels while in Appendix C1.1 it is claimed that the capital costs (unrisked) have been calculated. According to the graph on page 12 of Appendix C1.2 to the interim report, however, for Option 1 the assessed capital cost (from C1.1) of £4.09 billion has 0% confidence. This large discrepancy is across the analysis. Provided the assessment of capital cost is sound, it would be expected that uncertainty factors and external events have the potential to reduce the capital cost as well as increase to it. The unrisked assessment of capital cost would, therefore, be expected to appear somewhere near the 50% confidence level on the risked cost curve. The difference between the capital cost and the

29

‘risked’ capital cost was greater in the final report. For option 1 a capital cost of £3.415 billion increased to £6.39 billion with 95% confidence when risk was assessed. Subsequently, the main reports (interim and final) continuously refer to this risked cost figure as the actual capital cost of each option. Based on the capital cost assessment and risked cost for Option 1 presented in the final report and identified above the figures show the assessed capital cost to be little more than half of the ‘risked’ cost.

In the final report, the ‘risked cost’ calculation also includes costs for death and injury to personnel during installation (Appendix F1.6 to the final report page 50). The safety benefits, however, have not been removed from the calculation of risked cost. In the calculation of risked cost, all the likelihood data and cost data for each threat occurring has been quoted as percentages with a reference to a Work Package and a date. Due to time limitations it has not been possible to review these references but they appear to be estimates from EPT members. No references have been provided for data from verifiable external sources. In each case a distribution type has been identified for the likelihood of increased cost but no justification of selection of the distribution has been given and, therefore, it is not possible to comment on the correct use of the distributions. This give rise to concerns over the accuracy of the assessment of these business risks.

In both the interim and final report it is noted that other costs make a significant contribution to the total cost. For example, these other costs exceed track fitment costs and generally are more than 70% of the train fitment costs. In the final report these items have been split further into other cost and development cost, which include items that raise the following issues:

· GSM-R is allocated the same cost regardless of system option in both the interim and final reports. In the final report (Appendix F1.5, page 11) a cost for development of GSM-R data upgrade has been assigned to Option 1. Elsewhere in the final report (Appendix F1.6, page 62), however, it has been assumed that Level 1 does not require GSM-R data functionality. It has also been stated (Appendix F1.5, page 7) that the GSM-R voice system only is of no cost to ERTMS as this is included in Railtrack’s GSM-R project remit. The capital cost for Option 1 GSM-R does not, therefore, seem realistic, especially since by approximately 2005 WCRM will have an operational GSM-R system supporting operation of ERTMS Level 1

· A price was included for a new fleet of trains to replace the maximum number of trains out of service at one time as well as to provide additional depot roads to accommodate the trains being refitted where this exceeds current capacity. It is questionable whether this is feasible based on the wide variety of rolling stock on the network. A single fleet of trains would be unlikely to meet the requirements of suburban DMUs, and EMUs as well as high-speed routes, rural services and freight. This approach makes the early deployment options appear less favourable, particularly those in the interim report

· Project Management/System Authority costs are extremely high for the early deployment Option 1, when in fact the whole fitment would be completed in a significantly shorter time scale. No details are given in the report concerning how this figure has been calculated

8.4 CONCLUSIONS

The EPT interim and final reports have not addressed early implementation of ERTMS other than to consider Options 1 and 2 at the interim stage and Option 1 at the final stage. These represent implementation of lower level ERTMS at timescales close to those recommended in the Joint Enquiry report.

A small number of potential risks have been identified that were not considered in the assessment of business risk by the EPT. These risks, which are not specifically related to early implementation but are provided as a constructive output of this review, are:

30

· Failure of the development process to deliver a workable Level 2 system · Other European countries abandon ERTMS due to the technical complexity and cost

leaving the UK having spent large sums of money on a system that does not deliver interoperability.

· Failure to achieve safety acceptance causes a delay to the programme. · Regulatory authorities do not allow required change in signalling principles and operational

rules. · An ERTMS initiated multi-fatality accident in the early days of ERTMS.

Capital cost and risk cost calculations in the interim and final reports have been reviewed, particularly with reference to Option 1. There is a large difference between these costs calculated in the interim and those in the final report. Data used in the calculation of risked cost (i.e. business risks) for all options is based on discussions internal to the EPT and uses no external reference data. On this basis it must be concluded that no detailed evidence has been presented to support the business risks for Option 1 (early implementation). The basis for the calculation is unclear since it appears from the confidence levels quoted in the interim report in particular that the level of confidence is 0%.

Uncertainty in the estimates of cost has been treated as risk and added to the initial assessment of capital cost. It is questionable whether these cost increases are a contingency or are in fact the costs of risk.

31



To what extent have the reports identified the systems development issues that are on the critical path, and indicated whether there may be potential for acceleration?

9.2 APPROACH

The interim and final reports and their supporting documentation have been reviewed in detail, Appendix F2.4 to the final report, which provides an analysis of the critical path for the system development phase, was of particular relevance. This documentation has been reviewed for evidence that the potential for acceleration has been considered.

9.3 REVIEW FINDINGS

The scope of the review has been limited to consideration of the completeness of the system development issues that have been identified as being on the critical path and whether the documentation suggests any areas where acceleration may be achieved. Activities on the critical path for system development and identified in Section 4.2 of Appendix F2.4 to the final report are:

· ECB acceptance phase · Prepare and agree UK Functional and Other Specs. · Award Development Contracts · Systems Development · Product Development · Equipment/Product Proving · System Proving · Interoperability Proving · Availability and Reliability Proving

The associated Gantt chart is the Draft Development Phase Schedule dated 22 February 2002, which is included in the Additional Files for Appendix F4.2. It should be noted that the dates given in this Gantt chart do not include any allowance for the variations in timescales due to the risks recognised in the Appendix.

