Investigation number
RO-2016-011
Occurrence date
Location
Ballarat
State
Victoria
Report release date
Report status
Final
Investigation level
Systemic
Investigation type
Occurrence Investigation
Investigation phase
Final report: Dissemination
Investigation status
Completed
Occurrence category
Incident
Highest injury level
None

Safety summary

What happened

On 11 August 2016, track maintenance was to be undertaken east of Ballarat Railway Station. To protect the work group, three sets of points within the work area were remotely Blocked to prevent them being operated from the train control system (TCS). However, the points unexpectedly operated when a route was set by the train controller for a train to travel from Wendouree to Ballarat Station. There were no injuries or equipment damage.

What the ATSB found

The ATSB found that the train controller had placed a Block on the three sets of points, but these ‘Blocks’ were ineffective due to design errors within the TCS. Train control for the location had been moved from Ballarat to the Melbourne control centre about three months earlier and the new configuration lacked full points-Blocking functionality.

The ATSB found that the software written to provide the points-Blocking functionality within the TCS did not include coding for points that lay outside the selected route but within its overlap. The Wendouree-to-Ballarat route-setting required three sets of points in the overlap to be in a defined position. The absence of Blocking software for the overlap meant that these points were not Blocked and were able to be remotely moved when the route request was executed by the TCS. It was also found that neither Factory- nor Site-Acceptance testing of the new system considered this scenario. As a result, the deficiency was not identified at this early stage.

The system configuration for the relocated train control was uncommon for the Victorian regional network. It placed reliance on the TCS to perform the points-Blocking function rather than also providing an additional level of defence to the interlocking.

What's been done as a result

V/Line have issued instructions for track workers to isolate points prior to undertaking work on them.

The TCS software designer, UGL Pty Limited, have updated their instructions for software development and testing of unit-lever interlockings, to specifically require overlaps to be included in the Blocking functionality.

Safety message

It is critical that system designers ensure that the functionality and performance requirements needed to meet all operational scenarios are incorporated within the design. It is also important that effective check and test processes are developed to fully validate system functionality.

Ballarat Railway Station, VictoriaBallarat Railway Station, VictoriaSource: ATSB

Context

Train control sequence of events

A logger recording of the train control system (TCS) for the period preceding and during the incident provided detail of track routes, the status of points, signal position and train position and movements. From the commencement of the available recording (from 1242), points 35U and 35D were already Blocked (identified by blue highlight, Figure 2) and both were set for the diverge, their ‘Normal’ position. Train 8129 arrived at Ballarat Platform 1 at about 1245.

Train 8129 was recorded as leaving Ballarat and then arriving at Wendouree Station at about 1251. At Wendouree, the train was to reverse direction and return to Ballarat Station as train 7130. At this time, 35 points remained Blocked and 37 points were not yet Blocked (Figure 2).

Figure 2: Signal and points status when train 8129 terminated at Wendouree Station

Figure 2: Signal and points status when train 8129 terminated at Wendouree Station. Source: V/Line TCS recording

Source: V/Line TCS recording

The recording showed that at 1251:08, the train controller called a route between signals BAT2 and BAT24 to bring train 7130 from Wendouree to platform 2 at Ballarat. Soon after, the system indicated a clear route from BAT2 to BAT8. The request for the remainder of the route from BAT8 to BAT24 was automatically stored (stacked) pending the operation of the Lydiard Street level crossing gates.

A short time later, the recording indicated a number of actions taken by the train controller. Blocking previously applied to 35 points was removed and the points were operated to their Reverse (straight) position, and then the Block re-applied at 1253:43. Then 37 points were operated to their Normal (straight) position and a Block applied at 1254:05 (Figure 3).

Figure 3: Extract of panel display showing status of 35 and 37 points at 1254:05

Figure 3: Extract of panel display showing status of 35 and 37 points at 1254:05. Source: V/Line TCS recording

Source: V/Line TCS recording

At 1254:26, the controller called a route between BAT102 (at Wendouree Station) and BAT2 in preparation for the departure of train 7130 from Wendouree Station. Then, upon operation of the level crossing protection at Gillies Street, the system cleared BAT102 signal permitting train 7130 to depart from Wendouree.

