Common failure symptoms

Symptoms of a CCS subsystem failure are usually observed when that subsystem is in operation. As such, when they are written up they are described from the perspective of a CCS subsystem user. For example: ‘a system fails to provide a warning when it should have done’.

The risk from a CCS failure can be split into three categories:

  • Safety related (high risk): a failure that increases the risk to persons or the operational railway and where no other CCS capability provides protection to mitigate the risk to an acceptable level.
  • Safety related (low risk): a failure that increases the risk to persons or the operational railway but where an acceptable level of protection is maintained (either by the CCS subsystem or by procedures), even though reliability or availability of the operational railway is degraded by the failure.
  • Negligible risk: a failure that does not directly increase the risk to persons or the operational railway.

Through the development of RIS-0707-CCS, the industry agreed the possible failure symptoms for each CCS subsystem used in Great Britain. A risk classification was assigned to each of these symptoms. This includes the European Train Control System (ETCS).

This means that any organisation assessing a CCS failure event can identify the failure symptom observed and quickly see the industry-agreed risk classification.

Using a standardised set of failure symptoms and risk classifications that is owned and managed by the rail industry also helps organisations to develop:

  • a common understanding of the risk arising from a CCS subsystem failure.
  • appropriate failure response plans that are proportionate to the shared risk.

Further information on the responsibilities and requirements of organisations when assigning a risk classification is available in RIS-0707-CCS.

Hazard indices

All systems can fail. On a busy railway where lots of system failure information is being collected, it can be hard to decide which failure events to prioritise for investigation. RIS-0707-CCS explains how using a hazard index and calculating a hazard rating could help with this. By determining which investigations should take precedence, the index and rating also point to where resources should be allocated.

The hazard rating informs the risk classification. It applies ‘adjustment factors’ based on an event’s location and its potential consequences. This removes subjectivity from the prioritisation process. The rating considers, for example, the permissible speed at the location, how many trains per hour are timetabled in the area, and the complexity of the track layout.

The higher the calculated hazard rating, the greater the realised or potential hazard risk it indicates. It follows that higher-rated events should be prioritised for investigation.

Two examples are shown in RIS-0707-CCS. One is based on a scheme developed for signalling failures, the other for telecoms failures.