Derivation of the programme is based upon several assumptions, which can be found in Section 3 of the Appendix. It is recognised that the UK Specification must be available and include inputs from the ERTMS Class 1 Specifications (re-issue date end of 2003), WCRM specifications, the change from national requirements, rules and principles re-write and ATOC/ROSCO/RIASIG maintenance requirements. An optimistic assumption has been made that all contractual conditions for the development programmes will be resolved prior to the award of development contracts. Failure to achieve agreement could result in a delay to the programme. The assumption that development of the ERTMS variants will be in parallel but with sequential completion related to complexity (e.g. variant C stages of development would precede those for variant D) seems logical. Similarly, the four test phases, from product proving through to reliability/availability proving seem logical.

One aspect that must be addressed at some stage during the overall development is interoperability with European developed systems. Testing to demonstrate this has not been included in the current development programme. The EPT report mentions the differences

33

between UK and European implementation that need to be addressed in the UK ERTMS Specification, which is on the critical path. Although this is a potential problem the opportunity exists to make use of the European experience to accelerate the production of the Specification and, hence, the development phase.

There is no specific mention, either in the development activities or in the programme, of a milestone for the availability of GSM-R for data transmission. This is an essential requirement for Option 4 and must be available at the appropriate time to enable complete system testing. At present, GSM-R is recognised as being unproven for data transmission in operational railway use. There is, therefore, a need to manage the GSM-R upgrade to carry data as well as voice transmissions so that it is at an acceptable level of functionality when required for testing during the early deployment phase. This must be considered a risk to the ERTMS programme and should be included as a milestone on the critical path.

An indicative timescale for the development phase has been prepared by the EPT (Section 4.3 of Appendix F4.2) which gives milestone completion dates for the various activities. This indicates completion dates for Availability and Reliability Proving (the last aspect of the development phase) of the first quarter of 2007 for system variants B and C and first quarter of 2008 for variant D. Some potential for acceleration is discussed in the systems development phase critical path analysis (Appendix F4.2). This indicates that there are two key factors which, if mitigated, could allow for acceleration of the schedule. These are:

· Tender and award of early development contracts · System development (by variant).

In the report it is suggested that an acceleration of up to 12 months could be achieved by commencing the award of early deployment contracts prior to completion and approval of the UK Specification. Significant risk is associated with this course of action due to the possibility of changes being introduced before approval and no evidence is presented that duty holders and funders would be prepared to accept this risk. A further potential acceleration of 12 months is envisaged during the system development phases by parallel development of the different variants. The principal risk associated with this approach is recognised to be the lack of availability of suitably experienced resources to undertake the work on all variants for all suppliers simultaneously. Many of these resources are likely to be already employed by WCRM or their suppliers on the ERTMS installation on that line and are unlikely to become available to the project in the short term. Also, there will be competition for the services of these resources with other projects and possibly other industries, leading to a shortage until more resources obtain the necessary level of expertise. It should be noted that in Appendix F4.2 of the EPT report it is stated that the timescales for the development phase are only indicative, therefore, actual timescales will depend upon mitigation of the time risks recognised in the Appendix.

A quantitative assessment of these risks has been performed, the results of which are included in Appendix F1.6 to the EPT report. This assessment suggests that there is a small probability of early start (i.e. acceleration) for some of the tasks but a more significant probability (about 50%) that possible finish dates for the Availability and Reliability testing could be late. A 5% possibility is stated of extending beyond the third quarter of 2010 for variants B and C and the fourth quarter of 2011 for variants D and E. If the assumptions used are realistic then it would appear that there is little prospect of acceleration and more likelihood of delay.

9.4 CONCLUSIONS

Specific ERTMS system development issues on the critical path have been identified, however, the availability of GSM-R for data transmission, which is critical for testing of version D, has

34

been assumed and has not been identified on the Gantt chart. Non-availability of the GSM-R would pose a serious risk to completion of the development programme on schedule.

Although the EPT report identified specific areas where there could be potential for acceleration, no evidence was presented to give confidence that the barriers to achievement of these could be overcome. The quantitative schedule risk assessment implies a potential slight acceleration due to early start of some activities. Although these results are plausible they are not traceable due to a lack of a description of the model and input data. It is significant that a high possibility of late finish is identified which would cause delay rather than acceleration.

The research and monitoring of EU projects referred to in Sections 5.2.10 and 5.3.2 of the EPT final report and the deployment of EPT staff in Europe should continue to form a key element in the development of the UK ERTMS specification and testing.

35



To what extent have the reports considered the potential for early fitment of lower levels of ERTMS to “pinch points” in the network? Is this a feasible approach?

In this question only, pinch points were defined by HSE as regions of the network where there is a significant safety risk.

10.2 APPROACH

An examination of how early fitment of ERTMS/ETCS has been addressed in the EPT reports with respect to ‘pinch points’ has been undertaken. The approach proposed by the EPT has been critically reviewed to ensure that it is robust and based on valid and reliable evidence and a view has been taken on whether early fitment will give the expected future improvements in capacity and safety. Consideration has also been given to whether ‘pinch points’ remain static or would vary during the upgrade and improvement works.

10.3 REVIEW FINDINGS

Table 1 in the EPT final report3 gives an overview of the ERTMS/ETCS system variants together with their impact on capacity and lists the basic considerations for potential application levels appropriate to early fitment of ERTMS/ETCS. Results of analysis work on relative capacity implications are also mentioned in the table.

In the EPT final report it is stated that further investigation of ERTMS/ETCS Level 2 with the option for interfacing to conventional relay interlocking (System D) is necessary in order to gain a potential increase in capacity. The EPT also highlighted that in the view of the EPB the deployment of lower level ERTMS/ETCS does not appear to be justified on the basis of ATP safety benefits alone.

Recommendations in the Joint Inquiry Report addressed the scope, sequence and priority of the track and train fitment for the installation of ERTMS/ETCS. Following these recommendations, the EPT final report expands on the output from the EPT interim report regarding the modelling of five different implementation options. In order to undertake modelling of theses different options the EPT defined five different system variants, which are defined in Table 6 of the EPT final report together with their key characteristics.