At 1256:43, the Lydiard Street level crossing was activated. The Lydiard Street gates are not automatic and are controlled from Centrol[4]. At 1257:29, the level crossing gates were detected in their Road-Closed/Rail-Open position, at which point the TCS called the previously-stored route between BAT8 and BAT24.

A few seconds later, the TCS recording showed 35 and 37 points had operated and moved to their Normal and Reverse positions respectively. In both cases, the logger recording indicated that Blockings applied by train control had remained, and there was no evidence that the points operation had resulted from a train controller input.

By 1257:48, the system had cleared BAT8 signal for the passage of train 7130. The route was set for the passage of the train to platform 2 at Ballarat Station with 35 and 37 points in their altered positions (Figure 4).

Figure 4: System status when the route from 8 to 24 signal was cleared (green line)

Figure 4: System status when the route from 8 to 24 signal was cleared (green line). The display shows BAT8 signal cleared for train 7130 to proceed to BAT24 signal (for berthing at platform 2). The Lydiard Street gates are depicted in the Road-Closed position. Blocking facilities (shown in blue) have been applied to both 35 and 37 points.<br />
Source: V/Line TCS recording

The display shows BAT8 signal cleared for train 7130 to proceed to BAT24 signal (for berthing at platform 2). The Lydiard Street gates are depicted in the Road-Closed position. Blocking facilities (shown in blue) have been applied to both 35 and 37 points.Source: V/Line TCS recording

At 1300:04, train 7130 occupied the track indicating its arrival at the Ballarat Station platform.

Ballarat signalling

Background

Between 2005 and 2016, the control of points and signals at Ballarat was conducted using a local control panel and relay interlocking[5]. The local panel incorporated unit-lever[6] control of points and signals and provided a monitoring function with indications for signal, turnout position, and track occupancy.

Relocation of Ballarat train control

The implementation of Centralised Traffic Control (CTC)[7] between Melbourne and Ballarat in May 2016 required transfer of the control of points and signals at Ballarat to Centrol in Melbourne.

CTC systems (which are non-vital[8]) interface in the field with signal interlocking (which is vital[9]) to provide remote monitoring and control of the total system. The Centrol TCS for Ballarat was a SigView system developed and supplied by UGL[10]. The SigView workstation provides a graphical user interface (GUI)[11] to display indications for signal aspect, turnout position, track occupancy, and train information. Keyboard and mouse inputs allow for both unit-lever and Entrance-Exit[12] controls for points and signals.

When CTC was implemented at Ballarat, a MicroLok[13] computer-based interlocking (CBI) was used to facilitate the interface, allowing the relay interlocking at Ballarat to remain largely unchanged. MicroLok provides the interface between SigView and the relay interlocking (Figure 5).

Figure 5: The interface between the SigView, MicroLok and interlocking systems

Figure 5: The interface between the SigView, MicroLok and interlocking systems. Source: ATSB

Source: ATSB

Signalling systems usually include both vital controls (signalling interlocking) and non-vital controls (local control panel and/or CTC system). The signal interlocking is designed to provide fail-safe protection for train operations. In other words, the system ensures that field equipment (such as points and signals) is controlled in a manner that will maintain separation between all rail traffic detected (by track circuits) on the network. The CTC system and control panel affords the ability to send commands to operate points and signals, but the interlocking will only allow operation if all prerequisite conditions are satisfied.

In most cases, only trains can be reliably detected by track circuits (and consequently the signal interlocking), whereas maintenance workers and their equipment are not. Because of this, additional process controls are implemented to ensure adequate protection of workers on track.

Blocking facilities are a process control often used for the protection of maintenance workers. Blocking may be applied to exclude rail traffic from a track section, or to prevent the unintended operation of equipment during maintenance activity. For the signalling system at Ballarat, the Blocking functionality existed within the SigView system.

