In October 2017, four trains running on the Cambrian Coast line in North Wales, United Kingdom, did not receive temporary speed restriction (TSR) information, after an automated signalling system failed. Thankfully, no accident occurred, but one train approached a level crossing at 50 kilometres per hour above the TSR, endangering the lives of road users.
An investigation launched by the Rail Accident Investigation Branch (RAIB) found that TSR data was not uploaded during an automated signalling computer restart the prior evening. Meanwhile, a display screen erroneously showed the data as being loaded for transmission.
To avoid this issue, it was necessary to perform a manual check of the upload. However, this procedure had not been clearly outlined in the software documentation. Network Rail and the Independent Safety Assessor had reviewed the documentation, but failed to identify the missing instruction.
The investigation concluded, amongst other things, that the software vendor ought to improve its safety assurance protocol, in light of the near miss. But how should assurance protocol be adjusted to adequately safeguard new automation software? Moreover, how can it better pre-empt the safety challenges posed by technologies of the future?
These are questions continually asked by Rail Safety Leader and Visiting Professor at the University of Huddersfield, George Bearfield. With the fast evolution of digital tech in rail reshaping the industry’s risk profile, he believes safety practices should adapt at an equal pace.
“A particular interest of mine is how the safety of software is assured, and will continue to be in the coming years, as rail embarks on the fourth industrial revolution,” said Bearfield. “Systematic software failures can’t be exhaustively tested out, so assurance must come from robust reviews and the checking of technical asset development.
“Process industry safety standards have set the template for how to do this. These standards require the setting of Safety Integrity Levels (SILs), which constrain the system architecture and require verification of safety requirements through the whole asset life.
“But the problem is that the standards were built with the mindset of 1980s and 1990s computing, where software was a limited adjunct to electro-mechanical systems, the vendor landscape was different, and AI was in its infancy. The models on which these standards are built are therefore looking increasingly shaky,” he said.
Ahead of the RISSB Rail Safety Conference, Prof Bearfield outlines several key features of the current safety landscape which could serve as an intellectual basis for future assurance protocol.
#1 – Siloed and sparse technical expertise
As more functionality is built into the Australian railway system, reliance on global supply chains is growing – and with this often comes the compartmentalisation of technical expertise, Bearfield highlights.
“Nowadays, there are only a handful of locations, worldwide, where you can get really good train door systems, for example. That specialisation is great when it comes to productivity and efficiency metrics. But from a safety assurance perspective, it’s concerning, because you lose project visibility and control,” he said.
“If something has the potential to go wrong, it often goes unnoticed, because operators don’t know how the technology works – nor what is going on underneath the proverbial bonnet. Data sovereignty, of course, makes this more challenging.
“It’s quite unlike rail operations several decades ago, in which technology was simpler, supply chains were more localised, and the majority of operational staff undertook apprenticeships, where they learned these sorts of skills. Staff used to get in and diagnose things – and they got a lot of practice doing so, as things went wrong more often. Nowadays, there are fewer hiccups, leaving staff reliant on some complex, abstract process that they’ve had little experience with,” he added.
Compounding this, systems are often composed of ‘black boxes’ which, once plugged together, are hard to read and predict. Few operators understand how these products interrelate with people and other technologies, or what their potential failure modes are. This is particularly true for off-the-shelf products, or those with imported applications.
“Localised monitoring is a bit of a piecemeal approach. There is no overarching science and, given the technical complexity involved, it’s often not done very well. Without that deep understanding of how things work, assurance can be a bit of a paperwork exercise,” Bearfield said.
“I think, going forward, we need to break down these intellectual silos and ensure the right level of technical expertise is available to us – either within the company, or at least within the country.”
#2 – Greater opportunity for malign actors
The more we introduce software into engineered systems, the more we make it possible for malign actors to achieve devastating consequences when tinkering with vulnerabilities. Whilst interconnectivity is, on the whole, a positive development for rail, cyber resilience will need to be thought about more proactively in this ‘low frequency high intensity’ landscape, Bearfield argued.
“The cyber scene is becoming more fraught each day and ransomware attacks have been on the rise, particularly during the COVID-19 pandemic where home working has, in general, made IT systems less secure. The cyber security of the ‘operating technology’ (trains and signalling systems) is often an afterthought, when, ideally, it should be baked in from the outset. As we race towards digitisation, we must not forget to design and implement systems with cyber security front and centre of mind, from the beginning – not just as an adjunct to the physical engineering,” he said.
“A lot of work is already required to retrofit rail systems to address current cyber threats. This process will never end as the technology domain is in a state of constant global revolution. For example, unimaginably powerful ‘quantum computers’ are now maturing, with the power to break the majority of our current data encryption protocols. Quantum cyber defence technology exists, but its implementation needs to be planned and added to the workbank.”
Pure safety assurance will need to evolve to be digital too. There is an opportunity for artificial intelligence to take some of these traditionally add-on safety engineering activities and integrate them more at the system level, through real time monitoring of automated system function.
“AI based data analytics bring some of that safety thinking into real time. It allows operational faults and cyber interventions to be detected instantly by the systems themselves,” Bearfield said.
#3 – Under-reliance on people and teams
“The computer is gradually taking over in terms of its control and functionality, with more and more of the tasks traditionally done by people performed by the system. The problem is, safety is an inherently human thing. It’s also an intangible – an intellectual construct – which makes it easy to miss and forget,” Bearfield said.
“The challenge is to make sure safety requirements retain their prominence as we relinquish more control to machines. People are adaptable and have a critical role in safety – how can we transpose that role effectively into a more computerised world?”
Industry collaboration and team work will play a significant part in this process, Bearfield said.
“It can be hard for individuals to know if they’ve done safety assurance correctly, particularly with high-integrity software-based systems. To this end, industry collaboration will play a vital role in establishing best practice for safety assurance.
“In an increasingly competitive transport sector, these measures will be key to maintaining consumer confidence in rail, and to realising its environmental benefits,” he concluded.
Prof George Bearfield is a Director of Health, Safety and Cyber Security at Rock Rail, the globally focussed rolling stock leasing company, and Visiting Professor of Rail System Safety at the University of Huddersfield.
Join him for more discussion at the RISSB Rail Safety Conference due to take place 11-12 May.
This year’s event will be held both virtually and at the Swissotel Sydney.