As stated within the EPT final report, all trains and 46% of all signals, including ‘pinch points’, will be fitted with TPWS. A preliminary safety analysis by the EPT has shown that TPWS will avoid 81% of ATP-preventable accidents. Given this predicted positive impact on safety for TPWS, there is insufficient justification for embarking on a programme of early fitment of ERTMS/ETCS on the basis of ATP safety benefits alone, especially when the expected higher costs are taken into account.

The approach used in the EPT reports addresses the SRA policy in that higher level ERTMS/ETCS has been identified as offering potential for significant capacity increase. It is noted, however, that the EPT final report considers system D only with respect to electronic interlocking. Further investigation of the potential of adaptation to relay interlocking in combination with extensions of conventional relay technology to deliver additional improvement should be undertaken.

37

An analysis performed by the EPT was based upon a comparison of the two options for implementation (Option 1 and Option 4). This analysis, however, focused on the modelling of the five different implementation options and did not consider early fitment of ERTMS with explicit respect to ‘pinch points’ in sufficient detail for a final justification. Furthermore, the TPWS safety analysis model used to assess the benefit of fitting TPWS+, specifically on the GWML, was revised in order to verify the quantitative figures. Although technically feasible, any further action on the deployment of lower level ERTMS/ETCS (Level 1 without/with infill) will be counterproductive unless the fitment of ERTMS/ETCS Level 2 is delayed significantly.

Early fitment of lower levels ERTMS/ETCS to ‘pinch points’ must be considered as potential threat to the overall strategy for implementation of ERTMS/ETCS Level 2. From a technical viewpoint there is low potential risk attached to the early fitment of with ERTMS/ETCS as the compatibility issues between various ERTMS/ETCS levels are well understood. The business case for implementing lower level ERTMS/ETCS to any particular 'pinch point' can also be established and justified. If, however, the overall objective is to improve safety combined with increased capacity at an optimum cost then the fitment of lower level ERTMS/ETCS should not be considered for 'pinch points'. Only higher level ERTMS/ETCS offers the potential for significant increase in capacity.

10.4 CONCLUSIONS

Clearly, the EPT has a thorough understanding of the problem and has conducted a critical examination of the issues and potential solutions to ensure that any proposals are robust and based on valid and reliable evidence. In the implementation options analysed by the EPT it can be assumed that ‘pinch points’ remain unaffected during the upgrade and improvement work.

38



To what extent are the reports’ conclusions about the current state of development of GSM (R), and about the possible need to develop GPRS as an alternative, supported by good quality evidence cited in the reports or otherwise justifiable?

11.2 APPROACH

The work of the GSM-R task force18 has been examined. This identified the sources of information used by the task force and these have been examined to establish whether the best data available was used. Conclusions drawn by the task force concerning GSM-R and GPRS, as presented in the EPT final report3, have been reviewed in light of the information used taking due cognisance of its validity.


The GSM-R standard implements a number of applications and requirements specific to the railway environment but using the common GSM platform. GSM-R is now used by most of the railways of Europe (seventeen have so far signed agreements for its implementation), but already additional requirements have been identified. These include the use of General Packet Radio Service (GPRS) in railway applications and its interoperability with GSM-R. In addition, early implementations of GSM-R have raised issues on specifications and international roaming which need to be addressed as a matter of urgency.

In order to address these issues, a new European Telecommunications Standards Institute (ETSI) Project on Railway Telecommunications (EPRT) has been launched. This project will continue the work in this area undertaken by ETSI's former Special Mobile Group, which, supported by Specialist Task Force 139, accomplished the standardisation of GSM-R. The main task of the project is to maintain the specifications for application of GSM to meet the requirements of the railways.

The EPT final report addresses the development status of ERTMS regarding the remaining significant development work, which relate to design and validation of GSM-R. There is concern, however, that the major risk identified is that GSM-R is not a proven technology in the UK, particularly with respect to its use for data transmission. The possibility of using GPRS as an advanced option has been considered. It was assumed that GPRS could be added to the GSM-R system for a relatively small cost but recognising that consideration must be given to the numerous problems that have to be solved before GPRS could be used. GSM-R, however, is not required for the implementation of ERTMS Level 1.

It should be noted that, as identified in the EPT final report (Section 7.2), there is a specific SRA requirement to develop specifications for the suitability of GPRS based GSM-R radio services to support ERTMS operation at Level 2 (System D) and above on the most densely trafficked/complex areas of the network. By implication, therefore, GPRS is considered necessary.

11.4 CONCLUSIONS

The GSM-R task force will update and develop the existing ETSI standards in response to the relevant European Directives. There is huge potential for the application of GSM-R world-wide and EPRT will also investigate these possibilities.

39

GSM-R, however, is not yet fit for service, especially with respect to capacity problems and outstanding refinement of specification work. As it constitutes a key element in the ERTMS architecture (Level 2 and Level 3) the potential risk of it being unsuitable for the intended purpose has to be minimized prior to installation. This is a key task for the development phase and, therefore, has not been evaluated further within the EPT final report. Potential problems associated with the use of GMS-R (e.g. data transmission capability and capacity limitations) could require ERTMS to use GPRS to overcome these difficulties.

40

c



To what extent have the reports considered the scope for, and risk implications of, migration between levels of ERTMS?

12.2 APPROACH

The safety benefits of ETCS have been considered against the CENELEC Railway Standards EN 50 128 (software), EN 50 129 (System/Hardware), EN 50 126 (Reliability) and EN 50 1591 and EN 50 159-2 (Communication). Other sources of information used in relation to operational aspects, accident analyses, capacity and also safety benefits were:

· common railway standards · state-of-the-art · experience from analyses and surveys of conventional command and control systems (for

instance PZB – point train influence) · direct experience of developing ERTMS/ETCS system solutions

Additionally, experience with ERTMS/ETCS implementation studies and pilot projects carried out in other European countries was used to support this review of the EPT's work.