SigView Train Control System

In relation to the real-time monitoring and management of field signalling equipment, SigView provides the train controller with a video display unit (VDU) system display and a keyboard and mouse to enter control requests. To avoid unnecessary field communication, SigView incorporates a feature called Pseudo-Interlocking. Pseudo-interlocking is a model within the TCS that reflects the requirements of the signal interlocking in the field, so that only valid commands that are able to be actioned by the interlocking will be sent by the SigView system.

The SigView TCS provides the controller with several assistive features. One is the option of using the Entrance-Exit method for setting routes. SigView also incorporates Route-Stacking. This is a function by which SigView stores valid requested routes that are currently unavailable. When the routes become available, the system automatically issues the request to the interlocking.

SigView also provides for Blocking to be applied to points, signals, and tracks. The intent of a ‘Block’ is to prevent the unintended or automatic operation of points and signals, and to prevent clearing of signals that protect Blocked points or tracks.

Signal control tables

The sequence of events suggested that the operation of 35 and 37 points was related to the control of signal BAT8. The signal control tables[14] and the signalling circuits were examined to comprehend the operation of BAT8. The signal control tables defined the requirements for clearing a route from BAT8 to BAT24, and included (but were not limited to) the following:

  • That all tracks between signals BAT8 and BAT24 be unoccupied
  • That all tracks in the overlap[15] be unoccupied
  • That 35 points (in the overlap) be in their Normal position
  • That 37 points (in the overlap) be in their Reverse position
  • The noting of a requirement for interlocking with level crossings.

The control tables also defined the requirements for operating 35 and 37 points, and included (but were not limited to) the following:

  • That points trackage be unoccupied
  • That no routes had been set over the points.

Examination of the Ballarat signalling documentation revealed that the circuit diagrams were consistent with the requirements of the control tables. Therefore, so long as the specified conditions were met, SigView would issue commands to operate points and clear signals.

Interlocking

The interface circuitry between the control system and interlocking was such that all control functionality and indications were achieved through discrete Inputs and Outputs. Under this type of control, the only way for points to operate was for the interlocking to receive a control signal via the interface circuits. In this case, a MicroLok Computer Based Interlocking (CBI) interface connected the SigView control system with the relay interlocking at Ballarat.

__________

  1. The operational control centre for Victoria’s regional broad-gauge rail network, located in Melbourne.
  2. Railway signalling apparatus designed to prevent conflicting movements at an intersection of tracks, such as junctions or crossings. Interlocking is designed such that a Proceed signal indication is impossible unless the route to be used has been proven clear and ‘safe’.
  3. Unit-Lever control describes a signalling control panel where a separate lever or switch is provided for each signal and set of points. To set a route, the signaller is required to first set all the required points before operating the lever or switch for the particular signal.
  4. Operated under Automatic & Track Control (ATC) safeworking rules under the Network Service Plan, applicable between Deer Park West and Ballarat.
  5. Those signalling system components that will not affect the safe operation of the signalling system.
  6. Equipment that is fundamental to the safe operation of the signalling system. If such equipment fails, it is designed to do so in a predetermined state that does not create an unsafe situation.
  7. UGL Pty Limited is a wholly-owned subsidiary of Australian publicly listed company CIMIC Group Limited.
  8. A Graphical User Interface allows users to interact with electronic devices using images rather than [keyboard] text commands. A GUI presents the information and actions available to a user via graphical icons and visual indicators. The actions are usually performed through direct manipulation of the graphical elements.
  9. Entrance-Exit is a method of signalling control whereby a signaller operates a switch (usually on a mimic panel or VDU) at the entrance to the required route and another at the exit. This action initiates the automatic setting of all points required by the route and (when all conditions are valid) the automatic clearing of relevant signals.
  10. MicroLok is a computer-based interlocking (CBI) control system specifically designed for safety-critical railway signalling applications. MicroLok is usually configured for vital interlocking, but in this application was mainly providing a non-vital interface function between the SigView system and the relay interlocking at Ballarat.
  11. Signal control tables describe, in tabular form, the requirements for the operation of various items of signalling equipment (points, signals level crossings).
  12. The overlap of a signal is the extension of a track circuit beyond a Stop signal to provide a margin of safety beyond that signal.
Safety analysis

The incident

The Route-Setting feature of the SigView Train Control System (TCS) provides for the automatic setting of points required to complete a particular route. Depending on the signalling design for each route, the interlocking may also require points outside of the direct route (such as in an overlap) to be in a particular position to permit the route being set.

