This crossing had had mini red and green lights fitted, but they had been temporarily disabled by Network Rail because of 'safety integrity' concerns.
Had these lights been functioning, and interlocked with signalling, it's possible this would have lessened the chance of the signaller making the grave error he did.
I might be wrong, but I think that the "safety integrity" concerns may have been that they were not interlocked with the signalling.
The issue was more one of documentation. Bombardier said they had assessed the Safety Integrity Level (as 3), and written ("published", though in no obvious sense) a report, but for some reason couldn't give Network Rail a copy. There was just a less formal justification supplied with the original product data.
The
RAIB▸ report is a bit confusing in how it talks about this, referring to the PLC as being "not a SIL 3 product" - to my mind a PLC is a chip, while SIL is really about software reliability. Now the PLC (a kind of simple computer) may come with some software, but that would have a different name.
The equipment is triggered by a treadle (presumably these days actually an axle counter) upstream. (I guess it is cancelled by another one.) That's not "interlocked with the signalling", and rather better in the sense that block boundaries wouldn't be at the right distance. But as it is independent, its reliability is not checked by any part of the signalling system, hence its reliability matters. The key aspect of SIL and its definition is in this paragraph:
The construction and logic of the fault tree analysis provided in the
documentation meant that no convincing argument had been produced to justify
the independence of PLC faults, nor had the analysis demonstrated that a single
PLC fault could not result in the ‘top event’ wrong side failure occurring (green
light showing when a train was approaching the crossing).
Click on the map to explore geographics