The migration strategy proposed by the EPT3 considers the following items:

· manage the cultural change for the move to in-cab signalling · avoid unacceptable patchwork of ERTMS and non-ERTMS operations · capture requirements for transition stage.

Track and train implementation programmes were expressed as a series of six principles:

a Categorise the routes into four groups considering speed and density b Prioritisation within each group on the basis of EC directives, SRA’s strategy and safety

benefit Co-ordination with Railtrack’s signalling renewal programme where possible

d Attempt to use synergy of train fitment from adjacent or neighbouring routes when determining the route sequence

e Co-ordinate the train fitment with the track sequence f Avoid retrofitting short residual life vehicles by advancing vehicle replacements where

economically justified

A hierarchy of planning, a strategic schedule and an indicative industry plan have been developed on this basis taking into account ‘early deployments’.

The EPT noted that Railtrack’s long term strategy for all categories of lines is the implementation of ERTMS Level 2 as a minimum. To obtain maximum benefit, this requires trains to be fitted prior to the removal of trackside equipment. Various options have been leading ultimately to the selection of Option 4 (refined), which is the EPB's preferred strategy. Option 4 (refined) comprises only 4% of system B and 96% of the Level 2 systems C, D or E.

41

This proposed strategy relates to migration from the existing system to the final ERTMS state. For all options it has been assumed that the system type initially installed remains and that there is no future upgrade of system type. No evidence was found to suggest that migration between levels of ERTMS had been considered.

Experience with ERTMS projects in other European countries confirms the fact that the most difficult issue is not to define a final situation but to show how this situation should be reached from the initial state. The scope for, and risk implications of, several systems and options have been discussed in other chapters. Although the EPT migration strategy considers aspects of safety, capacity and commercial risk, the time schedule for implementation seems to consider commercial and business risks more than the other aspects.

A ‘track first’ strategy would entail mixed traffic on the lines. This has not only an impact on capacity (see EPT final report Section 4.1) but also on safety, especially with the human element involved. The ultimate choice of a ‘trains first’ strategy is able to minimise this problem or possibly even avoid it.

12.4 CONCLUSIONS

The EPT has not considered migration between levels 1 and 2 of ERTMS. It has been generally assumed that the system type initially installed remains and that there will be no future upgrade of system type. The EPT report correctly states that there is no improvement upgrade path from ERTMS Level 1 to ERTMS Level 2.

However the general upgrade path from current technology as far as ERTMS Level 3 is outlined in Table 4 of the EPT final report, while cost modelling options presented in Section 4/7/4 of the final report include the upgrading of all levels of ERTMS to System D.

42



ERTMS transfers some safety critical functions from trackside on to trains. Is there good quality evidence cited in the reports that shows that any risk implications resulting from this have been considered?

13.2 APPROACH

The EPT favours Option 4 (refined), which utilises ERTMS at Level 2, Variant D. In this configuration lineside signalling is minimised and the train receives movement authority and advisory speeds via the GSM-R system from the Radio Block Centre. Train positioning data are in return received at the Radio Block Centre via the GSM-R system. By its nature, this configuration causes a transfer of safety critical signalling systems from the trackside into the Radio Block Centre, Control Centres and on to the trains. This architecture leads to the safety critical system being more distributed and, as a consequence, new operational rules and signalling principles will be required.

The EPT reports have been examined in order to determine whether the risks associated with this relocation of safety critical equipment, revised operational rules and updated signalling principles have been properly addressed to a level commensurate with the phase of development at final report stage. Furthermore, the credibility of any supporting information and assumptions made as well as the validity of the conclusions have been assessed.

An examination has been conducted of how the EPT reports have addressed the foreseeable risks, both to passengers and workers, as a result of the transfer of safety critical functions from the trackside into the trains. The process by which potential hazards have been identified, the nature of these hazards and their role in the ERTMS process to date have been scrutinized. The review has critically examined whether the risks arising from these hazards have been properly recognised and what proposals have been presented for managing them.

This topic is closely related to the issues raised in Question 3, which looks at the risks to passengers and workers during installation of ERTMS and once it is fully installed.


Examination of the interim and final reports specifically reveals extensive consideration of SPAD-related risk. It has been correctly identified that ERTMS delivers a significant safety benefit with respect to reducing the risk of SPADs and SPAD-associated accidents. The reports compare this risk reduction with that gained from the current implementation of TPWS and the possible introduction of TPWS+.

The EPT reports also correctly identify that the removal of lineside signalling equipment will bring about safety benefits in terms of the reduction of risk to trackside workers by reducing their exposure. This is dealt with in greater detail in the answer to Question 3.

Within the EPT reports and their supporting documentation no consideration has been given of potential hazards and safety losses introduced to the railway as a result of installing novel technology, increased reliance on software-based equipment, redistribution of safety critical equipment, the requirement for new signalling principles and the resulting cultural change to operation of the railway.

43

Signalling equipment is safety critical. The implementation of ERTMS will change entirely the philosophy of signalling on the UK railway network. Reports by the EPT recognise that the implementation of ERTMS to Level 2 will require a total revision of signalling principles in the UK. These fundamental changes, by their very nature, have the potential to introduce new risks on to the railway. The new signalling systems will utilise novel technology and will be more reliant on software-based systems than are current systems. It is a well established fact that novel systems exhibit lower levels of reliability in the early years and hence increase the safety risk. This more extensive use of software also introduces potential risks as there will be requirements for software to high safety integrity levels (SILs as defined in BS IEC 6150819 and BS EN 5012820). At the higher levels these can be difficult to achieve and, again, introduce the potential for increased risk in the early years. It is recognised, however, that the EPT undertook an audit of three potential suppliers and found that they are capable of developing and providing SIL 4 equipment

The redistribution of safety critical systems also introduces new risks. In order to ensure and maintain safe operation of these systems, new safety critical maintenance regimes will need to be introduced and managed to address systems in distributed locations. The introduction of these systems has the potential for increased risk of error, which could lead to accidents in the early years of system operation.

