TPWS: a retrospective
It is perhaps appropriate to look back at the Train Protection and Warning System (TPWS) since this year marks 20 years since the original project to comply with the Railway Safety Regulations 1999 was delivered. It also marks 25 years since those regulations were laid before parliament and since the last Automatic Train Protection (ATP) preventable Signals Passed at Danger (SPAD) fatal train accident at Ladbroke Grove.
For those unfamiliar with TPWS it is a basic form of train protection developed initially for Great Britain, that will take control away from the driver by applying the brakes for a minimum period of one minute should the train either pass a signal at danger (train stop function) or be deemed to be travelling too fast (overspeed function) at a designated location, usually on approach to a signal at danger, a buffer stop, or a significant speed restriction.
Background
SPADs had been an increasing concern of the Health and Safety Executive (HSE) for a number of years. Until sometime after privatisation, the HSE was the statutory body overseeing railway safety. This came to the fore after the Clapham accident in 1988, which was followed by fatal SPAD-related accidents at Purley and Bellgrove, both occurring in March 1989. In consequence, the Clapham inquiry had its remit extended to look at opportunities to reduce the incidence and consequence of such accidents, essentially because all three accidents were considered to have been caused by a signalling problem.
This extension of the remit resulted in recommendations to trial and subsequently fit an Automatic Train Protection (ATP) system. Trials of two different existing ATP systems, developed in mainland Europe, were initiated – one on the Great Western Mainline and its associated high speed train fleet, the other on the Chiltern suburban route which underwent a major renewal programme around that time. While both projects demonstrated the ability to equip the railway with ATP, they also demonstrated the technical and operational difficulties and high cost of so doing.
In 1994, the British government accepted a report from British Rail demonstrating that the fitment of ATP across the network was disproportionately expensive for the benefit delivered. While ATP was not reasonably practicable within the As Low As Reasonably Practicable (ALARP) definition, the SPAD risk did lie in the “tolerable” region meaning duty holders must seek ways to further reduce the risk, cost effectively. Consequently, British Rail and the recently established Railtrack decided to set up a Train Protection Steering Group (TPSG). TPSG established a programme of work under the umbrella of Signals Passed at Danger Reduction and Mitigation (SPADRAM). This led to a number of workstreams being developed.
Three particular SPADRAM workstreams are worth mentioning in the context of TPWS. The first was the concept of defensive, or what we now call professional, driving. This would encourage drivers to respond promptly to early indications of the need to stop the train and consequently approach red signals more cautiously than may have historically been the case. The second was the driver’s reminder appliance, a manually set control that would stop the driver taking power after a station stop without checking the signal aspect – start away from station SPADs made up a significant portion of the total. The final project was to investigate whether there was a way of taking control away from the driver should a SPAD seem to be imminent.
Challenges
One of the major challenges with ATP was the cost of train fitment, a problem that still afflicts projects looking to move to more modern on-board signalling systems such as ETCS. All trains were already fitted with the Automatic Warning System (AWS) and this had an interface to the brakes as part of current functionality. So, the question asked was whether the functionality of AWS could be enhanced so that it could provide a train stop facility. Enhanced AWS led to the rather unfortunate acronym EAWS which it was soon realised would not be good for publicity and the name Train Protection and Warning System (TPWS) was adopted.
The mainline railway had a safe distance beyond signals, the overlap, which was typically between 200 yards (183 metres) and 440 yards (400 metres) depending on the type of signalling in use. This fundamentally allows for minor misjudgements or small patches of poor adhesion but does not fit well with a train stop functionality when a driver has not responded appropriately to one or more signals. So, the second question was whether the AWS upgrade could also provide an automatic brake application if it was determined the train was moving too fast as it approached a red signal.
Research at the time suggested that if we could apply the brakes around 300 metres prior to the signal we could avoid about 70% of the harm arising from accidents occurring as a result of SPAD events. Not all SPADs could be prevented, but most would be mitigated. It is worth noting that at this time SPAD-caused accidents were resulting in a fatality on average every 15 months. Table 1 provides basic details of SPAD and buffer stop accidents where death or injury are recorded for the 20 years prior to 2004 and the 20 years since.
Contract awarded
Following an invitation for proposals, based on a performance specification which included cost targets to ensure affordability, Redifon MEL, which became part of Thales and is now part of Hitachi, was awarded a development contract based on a system it already had in use with London Underground to ensure correct side door opening. The principle was to transmit simple electromagnetic tones to the train. These would have different effects depending on the frequency, of which six were finally defined.
For the train stop, one frequency would ‘arm’ the system and if the second ‘trigger’ frequency was detected prior to the arming frequency disappearing the brakes would be applied, hence the abutted ‘grids’ now seen at the foot of signals over much of the network. For an overspeed detector the arming frequency would start a timer and again if the trigger frequency was detected prior to the timer expiring the train was travelling too fast and brakes would be applied. Again, this accounts for the separated ‘grids’. Six frequencies were necessary to cope with bidirectional portions of railway.
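The arm-and-trigger logic described above can be sketched as a small state machine; this is an added illustration in Python, not the supplier's PLC code. The tone labels, the event format and the timer values are assumptions made for the example, since the article does not give the frequencies or timer settings.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical tone labels: the article says six frequencies were defined
# but does not list them, so symbolic names are used here.
TSS_ARM, TSS_TRIG = "tss_arm", "tss_trigger"   # train stop pair (abutted loops)
OSS_ARM, OSS_TRIG = "oss_arm", "oss_trigger"   # overspeed pair (separated loops)


@dataclass
class OnboardLogic:
    timer_s: float                         # overspeed timer (constructed value)
    tss_armed: bool = False                # arming tone currently detected
    oss_deadline: Optional[float] = None   # when the running timer expires
    brake_reason: Optional[str] = None     # latched once a brake demand is made

    def on_event(self, t: float, tone: str, present: bool = True) -> Optional[str]:
        """Process one tone appearing (present=True) or disappearing at time t."""
        if self.brake_reason is not None:
            return self.brake_reason
        if tone == TSS_ARM:
            self.tss_armed = present
        elif tone == TSS_TRIG and present and self.tss_armed:
            # Trigger seen before the arming tone disappeared.
            self.brake_reason = "train stop"
        elif tone == OSS_ARM and present:
            self.oss_deadline = t + self.timer_s
        elif tone == OSS_TRIG and present and self.oss_deadline is not None:
            # Trigger seen before the timer expired means the train is too fast.
            if t < self.oss_deadline:
                self.brake_reason = "overspeed"
            self.oss_deadline = None
        return self.brake_reason


def run(events, timer_s: float) -> Optional[str]:
    """Replay (time, tone, present) tuples and return the brake reason, if any."""
    logic = OnboardLogic(timer_s)
    for t, tone, present in events:
        logic.on_event(t, tone, present)
    return logic.brake_reason


# Constructed sample passes (times in seconds), not recorded data.
SPAD_PASS = [(0.0, TSS_ARM, True), (0.2, TSS_TRIG, True), (0.3, TSS_ARM, False)]
FAST_APPROACH = [(0.0, OSS_ARM, True), (0.8, OSS_TRIG, True)]
SLOW_APPROACH = [(0.0, OSS_ARM, True), (1.4, OSS_TRIG, True)]
```

With a 1.0 second timer, `run(FAST_APPROACH, 1.0)` demands the brakes and `run(SLOW_APPROACH, 1.0)` does not.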
The onboard TPWS box was designed within the same space envelope and using the same mechanical fixings as the AWS unit it replaced. By using a Programmable Logic Controller (PLC) in lieu of the traditional relays, the added functionality was achieved. Replacing the old AWS box with a new one interfacing to the train brakes in the same way as before made the major challenges for train fitment the mounting of the additional antenna to detect the tones from the track, finding a suitable path for the necessary cable, and providing some additional indications and controls in the cab. Compared to full ATP, this was not expensive or overly complex. Critically, it could be achieved within a single nightshift avoiding train ‘downtime’.
Privatisation
By now we are in the second half of the 1990s with privatisation disaggregating the railway but, on this issue, there was still strong cooperation. Thameslink agreed to fit one of its Class 319 EMUs and test sites were established on both the AC electrified railway between Luton and Harpenden and on its DC route around Three Bridges, fundamentally to prove electromagnetic compatibility. Tests during possession successfully demonstrated their unit being tripped at the overspeed and stopping from just above 70 mph within the 220-yard (183 metre) overlap. Similarly, Freightliner allowed one of its locomotives to be fitted and a test at Haughley Junction demonstrated the functionality performed as expected.
A feature of TPWS is the need to actively detect an electromagnetic signal from the track to initiate a safety reaction. Clearly there are few other options given what the system is required to do and the existing equipment along a route. A consequence of failure to transmit or detect the signal would be an unsafe or wrongside failure although this would only affect safety if, at the same place, the driver failed to control the train. Part of the design therefore provided various testing and monitoring functions to detect when a system may fail to operate correctly and to indicate this to the driver or signaller. This, together with the move to a single PLC implementation, raised several concerns during the safety approval process. These were largely overcome by demonstrating that the residual risk of a SPAD significantly exceeded the risk of technical failure and human error occurring concurrently.
How and where?
The technical functionality was complete. The problem now was how and where to apply the system. The ‘how’ question begins with the fact that train brakes perform differently in terms of distance to stop for different types of train. Partly as a result of this issue it would also be reasonable to ask what a safe speed is to approach a red signal especially at the location where the overspeed check was likely to be installed.
In terms of ‘where’, the costs of fitting every signal would have been substantial and, following another recommendation from the Clapham inquiry, the need to demonstrate that a safety improvement was cost effective led to testing such improvements against the Value of Preventing a Fatality (VPF). Such an assessment suggested targeted fitment of TPWS was essential. Much work was done, and many stakeholders were involved trying to decide which signals should be equipped.
Among the stakeholders were those from perhaps unanticipated areas. In this case, the railway civil engineer was concerned about the ‘grids’ that provide the transmitting loop sitting in the middle of the four foot. Would these interfere with track maintenance? And what constraints would they impose on working practices?
In the end, the issue of ‘how’ was resolved by agreeing that a passenger train that needed to brake at more than 6%g (circa 0.58 m/s²) on the final approach to a red signal was travelling too fast and would have the brakes tripped, and that we would assume any new train could achieve a 12%g (1.16 m/s²) emergency retardation rate (as required by the Standards at that time) when estimating the safety benefit. Some older trains would not be fully protected but were more likely to be travelling at lower speeds. For freight it was also agreed that a longer timer setting would be used, thus tripping the brake at a lower speed and partially compensating for the longer stopping distance.
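The braking figures above can be carried through to show how a trip speed, a loop spacing and the freight timer relate; this is an added worked example, not a calculation from the original project. It assumes constant deceleration with no brake build-up delay on level track, takes 300 metres (the research figure quoted earlier) as an illustrative distance from the overspeed loops to the signal, and uses invented timer values.

```python
import math

A_CHECK = 0.58       # m/s^2, the 6%g threshold quoted in the article
A_EMERGENCY = 1.16   # m/s^2, the 12%g emergency rate quoted in the article
MPH_PER_MPS = 2.23694


def trip_speed(distance_to_signal_m: float) -> float:
    """Speed (m/s) at which stopping at the signal needs exactly A_CHECK."""
    return math.sqrt(2 * A_CHECK * distance_to_signal_m)


def loop_spacing(distance_to_signal_m: float, timer_s: float) -> float:
    """Arm-to-trigger spacing (m) that makes the timer expire at the trip speed."""
    return trip_speed(distance_to_signal_m) * timer_s


def effective_trip_speed(spacing_m: float, timer_s: float) -> float:
    """Trip speed (m/s) for a train using a different timer on the same loops."""
    return spacing_m / timer_s


def stop_point(speed_mps: float, distance_to_signal_m: float) -> float:
    """Stopping position relative to the signal (m); negative is short of it."""
    return speed_mps ** 2 / (2 * A_EMERGENCY) - distance_to_signal_m


def max_protected_speed(distance_to_signal_m: float, overlap_m: float) -> float:
    """Highest speed (m/s) from which a tripped train stops within the overlap."""
    return math.sqrt(2 * A_EMERGENCY * (distance_to_signal_m + overlap_m))


if __name__ == "__main__":
    d, overlap = 300.0, 183.0                 # illustrative siting, see lead-in
    passenger_timer, freight_timer = 1.0, 1.25  # constructed timer values (s)
    spacing = loop_spacing(d, passenger_timer)
    v_pass = trip_speed(d)
    v_freight = effective_trip_speed(spacing, freight_timer)
    print(f"loop spacing          {spacing:6.1f} m")
    print(f"passenger trip speed  {v_pass * MPH_PER_MPS:6.1f} mph")
    print(f"freight trip speed    {v_freight * MPH_PER_MPS:6.1f} mph")
    print(f"stop from trip speed  {stop_point(v_pass, d):6.1f} m from signal")
    print(f"max protected speed   "
          f"{max_protected_speed(d, overlap) * MPH_PER_MPS:6.1f} mph")
```

Under these assumptions a train tripped at exactly the threshold stops halfway between the loops and the signal, because the assumed emergency rate is twice the threshold rate.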
The issue of ‘where’ was finally settled by the HSE in the Railway Safety Regulations 1999 which called for all signals protecting a junction on a passenger line to be fitted together with buffer stops on passenger lines and locations where speed was reduced by 30% or more from an initial speed of or exceeding 60 mph. HSE would have liked temporary speed restrictions falling into this category to be covered but accepted the risks of installation and removal probably exceeded the risk they were trying to address. The concept of TPWS means it is notoriously difficult to supervise and intervene for any speed reduction other than one where a complete stand is the requirement, i.e. a red signal or buffer stop. Thus, there have been several cases of speed restriction fitment that have not satisfied the requirement in one way or another.
Five-year window
The regulations were laid before parliament in July 1999 and thus took effect. They gave a five-year window for all trains to be fitted and for the specified scope of infrastructure fitment to be completed. Coordinating such a programme was going to be a challenge and, as fate would have it, one of the early meetings planned to achieve that objective was held close to Paddington station on the day of the Ladbroke Grove accident. This gave added impetus to all involved.
The Ladbroke Grove accident, which had been preceded two years earlier by that at Southall, had brought SPAD-related accidents to the fore again. Both had occurred on a route fitted with ATP, but in the case of Southall the on-board unit was not switched on, and the train which passed the signal at danger causing Ladbroke Grove was unfitted. The Cullen inquiry was established in 2000 to examine the Ladbroke Grove accident, and was extended to coordinate with the Uff inquiry into Southall (via the Joint Inquiry into Train Protection Systems) to consider what train protection safety measures should be put in place, given the circumstances of both accidents. This reopened the discussion about fitment of ATP and whether TPWS was an adequate alternative.
In the end, because of the potential timescales for implementation and the anticipated costs, the inquiry recommended continued roll out of TPWS together with investigation to further enhance the protection possible and the fitment of ETCS to the mainlines by 2008. The fact that such fitment is still nowhere near complete reinforces the correctness of continued TPWS rollout.
Obviously, the five years up to 2004 were focussed on the legally required fitments. Since then, there have been further developments especially in the selection of additional locations to be fitted, for example to protect a stopping train from being hit by a following express at selected stations where this is a significant risk. Also, the way the overspeed function is applied on approach to signals has been enhanced to give a greater level of protection especially where trains may approach at speeds where they are unlikely to stop within the available safe envelope. It is probably a learning point that every project should assume someone will come up with an improvement or amended requirement a few years after the basic project is complete.
Outcomes
So, you may ask, what has been achieved? Despite TPWS not being a completely fail-safe system, and with the knowledge at the start that it will not give complete protection, it has been successful in mitigating SPAD events. As shown in Table 1, since 1999 there has not been a SPAD related accident in which a fatality or significant injury has occurred where driver error in responding to a signal was the fundamental cause. Some of this credit is due to other changes in behaviour, especially professional driving and amendments to signalling design standards, but equally as much is due to TPWS interventions reducing the consequences of signals being passed at danger by forcing the train to stop before the danger point.
There have been SPAD-related accidents but those such as the recent Salisbury accident at Fisherton Tunnel have been dominated by adhesion issues. That is not to say such an event will not happen in the future and result in the overall statistics being closer to the original expectation. TPWS is not a complete cure. There have been buffer stop collisions and overspeed incidents. There have also been some near misses from SPAD events where the TPWS intervention has occurred late relative to the evolving incident, sometimes after the driver has realised the error. Fortunately, all these events have passed without serious harm but show more work needs to be done to manage moving train safety and further extend the supervision of a driver unintentionally omitting to control their train.
Whether further significant enhancement can be made to TPWS is perhaps questionable. The current, simple, location-specific overspeed detectors are probably near the limit of their capability, as already demonstrated by the challenges with many speed restriction fitments. New speed measurement systems are likely to add significant additional complexity and thus substantially increase the cost of fitment. Ultimately, a full ATP system that continuously supervises the driver is required, preferably a system that offers other operational and cost benefits to the railway. However, a further pointer to the success of TPWS has been its adoption by some other railway administrations to meet a similar need.
This is very much a potted review of TPWS to mark 20 years or more of service. It has not covered all the challenges the project met. However, TPWS has delivered the majority or more of its expectations. It also demonstrates what can be achieved when a robust risk assessment process is conducted which leads to a cost-effective proposal being developed and implemented. Hopefully TPWS will continue to perform until a full ATP system, probably in the form of ETCS or its evolution, can be installed.