In this instance, an Entrance-Exit route had been requested between BAT2 and BAT24 signals. This route consisted of two component sub-routes; BAT2 to BAT8 and BAT8 to BAT24. All conditions were met for the first sub-route from BAT2, so the request was issued from SigView to the Ballarat signal interlocking. However, the route ahead of BAT8 was not available due to the interlocking requirements at Lydiard Street level crossing and the lay of 35 and 37 points within the overlap. The route request from BAT8 was therefore stored by the Route-Stacking function until conditions within the SigView pseudo-interlocking were met.

Once the Lydiard Street level crossing was detected in the Road-Closed position, the conditions for BAT8 signal were met except for the lay of 35 and 37 points. At this point, SigView automatically issued a request to move 35 and 37 points to their required position. The previously applied Blocking of 35 and 37 points (on SigView) to protect maintenance workers, did not stop the command to move the points being issued to the interlocking.

Ballarat TCS Blocking functionality

The route-setting functionality of the TCS system only evaluated the Blocked points between the entrance and exit signals and did not take into consideration the Blocking of points that lay within the overlap. UGL subsequently modified both Factory- and Site-Acceptance test procedures for control of unit-lever relay interlockings to explicitly test the Blocking functionality in overlaps.

Testing and commissioning of new control

Testing conducted by UGL was limited to the software functions that had been included in the design and did not include testing of other possible operational scenarios or conditions.

There was no explicit requirement to test the Blocking of points in the overlap (outside the entrance and exit for a route) either as part of the factory testing or during on-site commissioning.

Reconfiguration of signalling control

Relocation of train control from Ballarat to Melbourne, resulted in the adoption of the SigView TCS. As part of this reconfiguration of train control for Ballarat, the in-field relay interlocking was retained and a computer based interlocking (CBI) (MicroLok) introduced to provide the communication interface between SigView and the relay interlocking.

However at other locations controlled by the Ballarat TCS, the interlockings were designed to provide points keying functionality[16] ensuring a second level of protection by implementing a Train Controller-initiated Block (a SigView function) to the specific points using the interlocking.

On the SigView screen, manual control of specific points is achieved by using a graphical depiction of a three-position (Normal-centre-Reverse) rotary switch, or ‘points key’. The points key is set to the centre position where routing of trains and control of points is to be done automatically by the TCS. However, if the points key is manually switched to either the Reverse or Normal position, the points are controlled to that position.

At other locations controlled by the SigView TCS, the signal blocking function also incorporated a points keying function as a second level of protection. That is, if a command was issued to Block a set of points in the Normal position, the system would also simulate placing the corresponding point key to the Normal position, thereby preventing automatic control. Similarly, for Blocking of points in the Reverse position.

Combining the points keying functionality with the signal Blocking command had not been implemented for the Ballarat TCS. Consequently, the system did not prevent the interlocking from responding to automatic SigView routing commands for points 35 and 37.

__________

  1. Latching of the points at the interlocking in response to the Train Controller placing the on-screen unit-lever switch to either Normal or Reverse position.
Findings

From the evidence available, the following findings are made with respect to the signalling control system irregularity that occurred at Ballarat, Victoria, on the 11 August 2016. These findings should not be read as apportioning blame or liability to any particular organisation or individual.

Contributing factors

  • Software written to manage the points-Blocking functionality within the Ballarat SigView Train Control System (TCS) did not include coding for points that lay within the overlap of the selected route
  • The factory testing and commissioning of the new TCS configuration for Ballarat did not include processes that tested the Blocking and response of points in signalling overlap areas.

Other factors that increased risk

The implementation of Blocking functionality for Ballarat differed from other locations controlled by the Ballarat TCS by not incorporating points-keying functionality.

Safety actions

Whether or not the ATSB identifies safety issues in the course of an investigation, relevant organisations may proactively initiate safety action in order to reduce their safety risk.