The need to completely revise UK signalling principles will create the potential to introduce risk to the railway and will need to be managed carefully within the safety assurance and design and development processes. At this stage, however, it is sufficient that the EPT final report recognises that this fundamental change in signalling principles will be necessary. The EPT final report recognises that the implementation of ERTMS represents a greater cultural change in the UK than in the rest of Europe with respect to operating rules, signalling procedures and maintenance procedures. Although these issues are discussed above, it should be recognised that a cultural change of this significance has the potential to introduce new risks to railway operations. These aspects have not been addressed in the assessment of safety benefits and losses within the EPT Reports.

Option 4 (refined) and ERTMS System D in particular, places a high performance requirement on the GSM-R system. Any loss of GSM-R has the potential to bring large parts of the network to a standstill and to introduce hazards related to re-instating train movements thus adding additional risk to operation of the railway. An example of such a situation occurred in Switzerland21, where, on the ETCS Level 2 pilot project, a Radio Control Block crashed and trains could not operate for a significant period of time.

It has been acknowledged in the EPT reports that an extensive safety acceptance process will be necessary throughout the development and implementation of ERTMS. The potential introduction of risk on to the railway due to the factors discussed above, however, have not been addressed within the safety benefits analysis at interim and final report stages. There are concerns, therefore, that this could have a significant influence on the claimed safety benefits in the top level interim and final reports. Also of concern is the fact that top level hazards have not been formally identified at this stage thus allowing safety requirements to drive the development of ERTMS from the outset.

During the installation of ERTMS, trains travelling long distances may transfer several times between ERTMS levels as well as non-ERTMS areas. This increases the likelihood of driver error and introduces potentially new risk to the railway.

The EPT reports have identified operational benefits due to the implementation of ERTMS. For example, the introduction of cab-signalling greatly reduces the stress on drivers as well as improving driver performance through monitoring to enhance driver techniques. Lessons

44

learned from the UK’s only previous experience with cab signalling ATP systems (i.e. BR-ATP and Eurostar (TVM 430/KVB/TBL)), however, have been taken into consideration by the EPT. This experience has been used in the EPT reports when considering the following issues, which are discussed and analysed in Appendix 5 of the interim report.

· standardisation of cab display · selecting objects within the CENELEC DMI · defining functions required to permit rules drafting, training needs and DMI configuration

for GB · rules migration · rules for pilot sites · driver training · simulators · fitness and competence management · human factors and ergonomics integration · level transitions / operating modes · cab ergonomics & cab fitment surveys · consistency between DMI and EIRENE equipment in the cab · mandating the identified ergonomics principles through Group Standards · signaller/controller training and impact on their tasks · effect of adhesion

The programme of work undertaken by the EPT during the interim and final report phases appears weak with respect to a formal safety acceptance process as it does not include a formal hazard identification process and there is no maintained hazard log. While it is appreciated that the project is at a conceptual stage, it is considered to be to the benefit of the project if the principal hazards were formally identified and recorded in a maintained hazard log. Throughout the documentation there are various arguments and mitigating features which show some consideration of the hazards discussed here but these have not been formally recorded. A hazard log would provide a central location for all mitigating design and operational features to be recorded against the principal hazards which they are intended to address. This formal hazard log would allow the definition of the top level safety requirements for the ERTMS system. It would be advantageous to the project, particularly at this conceptual stage, if top level hazards and safety requirements were formally identified. This would give a greater understanding of the potential safety risks and allow means of controlling these risks to be addressed early in the system’s development. These could be developed as part of the safety acceptance process to lower levels throughout the development, design and subsequent project phases. This is especially important in light of the project’s intention to address safety acceptance at an early stage.

13.4 CONCLUSIONS

Although the EPT reports have given safety a relatively high profile compared with the other issues involved in the project, the effects of the transition of safety critical equipment from the trackside on to trains and into control centres have not been properly addressed at this stage. Hazards and risks associated with the introduction of novel technology and increasingly software based equipment, the redistribution of safety critical equipment and the requirement for new signalling principles and the resulting cultural change to operation of the railway have not been identified and, therefore, means of mitigating the risks have not been considered. The absence of a formal hazard identification process and hazard log raises concerns about the role safety will play in the project during development and design. It is essential to define proper safety requirements and, at this conceptual stage, to have formally identified top level safety requirements.

45

It is, however, acknowledged in the EPT final report that further investigation is required of the risks associated with the implementation of safety critical functions on trains. This would be undertaken in a future development phase.

46



Is there good quality evidence cited in the reports to show that the EPT have fully considered the positive inputs, particularly in terms of identifying new operational rules, learning lessons from current technical specifications, the application of GSM-R, that the West Coast Main Line Train Control System project could make into the UK ERTMS implementation?

14.2 APPROACH

The EPT reports have been reviewed to determine the nature and quality of evidence cited by the EPT to demonstrate that due consideration has been given to the positive inputs that could be gained from the West Coast Rail Modernisation (WCRM) project. In particular, evidence relating to:

· Identification of new operating rules · Learning lessons from the development of technical specifications · The application of GSM-R

has been reviewed but a number of other areas where valuable input may be gained have also been explored. Discussions were held with the EPT22 to examine their use of input from the WCRM programme. A representative of Railtrack's WCRM Train Control System team was also consulted23.

