The GSM-R train radio is essential for driver-signaller communication. It also provides the Railway Emergency Call (REC) which, when activated in an emergency, alerts all trains in the vicinity and instructs them to stop. Although GSM-R is a very reliable system, it does occasionally fail and, when it does, these key safety functions of GSM-R are unavailable.
In 2014, in response to potential industrial action, the Office of Rail and Road (ORR) challenged the industry to deal with the issue of failures of the GSM-R system and the appropriate operational response. We joined forces with industry to consider the issue and advised using risk analysis to understand the risk from GSM-R failures. Working closely with ASLEF, we set up the GSM-R Failure Working Group which included representatives from the ORR, Rail Delivery Group, train operating companies, Network Rail, ASLEF and RMT.
One option for dealing with failures that affect safety is to take the train out-of-service. However, it was recognised that this may not always be the safest option, especially if the impact of stopping trains introduces secondary risks within the railway system, such as slips, trips, accidents at the passenger-train interface, or overcrowding on stations due to associated delays and a reduction in capacity. The group agreed that the safest operational response to failure would be the group’s recommendation.
Over the course of about six months, our System Safety Team ran a series of workshops with the GSM-R Failure Working Group to develop the risk model. The final risk model was extensively scrutinised by the group and sensitivity to all assumptions were fully tested. This model was used to evaluate the operational response for a range of failure scenarios. In each case, the safety risk was evaluated and compared to the safety risk when GSM-R is working fully. The change in risk was calculated in two ways: i) the increase in risk of a train accident occurring due to the GSM-R failure; and ii) the ‘knock-on’ risk to passengers through such events as station crowding caused by train cancellations, or delays caused by running at reduced speed.
Following our analysis, the answer was clear:
- Trains with known failures (excluding failure to register) should not enter service.
- Trains already running which then suffer a GSM-R failure can stay in service for a maximum of 75 miles, after which the failure will need to be dealt with.
This led to a set of operational principles fully supported by industry. These principles form the basis of a new Rail Industry Standard 3708-TOM for GSM-R radio which contains requirements and guidance for contingency planning to manage failures of the GSM-R voice system. As a result, a consistent approach can now be taken to the management of GSM-R failures across the GB mainline network.
This work demonstrates our role in coordinating a collective industry response to an issue that could otherwise have led to significant industrial action and cost the industry millions of pounds. The newly developed operational principles not only support safety but also train performance. Many trains can complete their journeys within the 75-mile limit, saving the industry the costs of train cancellations and giving the train operator time to make alternative arrangements to deal with the failure.