The ATSB has been advised of the following proactive safety actions in response to this occurrence:

  • V/Line instituted several interim mitigation actions, including conducting a system review of points-Blocking, and issuing formal instructions for track workers to place points individually into the ‘Hand’ mode
  • UGL issued an internal engineering instruction that identified the design deficiency and the necessary changes to the design, check, and test processes for software development. Design procedures were modified to explicitly require overlaps to be included in the Blocking expression and both the Factory- and Site-Acceptance test procedures were similarly modified
  • SigView expressions and functionality were modified such that when points are Blocked in a position contrary to that required for a route, then if requested by the train controller the route called will be suppressed by SigView and not stacked
  • Examination of similar scenarios resulted in extensive testing and minor changes to SigView expressions for other adjacent points that have been installed, tested and in use since late September 2016, with no further Blocking issues observed.
Sources and submissions

Sources of information

The sources of information during the investigation included:

  • V/Line Pty Ltd
  • UGL Limited.

Submissions

Under Part 4, Division 2 (Investigation Reports), Section 26 of the Transport Safety Investigation Act 2003 (the Act), the Australian Transport Safety Bureau (ATSB) may provide a draft report, on a confidential basis, to any person whom the ATSB considers appropriate. Section 26 (1) (a) of the Act allows a person receiving a draft report to make submissions to the ATSB about the draft report.

A draft of this report was provided to V/Line, ONRSR, TSV, and UGL Limited.

Any submissions from those parties were reviewed and where considered appropriate, the text of the draft report was amended accordingly.

Appendices

Appendix A – SigView TCS replay sequence of events

Time

SigView event description

Comment

1242

35U and 35D points shown blocked

37 points are not yet blocked

1245

Train 8129 arrives at Ballarat station

 

1251

Train 8129 arrives at Wendouree station

 

12:51:08

Entrance button

Controller calling a route from number 2 signal to number 24 signal (Ballarat)

12:51:12

Exit button

 

12:51:16

Route set BAT2-BAT8. Route stored BAT8-BAT24

 

12:51:29

Train number 8129 change to 7130

 

12:53:26

Blocking removed from 35 points

The replay does not show the ‘Unblock’ button being pressed before the block is removed from 35 points

However, it is evident that the actions controlling 35 and 37 points have been undertaken by the controller

12:53:29

35 points loss of Normal detection

 

12:53:38

35 points Reverse detection

 

12:53:42

Block button & block applied to 35 points Reverse

 

12:53:51

37 points loss of Reverse detection

 

12:53:59

37 points Normal detection

 

12:54:03

Block button & block applied to 37 points Normal

 
     

12:54:26

Entrance button

Controller calling a route from number 102 signal to number 2 signal (departure from Wendouree)

12:54:28

Exit button

 

12:54:34

7130 identified as ‘Express’. Gillies St LX operating

 

12:55:09

Route set BAT102-BAT2.

 

12:55:17

Track 102T occupied

Train 7130 departure from Wendouree

     

12:56:43

Lydiard St LX operating, 2AT occupied

Lydiard St level crossing gates in the Road-Closed position is a requirement for locking a route from number 8 signal

12:57:29

Lydiard St LX gates road-closed, BAT8 route yellow

 

12:57:36

35 & 37 points loss of detection

Number 35 and 37 points running. However, there is no indication that this has resulted from a controller input

12:57:43

35 points normal detection

 

12:57:44

37 points reverse detection

 

12:57:48

Route set BAT8-BAT24

Number 8 signal clear

     

13:00:04

Track A38T occupied

Train 7130 arrival at platform 2, Ballarat

Purpose of safety investigations & publishing information

Purpose of safety investigations

The objective of a safety investigation is to enhance transport safety. This is done through:

  • identifying safety issues and facilitating safety action to address those issues
  • providing information about occurrences and their associated safety factors to facilitate learning within the transport industry.

It is not a function of the ATSB to apportion blame or provide a means for determining liability. At the same time, an investigation report must include factual material of sufficient weight to support the analysis and findings. At all times the ATSB endeavours to balance the use of material that could imply adverse comment with the need to properly explain what happened, and why, in a fair and unbiased manner. The ATSB does not investigate for the purpose of taking administrative, regulatory or criminal action.