This assessment has focused on reviewing the use of WCRM experience in developing Option 4 (refined), as described in the EPT final report. It is acknowledged that Option 1 will be a national roll-out of the WCRM systems and, as such, will apply the rules, specifications and GSM-R implementation as developed for the West Coast. Work required to complete the UK ERTMS specifications for Systems D and E is shown diagrammatically in Figure 19 of the EPT final report. This shows a breakdown of the Generic European Requirements, the UK National Requirements and Specific Application Requirements. It indicates where requirements specifications are existing, are partially defined, based on existing specifications or are yet to be defined. These include operational rules, technical specifications, GSM-R and other aspects. This assessment has considered the extent to which the EPT plans to use WCRM experience and data in the development of the UK National ERTMS.


The EPT final report (Page 73) acknowledges that the WCRM Joint Programme Team is a major source of ERTMS technical and operational expertise in the UK. Work already completed and that being executed during 2002 would significantly reduce the workload required to implement ERTMS nationally and, as acknowledged by the EPT, could set the standard for subsequent projects. The possibility of a reduction in scope of the project or substantial delays to it, however, are seen as one of the major risk factors for the national ERTMS project (EPT final report, Page 91).

14.3.1 Views of the EPT

A meeting was held with the EPT to discuss their use of input from the WCRM programme. Although WCRM experience has been used significantly in programme development, the EPT was unable to comment on the issues of identification of new operating rules, lessons learned from the development of technical specifications or the application of GSM-R. The EPT was of

47

the opinion that much of the information from the WCRM project was difficult to use due to confidentiality issues and that from a technical standpoint the EPT project was closing the gap on WCRM, citing relationships with the ROSCOs and train operators and suppliers as being well advanced.

14.3.2 Identification of new operating rules

The development of new operating rules is briefly mentioned in the EPT final report and this is discussed in the interim report and fully supported by Appendix 5, Work Package A1. The analysis proposes a radical re-write of UK signalling principles and operating rules to allow full benefit to be taken from the change from a route signalled railway to a speed signalled railway. In the WCRM project rules will be required for operating under ERTMS Systems B and C (i.e. with lineside signalling). This will not require the radical re-write of the rules that will be desirable under System D and, hence, would not be expected to embark on such a project. It is understood from discussions with the WCRM TCS team that a rules group has been working under the guidance of Railway Safety since April 2002 (i.e. after the publication of the EPT final report) to develop the rules for the West Coast. This rules forum is taking a top-down view of the rules requirement under ERTMS, including the requirement with no lineside signals. It would, therefore, be expected that this group would cover both WCRM and the national rules requirement. In so far as WCRM is represented on the working group and is the most immediate user of the rule sets, WCRM is able to make a positive input into the rules development.

It is recognised that in the field of signalling there will be similar problems to those described for operational rules because the higher ERTMS Level 2, Systems D and E are based on a significant revision of the UK signalling principles.

14.3.3 Learning lessons from the development of technical specifications

The WCRM project has developed top level Principal Requirements Specifications (PRS) and corresponding, more detailed, Customer Requirements Specifications (CRS) to direct the application of the ERTMS Class 1 specifications into the specific requirements of the West Coast route. While these specifications are recognised to reflect ERTMS Systems B and C for the West Coast, rather than the national requirement for System D, they include significant work on the requirements for ERTMS in the UK. The EPT final report (Pages 68-69) states that it is intended to use the WCRM Specifications as inputs to the UK ERTMS Specifications, where appropriate, pending agreement. IPR issues are significant in determining rights between ‘Public Domain’ information and the contractors’ own information. The project has also addressed many of the underlying practical issues with ERTMS, such as odometry, and has produced technical reports that should be available to the national ERTMS project.

It is expected that the specification and function of train-borne equipment will be nearly identical between all levels of ERTMS. Hence, the WCRM train-borne equipment will be very similar in function to that for the national roll-out. Although there are significant issues with respect to hardware fit in different classes of trains and from different manufacturers, this is not within the scope of WCRM. Appendix 5 of the EPT final report, ‘Report by Workpackage A3.3’, deals with the trainborne equipment and a comparison with the WCRM solution. It concludes that the main differences between Systems B and C for the West Coast and System D for the national implementation will lie in software changes in the DMI. Well supported arguments or evidence for this finding have not been provided.

Although the report and appendices acknowledge that the UK ERTMS project intends to use specifications from the WCRM project and this is supported in Appendix F4.2 ‘System Development Phase Critical Path Analysis’, clarification is needed in the planning documents

48

(e.g. Appendix F4.1, ‘Planning the Development Phase’) as to how this information would be used or what specific benefits (perhaps in terms of timescale or cost gains) would be derived.

14.3.4 The Application of GSM-R

Application of the GSM-R system to supporting ERTMS implementation has not yet been fully proven anywhere in Europe, although this objective is expected to be partially met by the various development tests that are currently taking place in Europe and in the UK (WCRM and Old Dalby). A number of areas where further development will be required has been highlighted by the EPT GSM-R task force. The most notable of these are its performance in complex and heavily trafficked areas of the network, where there are concerns about the system capacity and the effects on capacity of overall system performance.

In the WCRM project it is expected to gain practical experience of GSM-R data performance, initially at Old Dalby, and subsequently on the West Coast main line, with full operation in 2005. Although this will not address the capacity in high traffic areas, it would be expected to give substantial practical operating experience in what is currently an unproven system and provide data on the effects of system latency.

The GSM-R task force report (Appendix F 2.2) acknowledges the need to use all available and developing GSM-R experience from WCRM and from trials in Europe. However, this requirement is not reflected in the EPT final report or in either of the appendices dealing with planning (Appendix F4.1 or F4.2).

14.3.5 Other possible inputs

The WCRM is developing versions of ERTMS for application on an operational railway. Experience from this project, therefore, extends across all the activities necessary to develop and justify such a system. Possible areas where the national ERTMS team may gain from their input include:

a Development times/costs

In a meeting with the EPT on 5 September 2002 it was stated that in developing the time and cost estimates for the national ERTMS implementation the EPT has used the WCRM project as a benchmark.

b Safety justification

Appendix F 3.1 has made comparisons with the size and scale of the safety task on the WCRM project. It states that ‘the scope for re-use of the process and and/or deliverables from WCRM will be examined’.

Reliability, availability, maintainability

It is believed that the system reliability, availability and maintainability will be vital in determining the ultimate performance of the ERTMS development. This is not discussed in any detail in the EPT final report but is referred to in Appendix 5 ‘Report by Work Package A3.3’, regarding trainborne equipment.

The WCRM project has developed RAMs requirements, including some numerical values, as part of their specifications. This work and the developing experience as the WCRM project proceeds should provide valuable input to the ERTMS project.

49

c

d Test tracks

The EPT report acknowledges that there will probably be a need for further test tracks in addition to Old Dalby. There is no evidence that the lessons of developing and using Old Dalby will be applied to the ERTMS project.

e Capacity modelling.

The WCRM project has developed its own capacity planning tools, which it is using to develop the 2005 West Coast Timetable. It is acknowledged in ‘Performance and Capacity Modelling – Validation of Final Report Assumptions’ issued on 26 September 2002 that this could be used to assist in validating and refining the capacity change estimates for the national ERTMS.

14.4 CONCLUSIONS

The EPT final report has acknowledged throughout the importance of the WCRM project in reducing the work to be done by the national project overall and the experience in ERTMS which resides within WCRM teams. This is reflected in the technical appendices describing the train implementation and that of the GSM-R working group. There is little evidence, however, that this has been reflected in practice in the planning activities. There is insufficient evidence cited to show that the EPT has made full use of the potential positive inputs from WCRM with respect to new operational rules, learning lessons from current technical specifications and the application of GSM-R.

Verbal comments received from EPT members have reflected the difficulty in using WCRM information due to confidentiality issues.

50

15. CONCLUSIONS

a The impact of the proposed ERTMS implementation on network capacity needs further investigation to validate the EPT report’s conclusions.

b The EPT report underestimates the improvement in safety which would result from implementation of TPWS/TPWS+. If TPWS was installed then the incremental benefit which would arise from the adoption of ERTMS would be less than that stated in the report.

c In addressing the issue of passenger safety, the EPT report’s conclusions assume a predicted shift from rail to road transport which would occur if the Cullen/Uff recommendations were adopted. Insufficient evidence is cited in the report to support this predicted modal shift. In other scenarios outlined in the report, the assumed effects of network capacity increase and decrease on modal shift are similarly not supported by good quality evidence.

d The improvement in safety for railway workers as a consequence of implementing ERTMS Level 2 has not been fully analysed in the EPT report.

e Insufficient evidence is given to support assumptions made in mixing actual and equivalent fatalities and in the transfer of risk from one mode of transport to another. As a result the report’s conclusions about societal risk are weak.

f The justification for the report’s assumptions about development times for different levels of ERTMS would have been strengthened by referring to quantitative figures from similar projects in continental Europe. Similarly, an analysis of available cost figures split by development time and implementation time and a consideration of the policy and influence of European railway operators on ERTMS/ECTS implementation would have added weight to the report’s conclusions.

g Some business risks have not been addressed in the EPT report. In particular, the correlation between the capital cost assessment and the risked capital cost assessment was not clearly established.

h Although the report has identified development issues that are on the critical path, insufficient evidence has been cited to support the possibility of accelerating certain parts of the development programme

i The EPT final report discussed the deployment of lower level ERTMS but concluded that this was not justified, even at pinch points, due to the small incremental benefits in safety over TPWS. Implementing lower level ERTMS, therefore, is not a feasible approach.

j The EPT report states that GSM-R is not a proven technology in the UK and is therefore not yet fit for service.

k The EPT report has considered a migration strategy from current technology potentially to ERTMS Level 3. However migration from ERTMS Level 1 to Level 2 has not been considered. This approach is justified since a decision would normally be taken to opt for either Level 1 or Level 2 as the final system but not to migrate between these levels.

l Further investigations into the risk implications of shifting safety critical functions from trackside on to trains are deemed necessary by EPT. In the report, the risk implications of this transfer have only been considered in very general terms. The report does not assess in

51

detail the effect of new risks on safety benefits or losses. A formal hazard process should be adopted to define high-level safety requirements for the development phase.

m The EPT has alluded to aspects of the WCRM that will form a basis for the planned national ERTMS implementation. However, few specific facts about the WCRM project have been cited in support of the recommendation in the EPT report. Confidentiality difficulties have limited the use of WCRM sourced data.

52

16. OTHER RELEVANT FACTORS

If further analysis and modelling in relation to ERTMS implementation in a broader context is to be undertaken the following observations and viewpoints should be considered:

a Passengers and users are also stakeholders in the railway b The subject of modal shift in relation to rail performance is worthy of comprehensive

research c A wider view of societal risk and safety benefits should be adopted and taken into

consideration when determining rail strategy d Journeys to and from railway stations may result in significant levels of risk exposure,

therefore, modal shift to rail may be more complex in terms of risks to users than is currently assumed

e There are other alternative modes of transport than rail or road f Regional variations in relation to rail or road use may be significant g If rail transport is not available another mode of transport may not necessarily be adopted;

there may be the option not to travel h Changing circumstances and practices may devalue or even invalidate old data i There are many drivers of modal shift from road to rail, the most significant may be fare

cost and not availability j Any increase in the numbers of passengers per train will bring with it an increase in the

potential number of casualties k The true cost of equivalent fatalities is difficult to ascertain because the nature of serious

injuries is complex (e.g. an incident resulting in many surviving burns victims may be more costly than one with survivors having simpler injuries)

l Train Operating Companies may substitute buses for trains when there are capacity problems. This may alter the current bus occupancy rate used for projections

m Government targets for road fatality reduction should be considered when making cross modal comparisons

n Measures to improve road safety are ongoing (e.g. controls, speed cameras, legislation changes, campaigns)

o Technology to improve vehicles and their performance will continue to be developed (e.g. braking/performance, airbags/crashworthiness)

p Projections made using current rail safety profiles may be supplemented by comparative assessment and analysis to known alternative analyses

q Freight may be an important consideration in all modal analysis r For new equipment, it is essential to define proper safety requirements at the earliest

possible point (conceptual stage) and formally identify top level safety requirements s There is significant risk to the project from the ability to achieve the required levels of

integrity and reliability performance from novel equipment t Use should be made of the European experience in the development of the UK ERTMS

Specification and testing. u There are other ongoing projects apart from WCRM, specifically CTRL, which are seeking

to utilise ETCS and which should be reviewed for further input.