Terminology

An explanation of terminology used in ATSB investigation reports is available here. This includes terms such as occurrence, contributing factor, other factor that increased risk, and safety issue.

Publishing information 

Released in accordance with section 25 of the Transport Safety Investigation Act 2003

Published by: Australian Transport Safety Bureau

© Commonwealth of Australia 2018

Ownership of intellectual property rights in this publication

Unless otherwise noted, copyright (and any other intellectual property rights, if any) in this report publication is owned by the Commonwealth of Australia.

Creative Commons licence

With the exception of the Coat of Arms, ATSB logo, and photos and graphics in which a third party holds copyright, this publication is licensed under a Creative Commons Attribution 3.0 Australia licence.

Creative Commons Attribution 3.0 Australia Licence is a standard form licence agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work.

The ATSB’s preference is that you attribute this publication (and any material sourced from it) using the following wording: Source: Australian Transport Safety Bureau

Copyright in material obtained from other agencies, private individuals or organisations, belongs to those agencies, individuals or organisations. Where you wish to use their material, you will need to contact them directly.

Occurrence

The incident occurred in Ballarat, a Victorian regional city located about 100 km west of Melbourne. Ballarat is linked to Melbourne and other regional centres by the regional rail network managed by V/Line.

At about 1230 on 11 August 2016, track maintenance personnel were preparing to commence maintenance works near Ballarat Railway Station. The maintenance included points cleaning and was to be conducted under Lookout Protection.

To prevent the unintended movement of points, the Signal Maintenance Technician (SMT) in charge of the maintenance group contacted the train controller for the Ballarat location and requested that a Block[1] be applied to motor point №s 35 (two sets) and 37 (one set) (Figure 1).

Figure 1: Points 35D, 35U and 37 adjacent to Ballarat Railway Station

Figure 1: Points 35D, 35U and 37 adjacent to Ballarat Railway Station. Note that the Normal position for points 35U and 35D was for the respective turnouts and not the straight-ahead direction. The Normal position for points 37 was for the straight. Source: ATSB

Note that the Normal position for points 35U and 35D was for the respective turnouts and not the straight-ahead direction. The Normal position for points 37 was for the straight.Source: ATSB

System logs indicate that the train controller first Blocked 35D and 35U points and subsequently Blocked 37 points. These Blocks were placed through the train control system (TCS).

At about 1251, the train controller prepared a route from signal BAT2[2] to BAT24, using a ‘route-setting’ feature of the TCS, for train 7130 to travel from Wendouree to Ballarat. Wendouree Station is approximately 4.5 rail-kilometres from Ballarat Station.

The TCS cleared the route between BAT2 to BAT8 and stacked[3] the remainder of the route, from BAT8 to BAT24, pending the required pre-conditions being met. The system would automatically execute the control commands and create the route when those conditions were satisfied.

At about 1257, points 35 and 37 moved to meet overlap requirements for the BAT8 to BAT24 route and the full route was established. The previously applied blocks to 35 points (two sets) and 37 points did not prevent their movement during the execution of the route.

The SMT in the field noticed the movement of the points and contacted the train controller to confirm the application of the Blocks. The controller confirmed that the Blocks had been applied but acknowledged the points had moved. Due to this apparent anomaly, the controller notified the Senior Train Controller.

The maintenance workers were not affected by the unexpected movement of the points and there were no injuries.

__________

  1. The electronic Blocking of a system component such as a set of points is done to ensure that an inadvertent control command cannot operate or activate that component in the field. Electronic Blocking replicates the functionality achieved by “sleeving” a points lever (or switch on a control desk) and is non-vital (see footnote 7 and 8).
  2. The ‘BAT’ prefix on signal numbers indicates the Ballarat location.
  3. Storage of commands until conditions allow the commands to be executed.
Train Details
Train number
7130
Train damage
Nil
Departure point
Wendouree Railway Station, Vic.
Rail occurrence type
Signal Irregularity
Destination
Southern Cross Railway Station, Vic
Rail Operator
V/Line Pty Ltd
Rail Operation Type
Passenger