53

REFERENCES

1 Uff, J, Cullen, W D, The Southall and Ladbroke Grove Joint Enquiry into Train Protection Systems. HSE Books, 2001

2 ERTMS Programme Team Interim Report. Railway Safety 3 ERTMS Programme Team Final Report. Railway Safety, 2002 4 Addendum to Safety Benefits Modelling for ERTMS Programme Team, Appendix

A4.3 Safety Benefits, Ref 76166, Arthur D Little, April 2002 5 ATP/TPWS module within LRM V5 – Functional Specification, Arthur D. Little,

December 2001 6 Briefing note on estimates of ATP preventable train accident risk, Prof. Evans 7 ERTMS/ETCS Functional Requirement Specification (FRS) V4.29, 03/12/99 8 Steininger & Karff, Risk and Cost Optimisation of the Safeguarding of DB’s Railworks,

in: Schuller & Kafka (eds.), Safety and Reliability, Vol. 2 pp 1593, Balkema, Rotterdam, 1999

9 Reference to be advised 10 Lind, Reliability Engineering & System Safety 78 (2002) 21 - 25 and 27 - 31) 11 Safety Benefits Modelling for ERTMS Programme Team, Ref. 75628-00, Arthur D

Little, January 2002. 12 Railway Group Safety Plan 2002/2003, Railway Safety 13 Acutt, M Z and Dodgson, J S, Cross-elasticities of demand for travel, Transport Policy,

Vol 2 No. 4 pp271-277 14 Traffic in Great Britain, 4th Quarter 2000, Statistics Bulletin (01)5, DETR, February

2001 15 Attitudes to local transport issues, Transport Statistics, Department for Transport,

(available on Government Transport Statistics website, www.transtat.dft.gov.uk) 16 Transport Trends: Indices Data Tables, Table 4.1 Real Changes in the cost of Transport

and Disposable Income: United Kingdom: 1974 to 2000, DETR, (available on Government Transport Statistics website, www.transtat.dft.gov.uk)

17 Appendix F4.2 System development Phase Critical path Analysis, Final Draft, Arthur D Little, 15 March 2002

18 Appendix F2.2 WRK-A2-035 GSM-R Task Force Report, 21 March 2002, Revision 4 19 BS IEC 61508-1:1998 Functional safety of electrical/electronic/programmable

electronic safety-related systems. 20 BS EN 50128:2001 Railway applications. Communications, signalling and processing

systems. Software for railway control and protection systems 21 Railway Gazette International – November 2002, p667 22 Notes of meeting with EPT 5 September 2002, EQE, 5/9/02 23 Record of Conversation with WRCM on 20 September 2002, EQE, 24/9/02

54

APPENDIX 1

LIST OF QUESTIONS SUBMITTED BY HSE

1 To what extent are the reports’ conclusions about the effects on network capacity of installing different levels of ERTMS supported by good quality evidence cited in the reports or otherwise justifiable?

2 To what extent are the reports’ conclusions about the effects of installing different levels of ERTMS on (a) passenger safety and (b) railway worker safety supported by good quality evidence cited in the reports or otherwise justifiable?

3 To what extent do the reports consider foreseeable risks to passengers and/or railway workers: after ERTMS is fully installed on the network; and during the time when ERTMS is being installed on the network? Does good quality evidence cited in the reports support the reports’ conclusions on these points, or are the conclusions otherwise justifiable?

4 To what extent are the reports’ conclusions about the effects of changed railway network capacity on “modal shift” (i.e. passenger transfer to other modes of travel) supported by good quality evidence cited in the reports or otherwise justifiable?

5 To what extent are the reports’ conclusions about the effects of modal shifts on totality of risks faced by travellers supported by good quality evidence cited in the reports or otherwise justifiable?

6 To what extent are the reports’ conclusions about the development time needed for the different levels of ERTMS supported by good quality evidence cited in the reports or otherwise justifiable? Are the reports’ conclusions on this issue supported by the experience of railway operators in other countries – for example Switzerland, Spain and Holland?

7 To what extent are the report’s conclusions on the business risks associated with early implementation of ERTMS, given its current level of technical development, supported by good quality evidence cited in the reports or otherwise justifiable?

8 To what extent have the reports identified the systems development issues that are on the critical path, and indicated whether there may be potential for acceleration?

9 To what extent have the reports considered the potential for early fitment of lower levels of ERTMS to “pinch points” in the network? Is this a feasible approach?

10 To what extent are the reports’ conclusions about the current state of development of GSM (R), and about the possible need to develop GPRS as an alternative, supported by good quality evidence cited in the reports or otherwise justifiable?

11 To what extent have the reports considered the scope for, and risk implications of, migration between levels of ERTMS?

55

12 ERTMS transfers some safety critical functions from trackside on to trains. Is there good quality evidence cited in the reports that shows that any risk implications resulting from this have been considered?

13 Is there good quality evidence cited in the reports to show that the EPT have fully considered the positive inputs, particularly in terms of identifying new operational rules, learning lessons from current technical specifications, the application of GSM-R, that the West Coast Main Line Train Control System project could make into the UK ERTMS implementation?

Printed and published by the Health and Safety Executive C1.25 01/03

ISBN 0-7176-2607-5

RR 067

780717626076£15.00 9

train protection - technical review of the ertms programme

Documents